09-14-2010 04:13 PM
I have a 5505 and this is my first time working with a Cisco unit. My Internet access works fine and my test configuration allows clients to connect fine. How do I allow my remote clients access to my inside network?
09-15-2010 07:04 PM
Hey tony,
So I assume that the PCs in your LAN use 192.168.78.1 as the default gateway and there is no route on the pfSense router to send these back to the ASA. Please correct me if I am wrong here.
Try adding a route on the pfSense router for the destination network 192.168.50.0/24 pointing to inside interface of ASA 192.168.78.254. Let me know if this works!!
regards,
Prapanch
09-14-2010 04:28 PM
09-14-2010 04:36 PM
Let me rephrase. My VPN clients can connect fine. How do I allow them access to my "inside" network? I used a set of instructions like those to set up my VPN already. Once a VPN client connects, they cannot telnet to a server on the "inside" network.
09-14-2010 05:43 PM
Hey Tony,
The reason for that could be many, a few among them being a misconfigured NAT exemption, split tunnel, etc. Can you paste the configuration of the ASA?
Regards,
Prapanch
09-14-2010 06:41 PM
It was attached to the first post but here you go...
: Saved
:
ASA Version 7.2(4)
!
hostname vpn
domain-name test.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.78.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address aaa.bbb.ccc.250 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
access-list inside_nat0_outbound extended permit ip 192.168.78.0 255.255.255.0 192.168.50.0 255.255.255.240
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool TEST_POOL 192.168.50.1-192.168.50.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.78.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.78.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.78.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
group-policy TEST internal
group-policy TEST attributes
 vpn-tunnel-protocol IPSec
username test1 password Kg/Rgy23do7gPGTv encrypted privilege 15
username user1 password IzFIX6IZbh5HBYwq encrypted privilege 0
username user1 attributes
 vpn-group-policy TEST
tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
 address-pool TEST_POOL
 default-group-policy TEST
tunnel-group TEST ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1b850c61dafeb89344fb6885c77d8e0c
: end
09-14-2010 09:01 PM
Hi,
Can you paste the output of "show crypto ipsec sa" when the user is connected? Please add the command "management-access inside" and check if you are able to ping the interface IP address of the ASA, that is, 192.168.78.254.
Regards,
Prapanch
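The three configuration points raised in this thread (the NAT exemption for the VPN pool, "sysopt connection permit-vpn" and "management-access inside") can be checked mechanically against a "show run". The following Python script is an added example and is not from this thread or from Cisco: it parses a constructed excerpt of the posted configuration, verifies that every address in the tunnel-group's pool is covered by the nat 0 ACL, and reports the two sysopt/management-access conditions. Function names and the two config excerpts are my own; only the "network mask" ACE form used in the posted ACL is parsed.

```python
import ipaddress
import re

# Constructed excerpt modelled on the ASA 7.2(4) "show run" posted in this thread;
# only the lines the checks below look at are kept.
GOOD_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.78.254 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.78.0 255.255.255.0 192.168.50.0 255.255.255.240
ip local pool TEST_POOL 192.168.50.1-192.168.50.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.78.0 255.255.255.0
management-access inside
tunnel-group TEST general-attributes
 address-pool TEST_POOL
"""

# Constructed variant with two defects: the exemption ACL shrinks to a /29, so pool
# addresses .8-.10 fall outside it, and decrypted VPN traffic is made subject to
# the interface ACLs.
BAD_CONFIG = (GOOD_CONFIG.replace("192.168.50.0 255.255.255.240", "192.168.50.0 255.255.255.248")
              + "no sysopt connection permit-vpn\n")

RE_POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+")
# Only the "network mask" ACE form used in the thread is parsed (no host/any/object).
RE_ACL = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
RE_NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
RE_ADDRPOOL = re.compile(r"^\s+address-pool (\S+)")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect the items needed to reason about VPN-client access to the inside LAN."""
    cfg = {"inside_net": None, "pools": {}, "acls": {}, "nat0_acls": [],
           "used_pools": set(), "permit_vpn": True, "mgmt_access_inside": False}
    in_inside = False
    for line in text.splitlines():
        s = line.strip()
        if line.startswith("interface "):
            in_inside = False              # a new interface block starts
        elif s == "nameif inside":
            in_inside = True
        elif in_inside and s.startswith("ip address "):
            parts = s.split()
            cfg["inside_net"] = _net(parts[2], parts[3])
        elif m := RE_POOL.match(line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := RE_ACL.match(line):
            cfg["acls"].setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := RE_NAT0.match(line):
            if m[1] == "inside":
                cfg["nat0_acls"].append(m[2])
        elif m := RE_ADDRPOOL.match(line):
            cfg["used_pools"].add(m[1])
        elif s == "no sysopt connection permit-vpn":
            cfg["permit_vpn"] = False      # the enabled default is not shown in show run
        elif s == "management-access inside":
            cfg["mgmt_access_inside"] = True
    return cfg


def check_vpn_inside_access(text):
    """Return a list of findings; an empty list means all checks passed."""
    cfg = parse_config(text)
    if cfg["inside_net"] is None:
        return ["no interface carries 'nameif inside'"]
    if not cfg["nat0_acls"]:
        return ["no 'nat (inside) 0 access-list ...' (NAT exemption) configured"]
    findings = []
    # Destinations exempt from NAT when the source is the inside LAN.
    exempt = [dst for name in cfg["nat0_acls"]
              for src, dst in cfg["acls"].get(name, [])
              if cfg["inside_net"].subnet_of(src)]
    for name in sorted(cfg["used_pools"]):
        if name not in cfg["pools"]:
            findings.append(f"tunnel-group references undefined pool {name}")
            continue
        # Split the pool range into CIDR chunks and require each to sit inside an exempt block.
        for chunk in ipaddress.summarize_address_range(*cfg["pools"][name]):
            if not any(chunk.subnet_of(d) for d in exempt):
                findings.append(f"pool {name}: {chunk} is not covered by the NAT-exemption "
                                "ACL, so inside-to-client replies would hit the dynamic NAT rule")
    if not cfg["permit_vpn"]:
        findings.append("'no sysopt connection permit-vpn' is set: decrypted VPN traffic "
                        "must be permitted by the interface ACLs")
    if not cfg["mgmt_access_inside"]:
        findings.append("note: without 'management-access inside' VPN clients cannot ping "
                        "the inside interface address itself")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_vpn_inside_access(cfg_text) or "OK")
```

Run against the posted configuration the pool 192.168.50.1-.10 sits inside the exempted 192.168.50.0/28, so the NAT check passes; the script is meant to be pointed at a full "show run" saved to a file, and will ignore lines it does not understand.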
09-15-2010 05:24 AM
vpn# show crypto ipsec sa
interface: outside
Crypto map tag: outside_dyn_map, seq num: 20, local addr: aaa.bbb.ccc.250
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.50.1/255.255.255.255/0/0)
current_peer: 75.204.140.75, username: user1
dynamic allocated peer ip: 192.168.50.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: aaa.bbb.ccc.250, remote crypto endpt.: 75.204.140.75
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: FF43DD6E
inbound esp sas:
spi: 0x40B2B6D1 (1085454033)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28792
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xFF43DD6E (4282637678)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28792
IV size: 8 bytes
replay detection support: Y
After adding "management-access inside" I was able to ping 192.168.78.254. Before I was not able to ping.
09-15-2010 09:03 AM
Hi Tony,
Please apply captures on the ASA's inside interface and see if you see packets going out and coming back in as well. For a guide on applying captures, please use the below document:
https://supportforums.cisco.com/docs/DOC-1222
In short, for the above IPSec SA, when trying to ping 192.168.78.1, the capture will be configured as below:
access-list capi permit ip host 192.168.50.1 host 192.168.78.1
access-list capi permit ip host 192.168.78.1 host 192.168.50.1
capture capin access-list capi interface inside
To view the captures, use the command "show cap capin" and paste that output here when trying to ping that IP on the inside of the ASA. Also, please try adding the command "sysopt connection permit-vpn" and see if it makes any difference. Let me know how it goes!!
Regards,
Prapanch
09-15-2010 10:58 AM
I posted the same question but no one bothered answering..... any success on your problem?!?!?
09-15-2010 11:29 AM
satuser001 wrote:
I posted the same question but no one bothered answering..... any success on your problem?!?!?
Still working on a solution...
09-15-2010 11:29 AM
vpn(config)# show cap capin
4 packets captured
1: 11:18:49.924878 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
2: 11:18:54.862870 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
3: 11:19:00.360760 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
4: 11:19:05.842989 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
4 packets shown
This was before adding "sysopt connection permit-vpn". Adding it made no change.
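What the capture above shows is four echo requests leaving the inside interface and nothing coming back, which is the observation the diagnosis in this thread rests on. As an added example (not from this thread or from Cisco), the Python script below parses "show capture" text in the format posted here and lists every source/destination pair that never sees a packet in the reverse direction, so the same one-way check works for telnet or any other protocol, not only ICMP. The sample captures are constructed from the posted output; function names are my own.

```python
import re
from collections import Counter

# Matches one "show capture" line. The VLAN tag is optional and ports, when present,
# are appended to the address (e.g. 192.168.50.1.49152 > 192.168.78.1.23: S ...).
CAP_LINE = re.compile(
    r"^\s*\d+:\s+\S+\s+"                  # sequence number and timestamp
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"       # optional 802.1Q header summary
    r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?"    # source IP, optional port
    r"\s+>\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?"    # destination IP, optional port
    r":\s*(.*)$"                           # protocol summary
)

# Constructed copy of the capture posted in this thread: requests only.
SAMPLE_CAPTURE = """\
4 packets captured
1: 11:18:49.924878 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
2: 11:18:54.862870 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
3: 11:19:00.360760 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
4: 11:19:05.842989 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
4 packets shown
"""

# Constructed variant in which the host does answer, for comparison.
SAMPLE_WITH_REPLY = SAMPLE_CAPTURE + (
    "5: 11:19:05.843101 802.1Q vlan#1 P0 192.168.78.1 > 192.168.50.1: icmp: echo reply\n"
)


def parse_capture(text):
    """Return one dict per captured packet; non-packet lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            src, sport, dst, dport, summary = m.groups()
            packets.append({"src": src, "sport": sport, "dst": dst,
                            "dport": dport, "summary": summary})
    return packets


def find_one_way_flows(text):
    """List (src, dst, packet_count) for every direction that got no traffic back."""
    counts = Counter((p["src"], p["dst"]) for p in parse_capture(text))
    one_way = []
    for (src, dst), n in sorted(counts.items()):
        if counts.get((dst, src), 0) == 0:
            one_way.append((src, dst, n))
    return one_way


if __name__ == "__main__":
    for label, cap in (("posted capture", SAMPLE_CAPTURE), ("with reply", SAMPLE_WITH_REPLY)):
        print(label, "->", find_one_way_flows(cap) or "all flows bidirectional")
```

Paste the output of "show cap capin" into a file and feed it to find_one_way_flows; a pair that appears only in the client-to-host direction points at the host (or a device in front of it) rather than at the ASA, as the replies in this thread conclude.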
09-15-2010 12:12 PM
Would appreciate it if you could let me know as soon as you do......
Just in-case I forget to check... thx m8
09-15-2010 05:26 PM
Hey tony,
That's interesting. Can you ping that IP from the ASA, that is, 192.168.78.1? Also, please paste the outputs of "show cap" and "show run access-list" from the ASA. Just want to confirm the captures have been applied right.
If they are, it seems like the hosts are not replying back to the echo requests from the VPN client. You might want to have a look at that host and see if there is any kind of firewall that could be blocking pings.
Regards,
Prapanch
09-15-2010 05:39 PM
09-15-2010 05:49 PM
Hey Tony,
The captures seem ok. As I said, please have a check as to why the host is not replying to echo requests. Maybe a firewall or a misconfigured route.
regards,
Prapanch