05-13-2013 03:07 PM
Hi everyone,
Once more I am stuck in another dilemma. I have configured a Cisco ASA 5505 to allow VPN access from outside to my LAN using the Cisco VPN Client software. The connection is established properly with an IP address from my VPNPool.
From outside (on the VPN connection) I can ping the interface e0/0 (outside) and the interface e0/1 (inside) of the firewall, but I cannot ping the layer 3 switch interface to which the ASA is connected (int gi1/0/22, ip address 192.168.1.2/30) and I cannot ping any VLAN interfaces inside my switch. Therefore, I cannot connect to any server on my internal LAN.
I hope my explanation makes sense; I am available at any time if further information is needed. Please find attached my ASA config.
Best regards,
BEN
05-14-2013 03:14 PM
OK, your routing looks good. I missed originally that your ASA was doing default-originate.
I think the issue is in your NONAT access-list:
access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0
The mask there is a /24 yet the addresses you are trying to ping are in networks other than 192.168.0.0/24 - you need to make the mask /16 (192.168.0.0 255.255.0.0).
It works when pinging the ASA inside interface since that reply is from the ASA itself and thus never has to go through the nat (inside) processing.
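The accepted answer turns on one subnet mask: the NONAT entry exempts only 192.168.0.0/24 from NAT, so replies from hosts in the rest of 192.168.0.0/17 (the switch interface in 192.168.1.0/30, the DNS server 192.168.30.3) are not exempt and never get back to the VPN client intact. The following is an added example, not part of the thread or of any Cisco code: it parses the posted ACE in ASA syntax and checks, for a few inside hosts replying to the VPN client, whether the flow matches the exemption before and after the mask change. The host 192.168.0.10 is an assumed address that happens to fall in the /24; the other two addresses come from the thread. Note that the OP's LAN is 192.168.0.0/17, so 255.255.128.0 would match it exactly; the /16 given in the answer also covers it.

```python
import ipaddress

# Constructed from the thread: the NONAT entry as posted, and the corrected mask.
NONAT_ORIGINAL = "access-list NONAT extended permit ip 192.168.0.0 255.255.255.0 10.0.1.0 255.255.255.0"
NONAT_FIXED = "access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 10.0.1.0 255.255.255.0"


def parse_ace(line):
    """Parse an ASA 'permit ip <src> <mask> <dst> <mask>' entry into two networks.

    Handles the subnet-mask form used in the thread plus the 'host' and 'any'
    keywords; object-groups and port qualifiers are out of scope here.
    """
    tokens = line.split()
    i = tokens.index("permit") + 2  # skip 'permit' and the protocol keyword ('ip')
    nets = []
    for _ in range(2):  # source network, then destination network
        if tokens[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        elif tokens[i] == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1] + "/32"))
            i += 2
        else:
            # ipaddress accepts 'addr/dotted-mask'; strict=False tolerates host bits
            nets.append(ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False))
            i += 2
    return nets[0], nets[1]


def is_nat_exempt(ace_lines, src, dst):
    """True if the flow src -> dst matches any ACE, i.e. is exempt from NAT."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in (parse_ace(l) for l in ace_lines))


# Constructed sample flows: replies from inside hosts back to the VPN client.
# 192.168.1.2 is the L3 switch interface and 192.168.30.3 the DNS server named
# in the thread; 192.168.0.10 is an assumed host inside the original /24.
VPN_CLIENT = "10.0.1.100"
INSIDE_HOSTS = ["192.168.0.10", "192.168.1.2", "192.168.30.3"]


def exemption_report(ace_line):
    """Map each inside host to whether its reply to the VPN client is NAT-exempt."""
    return {h: is_nat_exempt([ace_line], h, VPN_CLIENT) for h in INSIDE_HOSTS}


if __name__ == "__main__":
    for label, ace in (("original /24", NONAT_ORIGINAL), ("fixed /16", NONAT_FIXED)):
        print(label, exemption_report(ace))
```

With the original entry only the assumed 192.168.0.10 host is exempt; with the /16 mask all three inside hosts are, which is why the switch and the servers become reachable once the mask is widened.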
05-13-2013 06:38 PM
Does your internal network have a route to your VPN Pool (192.168.4.0)?
05-14-2013 02:20 AM
Hi Marvin,
I believe that is what I am probably missing. If you could help me further, what is the syntax to create a route to the VPN pool on the internal network? My internal LAN has an IP address of 192.168.0.0/17.
Best regards,
BEN
05-14-2013 04:50 AM
You have OSPF running on your ASA. I assume it's also running on your internal network router. Verify they see each other and that you are getting routes from the ASA ("show ip ospf neighbor" and "show ip route ospf" from the internal router).
You have only declared networks on the ASA's routing process as follows:
router ospf 1
router-id 1.1.1.1
network 172.16.1.0 255.255.255.0 area 1
network 192.168.1.0 255.255.255.252 area 1
network 217.x.x.0 255.255.255.248 area 1
Add "network 192.168.4.0 255.255.255.0" and the ASA should now also advertise the VPN pool.
05-14-2013 08:44 AM
Many thanks Marvin,
I have configured the router ospf the way you instructed me, I have changed the VPN pool to a completely different class, 10.0.1.0/24, and I have also configured: access-list OUTSIDE_IN_ACL permit icmp any any echo-reply and access-group OUTSIDE_IN_ACL in interface outside. But from my VPN connection I can only ping both interfaces of the ASA and nothing else.
Please find attached my ASA and the layer 3 switch configs. And also ASA and L3 Switch ip route output.
Note this: when connected to my VPN, cmd> ipconfig /all shows the following:
IP address 10.0.1.100
Subnet Mask 255.0.0.0
Def Gateway 10.0.0.1
DNS server 192.168.30.3
Best regards,
BEN.
Message was edited by: Bienvenu Ngala
05-14-2013 08:47 AM
Sorry but your attachments don't appear.
05-15-2013 05:00 AM
Hi Marvin,
Thank you very much for your support, it works like a charm.
I love Cisco support, I love you all