Another VPN access problem

FACTORY909
Level 1

I am new to the whole Cisco stuff but basically I've got everything setup to how I need EXCEPT VPN. I can connect and pull an IP from the correct pull, but cannot access anything on the lan. I am trying to hit host 192.168.123.123. I am using group Lasttry for the VPN connection (192.168.31.0/24).

: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd DcV4kd8yeNeI78yV encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport trunk native vlan 1
!
interface Ethernet0/3
switchport access vlan 114
!
interface Ethernet0/4
switchport access vlan 114
!
interface Ethernet0/5
switchport trunk allowed vlan 1,101-104
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/6
switchport access vlan 104
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.195.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan101
nameif VOIP
security-level 50
ip address 172.16.1.1 255.255.255.0
!
interface Vlan102
nameif guest
security-level 50
ip address 172.16.2.1 255.255.255.0
!
interface Vlan104
nameif SEC-SYSTEM
security-level 50
ip address 172.16.4.1 255.255.255.0
!
interface Vlan114
nameif itwatchdog
security-level 50
ip address 192.168.123.1 255.255.255.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object-group service HTTP
service-object tcp source eq www
object-group network Webserver
network-object host 192.168.195.10
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service SecureSHELL7250
description SecureSHELL7250
service-object tcp eq 7250
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.224 interface inside
access-list inside_nat0_outbound extended permit ip any 192.168.30.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.192 interface inside
access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 192.168.31.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.31.0 255.255.255.0
access-list guest_access_in extended permit ip any any
access-list outbound extended permit gre any any
access-list outbound extended permit tcp any any eq pptp
access-list outbound extended permit ip any any
access-list outbound extended permit tcp any any eq smtp
access-list SEC-SYSTEM_access_in extended permit ip any any
access-list VOIP_access_in extended permit ip any any
access-list itwatchdog_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq 7250
access-list Lasttry_splitTunnelAcl standard permit 192.168.123.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
mtu VOIP 1500
mtu SEC-SYSTEM 1500
mtu itwatchdog 1500
ip local pool TestVPN 192.168.4.1-192.168.4.20 mask 255.255.255.0
ip local pool WLGroup 192.168.30.1-192.168.30.50 mask 255.255.255.0
ip local pool LasttryPool 192.168.31.5-192.168.31.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (guest) 1 0.0.0.0 0.0.0.0
nat (VOIP) 1 0.0.0.0 0.0.0.0
nat (SEC-SYSTEM) 1 0.0.0.0 0.0.0.0
nat (itwatchdog) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.195.10 www netmask 255.255.255.255 tcp 100 50
static (inside,outside) tcp interface 7250 192.168.195.10 7250 netmask 255.255.255.255
static (VOIP,inside) 172.16.1.0 172.16.1.0 netmask 255.255.255.0
static (itwatchdog,inside) 192.168.123.0 192.168.123.0 netmask 255.255.255.0
static (inside,VOIP) 192.168.195.0 192.168.195.0 netmask 255.255.255.0
static (itwatchdog,inside) 192.168.123.0 192.168.123.0 netmask 255.255.255.0
static (inside,VOIP) 192.168.195.0 192.168.195.0 netmask 255.255.255.0
static (inside,itwatchdog) 192.168.195.0 192.168.195.0 netmask 255.255.255.0
access-group outbound in interface inside
access-group outside_access_in in interface outside
access-group guest_access_in in interface guest
access-group VOIP_access_in in interface VOIP
access-group SEC-SYSTEM_access_in in interface SEC-SYSTEM
access-group itwatchdog_access_in in interface itwatchdog
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.195.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.195.0 255.255.255.0 inside
telnet 172.16.1.0 255.255.255.0 guest
telnet timeout 5
ssh 192.168.195.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 45
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.195.221-192.168.195.249 inside
dhcpd enable inside
!
dhcpd address 172.16.2.11-172.16.2.200 guest
dhcpd enable guest
!
dhcpd address 172.16.1.20-172.16.1.50 VOIP
dhcpd enable VOIP
!
dhcpd address 172.16.4.155-172.16.4.175 SEC-SYSTEM
dhcpd enable SEC-SYSTEM
!
dhcpd address 192.168.123.124-192.168.123.128 itwatchdog
dhcpd enable itwatchdog
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy TestVPN internal
group-policy TestVPN attributes
dns-server value 192.168.195.2
vpn-filter value inside_nat0_outbound
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy WLGROUP internal
group-policy WLGROUP attributes
dns-server value 192.168.195.2
vpn-filter value inside_nat0_outbound
vpn-tunnel-protocol IPSec
group-policy Lasttry internal
group-policy Lasttry attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Lasttry_splitTunnelAcl
username sshadmin password fftiVkbaHCU3ZSQW encrypted privilege 15
username john password zRKfQe22pw2SxU1g encrypted privilege 0
username john attributes
vpn-group-policy TestVPN
tunnel-group TestVPN type remote-access
tunnel-group TestVPN general-attributes
address-pool TestVPN
default-group-policy TestVPN
tunnel-group TestVPN ipsec-attributes
pre-shared-key *****
tunnel-group WLGROUP type remote-access
tunnel-group WLGROUP general-attributes
address-pool WLGroup
default-group-policy WLGROUP
tunnel-group WLGROUP ipsec-attributes
pre-shared-key *****
tunnel-group Lasttry type remote-access
tunnel-group Lasttry general-attributes
address-pool LasttryPool
default-group-policy Lasttry
tunnel-group Lasttry ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect pptp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
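On ASA 8.2 the NAT exemption ACL only takes effect for traffic entering an interface that has `nat (ifname) 0 access-list` configured, so when a VPN pool can reach some hosts and not others it is worth checking both which ACL entries cover the pool and on which interfaces the exemption is actually applied. The script below is an added example, not part of the thread or of Cisco's tooling; it parses the pool, nat0 ACL and `nat ... 0` lines from the configuration posted above (pasted as a constructed sample) and reports both facts for a given pool.

```python
import ipaddress
import re

# Constructed sample: the NAT-exemption-related lines from the ASA 8.2(5)
# config posted in the thread (all other lines omitted).
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.224 interface inside
access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 192.168.31.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.31.0 255.255.255.0
ip local pool TestVPN 192.168.4.1-192.168.4.20 mask 255.255.255.0
ip local pool LasttryPool 192.168.31.5-192.168.31.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (itwatchdog) 1 0.0.0.0 0.0.0.0
"""


def to_network(token):
    """'any' -> 0.0.0.0/0; 'addr mask' -> network; 'interface X' -> None."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.startswith("interface "):
        return None  # refers to an interface address, not a network
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pools(config):
    """Map pool name -> (first, last) address from 'ip local pool' lines."""
    pat = r"^ip local pool (\S+) (\S+)-(\S+)"
    return {name: (ipaddress.ip_address(a), ipaddress.ip_address(b))
            for name, a, b in re.findall(pat, config, re.M)}


def parse_nat0_acl(config, acl):
    """Return (src_net, dst_net) tuples for the 'permit ip' entries of the ACL."""
    pat = rf"^access-list {acl} extended permit ip (any|\S+ \S+) (any|\S+ \S+)"
    return [(to_network(s), to_network(d)) for s, d in re.findall(pat, config, re.M)]


def nat0_interfaces(config, acl):
    """Interfaces on which the exemption ACL is actually applied with 'nat (X) 0'."""
    return set(re.findall(rf"^nat \((\S+)\) 0 access-list {acl}", config, re.M))


def check_pool_exemption(config, pool_name, acl="inside_nat0_outbound"):
    """ACL entries whose destination covers the whole pool, plus exempt interfaces."""
    first, last = parse_pools(config)[pool_name]
    covering = [(str(s), str(d)) for s, d in parse_nat0_acl(config, acl)
                if d is not None and first in d and last in d]  # pool is contiguous
    return {"covering_entries": covering,
            "exempt_interfaces": nat0_interfaces(config, acl)}
```

A pool that is covered by an ACL entry but whose target hosts sit behind an interface missing from `exempt_interfaces` will still have its return traffic translated by that interface's `nat (X) 1` rule.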


Richard Burts
Hall of Fame

John

I have looked through the information that you posted and am not clear about the topology of the network. I see two ports on the ASA that are in vlan 114 which is the vlan for the host you are attempting to access through the vpn connection. Is this host connected to one of these ports? Or is it somewhere else in your network? If it is somewhere else in the network can you check whether it has a valid route to network 192.168.31.0?

HTH

Rick

jawad-mukhtar
Level 4

remove

access-group outside_access_in in interface outside

then check....

also

remove

access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 192.168.31.0 255.255.255.240

add

access-list inside_nat0_outbound extended permit ip 192.168.123.0 255.255.255.0 192.168.31.0 255.255.255.0

Jawad

paolo bevilacqua
Hall of Fame

Wrong forum, post in "Security - VPN". You can move your posting with the Actions panel on the right.

I have a similar problem. If there is a resolution to this please let me know.

kevin

andduart
Level 1

Hi,

Please try to add the crypto isakmp nat-traversal 30, try to connect again and test the results. If this does not work we can follow some TS steps.

Regards,

My apologies for not seeing your post until now. My config is slightly different. I am missing what you are suggesting to try.

I will add it in later tonight and post back. Below is my current configuration for PIX 525. What troubleshooting steps should be taken if that doesn't work?

show config
: Saved
: Written by enable_15 at 06:25:46.787 UTC Fri Oct 18 2013
!
PIX Version 8.0(4)
!
hostname thcvpn01
domain-name somewhere.net
enable password * encrypted
passwd * encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.0.0.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.222.220
domain-name somewhere.net
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObject
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPPool 10.1.1.40-10.1.1.49
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 28800
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username [username] password [password] encrypted
tunnel-group THCVpnGroup type remote-access
tunnel-group THCVpnGroup general-attributes
address-pool ThcIPPool
tunnel-group THCVpnGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0be52458c95d5dd080d82401982201ee