09-02-2008 06:42 PM - edited 02-21-2020 03:55 PM
Hi all. My office network is protected by an ASA5510 firewall with VPN configured. When I VPN into my office network I could not access the firewall via the firewall's internal address using telnet etc., even though I have already enabled telnet. The firewall is my office network gateway. Below is my config. Pls advise. Thks in advance. Access to my office network is fine using VPN.
hostname firewall
domain-name default.domain.invalid
enable password xxx
names
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1x.x 255.255.255.0
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.2x.x 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 8x.x.x.x 255.255.255.240
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip 192.168.1x.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list DMZ_access_in extended permit ip 192.168.2x.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.224
access-list split-tunnel standard permit 192.168.1x.0 255.255.255.0
pager lines 24
logging enable
logging asdm-buffer-size 500
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu management 1500
ip local pool addpool 172.16.0.1-172.16.0.20 mask 255.255.0.0
no failover
monitor-interface inside
monitor-interface DMZ
monitor-interface outside
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 192.168.1x.0 255.255.255.0
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 8x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn internal
group-policy vpn attributes
dns-server value 192.168.1x.x 192.168.1x.x
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
webvpn
username ciscoadm password xxx encrypted privilege 15
username ciscoadm attributes
vpn-group-policy vpn
webvpn
http server enable
http 192.168.1x.x 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 13800
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool addpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
telnet 192.168.1x.x 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
09-02-2008 07:58 PM
u have a mismatch in subnet mask between the nat0 ACL and the vpn pool
ur pool is
ip local pool addpool 172.16.0.1-172.16.0.20 mask 255.255.0.0
while in the ACL the mask is
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.224
try to make the vpn pool like
ip local pool addpool 172.16.0.1-172.16.0.20 mask 255.255.255.0
also the ACL u have does not cover all IPs
so if u want make it like
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.0
finally check this ACL, it might be blocking the traffic
access-group outside_access_in in interface outside
good luck
if helpful Rate
09-02-2008 10:02 PM
Hi marwanshawi,
Thank you for your response.
I have made the following changes.
1) I have changed "access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.224" to "access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.0.0", so the VPN address pool matches my NAT exemption ACL.
2) I have removed the deny statement from the outside_access_in ACL.
After doing the above, I am still unable to telnet into the firewall after I manage to VPN into my office network. All other servers can be accessed once my VPN connection is up. Pls advise, thks in advance.
09-02-2008 10:11 PM
even if u remove the deny
there is a deny all by default called the implicit deny
u need to make an explicit allow
so allow whatever traffic u want the vpn client to do
like
permit tcp 172.16.0.0 255.255.0.0 [asa inside ip] eq 23
permit tcp [asa inside ip] eq 23 172.16.0.0 255.255.0.0
and also
do
clear xlate and clear conn
good luck
09-02-2008 10:30 PM
Hi,
Did you add the "management-access" command ?
To allow management access to an interface other than the one from which you
entered the security appliance when using IPSec VPN, use the management-access
command in global configuration mode.
management-access inside
09-02-2008 11:13 PM
Hi dhana,
Thank you for your response. After adding "management-access inside" I can now ping the internal interface of my firewall after connecting to my office network via VPN, which I previously could not. However I could not access my firewall via ASDM and telnet even though I have allowed 0.0.0.0 0.0.0.0 to access the firewall for both telnet and ASDM using the device access option available in ASDM. Pls advise. Thks in advance.
09-04-2008 08:09 PM
Hi all. Below is my configuration. After I enabled "management-access inside" I could access my firewall internal IP via ping after establishing the VPN connection, but not others like telnet, even though "telnet 0.0.0.0 0.0.0.0 inside" is enabled. Pls advise.
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1x.254 255.255.255.0
!
interface Ethernet0/1
nameif DMZ
security-level 50
ip address 192.168.2x.254 255.255.255.0
!
interface Ethernet0/2
nameif outside
security-level 0
ip address 8x.xx.xx.xx 255.255.255.240
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx
ftp mode passive
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip 192.168.1x.0 255.255.255.0 any
access-list inside_access_in extended permit esp any any
access-list inside_access_in extended permit gre any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list DMZ_access_in extended permit ip 192.168.2x.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.0.0
access-list split-tunnel standard permit 192.168.1x.0 255.255.255.0
access-list prod standard permit host 192.168.1x.x
access-list prod standard deny any
pager lines 24
logging enable
logging asdm-buffer-size 500
logging asdm informational
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
mtu management 1500
ip local pool pool 172.16.0.1-172.16.0.20 mask 255.255.0.0
no failover
monitor-interface inside
monitor-interface DMZ
monitor-interface outside
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 192.168.1x.0 255.255.255.0
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 8x.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpnuser internal
group-policy vpnuser attributes
dns-server value 192.168.1x.x 192.168.1x.x
split-tunnel-policy tunnelspecified
split-tunnel-network-list value prod
default-domain value mm.com
webvpn
username user password xxx encrypted privilege 15
username user attributes
vpn-group-policy vpnuser
webvpn
http server enable
http 192.168.1x.x 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 13800
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpnuser type ipsec-ra
tunnel-group vpnuser general-attributes
address-pool pool
default-group-policy vpnuser
tunnel-group vpnuser ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd dns 8x.x.1x.x 8x.x.x.x
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
09-05-2008 06:06 AM
try specifying your vpn ip pool range for telnet access...
telnet 172.16.0.0 255.255.0.0 inside
http 172.16.0.0 255.255.0.0 inside
...if you're still having issues with asdm via vpn.
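An added check, not from any poster in this thread, that audits the three things the replies converge on: the nat 0 exemption covering the VPN pool, telnet/http lines on the inside interface covering the pool, and management-access inside being present. It runs against a constructed config modelled on the thread's first posting, with 192.168.10.0/24 standing in for the obfuscated inside network:

```python
import ipaddress
import re
# Constructed sample modelled on the thread's first config (192.168.10.0/24 stands in
# for the obfuscated 192.168.1x.x inside network).
BEFORE = """\
ip local pool addpool 172.16.0.1-172.16.0.20 mask 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
telnet 192.168.10.0 255.255.255.0 inside
"""
# The same config plus the lines the replies suggest adding.
AFTER = BEFORE + """\
telnet 172.16.0.0 255.255.0.0 inside
http 172.16.0.0 255.255.0.0 inside
management-access inside
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
def pool_addresses(config):
    """Every address an 'ip local pool' line can hand to a VPN client."""
    addrs = []
    for m in re.finditer(r"^ip local pool \S+ (\S+)-(\S+) mask", config, re.M):
        lo, hi = (int(ipaddress.ip_address(x)) for x in m.groups())
        addrs += [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
    return addrs
def nat0_destinations(config):
    """Destinations of the nat 0 ACL ('permit ip any <addr> <mask>' form only)."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not m:
        return []
    pat = rf"^access-list {m.group(1)} extended permit ip any (\S+) (\S+)"
    return [net(a, k) for a, k in re.findall(pat, config, re.M)]
def mgmt_allowed(config, proto, iface="inside"):
    """Networks a 'telnet'/'http' line permits to reach the given interface."""
    return [net(a, k) for a, k in re.findall(rf"^{proto} (\S+) (\S+) {iface}$", config, re.M)]
def covers(nets, addrs):
    return all(any(a in n for n in nets) for a in addrs)
def audit(config):
    """List the gaps the thread's troubleshooting turned up, in order."""
    pool, findings = pool_addresses(config), []
    if not covers(nat0_destinations(config), pool):
        findings.append("nat 0 exemption ACL does not cover the VPN pool")
    for proto in ("telnet", "http"):
        if not covers(mgmt_allowed(config, proto), pool):
            findings.append(f"{proto} on inside does not permit the VPN pool")
    if not re.search(r"^management-access inside$", config, re.M):
        findings.append("management-access inside missing")
    return findings
```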
09-08-2008 08:03 PM
Hi marshall, thank you for your response. I specified what you suggested and now I can access the ASDM interface after connecting VPN. However I still could not access through telnet after connecting VPN. Pls advise. Thks in advance.
09-09-2008 05:30 AM
are you trying to access in the mgmt interface or the inside interface when trying to telnet over VPN?
09-09-2008 05:06 PM
Hi. I am trying to access the inside interface of my firewall over VPN. After I enabled "management-access inside" I managed to access my firewall inside interface via ASDM over VPN but not through telnet, even though I have enabled my VPN IP to access the firewall via telnet and ASDM as below.
"http 172.20.0.0 255.255.255.0 inside"
"telnet 172.20.0.0 255.255.255.0 inside"
09-09-2008 05:13 PM
Hi,
You have an interface specified as Management0/0 nameif management as the ASA management-only interface
try
management-access management
Rgds
Jorge
09-10-2008 06:55 AM
I would suggest trying to add an ACL for telnet access..
access-list acl_in extended permit tcp any any eq telnet