Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA Remote Access - Can't access inside devices or outside

Hello,

I have an ASA550 - I've set up an IPSEC VPN and can connect to the ASA and I can access the CLI.

From the ASA I can access internal devices and I can access the internet.

However, I can't access the internal devices or the internet from the IPSec connected computer.

Any help is appreciated!!!!

Here's the config:

ASA Version 8.2(5)

!

hostname asa

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.47.70.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.240

!

ftp mode passive

access-list inside_nat0_outbound extended permit ip 10.47.60.0 255.255.255.0 10.47.70.0 255.255.255.0

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit udp any any eq time

access-list outside_1_cryptomap extended permit ip any 10.47.60.0 255.255.255.0

ip local pool hze_dhcp 10.47.60.10-10.47.60.41 mask 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

dynamic-access-policy-record DfltAccessPolicy

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 3600

management-access inside

dhcpd dns 10.47.70.3

dhcpd option 3 ip 10.47.70.1

!

dhcpd address 10.47.70.50-10.47.70.81 inside

dhcpd enable inside

!

webvpn

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 8.8.8.8

vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group DefaultRAGroup general-attributes

address-pool hze_dhcp

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Re: ASA Remote Access - Can't access inside devices or outside

Hi,

I dont think you have Dynamic PAT configured for the VPN Client user traffic that is supposed to browse the Internet through the ASAs WAN link.

Try adding

nat (outside) 1 10.47.60.0 255.255.255.0

Also the "packet-tracer" you have issue doesnt simulate the connection coming from the VPN Client. The VPN Client user is not located behind the "inside" interface and the VPN Clients address space doesnt include the IP address 10.47.70.20.

While the VPN Client connection is active you could use the "packet-tracer" command

packet-tracer input outside tcp 10.47.60.x 12345 8.8.8.8 80

While ofcourse replacing the "x" with the actual IP that the user got from the ASA

- Jouni

3 REPLIES
New Member

ASA Remote Access - Can't access inside devices or outside

I solved the internal host access issue.

Turns out there were two problems.

1. I had inverted my nat 0 acess-list statement;

2) I was missing the nat-control command.

The key was using show run nat command.

The Seconds issue (Accessing hosts on the internet from the VPN) I haven't solved.

I thought the issue was solved using the same-security-traffic permit intra-interface  command. Using packet input inside tcp 10.47.70.20 www 8.8.8.8 www detail resulted in success, but when I tried it from a browser it failed.

Super Bronze

Re: ASA Remote Access - Can't access inside devices or outside

Hi,

I dont think you have Dynamic PAT configured for the VPN Client user traffic that is supposed to browse the Internet through the ASAs WAN link.

Try adding

nat (outside) 1 10.47.60.0 255.255.255.0

Also the "packet-tracer" you have issue doesnt simulate the connection coming from the VPN Client. The VPN Client user is not located behind the "inside" interface and the VPN Clients address space doesnt include the IP address 10.47.70.20.

While the VPN Client connection is active you could use the "packet-tracer" command

packet-tracer input outside tcp 10.47.60.x 12345 8.8.8.8 80

While ofcourse replacing the "x" with the actual IP that the user got from the ASA

- Jouni

New Member

ASA Remote Access - Can't access inside devices or outside

Yep! Thank you so much. I was missing the nat (outside) 1 10.47.60.0 255.255.255.0 command.

Nice catch on my packet tracer. I copy and posted the wrong line. It works!

133
Views
0
Helpful
3
Replies