Cisco VPN Client cannot connect to Internal LAN

Unanswered Question
Jul 14th, 2010
Hi,

I've already configured Cisco VPN remote access. The connection is fine and I can establish a VPN, but the problem is that after connecting to the VPN I cannot access any internal IP on my LAN. My LAN IP is 10.238.151.0/24.

Here is my config:

ASA# sh run
: Saved
:
ASA Version 8.0(4)
!
hostname CISCOASA
domain-name
enable password LmE6IK3nzBzzPpel encrypted
passwd 2745OAJS2l2oSQqc encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xxx.xxx.9.194 255.255.255.224 standby xxx.xxx.9.195
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.238.10.50 255.255.255.0 standby 10.238.10.52
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.238.1 255.255.255.0 standby 192.168.238.2
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone PHST 8
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.236.9.21
name-server 10.238.9.21
domain-name travellers
same-security-traffic permit intra-interface
object-group network NG_PROXY
network-object host 10.238.10.64
network-object host 10.238.10.252
object-group service SG_PROXY tcp-udp
port-object eq 443
port-object eq 20
port-object eq 21
port-object eq www
port-object eq domain
port-object eq 82
port-object eq 83
object-group network NG_IRONPORT_DMZ
network-object host 192.168.238.67
object-group network NG_SMTP_SERVER
network-object host 10.238.9.18
object-group icmp-type ALLOWPING
icmp-object echo
icmp-object time-exceeded
icmp-object echo-reply
icmp-object traceroute
icmp-object source-quench
icmp-object unreachable
object-group network NG_Domain_Server
network-object host 10.238.9.21
network-object host 10.238.9.22
object-group service NG_Domain_Server-udp udp
port-object eq domain
port-object eq 20
port-object eq 21
port-object eq 23
port-object eq 443
port-object eq 8500
object-group network NG_VR
network-object host 192.168.238.29
object-group service SG_VR tcp
port-object eq 85
port-object eq www
object-group service SG_IRONPORT_DMZ tcp-udp
port-object eq www
port-object eq 443
port-object eq domain
port-object eq 20
port-object eq 21
port-object eq 23
port-object eq 25
port-object eq 83
port-object eq 82
object-group network PASSTEST
description passthrough
network-object 10.238.151.0 255.255.255.0
network-object 10.238.98.0 255.255.255.0
network-object 10.238.134.0 255.255.255.0
network-object 10.238.230.0 255.255.255.0
network-object 10.238.229.0 255.255.255.0
network-object 10.238.97.0 255.255.255.0
network-object host 10.238.10.253
network-object host 10.238.10.254
network-object 10.238.144.0 255.255.255.0
network-object 10.238.136.0 255.255.255.0
network-object host 10.238.150.38
network-object host 10.237.9.145
network-object host 10.238.9.21
network-object host 10.238.150.252
network-object host 10.237.9.147
network-object 10.238.138.0 255.255.255.0
network-object 10.238.152.0 255.255.255.0
object-group network NG-VLAN150-IT
network-object 10.238.150.0 255.255.255.0
network-object 10.236.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.88.0.0 255.255.255.0
access-list inside_access_in extended permit ip 10.236.0.0 255.255.0.0 host 192.168.238.67
access-list inside_access_in extended permit ip 10.237.9.0 255.255.255.0 host 192.168.238.67
access-list inside_access_in extended permit ip 10.238.9.0 255.255.255.0 host 192.168.238.67
access-list inside_access_in extended permit udp object-group NG_Domain_Server any object-group NG_Domain_Server-udp
access-list inside_access_in extended permit tcp object-group NG_PROXY any object-group SG_PROXY
access-list inside_access_in extended permit udp object-group NG_PROXY any object-group SG_PROXY
access-list inside_access_in extended permit ip host 10.238.10.252 host 222.127.140.49
access-list inside_access_in extended permit ip host 10.238.10.252 host 210.213.147.1
access-list inside_access_in extended permit udp host 10.238.9.21 any eq domain
access-list inside_access_in extended permit ip object-group NG-VLAN150-IT host 192.168.238.67
access-list inside_access_in extended permit ip object-group PASSTEST any
access-list inside_access_in extended permit tcp host 10.238.150.42 any eq 5938
access-list inside_access_in extended permit ip object-group NG-VLAN150-IT host 192.168.238.65
access-list inside_access_in extended permit ip any host 10.237.9.145
access-list inside_access_in extended permit icmp any any object-group ALLOWPING
access-list dmz_access_in extended permit icmp any any echo
access-list dmz_access_in extended permit icmp any any echo-reply
access-list dmz_access_in extended permit icmp any any time-exceeded
access-list dmz_access_in extended permit ip 192.168.238.0 255.255.255.0 10.238.0.0 255.255.0.0
access-list dmz_access_in extended permit tcp host 192.168.238.156 any eq 3200
access-list dmz_access_in extended permit tcp host 192.168.238.156 any eq 3389
access-list dmz_access_in extended permit tcp host 192.168.238.156 any eq 47
access-list dmz_access_in extended permit ip host 192.168.238.252 any
access-list dmz_access_in extended permit ip host 192.168.238.67 any
access-list dmz_access_in extended permit ip host 192.168.238.67 host 10.238.9.18
access-list dmz_access_in extended permit ip host 192.168.238.65 any
access-list dmz_access_in extended permit ip any host 10.237.9.145
access-list outside_access_in extended permit udp any host xxx.xxx.9.199 eq domain
access-list outside_access_in extended permit tcp any host xxx.xxx.9.197 eq www
access-list outside_access_in extended permit tcp any host xxx.xxx.9.197 eq smtp
access-list outside_access_in extended permit tcp any host xxx.xxx.9.197 eq 83
access-list outside_access_in extended permit tcp any host xxx.xxx.9.197 eq 82
access-list outside_access_in extended permit tcp any host xxx.xxx.9.198 eq 85
access-list outside_access_in extended permit tcp any host xxx.xxx.9.198 eq www
access-list outside_access_in extended permit tcp any host xxx.xxx.9.200 eq pptp
access-list outside_access_in extended permit tcp any host xxx.xxx.9.200 eq 47
access-list outside_access_in extended permit tcp any host xxx.xxx.9.197 eq telnet
access-list outside_access_in extended permit tcp any host xxx.xxx.9.197 eq ssh
access-list outside_access_in extended permit icmp any any object-group ALLOWPING
access-list outside_access_in extended permit tcp any host xxx.xxx.9.222 eq smtp
access-list outside_access_in extended permit ip any host 10.237.9.145
access-list 99 extended permit ip any any
access-list 99 extended deny ip any host 10.238.10.252
access-list Split_Tunnel_List remark RWMnetwork
access-list Split_Tunnel_List standard permit 10.0.0.0 255.0.0.0
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit 10.238.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffered informational
logging asdm informational
logging host inside 10.238.10.254
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool rwclient 10.88.0.100-10.88.0.200 mask 255.255.255.0
no failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover replication http
failover link failover GigabitEthernet0/3
failover interface ip failover 173.16.1.1 255.255.255.0 standby 173.16.1.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 xxx.xxx.9.200
global (outside) 2 xxx.xxx.9.198
global (outside) 3 xxx.xxx.9.197
global (outside) 5 xxx.xxx.9.204
global (outside) 4 xxx.xxx.9.199
nat (inside) 4 10.238.9.21 255.255.255.255
nat (inside) 4 10.238.10.64 255.255.255.255
nat (inside) 4 10.238.10.252 255.255.255.255
nat (inside) 4 10.238.10.253 255.255.255.255
nat (inside) 4 10.238.10.254 255.255.255.255
nat (inside) 4 10.238.150.38 255.255.255.255
nat (inside) 4 10.238.150.252 255.255.255.255
nat (inside) 4 10.238.97.0 255.255.255.0
nat (inside) 4 10.238.98.0 255.255.255.0
nat (inside) 4 10.238.134.0 255.255.255.0
nat (inside) 4 10.238.136.0 255.255.255.0
nat (inside) 4 10.238.138.0 255.255.255.0
nat (inside) 4 10.238.144.0 255.255.255.0
nat (inside) 4 10.238.151.0 255.255.255.0
nat (inside) 4 10.238.229.0 255.255.255.0
nat (inside) 4 10.238.230.0 255.255.255.0
nat (dmz) 5 192.168.238.65 255.255.255.255
nat (dmz) 3 192.168.238.67 255.255.255.255
nat (dmz) 1 192.168.238.156 255.255.255.255
nat (dmz) 4 192.168.238.252 255.255.255.255
static (inside,outside) tcp xxx.xxx.9.198 82 10.238.9.29 82 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.9.198 85 10.238.9.29 85 netmask 255.255.255.255
static (inside,dmz) 10.238.0.0 10.238.0.0 netmask 255.255.0.0
static (inside,dmz) 10.236.0.0 10.236.0.0 netmask 255.255.0.0
static (inside,dmz) 192.168.238.0 192.168.238.0 netmask 255.255.255.0
static (dmz,outside) xxx.xxx.9.222 192.168.238.252 netmask 255.255.255.255
static (dmz,outside) xxx.xxx.9.197 192.168.238.67 netmask 255.255.255.255
static (dmz,outside) xxx.xxx.9.200 192.168.238.156 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.9.193 1
route inside 10.236.0.0 255.255.0.0 10.238.10.1 1
route inside 10.237.0.0 255.255.0.0 10.238.10.1 1
route inside 10.237.9.145 255.255.255.255 10.238.10.1 1
route inside 10.238.0.0 255.255.0.0 10.238.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server iasvpn protocol radius
aaa-server iasvpn (inside) host 10.238.10.173
timeout 5
key travellers
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 10.238.10.252 community travellers
no snmp-server location
no snmp-server contact
snmp-server community travellers
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy RWMvpn internal
group-policy RWMvpn attributes
dns-server value 10.238.9.21 10.237.9.21
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Local_LAN_Access
default-domain value travellers.ph
username froilan password k6E3A3hXN2XTd8Qj encrypted
username rexcoles password tAaH42WQWu2vc.J2 encrypted privilege 15
username elmer password RH6ZHidXJ4X13LLM encrypted privilege 15
username alex password XJ78uNkRgooxuElB encrypted privilege 15
tunnel-group RWMvpn type remote-access
tunnel-group RWMvpn general-attributes
address-pool rwclient
authentication-server-group iasvpn
default-group-policy RWMvpn
tunnel-group RWMvpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect pptp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0c94bd8f01a8c9e5cb82b14c1435b18f
: end
ASA#

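Two things can be checked mechanically against the pasted config before chasing routing: which prefixes the applied split-tunnel ACL actually sends through the tunnel (the group policy references Local_LAN_Access, which permits only 10.238.10.0/24, while Split_Tunnel_List is defined but not applied), and whether the inside_nat0_outbound exemption ACL is bound to any nat 0 statement (no such line appears in the paste). This is an added example, not the poster's or Cisco's code; the config excerpt is a constructed subset of the running config above, and the check names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 8.0(4) running config pasted above: only the
# lines these checks need, with the object names exactly as they appear there.
ASA_CONFIG = """
access-list inside_nat0_outbound extended permit ip any 10.88.0.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.0.0.0 255.0.0.0
access-list Local_LAN_Access standard permit 10.238.10.0 255.255.255.0
ip local pool rwclient 10.88.0.100-10.88.0.200 mask 255.255.255.0
nat (inside) 4 10.238.151.0 255.255.255.0
group-policy RWMvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access
"""


def split_tunnel_acl(config):
    """Name of the ACL the group policy applies as its split-tunnel list, or None."""
    m = re.search(r"^\s*split-tunnel-network-list value (\S+)\s*$", config, re.M)
    return m.group(1) if m else None


def split_tunnel_networks(config):
    """Prefixes the client routes into the tunnel under 'split-tunnel-policy tunnelspecified'."""
    acl = split_tunnel_acl(config)
    if acl is None:
        return []
    line = re.compile(r"^access-list %s standard permit (\S+) (\S+)\s*$" % re.escape(acl), re.M)
    return [ipaddress.ip_network(f"{net}/{mask}") for net, mask in line.findall(config)]


def is_tunneled(config, dest):
    """True if a client will send traffic for dest over the tunnel at all."""
    d = ipaddress.ip_address(dest)
    return any(d in n for n in split_tunnel_networks(config))


def nat_exempt_bound(config, acl="inside_nat0_outbound"):
    """True if the exemption ACL is bound with a 'nat (<if>) 0 access-list' line.

    Defining the ACL alone does nothing; unbound, inside-to-pool return traffic
    is still subject to the ordinary 'nat (inside) N' rules.
    """
    return re.search(r"^nat \(\w+\) 0 access-list %s\s*$" % re.escape(acl), config, re.M) is not None


def diagnose(config, dest):
    """Summarise both checks for one internal destination address."""
    return {"split_tunnel_acl": split_tunnel_acl(config),
            "dest_in_split_tunnel": is_tunneled(config, dest),
            "nat_exempt_bound": nat_exempt_bound(config)}
```

Run diagnose(ASA_CONFIG, "10.238.151.10") against the full paste as well; the same two findings come back, since the rest of the config adds no further split-tunnel or nat 0 lines.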
Marcin Latosiewicz (Cisco Employee) Thu, 07/15/2010 - 03:10

Froilan,

Does that IP subnet know that RA users are behind the ASA (routing-wise)? Are you able to ping the inside interface of the ASA (it's not allowed in the current config, but you can fix this)? Or anything on 10.238.10.0/24?
