VPN clients cannot access inside LAN

nathan demers · ‎07-07-2012

I have a vpn setup. I can vpn in from either the outside (internet) or from inside my network. Once I do that I can no longer ping or remote into the server I have setup on the 192.168.1.0/24 subnet. I can ping from the 192.168.1.0 subnet to any other subnet but I cannot ping from the vpn subnet to any other subnet. I know that I have some permits on Outside-IN and Inside-IN, this is only to make it easier to troubleshoot. Thank you in advance.

The VPN subnet is 192.168.2.0

The Server subnet is 192.168.1.0

the Internal client subnet is 10.0.0.0 /24

Here is the config and the packet-tracer output

RUNNING-CONFIG

=====================

ASA Version 8.2(5)

!

hostname ciscoasa

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network Axon

network-object host 192.168.1.6

object-group network VPN-Clients

network-object 192.168.2.0 255.255.255.0

object-group service HTTP-HTTPS tcp

port-object eq www

port-object eq https

object-group service RDP tcp

port-object eq 3389

access-list Outside-IN extended permit ip any any

access-list Inside-IN extended permit ip any any

access-list Axon-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPNPool 192.168.2.2-192.168.2.10 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

access-group Inside-IN in interface inside

access-group Outside-IN in interface outside

route outside 192.168.2.0 255.255.255.0 192.168.1.0 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no sysopt connection permit-vpn

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.5-192.168.1.36 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

svc enable

group-policy VPNPolicy internal

group-policy VPNPolicy attributes

vpn-tunnel-protocol svc webvpn

address-pools value VPNPool

webvpn

url-list none

svc ask enable

username test2 password sLyNkwX4lP/BSsCW encrypted privilege 0

username test2 attributes

vpn-group-policy VPNPolicy

username fwaarmac password 5rABwjFzDBYcp0nJ encrypted privilege 15

username fwaarmac attributes

vpn-group-policy VPNPolicy

username test1 password sLyNkwX4lP/BSsCW encrypted privilege 0

username test1 attributes

vpn-group-policy VPNPolicy

username dan password vFpifCksRBgKm.0Q encrypted privilege 15

username dan attributes

vpn-group-policy VPNPolicy

tunnel-group DefaultWEBVPNGroup general-attributes

default-group-policy VPNPolicy

tunnel-group VPN type remote-access

tunnel-group VPN general-attributes

address-pool VPNPool

default-group-policy VPNPolicy

tunnel-group VPN webvpn-attributes

group-alias vpn enable

group-url https://10.0.0.10/vpn enable

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:b8d7144e7d51265fa9a5f38e29f40269

: end

NAT / PACKET-TRACER

========================

packet-tracer input outside tcp 192.168.2.1 3389 192.168.1.6 3389 detailed

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.1.0 255.255.255.0 inside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group Outside-IN in interface outside

access-list Outside-IN extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

in id=0xc95ea0e0, priority=12, domain=permit, deny=false

hits=5247, user_data=0xc793c350, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xc95e6d48, priority=0, domain=inspect-ip-options, deny=true

hits=10050, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4

Type: HOST-LIMIT

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0xc959fab8, priority=0, domain=host-limit, deny=false

hits=5248, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

match ip inside any outside any

dynamic translation to pool 1 (10.0.0.10 [Interface PAT])

translate_hits = 88, untranslate_hits = 7

Additional Information:

Forward Flow based lookup yields rule:

out id=0xc962a5f8, priority=1, domain=nat-reverse, deny=false

hits=415, user_data=0xc962a388, cs_id=0x0, flags=0x0, protocol=0

src ip=0.0.0.0, mask=0.0.0.0, port=0

dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Jennifer Halim · ‎07-08-2012

You would need to configure NAT exemption for the VPN client to access internal host:

access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list nonat

route inside 10.0.0.0 255.255.255.0 192.168.1.x

access-list splitacl permit 192.168.1.0 255.255.255.0

access-list splitacl permit 10.0.0.0 255.255.255.0

group-policy VPNPolicy attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splitacl

nathan demers · ‎07-10-2012

Could that also work for an IPsec connection? Apply that policy to the IPsec profile?

Jennifer Halim · ‎07-11-2012

Yes, that will also work for IPSec VPN Client.