Solved: Re: Cannot connect to Internal Network from SSL VPN - Page 2

skiwili1234 · ‎08-30-2013

First time setting ASA 5512 and I did a lot research to fix my issue but no luck. I really appreciate if I can get some help.

After successfully connected to ASA via SSL VPN. I am only able to ping the outside interface (10.2.11.4).

Please check my config and let me know what is wrong .Thanks

: Saved
:
ASA Version 9.1(2)
!
hostname asa-01
domain-name corporate.local
enable password t8tpEme73dn9e0.9 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd t8tpEme73dn9e0.9 encrypted
names
ip local pool sslvpn-ip-pool 10.255.255.1-10.255.255.100 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 50
ip address 10.2.11.4 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.2.255.18 255.255.255.248
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.2.9.23
name-server 10.2.1.1
name-server 10.2.9.24
domain-name corporate.local
object network Trusted
subnet 10.2.0.0 255.255.0.0
object network Outside
subnet 10.2.11.0 255.255.255.0
object network ss
subnet 10.2.11.0 255.255.255.0
object network VPNlocalIP
subnet 10.255.255.0 255.255.255.0
object network LAN
subnet 10.2.9.0 255.255.255.0
object network VPN-INSIDE
subnet 10.2.255.16 255.255.255.248
object-group service tcp4433 tcp
port-object eq 4433
access-list SPLIT-TUNNEL standard permit 10.2.255.16 255.255.255.248
access-list SPLIT-TUNNEL standard permit 10.2.11.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit host 10.2.9.0
access-list global_access extended permit ip object VPNlocalIP object LAN
access-list global_access extended permit ip object LAN object VPNlocalIP
pager lines 24
logging enable
logging asdm informational
logging host inside 10.2.8.8
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LAN LAN destination static VPNlocalIP VPNlocalIP
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.2.11.1 1
route inside 10.2.0.0 255.255.0.0 10.2.255.17 1
route inside 10.255.255.0 255.255.255.0 10.2.255.17 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server CA-Kerberos protocol kerberos
aaa-server CA-Kerberos (inside) host 10.2.9.24
kerberos-realm Corp.PRI
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 4431
http 192.168.1.0 255.255.255.0 management
http 10.2.0.0 255.255.0.0 outside
http redirect inside 80
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair 4151
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
subject-name CN=vpn.corp.com
keypair ASA_PKC_One
crl configure
crypto ca trustpool policy

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
telnet timeout 15
ssh 10.2.0.0 255.255.0.0 inside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access outside
dhcpd address 192.168.1.2-192.168.1.10 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.2.9.23 source outside
ssl encryption aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint4 management
ssl trust-point ASDM_TrustPoint4 outside
ssl trust-point ASDM_TrustPoint4 inside
webvpn
enable outside
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.04063-k9.pkg 1
anyconnect enable
tunnel-group-list enable
smart-tunnel list TerminalServer Terminal mstsc.exe platform windows
group-policy DfltGrpPolicy attributes
dns-server value 10.2.9.23
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value corp.com
webvpn
customization value DfltCustomization
group-policy CA-SSLVPN-TEST internal
group-policy CA-SSLVPN-TEST attributes
wins-server none
dns-server value 10.2.9.23
vpn-tunnel-protocol ssl-client
default-domain value corp.com
group-policy CA-CLIENTLESS-TEST internal
group-policy CA-CLIENTLESS-TEST attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value Contractors-List
smart-tunnel enable TerminalServer
username ssluser password nS2GfPhvrmh.I/qL encrypted
username ssluser attributes
vpn-group-policy CA-SSLVPN-TEST
vpn-tunnel-protocol ssl-client
group-lock value AnySSLVPN-TEST
service-type remote-access
username admin password f4JufzEgsqDt05cH encrypted privilege 15
username cluser password 3mAXWbcK2ZdaFXHb encrypted
username cluser attributes
vpn-group-policy CA-CLIENTLESS-TEST
vpn-tunnel-protocol ssl-clientless
group-lock value OLY-Clientless
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
authentication-server-group CA-Kerberos LOCAL
tunnel-group DefaultRAGroup webvpn-attributes
customization CA-ClientLess-Portal
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool sslvpn-ip-pool
authentication-server-group CA-Kerberos LOCAL
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization CA-ClientLess-Portal
tunnel-group AnySSLVPN-TEST type remote-access
tunnel-group AnySSLVPN-TEST general-attributes
address-pool sslvpn-ip-pool
authentication-server-group CA-Kerberos
default-group-policy CA-SSLVPN-TEST
tunnel-group AnySSLVPN-TEST webvpn-attributes
customization OLY-Portal
group-alias AnySSLVPN-TEST disable
group-alias AnySSLVPN-TEST-Alias disable
group-alias OLY-SSLVPN disable
group-alias SSLVPN enable
tunnel-group OLY-Clientless type remote-access
tunnel-group OLY-Clientless general-attributes
authentication-server-group CA-Kerberos
default-group-policy CA-CLIENTLESS-TEST
tunnel-group OLY-Clientless webvpn-attributes
customization CA-ClientLess-Portal
nbns-server 10.2.9.23 master timeout 2 retry 2
group-alias Clientless enable
group-alias cl disable

