ASA 5505 VPN can't access inside host

randyclark
Level 1

I have set up remote VPN access on an ASA 5505 but cannot access the host or the ASA when I log in using the VPN. I can connect with the Cisco VPN client, the VPN light is on on the ASA, and it shows that I'm connected. I have the correct IP address but I cannot ping or connect to any of the internal addresses. I cannot find what I'm missing. I have the VPN bypassing the interface ACLs. Since I can log in but not go anywhere I feel certain I missed something.

part of config below

interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
ip local pool xxxx 10.1.1.50-10.1.1.55 mask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
service-policy global_policy global
group-policy xxxxxxx internal
group-policy xxxxxxx attributes
 banner value xxxxx Disaster Recovery Site
 wins-server none
 dns-server value 24.xxx.xxx.xx
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 default-domain none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value xxxxxx
 smartcard-removal-disconnect enable
 client-firewall none
 webvpn
  functions url-entry
 vpn-nac-exempt none
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
tunnel-group xxxx type ipsec-ra
tunnel-group xxxx general-attributes
 address-pool xxxx
 default-group-policy xxxx
tunnel-group blountdr ipsec-attributes
 pre-shared-key *

Accepted Solution

You are missing nat exemption for the vpn clients. Add the following and you should be good to go.

access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

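A quick way to confirm that a nat 0 exemption actually covers the pool the clients are drawing from, as an added example that is not part of the thread or of any Cisco tooling: the script below parses the few relevant lines of an ASA 8.x-style running config (ip local pool, nat (interface) 0 access-list, and the access-list ... extended permit ip entries that ACL names) and lists every pool address that no exemption ACE matches as its destination, which is the direction the nat 0 ACL is evaluated in for traffic from inside hosts back to VPN clients. The sample config is constructed from the snippets posted in this thread; the pool name vpnpool stands in for the redacted one. With the posted pool (10.1.1.50-10.1.1.55) and the ACL as written in the reply (destination 192.168.10.0/24), all six addresses are reported as not exempt; rewriting the destination to 10.1.1.0/24 clears the report.

```python
"""Check that an ASA 8.x-style 'nat (iface) 0 access-list' exemption covers
every address in each 'ip local pool'.

Added example, not from the original thread. Only the lines needed for the
check are parsed; everything else in the config is ignored.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

POOL_RE = re.compile(
    r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)"
)
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


def _parse_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one ASA address spec at tokens[i] ('any', 'host A.B.C.D',
    or 'A.B.C.D M.M.M.M') and return (network, index of next token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # dotted address followed by dotted netmask; ipaddress accepts this form
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text: str):
    """Return (pools, nat0, aces):
    pools: name -> (first address, last address)
    nat0:  interface -> ACL name used for its nat 0 exemption
    aces:  ACL name -> list of (src_net, dst_net) for 'permit ip' entries"""
    pools: Dict[str, Tuple[Addr, Addr]] = {}
    nat0: Dict[str, str] = {}
    aces: Dict[str, List[Tuple[Net, Net]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (
                ipaddress.ip_address(m.group(2)),
                ipaddress.ip_address(m.group(3)),
            )
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0[m.group(1)] = m.group(2)
            continue
        t = line.split()
        # access-list NAME extended permit ip SRC DST
        if len(t) >= 7 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _parse_addr(t, 5)
            dst, _ = _parse_addr(t, i)
            aces.setdefault(t[1], []).append((src, dst))
    return pools, nat0, aces


def uncovered_pool_addresses(text: str, interface: str = "inside") -> Dict[str, List[str]]:
    """Map pool name -> pool addresses that no ACE in the interface's nat 0
    ACL matches as destination. An empty dict means every pool address is
    exempt from NAT on that interface."""
    pools, nat0, aces = parse_config(text)
    acl = nat0.get(interface)
    entries = aces.get(acl, []) if acl else []
    report: Dict[str, List[str]] = {}
    for name, (first, last) in pools.items():
        missing = []
        addr = first
        while addr <= last:
            if not any(addr in dst for _src, dst in entries):
                missing.append(str(addr))
            addr += 1
        if missing:
            report[name] = missing
    return report


# Constructed from the thread: the posted pool plus the ACL suggested in the
# reply. 'vpnpool' is a placeholder for the redacted pool name.
AS_SUGGESTED = """\
interface Vlan1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
ip local pool vpnpool 10.1.1.50-10.1.1.55 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

# Same config with the exemption's destination rewritten to the pool's subnet.
MATCHING_POOL = AS_SUGGESTED.replace("192.168.10.0 255.255.255.0", "10.1.1.0 255.255.255.0")

if __name__ == "__main__":
    print("as suggested:", uncovered_pool_addresses(AS_SUGGESTED))
    print("matching pool:", uncovered_pool_addresses(MATCHING_POOL))
```

The check is deliberately limited to the nat 0 ACL's destination side, because that is what decides whether a reply packet from an inside host towards a VPN client escapes translation; it does not evaluate interface ACLs, sysopt connection permit-vpn, or the newer object-NAT syntax introduced in ASA 8.3.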

6 Replies

acomiskey
Level 10

If you can post the config, that would be great.

randyclark
Level 1

I get the banner and IP address info...

This is what the client log provides...

1 13:45:32.942 05/30/08 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route: code 87
 Destination 172.20.255.255
 Netmask 255.255.255.255
 Gateway 10.1.2.1
 Interface 10.1.2.5

2 13:45:32.942 05/30/08 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: ac14ffff, Netmask: ffffffff, Interface: a010205, Gateway: a010201.

randyclark
Level 1

Here's the latest config... I can connect and get an IP but still cannot access the local host or the firewall. The firewall shows that I have a tunnel, but I still can't access anything.

You are missing nat exemption for the vpn clients. Add the following and you should be good to go.

access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

I'm having exactly the same problem even though I have the nat exemption entries exactly as stated here.

I've redone the configuration several times with exactly the same result.

Open a new topic, attach configs, and give a full description of the problem.
