VPN Connects but no remote LAN access

joanabotto
Level 1

Hi,

I'm setting up a remote access VPN on a PIX-501.

When I attempt to connect through the software VPN, I'm able to connect however I'm unable to access any of the LAN resources.

I've pasted below part of what I think is relevant of my configuration. I'm stuck on it, could anyone help me out? Thanks in advance.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
domain-name test.local
name 10.0.2.0 Inside
name 10.0.2.13 MSExchange-in
name 2.2.2.2 MSExchange-out

access-list outside_access_in permit tcp any gt 1023 host 2.2.2.2 eq smtp
access-list outside_access_in permit tcp any host 2.2.2.2 eq https
access-list outside_access_in permit tcp any host 2.2.2.2 eq www
access-list inside_outbound_nat0_acl permit ip 10.0.2.0 255.255.255.0 192.168.235.0 255.255.255.192
access-list 101 permit icmp any any

ip address outside 3.3.3.3 255.255.255.0
ip address inside 10.0.2.254 255.255.255.0
ip local pool vpn_pool 192.168.235.1-192.168.235.15
ip local pool vpn_pool_2 192.168.235.16-192.168.235.40

global (outside) 1 3.3.3.4
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 2.2.2.2 10.0.2.13 netmask 255.255.255.255 1000 1000
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 3.3.3.1 1

aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.2.3 ******** timeout 10
aaa-server LOCAL protocol local

sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-MD5
crypto map outside_map 90 ipsec-isakmp dynamic dynmap
crypto map outside_map client authentication RADIUS LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup signal address-pool vpn_pool
vpngroup signal dns-server 10.0.2.3
vpngroup signal default-domain test.local
vpngroup signal idle-time 1800
vpngroup signal max-time 14400
vpngroup signal password ********
vpngroup TF address-pool vpn_pool_2
vpngroup TF dns-server 10.0.2.3
vpngroup TF default-domain test.local
vpngroup TF idle-time 1800
vpngroup TF max-time 14400
vpngroup TF password ********

Kind Regards,

Joana


10 Replies

Jennifer Halim
Cisco Employee

Please kindly add the following and try to connect to VPN again and check if you can access LAN resources:

management-access inside

isakmp nat-traversal 20

After you are connected via VPN Client, please check if you can ping the firewall inside interface (10.0.2.254) and other hosts within 10.0.2.0/24 network.

Hope that helps.

Thanks for your reply Jennifer.
I've added those commands and I still can't ping hosts within 10.0.2.0/24.
I can ping the inside interface 10.0.2.254 however I could ping it before I added the commands.

Regards,

Joana

If that is the case, you might want to check if the internal hosts that you are trying to ping have any Windows firewall enabled that normally blocks incoming pings from a different subnet. Please disable it and see if you can ping. Please also make sure that those internal hosts' default gateway is the ASA inside interface (10.0.2.254).

Also, if the above still does not work, please share the output of:

show cry ipsec sa

Also, you might want to add: "fixup protocol icmp error" if you don't already have it.

The hosts don't have the Windows firewall enabled, I can ping them from the router and they have 10.0.2.254 as the gateway.

The output requested:

interface: outside
    Crypto map tag: outside_map, local addr. 3.3.3.3

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.235.16/255.255.255.255/0/0)
   current_peer: 86.42.155.101:57928
   dynamic allocated peer ip: 192.168.235.16

     PERMIT, flags={transport_parent,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 3761, #pkts decrypt: 3761, #pkts verify 3761
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 3.3.3.3, remote crypto endpt.: 86.42.157.10
     path mtu 1500, ipsec overhead 64, media mtu 1500
     current outbound spi: 29ddc120

     inbound esp sas:
      spi: 0xc0f091e3(3236991459)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 1, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607627/26306)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x29ddc120(702398752)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607999/26304)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

Regards,

Joana

Yup, definitely an issue with the internal hosts themselves. Packets are being decrypted on the ASA (you can see that the decrypt counter is huge), however, the ASA does not get a reply from the internal hosts (you can see that the encrypt counter is very low).

I assume that your internal hosts are connected to a switch, and ASA inside interface connects to the same switch. Can you try to configure a VLAN (SVI) interface on the switch, and assign a free/unique ip address in the same subnet (10.0.2.0/24) and see if you can ping this switch ip address from VPN.

[Update] You mention you can ping from the router, I assume that it's your internal router, what is your router ip address? Can you ping the router from the VPN?
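Jennifer's reading of the counters above, as an added example that is not part of the original thread: a small Python script that parses a show cry ipsec sa block in the format Joana pasted, flags the decaps-far-above-encaps pattern as a missing return path from the LAN, and also checks that each address pool lies inside the nat 0 exemption ACL from the PIX config (a separate thing worth ruling out). The sample output is constructed from the thread's values and the function names are my own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the "show cry ipsec sa" output Joana posted
# (same peer and counters as in the thread; not captured from a live device).
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, local addr. 3.3.3.3
   remote ident (addr/mask/prot/port): (192.168.235.16/255.255.255.255/0/0)
   dynamic allocated peer ip: 192.168.235.16
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 3761, #pkts decrypt: 3761, #pkts verify 3761
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
PEER_RE = re.compile(r"dynamic allocated peer ip: (\d+\.\d+\.\d+\.\d+)")

def parse_sa(text):
    """Pull the assigned client address and both direction counters out of one SA block."""
    counters = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    peer = PEER_RE.search(text)
    return {"peer": peer.group(1) if peer else None,
            "encaps": counters.get("encaps", 0),   # packets sent back to the client
            "decaps": counters.get("decaps", 0)}   # packets received from the client

def diagnose(sa, ratio=10):
    """Classify an SA by traffic direction. decaps far above encaps means the
    PIX decrypts the client's packets but the LAN never answers: no return
    route to the pool subnet (the symptom in this thread)."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"
    if sa["encaps"] == 0 or sa["decaps"] > ratio * sa["encaps"]:
        return "no return path"
    return "bidirectional"

def pool_is_nat_exempt(first, last, exempt_net):
    """True if the whole address-pool range lies inside the nat 0 ACL's destination
    network; replies to a pool outside it would hit the nat (inside) 1 rule instead."""
    net = ip_network(exempt_net)
    return ip_address(first) in net and ip_address(last) in net

if __name__ == "__main__":
    sa = parse_sa(SAMPLE_SA_OUTPUT)
    print(sa["peer"], diagnose(sa))   # 192.168.235.16 no return path
    for first, last in (("192.168.235.1", "192.168.235.15"),
                        ("192.168.235.16", "192.168.235.40")):
        print(first, last, pool_is_nat_exempt(first, last, "192.168.235.0/26"))
```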

Hi Jennifer,

You're right there's an HP switch between the PIX and the hosts, unfortunately I don't have access to it.

The switch has the IP address 10.0.2.1 and I can ping it from the router but not from the VPN.

The router has the IP address 10.0.2.254 and I can ping it from the VPN.

I changed the VPN pool of addresses to reside in the local LAN pool (10.0.2.0/24) and I still couldn't ping the switch from the VPN.

Is it possible that the problem is caused by the switch that is only allowing traffic from the router?

Regards,

Joana

Sounds very much like configuration issue on the switch. You would need to check if there is any specific routes on the switch apart from the default gateway. The switch needs to route the ip pool subnet towards the firewall (10.0.2.254).

Thank you Jennifer.

Regards,

Joana

Hi,

I had a chance to access the switch today and here's the running configuration:

; J4899B Configuration Editor;
Created on release #H.08.83
hostname "ProCurve Switch 2650"
ip default-gateway 10.0.2.254
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-50
   ip address 10.0.2.1 255.255.255.0
   exit

It doesn't seem to have any specific route apart from the default gateway (10.0.2.254).

Regards,

Joana

Not too sure about the command "ip default-gateway", as on a Cisco switch the "ip default-gateway" command is the default gateway for the switch only, not for traffic passing through the switch.

If you would need to route traffic for the switch (cisco switch normally), you would need to configure "ip route 0.0.0.0 0.0.0.0 10.0.2.254"

To test, please change one of the hosts inside to a default gateway of 10.0.2.254, disable the Windows firewall, and then try to ping it from the VPN.