Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Remote access VPN client gets connected no access to LAN

: Saved

:

ASA Version 8.6(1)2

!

hostname COL-ASA-01

domain-name dr.test.net

enable password i/RAo1iZPOnp/BK7 encrypted

passwd i/RAo1iZPOnp/BK7 encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 172.32.0.11 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.9.200.126 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

nameif failover

security-level 0

ip address 192.168.168.1 255.255.255.0 standby 192.168.168.2

!

interface Management0/0

nameif management

security-level 0

ip address 192.168.2.11 255.255.255.0

!

ftp mode passive

dns server-group DefaultDNS

domain-name dr.test.net

object network RAVPN

subnet 192.168.0.0 255.255.255.0

object network NETWORK_OBJ_192.168.200.0_24

subnet 192.168.200.0 255.255.255.0

object network NETWORK_OBJ_192.9.200.0_24

subnet 192.9.200.0 255.255.255.0

object-group network inside_network

network-object 192.9.200.0 255.255.255.0

object-group network Outside

network-object host 172.32.0.25

access-list RAVPN_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0

access-list test123 extended permit ip host 192.168.200.1 host 192.9.200.190

access-list test123 extended permit ip host 192.9.200.190 host 192.168.200.1

access-list test123 extended permit ip object NETWORK_OBJ_192.168.200.0_24 192.9.200.0 255.255.255.0

access-list test123 extended permit ip 192.9.200.0 255.255.255.0 object NETWORK_OBJ_192.9.200.0_24

pager lines 24

mtu management 1500

mtu outside 1500

mtu inside 1500

mtu failover 1500

ip local pool RAVPN 192.168.200.1-192.168.200.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-66114.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source dynamic any interface

nat (any,inside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24

route outside 0.0.0.0 0.0.0.0 172.32.0.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 outside

http 0.0.0.0 0.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

subject-name CN=KWI-COL-ASA-01.dr.test.net,O=KWI,C=US

crl configure

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 192.9.200.0 255.255.255.0 inside

telnet timeout 30

ssh 0.0.0.0 0.0.0.0 management

ssh 0.0.0.0 0.0.0.0 outside

ssh 66.35.45.128 255.255.255.192 outside

ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 30

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

group-policy RAVPN internal

group-policy RAVPN attributes

wins-server value 192.9.200.164

dns-server value 66.35.46.84 66.35.47.12

vpn-filter value test123

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value test123

default-domain value dr.kligerweiss.net

username test password xxxxxxx encrypted

username admin password aaaaaaaaaaaa encrypted privilege 15

username vpntest password ddddddddddd encrypted

tunnel-group RAVPN type remote-access

tunnel-group RAVPN general-attributes

address-pool RAVPN

default-group-policy RAVPN

tunnel-group RAVPN ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly 2

  subscribe-to-alert-group configuration periodic monthly 2

  subscribe-to-alert-group telemetry periodic daily

password encryption aes

Cryptochecksum:b001e526a239af2c73fa56f3ca7667ea

: end

COL-ASA-01#

Here is some capture done on the inside interface which may help too, I tried pointing the gateway to inside interface on the target device but I think this was a switch without ip route available on it I believe that is still sending packet back to Cisco inside interface

COL-ASA-01# sho cap test | in 192.168.200

25: 23:45:55.570618 192.168.200.1 > 192.9.200.190: icmp: echo request

  29: 23:45:56.582794 192.168.200.1.137 > 192.9.200.164.137:  udp 68

  38: 23:45:58.081050 192.168.200.1.137 > 192.9.200.164.137:  udp 68

  56: 23:45:59.583176 192.168.200.1.137 > 192.9.200.164.137:  udp 68

  69: 23:46:00.573517 192.168.200.1 > 192.9.200.190: icmp: echo request

  98: 23:46:05.578110 192.168.200.1 > 192.9.200.190: icmp: echo request

  99: 23:46:05.590057 192.168.200.1.137 > 192.9.200.164.137:  udp 68

108: 23:46:07.092310 192.168.200.1.137 > 192.9.200.164.137:  udp 68

115: 23:46:08.592468 192.168.200.1.137 > 192.9.200.164.137:  udp 68

116: 23:46:10.580795 192.168.200.1 > 192.9.200.190: icmp: echo request

COL-ASA-01#

Any help or pointers greatly appreciated, I am doing this config after a long gap on Cisco last time I was working it was all PIX so just need some expert eyes to let me know if I am missing something.

And Yes I do not have a Host in Inside network to test against, all I have is a switch which cannot route and ip default gateway is not helping too...

Everyone's tags (5)
1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Remote access VPN client gets connected no access to LAN

Hi,

The first thing you should do to avoid problems is to change the VPN Pool to something else than the current LAN network as they are not really directly connected in the same network segment.

