New Member

VPN - Can't Access Internal subnets behind 2nd router. HELP.

Hi guys,

Looking for a little help after a day of frustration. I am really new to this and studying, so I know that I am doing something dumb. Anyway, I purchased an ASA 5505 and placed it between my cable modem and Cisco 3745 router. The outside interface on the ASA is DHCP, the inside interface is 192.168.100.1. The outside interface of the 3745 is 192.168.100.2 and the inside is 192.168.1.1. The VPN pool is 192.168.200.10 - 192.168.200.10.

Here are the problems...

1. When I establish a VPN session to the ASA, I can ping and access any resources directly connected to the ASA's interfaces and on the ASA's internal 192.168.100.0 network. However, I cannot access any resources behind the 3745. I cannot even ping 192.168.1.1.

2. Although I believe that I set up split-tunnel, I cannot U-turn back to the internet once connected to the VPN.

Here is my network topology as well as my ASA config and Router config.....

ASA ......

ASA Version 8.2(5)

!

hostname poog-fw1

domain-name poog

enable password ********** encrypted

passwd ************ encrypted

names

name 192.168.100.2 RouterWAN

name 192.168.100.0 Internal

name 192.168.200.0 VPN

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!            

interface Ethernet0/6

!            

interface Ethernet0/7

!            

interface Vlan1

nameif inside

security-level 100

ip address 192.168.100.1 255.255.255.0

!            

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!            

boot system disk0:/asa825-k8.bin

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 167.206.245.129

name-server 167.206.245.130

domain-name poog

same-security-traffic permit intra-interface

object-group network VPN

object-group network RouterWAN

object-group network RouterWAN-01

object-group network RouterWAN-02

object-group network RouterWAN-03

object-group network RouterWAN-04

object-group network RouterWAN-05

object-group network obj_any

object-group network obj_any-01

object-group network obj-0.0.0.0

object-group network iphone

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list outside_access_in extended permit tcp VPN 255.255.255.0 any

access-list outside_access_in remark Telnet to Router

access-list outside_access_in extended permit tcp any interface outside eq telnet

access-list outside_access_in remark IP Cameras

access-list outside_access_in extended permit object-group TCPUDP any interface outside range 1021 1022

access-list outside_access_in extended permit tcp any interface outside eq www

access-list outside_access_in remark FTP to NAS

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list outside_access_in remark VNC to WX Server

access-list outside_access_in extended permit tcp any interface outside eq 5900

access-list outside_access_in extended permit tcp any interface outside eq https

access-list outside_access_in remark Telnet to Router

access-list outside_access_in remark IP Cameras

access-list outside_access_in remark FTP to NAS

access-list outside_access_in remark VNC to WX Server

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137

access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns

access-list AnyConnect_Client_Local_Print extended deny ip any any

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list inside_nat0_outbound extended permit ip Internal 255.255.255.0 VPN 255.255.255.0

access-list split-tunnel standard permit Internal 255.255.255.0

access-list split-tunnel standard permit host 192.168.1.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPNPOOL 192.168.200.10-192.168.200.20 mask 255.255.255.0

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat-control  

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface telnet RouterWAN telnet netmask 255.255.255.255

static (inside,inside) tcp interface 5900 RouterWAN 5900 netmask 255.255.255.255

static (inside,outside) tcp interface ftp RouterWAN ftp netmask 255.255.255.255

static (inside,outside) tcp interface 1021 RouterWAN 1021 netmask 255.255.255.255

static (inside,inside) tcp interface 1022 RouterWAN 1022 netmask 255.255.255.255

access-group outside_access_in in interface outside

!            

router rip   

network Internal

default-information originate

version 2   

no auto-summary

!            

route inside 192.168.1.0 255.255.255.0 RouterWAN 1

route inside VPN 255.255.255.0 192.168.100.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http Internal 255.255.255.0 inside

http VPN 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet Internal 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!            

dhcpd address RouterWAN-RouterWAN inside

dhcpd auto_config outside interface inside

dhcpd enable inside

!            

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn       

enable outside

svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1

svc enable  

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

dns-server value 167.206.245.129

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-network-list value split-tunnel

group-policy Clientless internal

group-policy Clientless attributes

vpn-tunnel-protocol webvpn

webvpn      

  url-list value VPN_Book_Marks

group-policy AnyConnect internal

group-policy AnyConnect attributes

banner value Welcome To My Network

dns-server value 167.206.245.129

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list none

default-domain value poog

webvpn      

  url-list value VPN_Book_Marks

  svc keep-installer installed

  svc ask none default svc

username ogonzalez password 0VrbklOhGRHipw79 encrypted privilege 0

username ogonzalez attributes

vpn-group-policy Clientless

username jgonzalez password ymcpO334smdskkpl encrypted privilege 0

username jgonzalez attributes

vpn-group-policy AnyConnect

tunnel-group RAVPN type remote-access

tunnel-group RAVPN general-attributes

address-pool VPNPOOL

tunnel-group RAVPN webvpn-attributes

group-alias RAVPN enable

group-url https://69.121.142.156/RAVPN enable

tunnel-group AnyConnect type remote-access

tunnel-group AnyConnect general-attributes

address-pool VPNPOOL

default-group-policy AnyConnect

tunnel-group AnyConnect webvpn-attributes

group-alias AnyConnect enable

group-url https://69.121.142.156/AnyConnect enable

tunnel-group Clientless type remote-access

tunnel-group Clientless general-attributes

default-group-policy Clientless

!            

class-map inspection_default

match default-inspection-traffic

!            

!            

policy-map type inspect dns preset_dns_map

parameters  

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!            

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home    

profile CiscoTAC-1

  no active  

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:7d91e2ad8d7a86c40860fa8a1b117271

: end

Router.....

Current configuration : 1922 bytes

!

version 12.3

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname poog_rtr1

!

boot-start-marker

boot-end-marker

!

no logging buffered

no logging console

no logging monitor

enable secret 5 *************.

!

no aaa new-model

ip subnet-zero

!

!

ip cef

no ip domain lookup

ip dhcp excluded-address 192.168.1.1 192.168.1.150

!

ip dhcp pool DHCP1

   import all

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

   dns-server 167.206.245.129 167.206.245.130

!

!

!

!

!

!

!

!

!

!

!

!        

username ***** privilege 15 password 0 *****

!        

!        

!        

!        

interface Loopback0

ip address 1.1.1.1 255.255.255.255

!        

interface FastEthernet0/0

description LAN

ip address 192.168.1.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!        

interface FastEthernet0/1

description WAN

ip address dhcp

ip nat outside

duplex auto

speed auto

!        

router rip

version 2

network 192.168.1.0

network 192.168.100.0

network 192.168.200.0

no auto-summary

!        

ip nat inside source list 1 interface FastEthernet0/1 overload

ip nat inside source static tcp 192.168.1.100 80 interface FastEthernet0/1 80

ip nat inside source static tcp 192.168.1.13 5900 interface FastEthernet0/1 5900

ip nat inside source static tcp 192.168.1.12 1022 interface FastEthernet0/1 1022

ip nat inside source static tcp 192.168.1.11 1021 interface FastEthernet0/1 1021

ip nat inside source static tcp 192.168.1.100 21 interface FastEthernet0/1 21

ip nat inside source static tcp 192.168.1.1 23 interface FastEthernet0/1 23

ip http server

ip http authentication local

ip classless

ip route 192.168.200.0 255.255.255.0 FastEthernet0/1

!        

!        

access-list 1 remark SDM_ACL Category=16

access-list 1 permit any

no cdp run

!        

!        

!        

!        

!        

!        

!        

dial-peer cor custom

!        

!        

!        

gateway  

!        

banner motd ^C

***** UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED! *****^C

!        

line con 0

line aux 0

line vty 0 4

login local

!        

end 

Accepted Solutions

Re: VPN - Can't Access Internal subnets behind 2nd router. HELP.

"192.168.100.0 ---> 192.168.1.0 I DO NOT get ping replies."

Please add "inspect icmp" in the class inspection_default policy as shown below.

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

I hope that helps.

Please rate helpful post.

thanks

11 REPLIES
Hall of Fame Super Silver

VPN - Can't Access Internal subnets behind 2nd router. HELP.

For access further inwards, you need to be either learning the route (via RIP, which you have set up in the ASA) or have a static route configured. If you do a "show route" you should see what, if anything, RIP is learning.

You can either make RIP work or just add a static - e.g.:

route inside 192.168.1.0 255.255.255.0 192.168.100.2

VPN - Can't Access Internal subnets behind 2nd router. HELP.

Please add this line on the ACL "inside_nat0_outbound"

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 VPN 255.255.255.0

Hope that helps.

thanks

Rizwan Rafeek

VPN - Can't Access Internal subnets behind 2nd router. HELP.

Please remove this route from the ASA.

The VPN network segment is located on the firewall; you do not route that traffic to any interface.

Incorrect route:

route inside VPN 255.255.255.0 192.168.100.1

New Member

VPN - Can't Access Internal subnets behind 2nd router. HELP.

Thank you so much for the reply. I have done what you asked but still have an issue. Now I can ping the internal resources but I cannot use them. For instance, I cannot telnet into 192.168.1.1 or 192.168.1.2. I cannot VNC into 192.168.1.13 even though I can ping it.

Here is the new ASA config following your suggestions.....

ASA Version 8.2(5)

!

hostname poog-fw1

domain-name poog

enable password ****** encrypted

passwd ******* encrypted

names

name 192.168.100.2 RouterWAN

name 192.168.100.0 Internal

name 192.168.200.0 VPN

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!            

interface Ethernet0/6

!            

interface Ethernet0/7

!            

interface Vlan1

nameif inside

security-level 100

ip address 192.168.100.1 255.255.255.0

!            

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!            

boot system disk0:/asa825-k8.bin

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 167.206.245.129

name-server 167.206.245.130

domain-name poog

same-security-traffic permit intra-interface

object-group network VPN

object-group network RouterWAN

object-group network RouterWAN-01

object-group network RouterWAN-02

object-group network RouterWAN-03

object-group network RouterWAN-04

object-group network RouterWAN-05

object-group network obj_any

object-group network obj_any-01

object-group network obj-0.0.0.0

object-group network iphone

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list outside_access_in extended permit tcp VPN 255.255.255.0 any

access-list outside_access_in remark Telnet to Router

access-list outside_access_in extended permit tcp any interface outside eq telnet

access-list outside_access_in remark IP Cameras

access-list outside_access_in extended permit object-group TCPUDP any interface outside range 1021 1022

access-list outside_access_in extended permit tcp any interface outside eq www

access-list outside_access_in remark FTP to NAS

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list outside_access_in remark VNC to WX Server

access-list outside_access_in extended permit tcp any interface outside eq 5900

access-list outside_access_in extended permit tcp any interface outside eq https

access-list outside_access_in remark Telnet to Router

access-list outside_access_in remark IP Cameras

access-list outside_access_in remark FTP to NAS

access-list outside_access_in remark VNC to WX Server

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137

access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns

access-list AnyConnect_Client_Local_Print extended deny ip any any

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list inside_nat0_outbound extended permit ip Internal 255.255.255.0 VPN 255.255.255.0

access-list inside_nat0_outbound extended permit ip host 192.168.1.0 interface outside

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 VPN 255.255.255.0

access-list split-tunnel standard permit Internal 255.255.255.0

access-list split-tunnel standard permit host 192.168.1.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPNPOOL 192.168.200.10-192.168.200.20 mask 255.255.255.0

ip verify reverse-path interface outside

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat-control  

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

nat (outside) 101 VPN 255.255.255.0

static (inside,outside) tcp interface telnet RouterWAN telnet netmask 255.255.255.255

static (inside,inside) tcp interface 5900 RouterWAN 5900 netmask 255.255.255.255

static (inside,outside) tcp interface ftp RouterWAN ftp netmask 255.255.255.255

static (inside,outside) tcp interface 1021 RouterWAN 1021 netmask 255.255.255.255

static (inside,inside) tcp interface 1022 RouterWAN 1022 netmask 255.255.255.255

access-group outside_access_in in interface outside

!            

router rip   

network Internal

default-information originate

version 2   

no auto-summary

!            

route inside 192.168.1.0 255.255.255.0 RouterWAN 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http Internal 255.255.255.0 inside

http VPN 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet Internal 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!            

dhcpd address RouterWAN-RouterWAN inside

dhcpd auto_config outside interface inside

dhcpd enable inside

!            

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn       

enable outside

svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1

svc enable  

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

dns-server value 167.206.245.129

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-network-list value split-tunnel

group-policy AnyConnect internal

group-policy AnyConnect attributes

banner value You are about to connect via VPN to this network. Unauthorized Access is prohibited and tracked.

dns-server value 167.206.245.129

vpn-tunnel-protocol svc webvpn

default-domain value poog

webvpn      

  url-list value VPN_Book_Marks

  svc keep-installer installed

  svc ask none default svc

username ogonzalez password 0VrbklOhGRHipw79 encrypted privilege 0

username jgonzalez password ymcpO334smdskkpl encrypted privilege 0

username jgonzalez attributes

vpn-group-policy AnyConnect

tunnel-group AnyConnect type remote-access

tunnel-group AnyConnect general-attributes

address-pool VPNPOOL

default-group-policy AnyConnect

tunnel-group AnyConnect webvpn-attributes

group-alias AnyConnect enable

group-url https://69.121.142.156/AnyConnect enable

!            

class-map inspection_default

match default-inspection-traffic

!            

!            

policy-map type inspect dns preset_dns_map

parameters  

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!            

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home    

profile CiscoTAC-1

  no active  

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:0c1feac59cd2ed7b85e53a31351f8dc7

: end   

VPN - Can't Access Internal subnets behind 2nd router. HELP.

Please remove this line from the ASA, the one highlighted below.

ip verify reverse-path interface outside

FYI...

Please remove this line from the ACL on the ASA:

access-list split-tunnel standard permit host 192.168.1.0

and re-enter it as shown below.

access-list split-tunnel standard permit 192.168.1.0 255.255.255.0

Hope that helps.

Please update.

thanks.

Rizwan Rafeek

New Member

VPN - Can't Access Internal subnets behind 2nd router. HELP.

Really, really frustrated! Now nothing works; I cannot ping between the 192.168.100.0 and 192.168.1.0 networks after doing the above config. I have a test workstation attached directly to the ASA on the 192.168.100.0 network and I cannot ping a workstation on the 192.168.1.0 network!

Here is my new config....

: Saved

:

ASA Version 8.2(5)

!

hostname poog-fw1

domain-name poog

enable password ***** encrypted

passwd ******** encrypted

names

name 192.168.100.2 RouterWAN

name 192.168.100.0 Internal

name 192.168.200.0 VPN

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!            

interface Ethernet0/6

!            

interface Ethernet0/7

!            

interface Vlan1

nameif inside

security-level 100

ip address 192.168.100.1 255.255.255.0

!            

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!            

boot system disk0:/asa825-k8.bin

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 167.206.245.129

name-server 167.206.245.130

domain-name poog

same-security-traffic permit intra-interface

object-group network VPN

object-group network RouterWAN

object-group network RouterWAN-01

object-group network RouterWAN-02

object-group network RouterWAN-03

object-group network RouterWAN-04

object-group network RouterWAN-05

object-group network obj_any

object-group network obj_any-01

object-group network obj-0.0.0.0

object-group network iphone

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list outside_access_in extended permit tcp VPN 255.255.255.0 any

access-list outside_access_in remark Telnet to Router

access-list outside_access_in extended permit tcp any interface outside eq telnet

access-list outside_access_in remark IP Cameras

access-list outside_access_in extended permit object-group TCPUDP any interface outside range 1021 1022

access-list outside_access_in extended permit tcp any interface outside eq www

access-list outside_access_in remark FTP to NAS

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list outside_access_in remark VNC to WX Server

access-list outside_access_in extended permit tcp any interface outside eq 5900

access-list outside_access_in extended permit tcp any interface outside eq https

access-list outside_access_in remark Telnet to Router

access-list outside_access_in remark IP Cameras

access-list outside_access_in remark FTP to NAS

access-list outside_access_in remark VNC to WX Server

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137

access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns

access-list AnyConnect_Client_Local_Print extended deny ip any any

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list inside_nat0_outbound extended permit ip Internal 255.255.255.0 VPN 255.255.255.0

access-list inside_nat0_outbound extended permit ip host 192.168.1.0 interface outside

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 VPN 255.255.255.0

access-list split-tunnel standard permit Internal 255.255.255.0

access-list split-tunnel standard permit 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPNPOOL 192.168.200.10-192.168.200.20 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat-control  

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

nat (outside) 101 VPN 255.255.255.0

static (inside,outside) tcp interface telnet RouterWAN telnet netmask 255.255.255.255

static (inside,inside) tcp interface 5900 RouterWAN 5900 netmask 255.255.255.255

static (inside,outside) tcp interface ftp RouterWAN ftp netmask 255.255.255.255

static (inside,outside) tcp interface 1021 RouterWAN 1021 netmask 255.255.255.255

static (inside,inside) tcp interface 1022 RouterWAN 1022 netmask 255.255.255.255

access-group outside_access_in in interface outside

!            

router rip   

network Internal

default-information originate

version 2   

no auto-summary

!            

route inside 192.168.1.0 255.255.255.0 RouterWAN 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http Internal 255.255.255.0 inside

http VPN 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet Internal 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!            

dhcpd address RouterWAN-RouterWAN inside

dhcpd auto_config outside interface inside

dhcpd enable inside

!            

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn       

enable outside

svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1

svc enable  

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

dns-server value 167.206.245.129

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-network-list value split-tunnel

group-policy AnyConnect internal

group-policy AnyConnect attributes

banner value You are about to connect via VPN to this network. Unauthorized Access is prohibited and tracked.

dns-server value 167.206.245.129

vpn-tunnel-protocol svc webvpn

default-domain value poog

webvpn      

  url-list value VPN_Book_Marks

  svc keep-installer installed

  svc ask none default svc

username ogonzalez password 0VrbklOhGRHipw79 encrypted privilege 0

username jgonzalez password ymcpO334smdskkpl encrypted privilege 0

username jgonzalez attributes

vpn-group-policy AnyConnect

tunnel-group AnyConnect type remote-access

tunnel-group AnyConnect general-attributes

address-pool VPNPOOL

default-group-policy AnyConnect

tunnel-group AnyConnect webvpn-attributes

group-alias AnyConnect enable

group-url https://69.121.142.156/AnyConnect enable

!            

class-map inspection_default

match default-inspection-traffic

!            

!            

policy-map type inspect dns preset_dns_map

parameters  

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!            

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home    

profile CiscoTAC-1

  no active  

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:2df2033f359165aa32c005f98e4ece23

: end

VPN - Can't Access Internal subnets behind 2nd router. HELP.

I am seeing this on your no nat inside_nat0_outbound ACL.

access-list inside_nat0_outbound extended permit ip host 192.168.1.0 interface outside

What is this?

So, remove this line and try it.

thanks

New Member

Re: VPN - Can't Access Internal subnets behind 2nd router. HELP.

I removed it and still no good. Could it be an access list OR the router behind the ASA that is blocking the traffic?

192.168.1.0 --> 192.168.100.0 I get ping replies

192.168.100.0 ---> 192.168.1.0 I DO NOT get ping replies.

I did a ping test from 192.168.100.10 to 192.168.1.13 and got no replies. A trace route shows that the ASA is routing traffic correctly because the next hop was 192.168.100.2 which is my inside router.

Thinking access list or NAT somewhere. Thoughts???

Here is the new ASA config....

: Saved

:

ASA Version 8.2(5)

!

hostname poog-fw1

domain-name poog

enable password ***** encrypted

passwd ****** encrypted

names

name 192.168.100.2 RouterWAN

name 192.168.100.0 Internal

name 192.168.200.0 VPN

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!            

interface Ethernet0/6

!            

interface Ethernet0/7

!            

interface Vlan1

nameif inside

security-level 100

ip address 192.168.100.1 255.255.255.0

!            

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!            

boot system disk0:/asa825-k8.bin

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 167.206.245.129

name-server 167.206.245.130

domain-name poog

same-security-traffic permit intra-interface

object-group network VPN

object-group network RouterWAN

object-group network RouterWAN-01

object-group network RouterWAN-02

object-group network RouterWAN-03

object-group network RouterWAN-04

object-group network RouterWAN-05

object-group network obj_any

object-group network obj_any-01

object-group network obj-0.0.0.0

object-group network iphone

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

access-list outside_access_in extended permit tcp VPN 255.255.255.0 any

access-list outside_access_in remark Telnet to Router

access-list outside_access_in extended permit tcp any interface outside eq telnet

access-list outside_access_in remark IP Cameras

access-list outside_access_in extended permit object-group TCPUDP any interface outside range 1021 1022

access-list outside_access_in extended permit tcp any interface outside eq www

access-list outside_access_in remark FTP to NAS

access-list outside_access_in extended permit tcp any interface outside eq ftp

access-list outside_access_in remark VNC to WX Server

access-list outside_access_in extended permit tcp any interface outside eq 5900

access-list outside_access_in extended permit tcp any interface outside eq https

access-list outside_access_in remark Telnet to Router

access-list outside_access_in remark IP Cameras

access-list outside_access_in remark FTP to NAS

access-list outside_access_in remark VNC to WX Server

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137

access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns

access-list AnyConnect_Client_Local_Print extended deny ip any any

access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol

access-list AnyConnect_Client_Local_Print remark Windows' printing port

access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol

access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol

access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol

access-list inside_nat0_outbound extended permit ip Internal 255.255.255.0 VPN 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 VPN 255.255.255.0

access-list split-tunnel standard permit Internal 255.255.255.0

access-list split-tunnel standard permit 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPNPOOL 192.168.200.10-192.168.200.20 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat-control  

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 0.0.0.0 0.0.0.0

nat (outside) 101 VPN 255.255.255.0

static (inside,outside) tcp interface telnet RouterWAN telnet netmask 255.255.255.255

static (inside,inside) tcp interface 5900 RouterWAN 5900 netmask 255.255.255.255

static (inside,outside) tcp interface ftp RouterWAN ftp netmask 255.255.255.255

static (inside,outside) tcp interface 1021 RouterWAN 1021 netmask 255.255.255.255

static (inside,inside) tcp interface 1022 RouterWAN 1022 netmask 255.255.255.255

access-group outside_access_in in interface outside

!            

router rip   

network Internal

default-information originate

version 2   

no auto-summary

!            

route inside 192.168.1.0 255.255.255.0 RouterWAN 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http Internal 255.255.255.0 inside

http VPN 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet Internal 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!            

dhcpd address RouterWAN-RouterWAN inside

dhcpd auto_config outside interface inside

dhcpd enable inside

!            

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn       

enable outside

svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1

svc enable  

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

dns-server value 167.206.245.129

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-network-list value split-tunnel

group-policy AnyConnect internal

group-policy AnyConnect attributes

banner value You are about to connect via VPN to this network. Unauthorized Access is prohibited and tracked.

dns-server value 167.206.245.129

vpn-tunnel-protocol svc webvpn

default-domain value poog

webvpn      

  url-list value VPN_Book_Marks

  svc keep-installer installed

  svc ask none default svc

username ogonzalez password 0VrbklOhGRHipw79 encrypted privilege 0

username jgonzalez password ymcpO334smdskkpl encrypted privilege 0

username jgonzalez attributes

vpn-group-policy AnyConnect

tunnel-group AnyConnect type remote-access

tunnel-group AnyConnect general-attributes

address-pool VPNPOOL

default-group-policy AnyConnect

tunnel-group AnyConnect webvpn-attributes

group-alias AnyConnect enable

group-url https://69.121.142.156/AnyConnect enable

!            

class-map inspection_default

match default-inspection-traffic

!            

!            

policy-map type inspect dns preset_dns_map

parameters  

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!            

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home    

profile CiscoTAC-1

  no active  

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:e3461977aaca2a70f1af0f7200653080

: end
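An added consistency check, written for this thread and not taken from the poster's config or from Cisco: it scans an ASA 8.2 config excerpt (constructed from the lines posted above) for the mismatch the reply points at, namely a `nat 0` exemption ACE written as `host 192.168.1.0 ... interface outside` instead of a subnet-to-VPN-pool entry, and confirms every split-tunnel subnet has a matching exemption. The "host on a .0 address" heuristic is an assumption of this example.

```python
import ipaddress

# Constructed excerpt of the thread's ASA 8.2 config: BAD_ACE is the nat0 entry
# the reply flagged; GOOD_ACE is the per-subnet exemption the fixed config uses.
BAD_ACE = "access-list inside_nat0_outbound extended permit ip host 192.168.1.0 interface outside"
GOOD_ACE = "access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 VPN 255.255.255.0"
CONFIG = f"""
name 192.168.100.2 RouterWAN
name 192.168.100.0 Internal
name 192.168.200.0 VPN
access-list inside_nat0_outbound extended permit ip Internal 255.255.255.0 VPN 255.255.255.0
{BAD_ACE}
access-list split-tunnel standard permit Internal 255.255.255.0
access-list split-tunnel standard permit 192.168.1.0 255.255.255.0
ip local pool VPNPOOL 192.168.200.10-192.168.200.20 mask 255.255.255.0
"""

def parse_addr(tok, i, names):
    """Parse one ASA address operand at tok[i]; returns (network or None, next index)."""
    w = tok[i]
    if w == "host":
        return ipaddress.ip_network(names.get(tok[i + 1], tok[i + 1]) + "/32"), i + 2
    if w == "interface":  # 'interface outside' names an interface, not a subnet
        return None, i + 2
    return ipaddress.ip_network(f"{names.get(w, w)}/{tok[i + 1]}", strict=False), i + 2

def audit(config):
    """Findings: each split-tunnel subnet needs a nat0 exemption towards the VPN pool."""
    names, split, nat0, pool = {}, [], [], None
    for line in config.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":  # resolve 'name' aliases such as Internal and VPN
            names[tok[2]] = tok[1]
        elif tok[:4] == ["access-list", "split-tunnel", "standard", "permit"]:
            split.append(parse_addr(tok, 4, names)[0])
        elif tok[:5] == ["access-list", "inside_nat0_outbound", "extended", "permit", "ip"]:
            src, j = parse_addr(tok, 5, names)
            nat0.append((src, parse_addr(tok, j, names)[0], line))
        elif tok[:3] == ["ip", "local", "pool"]:  # pool range start + mask -> pool subnet
            pool = ipaddress.ip_network(f"{tok[4].split('-')[0]}/{tok[6]}", strict=False)
    findings = []
    for src, dst, line in nat0:  # 'host' on a .0 address, or an interface as peer, is a typo
        if src is None or dst is None or (src.prefixlen == 32 and str(src).endswith(".0/32")):
            findings.append(f"suspicious nat0 ACE: {line}")
    for net in split:
        if not any(src == net and dst is not None and pool.subnet_of(dst) for src, dst, _ in nat0):
            findings.append(f"{net} is split-tunneled but has no nat0 exemption to {pool}")
    return findings
```

Running `audit(CONFIG)` reports the flagged ACE and the missing exemption for 192.168.1.0/24; swapping BAD_ACE for GOOD_ACE yields no findings, matching the corrected config in the reply.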

New Member

Re: VPN - Can't Access Internal subnets behind 2nd router. HELP.

Ok here's the latest, thanks to your help the VPN connection is now accessing all internal resources!!!!!

The only thing that does not work (not that big a deal, just curious why it won't work) is...

192.168.1.0 --> 192.168.100.0 I get ping replies

192.168.100.0 ---> 192.168.1.0 I DO NOT get ping replies.

I did a ping test from 192.168.100.10 to 192.168.1.13 and got no replies. A trace route shows that the ASA is routing traffic correctly because the next hop was 192.168.100.2 which is my inside router.

Thinking access list or NAT somewhere. Thoughts???

Since I am not really going to put any hosts on the 192.168.100.x subnet it does not really matter but I am really curious why this won't work.
