Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1802
Views
26
Helpful
22
Replies

Remote VPN can't access LAN devices or internet

Go to solution
HSSEngineering
Level 1
Level 1

‎07-10-2014 05:50 AM

So I have a server and a computer on the inside I can access through a ASA 5505 with ASA 9.2(1) and ASDM 7.2(1)

The computer on 192.168.1.110 through port 8080 can show me a demo website.

The server on 192.168.1.222 got my DNS, FTP, HTTP, mail and more on it.

On the outside I got a computer (by outside I mean from the firewall and cable directly into the computer) on 192.168.20.2 and the firewall's outside being 192.168.20.1

 

From the outside I can access the 8080 without problems (and I assume aswell with the server, but it's on another default gateway and cannot be accessed right now). However - when I connect through my VPN I'm assigned 192.168.30.5 but cannot connect to the inside computer through 192.168.1.110:8080.

This will throw the error: Asymmetric NAT rules matched for forward and reverse flow; Connection for udp src outside: 192.168.30.5/49608(...) dst inside: 192.168.1.222/53 denied due to NAT reverse path failure.

 

Somewhere I got a conflict or a non-created access rule. Anyone willing to take a shot?

 

I marked some with bold for what I thought could be the cause.

 

ciscoasa(config)# sh running-config 
: Saved
:
ASA Version 9.2(1) 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool IP-Pool 192.168.30.5-192.168.30.200 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.20.1 255.255.255.0 
!
boot system disk0:/asa921-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network testServer-8080
 host 192.168.1.110
 description The test server
object network Server-21
 host 192.168.1.222
 description The test server
object network Server-25
 host 192.168.1.222
 description The test server
object network Server-53
 host 192.168.1.222
 description The test server
object network Server-80
 host 192.168.1.222
 description The test server
object network Server-443
 host 192.168.1.222
 description The test server
object network Server-2525
 host 192.168.1.222
 description The test server
object network Server-993
 host 192.168.1.222
 description The test server
object network Server-6001
 host 192.168.1.222
 description The test server
object network Server-6002
 host 192.168.1.222
 description The test server
object network Server-6003
 host 192.168.1.222
 description The test server
object network Server-6004
 host 192.168.1.222
 description The test server
object network VPN-HOSTS
 subnet 192.168.30.0 255.255.255.0
object network inside
 host 192.168.1.0
object network Server-vpn
 host 192.168.1.222
access-list outside_access_in extended permit tcp any object testServer-8080 eq 8080 
access-list outside_access_in extended permit tcp any object Server-21 eq ftp 
access-list outside_access_in extended permit tcp any object Server-25 eq smtp 
access-list outside_access_in extended permit tcp any object Server-2525 eq 2525 
access-list outside_access_in extended permit udp any object Server-53 eq domain inactive 
access-list outside_access_in extended permit tcp any object Server-80 eq www 
access-list outside_access_in extended permit tcp any object Server-443 eq https 
access-list outside_access_in extended permit tcp any object Server-993 eq 993 
access-list outside_access_in extended permit tcp any object Server-6001 eq 6001 
access-list outside_access_in extended permit tcp any object Server-6002 eq 6002 
access-list outside_access_in extended permit tcp any object Server-6003 eq 6003 
access-list outside_access_in extended permit tcp any object Server-6004 eq 6004 
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source dynamic VPN-HOSTS inside destination static Server-vpn Server-vpn
!
object network obj_any
 nat (inside,outside) dynamic interface
object network testServer-8080
 nat (inside,outside) static interface service tcp 8080 8080 
object network Server-21
 nat (inside,inside) static interface service tcp ftp ftp 
object network Server-25
 nat (inside,outside) static interface service tcp smtp smtp 
object network Server-53
 nat (inside,inside) static interface service tcp domain domain 
object network Server-80
 nat (inside,outside) static interface service tcp www www 
object network Server-443
 nat (inside,outside) static interface service tcp https https 
object network Server-2525
 nat (inside,outside) static interface service tcp 2525 2525 
object network Server-993
 nat (inside,outside) static interface service tcp 993 993 
object network Server-6001
 nat (inside,outside) static interface service tcp 6001 6001 
object network Server-6002
 nat (inside,outside) static interface service tcp 6002 6002 
object network Server-6003
 nat (inside,outside) static interface service tcp 6003 6003 
object network Server-6004
 nat (inside,outside) static interface service tcp 6004 6004 
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HSS-auth-server protocol radius
 authorize-only
aaa-server HSS-auth-server (inside) host 192.168.1.222
 timeout 5
 key *****
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy HSSvpn internal
group-policy HSSvpn attributes
 dns-server value 192.168.1.222
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value outside_access_in ! this value had it's own name earlier
 default-domain value hss.dk
tunnel-group HSSvpn type remote-access
tunnel-group HSSvpn general-attributes
 address-pool IP-Pool
 authentication-server-group HSS-auth-server
 default-group-policy HSSvpn
 password-management
tunnel-group HSSvpn ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group HSSvpn ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:9859258e11364180cf9b3e21173b3f2f
: end

2 people had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎07-10-2014 06:06 AM

Hi,

 

The bolded "nat" configuration is incorrect as you suspected.