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 3
subscribe-to-alert-group configuration periodic monthly 3
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ceea6b06a18781a23e6b5dde6b591704
: end
asdm image disk0:/asdm-713.bin
no asdm history enable

Jouni Forss · ‎09-02-2013

Hi,

If that is your complete topology then I presume that the Switch on the LAN is a L3 capable switch. Otherwise it doesnt really do any routing. It would then only have a default-gateway set for remote management and traffic originated from the switch itself.

- Jouni

skiwili1234 · ‎09-02-2013

I am not sure if I understand your reply. but i can tell you that the ASA outside network (10.2.11.0) is connected to the router dmz zone and the ASA Inside network is connected to the router to another Vlan zone called VPN-Int. the IP of the router facing internet is 204.12.153.225.

skiwili1234 · ‎09-02-2013

I just pinged www.google.ca and my internal dns server with success. so routing is working ok I guess. right?

Jouni Forss · ‎09-02-2013

Hi,

What I meant was that you have in the picture a switch directly connected to the ASA "inside" interface. This would suggest that there was no router behind the ASA "inside" interface unless its a Layer 3 switch (Switch with routing capabilities)

If I understood you correctly, you also said that the ASA "inside" is actually connected to the same router that the "outside" interface of the ASA is connected to BUT its connected on another zone/vlan?

If we take for example the host/server 10.2.9.23, what is this host/server route out the LAN network to the Internet? Does it go through straight through the Juniper OR does it go through the ASA?

I am starting to think that your problem might be that the Juniper is acting as the Internet gateway for all your LAN networks and the VPN user traffic coming through the ASA is reaching the LAN hosts but from them routed directly out the Juniper instead of routed back to the ASA.

Have you made absolutely sure that the whatever router is behind the ASA has a route for the VPN Pool network towards the ASA "inside" interface or that the LAN network is using the ASA "inside" as the default gateway?

- Jouni

skiwili1234 · ‎09-02-2013

If I understood you correctly, you also said that the ASA "inside" is actually connected to the same router that the "outside" interface of the ASA is connected to BUT its connected on another zone/vlan?

Yes , you are correct.

If we take for example the host/server 10.2.9.23, what is this host/server route out the LAN network to the Internet?

The route of 10.2.9.23 is 10.2.9.1

Does it go through straight through the Juniper OR does it go through the ASA?

It goes to the juniper

I am starting to think that your problem might be that the Juniper is acting as the Internet gateway for all your LAN networks and the VPN user traffic coming through the ASA is reaching the LAN hosts but from them routed directly out the Juniper instead of routed back to the ASA.

very likely possible. all the zones/vlan goes to the untrust interface in the juniper for internet traffic

Jouni Forss · ‎09-02-2013

Hi,

I guess the ASA is only used for VPN purposes (at the moment atleast)

Sadly, I am not familiar with the Juniper devices as I have only used Cisco to this day.

