New Member

Remote VPN - Connects but then what? ***Newbie ***

I have a 5505 and this is my first time working with a Cisco unit. My Internet access works fine and my test configuration allows clients to connect fine. How do I allow my remote clients access to my inside network?

1 ACCEPTED SOLUTION
Cisco Employee

Re: Remote VPN - Connects but then what? ***Newbie ***

Hey tony,

So I assume that the PCs in your LAN use 192.168.78.1 as the default gateway and there is no route on the pfSense router to send these back to the ASA. Please correct me if I am wrong here.

Try adding a route on the pfSense router for the destination network 192.168.50.0/24 pointing to the inside interface of the ASA, 192.168.78.254. Let me know if this works!!

regards,

Prapanch

27 REPLIES
New Member

Re: Remote VPN - Connects but then what? ***Newbie ***

Let me rephrase. My VPN clients can connect fine. How do I allow them access to my "inside" network. I used a set of instructions like those to set up my VPN already. Once a VPN client connects, they can not telnet to a server on the "inside" network.

Cisco Employee

Re: Remote VPN - Connects but then what? ***Newbie ***

Hey Tony,

The reason for that could be many, a few among them being a misconfigured NAT exemption, split tunnel, etc. Can you paste the configuration of the ASA?

Regards,

Prapanch

New Member

Re: Remote VPN - Connects but then what? ***Newbie ***

It was attached to the first post but here you go...

: Saved
:
ASA Version 7.2(4)
!
hostname vpn
domain-name test.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.78.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address aaa.bbb.ccc.250 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name test.com
access-list inside_nat0_outbound extended permit ip 192.168.78.0 255.255.255.0 192.168.50.0 255.255.255.240
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool TEST_POOL 192.168.50.1-192.168.50.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.78.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 aaa.bbb.ccc.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.78.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.78.0 255.255.255.0 inside
ssh timeout 5
console timeout 0


group-policy TEST internal
group-policy TEST attributes
vpn-tunnel-protocol IPSec
username test1 password Kg/Rgy23do7gPGTv encrypted privilege 15
username user1 password IzFIX6IZbh5HBYwq encrypted privilege 0
username user1 attributes
vpn-group-policy TEST
tunnel-group TEST type ipsec-ra
tunnel-group TEST general-attributes
address-pool TEST_POOL
default-group-policy TEST
tunnel-group TEST ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1b850c61dafeb89344fb6885c77d8e0c
: end


Cisco Employee

Re: Remote VPN - Connects but then what? ***Newbie ***

Hi,

Can you paste the output of "show crypto ipsec sa" when the user is connected? Please add the command "management-access inside" and check if you are able to ping the interface IP address of the ASA, that is, 192.168.78.254?

Regards,

Prapanch

New Member

Re: Remote VPN - Connects but then what? ***Newbie ***

vpn# show crypto ipsec sa

interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: aaa.bbb.ccc.250


      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.1/255.255.255.255/0/0)
      current_peer: 75.204.140.75, username: user1
      dynamic allocated peer ip: 192.168.50.1


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0


      local crypto endpt.: aaa.bbb.ccc.250, remote crypto endpt.: 75.204.140.75


      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: FF43DD6E


    inbound esp sas:
      spi: 0x40B2B6D1 (1085454033)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28792
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xFF43DD6E (4282637678)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28792
         IV size: 8 bytes
         replay detection support: Y

After adding "management-access inside" I was able to ping 192.168.78.254. Before I was not able to ping.

Cisco Employee

Re: Remote VPN - Connects but then what? ***Newbie ***

Hi Tony,

Please apply captures on the ASA's inside interface and see if you see packets going out and coming back in as well. For a guide on applying captures, please use the below document:

https://supportforums.cisco.com/docs/DOC-1222

In short, for the above IPSec SA, when trying to ping 192.168.78.1, the capture will be configured as below:

access-list capi permit ip host 192.168.50.1 host 192.168.78.1

access-list capi permit ip host 192.168.78.1 host 192.168.50.1

capture capin access-list capi interface inside

To view the captures, use the command "show cap capin" and paste that output here when trying to ping that IP on the inside of the ASA. Also, please try adding the command "sysopt connection permit-vpn" and see if it makes any difference. Let me know how it goes!!

Regards,

Prapanch

New Member

Re: Remote VPN - Connects but then what? ***Newbie ***

I posted the same question but no one bothered answering..... any success on your problem?!?!?

New Member

Re: Remote VPN - Connects but then what? ***Newbie ***

satuser001 wrote:

I posted the same question but no one bothered answering..... any success on your problem?!?!?

Still working on a solution...

New Member

Re: Remote VPN - Connects but then what? ***Newbie ***

vpn(config)# show cap capin
4 packets captured
   1: 11:18:49.924878 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   2: 11:18:54.862870 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   3: 11:19:00.360760 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   4: 11:19:05.842989 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
4 packets shown

This was before adding "sysopt connection permit-vpn". Adding it made no change.
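The "show crypto ipsec sa" counters posted earlier (decaps 3, encaps 0) and the capture just above both show the same one-way picture: the client's packets arrive and are put on the inside VLAN, but nothing ever comes back. Here is a small script, added for this page and not part of the thread, that reads both kinds of output and flags host pairs seen in only one direction. The sample text inside it is a constructed copy of the outputs posted in this thread (the second capture trimmed to four lines), and the line format it parses is the one the ASA prints above.

```python
import re
from collections import defaultdict

# Constructed sample input, copied from the outputs posted in this thread:
# the capture before the fix, the capture after it, and the SA counters.
CAPTURE_BEFORE = """\
4 packets captured
   1: 11:18:49.924878 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   2: 11:18:54.862870 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   3: 11:19:00.360760 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   4: 11:19:05.842989 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
4 packets shown
"""
CAPTURE_AFTER = """\
8 packets captured
   1: 19:59:34.545549 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   2: 19:59:34.545793 802.1Q vlan#1 P0 192.168.78.1 > 192.168.50.1: icmp: echo reply
   3: 19:59:35.550325 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   4: 19:59:35.550539 802.1Q vlan#1 P0 192.168.78.1 > 192.168.50.1: icmp: echo reply
8 packets shown
"""
SA_OUTPUT = """\
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
"""

# One packet line of "show cap <name>":
#   "<n>: <time> [802.1Q vlan#N P0] src[.port] > dst[.port]: <info>"
# The 802.1Q part appears on a 5505 because the inside interface is a VLAN.
PACKET_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\.(?P<dport>\d+))?:\s+(?P<info>.*)$"
)

def parse_capture(text):
    """Return one dict per packet line; header and trailer lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            packets.append({"src": m.group("src"), "dst": m.group("dst"),
                            "sport": m.group("sport"), "dport": m.group("dport"),
                            "info": m.group("info")})
    return packets

def flow_balance(packets):
    """Packets per direction for each host pair: {(a, b): (a_to_b, b_to_a)}, a < b."""
    counts = defaultdict(lambda: [0, 0])
    for p in packets:
        a, b = sorted((p["src"], p["dst"]))
        counts[(a, b)][0 if p["src"] == a else 1] += 1
    return {pair: tuple(c) for pair, c in counts.items()}

def one_way_flows(packets):
    """Host pairs seen in only one direction. On an inside-interface capture this
    means the ASA put the client's packets on the LAN and never saw an answer:
    the host dropped them (local firewall), or its reply took a path that does
    not lead back through the ASA, which is what happened in this thread."""
    return sorted(pair for pair, (ab, ba) in flow_balance(packets).items()
                  if ab == 0 or ba == 0)

def sa_counters(text):
    """(encaps, decaps) from 'show crypto ipsec sa'. decaps > 0 with encaps == 0
    says the tunnel is up and carrying client traffic in, but nothing is being
    sent back to the client: look at inside routing and NAT, not at IKE."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", text)
    dec = re.search(r"#pkts decaps:\s*(\d+)", text)
    return int(enc.group(1)), int(dec.group(1))
```

Run it over the first capture and it reports (192.168.50.1, 192.168.78.1) as one-way with four packets out and none back; over the second it reports nothing. The same check works for a telnet test, since the regex also accepts the `src.port > dst.port` form the ASA uses for TCP.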

New Member

Re: Remote VPN - Connects but then what? ***Newbie ***

Would appreciate it if you could let me know as soon as you do......

Just in-case I forget to check... thx m8

Cisco Employee

Re: Remote VPN - Connects but then what? ***Newbie ***

Hey tony,

That's interesting. Can you ping that IP from the ASA, that is, 192.168.78.1? Also, please paste the outputs of "show cap" and "show run access-list" from the ASA. Just want to confirm the captures have been applied right.

If they are, it seems like the hosts are not replying back to the echo requests from the VPN client. You might want to have a look at that host and see if there is any kind of firewall that could be blocking pings.

Regards,

Prapanch

New Member

Re: Remote VPN - Connects but then what? ***Newbie ***

vpn# ping 192.168.78.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.78.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
vpn# show cap        
capture capin type raw-data access-list capi interface inside [Capturing - 752 bytes]
vpn# show run access-list
access-list inside_nat0_outbound extended permit ip 192.168.78.0 255.255.255.0 192.168.50.0 255.255.255.240
access-list capi extended permit ip host 192.168.50.1 host 192.168.78.1
access-list capi extended permit ip host 192.168.78.1 host 192.168.50.1
Cisco Employee

Re: Remote VPN - Connects but then what? ***Newbie ***

Hey Tony,

The captures seem ok. As I said, please have a check as to why the host is not replying to echo requests. Maybe a firewall or a misconfigured route.

regards,

Prapanch

New Member

Re: Remote VPN - Connects but then what? ***Newbie ***

By "host" you mean ...

Cisco Employee

Re: Remote VPN - Connects but then what? ***Newbie ***

I mean 192.168.78.1. Check for firewall rules on it and disable the firewall on it for a while and see if it makes any difference.

Regards,

Prapanch

New Member

Re: Remote VPN - Connects but then what? ***Newbie ***

I can ping 192.168.78.1 from every address on the "inside" 192.168.78.0 network.

Cisco Employee

Re: Remote VPN - Connects but then what? ***Newbie ***

Hey Tony,

The reason for that is the way firewalls work (at least Windows Firewall). They allow pings from the same network range but not from any other network range. That's why I asked you to try disabling the firewall.

Another reason could be a misconfigured route on that PC for the 192.168.50.0 network.

New Member

Re: Remote VPN - Connects but then what? ***Newbie ***

192.168.78.1 is the "inside" of a pfSense router.

aaa.bbb.ccc.248 is the "outside1" of the pfSense router.

This pfSense router is providing internet access to my network and failover with a DSL . I'm wanting to use the 5505 to provide VPN access.

Cisco Employee

Re: Remote VPN - Connects but then what? ***Newbie ***

Hey tony,

So I assume that the PCs in your LAN use 192.168.78.1 as the default gateway and there is no route on the pfSense router to send these back to the ASA. Please correct me if I am wrong here.

Try adding a route on the pfSense router for the destination network 192.168.50.0/24 pointing to the inside interface of the ASA, 192.168.78.254. Let me know if this works!!

regards,

Prapanch
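The return-path problem the accepted answer describes, worked through as an added example (Python written for this page; it is not from the thread or from Cisco). The topology is the one described in the thread: the LAN hosts such as 192.168.78.5 use the pfSense box 192.168.78.1 as their default gateway, the ASA inside interface is 192.168.78.254, and the client holds 192.168.50.1 from the pool. The node names, the "isp" and "vpn-client" end points, and the routing tables are assumptions modelled on that description; the ASA's /32 route for the connected client's pool address stands in for the tunnel.

```python
import ipaddress

class Node:
    """A host or router with a static routing table.
    routes: list of (prefix, next_hop). next_hop None means the prefix is
    directly connected; otherwise it names another Node, or a point outside
    this model ("isp", "vpn-client"). Assumed topology, not a real device."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop) or None."""
        dst = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def trace(nodes, start, dst, max_hops=8):
    """Follow per-hop lookups for dst, starting at node `start`.
    Returns (path, verdict): "on-link" when a node delivers directly,
    "terminal" when the packet is handed to a point outside the model,
    "no route" or "loop" otherwise."""
    path, node = [start], nodes[start]
    for _ in range(max_hops):
        hit = node.lookup(dst)
        if hit is None:
            return path, "no route"
        nh = hit[1]
        if nh is None:
            path.append(str(dst))
            return path, "on-link"
        path.append(nh)
        if nh not in nodes:
            return path, "terminal"
        node = nodes[nh]
    return path, "loop"

def lab(pfsense_route=False, server_route=False):
    """Build the thread's LAN as assumed above. pfsense_route adds the accepted
    answer's static route on pfSense; server_route instead adds the same route
    on the server itself (what the final post did)."""
    server_rt = [("192.168.78.0/24", None), ("0.0.0.0/0", "pfsense")]
    pfsense_rt = [("192.168.78.0/24", None), ("0.0.0.0/0", "isp")]
    asa_rt = [("192.168.78.0/24", None), ("192.168.50.1/32", "vpn-client"),
              ("0.0.0.0/0", "isp")]
    if pfsense_route:
        pfsense_rt.append(("192.168.50.0/24", "asa"))
    if server_route:
        server_rt.append(("192.168.50.0/24", "asa"))
    return {"server": Node("server", server_rt),
            "pfsense": Node("pfsense", pfsense_rt),
            "asa": Node("asa", asa_rt)}

def reply_reaches_client(nodes, host="server", client="192.168.50.1"):
    """True if a reply from `host` to the VPN client ends at the ASA's tunnel."""
    path, _ = trace(nodes, host, client)
    return path[-1] == "vpn-client"

if __name__ == "__main__":
    for label, nodes in (("no route", lab()),
                         ("pfSense route", lab(pfsense_route=True)),
                         ("server host route", lab(server_route=True))):
        path, verdict = trace(nodes, "server", "192.168.50.1")
        print(f"{label:18} {' -> '.join(path)}  [{verdict}]")
```

Without the route the reply goes server -> pfsense -> isp: the forward packet reached the host over the ASA's connected inside network, but the host's default route sends the answer to pfSense, which forwards it out the WAN, where a 192.168.50.0/24 destination goes nowhere. That is exactly the capture of echo requests with no replies. Either route fixes it: one on pfSense covers every LAN host, one on the server covers only that host. A caveat worth keeping in mind: once pfSense has that route, every LAN host can answer the VPN pool, so access control for VPN users rests entirely on the ASA. `sysopt connection permit-vpn` (added during the thread, and on by default, which is why adding it changed nothing) lets decrypted VPN traffic bypass the outside interface ACL, so restrict clients with a vpn-filter in the group policy, or turn that sysopt off and filter at the interface.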

New Member

Re: Remote VPN - Connects but then what? ***Newbie ***

I was thinking the same thing. Will let you know in a few minutes.

I need to reconfig my ASA 5505....

New Member

Re: Remote VPN - Connects but then what? ***Newbie ***

I can now ping 192.168.78.1.

I need to telnet to 192.168.78.5. I can not ping or telnet to that address.

Cisco Employee

Re: Remote VPN - Connects but then what? ***Newbie ***

Hi Tony,

What do captures suggest this time? Can you once again paste the output of that?

Also, did you add a route on the pfSense router for the 192.168.50.0/24 network pointing to the ASA?

Regards,

Prapanch

New Member

Re: Remote VPN - Connects but then what? ***Newbie ***

praprama wrote:

Hi Tony,

What do captures suggest this time? Can you once again paste the output of that?

Also, did you add a route on the pfSense router for the 192.168.50.0/24 network pointing to the ASA?

Regards,

Prapanch

Yes, I added a route on the pfSense router for the 192.168.50.0/24 network pointing to the ASA. Pinging 192.168.78.1 from my Remote VPN connection works. Here are the captures:

vpn(config)# show cap capin
8 packets captured
   1: 19:59:34.545549 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   2: 19:59:34.545793 802.1Q vlan#1 P0 192.168.78.1 > 192.168.50.1: icmp: echo reply
   3: 19:59:35.550325 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   4: 19:59:35.550539 802.1Q vlan#1 P0 192.168.78.1 > 192.168.50.1: icmp: echo reply
   5: 19:59:36.558427 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   6: 19:59:36.558641 802.1Q vlan#1 P0 192.168.78.1 > 192.168.50.1: icmp: echo reply
   7: 19:59:37.550874 802.1Q vlan#1 P0 192.168.50.1 > 192.168.78.1: icmp: echo request
   8: 19:59:37.551088 802.1Q vlan#1 P0 192.168.78.1 > 192.168.50.1: icmp: echo reply
8 packets shown

Cisco Employee

Re: Remote VPN - Connects but then what? ***Newbie ***

What do the captures look like for 192.168.78.5 when trying to ping/telnet 192.168.78.5?

Regards,

Prapanch

New Member

Re: Remote VPN - Connects but then what? ***Newbie ***

Prapanch,

Thanks for all of your help. Looks like there was never an issue with the ASA. I had a routing problem since the ASA was not being used as the default "inside" gateway. Adding a route to 192.168.78.5 to handle the 192.168.50.0/24 traffic fixed my telnet and pinging problems. Thanks again for your time and help. Now to find a copy of "Networking for Dummies".

THANKS,

Tony

Cisco Employee

Re: Remote VPN - Connects but then what? ***Newbie ***

Hey Tony,

Glad to know I was of help. Feel free to post queries here if you have any questions!!

Regards,

Prapanch
