VPN client cannot view internal subnet. I almost have it....

rbtdublin
Level 1

In summary my VPN clients can connect but cannot view the internal subnet or access the internet.

I also want my vpn client to access the web over the VPN for additional security. i.e. I don't want to split connection.

I've spent an age on this and I know I'm close.

I have an ASA 5505.

Outside network successfully connected to its own dedicated modem to internet over pppoe.

ASA inside network address is 192.168.8.104

Office lan is on 192.168.8.*

If I plug a laptop into one of the ASA ports I can access the web.

Office domain controller/dhcp server/dns is on 192.168.8.100

Office default gateway is 192.168.8.1 which is a modem/router on a second broadband line.

I've configured the VPN on its own subnet for 192.168.9.65-192.168.9.126 mask 255.255.255.192

For now I'm happy using a user list for authentication but I will switch to NT Domain once everything else is working.

Can someone help me spot the obvious?

Config attached

thanks

11 Replies

Jitendriya Athavale
Cisco Employee

route inside 192.168.9.0 255.255.255.0 192.168.8.104 1

Please remove this and just keep the default route.

I removed the route but the problem remains.

Since you are tunneling every request from the VPN client, for the client to reach the internet he needs to get NAT (overload) from your external IP. This is how you do it:

1>

access-list split-in ext permit ip 192.168.9.64 255.255.255.192 any

nat (outside) 1 access-list split-in

Even though I prefer having a split tunnel for internet traffic and tunneling only private IPs plus whitelisted web sites, if any.

2> You need NAT exemption for internal traffic to VPN traffic.

You need to remove your single no-NAT statement and then configure this:

access-list nonat ext permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

nat (inside) 0 access-list nonat

3> Set up a reverse route statement:

crypto dynamic-map outside_dyn_map 20 set reverse-route

Try it and let me know if you see any other problems.

thanks

I see you have the following:

crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA

Is there any particular reason why you need all of them? Can you remove 40, 60 and 80 and keep only 20:

crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set reverse-route

Secondly, can you give the following commands:

sysopt connection permit-vpn

management-access inside

After doing this, can you try to ping the VLAN 1 IP, which is 192.168.8.104?

Once you have done that, let me know whether you can ping the firewall IP or not.

If you are not able to ping it, then please paste the following output:

sh crypto ipsec sa peer

sh vpn-sessiondb remote

Thank you for the replies.

I have applied all the suggested changes.

I can now ping the ASA box (192.168.8.104) from the VPN client, but nothing else.

Updated config settings attached.

I take it the VPN wizard in the Cisco ASDM just doesn't cut it.

So you have two internet connections, right? One through the ASA and the other through a secondary line, which is the default gateway for your LAN. In that case, since your LAN does not know where to send the ICMP reply (basically it doesn't have a route pointing back to the ASA), it is going to send it to the default gateway and thus fails.

You can test it by adding a route on any PC (route add 192.168.9.x mask 255.255.255.0) and see if you are getting a reply from that particular host. Another way is to PAT all your VPN client connections to the inside interface of your ASA, that is:

global (inside) 1 interface

Since your LAN knows where the ASA is, it will send all reply packets to the ASA instead of the secondary internet connection. But this works only when you initiate the traffic from the client and not the other way round.

Could you please brief me as to why you have put these commands and whether you have any specific requirement?

nat (outside) 1 access-list split-in

Can you make this more specific:

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

Make it say:

access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.9.0 255.255.255.0

Then try to ping any of the hosts, and collect the following output for us:

sh crypto ipsec sa
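The asymmetric-return-path reasoning above, as an added illustration that is not part of the thread: a constructed model of the office PC's routing table (connected 192.168.8.0/24, default gateway 192.168.8.1, ASA inside 192.168.8.104, VPN pool 192.168.9.64/26) showing where a reply to a VPN client goes with no fix, with the manual `route add`, and with `global (inside) 1 interface`. The topology values are taken from the thread; the function names are this example's own.

```python
import ipaddress

# Constructed topology from the thread: office LAN 192.168.8.0/24 whose default
# gateway is the second broadband router, ASA inside interface 192.168.8.104,
# and the VPN client pool 192.168.9.65-126 (192.168.9.64/26).
ASA_INSIDE = ipaddress.ip_address("192.168.8.104")
LAN_GATEWAY = ipaddress.ip_address("192.168.8.1")
VPN_POOL = ipaddress.ip_network("192.168.9.64/26")


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs.
    A gateway of None means the network is directly connected, so the
    packet is delivered straight to dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return dst if best[1] is None else best[1]


def lan_host_routes(static_vpn_route=False):
    """Routing table of an office PC. static_vpn_route=True models the manual
    `route add 192.168.9.0 mask 255.255.255.0 192.168.8.104` suggested above."""
    routes = [
        (ipaddress.ip_network("192.168.8.0/24"), None),   # connected LAN
        (ipaddress.ip_network("0.0.0.0/0"), LAN_GATEWAY),  # second broadband line
    ]
    if static_vpn_route:
        routes.append((ipaddress.ip_network("192.168.9.0/24"), ASA_INSIDE))
    return routes


def reply_next_hop(client_ip, static_vpn_route=False, pat_to_inside=False):
    """Next hop an office PC uses for its reply to a VPN client's packet.
    pat_to_inside models `global (inside) 1 interface`: the PC sees the ASA
    inside address as the source, so the reply is delivered to the ASA.
    Note this only helps for client-initiated traffic; a LAN-initiated packet
    to the real client address still follows the no-PAT path below."""
    if ipaddress.ip_address(client_ip) not in VPN_POOL:
        raise ValueError(f"{client_ip} is not in the VPN pool")
    seen_source = ASA_INSIDE if pat_to_inside else ipaddress.ip_address(client_ip)
    return next_hop(lan_host_routes(static_vpn_route), seen_source)


def reply_reaches_asa(client_ip, **fixes):
    """True when the reply lands on the ASA and can be tunnelled back."""
    return reply_next_hop(client_ip, **fixes) == ASA_INSIDE
```

With no fix the reply leaves via 192.168.8.1 and never reaches the tunnel; either fix steers it to 192.168.8.104.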

Hi,

Did you ever solve this issue? I am having a similar issue with my L2TP clients. The strange thing is that my Cisco VPN clients are just fine. If you solve it, please let me know what you did.

Thanks,

Hi,

Your Cisco VPN clients can view the internal subnet but your L2TP clients cannot?

Do they use the same pool?

Federico.

Yes, they use the same pool. I have to enter the route manually on the L2TP client for it to access the internal net:

route add 192.168.24.0 mask 255.255.254.0 172.16.10.x where x is whatever the pool assigns.

object-group network DMZ
network-object 192.168.24.0 255.255.254.0

object-group network RAS_Users
network-object 172.16.10.0 255.255.255.0

access-list RAVPN_Split_Tunnel standard permit 192.168.24.0 255.255.254.0
access-list nonat-traffic extended permit ip object-group DMZ object-group RAS_Users

ip local pool CARTVPN 172.16.10.1-172.16.10.254

nat (inside) 0 access-list nonat-traffic

crypto ipsec transform-set NJ1 esp-3des esp-md5-hmac
crypto ipsec transform-set CART-PPTP esp-3des esp-sha-hmac
crypto ipsec transform-set CART-PPTP mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 20 set transform-set CART-PPTP NJ1

crypto dynamic-map dynmap 20 set reverse-route

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN_Split_Tunnel

tunnel-group DefaultRAGroup general-attributes
address-pool CARTVPN
authentication-server-group CART-RADIUS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2

group-policy DMZ-RA-VPN-GROUP internal
group-policy DMZ-RA-VPN-GROUP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN_Split_Tunnel

tunnel-group DMZ-RA-VPN-GROUP type remote-access
tunnel-group DMZ-RA-VPN-GROUP general-attributes
address-pool CARTVPN
authentication-server-group CART-RADIUS
default-group-policy DMZ-RA-VPN-GROUP
tunnel-group DMZ-RA-VPN-GROUP ipsec-attributes
pre-shared-key *****

Hi,

Thanks to those who replied to my original question, and apologies for not replying in turn.

I tried all the suggested changes and got as far as having a client connect to the VPN that could reach the ASA IP address but still not access other machines on the subnet.

In the end we had made too many changes without understanding their implications and decided to hire a company to configure the device for us.

This in itself has been a trial and I wouldn't recommend Cisco to any other small business, but that's for another day.