 

Replace it with something like this

 

object network LAN
 subnet 192.168.1.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static VPN-HOSTS VPN-HOSTS

 

I would also suggest using a separate "standard" access-list for the Split Tunnel ACL.

For example

access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

You would naturally have to switch the above ACL to the "group-policy" used.

 

Additionally, if you want to control the connections incoming from VPN users in the "outside_access_in" ACL then you could change one of the default settings on the ASA by issuing the command

no sysopt connection permit-vpn

If you need to revert it back then just issue it without the "no" in front. Then its back to its default setting. This doesnt show in the running configuration by the way.

With this setting any connections coming from VPN connections have to be allowed on the interface ACL of the interface that terminates the VPN connection. So in your case that would be the ACL attached to the "outside" interface.

 

Hope this helps :)

 

- Jouni

View solution in original post

22 Replies 22

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎07-10-2014 06:06 AM

Hi,

 

The bolded "nat" configuration is incorrect as you suspected.

 

Replace it with something like this

 

object network LAN
 subnet 192.168.1.0 255.255.255.0

nat (inside,outside) 1 source static LAN LAN destination static VPN-HOSTS VPN-HOSTS

 

I would also suggest using a separate "standard" access-list for the Split Tunnel ACL.

For example

access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

You would naturally have to switch the above ACL to the "group-policy" used.

 

Additionally, if you want to control the connections incoming from VPN users in the "outside_access_in" ACL then you could change one of the default settings on the ASA by issuing the command

no sysopt connection permit-vpn

If you need to revert it back then just issue it without the "no" in front. Then its back to its default setting. This doesnt show in the running configuration by the way.

With this setting any connections coming from VPN connections have to be allowed on the interface ACL of the interface that terminates the VPN connection. So in your case that would be the ACL attached to the "outside" interface.

 

Hope this helps :)

 

- Jouni

Go to solution
HSSEngineering
Level 1
Level 1
In response to Jouni Forss

‎07-10-2014 02:46 PM

That took care of it - very nice. Thank you

 

What exactly should I write for the standard lists?

I try with just  access-list Split-Tunnel-ACL standard permit 192.168.30.0 255.255.255.0 but then get the message:

ERROR: Cannot mix different types of access lists
ERROR: <Split-Tunnel-ACL> cannot be created

0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to HSSEngineering

‎07-10-2014 02:55 PM

Hi ,

 

Firstly configure "clear configure access-list Split-Tunnel-ACL" , and then run the command again "access-list Split-Tunnel-ACL standard permit 192.168.30.0 255.255.255.0".
Seems like there is already some extended entry created for this access-list.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Go to solution
HSSEngineering
Level 1
Level 1
In response to Dinesh Moudgil

‎07-11-2014 03:49 AM

It didn't work quite as good. The asymmetric message is gone (thank you) but I can't access my server, 192.168.1.222 through the VPN-tunnel.

I changed the access-list name and the Group-policy for Split-tunnel, but still no luck.

Also - When I connect through the vpn and tries to access the internet, it's not through the firewall (but this is what's called split-tunneling, right?).

 

My latest setup, marked with "suspicious" lines:

 

