IPSEC Remote Access VPN Issue

Unanswered Question
Jul 12th, 2010

Hello All,

I have just set up an IPSEC Remote Access VPN. I can log in from the client with no problem. I receive an IP address from a separate Pool than my Inside network DHCP Pool. I desire to browse everything inside my (inside Interface) network whenever I log into a session using the Cisco VPN software from home. My current config is below. This is a lab. Thanks.


!
hostname Cisco
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.75.0 VPN_Pool
!
interface Vlan1
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan2
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan3
no forward interface Vlan2
nameif dmz
security-level 50
ip address 192.168.4.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list VPN_to_Inside extended permit ip VPN_Pool 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_in extended permit icmp any host 192.168.2.108 echo-reply
access-list outside_in extended permit icmp any host 192.168.2.108 echo
access-list outside_in extended permit icmp any host 192.168.2.108 source-quench
access-list outside_in extended permit icmp any host 192.168.2.108 time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool IPSec_Pool 192.168.75.100-192.168.75.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
nat (dmz) 1 192.168.4.0 255.255.255.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.50 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.3.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment url http://192.168.2.75:80/certsrv/mscep/mscep.dll
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment url http://192.168.2.75:80/certsrv/mscep/mscep.dll
subject-name CN=Douglasville,OU=Sales,O=MEMORY,C=US,St=Ga
password *
keypair SeCuReCeRt
no client-types
crl configure
crypto ca certificate map IPSEC_RA_MAP 10
subject-name attr c eq us
crypto ca certificate chain ASDM_TrustPoint0
certificate ca 595d7d967fc0bb954e064dc521c20fb4
  quit
crypto ca certificate chain ASDM_TrustPoint1
certificate 610db8f0000000000004
  quit
certificate ca 595d7d967fc0bb954e064dc521c20fb4
  quit
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 5
lifetime 86400
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 outside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd dns 4.2.2.2
dhcpd lease 86400
!
dhcpd address 192.168.3.10-192.168.3.40 inside
dhcpd enable inside
!
dhcpd address 192.168.4.10-192.168.4.40 dmz
dhcpd enable dmz
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
group-policy IPSec_GroupPolicy internal
group-policy IPSec_GroupPolicy attributes
banner value Stop Before You are Killed
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_to_Inside
username real password Zf.vD9EVqNx1RBn1 encrypted privilege 15
username roll out password f3UhLvUj1QsXsuK7 encrypted privilege 15
username megass password NCOwt6Y1yyHWkTXh encrypted privilege 15
tunnel-group IPSec_RemoteAccessVPN type remote-access
tunnel-group IPSec_RemoteAccessVPN general-attributes
address-pool IPSec_Pool
default-group-policy IPSec_GroupPolicy
tunnel-group IPSec_RemoteAccessVPN ipsec-attributes
trust-point ASDM_TrustPoint1
tunnel-group-map enable rules
tunnel-group-map IPSEC_RA_MAP 10 IPSec_RemoteAccessVPN
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c3c4e5f9df83eb993109c01de5a99df4
: end

Jason Gervia Tue, 07/13/2010 - 05:42

I'm not sure if this is your only issue, but you're missing a nat exemption rule so that return traffic from your internal lan destined for your vpn pool doesn't get natted, so you'll need something similar to this:

access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.75.0 255.255.255.0

nat (inside) 0 access-list nonat
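As an added check (not from the thread, Cisco, or Jason's reply), the Python below lints an ASA 8.2-style config for exactly this gap: it finds the `ip local pool` subnet and reports whether a `nat (inside) 0 access-list` exemption exists whose ACL destination covers that pool. The config excerpt is constructed from lines in the post above, and `pool_network`/`nat_exempt_ok` are hypothetical names.

```python
import re
import ipaddress

# Constructed excerpt of the ASA 8.2 config posted in the thread: the VPN
# pool and the inside NAT rule, but no nat 0 exemption for the pool.
CONFIG_MISSING = """
name 192.168.75.0 VPN_Pool
ip local pool IPSec_Pool 192.168.75.100-192.168.75.200 mask 255.255.255.0
nat (inside) 1 192.168.3.0 255.255.255.0
"""
# The same excerpt with the exemption Jason suggested appended.
CONFIG_FIXED = CONFIG_MISSING + """
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.75.0 255.255.255.0
nat (inside) 0 access-list nonat
"""
NAME_RE = re.compile(r"^name (\S+) (\S+)")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")

def _matches(regex, config):
    """Yield regex matches over the stripped lines of the config."""
    for ln in config.splitlines():
        m = regex.match(ln.strip())
        if m:
            yield m

def pool_network(config):
    """Subnet of the first `ip local pool` (192.168.75.0/24 for the thread)."""
    for m in _matches(POOL_RE, config):
        return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return None

def nat_exempt_ok(config, iface="inside"):
    """True if `nat (iface) 0 access-list X` exists and X has a `permit ip`
    entry whose destination covers the whole VPN pool subnet."""
    pool = pool_network(config)
    if pool is None:
        return False
    # Resolve `name <ip> <alias>` so ACLs written with aliases still parse.
    names = {m.group(2): m.group(1) for m in _matches(NAME_RE, config)}
    acl_dsts = {}
    for m in _matches(ACL_RE, config):
        dst = names.get(m.group(4), m.group(4))
        acl_dsts.setdefault(m.group(1), []).append(
            ipaddress.ip_network(f"{dst}/{m.group(5)}", strict=False))
    return any(m.group(1) == iface
               and any(pool.subnet_of(d) for d in acl_dsts.get(m.group(2), []))
               for m in _matches(NAT0_RE, config))
```

Run `nat_exempt_ok(open("running-config").read())` against a saved config to see whether the inside-to-pool exemption is present before debugging anything else.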

Charlie Mayes Tue, 07/13/2010 - 10:04

Hello Jason,

I did what you said and it did not work. I have noticed that the sent traffic was encrypted but there was no returned decrypted traffic. It seems as if traffic leaves the software client going to the inside interface of the ASA but not returning. Should there be a route or ACL in place to make the inside network browsable from the laptop software VPN client? Thanks.
