1791 Views, 0 Helpful, 33 Replies

Cisco ASA 5510 don't allow access to the LAN services from remote VPN ???

snuwan.es (Level 1)

I have a Cisco 5510 deployed and it's connected to a 1 Mbps leased internet line. I need to configure it so that remote VPN users can access the internal Exchange server and sync with the email system, and they should be able to access LAN servers using the VPN. I have tried several scenarios but still I didn't get access to the local LAN servers via VPN at any cost :( (it connects well, and I can ping the inside interface IP address only).

Any help would be highly appreciated.

Below is my config (LAN is 192.168.134.0):

!
passwd xxx
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
access-list abc-primary-tunnel_splitTunnelAcl standard permit 192.168.134.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.128
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool primary-vpn-pool 192.168.166.1-192.168.166.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 59.133.230.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.134.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
group-policy abc-primary-tunnel internal
group-policy abc-primary-tunnel attributes
 dns-server value 192.168.134.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value abc-primary-tunnel_splitTunnelAcl
 default-domain value domain.local
username user1 password xxxencrypted privilege 0
username user1 attributes
 vpn-group-policy abc-primary-tunnel
tunnel-group abc-primary-tunnel type remote-access
tunnel-group abc-primary-tunnel general-attributes
 address-pool primary-vpn-pool
 default-group-policy abc-primary-tunnel
tunnel-group abc-primary-tunnel ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic

33 Replies

Check and post the result of:

show access-list inside_nat0_outbound

OK, gimme a min!

I don't think NAT exemption ACLs typically show a hitcount.

Adam,

It does show the packet hitcounts increase. If you ping any host inside, you should see the hitcount increase by two: one for the echo packet and one for the echo reply packet.

I did ping -t but the result is the same! :(

abc-fire(config)# show access-list inside_nat0_outbound
access-list inside_nat0_outbound; 1 elements
access-list inside_nat0_outbound line 1 extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.0 (hitcnt=0) 0x67872ef8
abc-fire(config)# show access-list inside_nat0_outbound
access-list inside_nat0_outbound; 1 elements
access-list inside_nat0_outbound line 1 extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.128 (hitcnt=0) 0x65bde8b9
abc-fire(config)#

Oops! I dunno why this is happening. Just now I reset my ASA to factory defaults and did the configuration from the beginning, but still that subnet mask is there!!

Please advise!!

Again corrected:

abc-fire(config)# show access-list inside_nat0_outbound
access-list inside_nat0_outbound; 1 elements
access-list inside_nat0_outbound line 1 extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.0 (hitcnt=0) 0x67872ef8

Did you connect the VPN client? Ping any host in the inside network and then check the hitcounts.

Although this command is enabled by default, still input it, then connect by VPN and try to ping a host in the inside network:

sysopt connection permit-vpn

Your access-list still does not reflect the change. Also, why have you changed 192.168.134.0's subnet mask to 255.255.255.128??

Your access-list should look as follows:

access-list inside_nat0_outbound line 1 extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.0

Let's back up here. There is no reason why you should not be able to assign a 255.255.255.128 mask to his inside interface and also use this mask for your local network in your NAT exemption ACL. Just be consistent.

He did not show the interface IP subnet in the config, so I was assuming it to be /24 and not /25; also, he was using /24 in the original configuration for the nat 0 ACL. But now I have checked: the interface IP address in the second config that he posted is indeed a /25 subnet.

You're right, I would have made that assumption as well.

What should I do now? :(
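The replies keep circling the same question: does the nat 0 exemption ACL actually line up with the VPN address pool and the split-tunnel network? The following is an added consistency check (Python, my own code, not from the thread or from Cisco) that parses the pool, nat 0 ACL and split-tunnel ACL lines from the configuration in the question (embedded here as a constructed excerpt) and reports pool addresses with no exemption, the ACE/pool mask mismatch, and any split-tunnel network missing from the exemption. Function names are my own; it checks the config text only and cannot tell you what the ASA's inside interface mask is.

```python
import re
import ipaddress

# Constructed excerpt: the relevant lines from the ASA 8.0 config posted in the question.
ASA_CONFIG = """
access-list abc-primary-tunnel_splitTunnelAcl standard permit 192.168.134.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.128
ip local pool primary-vpn-pool 192.168.166.1-192.168.166.100 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

def net(addr, mask):
    """Network from ASA 'address mask' notation; host bits may be set."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_pool(cfg):
    """Return (first, last, pool_network) from the 'ip local pool' line."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)", cfg, re.M)
    return ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]), net(m[1], m[3])

def parse_nat0_aces(cfg):
    """Return [(src_net, dst_net)] for the ACL bound by 'nat (<if>) 0 access-list'."""
    name = re.search(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M)[1]
    pat = rf"^access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(net(s, sm), net(d, dm)) for s, sm, d, dm in re.findall(pat, cfg, re.M)]

def parse_split_tunnel(cfg):
    """Return the networks listed by 'standard permit' split-tunnel ACEs."""
    return [net(a, m) for a, m in re.findall(r"^access-list \S+ standard permit (\S+) (\S+)", cfg, re.M)]

def check_nat_exemption(cfg):
    """Return findings; an empty list means pool and nat 0 exemption are consistent."""
    first, last, pool_net = parse_pool(cfg)
    aces = parse_nat0_aces(cfg)
    findings = []
    # 1. Every pool address must be a destination in some ACE, or replies to it get NATed.
    uncovered = [ip for ip in pool_net.hosts()
                 if first <= ip <= last and not any(ip in dst for _, dst in aces)]
    if uncovered:
        findings.append(f"{len(uncovered)} pool addresses not exempted, e.g. {uncovered[0]}")
    # 2. The ACE mask should match the pool mask (the mismatch the replies point out).
    for _, dst in aces:
        if dst.prefixlen != pool_net.prefixlen:
            findings.append(f"nat 0 ACE dst {dst} mask differs from pool {pool_net}")
    # 3. Each split-tunnel network needs a nat 0 source entry, or LAN replies get NATed.
    for lan in parse_split_tunnel(cfg):
        if not any(lan.subnet_of(src) for src, _ in aces):
            findings.append(f"split-tunnel network {lan} has no nat 0 exemption")
    return findings
```

On the posted config it reports only the mask mismatch, because the pool range .1-.100 still fits inside the /25; it would start reporting unexempted addresses if the pool were widened past .127 without changing the ACE.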
