Remote VPN - Connects but then what? ***Newbie ***

AutoootuA (Level 1)

I have a 5505 and this is my first time working with a Cisco unit. My Internet access works fine and my test configuration allows clients to connect fine. How do I allow my remote clients access to my inside network?

Accepted Solution

Hey tony,

So I assume that the PCs in your LAN use 192.168.78.1 as the default gateway and there is no route on the pfSense router to send these back to the ASA. Please correct me if I am wrong here.

Try adding a route on the pfSense router for the destination network 192.168.50.0/24 pointing to inside interface of ASA 192.168.78.254. Let me know if this works!!

regards,

Prapanch

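The accepted answer turns on the return path: the ASA delivers the VPN client's packets into the LAN, but the LAN side only knows its default gateway (the pfSense box), which has no route for the pool. The following model is an added example and is not code from the thread; it traces an echo request and its reply hop by hop with longest-prefix-match lookups. It assumes 192.168.78.1 is the pfSense LAN address, and it makes up a LAN host at 192.168.78.10 and an upstream next hop 203.0.113.1 for pfSense; the ASA is modelled with one /24 route for the pool instead of the per-client /32 a real ASA installs.

```python
"""Round-trip reachability model for the thread's topology (added example,
not part of the original post).  Constructed values: LAN host 192.168.78.10,
pfSense upstream next hop 203.0.113.1."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (prefix, next-hop); next-hop None means "directly connected".
Route = Tuple[ipaddress.IPv4Network, Optional[str]]
Tables = Dict[str, List[Route]]


def lookup(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match over one node's routing table."""
    best = None
    for net, nh in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def trace(tables: Tables, owner_of: Dict[str, str], src_node: str, dst: str,
          max_hops: int = 8) -> Tuple[List[str], bool]:
    """Forward one packet hop by hop; return (nodes visited, delivered?)."""
    dst_ip = ipaddress.ip_address(dst)
    node, path = src_node, [src_node]
    for _ in range(max_hops):
        if node == owner_of.get(dst):
            return path, True
        hit = lookup(tables[node], dst_ip)
        if hit is None:
            return path, False          # no matching route: dropped here
        _net, nh = hit
        nxt = owner_of.get(dst) if nh is None else owner_of.get(nh)
        if nxt is None:
            return path, False          # next hop is not a node we model: dropped
        path.append(nxt)
        node = nxt
    return path, False


def build_topology(pfsense_routes_pool: bool) -> Tuple[Tables, Dict[str, str]]:
    """Nodes and routing tables as described in the thread, with or without the fix."""
    lan = ipaddress.ip_network("192.168.78.0/24")
    pool = ipaddress.ip_network("192.168.50.0/24")
    default = ipaddress.ip_network("0.0.0.0/0")
    owner_of = {"192.168.50.1": "client", "192.168.78.254": "asa",
                "192.168.78.1": "pfsense", "192.168.78.10": "host",
                "203.0.113.1": "isp"}
    tables: Tables = {
        "client":  [(default, "192.168.78.254")],          # no split tunnel: all into the tunnel
        "asa":     [(lan, None), (pool, None)],             # pool reachable through the tunnel
        "pfsense": [(lan, None), (default, "203.0.113.1")], # LAN default gateway
        "host":    [(lan, None), (default, "192.168.78.1")],
        "isp":     [(ipaddress.ip_network("203.0.113.0/24"), None)],  # no route for RFC1918
    }
    if pfsense_routes_pool:   # the static route from the accepted answer
        tables["pfsense"].append((pool, "192.168.78.254"))
    return tables, owner_of


def round_trip(tables: Tables, owner_of: Dict[str, str], src: str, dst: str):
    """Trace the echo request and the echo reply as two separate packets."""
    return {"request": trace(tables, owner_of, owner_of[src], dst),
            "reply": trace(tables, owner_of, owner_of[dst], src)}


if __name__ == "__main__":
    for fixed in (False, True):
        t, o = build_topology(fixed)
        print("pfSense route for pool:", fixed, round_trip(t, o, "192.168.50.1", "192.168.78.1"))
```

Without the route, the request is delivered but the reply leaves pfSense towards its upstream and is dropped, which is exactly the one-way picture a capture on the inside interface shows; with the route, both directions complete.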

27 Replies

Let me rephrase. My VPN clients can connect fine. How do I allow them access to my "inside" network. I used a set of instructions like those to set up my VPN already. Once a VPN client connects, they can not telnet to a server on the "inside" network.

Hey Tony,

The reasons for that could be many, a few among them being a misconfigured NAT exemption, split tunnel, etc. Can you paste the configuration of the ASA?

Regards,

Prapanch

It was attached to the first post but here you go...

: Saved
:
ASA Version 7.2(4)
!
hostname vpn
domain-name test.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.78.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address aaa.bbb.ccc.250 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
access-list inside_nat0_outbound extended permit ip 192.168.78.0 255.255.255.0 192.168.50.0 255.255.255.240
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool TEST_POOL 192.168.50.1-192.168.50.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.78.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.78.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.78.0 255.255.255.0 inside
ssh timeout 5
console timeout 0


group-policy TEST internal
group-policy TEST attributes
vpn-tunnel-protocol IPSec
username test1 password Kg/Rgy23do7gPGTv encrypted privilege 15
username user1 password IzFIX6IZbh5HBYwq encrypted privilege 0
username user1 attributes
vpn-group-policy TEST
tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
address-pool TEST_POOL
default-group-policy TEST
tunnel-group TEST ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1b850c61dafeb89344fb6885c77d8e0c
: end
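The reply above lists a misconfigured NAT exemption as one common cause. On this pre-8.3 ASA the exemption is the `nat (inside) 0 access-list inside_nat0_outbound` line, and it only helps if the ACL destination covers every address the pool can hand out. The checker below is an added example, not code from the thread or from Cisco; it parses the three relevant lines of the posted configuration and reports pool addresses the ACL would not exempt. The pool's own `mask` is ignored on purpose because the exemption is decided by the ACL, not by the pool mask.

```python
"""NAT-exemption coverage check for pre-8.3 ASA syntax (added example)."""
import ipaddress
import re
from typing import Dict, List, Tuple

# The three lines that matter, copied from the configuration posted above.
CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.78.0 255.255.255.0 192.168.50.0 255.255.255.240
ip local pool TEST_POOL 192.168.50.1-192.168.50.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse(config: str):
    """Collect network/network ACL entries, address pools and nat 0 bindings."""
    acls: Dict[str, List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]] = {}
    pools: Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = {}
    nat0: Dict[str, str] = {}   # interface name -> ACL name
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
            continue
        m = POOL_RE.match(line)
        if m:
            name, lo, hi, _mask = m.groups()   # pool mask does not affect exemption
            pools[name] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)
    return acls, pools, nat0


def uncovered_pool_addresses(config: str, inside_if: str = "inside",
                             inside_net: str = "192.168.78.0/24") -> Dict[str, List[str]]:
    """Per pool, the addresses that no nat 0 entry exempts for traffic from inside_net."""
    acls, pools, nat0 = parse(config)
    inside = ipaddress.ip_network(inside_net)
    # Only entries whose source covers the inside LAN exempt LAN -> client traffic.
    exempt_dsts = [dst for src, dst in acls.get(nat0.get(inside_if, ""), [])
                   if inside.subnet_of(src)]
    result: Dict[str, List[str]] = {}
    for name, (lo, hi) in pools.items():
        missing, addr = [], lo
        while addr <= hi:                     # walk the pool range address by address
            if not any(addr in net for net in exempt_dsts):
                missing.append(str(addr))
            addr += 1
        result[name] = missing
    return result


if __name__ == "__main__":
    print(uncovered_pool_addresses(CONFIG))   # the posted config: nothing missing
    # Constructed variant: pool grown past the /28 the ACL exempts.
    grown = CONFIG.replace("192.168.50.1-192.168.50.10", "192.168.50.1-192.168.50.20")
    print(uncovered_pool_addresses(grown))
```

For the posted configuration the /28 in the ACL covers the ten-address pool, so NAT exemption is not the cause here; the constructed variant shows what the check reports when a pool is later enlarged without touching the ACL.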


Hi,

Can you paste the output of "show crypto ipsec sa" when the user is connected? Please add the command "management-access inside" and check if you are able to ping the interface IP address of the ASA, that is, 192.168.78.254?

Regards,

Prapanch

vpn# show crypto ipsec sa

interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: aaa.bbb.ccc.250


      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.1/255.255.255.255/0/0)
      current_peer: 75.204.140.75, username: user1
      dynamic allocated peer ip: 192.168.50.1


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0


      local crypto endpt.: aaa.bbb.ccc.250, remote crypto endpt.: 75.204.140.75


      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: FF43DD6E


    inbound esp sas:
      spi: 0x40B2B6D1 (1085454033)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28792
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xFF43DD6E (4282637678)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28792
         IV size: 8 bytes
         replay detection support: Y

After adding "management-access inside" I was able to ping 192.168.78.254. Before I was not able to ping.

Hi Tony,

Please apply captures on the ASA's inside interface and see if your packets are going out and coming back in as well. For a guide on applying captures, please use the below document:

https://supportforums.cisco.com/docs/DOC-1222

In short, for the above IPSec SA, when trying to ping 192.168.78.1, the capture will be configured as below:

access-list capi permit ip host 192.168.50.1 host 192.168.78.1

access-list capi permit ip host 192.168.78.1 host 192.168.50.1

capture capin access-list capi interface inside

To view the captures, use the command "show cap capin" and paste that output here when trying to ping that IP on the inside of the ASA. Also, please try adding the command "sysopt connection permit-vpn" and see if it makes any difference. Let me know how it goes!!

Regards,

Prapanch

I posted the same question but no one bothered answering..... any success on your problem?!?!?

satuser001 wrote:

I posted the same question but no one bothered answering..... any success on your problem?!?!?

Still working on a solution...

vpn(config)# show cap capin

4 packets captured

   1: 11:18:49.924878 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   2: 11:18:54.862870 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   3: 11:19:00.360760 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   4: 11:19:05.842989 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request

4 packets shown

This was before adding "sysopt connection permit-vpn". Adding it made no change.
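The capture above is the decisive piece of evidence: four echo requests from the client arrive on the inside interface and not a single reply comes back, so the tunnel, NAT exemption and ACLs are already doing their job and the problem is on the LAN side. The parser below is an added example, not something from the thread; it reads `show cap` output in the format shown, pairs ICMP echo requests with replies per client/host pair, and labels one-way traffic. The "healthy" sample at the end is constructed to show the other outcome.

```python
"""Pair ICMP echo requests and replies from ASA 'show cap' output (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# The capture output posted above.
SHOW_CAP = """\
4 packets captured

   1: 11:18:49.924878 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   2: 11:18:54.862870 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   3: 11:19:00.360760 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   4: 11:19:05.842989 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request

4 packets shown
"""

# Constructed sample of what a working return path looks like in the same format.
SHOW_CAP_HEALTHY = """\
4 packets captured

   1: 12:00:00.000100 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   2: 12:00:00.000900 802.1Q vlan#1 P0 192.168.78.1 > 192.168.50.1: icmp: echo reply
   3: 12:00:01.000100 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   4: 12:00:01.000800 802.1Q vlan#1 P0 192.168.78.1 > 192.168.50.1: icmp: echo reply

4 packets shown
"""

# Packet number, timestamp, optional 802.1Q tag, src > dst, ICMP echo type.
LINE_RE = re.compile(
    r"^\s*\d+:\s+(\S+)\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}): icmp: echo (request|reply)")


def parse_capture(text: str) -> List[Dict[str, str]]:
    """Return one dict per ICMP echo line; other packet types are ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, kind = m.groups()
            pkts.append({"ts": ts, "src": src, "dst": dst, "kind": kind})
    return pkts


def diagnose(pkts: List[Dict[str, str]]) -> Dict[Tuple[str, str], Dict[str, object]]:
    """For each (client, host) pair, count requests and matching replies."""
    requests = Counter((p["src"], p["dst"]) for p in pkts if p["kind"] == "request")
    replies = Counter((p["src"], p["dst"]) for p in pkts if p["kind"] == "reply")
    findings = {}
    for (client, host), n_req in requests.items():
        n_rep = replies.get((host, client), 0)   # a reply is host -> client
        if n_rep == 0:
            verdict = "no replies: host or its default gateway has no route back to the VPN pool"
        elif n_rep < n_req:
            verdict = "partial replies: intermittent loss or rate limiting on the LAN side"
        else:
            verdict = "ok"
        findings[(client, host)] = {"requests": n_req, "replies": n_rep, "verdict": verdict}
    return findings


if __name__ == "__main__":
    for label, cap in (("posted", SHOW_CAP), ("healthy", SHOW_CAP_HEALTHY)):
        print(label, diagnose(parse_capture(cap)))
```

Because the capture ACL matched both directions, an empty reply column means the replies never reached the ASA's inside interface at all, which points at the host or its gateway rather than at the firewall.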

Would appreciate it if you could let me know as soon as you do......

Just in-case I forget to check... thx m8

Hey tony,

That's interesting. Can you ping that IP from the ASA, that is, 192.168.78.1? Also, please paste the outputs of "show cap" and "show run access-list" from the ASA. Just want to confirm the captures have been applied right.

If they are, it seems like the hosts are not replying back to the echo requests from the VPN client. You might want to have a look at that host and see if there is any kind of firewall that could be blocking pings.

Regards,

Prapanch

vpn# ping 192.168.78.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.78.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
vpn# show cap        
capture capin type raw-data access-list capi interface inside [Capturing - 752 bytes]
vpn# show run access-list
access-list inside_nat0_outbound extended permit ip 192.168.78.0 255.255.255.0 192.168.50.0 255.255.255.240
access-list capi extended permit ip host 192.168.50.1 host 192.168.78.1
access-list capi extended permit ip host 192.168.78.1 host 192.168.50.1

Hey Tony,

The captures seem ok. As I said, please have a check as to why the host is not replying to echo requests. Maybe a firewall or a misconfigured route.

regards,

Prapanch
