03-26-2014 11:41 AM
Hi there,
So I have been configuring an ASA5510 to the best of my knowledge to allow VPN access to our internal network and its resources. IPsec is set up correctly.
When connected I am successfully getting an IP address from the VPN subnet, but I cannot reach any internal hosts (pings failing). Also I noticed that my default gateway is using an IP address from within the VPN subnet.
I have followed the wizard and the configuration guide from online but am still in the dark... this is all a bit new to me!
I will post the config if you need to see it.
Any help would be appreciated!
03-27-2014 07:00 AM
Hi, just a few things I have noticed. What group are you currently testing with? The split tunnel for both groups should be a standard ACL; well, it doesn't have to be, but it typically is. I suspect it's not working because the ACL is defined in the wrong direction. So you can either remove the first line from the ACL RemoteVPNAccess or change it to a standard ACL. I recommend using a standard ACL.
The same also goes for your no-NAT and inside ACLs: they should be permitting the local subnets to the pool addresses. So you can remove the second line of the nonat ACL and 'access-list inside_access_in extended permit ip 10.10.200.0 255.255.255.0 any' from the inside ACL.
Also, you should tunnel all or use a split-tunnel ACL, but not both, and also try removing the vpn-filter; we can get to that after we have connectivity.
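The accepted answer put into ASA 8.0(5) CLI, as an added example that is not from the thread. The subnets, the InternalNetworks object-group and the RemoteHosts pool are the ones in the posted config; the ACL names split-tunnel-std and vpn-filter-usa are my own. It shows the three fixes the answer describes (split-tunnel list as a standard ACL, NAT exemption written inside-to-pool only, one split-tunnel mode per group) plus the form a vpn-filter takes if it is reapplied later, since a vpn-filter and a split-tunnel list need opposite directions and should not share an ACL.

```cisco
! Added example (not the original poster's config): ASA 8.0(5) syntax.
! ACL names split-tunnel-std / vpn-filter-usa are assumptions; subnets are from the thread.

! 1. Split-tunnel list: a STANDARD ACL that names only the internal networks.
!    (An extended ACL would have to be internal-network -> pool, never pool -> internal.)
access-list split-tunnel-std standard permit 10.10.0.0 255.255.255.0
access-list split-tunnel-std standard permit 10.27.129.0 255.255.255.0
access-list split-tunnel-std standard permit 10.27.130.0 255.255.255.0
access-list split-tunnel-std standard permit 10.27.131.0 255.255.255.0
access-list split-tunnel-std standard permit 192.168.2.0 255.255.254.0

! 2. NAT exemption: source = local subnets, destination = VPN pool, one direction only.
!    Drop the reversed (pool -> internal) line; keep the internal -> pool line.
no access-list nonat-inside extended permit ip 10.10.200.0 255.255.255.0 object-group InternalNetworks
nat (inside) 0 access-list nonat-inside

! 3. Inside interface ACL: the pool addresses never arrive on the inside interface,
!    so the pool -> any line is dead and can go.
no access-list inside_access_in extended permit ip 10.10.200.0 255.255.255.0 any

! 4. Group policy: pick ONE split-tunnel mode. Remove the filter for now, as suggested.
group-policy USARemote attributes
 no vpn-filter
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel-std
group-policy EURRemote attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel-std

! 5. Later, when connectivity works: a vpn-filter is written from the CLIENT's point of
!    view (source = pool). The ASA mirrors it for return traffic, so one line suffices.
!    Keep it in its own ACL, separate from the split-tunnel list.
access-list vpn-filter-usa extended permit ip 10.10.200.0 255.255.255.0 object-group InternalNetworks
group-policy USARemote attributes
 vpn-filter value vpn-filter-usa

! 6. Checks after a client connects (pick an inside host that exists, e.g. 10.10.0.10):
!    show vpn-sessiondb remote            -> session present, assigned address in 10.10.200.x
!    show crypto ipsec sa                 -> #pkts decaps rising on pings from the client;
!                                            encaps stays 0 if return traffic is not reaching the tunnel
!    packet-tracer input inside icmp 10.10.0.10 0 0 10.10.200.100
!                                         -> must end in ALLOW with phase NAT-EXEMPT matched
```

Two things in the posted config are worth checking at the same time, because they would keep one group or one site unreachable even after the ACL fixes: tunnel-group USARemote references authentication-server-group SAS, while the RADIUS group that is defined is named SAT; and CHI is a /23 (192.168.2.0 255.255.254.0 in the object-group), but the static route for it is a /24, so 192.168.3.0/24 would fall to the outside default route. If tunnel-all is used later instead of a split list, the tunneled default route should point at the inside next hop (10.10.0.1, as the other inside routes do) rather than at 10.10.0.2, which is the ASA's own inside address.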
03-26-2014 02:45 PM
Please post the configuration
03-26-2014 05:21 PM
Thank you for the reply...
The ASA is in a COLO (10.10.0.0/24 subnet); our remote locations include 192.168.2.0/23, 10.27.131.0/24, 10.27.130.0/24 and 10.27.129.0/24.
Like I mentioned before, I can connect via VPN and get an IP address from the RemoteHosts group, the 10.10.200.0/24 subnet. However, I also get a gateway address from this subnet. I can't ping any host on any subnet.
We have 50% of users that authenticate to one DC and 50% to another.
ASA Version 8.0(5)
!
hostname COLOASA
domain-name USA.COM
names
name 192.168.2.0 CHI
name 10.27.130.0 DAL
name 10.27.129.0 PHI
name 10.27.131.0 ROM
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 199.47.XXX.xx 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.0.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.2.23
name-server 192.168.2.4
domain-name USA.COM
dns server-group SESDNS
name-server 10.27.131.8
domain-name EUROPE.COM
object-group network InternalNetworks
network-object 10.10.0.0 255.255.255.0
network-object PHI 255.255.255.0
network-object DAL 255.255.255.0
network-object ROM 255.255.255.0
network-object CHI 255.255.254.0
access-list inside_nat0_outbound extended permit ip object-group InternalNetworks 10.10.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.200.0 255.255.255.0 object-group InternalNetworks
access-list vpnsplit extended permit ip object-group InternalNetworks 10.10.200.0 255.255.255.0
access-list inside-in extended permit ip any any inactive
access-list inside_access_in extended permit ip 10.10.200.0 255.255.255.0 any
access-list inside_access_in extended permit ip object-group InternalNetworks any
access-list outside_access_in extended permit ip object-group InternalNetworks any
access-list outside_access_in extended permit ip 10.10.200.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any any
access-list RemoteVPNAccess extended permit ip 10.10.200.0 255.255.255.0 object-group InternalNetworks
access-list RemoteVPNAccess extended permit ip object-group InternalNetworks 10.10.200.0 255.255.255.0
access-list nonat-inside extended permit ip object-group InternalNetworks 10.10.200.0 255.255.255.0
access-list nonat-inside extended permit ip 10.10.200.0 255.255.255.0 object-group InternalNetworks
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool RemoteHosts 10.10.200.100-10.10.200.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat-inside
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 199.47.XXX.XX 1
route inside PHI 255.255.255.0 10.10.0.1 1
route inside DAL 255.255.255.0 10.10.0.1 1
route inside ROM 255.255.255.0 10.10.0.1 1
route inside CHI 255.255.255.0 10.10.0.1 1
route inside 0.0.0.0 0.0.0.0 10.10.0.2 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server SAT protocol radius
aaa-server SAT (inside) host 192.168.2.23
key ******
aaa-server msradius protocol radius
aaa-server msradius (inside) host 10.27.131.8
key ******
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 management
http DAL 255.255.255.0 inside
http CHI 255.255.255.0 inside
http ROM 255.255.255.0 inside
http 10.10.0.0 255.255.255.0 inside
http CHI 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet CHI 255.255.254.0 inside
telnet ROM 255.255.255.0 inside
telnet 10.10.0.0 255.255.255.0 inside
telnet timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.23 source inside prefer
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol webvpn
group-policy USARemote internal
group-policy USARemote attributes
dns-server value 192.168.2.23 192.168.2.4
vpn-filter value RemoteVPNAccess
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelall
split-tunnel-network-list value RemoteVPNAccess
default-domain value USA.COM
group-policy EURRemote internal
group-policy EURRemote attributes
dns-server value 10.27.131.8 10.27.130.30
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelall
split-tunnel-network-list value RemoteVPNAccess
default-domain value EUROPE.COM
username sshuser password x encrypted
username admin password x encrypted
tunnel-group USARemote type remote-access
tunnel-group USARemote general-attributes
address-pool RemoteHosts
authentication-server-group SAS
default-group-policy USARemote
tunnel-group USARemote ipsec-attributes
pre-shared-key *
tunnel-group EURRemote type remote-access
tunnel-group EURRemote general-attributes
address-pool RemoteHosts
authentication-server-group msradius
default-group-policy EURRemote
tunnel-group EURRemote ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!