
New Member

ASA firewall issue

Hi

I have configured a remote access VPN with a local pool on the ASA firewall. After connecting the VPN I can access all the resources (my private network, such as servers) through the ASA firewall, but I can't access the mail server through webmail (ports like 80). Please check the configs.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ASA firewall issue

Hello,

Would you please take a look at the split tunneling list? Where is the OWA server located?

Cheers.

Mike
30 REPLIES

Re: ASA firewall issue

Hi,

It seems the OWA server has 192.168.100.1, correct?

That IP is internal to the ASA via a static route.

In order for you to be able to reach that server via port 80, the server must be included in the nat0 ACL.

Question.

Can you PING 192.168.100.1 from the VPN client?

I just want to make sure that packets from the VPN client reach the server and that the problem is specifically with port 80.

Federico.

New Member

Re: ASA firewall issue

Hi, thanks.

Yes, I can ping 192.168.100.1 from the VPN client.

But I can't access webmail from the VPN client.

New Member

Re: ASA firewall issue

Hi

The OWA server is located at my corporate office and the server IP is 192.168.100.1. After connecting the VPN client I can ping the server IP, i.e. 192.168.100.1, but I can't access my webmail.

Are you considering the problem to be at port 80?

New Member

Re: ASA firewall issue

My OWA server is located at my corporate office.

Bronze

Re: ASA firewall issue

Do you have a route on the 10.10.20.2 router pointing the VPN pool back to the ASA??

A route like,

ip route 172.16.1.0 255.255.255.0 10.10.20.1 ??

Cheers,

Nash.

New Member

Re: ASA firewall issue

Hi, thanks,

But the VPN IP pool was 182.16.1.1-182.16.1.10. Whenever he connected the VPN client, it was assigned from this network, 182.16.1.0.

Can I put this command,

    ip route 182.16.1.0 255.255.255.0 10.10.20.1 ?

Please advise me.

Thanks.

Bronze

Re: ASA firewall issue

Hi,

Was that a typo 182 in place of 172 ??

I saw the pool as 172.16.1.0/24 in the configuration.

Yeah, you could add that route

    ip route 172.16.1.0 255.255.255.0 10.10.20.1

If it is 182

then

    ip route 182.16.1.0 255.255.255.0 10.10.20.1

Let me know how it goes.


Cheers,

Nash.

New Member

Re: ASA firewall issue

Hi,

When I put this command, it says,

    IFASA#
    IFASA#config terminal
    IFASA(config)#
    IFASA(config)# ip route 172.16.1.0 255.255.255.0 10.10.20.1
    ERROR: % invalid input detected at '^' marker
    IFASA(config)#

Please advise me.

Thanks.

Bronze

Re: ASA firewall issue

Are you adding that route on 10.10.20.2 router ??


Cheers,

Nash

New Member

Re: ASA firewall issue

Hi,

Yes, I put this command on the router.

The command was,

    ip route 172.16.1.0 255.255.255.0 10.10.20.1

Thanks.

Bronze

Re: ASA firewall issue

What kind of a device is the 10.10.20.2 ??

is that an ASA or a Router ??

Cheers,


Nash.

New Member

Re: ASA firewall issue

Hi,

The 10.10.20.2 device is an ASA.

Thanks.

Bronze

Re: ASA firewall issue

On what interface is the 10.10.20.2 IP address configured??

Depending on the interface name, please add the following,

route "interface name" 172.16.10.0 255.255.255.0 10.10.20.1

For example, if the 10.10.20.2 IP address is configured on the outside interface, add

route outside 172.16.10.0 255.255.255.0 10.10.20.1

Cheers,

Nash.

New Member

Re: ASA firewall issue

Hi,

Yes, I put this command,

route inside 172.16.1.0 255.255.255.0 10.10.20.1

but still nothing happened.

Thanks.

Re: ASA firewall issue

PING is a tool that can also work in suboptimal routing cases. First configure syslogging, either in ASDM or to an external syslog server. Then try telnetting to 192.168.100.1 on port 80 from the VPN client. Check if a blank screen appears, then filter the syslogs that contain 192.168.100.1 and paste them here. Also a network diagram will be helpful.

New Member

Re: ASA firewall issue

Hi,

Whenever he tried to connect to port 80 from the VPN client, it did not show a blank screen. Also I sent a network diagram.

Thanks.

Re: ASA firewall issue

The diagram appears to have been removed. Can you upload it one more time so I can download it this time? By the way, was the VPN client connected while you ran the route print command on the VPN client? Can you double-check whether you can telnet to the mail server on 192.168.100.1 on port 80 while the VPN is connected?

Thanks

IMPORTANT: According to the interfaces listed in the route print output on the VPN client, the Cisco VPN client is not installed. Are you using the Microsoft client?

New Member

Re: ASA firewall issue

Hi,

Please find the attachment for the network diagram, and also the "route print" file for the Cisco VPN client. Yes, I double-checked.

No, I can't telnet to the mail server on 192.168.100.1 on port 80. Please help.

Thanks.

Re: ASA firewall issue

According to the current configuration, all traffic (including internet) of VPN clients that belong to the nexttoidea group is supposed to be routed to the corporate network, but tunnel group nexttoidea is not configured for tunnel-all. The PC that is connected via the VPN client selects its local gateway as the elected gateway, and traffic is not routed over the tunnel.

In order to prove this theory, right-click the VPN symbol in the notification area and click Statistics. While this window is open, open up a browser and type http://192.168.100.2 ; most probably the count of encrypted packets does not increment.

Assuming that your security policy does not require restricting internet access or controlling all traffic of nexttoidea members centrally, I recommend using split tunneling. If you agree with my assumption and you need this VPN just to be able to connect your networks while still being able to reach local networks, do the following configuration

ip local pool next_to_idea 172.16.2.1-172.16.2.10 mask 255.255.255.240
tunnel-group nexttoideavpn general-attributes
 no address-pool nexttoidea
 address-pool next_to_idea
no ip local pool nexttoidea 182.16.1.1-182.16.1.10 mask 255.255.255.0
no access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.192 182.16.1.0 255.255.255.240
no access-list inside_nat0_outbound extended permit ip 192.168.100.64 255.255.255.192 182.16.1.0 255.255.255.240
no access-list inside_nat0_outbound extended permit ip any 182.16.1.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.128 172.16.2.0 255.255.255.240
access-list outside_cryptomap_20 extended permit ip 192.168.100.0 255.255.255.0 172.16.2.0 255.255.255.240
access-list splitTun_nextoidea standard permit 192.168.100.0 255.255.255.128
group-policy nexttoideavpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTun_nextoidea
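The three things the configuration above has to agree on (the address pool the tunnel-group hands out, the NAT-exemption ACL that covers server-to-pool traffic, and the split-tunnel list the group-policy points at) are exactly the things that drift apart when a pool is renumbered. The script below is an added example, not code from the thread or from Cisco: it parses only these statement types from an ASA config and reports, for one server address, which of the three would stop a VPN client reaching it. The sample configs are constructed (the "corrected" one mirrors the commands above; the "broken" one deliberately mixes a 182.16.1.0 pool with a 172.16.1.0 NAT exemption and an undefined split-tunnel list); the ACL and group-policy names are the thread's, and anything not parsed by the regexes is ignored.

```python
import ipaddress
import re

# Constructed sample modelled on the corrected configuration posted above.
SAMPLE_CONFIG = """\
ip local pool next_to_idea 172.16.2.1-172.16.2.10 mask 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.128 172.16.2.0 255.255.255.240
access-list splitTun_nextoidea standard permit 192.168.100.0 255.255.255.128
group-policy nexttoideavpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTun_nextoidea
tunnel-group nexttoideavpn general-attributes
 address-pool next_to_idea
"""

# Constructed "broken" sample: pool is 182.16.1.0/24, NAT exemption says 172.16.1.0/24,
# and the split-tunnel list named by the group-policy is never defined.
BROKEN_CONFIG = """\
ip local pool nexttoidea 182.16.1.1-182.16.1.10 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.192 172.16.1.0 255.255.255.0
group-policy nexttoideavpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitTun_nextoidea
tunnel-group nexttoideavpn general-attributes
 address-pool nexttoidea
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
EXT_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
STD_RE = re.compile(r"^access-list (\S+) standard permit (.+)$")


def parse_addr(tokens):
    """Consume one ACL address spec ('any', 'host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Collect pools, ACLs, group-policy split-tunnel settings and the tunnel-group pool."""
    cfg = {"pools": {}, "ext_acls": {}, "std_acls": {}, "group_policies": {}, "tunnel_pool": None}
    section = None  # (kind, name) of the group-policy / tunnel-group sub-mode we are in
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := POOL_RE.match(line):
            name, first, last, mask = m.groups()
            cfg["pools"][name] = {"first": ipaddress.ip_address(first), "last": ipaddress.ip_address(last),
                                  "network": ipaddress.ip_network(f"{first}/{mask}", strict=False)}
        elif m := EXT_RE.match(line):
            name, rest = m.groups()
            src, rest_tokens = parse_addr(rest.split())
            dst, _ = parse_addr(rest_tokens)
            cfg["ext_acls"].setdefault(name, []).append((src, dst))
        elif m := STD_RE.match(line):
            name, rest = m.groups()
            cfg["std_acls"].setdefault(name, []).append(parse_addr(rest.split())[0])
        elif line.startswith("group-policy ") and line.endswith(" attributes"):
            section = ("gp", line.split()[1])
            cfg["group_policies"].setdefault(section[1], {})
        elif line.startswith("tunnel-group ") and line.endswith(" general-attributes"):
            section = ("tg", line.split()[1])
        elif section and section[0] == "gp" and line.startswith("split-tunnel-policy "):
            cfg["group_policies"][section[1]]["policy"] = line.split()[1]
        elif section and section[0] == "gp" and line.startswith("split-tunnel-network-list value "):
            cfg["group_policies"][section[1]]["list"] = line.split()[-1]
        elif section and section[0] == "tg" and line.startswith("address-pool "):
            cfg["tunnel_pool"] = line.split()[1]
    return cfg


def check_vpn_access(text, server, nat0_acl="inside_nat0_outbound", group_policy="nexttoideavpn"):
    """Return findings explaining why `server` may be unreachable from VPN clients;
    an empty list means pool, NAT exemption and split tunneling agree for that host."""
    cfg = parse_config(text)
    host = ipaddress.ip_address(server)
    findings = []
    pool = cfg["pools"].get(cfg["tunnel_pool"])
    if pool is None:
        return [f"tunnel-group address-pool {cfg['tunnel_pool']!r} is not a defined ip local pool"]
    if pool["first"] not in pool["network"] or pool["last"] not in pool["network"]:
        findings.append("ip local pool: address range does not fit inside its own mask")
    # NAT exemption: one ACE must carry the server in its source and the whole pool in its destination,
    # otherwise the server's replies are NATted instead of returning through the tunnel.
    aces = cfg["ext_acls"].get(nat0_acl, [])
    if not any(host in src and pool["first"] in dst and pool["last"] in dst for src, dst in aces):
        findings.append(f"{nat0_acl}: no entry exempts {host} -> {pool['first']}-{pool['last']} from NAT")
    # Split tunneling: with tunnelspecified the client only routes the listed networks into the tunnel.
    gp = cfg["group_policies"].get(group_policy, {})
    policy = gp.get("policy")
    if policy == "tunnelspecified":
        nets = cfg["std_acls"].get(gp.get("list"), [])
        if not any(host in n for n in nets):
            findings.append(f"split-tunnel list {gp.get('list')!r} does not cover {host}; "
                            "the client sends it to its local gateway instead of the tunnel")
    elif policy != "tunnelall":
        findings.append(f"group-policy {group_policy}: split-tunnel-policy is {policy!r}; "
                        f"expected tunnelall or tunnelspecified with a list covering {host}")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("corrected", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_vpn_access(cfg_text, "192.168.100.1") or ["OK"])
```

Run it against a `show running-config` dump with the server address you care about; an empty result only means these three statements are consistent, it says nothing about the return route on the inside device, which is the separate question raised earlier in the thread.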

New Member

Re: ASA firewall issue

Hi,

Yes, I put these commands into the Cisco ASA configuration. After the VPN client is connected, though,

I can't ping 192.168.100.1, my server IP.

Kindly do the needful.

Thanks.

Re: ASA firewall issue

Please post the new config, and post the output of "route print" from the VPN client again, after the config update, while it is connected.

I need the output of the following:

* Log into ASDM. Apparently logging to ASDM is enabled. Go to the Real-Time Log Viewer. Set logging to Debugging level. In the filter-by section, type in the IP address that the VPN client acquired (172.16.2.x).

Now in the VPN client, try to browse http://192.168.100.1 again. After that,

1) Check the real-time viewer. Paste here the logs that occurred.

2) In the VPN client, right-click the VPN icon in the notification area, click Statistics, take a screenshot and paste it here.

New Member

Re: ASA firewall issue

Hi,

Please find the attachment for the new config, and also the output of "route print". And there is no output showing in the ASDM log.

Kindly do the needful.

Thanks.

New Member

Re: ASA firewall issue

Hi,

I have configured a remote access VPN with a local pool on the ASA firewall. However, I am accessing all the resources (my private network, such as servers).

Also I can access the VPN through webmail. The port is,

port-object eq 443

Thanks for your co-operation.

Thanks.


Re: ASA firewall issue

"whenever he tried to connected to vpn client port 80"

I didn't understand. I mean, the VPN client should try to telnet to 192.168.100.1 on port 80, not be telnetted to. Instead of pinging the server, use telnet on port 80.

The diagram is useful. Please post the output of the "show ip route" command from the 3560G core switch.

Please post the output of the "route print" command from the Exchange server's command line (cmd).

Please post the output of the "show ip route" command from the firewall.

Please post the output of the "route print" command from the VPN client's cmd line.

Did you set up syslog? Did you get any syslog entries when you tried to connect to the Exchange server on port 80 via telnet from the VPN client?
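Both the earlier "try telnetting to 192.168.100.1 on port 80" advice and this reply rest on the same point: a ping answer only proves ICMP reaches the host, while the outcome of a TCP connect to port 80 tells you which layer is failing. The function below is an added example, not code from the thread or from Cisco; it does what the suggested telnet test does and maps each outcome to the cause it usually points at in a remote-access VPN setup (the mapping in the comments is the usual interpretation, not something the thread itself states). `demo_local` is a constructed demonstration on the loopback interface so the block runs offline; in practice you would call `probe_tcp("192.168.100.1", 80)` from the connected VPN client.

```python
import errno
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt, as the 'telnet <server> 80' test in the thread does.

    'open'        handshake completed: routing, NAT exemption and ACLs all pass for this port
    'timeout'     SYN or SYN/ACK lost: typical of a missing nat0 entry, an asymmetric return
                  route on the inside device, or a silent drop somewhere in the path
    'refused'     RST came back: packets reach the host, but nothing listens on that port
    'unreachable' the local stack or a router had no route (ICMP unreachable)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise


def demo_local():
    """Constructed demonstration: probe a loopback port with a listener bound,
    then the same port after the listener is closed. Returns both classifications."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    with_listener = probe_tcp("127.0.0.1", port, timeout=1.0)
    listener.close()
    without_listener = probe_tcp("127.0.0.1", port, timeout=1.0)
    return with_listener, without_listener


if __name__ == "__main__":
    print(demo_local())  # expected: ('open', 'refused')
```

When the result from the VPN client is "timeout" while ping succeeds, the syslog filter on the server address that was suggested earlier is the next step: a "No translation group found" or a deny entry for the pool address in the ASA log points at NAT exemption or ACLs, while no log at all suggests the packet never reached the ASA, i.e. the client is not sending it into the tunnel.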

New Member

Re: ASA firewall issue

Hi,

Please find the attachments for the "route print" and "show ip route" files.

Thanks.