You could try the following changes

tunnel-group RAVPN general-attributes

  no address-pool RAVPN

no ip local pool RAVPN 192.168.200.1-192.168.200.254 mask 255.255.255.0

ip local pool RAVPN 192.168.201.1-192.168.201.254 mask 255.255.255.0

tunnel-group RAVPN general-attributes

  address-pool RAVPN

no nat  (any,inside) source static NETWORK_OBJ_192.168.200.0_24  NETWORK_OBJ_192.168.200.0_24 destination static  NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24

In the above you first remove the VPN Pool from the "tunnel-group" and then remove and recreate the VPN Pool with another network and then insert it back to the same "tunnel-group". Nex you remove the current NAT configuration.

object network LAN

subnet 192.168.200.0 255.255.255.0

object network VPN-POOL

subnet 192.168.201.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL

The above NAT configurations adds the correct NAT0 configuration for the changed VPN Pool. It also inserts the NAT rule to the very top before the Dynamic PAT rule you currently have. It is also one of the problems with the configurations as it will override your current NAT configurations.

You have your Dynamic PAT rule at the very top of your NAT rules currently which is not a good idea. If you wish to change it to something else that wont override the other NAT configurations in the future you can do the following change.

no nat (inside,outside) source dynamic any interface

nat (inside,outside) after-auto source dynamic any interface

NOTICE! Changing the above Dynamic PAT configuration will temporarily terminate all connections for users from the LAN as you reconfigure the Dynamic PAT rule. So if you do this change make sure that its ok to cause still small cut in the current connections of internal users

Hope this helps

Let me know if it works for you

- Jouni

3 REPLIES
New Member

Remote access VPN client gets connected no access to LAN

I also noticed this on the access switch, I can see the Remote client IP address without MAC address which explains my damn switch is not routing back it is doing a ARP to the destination instead of sending the packet back to the ASA Inside interface, So I need to wait till I put in some physical host on the switch

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  192.9.200.18            0   0014.4f45.aba6  ARPA   Vlan4000

Internet  192.168.200.254         -   6c41.6a6f.3544  ARPA   Vlan2000

Internet  192.168.2.1             -   6c41.6a6f.3543  ARPA   Vlan1000

Internet  192.168.2.29           23   0010.e03c.5d76  ARPA   Vlan1000

Internet  192.9.200.126           9   4c00.821d.a717  ARPA   Vlan4000

Internet  172.32.0.2            215   7cad.74e8.45d2  ARPA   Vlan101

Internet  172.32.0.21             -   6c41.6a6f.3541  ARPA   Vlan101

Internet  192.168.200.1           0   Incomplete      ARPA

Internet  192.9.200.184           1   0004.961c.0a30  ARPA   Vlan4000

Internet  192.9.200.190           -   6c41.6a6f.3545  ARPA   Vlan4000

COL-SWT-01#

Super Bronze

Remote access VPN client gets connected no access to LAN

Hi,

The first thing you should do to avoid problems is to change the VPN Pool to something else than the current LAN network as they are not really directly connected in the same network segment.

You could try the following changes

tunnel-group RAVPN general-attributes

  no address-pool RAVPN

no ip local pool RAVPN 192.168.200.1-192.168.200.254 mask 255.255.255.0

ip local pool RAVPN 192.168.201.1-192.168.201.254 mask 255.255.255.0

tunnel-group RAVPN general-attributes

  address-pool RAVPN

no nat  (any,inside) source static NETWORK_OBJ_192.168.200.0_24  NETWORK_OBJ_192.168.200.0_24 destination static  NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24

In the above you first remove the VPN Pool from the "tunnel-group" and then remove and recreate the VPN Pool with another network and then insert it back to the same "tunnel-group". Nex you remove the current NAT configuration.

object network LAN

subnet 192.168.200.0 255.255.255.0

object network VPN-POOL

subnet 192.168.201.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL

The above NAT configurations adds the correct NAT0 configuration for the changed VPN Pool. It also inserts the NAT rule to the very top before the Dynamic PAT rule you currently have. It is also one of the problems with the configurations as it will override your current NAT configurations.

You have your Dynamic PAT rule at the very top of your NAT rules currently which is not a good idea. If you wish to change it to something else that wont override the other NAT configurations in the future you can do the following change.

no nat (inside,outside) source dynamic any interface

nat (inside,outside) after-auto source dynamic any interface

NOTICE! Changing the above Dynamic PAT configuration will temporarily terminate all connections for users from the LAN as you reconfigure the Dynamic PAT rule. So if you do this change make sure that its ok to cause still small cut in the current connections of internal users

Hope this helps

Let me know if it works for you

- Jouni

New Member

Remote access VPN client gets connected no access to LAN

Hi Jauni,

Thanks for your time really appreciate it, I figured that out and already did change the pool to 192.168.100.0/24

The main reason that earlier pool wasn't working was this, my other collegue has configured a VLAN without my knowledge on the LAN switch this was done for some other reason.

COL-SWT-01#sh ip int br

Interface              IP-Address      OK? Method Status                Protocol

Vlan1                  unassigned      YES NVRAM  administratively down down

Vlan101                172.32.0.21     YES NVRAM  up                    up

Vlan255                unassigned      YES NVRAM  up                    up

Vlan1000               192.168.2.2     YES manual up                    up

Vlan2000               192.168.200.254 YES NVRAM  up                    up

Vlan4000               192.9.200.190   YES NVRAM  up                    up

FastEthernet0          unassigned      YES NVRAM  administratively down down

After I changed the pool it worked and later we ran into other trunking issues on a interface that was taken care off. Thanks for the commads though, it took me a while to figure that out with sh run | in 192.168.200 and all those little things.

814
Views
0
Helpful
3
Replies