6874 Views | 0 Helpful | 30 Replies

Cannot connect to Internal Network from SSL VPN

skiwili1234 (Level 1)

First time setting up an ASA 5512, and I did a lot of research to fix my issue but no luck. I would really appreciate it if I could get some help.

After successfully connecting to the ASA via SSL VPN, I am only able to ping the outside interface (10.2.11.4).

Please check my config and let me know what is wrong. Thanks

: Saved
:
ASA Version 9.1(2)
!
hostname asa-01
domain-name corporate.local
enable password t8tpEme73dn9e0.9 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd t8tpEme73dn9e0.9 encrypted
names
ip local pool sslvpn-ip-pool 10.255.255.1-10.255.255.100 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 50
ip address 10.2.11.4 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.2.255.18 255.255.255.248
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.2.9.23
name-server 10.2.1.1
name-server 10.2.9.24
domain-name corporate.local
object network Trusted
subnet 10.2.0.0 255.255.0.0
object network Outside
subnet 10.2.11.0 255.255.255.0
object network ss
subnet 10.2.11.0 255.255.255.0
object network VPNlocalIP
subnet 10.255.255.0 255.255.255.0
object network LAN
subnet 10.2.9.0 255.255.255.0
object network VPN-INSIDE
subnet 10.2.255.16 255.255.255.248
object-group service tcp4433 tcp
port-object eq 4433
access-list SPLIT-TUNNEL standard permit 10.2.255.16 255.255.255.248
access-list SPLIT-TUNNEL standard permit 10.2.11.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit host 10.2.9.0
access-list global_access extended permit ip object VPNlocalIP object LAN
access-list global_access extended permit ip object LAN object VPNlocalIP
pager lines 24
logging enable
logging asdm informational
logging host inside 10.2.8.8
logging debug-trace
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static LAN LAN destination static VPNlocalIP VPNlocalIP
access-group global_access global
route outside 0.0.0.0 0.0.0.0 10.2.11.1 1
route inside 10.2.0.0 255.255.0.0 10.2.255.17 1
route inside 10.255.255.0 255.255.255.0 10.2.255.17 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server CA-Kerberos protocol kerberos
aaa-server CA-Kerberos (inside) host 10.2.9.24
kerberos-realm Corp.PRI
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable 4431
http 192.168.1.0 255.255.255.0 management
http 10.2.0.0 255.255.0.0 outside
http redirect inside 80
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair 4151
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
subject-name CN=vpn.corp.com
keypair ASA_PKC_One
crl configure
crypto ca trustpool policy

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
telnet timeout 15
ssh 10.2.0.0 255.255.0.0 inside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access outside
dhcpd address 192.168.1.2-192.168.1.10 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.2.9.23 source outside
ssl encryption aes128-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint4 management
ssl trust-point ASDM_TrustPoint4 outside
ssl trust-point ASDM_TrustPoint4 inside
webvpn
enable outside
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.04063-k9.pkg 1
anyconnect enable
tunnel-group-list enable
smart-tunnel list TerminalServer Terminal mstsc.exe platform windows
group-policy DfltGrpPolicy attributes
dns-server value 10.2.9.23
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value corp.com
webvpn
  customization value DfltCustomization
group-policy CA-SSLVPN-TEST internal
group-policy CA-SSLVPN-TEST attributes
wins-server none
dns-server value 10.2.9.23
vpn-tunnel-protocol ssl-client
default-domain value corp.com
group-policy CA-CLIENTLESS-TEST internal
group-policy CA-CLIENTLESS-TEST attributes
vpn-tunnel-protocol ssl-clientless
webvpn
  url-list value Contractors-List
  smart-tunnel enable TerminalServer
username ssluser password nS2GfPhvrmh.I/qL encrypted
username ssluser attributes
vpn-group-policy CA-SSLVPN-TEST
vpn-tunnel-protocol ssl-client
group-lock value AnySSLVPN-TEST
service-type remote-access
username admin password f4JufzEgsqDt05cH encrypted privilege 15
username cluser password 3mAXWbcK2ZdaFXHb encrypted
username cluser attributes
vpn-group-policy CA-CLIENTLESS-TEST
vpn-tunnel-protocol ssl-clientless
group-lock value OLY-Clientless
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
authentication-server-group CA-Kerberos LOCAL
tunnel-group DefaultRAGroup webvpn-attributes
customization CA-ClientLess-Portal
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool sslvpn-ip-pool
authentication-server-group CA-Kerberos LOCAL
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization CA-ClientLess-Portal
tunnel-group AnySSLVPN-TEST type remote-access
tunnel-group AnySSLVPN-TEST general-attributes
address-pool sslvpn-ip-pool
authentication-server-group CA-Kerberos
default-group-policy CA-SSLVPN-TEST
tunnel-group AnySSLVPN-TEST webvpn-attributes
customization OLY-Portal
group-alias AnySSLVPN-TEST disable
group-alias AnySSLVPN-TEST-Alias disable
group-alias OLY-SSLVPN disable
group-alias SSLVPN enable
tunnel-group OLY-Clientless type remote-access
tunnel-group OLY-Clientless general-attributes
authentication-server-group CA-Kerberos
default-group-policy CA-CLIENTLESS-TEST
tunnel-group OLY-Clientless webvpn-attributes
customization CA-ClientLess-Portal
nbns-server 10.2.9.23 master timeout 2 retry 2
group-alias Clientless enable
group-alias cl disable

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 3
  subscribe-to-alert-group configuration periodic monthly 3
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ceea6b06a18781a23e6b5dde6b591704
: end

Accepted Solution

Hi,

Glad to hear it works.

Please do remember to mark a reply as the correct answer and/or rate helpful answers.

- Jouni

30 Replies

Jouni Forss (VIP Alumni)

Hi,

You seem to have routed the VPN Pool network towards your "inside" network for some reason.

route inside 10.255.255.0 255.255.255.0 10.2.255.17 1

I would imagine though that the ASA might install a more specific route in the routing table for the IP the VPN client gets when the VPN is active, but I am still not sure the route makes sense.

What IP/network are you trying to reach on the LAN network?

- Jouni

I am trying to ping 10.2.9.23.

That route you mentioned I added thinking it would help route 10.2.9.0/24.

Using packet tracer I can see that the traffic is allowed from 10.255.255.2 to 10.2.9.23.

I think I misconfigured NAT exempt. I am desperate for help. Please.


Hi,

The route I mentioned will actually tell the ASA that the network 10.255.255.0/24 is found behind the "inside" interface and the next hop IP address is 10.2.255.17.

You already have a route that will tell the ASA that the IP address 10.2.9.23 (and its network) is found behind "inside" interface with this command

route inside 10.2.0.0 255.255.0.0 10.2.255.17 1

So I would suggest you remove the below route

no route inside 10.255.255.0 255.255.255.0 10.2.255.17 1

And see if that makes any difference.

- Jouni

I just removed it but still no luck.


Hello,

Try:

no route inside 10.255.255.0 255.255.255.0 10.2.255.17 1

no access-list SPLIT-TUNNEL standard permit host 10.2.9.0

access-list SPLIT-TUNNEL standard permit 10.2.9.0 255.255.255.0

fixup protocol icmp

Then let me know!

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi,

Still not working. I cannot even ping the ASA outside interface from the internal network, but I can ping the inside interface from the internal network.

Looks like the ASA outside interface isn't routing when traffic comes from the internal network.

Hi,

Seems to me that the Split Tunnel ACL is not being used, so changes to it don't make a difference at this point. To my understanding the VPN is using Full Tunnel at the moment?

If you want to configure it specifically then you should configure this under the Group Policy

split-tunnel-policy tunnelall

Do notice that not being able to ping the external interface IP address from the internal network is expected. The ASA won't allow you to PING a remote interface IP address. I mean "inside" users can ping "inside" and "outside" users can ping "outside", but "inside" users can't ping the "outside" interface IP address. One exception to this rule is when traffic is coming for example from the "outside" interface through VPN and "management-access inside" is configured.

I would suggest that next you provide screenshots of the following:

  • Routing/Route Details from the VPN Client while it's active, so we can see that they are correct
  • VPN counters, so we can see that the client has actually tunneled some traffic while it's active
  • Both of the above can be found in the VPN client software

For some reason you have a "management-access outside" configuration. This is typically used for the "inside" interface, which enables you to connect to this "inside" interface IP address for management purposes from the VPN Client connection and also ping it, which would be good in this situation when the VPN is not working and we want to test it.

So you might consider configuring

management-access inside

And then trying to ping the "inside" interface IP address while connected.

For that you would also need an additional NAT configuration

object network LAN-LINK

subnet 10.2.255.16 255.255.255.248

nat (inside,outside) source static LAN-LINK LAN-LINK destination static VPNlocalIP VPNlocalIP route-lookup

- Jouni

Here are the screenshots. Is that what you are looking for? I appreciate everyone's help and time.

Hi,

Since you have a Full Tunnel VPN, I guess we could use a wider NAT rule for all the traffic: a NAT configuration that contains all the networks you have in one of the static routes.

object network LAN-NETWORKS

subnet 10.2.0.0 255.255.0.0

object network VPN-POOL

subnet 10.255.255.0 255.255.255.0

nat (inside,outside) 1 source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL VPN-POOL route-lookup

After this, try to PING the following IP addresses:

  • 10.2.255.18 - ASA "inside"
    • For this you would need to change the setting to "management-access inside"
  • 10.2.255.17 - ASA "inside" gateway

I would imagine that you should at least be able to PING those IP addresses even if you weren't able to ping actual LAN hosts.

I would also suggest allowing some management connection, either with "ssh", "telnet" or "http", and trying to connect to the "inside" interface IP address. If we can manage ICMP or form a management connection through the VPN then we could narrow down the problem a bit.

If even this is not possible, I would start looking for the problems on the actual VPN Client hosts or possibly trying to enable the Split Tunnel setting for some local network to see if it changes anything. In your screenshots we can see that traffic is going to and coming from the VPN so it does seem that tunneling should be fine.

- Jouni
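Pulling the fixes from the replies above together in one place, as an added example that is not part of the original thread (not the OP's config and not a reply from Jouni or Julio). It assumes the names already in the posted config (CA-SSLVPN-TEST, SPLIT-TUNNEL, 10.2.255.17 as the inside next hop) plus the LAN-NETWORKS and VPN-POOL objects Jouni proposed; "inspect icmp" is the policy-map form of the "fixup protocol icmp" Julio suggested on 9.x code. Whether to stay full-tunnel or switch to split tunnelling is a choice, so both are shown and one should be applied. The show and packet-tracer commands at the end are the checks to run while a client is connected.

```cisco
! Added example, not from the original thread: the fixes suggested in the replies
! above, consolidated. Object, group-policy and ACL names are taken from the posted
! config; LAN-NETWORKS and VPN-POOL are the names Jouni proposed.
!
! 1. Remove the static route for the VPN pool. The ASA adds a /32 route for each
!    connected client by itself, and 10.2.0.0/16 via 10.2.255.17 already covers the LAN.
no route inside 10.255.255.0 255.255.255.0 10.2.255.17 1
!
! 2. "host 10.2.9.0" matches a single address, not the /24.
no access-list SPLIT-TUNNEL standard permit host 10.2.9.0
access-list SPLIT-TUNNEL standard permit 10.2.9.0 255.255.255.0
!
! 3. The ACL only takes effect once the group policy references it. To stay
!    full-tunnel (what the client is doing now), make that explicit:
group-policy CA-SSLVPN-TEST attributes
 split-tunnel-policy tunnelall
! Alternative, to tunnel only the networks in SPLIT-TUNNEL instead:
!  split-tunnel-policy tunnelspecified
!  split-tunnel-network-list value SPLIT-TUNNEL
!
! 4. One identity (NAT-exempt) rule for every network behind "inside", with
!    route-lookup so the egress interface comes from the routing table.
object network LAN-NETWORKS
 subnet 10.2.0.0 255.255.0.0
object network VPN-POOL
 subnet 10.255.255.0 255.255.255.0
nat (inside,outside) 1 source static LAN-NETWORKS LAN-NETWORKS destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! 5. Let VPN clients ping and manage the "inside" interface IP while testing
!    (only one interface can carry management-access; this replaces "outside").
management-access inside
!
! 6. Stateful ICMP inspection so echo replies are matched to their requests
!    (the 9.x form of "fixup protocol icmp").
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification while a client is connected:
! - a /32 for the client address should be present, and no 10.255.255.0/24 static
show route
! - the identity rule should show non-zero translate_hits / untranslate_hits
show nat detail
! - Bytes Tx and Bytes Rx should both be non-zero for the session
show vpn-sessiondb detail anyconnect
! - simulate the client's ping to the DNS server (ICMP echo: type 8, code 0)
packet-tracer input outside icmp 10.255.255.2 8 0 10.2.9.23 detailed
```

Two things to keep in mind when reading the results. Decrypted VPN traffic bypasses the interface and global access lists by default (sysopt connection permit-vpn), so global_access is not what is dropping these packets; NAT, routing and the return path are where to look. If 10.2.255.18 answers but 10.2.255.17 does not, the ASA side is working and the router at 10.2.255.17 needs a route for 10.255.255.0/24 (or a default route) pointing at 10.2.255.18, which is what the last question in the thread is checking. Separately from the connectivity problem, the posted config still carries des and 3des IKEv2 proposals with DH groups 2 and 5, "ssh key-exchange group dh-group1-sha1" and 3des-sha1 in the ssl encryption list; none of those cause this issue, but they are worth removing once the tunnel works.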

After I made the changes, I can now ping 10.2.255.18 but cannot ping 10.2.225.17.

I also enabled telnet to the inside but I couldn't connect to it.

Hi,

Did you try SSH or ASDM connection to the "inside" IP address?

What is the router behind the ASA "inside" interface?

Does it have the default route correctly set to point to the ASA "inside" interface IP address?

- Jouni

Yes, I tried SSH with no success.

I am checking right now if I have the right default gateway.
