Solved: Cannot connect to inside LAN of ASA 5505 via VPN Cisco client

trinhphanle · ‎10-23-2013

Hi all

I try to configure remote access VPN by using tunnel and I used ASA 5505, Cisco Anyconnect client.

I can connect to VPN but I cannot remote connect to one PC inside LAN of ASA 5505 and cannot ping as well.

From ASA 5505, I cannot ping the address that assigned to the PC in the Internet which connected to VPN

Thanks for any advice

Here is the configuration:

VPN(config)# show run

: Saved

:

ASA Version 8.2(5)

!

hostname VPN

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 6D6QN6WC8bYkI6/v encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.x.x 255.255.x.x

!

interface Vlan2

nameif outside

security-level 0

ip address 50.240.x.x 255.255.x.x

!

ftp mode passive

access-list NONAT extended permit ip x.x.x.x 255.255.255.0 192.168.2.0 255.255.255.128

access-list ACL-SPLIT-TUNNEL extended permit ip 192.168.2.0 255.255.255.128 192.168.2.128 255.255.255.128

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPN_POOL 192.168.2.0-192.168.2.128 mask 255.255.255.128

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 50.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dyn1 1 set transform-set TRANSFORM_SET

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes

hash sha

group 2

lifetime 43200

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd dns x.x.x.x

!

dhcpd address 192.168.1.5-192.168.1.132 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GROUP_POLICY internal

group-policy GROUP_POLICY attributes

vpn-idle-timeout 120

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ACL-SPLIT-TUNNEL

username testuser password oFJjANE3QKoA206w encrypted

tunnel-group TESTGROUP type remote-access

tunnel-group TESTGROUP general-attributes

address-pool VPN_POOL

default-group-policy GROUP_POLICY

tunnel-group TESTGROUP ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e

: end

Mariusz Bochen · ‎10-23-2013

Hi,

Your ACL-SPLIT-TUNNEL ACL should be the same as NONAT.

Regards

Mariusz

View solution in original post

Mariusz Bochen · ‎10-23-2013

Hi,

Your ACL-SPLIT-TUNNEL ACL should be the same as NONAT.

Regards

Mariusz

trinhphanle · ‎10-23-2013

Thanks for your help a lot

I think that you are right. However, could you please explain in detail how access-list NONAT work? for example, base on my configuration, which network I should put in

Because I am a new one with this firewall

Thanks for your help a lot

Jouni Forss · ‎10-23-2013

Hi,

Can you try the following changes

group-policy GROUP_POLICY attributes

no split-tunnel-network-list value ACL-SPLIT-TUNNEL

no access-list ACL-SPLIT-TUNNEL extended permit ip 192.168.2.0 255.255.255.128 192.168.2.128 255.255.255.128

access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

group-policy GROUP_POLICY attributes

split-tunnel-network-list value SPLIT-TUNNEL

You could also add

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

Even though the above might not affect your current situation regarding ICMP

- Jouni

Message was edited by: Jouni Forss (Corrected the ACL)

Jouni Forss · ‎10-23-2013

Hi,

With regards to the above configuration I posted I wanted to change the Split Tunnel ACL from Extended to Standard as its much simpler to just use Standard ACL. In this setup the Standard ACL basically tells the ASA what networks are found behind the VPN and therefore behind the ASA.

The NAT0 configuration simply tells the ASA that NO NAT should be applied to traffic between your LAN network 192.168.1.0/24 and VPN Pool 192.168.2.0/25

- Jouni

trinhphanle · ‎10-23-2013

Thanks a lot

Could you please tell me how the access-list NONAT work base on my configuration?

Thanks for your help

Jouni Forss · ‎10-23-2013

Hi,

It works as it should and as I described above.

NAT0 configurations are the first one matched against when traffic comes to the ASA

You have configured your NAT0 ACL in the following way

access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.128

Its then attached to the "inside" interface with the "nat" command

nat (inside) 0 access-list NONAT

So when you look at the ACL you will notice that it says source address as 192.168.1.0/24 and destination address as 192.168.2.0/25. That together with the "nat" command above tells the ASA that no NAT configurations should be applied to this traffic in either direction. Instead traffic will flow between these 2 networks without any translation.

Hope this helps

Please let us know if you get the connections working after the changes

Remember to mark a reply as the correct answer if it has answered your question.

Feel free to ask more if needed.

- Jouni

trinhphanle · ‎10-23-2013

Thanks

I am confusing with this one:

access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 x.x.x.x x.x.x.x

The x.x.x.x x.x.x.x should be the ip local pool VPN or what kind of network?

Thanks a lot

Jouni Forss · ‎10-23-2013

Hi,

Yes, the destination network should be the VPN Pool network. And that is how its configured currently on your firewall.

The ACL basically tells you the networks between which NO NAT should be applied but rather the traffic should flow with their original IP addresses

- Jouni

Mariusz Bochen · ‎10-23-2013

Forgot to mention one thing (a friendly advice).

In future try to avoid posting stuff like real external IPs and passwords (even if they encrypted). Just type 1.1.1.1 instead.

...and thanks for rating my post

Regards

Mariusz

trinhphanle · ‎10-23-2013

Hi all

Thanks for your help

Solution:

ACL-SPLIT-TUNNEL ACL should be the same as NONAT

It works

Thanks