11-12-2013 08:22 AM - edited 03-11-2019 08:03 PM
Hello Guys,
I've managed to set up an SSL VPN connection on an ASA 5505, but I have the issue below.
inside network: 10.0.0.0/24
asa inside: 10.0.0.254
dns: 10.0.0.1
vpn pool:192.168.50.0/24
When I am connected through the VPN I receive the IP address 192.168.50.1 and I am able to ping hosts inside, except the domain controller, which is 10.0.0.1.
Also, I am unable to ping my VPN client from the ASA.
Please see my configuration below and advise accordingly.
!
ASA Version 8.2(5)
!
hostname imlfw
domain-name IMLDOM
enable password q06nVnsUc78g4jiU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x 255.255.255.252
!
ftp mode passive
clock timezone EEDT 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.0.1
name-server 8.8.8.8
name-server 4.4.4.2
domain-name IMLDOM
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network inside-net
network-object 10.0.0.0 255.255.255.0
access-list inside_in extended permit ip any any
access-list inside_in extended permit icmp any any
access-list outside_acl extended permit ip any any
access-list outside_acl extended permit icmp any any
access-list ACL-SPLIT-TUNNEL extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 30000
logging buffered debugging
logging asdm informational
logging debug-trace
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 192.168.50.1-192.168.50.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
static (inside,outside) tcp interface 3389 10.0.0.1 3389 netmask 255.255.255.255
access-group inside_in in interface inside
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 [gateway's ip] 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.1 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 10.0.0.1 255.255.255.255 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd dns 10.0.0.1
!
dhcpd address 10.0.0.50-10.0.0.81 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 87.232.1.40 prefer
ntp server 81.94.123.16
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy TELECOMMUTERSPOLICY internal
group-policy TELECOMMUTERSPOLICY attributes
vpn-idle-timeout 120
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL-SPLIT-TUNNEL
webvpn
svc dtls enable
svc keep-installer installed
username ************************************
tunnel-group telecommuters type remote-access
tunnel-group telecommuters general-attributes
address-pool VPNPOOL
default-group-policy TELECOMMUTERSPOLICY
tunnel-group telecommuters webvpn-attributes
group-alias TELECOMMUTERS enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6c5d2f60afc59fca351ff98a2a30ca93
: end
11-12-2013 08:28 AM
Hi,
I can't see a NAT0 configuration.
Add the following configuration:
access-list INSIDE-NAT0 remark NAT0 for VPN Client traffic
access-list INSIDE-NAT0 permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
Though I am not sure how you would be able to ping other internal hosts when you don't have a NAT0 configuration for any host on the network.
If you are pinging the VPN Client (which usually is not needed), try the following command:
ping inside 192.168.50.x
Where you naturally fill in the IP address that the VPN Client has gotten.
Hope this helps
- Jouni
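As an added example that is not part of the thread, here is a small Python checker that reads ASA 8.2-style `nat`, `access-list` and `ip local pool` lines and reports the inside networks whose traffic to the VPN pool is still subject to dynamic NAT, i.e. not covered by a `nat (inside) 0 access-list` exemption as described above. The configuration excerpt is a constructed, reduced copy of the thread's config, and the parser only understands the line forms shown there.

```python
import ipaddress
import re

# Constructed, reduced copy of the relevant lines from the thread's ASA 8.2 config.
ASA_CONFIG = """\
access-list ACL-SPLIT-TUNNEL extended permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
ip local pool VPNPOOL 192.168.50.1-192.168.50.10 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
"""

# The NAT0 exemption proposed in the answer above.
NAT0_FIX = """\
access-list INSIDE-NAT0 remark NAT0 for VPN Client traffic
access-list INSIDE-NAT0 permit ip 10.0.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
"""

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (?:access-list (\S+)|(\S+) (\S+))$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)$")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Collect (src, dst) pairs per ACL, nat statements, and the VPN pool subnet."""
    acls, nats, pool = {}, [], None
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := NAT_RE.match(line):
            # (interface, nat id, acl name or None, network or None)
            nats.append((m[1], int(m[2]), m[3], net(m[4], m[5]) if m[4] else None))
        elif m := POOL_RE.match(line):
            pool = net(m[1], m[3])  # pool start address under the pool mask
    if pool is None:
        raise ValueError("no 'ip local pool' line found")
    return acls, nats, pool


def unexempted_inside_nets(config, inside_if="inside"):
    """Inside networks under dynamic NAT (nat id != 0) whose traffic to the VPN
    pool is not matched by any nat 0 (identity NAT) ACL entry."""
    acls, nats, pool = parse(config)
    exempt = [pair for iface, nat_id, acl, _ in nats
              if iface == inside_if and nat_id == 0 for pair in acls.get(acl, [])]
    missing = []
    for iface, nat_id, _, network in nats:
        if iface != inside_if or nat_id == 0 or network is None:
            continue
        if not any(network.subnet_of(src) and pool.subnet_of(dst) for src, dst in exempt):
            missing.append(str(network))
    return missing
```

Running `unexempted_inside_nets(ASA_CONFIG)` flags 10.0.0.0/24; appending `NAT0_FIX` to the config clears the finding.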
11-12-2013 08:35 AM
Jouni you are a star!!
Thanks a lot for your help, you saved me hours of reading
11-13-2013 02:11 AM
Hi,
Answering here regarding your private message.
You mention in your message the ASA as 10.0.0.1 but the above configuration says 10.0.0.254? Are you sure you are connecting to the correct IP address for ASA management?
You seem to have the required configuration to enable management of the ASA through the VPN, which is:
management-access inside
With regards to copying the configuration from the ASA directly to the VPN Client host: I think the ASA will probably use the "outside" interface as the source IP address for the TFTP traffic, and since you are using Split Tunnel it won't match the VPN configuration/connection.
You could try to temporarily switch the VPN Client to Full Tunnel and see if that helps. If that works, you could try to add the ASA's external IP address to the Split Tunnel ACL.
Hope this helps
- Jouni
11-13-2013 02:42 AM
Regarding the IP of the ASA, it was a typo; the correct one, which I used to access the ASDM and which still doesn't work, is 10.0.0.254.
I've also added
access-list ACL-SPLIT-TUNNEL extended permit ip host mypublicip 192.168.50.0 255.255.255.0
but still no luck.
What do you mean by switching the client to full tunnel? How do I achieve that?
11-13-2013 05:00 AM
Hi,
To change to Full Tunnel you would have to make the following changes:
group-policy TELECOMMUTERSPOLICY attributes
no split-tunnel-policy tunnelspecified
no split-tunnel-network-list value ACL-SPLIT-TUNNEL
split-tunnel-policy tunnelall
To change back, naturally add the old configuration back.
I have not had a use for copying files to a VPN Client from the ASA directly or doing management through the VPN, as both have been handled in other ways, so I am not sure if there is something missing.
For example, I am not sure whether "http 0.0.0.0 0.0.0.0 outside" will apply to these connections or whether you will actually have to use the "inside" interface. It would seem logical that it would be "outside", but I am not sure. You already seem to have that sorted. Naturally you can try adding an "inside" command also.
Otherwise I would suggest getting logs from the connection attempts through VPN.
You could also try SSH or Telnet through the VPN to the ASA interface and see if those succeed.
- Jouni
11-13-2013 06:09 AM
Thanks Jouni, I will try it and let you know!