Cannot access internal LAN after VPN connect

rogerknight9
Level 1

I know this is either an ACL or NAT issue that I cannot figure out.  The nat-t config is defaulted in the IOS config for the ASA.  I actually forgot the command to show the hidden default config lines.  Either way, can someone take a look at my config and let me know what I am doing wrong, again.

Thanks ahead of time.

ASA Version 8.2(2)
!
hostname ciscousa
enable password
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 1.1.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 14.14.11.5 255.255.255.0
!
interface Vlan3
 shutdown
 no forward interface Vlan2
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 speed 100
 duplex full
!
!
ftp mode passive
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any
access-list inside_nat0 extended permit ip any 1.1.1.0 255.255.255.0
access-list inside_nat0 extended permit ip any 10.12.27.0 255.255.255.0
access-list split_tunnel standard permit 1.1.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 10.12.27.100-10.12.27.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 14.14.11.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 1.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map inet-1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map inet-1_map 65535 ipsec-isakmp dynamic inet-1_dyn_map
crypto map inet-1_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpnipsec internal
group-policy vpnipsec attributes
 wins-server value 1.1.1.16
 dns-server value 1.1.1.16
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value company.com
tunnel-group vpnipsec type remote-access
tunnel-group vpnipsec general-attributes
 address-pool vpnpool
 default-group-policy vpnipsec
tunnel-group vpnipsec ipsec-attributes
 pre-shared-key *****
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512

8 Replies

Panos Kampanakis
Cisco Employee

I would suggest changing the nat0 ACL to use the source and destination subnets instead of any.

Can you check if the tunnel comes up? "sh cry ipsec sa" will show you if the crypto ACL between the endpoints does not match and thus doesn't build an SA.

If it doesn't, then I would suggest using packet-tracer to track this down.

To check hidden default configs you can use "show run all".

I hope it helps.

PK

Thanks for the reply.  I do not know what you mean by changing the nat0 source and destinations.  I tried different variations and nothing worked.  Even the split_tunnel doesn't work, which I tried both using the CLI and ASDM.

I did use packet-tracer and it dies all the time on the 3rd step, which is the implicit ACL that denies everything.

I did do a show run all to check if the nat-t was there, and it was.

Not sure what else to try.  I thought this config would work.

Thanks again!

If you run a packet-tracer for the packet on the outside, it will not work because the ASA will not know the packet is encrypted and thus will drop it in the ACL.

I would suggest checking logs on the ASA for the packets that don't make it, grepping for the VPN client IP address.

PK

Thanks for the reply.  I have been checking the logs but nothing stands out to me as being a problem.  Well, I guess I will keep checking around for other solutions that worked for other people.  I am not getting much information back to resolve this discussion I opened.

Thanks anyway.

So when the VPN client tries to initiate a connection to inside host xxx and you have "logging buffered 7", what do you see in "sh logg | i <VPN client IP>"?

PK

Thanks for the suggestions.

I have a problem with the split_tunnel config, so when I connect via VPN, I lose Internet.  I also thought the split tunnel config was fine, but obviously it is not.

I guess I should try to fix the split tunnel first then.

So I made slight progress.  I got the split_tunnel to work, but to be honest I have no idea how that happened.

Strangely, I can ping the external VPN client IP address from the internal LAN, but I still cannot ping from the VPN client host to the internal LAN.  Also in my VPN client statistics, it still says Local LAN: Disabled.

Also, when I do a "sho cryp isak sa", instead of seeing MM_ACTIVE I see AM_ACTIVE.

Thanks!

Hello,

I have been trying to get this to work within the last week but to no avail.  I changed my config altogether and started from scratch.  I have Split Tunnel working well, and I can access the VPN client from the internal LAN.  But I still cannot access the internal LAN from the VPN client host.  Can anyone take a look at my config and tell me what ACL/access-group I am missing?  I know I am close but I cannot get over the hump.
Thanks!

ASA Version 8.2(2)
!
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Vlan3
 shutdown
 no forward interface Vlan2
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
 speed 100
 duplex full
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_in extended permit icmp any any
access-list outside_in_vpn extended permit ip 192.168.3.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list split_tunnel standard permit 192.168.0.0 255.255.0.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ipvpn 192.168.3.100-192.168.3.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_in in interface outside control-plane
access-group outside_in_vpn in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map internet-1_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map internet-1_map 65535 ipsec-isakmp dynamic internet-1_dyn_map
crypto map internet-1_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
group-policy vpnipsec internal
group-policy vpnipsec attributes
 wins-server value 192.168.1.5
 dns-server value 192.168.1.5
 split-tunnel-policy tunnelall
 split-tunnel-network-list value split_tunnel
 default-domain value company.com
tunnel-group vpnipsec type remote-access
tunnel-group vpnipsec general-attributes
 address-pool ipvpn
 default-group-policy vpnipsec
tunnel-group vpnipsec ipsec-attributes
 pre-shared-key *
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
prompt hostname context
Cryptochecksum:7e41045c9d7c66ac2c03c3b12ae63908
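Pulling the thread's suggestions together, as an added example that is not a config posted in this thread or Cisco's own: it uses the addresses from the last config above (inside 192.168.1.0/24, pool ipvpn in 192.168.3.0/24) and takes 192.168.1.5, the DNS/WINS server in that config, as a stand-in for any inside host. It shows the NAT-exemption entry scoped to source and destination subnets as Panos suggested, a split-tunnel policy that actually consults the split_tunnel list (with tunnelall the list is ignored and the client tunnels everything), and the checks discussed in the replies. Two points worth knowing when reading the output: an IPsec remote-access tunnel-group that authenticates with a pre-shared key negotiates IKEv1 aggressive mode, so AM_ACTIVE in "show crypto isakmp sa" is the expected state rather than a fault; and the thread's IKE proposal (3DES, SHA-1, DH group 2) is left untouched here but is weak by today's standards.

```cisco
! Added example, not from the thread: remote-access NAT exemption and checks
! for ASA 8.2 (pre-8.3 NAT syntax). Addresses from the final posted config:
! inside 192.168.1.0/24, pool ipvpn 192.168.3.100-200, inside host 192.168.1.5.

! 1. NAT exemption scoped to the subnets that actually talk, instead of "any"
!    or a /16 on both sides. The nat (inside) 0 ACL is matched with the inside
!    host as source and the VPN client (pool address) as destination.
no access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 2. Split tunnelling: the network list is only consulted with tunnelspecified.
!    With tunnelall the client sends everything, Internet included, into the tunnel.
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
group-policy vpnipsec attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel

! 3. Hidden defaults: "show run all" lists them. sysopt connection permit-vpn
!    (on by default) is what lets decrypted client traffic bypass the outside
!    interface ACL, which makes the outside_in_vpn rule redundant while it is on.
show running-config all sysopt

! 4. Tunnel state. AM_ACTIVE (aggressive mode) is normal for a PSK remote-access
!    group. In the ipsec sa output, compare the local/remote ident (proxy
!    identities) with the subnets above; #pkts decaps counting up while
!    #pkts encaps stays flat means client packets arrive but no reply is sent
!    back into the tunnel.
show crypto isakmp sa
show crypto ipsec sa
show vpn-sessiondb remote

! 5. packet-tracer from outside cannot model the decryption step (the point
!    made earlier in the thread), so trace the return direction instead:
!    inside host -> pool address. The NAT phase should report the nat 0
!    exemption (no translation); an ACL drop here would point at inside_access_in.
packet-tracer input inside icmp 192.168.1.5 8 0 192.168.3.100

! 6. While a client is connected and pinging, look for drops that mention a
!    pool address (logging buffered debugging is already set in the config).
show logging | include 192.168.3.
```

The order matters for reading results: confirm the SAs exist first (step 4), because a missing SA is a crypto or tunnel-group problem and no amount of ACL or NAT work will change it; only then use the inside-direction packet-tracer and the log grep to see which phase drops the return traffic.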
