Cisco ASA 5510 doesn't allow access to the LAN services from remote VPN ???

snuwan.es
Level 1

I have a Cisco 5510 deployed and it's connected to a 1 Mbps leased internet line. I need to configure it for remote VPN users to access the internal Exchange server and sync with the email system. They should also be able to access LAN servers using the VPN. I have tried several scenarios but still I didn't get access to the local LAN servers via VPN at any cost :( (it's connecting well and can also ping the inside interface IP address only)

Any help would be highly appreciated.

Below is my config:

LAN is 192.168.134.0

!

passwd xxx

boot system disk0:/asa803-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name domain.local

access-list abc-primary-tunnel_splitTunnelAcl standard permit 192.168.134.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.128

pager lines 24

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside 1500

ip local pool primary-vpn-pool 192.168.166.1-192.168.166.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 59.133.230.21 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.134.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

group-policy abc-primary-tunnel internal

group-policy abc-primary-tunnel attributes

dns-server value 192.168.134.1

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value abc-primary-tunnel_splitTunnelAcl

default-domain value domain.local

username user1 password xxxencrypted privilege 0

username user1 attributes

vpn-group-policy abc-primary-tunnel

tunnel-group abc-primary-tunnel type remote-access

tunnel-group abc-primary-tunnel general-attributes

address-pool primary-vpn-pool

default-group-policy abc-primary-tunnel

tunnel-group abc-primary-tunnel ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

33 Replies

singhsaju
Level 4

Hello,

Your NAT 0 access-list has the wrong subnet mask for the VPN pool subnet; your VPN pool has 255.255.255.0.

The NAT 0 ACL has "192.168.166.0 255.255.255.128":

access-list inside_nat0_outbound extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.128

ip local pool primary-vpn-pool 192.168.166.1-192.168.166.100 mask 255.255.255.0

Change the subnet mask on the NAT 0 access-list to 255.255.255.0 and then check.

HTH

Saju

Please rate if it helps.

Also add...

crypto isakmp nat-traversal

Thanks for the reply, I'll post the results within the next few minutes !!!

still not working !!! :(

Please advise, any help would be highly appreciated !!!

Can we see new config?

abc-fire(config)# sh run

: Saved

:

ASA Version 8.0(3)

!

hostname abc-fire

domain-name abcsoft.local

enable password ogafcUzB/QZE6nv9 encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 89.183.250.42 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.134.125 255.255.255.128

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd 2KFQnbNIdI.2KYOU encrypted

boot system disk0:/asa803-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name abcsoft.local

access-list abc-primary-tunnel_splitTunnelAcl standard permit 192.168.134.0 255.255.255.128

access-list inside_nat0_outbound extended permit ip 192.168.134.0 255.255.255.128 192.168.166.0 255.255.255.128

pager lines 24

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside 1500

ip local pool vpn-primary-pool 192.168.166.1-192.168.166.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 89.183.250.41 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

group-policy abc-primary-tunnel internal

group-policy abc-primary-tunnel attributes

dns-server value 192.168.134.1

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value abc-primary-tunnel_splitTunnelAcl

default-domain value abcsoft.local

username user1 password yhK1oj.zZzQLnCkB encrypted privilege 0

username user1 attributes

vpn-group-policy abc-primary-tunnel

tunnel-group abc-primary-tunnel type remote-access

tunnel-group abc-primary-tunnel general-attributes

address-pool vpn-primary-pool

default-group-policy abc-primary-tunnel

tunnel-group abc-primary-tunnel ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

abc-fire(config)#

In the new config you have still not changed the subnet mask in the NAT 0 access-list that I asked about earlier.

Changed the mask to 255.255.255.0 just now !!! but still no luck !

Do you see the "hitcounts" increasing on access-list inside_nat0_outbound ?

Check and post the result of

show access-list inside_nat0_outbound

abc-fire(config)# show access-list inside_nat0_outbound

access-list inside_nat0_outbound; 1 elements

access-list inside_nat0_outbound line 1 extended permit ip 192.168.134.0 255.255.255.128 192.168.166.0 255.255.255.128 (hitcnt=0) 0x1eaae319

Your access-list still does not reflect the change; also, why have you changed 192.168.134.0's subnet mask to 255.255.255.128 ??

Your access-list should look as follows:

access-list inside_nat0_outbound line 1 extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.0
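The two checks Saju asks for in this thread (does the NAT 0 exemption ACL cover the whole inside subnet and the whole VPN pool, and is the ACE collecting hits?) can be run mechanically against the posted lines. This is an added Python example, not code from the thread or from Cisco; it works over a constructed excerpt of the config and the `show access-list` output above, and, as a matter of arithmetic, it reports the original /25 destination as already containing 192.168.166.1-.100, which is consistent with the mask change alone not fixing the problem.

```python
import ipaddress
import re

# Constructed excerpt assembled from the config lines and the "show access-list"
# output posted in the thread; the addresses and masks are the page's own values.
ASA_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.134.125 255.255.255.128
access-list abc-primary-tunnel_splitTunnelAcl standard permit 192.168.134.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 192.168.134.0 255.255.255.128 192.168.166.0 255.255.255.128
ip local pool vpn-primary-pool 192.168.166.1-192.168.166.100 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
SHOW_ACL = ("access-list inside_nat0_outbound line 1 extended permit ip 192.168.134.0 "
            "255.255.255.128 192.168.166.0 255.255.255.128 (hitcnt=0) 0x1eaae319")


def interface_network(config, nameif):
    """Subnet configured on the interface whose nameif is `nameif` (e.g. 192.168.134.0/25)."""
    m = re.search(rf"^interface \S+\n(?: .*\n)*? nameif {nameif}\n(?: .*\n)*? ip address (\S+) (\S+)",
                  config, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


def pool_range(config):
    """First and last address of 'ip local pool NAME first-last mask M'."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask", config, re.M)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def nat0_aces(config, nameif="inside"):
    """(source, destination) networks of the ACL bound by 'nat (<nameif>) 0 access-list'."""
    acl = re.search(rf"^nat \({nameif}\) 0 access-list (\S+)", config, re.M).group(1)
    pat = rf"^access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(ipaddress.ip_network(f"{s}/{sm}", strict=False), ipaddress.ip_network(f"{d}/{dm}", strict=False))
            for s, sm, d, dm in re.findall(pat, config, re.M)]


def nat_exemption_check(config):
    """(lan_covered, pool_covered): does one NAT 0 ACE exempt the whole inside subnet to the whole pool?"""
    lan = interface_network(config, "inside")
    first, last = pool_range(config)
    aces = nat0_aces(config)
    lan_covered = any(lan.subnet_of(src) for src, _ in aces)
    pool_covered = any(first in dst and last in dst for _, dst in aces)
    return lan_covered, pool_covered


def acl_hitcounts(show_output):
    """ACE line number -> hitcnt from 'show access-list'; a NAT 0 ACE stuck at 0 never exempted a flow."""
    return {int(n): int(h) for n, h in re.findall(r" line (\d+) .*?\(hitcnt=(\d+)\)", show_output)}
```

If `nat_exemption_check` returns `(True, True)` but the exemption ACE stays at `hitcnt=0`, the VPN-to-LAN packets are not reaching the NAT stage at all, so the fault is elsewhere than the mask.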

OK, I have removed the .128 subnets and now it's all coming with the 255.255.255.0 mask !!

But still no luck ! :( But I can ping 192.168.134.125, which is the inside interface ...!!!

???
