Cisco Support Community

New Member

Strange LAN access issue

Dear all,

I'm working on an 8.3(1) box whose VPN config isn't functional anymore, but I cannot recall what I might have done.

Obviously I've wrecked some sort of ACL or the like.

After 2 days of trying to spot the error, I've come here to post; maybe someone can look into this.

Scenario:

[ANYCONN/IPSEC]...[WAN]...[OUTSIDE]...ASA.....[INSIDE].....[DMZ 172.16.0.0/16].....[RTR]....[LAN 192.168.20.0/24]

The client connects fine (either AnyConnect 2.4 or IPsec).

The protected network(s) show up nicely in the client (split tunnel in place).

Problem:

No host (in any of the protected nets) is pingable/reachable (ICMP permitted) from the VPN client.

BUT:

packet-tracer input inside tcp 192.168.20.210 3389 172.16.1.30 3389

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

When I ping the .20 net from the VPN client, the ICMP trace shows requests coming in (but none return).

ICMP echo request from outside:172.16.1.30 to inside:192.168.20.210 ID=1280 seq=768 len=32

The relevant parts of the group config are as follows:

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool (outside) Dialinpool ( ip local pool Dialinpool 172.16.1.30-172.16.1.40 mask 255.255.0.0 )

tunnel-group DefaultWEBVPNGroup webvpn-attributes

group-alias 2 disable

tunnel-group DefaultWEBVPNGroup ipsec-attributes

pre-shared-key *****

Tunnel config:

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN_Inside

(access-list VPN_Inside remark Userland; access-list VPN_Inside standard permit 192.168.20.0 255.255.255.0 etc.)

The .210 host above is NOT subject to NAT, so there is no NAT exemption in place.

1 ACCEPTED SOLUTION

Accepted Solutions

Strange LAN access issue

/16 does cover this also; the host range would be 172.16.0.1 - 172.16.255.254.
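The check behind this answer, written out as an added Python example (not from the thread or from Cisco): it expands an "ip local pool" start-end range and reports whether any pool address lands inside a connected interface subnet (which a /16 covers even when the pool is a different /24 of it) or inside a routed network. The inside interface and the 192.168.20.0/24 route are taken from the configuration posted in the thread; the 10.0.0.10-10.0.0.20 pool is a constructed stand-in for the 10.0.0.0/24 pool the poster ends up using, whose exact range is not given.

```python
import ipaddress

# Constructed from the thread: the ASA's connected 'inside' interface
# (ip address 172.16.1.111 255.255.0.0) and the LAN reachable only via
# 'route inside 192.168.20.0 255.255.255.0 172.16.1.1'.
CONNECTED = {
    "inside": ipaddress.ip_interface("172.16.1.111/16"),
}
ROUTED = {
    "lan-behind-rtr": ipaddress.ip_network("192.168.20.0/24"),
}


def pool_addresses(start, end):
    """Expand an 'ip local pool <name> <start>-<end>' range into host addresses."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError("pool end precedes pool start")
    return [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]


def host_range(iface):
    """First and last usable host of a connected interface's subnet
    (for the /16 in the thread: 172.16.0.1 - 172.16.255.254)."""
    net = iface.network
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def check_pool(start, end, connected=CONNECTED, routed=ROUTED):
    """Report which connected subnets and routed networks a VPN pool collides with.

    A pool that sits inside a connected subnet is the condition the thread
    ends up fixing; overlap with a routed network is reported separately so
    the operator can see both before choosing a pool.
    """
    addrs = pool_addresses(start, end)
    inside_connected = sorted(
        name for name, iface in connected.items()
        if any(a in iface.network for a in addrs)
    )
    inside_routed = sorted(
        name for name, net in routed.items()
        if any(a in net for a in addrs)
    )
    return {
        "pool": f"{start}-{end}",
        "overlaps_connected": inside_connected,
        "overlaps_routed": inside_routed,
        "ok": not inside_connected and not inside_routed,
    }


if __name__ == "__main__":
    # The three pools tried in the thread, in order (last one is a
    # constructed range inside the 10.0.0.0/24 that finally worked).
    for start, end in [("172.16.1.30", "172.16.1.40"),
                       ("172.16.2.10", "172.16.2.20"),
                       ("10.0.0.10", "10.0.0.20")]:
        print(check_pool(start, end))
    print("inside host range:", host_range(CONNECTED["inside"]))
```

Run it as a script to see the first two pools flagged against "inside" and only the 10.0.0.x pool reported as clean; the check is deliberately done per address rather than per prefix so that a pool range which is not itself a CIDR block is still tested correctly.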

9 REPLIES

Strange LAN access issue

Post your full configuration.

New Member

Strange LAN access issue

Ajay,

thank you for your willingness to look into the mystery.

Here is the code. Some of it was snipped (certificates, clear names, etc.).

Part of the code was ASDM-generated.

ASA Version 8.3(1)

!

terminal width 100

hostname gate0

domain-name i-tax.local

enable password xxx

passwd xxxx

names

!

interface Ethernet0/0

description Uplink Versatel

speed 10

nameif outside

security-level 0

ip address xxxx

!

interface Ethernet0/1

description Uplink DMZ Netz 172

speed 100

duplex full

nameif inside

security-level 100

ip address 172.16.1.111 255.255.0.0

!

interface Ethernet0/2

description Uplink Hochgeschwindigkeitsstrecke

shutdown

nameif ecotel

security-level 0

pppoe client vpdn group ecotel

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

no ip address

management-only

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.20.211

domain-name i-tax.local

object network xxxx

host 192.168.20.208

description Maschinist

object network MTA1

host 192.168.20.191

object network LX0

host 172.16.1.100

description Linux - Server

object network Thermograph

host 192.168.20.212

description Thermograph

object network WWW0

host 172.16.1.101

object network PBX0

host 192.168.20.215

description OpenScape PBX

object network Wireless

range 172.16.1.50 172.16.1.60

object network ITAXFILE

host 192.168.20.203

object network RDP0

host 192.168.20.214

object network SMB0

host 192.168.20.211

object network PB_300c

host 192.168.20.190

object network SMB2

host 192.168.20.192

description SMB2

object network MOBIL5

host 192.168.20.67

object network MOBIL16

host 192.168.20.99

object network MOBIL19

host 192.168.20.19

object network MOBIL21

host 192.168.20.52

object-group service DM_INLINE_TCP_0 tcp

port-object eq domain

port-object eq www

port-object eq smtp

port-object eq ssh

port-object eq https

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_2 tcp

port-object eq ftp

port-object eq ftp-data

object-group network Serverfarm_DMZ

description Serverfarm DMZ

network-object object LX0

network-object object WWW0

access-list outside_access extended permit tcp any object WWW0 object-group DM_INLINE_TCP_1 log warnings

access-list outside_access remark Webserver Payroll

access-list outside_access remark Exchange Server MTA1

access-list outside_access extended permit tcp any host 192.168.20.191 object-group DM_INLINE_TCP_0 log warnings

access-list outside_access remark Thermograph

access-list outside_access extended permit tcp any host 192.168.20.212 eq www log warnings

access-list outside_access remark UNIX - Server

access-list outside_access extended permit tcp any object LX0 object-group DM_INLINE_TCP_2 log warnings

access-list VPN_Inside remark Userland

access-list VPN_Inside standard permit 192.168.20.0 255.255.255.0

access-list VPN_Inside standard permit 172.16.0.0 255.255.0.0

pager lines 24

logging enable

logging monitor emergencies

logging asdm notifications

logging class vpn buffered warnings

logging message 103012 level debugging

mtu outside 1500

mtu inside 1500

mtu ecotel 1500

mtu management 1500

ip local pool Dialinpool 172.16.1.30-172.16.1.40 mask 255.255.0.0

ip verify reverse-path interface outside

ip verify reverse-path interface inside

ip audit name HWFFM_Outside attack action alarm drop

ip audit interface outside HWFFM_Outside

ip audit attack action alarm drop

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

icmp permit any inside

icmp permit any ecotel

asdm history enable

arp timeout 14400

!

object network xxxxx

nat (inside,outside) dynamic interface dns

object network MTA1

nat (inside,outside) static xxxx dns

object network LX0

nat (inside,outside) static xxxxx dns

object network Thermograph

nat (inside,outside) static xxxx dns

object network WWW0

nat (inside,outside) static xxxx dns

object network PBX0

nat (inside,outside) dynamic interface

object network Wireless

nat (any,outside) dynamic interface

object network SMB0

nat (inside,outside) dynamic interface dns

object network PB_300c

nat (inside,outside) dynamic interface dns

object network SMB2

nat (inside,outside) dynamic interface dns

object network MOBIL5

nat (inside,outside) dynamic interface dns

object network MOBIL16

nat (inside,outside) dynamic interface dns

object network MOBIL19

nat (inside,outside) dynamic interface dns

access-group outside_access in interface outside

route outside 0.0.0.0 0.0.0.0 213.138.48.1 1

route inside 192.168.20.0 255.255.255.0 172.16.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server ITAX protocol radius

aaa-server ITAX (inside) host 192.168.20.211

key *****

radius-common-pw xxxx

http server enable

http 192.168.0.0 255.255.0.0 management

http 192.168.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp inside

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-3DES-SHA ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint1

enrollment terminal

fqdn gate0

xxxxx

keypair gate0

crl configure

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

crl configure

crypto ca trustpoint ASDM_TrustPoint2

crl configure

crypto ca trustpoint ASDM_TrustPoint3

enrollment terminal

subject-name CN=gate0

keypair gate0

crl configure

crypto ca server

shutdown

crypto ca certificate chain ASDM_TrustPoint0

certificate ca 0301

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

client-update enable

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet timeout 5

ssh 192.168.0.0 255.255.0.0 inside

ssh timeout 5

console timeout 15

vpdn group ecotel request dialout pppoe

vpdn group ecotel xxxxx

vpdn group ecotel ppp authentication pap

vpdn username xxxxx

dhcpd dns 62.72.64.237

dhcpd domain hwffm.dmz

!

dhcpd address 172.16.1.50-172.16.1.60 inside

dhcpd dns 194.145.226.26 62.72.64.237 interface inside

dhcpd ping_timeout 750 interface inside

dhcpd domain hwffm.dmz interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection scanning-threat shun

threat-detection statistics host

threat-detection statistics port number-of-rate 2

threat-detection statistics protocol number-of-rate 2

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl encryption rc4-sha1 aes256-sha1 3des-sha1

ssl trust-point ASDM_TrustPoint3 outside

webvpn

enable outside

csd image disk0:/securedesktop-asa-3.2.1.115-k9.pkg

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2

svc enable

group-policy DfltGrpPolicy attributes

vpn-simultaneous-logins 5

vpn-tunnel-protocol IPSec svc webvpn

pfs enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN_Inside

split-dns value i-tax.local

intercept-dhcp enable

address-pools value Dialinpool

webvpn

  svc modules value dart

username xxxxx

tunnel-group DefaultRAGroup general-attributes

address-pool Dialinpool

authentication-server-group ITAX

authentication-server-group (outside) ITAX

tunnel-group DefaultRAGroup webvpn-attributes

group-alias 1 disable

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

trust-point ASDM_TrustPoint3

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

no authentication ms-chap-v1

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool (outside) Dialinpool

address-pool Dialinpool

authentication-server-group ITAX

authentication-server-group (outside) ITAX

tunnel-group DefaultWEBVPNGroup webvpn-attributes

group-alias 2 disable

tunnel-group DefaultWEBVPNGroup ipsec-attributes

pre-shared-key *****

trust-point ASDM_TrustPoint3

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

  id-randomization

  id-mismatch action log

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

Strange LAN access issue

OK, here is the problem: not sure why you used such a big network (/16) for inside.

interface Ethernet0/1

description Uplink DMZ Netz 172

speed 100

duplex full

nameif inside

security-level 100

ip address 172.16.1.111 255.255.0.0

Then the VPN pool has also been taken from that range:

ip local pool Dialinpool 172.16.1.30-172.16.1.40 mask 255.255.0.0

My suggestion to you would be to get another subnet for the VPN pool. Once that is configured, NAT exempt rules are also required.

Here is the way to configure it:

object network inside_network
  subnet 192.168.20.0 255.255.255.0
object network vpn_network
  subnet x.x.x.x x.x.x.x
nat (inside,outside) source static inside_network inside_network destination static vpn_network vpn_network

After that, try to access it; it should work.

Thanks

Ajay

New Member

Re: Strange LAN access issue

Ajay,

the /16 net is so big for historical reasons.

Thanks for your input - no joy so far. I've configured the NAT exempt as per your suggestion.

From what I've read, the split tunnel feature should already serve as NAT exempt!?

Anyway...

I did not alter the client pool to a subnet but:

made an inside_net network object (192.168.20.0/24)

made a dmz_net network object (172.16.0.0/16)

made a "vpntest" object from the pool's 1st address assigned to my client (172.16.1.30)

and configured:

nat (inside,outside) source static inside_net inside_net destination static vpntest vpntest

nat (inside,outside) source static dmz_net dmz_net destination static vpntest vpntest

Client connects fine, but no transport (stale traffic counter).

What else might I be missing?

Strange LAN access issue

That's the reason I say change your pool and you will be all set; it is not recommended by Cisco to use the pool IP from the same subnet. Split tunnel is something to get a specific route for VPN so that the rest of the internet traffic goes locally.

Thanks

Ajay

New Member

Re: Strange LAN access issue

Ajay,

sorry... still no joy.

I have altered the pool to vpn_clientpool, to .2 and /24:

sho ip lo poo:

Begin           End             Mask            Free     Held     In use
172.16.2.10     172.16.2.20     255.255.255.0      10        0        1

I've created the appropriate object for later NAT exempt referral:

object network vpn_clientpool

subnet 172.16.2.0 255.255.255.0

Lease one (.10/24) is served nicely and the client connects fine.

NAT exempt is set:

nat (inside,outside) source static inside_net inside_net destination static vpn_clientpool vpn_clientpool

nat (inside,outside) source static dmz_net dmz_net destination static vpn_clientpool vpn_clientpool


New Member

Re: Strange LAN access issue

10.0.0.0/24 works like a charm.

Thanks Ajay.

I must confess I come from a 6.3 PIX that has run stable for almost 10 years and needed little to no attention.

This differs from what I've learned in PIX 6.3, where a "nested pool" scenario was no problem; is this also new in 8.3?

Strange LAN access issue

Sorry about that, I have no idea for 6.3. Things change so fast.

Thanks

Ajay
