asa vpn client unable to access internal network

Unanswered Question
May 12th, 2009

Hello,

Please if someone could take a look at my config and see what the prob is that would be greatly appreciated. The client connects fine but I can't ping the inside interface now any networks.

thank you

Attachment: 
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
JORGE RODRIGUEZ Wed, 05/13/2009 - 12:35

Steven,

I would begin with the most common issue..

Enable NAT-Traversal

asa(config)#crypto isakmp nat-traversal 20

Let me know if no joy after you enable NAT-T , we'll then look closely at your nat exempt rule but enable nat-t first and have RA clients connect.

Regards

rate any helpful posts

soujern69 Wed, 05/13/2009 - 12:57

Thanks Jorge,

I tried that with no luck. Once connected I can't access anything or ping the inside interface.

So must be natting or my inside routes?

Thank you!

JORGE RODRIGUEZ Wed, 05/13/2009 - 13:50

ok we have to understand your topology,I looked at your config carefully and Im puzzle on some of the route stetements,before looking at nonat acl for RA network and your inside networks, could you clarify bellow.

Why do you have these routes in there? the 10.1.116.0/24 is your RA VPN POOL comming through outside interface RA.

you are telling the ASA to route 10.1.116.0/24 network through three different gateways 10.1.3.254 etc..

route inside 10.1.116.0 255.255.255.0 10.1.3.254 1

route inside 10.1.116.0 255.255.255.0 172.16.250.50 1

route inside 10.1.116.0 255.255.255.0 10.1.3.225 1

10.1.116.0/24 is your RA VPN POOL

also you have different networks being routed through various gateways connected to inside interface?

are these actual routers ? and do these gateways have any of their interfaces connected to the 10.1.3.0/24 network.

10.1.100.254

172.16.250.50

10.1.3.254

172.16.250.50

10.1.3.225

10.1.116.254

172.16.250.50

////////

What networks do you realy have on the inside , is it 10.1.3.0/24 via Inside interface Ethernet0/1?

Your RA Pool and nonat acl would be something as:

no access-list inside_nat0_outbound extended permit ip any any

access-list inside_nat0_outbound extended permit ip 10.1.3.0 255.255.255.0 10.1.116.0 255.255.255.0

Could you clarify your networks being routed through the inside interface if any?

Regards

soujern69 Wed, 05/13/2009 - 14:13

Hello,

My scenario is as follows.

We have 3 campuses and need the asa for vpn only;

Campus 1

Core switch 172.16.248.254

Campus 2

Core switch 172.16.249.254

Campus 3 (asa location)

Core switch 172.16.250.50

On campus 1 I need to access 134.*.**6.0

On campus 2 I need to access 134.*.**0.0

On campus 3 I need to access 204.*.*.0

The config is a mess cause I've tried a few different things and am not very familiar with the asa.

If you need any other info let me know and I'll be happy to provide it. I did have this working at one time, but messed something up so cleared the config and started from scratch.

Thanks you!

JORGE RODRIGUEZ Wed, 05/13/2009 - 14:56

Steven,

Thanks for providing additional information.. indeed does help.. a simple diagram would also help if you can.

I believe your problem can be easily fixed, I would suggest to start simple, the key is to first work with the actual asa interfaces, specially your inside interface 10.1.3.0/24 which I would assume it has a connection to Campus 3 Core_switch_172.16.250.50 with a interface SVI under 10.1.3.x/24 ..

the rest of your networks from campus 1 and 2 do connect to

Core_switch_172.16.250.50? if so you can then instruct the ASA to route those networks via inside interface Campus 3 Core_switch.. again , a diagram would help a bit to see.

Suggestion :

1- Remove all these routes that pertains to RA VPN pool network (10.1.116.0/24)

no route inside 10.1.116.0 255.255.255.0 10.1.3.254 1

no route inside 10.1.116.0 255.255.255.0 no 172.16.250.50 1

no route inside 10.1.116.0 255.255.255.0 10.1.3.225 1

no route inside 172.16.250.50 255.255.255.255 10.1.116.254 1

no route inside 172.16.250.254 255.255.255.255 10.1.116.254 1

no route inside 204.*.*.240 255.255.255.255 10.1.116.0 1

then correct this acl.. we could taylor the nona acl later with a better acl summarizing all your inside networks for RA Network to access them.

no access-list inside_nat0_outbound extended permit ip any any

access-list inside_nat0_outbound extended permit ip 10.1.3.0 255.255.255.0 10.1.116.0 255.255.255.0

Get at least RA VPN 10.1.116.0/24 to talk to hosts in the 10.1.3.0/24 network.

Regards

[edit]

I will check the post a bit later to fruther assist you.

soujern69 Thu, 05/14/2009 - 05:27

Good morning Jorge,

I've attached the latest config and have tried to make the changes you suggested. Currently from the client I'm still unable to access any networks, but I can telnet into the inside interface and have access to everything. I'm still not sure on how to add an accurate inside route so i removed these for now until I hear back from you. So my guess it's either my natting or inside routes that I have incorrect. Yes the other networks do connect to the core at my location/asa site.

I very much appreciate your help and taking the time to look at this.

Thank you,

Steven

Attachment: 
JORGE RODRIGUEZ Thu, 05/14/2009 - 09:48

Hi Steven, thanks for the update..

Ok if I understand correctly your VPN RA Pool network 10.1.116.0 can now access your inside interface and any hosts withing the 10.1.3.0/24 network..pls confirm.

For the other networks we need to know the following .

Does your ASA inside interface localted in (Campus 3 location) has a connection to the core switch_172.16.250.50 under that same ASA inside subnet 10.1.3.0/24 .. if so what is its IP address, there is where you will route the rest of your campus networks provided Campus 3 core switch/router knows of all other inside networks.

For example.

Your ASA inside interface connecting to Campus 3 core switch must have an interface under same vlan as your inside interface of ASA.. say for sake of example that Core_switch in pampus 3 has interface ip of 10.1.3.XX

Are these networks behind your ASA ?

172.16.250.0/24

134.29.136.0/24

134.29.140.0/24

if so these have to be routed through Campus 3 core switch/router behind your inside asa interface.

routes in asa would be:

route inside 172.16.250.0 255.255.255.0 10.1.3.XX 1

route inside 134.29.136.0 255.255.255.0 10.1.3.XX 1

route inside 134.29.140.0 255.255.255.0 10.1.3.XX 1

I still have a feeling we're not geting complete picture fo your inside - Your point of entry for RA VPN is in CAMPUS 3 core switch, how are other campuses connected to campus 3? can you provide a diagram.

Regards

soujern69 Thu, 05/28/2009 - 07:40

Hello Jorge/all,

I've still been working on this and am at this point. I can connect to the vpn fine and ping everything at site 1 where the asa is located. Although I can ping a public server at 204 at site 1 I can't rdp into it which I need to do.

On sites 2 & 3 I'm unable to ping or access anything. What I need from these 2 sites are rdp access to the public 134 address's and nothing else.

I've tried to created a rough diagram to see if that will help you see our layout a little better.

The state controls the 3 routers connecting the campus's and has opened up the appropriate ports on site 1 so I know that is good.

On my workstation right now i have a 10.1.3 private address and am able to access everything at all locations when not going through the vpn. So I'm thinking I must be missing something quite simple.

I'll also attach the latest config.

Thank you!!

Attachment: 

Actions

This Discussion