ASA 5505 IPSEC VPN connected but can't access to LAN

sai cheng
Level 1

ASA: 8.2.5

ASDM: 6.4.5

LAN: 10.1.0.0/22

VPN Pool: 172.16.10.0/24

Hi, we purchased a new ASA 5505 and tried to set up IPSEC VPN via ASDM; I just ran the wizards, set up the vpnpool, split tunnelling, etc.

I can connect to the ASA using the Cisco VPN client and the internet works fine on the local PC, but it cannot access the LAN (can't ping, can't remote desktop). I tried the same thing on our production ASA (those have both remote VPN and site-to-site VPN working), and the new profile I created worked fine.

Below is my configuration; did I misconfigure anything?

ASA Version 8.2(5)
!
hostname asatest
domain-name XXX.com
enable password 8Fw1QFqthX2n4uD3 encrypted
passwd g9NiG6oUPjkYrHNt encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.253 255.255.252.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.240
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name vff.com
access-list vpntest_splitTunnelAcl standard permit 10.1.0.0 255.255.252.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.252.0 172.16.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap warnings
logging asdm informational
logging device-id hostname
logging host inside 10.1.1.230
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.16.10.1-172.16.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD protocol nt
aaa-server AD (inside) host 10.1.1.108
 nt-auth-domain-controller 10.1.1.108
http server enable
http 10.1.0.0 255.255.252.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 10.1.0.0 255.255.252.0 inside
ssh timeout 20
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpntest internal
group-policy vpntest attributes
 wins-server value 10.1.1.108
 dns-server value 10.1.1.108
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp disable
 re-xauth disable
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpntest_splitTunnelAcl
 default-domain value XXX.com
 split-tunnel-all-dns disable
 backup-servers keep-client-config
 address-pools value vpnpool
username admin password WeiepwREwT66BhE9 encrypted privilege 15
username user5 password yIWniWfceAUz1sUb encrypted privilege 5
username user3 password umNHhJnO7McrLxNQ encrypted privilege 3
tunnel-group vpntest type remote-access
tunnel-group vpntest general-attributes
 address-pool vpnpool
 authentication-server-group AD
 authentication-server-group (inside) AD
 default-group-policy vpntest
 strip-realm
tunnel-group vpntest ipsec-attributes
 pre-shared-key BEKey123456
 peer-id-validate nocheck
!
!
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:447bbbc60fc01e9f83b32b1e0304c6b4
: end


6 Replies

kssinha
Level 1

Hi Sai,

Can you take captures on your inside interface (behind which your Local LAN is) and check if you can see bi-directional traffic or not?

It seems like on your internal LAN there might be a routing issue, i.e., a device in between might not be routing traffic back to the ASA for the pool IP subnet.

To take captures, create an ACL:

access-list test123 permit ip host x.x.x.x host y.y.y.y
access-list test123 permit ip host y.y.y.y host x.x.x.x
cap test123 interface inside access-list test123
show cap test123

x.x.x.x = Pool ip address which your client machine gets

y.y.y.y = IP address you are trying to ping in your internal LAN.

Check if you see packets going out to the internal LAN and whether you see reply packets or not. If you don't, check your internal routing, and if there is another firewall in between, check that traffic to the pool is allowed on it.

HTH

Also, just to add: if management access is enabled on the inside interface, can you try to ping the inside interface of the ASA and see if you get replies for that?

Thank you for your response. I think I found something: this ASA acts as a secondary gateway of the LAN; the rest of the computers in the LAN use the other ASA as their default gateway. If I change a PC's gateway, then I get ping responses back.

I tested on the production ASA: I can ping every computer on the LAN no matter what their gateway is, but this new ASA can't. Also, while remoted in, I cannot ping this ASA's inside IP.

sai cheng
Level 1

Below is the capture:

asatest# show cap test

8 packets captured
   1: 15:09:24.337842 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
   2: 15:09:26.997323 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
   3: 15:09:28.457923 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
   4: 15:09:28.796772 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
   5: 15:09:30.046292 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
   6: 15:09:31.457633 802.1Q vlan#1 P0 172.16.10.1.5544 > 10.1.1.108.3389: S 321718812:321718812(0) win 8192
   7: 15:09:33.795231 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
   8: 15:09:34.434853 802.1Q vlan#1 P0 172.16.10.1.5544 > 10.1.1.108.3389: S 321718812:321718812(0) win 8192
8 packets shown

From the captures we can see packets going from the Pool to the internal LAN but we cannot see any reply packets coming back.

The routing should be such that for 172.16.10.0/24 the packets should reach the inside interface of this ASA.

So either on the client machines or on the switch in your internal LAN you need to add a route for 172.16.10.0/24 pointing towards the inside interface of this ASA.
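To make the asymmetry the accepted answer describes mechanical to spot, here is an added Python script (not part of the thread) that parses ASA `show cap` output of the form posted above and reports host pairs with traffic in one direction only; the embedded sample is an excerpt of the two captures in this thread (the first without replies, the second with).

```python
import re
from collections import defaultdict

# One line of ASA "show cap" output. The 802.1Q tag is optional so untagged
# captures parse too; TCP/UDP endpoints carry a trailing ".port", ICMP ones do not.
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)

# Excerpt of the two captures posted in the thread: lines 1, 2 and 6 of the first
# capture (no replies) and lines 10 and 11 of the second (echo reply present).
SAMPLE = """\
   1: 15:09:24.337842 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
   2: 15:09:26.997323 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
   6: 15:09:31.457633 802.1Q vlan#1 P0 172.16.10.1.5544 > 10.1.1.108.3389: S 321718812:321718812(0) win 8192
  10: 18:16:20.640424 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
  11: 18:16:20.642193 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
"""


def parse_capture(text):
    """Return one (src, sport, dst, dport) tuple per packet line; ports are None for ICMP."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append((m.group("src"), m.group("sport"),
                            m.group("dst"), m.group("dport")))
    return packets


def unidirectional_flows(packets):
    """Count packets per (src, dst) host pair and keep only the pairs for which the
    capture holds no packet in the reverse direction. That is the signature of the
    asymmetric-routing problem in this thread: requests reach the LAN host, but its
    replies leave via the other default gateway and never come back through this ASA."""
    counts = defaultdict(int)
    for src, _sport, dst, _dport in packets:
        counts[(src, dst)] += 1
    return {pair: n for pair, n in counts.items()
            if counts.get((pair[1], pair[0]), 0) == 0}


if __name__ == "__main__":
    for (src, dst), n in sorted(unidirectional_flows(parse_capture(SAMPLE)).items()):
        print(f"{n} packet(s) {src} -> {dst} with no reply: check that {dst} (or its "
              f"default gateway) has a route for the pool subnet via this ASA's inside interface")
```

For the sample, only the 10.1.1.233 and 10.1.1.108 pairs are reported; the 10.1.1.230 pair, whose gateway was changed to this ASA, has a reply and is not.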

I changed a machine's gateway to this ASA and captured again; now we can see some replies.

All other PCs' and switches' gateways point to another ASA; maybe that's the reason why it didn't work?

What's the recommended way to make our LAN have two gateways (for load balancing or a backup router, etc.)?

Add two gateways to all PCs and switches?

   1: 18:15:48.307875 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
   2: 18:15:49.777685 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
   3: 18:15:51.377147 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
   4: 18:15:57.445777 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
   5: 18:15:58.856324 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
   6: 18:16:00.395090 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
   7: 18:16:06.483464 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
   8: 18:16:08.082805 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
   9: 18:16:09.542406 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 68
  10: 18:16:20.640424 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
  11: 18:16:20.642193 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
  12: 18:16:21.169607 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
  13: 18:16:21.171210 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
  14: 18:16:22.179556 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
  15: 18:16:22.181142 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
  16: 18:16:23.237673 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.230: icmp: echo request
  17: 18:16:23.239291 802.1Q vlan#1 P0 10.1.1.230 > 172.16.10.1: icmp: echo reply
  18: 18:16:27.676402 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
  19: 18:16:29.246935 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
  20: 18:16:30.676921 802.1Q vlan#1 P0 172.16.10.1.137 > 10.1.1.108.137:  udp 50
  21: 18:16:49.539660 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
  22: 18:16:54.952602 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
  23: 18:17:04.511463 802.1Q vlan#1 P0 172.16.10.1 > 10.1.1.233: icmp: echo request
