Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2244
Views
0
Helpful
1
Replies

ASA 5505 SSL VPN cant reach inside from VPN subnet

Daniel Demers
Level 1
Level 1

‎07-07-2012 07:07 PM

Hello,

I've setup a SSL VPN to a ASA 5505 and can connect.

VPN network 192.168.2.0 /24

Inside Network 192.168.1.0 /24

Outside is connected to Router.

I am trying to RDP to a win server on the inside network but I cant get to it. Can not even ping 192.168.1.1 or (not sure if I could anyways) 192.168.2.1...

I can ping from the 192.168.1.0 net to 10.0.0.0 and 192.168.2.0 without issue but not the other way around....

I added a ACL on the outside interface and then inside interface permit ip any any but still no ping or RDP...

New at VPN and have survived so far on cisco docs but this problem is evading me.

: Saved

:

ASA Version 8.2(5)

!

hostname ciscoasa

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

object-group network Axon

network-object host 192.168.1.6

object-group network VPN-Clients

network-object 192.168.2.0 255.255.255.0

object-group service HTTP-HTTPS tcp

port-object eq www

port-object eq https

object-group service RDP tcp

port-object eq 3389

access-list Outside-IN extended permit ip any any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPNPool 192.168.2.2-192.168.2.10 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

access-group Outside-IN in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.5-192.168.1.36 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc enable

group-policy VPNPolicy internal

group-policy VPNPolicy attributes

vpn-tunnel-protocol svc webvpn

address-pools value VPNPool

webvpn

url-list none

svc ask enable

username test2 password sLyNkwX4lP/BSsCW encrypted privilege 0

username test2 attributes

vpn-group-policy VPNPolicy

username fwaarmac password 5rABwjFzDBYcp0nJ encrypted privilege 15

username fwaarmac attributes

vpn-group-policy VPNPolicy

username test1 password sLyNkwX4lP/BSsCW encrypted privilege 0

username test1 attributes

vpn-group-policy VPNPolicy

username dan password Lqud3gnLO/QC5csK encrypted privilege 15

username dan attributes

vpn-group-policy VPNPolicy

tunnel-group DefaultWEBVPNGroup general-attributes

default-group-policy VPNPolicy

tunnel-group VPN type remote-access

tunnel-group VPN general-attributes

address-pool VPNPool

default-group-policy VPNPolicy

tunnel-group VPN webvpn-attributes

group-alias vpn enable

group-url

https://10.0.0.10/vpn

enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:0e732bdf9e1c3e8d87e49fdd66325e47

: end


Labels:
0 Helpful
1 Reply 1

Jennifer Halim
Cisco Employee
Cisco Employee

‎07-08-2012 02:40 AM

ou would need to configure NAT exemption for the VPN client to access internal host:

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list nonat

route inside 10.0.0.0 255.255.255.0 192.168.1.x

access-list splitacl permit 192.168.1.0 255.255.255.0

access-list splitacl permit 10.0.0.0 255.255.255.0

group-policy VPNPolicy attributes

   split-tunnel-policy tunnelspecified

   split-tunnel-network-list value splitacl

management-access inside

0 Helpful
Customers Also Viewed These Support Documents