VPN Connects but unable to access internal devices

Answered Question
Jul 2nd, 2013

Thank you in advance for any assistance that can be provided.


I am using AnyConnect to create a VPN with an ASA 5505.  Once connected, the client needs to access a device behind a 1941 router.


Internally, (not using VPN), all my routing is working correctly.  My VPN client can connect and when I put a route on my 1941 router, I am able to ping that particular device.  But my VPN client cannot appear to ping anything else, either the devices on the same internal range as the ASA 5505 or anything past the 1941.


VPN Client            ASA 5505                                      Workstation       1941 Router                    Far Device
192.168.201.20 ---->  outside x.x.x.x / inside 192.168.101.1        192.168.101.56    192.168.101.2 / 192.168.8.1    192.168.8.150

VPN client: connects and gets an IP from the ASA
Workstation (192.168.101.56): cannot ping this
1941 router: can ping the internal IP (192.168.101.2), but only after creating a static route
Far device (192.168.8.150): cannot ping this



I have been playing around with my configuration extensively to try and make this work.  Split-tunneling is enabled and is required.


Here is my current config:


hostname MYHOST
enable password mUUvr2NINofYuSh2 encrypted
passwd UNDrnIuGV0tAPtz2 encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.101.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.0.0
!
interface Vlan7
 no forward interface Vlan1
 nameif DMZ
 security-level 20
 ip address 137.57.183.1 255.255.255.0
!
ftp mode passive
clock timezone MST -7
dns domain-lookup outside
object-group network obj_any_dmz
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.201.0 255.255.255.0 any
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
ip local pool vpn_pool 192.168.201.20-192.168.201.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 10 137.57.183.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 64000
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 subject-name CN=MYHOST
 keypair ClientX_cert
 crl configure
crypto ca certificate chain ASDM_TrustPoint1
 certificate 0f817951
    308201e7 30820150 a0030201 0202040f 81795130 0d06092a 864886f7 0d010105
    05003038 31173015 06035504 03130e41 494d452d 56504e2d 42415455 53311d30
    1b06092a 864886f7 0d010902 160e4149 4d452d56 504e2d42 41545553 301e170d
    31333036 32373137 32393335 5a170d32 33303632 35313732 3933355a 30383117
    30150603 55040313 0e41494d 452d5650 4e2d4241 54555331 1d301b06 092a8648
    86f70d01 0902160e 41494d45 2d56504e 2d424154 55533081 9f300d06 092a8648
    86f70d01 01010500 03818d00 30818902 818100c9 ff840bf4 cfb8d394 2c940430
    1887f25a 49038aa0 1299cf10 bda2a436 227dcdbf f1c5566b c35c2f19 8b3514d3
    4e24f5b1 c8840e8c 60e2b39d bdc0082f 08cce525 97ffefba d42bb087 81b9adb9
    db0a8b2f b643e651 d17cd6f8 f67297f2 d785ef46 c3acbb39 615e1ef1 23db072c
    783fe112 acd6dc80 dc38e94b 6e56fe94 d59d5d02 03010001 300d0609 2a864886
    f70d0101 05050003 8181007e 29e90ea0 e337976e 9006bc02 402fd58a a1d30fe8
    b2c1ab49 a1828ee0 488d1d2f 1dc5d150 3ed85f09 54f099b2 064cd622 dc3d3821
    fca46c69 62231fd2 6e396cd1 7ef586f9 f41205af c2199174 3c5ee887 42b684c9
    7f4d2045 4742adb5 d70c3805 4ad13191 8d802bbc b2bcd8c7 8eec111b 761d89f3
    63ebd49d 30dd06f4 e0fa25
  quit
crypto isakmp enable outside
crypto isakmp policy 40
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 DMZ
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
group-policy ClientX_access internal
group-policy ClientX_access attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunneling
 default-domain value access.local
 address-pools value vpn_pool
 ipv6-address-pools none
 webvpn
  svc mtu 1406
  svc rekey time none
  svc rekey method ssl
username ClientX password ykAxQ227nzontdIh encrypted privilege 15
username ClientX attributes
 vpn-group-policy ClientX_access
 service-type admin
tunnel-group ClientX type remote-access
tunnel-group ClientX general-attributes
 address-pool Internal_Range
 default-group-policy ClientX_access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy ClientX_access
tunnel-group ClientX_access type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:da38065247f7334a5408b7ada3af29ae
: end

Correct Answer by Karsten Iwen (Tue, 07/02/2013 - 12:38)

ok, let's go on ... ;-)


Split-Tunneling: The ACL must include all networks you want to reach through the VPN:


access-list split-tunneling standard permit 192.168.101.0 255.255.255.0

access-list split-tunneling standard permit 192.168.8.0   255.255.255.0



NAT: Don't use "any" in the nat-exemption, but specify all traffic that should not be natted:


access-list nonat extended permit ip 192.168.101.0 255.255.255.0 192.168.201.0 255.255.255.0

access-list nonat extended permit ip 192.168.8.0   255.255.255.0 192.168.201.0 255.255.255.0


Routing: The 1941 needs a route for the vpn-pool pointing to the ASA (just in case there is no default route to the ASA)


-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


Lemon Lime Tue, 07/02/2013 - 13:22

Okay.....I gave that a shot but still not happening.


I put a route on the 1941, which I can ping successfully.  I cannot seem to ping anything else on my internal network or anything past the 1941.


Here's the updated short config:


access-list nonat extended permit ip 192.168.101.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list split-tunneling standard permit 192.168.8.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool vpn_pool 192.168.201.20-192.168.201.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 10 137.57.183.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1

Lemon Lime Tue, 07/02/2013 - 14:12

Oooops!!


I am a big fat liar.  I can actually ping my internal network!  Hurrah!!


Unfortunately I still cannot ping anything on the other side of my 1941.  I have confirmed that internally all the routing is fine.  I can ping from my VPN client to the interface of the 1941 (192.168.101.2) but then nothing seems to happen after that.

Any suggestions on debugs I can run?


Again, many thanks for your assistance.

Karsten Iwen Tue, 07/02/2013 - 14:32
User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP, 2017 Firewalling, VPN

Do a "debug ip icmp" on the 1941 and ping the remote IP (192.168.8.1) of the router. Do you see any output? And paste the config of the router.



-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Lemon Lime Tue, 07/02/2013 - 15:48

Nothing appeared on the 1941 when pinging anything on the other side of the device, which led me to believe it was an ASA firewall issue.


I have it working.  I did some research and playing around and for anyone else who looks at this in future I added these two lines to my config:


access-list outside_access_in extended permit ip 192.168.201.0 255.255.255.0 192.168.8.0 255.255.255.0


access-group outside_access_in in interface outside


-----------


Karsten, many thanks for your help.  You Sir are a Gentleman and a scholar or as the kids say "you da man".
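Added example, not part of the thread and not a Cisco tool: a small Python model of the items this thread adjusted on the ASA, fed with the config posted in the question, Karsten's corrected split-tunnel and nat-exemption ACLs, and the outside access-list from the final post. It parses the relevant ASA lines (ACLs, static and connected routes, the split-tunnel and nat-exemption bindings, the outside access-group) and reports, for one VPN client to destination flow, whether the destination is in the split-tunnel ACL, whether the flow is nat-exempt, which interface the ASA routes it out of, and what the outside access-group says about it; a second function checks Karsten's routing point on IOS `ip route` lines for the 1941. All function names are hypothetical, the config snippets are constructed from what was posted (the x.x.x.x placeholders kept as posted, the 1941 route line invented), and it encodes only the items this thread touched, not the ASA's full packet path.

```python
# Added example, not code from the thread or from Cisco. Models the ASA-side items the thread
# adjusted (split-tunnel ACL, nat-exemption ACL, route, outside access-group) and Karsten's point
# that the 1941 needs a return route for the VPN pool. Function names are hypothetical.
import ipaddress

IPNet = ipaddress.IPv4Network
ANY = IPNet("0.0.0.0/0")

def _addr_spec(tokens):
    """Consume one ACL address spec ('any' or 'A.B.C.D MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return IPNet(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_asa(text):
    """Pull ACLs, static and connected routes, and the split/nonat/outside-ACL bindings out of ASA CLI text."""
    cfg = {"acl": {}, "routes": [], "split_acl": None, "nonat_acl": None, "outside_acl": None}
    nameif = None
    for t in map(str.split, text.splitlines()):
        try:
            if t[:1] == ["nameif"]:
                nameif = t[1]
            elif t[:2] == ["ip", "address"] and nameif:  # interface subnet = connected route
                cfg["routes"].append((IPNet(f"{t[2]}/{t[3]}", strict=False), nameif))
            elif t[:1] == ["access-list"] and t[2:4] == ["standard", "permit"]:
                cfg["acl"].setdefault(t[1], []).append((ANY, _addr_spec(t[4:])[0]))  # dest only
            elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
                src, rest = _addr_spec(t[5:])
                cfg["acl"].setdefault(t[1], []).append((src, _addr_spec(rest)[0]))
            elif t[:1] == ["route"]:
                cfg["routes"].append((IPNet(f"{t[2]}/{t[3]}", strict=False), t[1]))
            elif t[:1] == ["split-tunnel-network-list"]:
                cfg["split_acl"] = t[2]
            elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
                cfg["nonat_acl"] = t[4]
            elif t[:1] == ["access-group"] and t[2:5] == ["in", "interface", "outside"]:
                cfg["outside_acl"] = t[1]
        except ValueError:
            pass  # placeholder addresses such as x.x.x.x (kept as posted) are skipped
    return cfg

def egress_interface(cfg, dest_ip):
    """Longest-prefix match over connected and static routes; None if nothing matches."""
    dest = ipaddress.IPv4Address(dest_ip)
    hits = [(n.prefixlen, i) for n, i in cfg["routes"] if dest in n]
    return max(hits)[1] if hits else None

def vpn_checklist(cfg, client_ip, dest_ip):
    """The ASA-side items from the thread, evaluated for one VPN client -> destination flow."""
    client, dest = ipaddress.IPv4Address(client_ip), ipaddress.IPv4Address(dest_ip)
    split = cfg["acl"].get(cfg["split_acl"], [])
    nonat = cfg["acl"].get(cfg["nonat_acl"], [])
    outside = cfg["acl"].get(cfg["outside_acl"], []) if cfg["outside_acl"] else None
    return {
        # 1. the client only sends destinations listed in the split-tunnel ACL into the tunnel
        "split_tunnel": any(dest in d for _, d in split),
        # 2. the nat (inside) 0 ACL is written from the inside host's view: src = inside net, dst = VPN client
        "nat_exempt": any(dest in s and client in d for s, d in nonat),
        # 3. the interface the ASA routes the destination out of ('inside' is what this thread needs)
        "egress": egress_interface(cfg, dest_ip),
        # 4. outside access-group: none applied, an explicit permit, or the implicit deny at the end of the ACL
        "outside_acl": ("no-acl" if outside is None else
                        "permit" if any(client in s and dest in d for s, d in outside) else "deny"),
    }

def router_has_return_route(ios_text, pool_cidr, asa_inside_ip):
    """Karsten's routing point, on IOS 'ip route NET MASK NEXTHOP' lines: is the pool routed back to the ASA?"""
    pool = IPNet(pool_cidr)
    routes = [(IPNet(f"{t[2]}/{t[3]}", strict=False), t[4])
              for t in map(str.split, ios_text.splitlines()) if t[:2] == ["ip", "route"]]
    best = max(((n.prefixlen, nh) for n, nh in routes if pool.subnet_of(n)), default=None)
    return best is not None and best[1] == asa_inside_ip

# Constructed from the configs posted in the thread; the 1941 route line is a constructed IOS example.
BASE = """
interface Vlan1
 nameif inside
 ip address 192.168.101.1 255.255.255.0
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
split-tunnel-network-list value split-tunneling
"""
AS_POSTED = BASE + """
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.201.0 255.255.255.0 any
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
"""
AFTER_ACL_FIX = BASE + """
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list split-tunneling standard permit 192.168.8.0 255.255.255.0
"""
FINAL = AFTER_ACL_FIX + """
access-list outside_access_in extended permit ip 192.168.201.0 255.255.255.0 192.168.8.0 255.255.255.0
access-group outside_access_in in interface outside
"""
ROUTER_1941 = "ip route 192.168.201.0 255.255.255.0 192.168.101.1\n"
```

Running `vpn_checklist(parse_asa(AS_POSTED), "192.168.201.20", "192.168.8.150")` reports the far device missing from both the split-tunnel and the nat-exemption ACL, exactly the two ACLs Karsten had changed, while the same call for the workstation 192.168.101.56 passes those two because the original nonat lines used `any` as the destination. With `FINAL` the outside access-group reports "permit" for the far subnet only; the added line is scoped to vpn_pool to 192.168.8.0/24, so any other flow evaluated against that ACL hits its implicit deny, which is the narrow shape a rule like this should keep.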
