Welcome to Cisco Firewalls Community


VPN: I can connect, but cannot access LAN

Hi there,

I have an ASA and have VPN configured. 

I can connect to the VPN and I get an IP from the VPN pool.

I know it's being blocked by an ACL somewhere but I'm having problems finding out where.

Anyone able to help? I've posted the code below:

hostname 5505
domain-name #.ie
enable password N5KimYERshmEw8m2 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.250 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address pppoe setroute
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd N5KimYERshmEw8m2 encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name pna.ie
same-security-traffic permit intra-interface
object-group network inside-net
network-object 192.168.10.0 255.255.255.0
object-group network vpnpool-net
network-object 192.168.11.0 255.255.255.0
object-group network trend
network-object 216.104.20.0 255.255.255.0
access-list outside-acl extended permit icmp any any echo-reply
access-list outside-acl extended permit icmp any any source-quench
access-list outside-acl extended permit icmp any any unreachable
access-list outside-acl extended permit icmp any any time-exceeded
access-list outside-acl extended permit tcp any any eq smtp
access-list outside-acl extended permit tcp any any eq https
access-list outside-acl extended permit tcp any any eq pptp
access-list inside-acl extended permit tcp object-group inside-net eq smtp any eq smtp
access-list inside-acl extended permit tcp object-group inside-net eq www any eq www
access-list inside-acl extended permit udp object-group inside-net any eq domain
access-list inside-acl extended permit ip object-group inside-net any
access-list inside-acl extended permit icmp any any
access-list inside-nat extended permit ip object-group inside-net any
access-list inside-nonat extended permit ip object-group inside-net object-group vpnpool-net
access-list splittunnel extended permit ip object-group inside-net object-group vpnpool-net
access-list inside_nat0_outbound extended permit ip object-group inside-net object-group vpnpool-net
access-list vpnclient_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip object-group inside-net object-group vpnpool-net
pager lines 20
logging enable
logging asdm errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnclientpool 192.168.11.1-192.168.11.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any dmz
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 212.17.43.82 netmask 255.255.255.255
nat (inside) 0 access-list inside_nat0_outbound_1 outside
nat (inside) 1 192.168.10.0 255.255.255.0
nat (outside) 1 192.168.11.0 255.255.255.0
static (inside,outside) tcp interface 3389 192.168.10.12 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.10.11 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.10.11 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.10.11 pptp netmask 255.255.255.255
access-group inside-acl in interface inside
access-group outside-acl in interface outside
route outside 0.0.0.0 0.0.0.0 217.67.133.190 1
route outside 0.0.0.0 0.0.0.0 85.91.2.237 1
route outside 0.0.0.0 0.0.0.0 85.91.2.115 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 89.101.34.116 255.255.255.255 outside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpnclient 1 set transform-set ESP-3DES-SHA
crypto dynamic-map vpnclient 21 set pfs
crypto dynamic-map vpnclient 21 set transform-set ESP-3DES-SHA
crypto dynamic-map vpnclient 41 set pfs
crypto dynamic-map vpnclient 41 set transform-set ESP-3DES-SHA
crypto map xvpn 99 ipsec-isakmp dynamic vpnclient
crypto map xvpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group magnet request dialout pppoe
vpdn group magnet localname *******
vpdn group magnet ppp authentication chap
vpdn username ********* password *********
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
group-policy vpnclient internal
group-policy vpnclient attributes
wins-server value 192.168.10.10
dns-server value 192.168.10.10 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient_splitTunnelAcl
default-domain value pna.local
username vpnclient password twe345rtw435e345trw encrypted privilege 15
username vpnclient attributes
vpn-group-policy vpnclient
username userone password qweqweqweqwe encrypted privilege 7
username usertwo password rrqewqewqewq encrypted privilege 7
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
address-pool vpnclientpool
default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:ccdddcc71d6f2d71741a4437102acb74e
: end

Thanks in advance

Contributor

I think you should remove the outside keyword from your nat0 statement:

nat (inside) 0 access-list inside_nat0_outbound_1 outside

Beginner

Hi Andrew,

Thanks for the reply!

I ran: no nat (inside) 0 access-list inside_nat0_outbound_1 outside

and then: nat (inside) 0 access-list inside_nat0_outbound_1

Unfortunately that didn't work!

Anything else look wrong?

Beginner

I had a look at the syslog messages and I can see the following:

TCP access denied by ACL from (my-public-ip) to outside:212.17.43.81
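The deny message quoted above involves neither the VPN pool (192.168.11.0/24) nor the inside subnet (192.168.10.0/24), so on its own it does not explain why VPN clients cannot reach the LAN. The following Python is an added example, not part of the thread or any Cisco/ASDM tool: it parses deny messages in the same shape as the one quoted and keeps only those that touch the pool or the LAN, which is the subset worth reading when chasing this problem. The log lines are constructed for the example; the first mirrors the quoted message with a documentation address in place of the poster's public IP.

```python
"""Triage ASA "access denied by ACL" messages against the VPN pool and LAN.
Added example for this thread; not Cisco or ASDM code."""
import ipaddress
import re

# Message shape as shown in the thread's syslog view (no ports); the regex
# accepts only that shape.
DENY_RE = re.compile(r"^(\w+) access denied by ACL from (\S+?) to (\w+):(\S+)$")

# Networks taken from the posted configuration.
LAN = ipaddress.ip_network("192.168.10.0/24")
VPN_POOL = ipaddress.ip_network("192.168.11.0/24")

# Constructed sample lines (not from the thread).
SAMPLE_LOG = [
    "TCP access denied by ACL from 203.0.113.7 to outside:212.17.43.81",
    "TCP access denied by ACL from 192.168.11.5 to inside:192.168.10.12",
    "UDP access denied by ACL from 192.168.10.10 to outside:192.168.11.5",
    "something unrelated that is not a deny message",
]


def parse_deny(line):
    """Return (proto, src, dst_iface, dst) or None if the line is not a deny."""
    m = DENY_RE.match(line)
    if not m:
        return None
    proto, src, iface, dst = m.groups()
    try:
        return proto, ipaddress.ip_address(src), iface, ipaddress.ip_address(dst)
    except ValueError:  # placeholders such as "(my-public-ip)" are not addresses
        return None


def classify(line, lan=LAN, pool=VPN_POOL):
    """'vpn-path' if either endpoint is a VPN client or a LAN host,
    'unrelated' for any other deny, 'unparsed' for non-deny lines."""
    parsed = parse_deny(line)
    if parsed is None:
        return "unparsed"
    _proto, src, _iface, dst = parsed

    def touches(ip):
        return ip in lan or ip in pool

    return "vpn-path" if touches(src) or touches(dst) else "unrelated"


def triage(lines, lan=LAN, pool=VPN_POOL):
    """Keep only the deny messages that involve the VPN pool or the LAN."""
    return [l for l in lines if classify(l, lan, pool) == "vpn-path"]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(f"{classify(line):10s} {line}")
```

Feed it the output of the ASDM syslog view or `show logging`; everything classified as "unrelated" is ordinary Internet noise hitting the outside interface and can be ignored while this problem is being worked.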

Beginner

Anyone else available to help?

Contributor

Config seems to be fine.

Do the hosts on the inside subnet have the route towards vpn-pool subnet (or default route) through the 192.168.10.250?

Beginner

You may need to enable NAT Traversal. Type this.

crypto isakmp nat-traversal 30

More in-depth info here, as well as other common causes:

http://supertekboy.com/2014/01/28/cisco-vpn-connects-but-cannot-access-inside-resources/
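Two of the replies above amount to configuration checks: Andrew's point that the nat 0 statement should not carry a trailing interface keyword, and the last reply's point that NAT traversal must be enabled. The Python below is an added example (not Cisco code and not from this thread) that reads a pre-8.3 ASA configuration and reports both, and it goes a little further than the replies by also checking that the address pool is covered by the nat 0 ACL and that the LAN appears in the split-tunnel list. The embedded configuration is an excerpt of the one posted in the question, trimmed to the statements the checks read; the parser understands only the address forms used there (any, host, object-group, network mask).

```python
# Lint an ASA (pre-8.3 NAT syntax) config for the remote-access VPN pitfalls
# raised in this thread. Added example; not Cisco code.
import ipaddress
import re

# Excerpt of the configuration posted in the question.
SAMPLE_CONFIG = """\
object-group network inside-net
network-object 192.168.10.0 255.255.255.0
object-group network vpnpool-net
network-object 192.168.11.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip object-group inside-net object-group vpnpool-net
access-list vpnclient_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
ip local pool vpnclientpool 192.168.11.1-192.168.11.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1 outside
crypto isakmp enable outside
group-policy vpnclient attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnclient_splitTunnelAcl
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)(?: (\S+))?$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask \S+$")


def _addr(t, i, groups):
    """Consume one address spec at t[i]; return (networks, next index)."""
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "host":
        return [ipaddress.ip_network(t[i + 1] + "/32")], i + 2
    if t[i] == "object-group":
        return list(groups.get(t[i + 1], [])), i + 2
    return [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}")], i + 2


def _skip_ports(t, i):
    """Step over an optional 'eq/lt/gt/neq PORT' or 'range A B' operator."""
    if i < len(t) and t[i] in ("eq", "lt", "gt", "neq"):
        return i + 2
    if i < len(t) and t[i] == "range":
        return i + 3
    return i


def parse_config(text):
    cfg = {"groups": {}, "acls": {}, "nat0": None, "pool": None,
           "split_acl": None, "nat_t": False}
    current = None  # network object-group currently being filled
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object-group", "network"]:
            current = t[2]
            cfg["groups"][current] = []
            continue
        if t[0] == "network-object" and current is not None:
            cfg["groups"][current].append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
            continue
        current = None
        line = " ".join(t)
        if t[0] == "access-list" and t[2] == "standard":
            nets, _ = _addr(t, 4, cfg["groups"])
            cfg["acls"].setdefault(t[1], []).append((t[3], [], nets))
        elif t[0] == "access-list" and t[2] == "extended":
            src, i = _addr(t, 5, cfg["groups"])            # after ACTION PROTO
            dst, _ = _addr(t, _skip_ports(t, i), cfg["groups"])
            cfg["acls"].setdefault(t[1], []).append((t[3], src, dst))
        elif NAT0_RE.match(line):
            cfg["nat0"] = NAT0_RE.match(line).groups()     # (iface, acl, trailing)
        elif POOL_RE.match(line):
            cfg["pool"] = tuple(ipaddress.ip_address(a) for a in POOL_RE.match(line).groups())
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            cfg["split_acl"] = t[2]
        elif line.startswith("crypto isakmp nat-traversal"):
            cfg["nat_t"] = True
    return cfg


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg, findings = parse_config(text), []
    if cfg["nat0"] is None:
        return ["no 'nat (<iface>) 0 access-list' identity-NAT statement found"]
    iface, acl, trailing = cfg["nat0"]
    if trailing:
        findings.append(f"nat 0 on {iface} has trailing keyword '{trailing}'; "
                        f"expected 'nat ({iface}) 0 access-list {acl}'")
    entries = cfg["acls"].get(acl, [])
    if not entries:
        findings.append(f"nat 0 references ACL '{acl}', which has no entries")
    if cfg["pool"]:
        first, last = cfg["pool"]
        if not any(act == "permit" and any(first in n and last in n for n in dst)
                   for act, _src, dst in entries):
            findings.append(f"VPN pool {first}-{last} is not a destination in ACL '{acl}'")
    if cfg["split_acl"]:
        lan = [n for _act, src, _dst in entries for n in src]
        tunnelled = [n for _a, _s, dst in cfg["acls"].get(cfg["split_acl"], []) for n in dst]
        for net in lan:
            if not any(net.subnet_of(tn) for tn in tunnelled):
                findings.append(f"LAN {net} is missing from split-tunnel list '{cfg['split_acl']}'")
    if not cfg["nat_t"]:
        findings.append("'crypto isakmp nat-traversal' is not configured")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("finding:", f)
```

Run against the posted excerpt it reports exactly the two items the replies raise: the trailing `outside` on the nat 0 line and the absent `crypto isakmp nat-traversal`. The pool-coverage and split-tunnel checks pass for this config, which is consistent with the fourth reply's view that the rest of it looks fine and that the remaining suspect is the return route on the LAN hosts.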