05-07-2012 09:24 AM - edited 02-21-2020 06:02 PM
Hi Everyone,
I'm new to ASA configuration so I really need some advice; my requirements are these:
Basically, those are my needs (not too much to ask!!). I already made most of the config, but it took me 2 days to figure out some things, and now I have
the issue that I cannot access http/https to UCS or CUCM (10.1.1.4), and while I am connected to the VPN I can't surf or search for answers on the web using my
local Internet.
I'm going to post my ASA config and the directly connected L3 switch for you expert guys to help me figure out my mistake, ok!
Thanks in advance !!
05-08-2012 12:14 PM
You need to create a no-NAT between your internal network(s) and the remote-VPN IP pool, and add those particular networks to the split-tunnel ACL.
object network obj-myinside-network
subnet x.x.x.x 255.255.255.0
nat (inside,outside) source static obj-myinside-network obj-myinside-network destination static VPN-POOL VPN-POOL
Hope that helps.
thanks
05-07-2012 10:15 AM
Hi,
You may need to add split-tunnel configuration for this. Check the below link.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
hth
MS
05-07-2012 10:33 AM
Thanks MS,
but I already configured a split tunnel and it hasn't worked. Take a look:
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
group-policy VPN-PRUEBA internal
group-policy VPN-PRUEBA attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-PRUEBA_splitTunnelAcl
Am I right?
05-07-2012 10:37 AM
Hi
Please change your ACL entry.
from this: "access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0"
To this: access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.10.0.0 255.0.0.0
Please change your route from "route INSIDE 0.0.0.0 255.0.0.0 10.10.0.1"
To this: route INSIDE 10.0.0.0 255.0.0.0 10.10.0.1
On your 3560 inside switch please add this route as well, the one below.
ip route 172.16.0.0 255.255.255.0 10.10.0.3
Hope that helps.
Please update me.
thanks
Rizwan Rafeek
05-07-2012 11:03 AM
Thanks Rizwan,
I already tried that and look what happened:
ASA5540(config)# access-list VPN-PRUEBA_splitTunnelAcl standard permi$
ERROR: IP address,mask <10.10.0.0,255.0.0.0> doesn't pair
route INSIDE 10.0.0.0 255.0.0.0 10.10.0.1
ERROR: Cannot add route, connected route exists
Any advice?
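The two errors above are checks that can be run before touching the box, and the accepted answer (a no-NAT between the real inside networks and the VPN pool, plus those networks in the split-tunnel ACL) can be generated from the same data. The Python below is an added example, not code from the thread or from Cisco: it models the inside networks, the VPN pool, the split-tunnel list and the ASA's connected subnets, reproduces the "doesn't pair" and "connected route exists" checks, and emits the 8.3+ split-tunnel ACL plus an identity NAT rule scoped to those networks instead of "source static any any". The object names INSIDE-NETS and VPN-POOL and the sample addresses are illustrative, taken from the thread's values.

```python
"""Pre-flight checks for an ASA remote-access VPN with split tunnelling.

Added example, not code from the thread or from Cisco. Object names
(INSIDE-NETS, VPN-POOL) and the addresses are illustrative values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional


def paired(addr: str, mask: str) -> IPv4Network:
    """Same rule the ASA applies: host bits set under the mask do not 'pair'."""
    return ip_network(f"{addr}/{mask}", strict=True)  # ValueError for 10.10.0.0/255.0.0.0


def connected_net(addr_mask: str) -> IPv4Network:
    """Connected route an interface address implies, e.g. 10.10.0.3/255.0.0.0 -> 10.0.0.0/8."""
    return ip_network(addr_mask, strict=False)


@dataclass
class RaVpnDesign:
    inside_nets: list   # "addr mask" strings: LAN subnets behind the inside L3 switch
    vpn_pool: str       # "addr mask" covering the 'ip local pool' range
    split_tunnel: list  # "addr mask" entries of the split-tunnel standard ACL
    connected: dict     # ASA interface name -> "addr/mask" of the interface's own address


def check_design(d: RaVpnDesign) -> list:
    """Return human-readable problems; an empty list means the design is consistent."""
    problems = []
    pool = paired(*d.vpn_pool.split())
    inside = [paired(*n.split()) for n in d.inside_nets]
    split = []
    for entry in d.split_tunnel:
        try:
            split.append(paired(*entry.split()))
        except ValueError:
            problems.append(f"split-tunnel {entry}: IP address,mask doesn't pair")
    # A /8 on the inside interface swallows the pool and every other 10.x subnet.
    for ifname, addr_mask in d.connected.items():
        if pool.overlaps(connected_net(addr_mask)):
            problems.append(f"VPN pool {pool} overlaps the {ifname} connected subnet")
    for n in inside:
        if pool.overlaps(n):
            problems.append(f"VPN pool {pool} overlaps inside network {n}")
        if not any(n.subnet_of(s) for s in split):
            problems.append(f"inside network {n} is not covered by the split-tunnel ACL")
    return problems


def static_route_error(dest: str, mask: str, connected: dict) -> Optional[str]:
    """Mimic 'Cannot add route, connected route exists' for a candidate static route."""
    net = paired(dest, mask)
    for ifname, addr_mask in connected.items():
        if net == connected_net(addr_mask):
            return f"Cannot add route, connected route exists ({ifname} {addr_mask})"
    return None


def nat_exemption(d: RaVpnDesign, inside_if="INSIDE", outside_if="OUTSIDE",
                  acl="VPN-PRUEBA_splitTunnelAcl") -> list:
    """8.3+ config lines: split-tunnel ACL plus an identity (no-NAT) rule that is
    scoped to the real inside networks rather than 'source static any any'."""
    lines = ["object network VPN-POOL", f" subnet {d.vpn_pool}",
             "object-group network INSIDE-NETS"]
    lines += [f" network-object {n}" for n in d.inside_nets]
    lines += [f"access-list {acl} standard permit {n}" for n in d.split_tunnel]
    # no-proxy-arp / route-lookup (keywords from 8.4(2)) keep an identity rule from
    # choosing the egress interface on the ASA's behalf.
    lines.append(f"nat ({inside_if},{outside_if}) source static INSIDE-NETS INSIDE-NETS "
                 "destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup")
    return lines
```

Run check_design() first and only paste what nat_exemption() returns when the problem list is empty; a pool that overlaps the inside interface's connected subnet makes the identity rule and the static route ambiguous no matter how the ACL is written.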
05-07-2012 11:13 AM
Were you able to add the static route on your 3560 and try it?
05-07-2012 12:14 PM
Yes, I added the static route on the switch but I'm still facing the Internet access problem while connected to the Remote Access VPN using the VPN Client.
Do I need to run debugs to track the issue, Rizwan?
05-07-2012 12:31 PM
You can tunnel everything including your remote-client web-browsing, so try this below.
object network VPN-POOL
nat (OUTSIDE,OUTSIDE) dynamic interface
Please let me know, if that helps.
thanks
05-07-2012 12:55 PM
Thanks Rizwan,
I have telnet access to devices, but when I want to surf web pages the error page appears, with a problem with DNS.
One weird thing is that I don't lose connectivity in MSN while on the VPN tunnel....huh?
Before I edited the LAN-INSIDE subnet to 10.0.0.0/8 (before it was /24) the split tunnel worked fine, but I wasn't able to have IP connectivity to VLAN 15 and the devices associated with it.
Do you have any solution or explanation for this issue? Sorry for being annoying.
05-07-2012 01:02 PM
Do you have an internal DNS? If you do, change the value of your dns-server to the internal one.
group-policy VPN-PRUEBA attributes
dns-server value 4.2.2.2
"One weird thing is that I don't lose connectivity in MSN while on the VPN tunnel....huh?" Coming off the cached DNS record.
"Before I edited the LAN-INSIDE subnet to 10.0.0.0/8 (before it was /24) the split tunnel worked fine, but I wasn't able to have IP connectivity to VLAN 15 and the devices associated with it."
That issue is due to the missing no-NAT between the VPN pool and your inside VLAN 15.
Please rate helpful post.
thanks
Rizwan Rafeek
05-07-2012 04:54 PM
I already added the internal DNS but it's still the same; however, this Remote Access VPN is going to be used by hosts connected at different locations, so we need everyone to get DNS from their local ISP or a general DNS that works for anyone.
Any clue?
05-07-2012 05:58 PM
When you have a layer-3 switch connected to your FW, all you need is a /30 mask IP address to connect between your layer-3 switch and your FW. This /8 mask "10.10.0.3 255.0.0.0" will overlap with 16,777,216 IPs.
Please issue the command shown below and post me the output.
packet-tracer input OUTSIDE icmp 172.16.0.2 8 0 4.2.2.2
thanks
05-07-2012 06:40 PM
Rizwan, here is the output:
ASA5540-FINANZAS(config)# packet-tracer input OUTSIDE icmp 172.16.0.2 8 0 4.2.$
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static any any destination static VPN-POOL VPN-POOL
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 4.2.2.2/0 to 4.2.2.2/0
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-IN global
access-list ACL-IN extended permit ip any any
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static any any destination static VPN-POOL VPN-POOL
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 593, packet dispatched to next module
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow
----------------------------------------------------------------------------------
Also, I changed the ASA INSIDE address to 10.14.0.2 and the switch to 10.14.0.1... also edited the static routes pointing to the new GW..... but now from the ASA I don't have connectivity to the switch's VLANs 10 and 15, so neither would I while on the RA VPN.
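Reading the trace above: the pool address 172.16.0.2 entered on OUTSIDE heading for 4.2.2.2, and Phase 1 shows the "source static any any ... destination static VPN-POOL" identity rule diverting it to INSIDE, so a tunnel-all client's Internet traffic never hairpins back out OUTSIDE; that is what the accepted answer fixes by scoping the rule to the real inside networks. The Python below is an added example, not code from the thread or from Cisco: it parses packet-tracer output into phases and a result summary and flags that divert. The sample trace is the thread's own output abridged to the relevant phases, and the expected egress interface is an assumption supplied by the caller.

```python
"""Parse ASA 'packet-tracer' output and explain where a VPN-pool flow went.

Added example, not from the thread or from Cisco. SAMPLE_TRACE is the thread's
own output abridged to the phases that matter; expected_egress is supplied by
the caller (for a tunnel-all client reaching the Internet it is the interface
the packet arrived on).
"""
import re

SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static any any destination static VPN-POOL VPN-POOL
Additional Information:
NAT divert to egress interface INSIDE
Untranslate 4.2.2.2/0 to 4.2.2.2/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group ACL-IN global
access-list ACL-IN extended permit ip any any
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 593, packet dispatched to next module

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow
"""

FIELD = re.compile(r"^(Type|Subtype|Result): ?(.*)$")


def parse_trace(text):
    """Return (phases, summary): a list of per-phase dicts and the final Result block."""
    head, _, tail = text.partition("\nResult:\n")  # phases say 'Result: ALLOW'; only the summary has a bare 'Result:'
    phases = []
    for chunk in re.split(r"^Phase: \d+\n", head, flags=re.M)[1:]:
        ph = {"config": [], "info": []}
        bucket = None
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:
                ph[m.group(1).lower()] = m.group(2).strip()
            elif line == "Config:":
                bucket = "config"
            elif line == "Additional Information:":
                bucket = "info"
            elif line.strip() and bucket:
                ph[bucket].append(line.strip())
        phases.append(ph)
    summary = dict(l.split(": ", 1) for l in tail.splitlines() if ": " in l)
    return phases, summary


def diagnose(text, expected_egress):
    """Findings for a trace: a drop, or an egress interface chosen by a NAT divert."""
    phases, summary = parse_trace(text)
    findings = []
    if summary.get("Action") != "allow":
        findings.append(f"dropped: {summary.get('Action')}")
    egress = summary.get("output-interface")
    if egress != expected_egress:
        findings.append(f"egress is {egress}, expected {expected_egress}")
        for ph in phases:
            # Identity NAT picks the egress interface; an 'any any' rule hijacks flows it should not touch.
            if ph.get("type") in ("UN-NAT", "NAT") and any("NAT divert" in i for i in ph["info"]):
                rule = ph["config"][0] if ph["config"] else "?"
                findings.append(f"NAT divert by: {rule}")
                if "source static any any" in rule:
                    findings.append("identity NAT matches every source; scope it to the real inside networks")
                break
    return findings
```

Paste the full output of `packet-tracer input OUTSIDE icmp <pool-address> 8 0 <internet-address> detailed` in place of the sample; with a correctly scoped no-NAT and the hairpin PAT in place the summary should report output-interface OUTSIDE and diagnose() returns nothing.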
05-07-2012 07:22 PM
The no-NAT shown below will give you access to your inside networks, so in the object "obj-myinside-network" below, put your inside network subnet.
nat (inside,outside) source static obj-myinside-network obj-myinside-network destination static VPN-POOL VPN-POOL
Please post your most current config.
thanks
05-07-2012 07:50 PM
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
pppoe client vpdn group infinitum
ip address pppoe
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 50
ip address 10.14.0.2 255.255.255.252
!
interface GigabitEthernet0/1.10
shutdown
vlan 10
nameif Vlan-Datos
security-level 0
no ip address
!
interface GigabitEthernet0/1.15
shutdown
vlan 15
nameif Vlan-MGMT
security-level 0
no ip address
!
interface GigabitEthernet0/2
shutdown
nameif DMZ
security-level 0
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif MGMT
security-level 0
ip address 10.15.0.5 255.255.255.0
management-only
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LAN-OUT
subnet 0.0.0.0 0.0.0.0
object network VPN-POOL
subnet 172.16.0.0 255.255.255.0
object network Admon
subnet 10.1.1.0 255.255.255.0
access-list VPN-INSIDE extended permit ip any any
access-list VPN-INSIDE extended permit tcp 172.16.0.0 255.255.255.0 any log
access-list VPN-INSIDE extended permit ip 172.16.0.0 255.255.255.0 any log
access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list INSIDE-OUT extended permit icmp any any echo-reply
access-list INSIDE-OUT extended permit icmp any any time-exceeded
access-list INSIDE-OUT extended permit icmp any any unreachable
access-list ACL-IN extended permit ip any any
access-list INSIDE extended permit ip any any log
access-list OUTSIDE extended permit ip any any
access-list nonat extended permit ip 172.16.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list nonat extended permit ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu Vlan-Datos 1500
mtu Vlan-MGMT 1500
mtu DMZ 1500
mtu MGMT 1500
ip local pool VPN_POOL 172.16.0.10-172.16.0.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any INSIDE
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (INSIDE,OUTSIDE) source static any any destination static VPN-POOL VPN-POOL
nat (INSIDE,OUTSIDE) source static Admon Admon destination static VPN-POOL VPN-POOL
!
object network LAN-OUT
nat (INSIDE,OUTSIDE) dynamic interface
object network VPN-POOL
nat (OUTSIDE,OUTSIDE) dynamic interface
access-group INSIDE out interface OUTSIDE
access-group ACL-IN global
route OUTSIDE 0.0.0.0 0.0.0.0 200.38.193.226 1
route INSIDE 0.0.0.0 255.0.0.0 10.14.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.0.0.0 INSIDE
http 172.16.0.0 255.255.255.0 OUTSIDE
no snmp-server location
no snmp-server contact
telnet 172.16.0.0 255.255.255.0 OUTSIDE
telnet 10.0.0.0 255.0.0.0 INSIDE
telnet timeout 5
ssh 172.16.0.0 255.255.255.0 OUTSIDE
ssh 10.0.0.0 255.0.0.0 INSIDE
ssh timeout 5
console timeout 0
management-access OUTSIDE
vpdn group infinitum request dialout pppoe
vpdn group infinitum localname t6188127487
vpdn group infinitum ppp authentication pap
vpdn username t6188127487 password *****
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy VPN-PRUEBA internal
group-policy VPN-PRUEBA attributes
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-PRUEBA_splitTunnelAcl
username admin password XE1B.OOAZ0MEXVQC encrypted privilege 15
username admin attributes
vpn-group-policy XPG-DGO
username msanchez password RZWBd0.CKVo5Kklv encrypted privilege 0
username msanchez attributes
vpn-group-policy VPN-PRUEBA
tunnel-group XPG-DGO type remote-access
tunnel-group VPN-PRUEBA type remote-access
tunnel-group VPN-PRUEBA general-attributes
address-pool VPN_POOL
default-group-policy VPN-PRUEBA
tunnel-group VPN-PRUEBA ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
----------------------------------------------------------
3560X ------ These are the only changes I've made:
interface GigabitEthernet0/1
no switchport
ip address 10.14.0.1 255.255.255.252
!
ip default-gateway 10.14.0.2
ip classless
ip route 0.0.0.0 0.0.0.0 10.14.0.2
ip route 172.16.0.0 255.255.255.0 10.14.0.2