If I have understood the situation correctly, then it would seem to me that the problem might simply be that the Juniper doesnt know how to forward the traffic destined to the VPN Pool 10.255.255.0/24 from the LAN 10.2.9.0/24. It is perhaps trying to use its default route to forward the traffic to the Internet instead of the ASA.

So I would confirm that the Juniper has a route atleast for the network 10.255.255.0/24 pointing towards the gateway address which would be ASA "inside" interface IP address.

I just can't see a problem with the actual configuration of the ASA at the moment. And since traffic to the 10.2.255.17 or any LAN host doesnt work it would seem that simply is no return route to forward the VPN users traffic back to the ASA.

- Jouni

skiwili1234 · ‎09-02-2013

One more information I like to add is that we currently have Cisco VPN concentrator 3000 working as VPN only. the VPN concentrator is also using the same router as the ASA 5512.

I think I am going the use the same VPN IP pool as the VPN concentrator and see if that will make any difference.

Thanks a lot Jouni for your help.

Jouni Forss · ‎09-02-2013

Hi,

I would imagine that you are going to run into problems if you are going to use the same VPN Pool.

The routing simply aint going to work for both of the devices at the same time.

Unless you meant that the ASA was replacing the VPN Concentrator and you were going to use the same VPN Pool on the ASA and then switch the ASA to the place of the VPN Concentrator and have a try.

- Jouni

skiwili1234 · ‎09-02-2013

The ASA will replace the VPN concentrator after I get everyting working.

Jouni Forss · ‎09-02-2013

Ok,

Judging by all the things we have gone through so far it would seem to me that you are possibly dealing with a routing related problem that is related to the Juniper configurations more than the actual ASA configurations.

I don't know if I can provide any more help with this other than to suggest confirming the configurations on the Juniper so that its correctly handling the routing for the VPN Pool network configured on the ASA.

The strongest indication of this problem were

You were able to PING the ASA "inside" interface from the VPN Client which means traffic came through the VPN and reached the ASA "inside" interface BUT as soon as you pinged the Junipers interface IP that is connected to the ASA "inside" interface, there was no reply. This would match with the behaviour that the Juniper doesnt have a route for the VPN Pool behind ASA:
Also the fact that you can ping the LAN network from the ASA directly but not from the VPN Client would point to a problem with routing on the Juniper. This is because when you use the ASA to ping then the ASA will use the "inside" interface IP address as the source for the ping. As this network is between ASA and Juniper directly it means that the Juniper has a directly connected route for this network and there is no problem for routing this traffic.

- Jouni

skiwili1234 · ‎09-02-2013

I am thinking to switch the Asa to transparent mode. But I need same subnet first on the Asa

Sent from Cisco Technical Support iPad App

Jouni Forss · ‎09-02-2013

Hi,

The ASA wont support VPN in Transparent mode.

- Jouni

skiwili1234 · ‎09-02-2013

I added the static route on the juniper and now I can ping 10.2.255.17 but still cannot ping 10.2.9.23. I am close to fix the issue

Sent from Cisco Technical Support iPad App

Jouni Forss · ‎09-02-2013

Hi,

If you can ping the Juniper side of the ASA "inside" link network from the VPN Client then there should not be much problems anymore.

As I dont know the Juniper configuration format at all I am not sure what the problem is. Perhaps something related to firewall rules or perhaps something related to NAT between the interface connected to the LAN and the interface connected to the ASA.

If we were talking about a simple router behind the ASA then the only thing really required for the traffic to be routed correctly would be the static route telling the router that VPN Pool network is found behind 10.2.255.18

- Jouni

skiwili1234 · ‎09-02-2013

Hi ,
Problem solved :). As you just said, I opened firewall rule on the juniper and now I can connect to my internal network.

I can't thank you much for your help. I won't solve the issue without you.

thank you so much.

Sent from Cisco Technical Support iPad App