: Saved
ASA Version 9.2(1) 
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool IP-Pool 192.168.30.5-192.168.30.200 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
boot system disk0:/asa921-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Server-25
 host 192.168.1.222
 description The test server
object network Server-80
 host 192.168.1.222
 description The test server
object network Server-443
 host 192.168.1.222
 description The test server
object network Server-2525
 host 192.168.1.222
 description The test server
object network Server-993
 host 192.168.1.222
 description The test server
object network Server-6001
 host 192.168.1.222
 description The test server
object network Server-6002
 host 192.168.1.222
 description The test server
object network Server-6003
 host 192.168.1.222
 description The test server
object network Server-6004
 host 192.168.1.222
 description The test server
object network VPN-HOSTS
 subnet 192.168.30.0 255.255.255.0
object network inside-net
 host 192.168.1.0
object network VPN-Server
 host 192.168.1.222
access-list outside_access_in extended permit tcp any object Server-25 eq smtp 
access-list outside_access_in extended permit tcp any object Server-2525 eq 2525 
access-list outside_access_in extended permit tcp any object Server-80 eq www 
access-list outside_access_in extended permit tcp any object Server-443 eq https 
access-list outside_access_in extended permit tcp any object Server-993 eq 993 
access-list outside_access_in extended permit tcp any object Server-6001 eq 6001 
access-list outside_access_in extended permit tcp any object Server-6002 eq 6002 
access-list outside_access_in extended permit tcp any object Server-6003 eq 6003 
access-list outside_access_in extended permit tcp any object Server-6004 eq 6004 
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0 
access-list Split-Tunnel-ACL standard permit 192.168.30.0 255.255.255.0 
no pager
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-721.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside-net inside-net destination static VPN-HOSTS VPN-HOSTS
nat (inside,outside) source static VPN-Server VPN-Server destination static VPN-HOSTS VPN-HOSTS
!
object network obj_any
 nat (inside,outside) dynamic interface
object network Server-25
 nat (inside,outside) static interface service tcp smtp smtp 
object network Server-80
 nat (inside,outside) static interface service tcp www www 
object network Server-443
 nat (inside,outside) static interface service tcp https https 
object network Server-2525
 nat (inside,outside) static interface service tcp 2525 2525 
object network Server-993
 nat (inside,outside) static interface service tcp 993 993 
object network Server-6001
 nat (inside,outside) static interface service tcp 6001 6001 
object network Server-6002
 nat (inside,outside) static interface service tcp 6002 6002 
object network Server-6003
 nat (inside,outside) static interface service tcp 6003 6003 
object network Server-6004
 nat (inside,outside) static interface service tcp 6004 6004 
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server HSS-auth-server protocol radius
 authorize-only
aaa-server HSS-auth-server (inside) host 192.168.1.222
 timeout 5
 key *****
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 30
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcp-client client-id interface outside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy HSSvpn internal
group-policy HSSvpn attributes
 wins-server value 192.168.1.222
 dns-server value 192.168.1.222
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel-ACL
 default-domain value hss.dk
tunnel-group HSSvpn type remote-access
tunnel-group HSSvpn general-attributes
 address-pool IP-Pool
 authentication-server-group HSS-auth-server
 default-group-policy HSSvpn
 password-management
tunnel-group HSSvpn ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group HSSvpn ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:74e93a19385822503dbd9f3a72c202c2
: end

ciscoasa(config)# 

0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to HSSEngineering

‎07-11-2014 04:07 AM

Add "access-list Split-Tunnel-ACL standard permit 192.168.1.0 255.255.255.0 " to the configuration and this should help.

Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Go to solution
HSSEngineering
Level 1
Level 1
In response to Dinesh Moudgil

‎07-11-2014 05:57 AM

I can connect to the server :D You are the master of ASA!

Then it turned out that I have misunderstood what I needed. I fell over this nice post with nice diagrams: http://blog.soundtraining.net/2013/03/how-to-configure-split-tunneling-on.html

So I take I need to do a "no split-tunnel-policy". Do I need more?

0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to HSSEngineering

‎07-11-2014 05:59 AM

Hi ,

Here are the commands:-

group-policy test internal
group-policy test attributes
split-tunnel-policy tunnelall-------------(allows all the traffic to go through VPN tunnel)

nat (outside,outside) 1 source dynamic VPN-HOSTS VPN-HOSTS interface

------(Allows VPN users to get Patted to external ASA IP for internet access)

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Go to solution
HSSEngineering
Level 1
Level 1
In response to Dinesh Moudgil

‎07-11-2014 06:11 AM

nat throws me an error:

"Subnet can not be used as mapped source in dynamic NAT policy"

Perhaps it not good with the object... should it be modified?

object network VPN-HOSTS

  subnet 192.168.30.0 255.255.255 0

0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to HSSEngineering

‎07-11-2014 06:19 AM

Can you please try removing previous static nat for inside to outside interface.
Also, try these commands:-

object-group network VPC-HOSTS
network 192.168.30.0 255.255.255.0
exit
nat (outside,outside) 1 source dynamic VPC-HOSTS interface

 

Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.

 

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Go to solution
HSSEngineering
Level 1
Level 1
In response to Dinesh Moudgil

‎07-11-2014 06:30 AM

slightly confused here:

there's no 'network' under object-group network. You have the following:

group-object

network-object.

I'm gonna go with the last and nat it and see what happens.

0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to HSSEngineering

‎07-11-2014 06:33 AM

I meant "network-object"  :)

Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Go to solution
HSSEngineering
Level 1
Level 1
In response to Dinesh Moudgil

‎07-11-2014 06:56 AM

object-group network VPC-HOSTS
    network-object 192.168.30.0 2255.255.255.0
    exit
nat (outside,outside) 1 source dynamic VPC-HOSTS interface

 

Now I have no internet and not server connection

0 Helpful

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to HSSEngineering

‎07-11-2014 07:34 AM

I see that you have got
"object network obj_any
 nat (inside,outside) dynamic interface"
in place and this should allow you to access internet.

Can you please share the output of this command
"packet-tracer input inside icmp <internal host ip> 8 0 4.2.2.2 detailed"

Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Go to solution
HSSEngineering
Level 1
Level 1
In response to Dinesh Moudgil

‎07-11-2014 07:39 AM

ciscoasa(config)# $icmp 192.168.1.0 8 0 4.2.2.2 detailed packet-tracer input inside icmp 192.168.1.0 8 0 4.2.2.2 detailed$
 
Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xcc7b8c18, priority=1, domain=permit, deny=false
hits=744126, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
 
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 78.143.76.193, outside
 
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents