Cannot reach internal network on VPN

Hi there,

 

So I have been configuring an ASA5510 to the best of my knowledge to allow VPN access to our internal network and its resources. IPSEC is set up correctly.

When connected I am successfully getting an IP address from the VPN subnet, but I cannot reach any internal hosts (pings failing). Also I noticed that my default gateway is using an IP address from within the VPN subnet.

I have followed the wizard and configuration guide from online but am still in the dark... this is all a bit new to me!

I will post the config if you need to see it.

 

Any help would be appreciated!

 

ACCEPTED SOLUTION

Hi, just a few things I have noticed. What group are you currently testing with? The split tunnel for both groups should be a standard ACL; well, it doesn't have to be, but it typically is. I suspect it's not working because the ACL is defined in the wrong direction. So you can either remove the first line from the ACL RemoteVPNAccess or change it to a standard ACL. I recommend using a standard ACL.

The same also goes for your no-NAT and inside ACLs: they should be permitting the local subnets to the pool addresses. So you can remove the second line of the nonat ACL and 'access-list inside_access_in extended permit ip 10.10.200.0 255.255.255.0 any' from the inside ACL.

Also, you should tunnel all or use a split tunnel ACL, but not both. And also try removing the vpn filter; we can get to that after we have connectivity.

3 REPLIES

Please post the configuration

Thank you for the reply...

The ASA is in a COLO (10.10.0.0/24 subnet); our remote locations include 192.168.2.0/23, 10.27.131.0/24, 10.27.130.0/24 and 10.27.129.0/24.

Like I mentioned before, I can connect via VPN and get an IP address from the Remote Hosts group 10.10.200.0/24 subnet. However, I also get a gateway address from this subnet. I can't ping any host on any subnet.

We have 50% of users that authenticate to one DC and the other 50% to another.

 


ASA Version 8.0(5)
!
hostname COLOASA
domain-name USA.COM

names
name 192.168.2.0 CHI
name 10.27.130.0 DAL
name 10.27.129.0 PHI    
name 10.27.131.0 ROM
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 199.47.XXX.xx 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.2 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring

dns domain-lookup inside
dns domain-lookup management

dns server-group DefaultDNS
 name-server 192.168.2.23
 name-server 192.168.2.4
 domain-name USA.COM

dns server-group SESDNS
 name-server 10.27.131.8
 domain-name EUROPE.COM


object-group network InternalNetworks
 network-object 10.10.0.0 255.255.255.0
 network-object PHI 255.255.255.0
 network-object DAL 255.255.255.0
 network-object ROM 255.255.255.0
 network-object CHI 255.255.254.0

access-list inside_nat0_outbound extended permit ip object-group InternalNetworks 10.10.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.200.0 255.255.255.0 object-group InternalNetworks
access-list vpnsplit extended permit ip object-group InternalNetworks 10.10.200.0 255.255.255.0
access-list inside-in extended permit ip any any inactive
access-list inside_access_in extended permit ip 10.10.200.0 255.255.255.0 any
access-list inside_access_in extended permit ip object-group InternalNetworks any
access-list outside_access_in extended permit ip object-group InternalNetworks any
access-list outside_access_in extended permit ip 10.10.200.0 255.255.255.0 any
access-list outside_access_in extended permit icmp any any
access-list RemoteVPNAccess extended permit ip 10.10.200.0 255.255.255.0 object-group InternalNetworks
access-list RemoteVPNAccess extended permit ip object-group InternalNetworks 10.10.200.0 255.255.255.0
access-list nonat-inside extended permit ip object-group InternalNetworks 10.10.200.0 255.255.255.0
access-list nonat-inside extended permit ip 10.10.200.0 255.255.255.0 object-group InternalNetworks
pager lines 24

logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool RemoteHosts 10.10.200.100-10.10.200.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

nat (inside) 0 access-list nonat-inside
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 199.47.XXX.XX 1
route inside PHI 255.255.255.0 10.10.0.1 1
route inside DAL 255.255.255.0 10.10.0.1 1
route inside ROM 255.255.255.0 10.10.0.1 1
route inside CHI 255.255.255.0 10.10.0.1 1
route inside 0.0.0.0 0.0.0.0 10.10.0.2 tunneled

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy


aaa-server SAT protocol radius
aaa-server SAT (inside) host 192.168.2.23
 key ******
aaa-server msradius protocol radius
aaa-server msradius (inside) host 10.27.131.8
 key ******
aaa authentication ssh console LOCAL


http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 management
http DAL 255.255.255.0 inside
http CHI 255.255.255.0 inside
http ROM 255.255.255.0 inside
http 10.10.0.0 255.255.255.0 inside
http CHI 255.255.254.0 inside

no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
telnet CHI 255.255.254.0 inside
telnet ROM 255.255.255.0 inside
telnet 10.10.0.0 255.255.255.0 inside
telnet timeout 30

console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.23 source inside prefer

group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy USARemote internal
group-policy USARemote attributes
 dns-server value 192.168.2.23 192.168.2.4
 vpn-filter value RemoteVPNAccess
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall
 split-tunnel-network-list value RemoteVPNAccess
 default-domain value USA.COM

group-policy EURRemote internal
group-policy EURRemote attributes
 dns-server value 10.27.131.8 10.27.130.30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelall
 split-tunnel-network-list value RemoteVPNAccess
 default-domain value EUROPE.COM

username sshuser password x encrypted
username admin password x encrypted


tunnel-group USARemote type remote-access
tunnel-group USARemote general-attributes
 address-pool RemoteHosts
 authentication-server-group SAS
 default-group-policy USARemote
tunnel-group USARemote ipsec-attributes
 pre-shared-key *


tunnel-group EURRemote type remote-access
tunnel-group EURRemote general-attributes
 address-pool RemoteHosts
 authentication-server-group msradius
 default-group-policy EURRemote
tunnel-group EURRemote ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
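The three changes the accepted answer recommends, written out against the posted config as an added example (these are not the answer author's own commands). It assumes a new standard ACL named vpnsplit_std and applies the split-tunnel choice to both group policies; the posted lines being replaced are quoted in comments.

```cisco
! Added example: accepted answer's changes applied to the posted ASA 8.0(5) config.
! Assumed new name: vpnsplit_std. Posted lines being replaced are shown as comments.
!
! 1. Split-tunnel list as a STANDARD ACL listing only the internal networks.
!    Posted (extended, and first line has the pool as source, i.e. wrong direction):
!      access-list RemoteVPNAccess extended permit ip 10.10.200.0 255.255.255.0 object-group InternalNetworks
!      access-list RemoteVPNAccess extended permit ip object-group InternalNetworks 10.10.200.0 255.255.255.0
access-list vpnsplit_std standard permit 10.10.0.0 255.255.255.0
access-list vpnsplit_std standard permit 10.27.129.0 255.255.255.0
access-list vpnsplit_std standard permit 10.27.130.0 255.255.255.0
access-list vpnsplit_std standard permit 10.27.131.0 255.255.255.0
access-list vpnsplit_std standard permit 192.168.2.0 255.255.254.0
!
! 2. NAT exemption and inside ACL: local subnets (source) to the pool (destination) only.
!    Drop the pool-as-source entries; nonat-inside keeps only
!      permit ip object-group InternalNetworks 10.10.200.0 255.255.255.0
no access-list nonat-inside extended permit ip 10.10.200.0 255.255.255.0 object-group InternalNetworks
no access-list inside_access_in extended permit ip 10.10.200.0 255.255.255.0 any
!
! 3. One split-tunnel mode, not both, and no vpn-filter until connectivity works.
!    Posted: split-tunnel-policy tunnelall AND split-tunnel-network-list value RemoteVPNAccess
!            plus vpn-filter value RemoteVPNAccess on USARemote.
group-policy USARemote attributes
 no vpn-filter
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplit_std
group-policy EURRemote attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnsplit_std
! Alternative for step 3: keep "split-tunnel-policy tunnelall" and instead remove the
! list with "no split-tunnel-network-list" in each group policy.
```

Clients must reconnect after the group-policy change to pick up the new split-tunnel attributes; once inside hosts are reachable, the vpn-filter can be reintroduced as a separate step.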

 
