topic So I restored the original in Network Security

remote access VPN users cannot access inside network on ASA 5505

cliveschneider — Tue, 12 Mar 2019 06:28:55 GMT

I have configured a Cisco ASA 5505 with remote access VPN as follows:

ASA outside: 192.168.0.254/24
ASA inside 169.254.1.254/24
VPN address pool: 192.168.3.0/24
inside network: 169.254.1.0/24

The VPN pool of hosts should have full access to the inside network. Config file is attached.

As far as I can tell, the NAT rules and access rules are correct (Im obviously missing something) but VPN remote access hosts cannot contact the inside network. I have trued varouos combinations of NAT and access rules and cannot get the VPN network talking to the inside network.

Remove these lines and try it

rizwanr74 — Mon, 24 Aug 2015 14:58:30 GMT

Remove these lines and try it.

global (inside) 2 interface
nat (outside) 2 vpn-network 255.255.255.0 outside

access-group inside_access_in in interface inside
access-group inside_access_out out interface inside

Hi rizwanr74, That didnt work

cliveschneider — Tue, 25 Aug 2015 20:02:56 GMT

Hi rizwanr74,

That didnt work, on a Windows machine connected over VPN, I get

Ping:transmit failed. General failure.

when I try ping an inside device, like there is no route on the ASA?

Can you remove the below line

rizwanr74 — Tue, 25 Aug 2015 20:40:23 GMT

Can you remove the below line and try it?

access-group outside_access_out out interface outside

Hi rizwanr74,That didn't work

cliveschneider — Sat, 29 Aug 2015 01:53:41 GMT

Hi rizwanr74,

That didn't work either. I ran the packet tracer and an implicit access rule is denying access, even though there is a configured rule that should override it.

See screenshot attached.

The clients inside network was for some reason configured as 169.254.1.0/24, which is is which is in the reserved link-local address range that Microsoft dishes out to hosts when they cant find a DHCP server.

Is there any chance the ASA wont route traffic to that address range for that reason?

I've set up a couple of ASA 5505s now with similar configs and havent had seen issue before.

I just changed the inside

cliveschneider — Sat, 29 Aug 2015 02:11:52 GMT

I just changed the inside interface and network as a test (I didn't actually change the inside network devices) and I'm still being blocked by the same access rule, so it may be unrelated to being within the reserved link-local address range.

Interestingly, however, attempting to ping the inside network on a Windows machine from the VPN network, the result has changed from:

PING: transmit failed. General failure.

to:

Request timed out.

So I restored the original

cliveschneider — Tue, 29 Sep 2015 02:43:04 GMT

Correct Answer:

So I restored the original configuration and changed the inside network address range and found that, while the packet tracer still failed, physically, the network began working correctly instantly.

It appears that the clients inside address range falling within the reserved link-local range was causing the ASA to drop packets.

The inside network has now been modified, problem solved.