04-12-2011 12:01 AM - edited 03-11-2019 01:19 PM
Hi
I'm having trouble setting up local LAN (reach inside network when VPN connected) and Internet access (reach internet when VPN connected) for my VPN CLients when they are connected to my VPN, They can connect, no problem there, but I can't reach any resources when connected.
My pings time out, both to my inside network and to public ip adresses, the only thing I'm able to ping is my ASA (172.16.30.1), and I don't se any routes under "Status/Statistics/Route Details" in my cisco VPN Client (when connected).
I've tried to search the internet for answers, since I know I'm not the only one having trouble with this, but can't get it to work, first of all, I'm kind of new on Firewalling in cisco, so sorry if I missed something obvious..
Here's my config, thanks for any input!!!!
ASA Version 8.0(3)
!
hostname KardesASA
domain-name default.domain.invalid
enable password XXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.30.1 255.255.255.0
!
interface Vlan10
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.128
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXX encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list MSS_EXCEEDED_ACL extended permit tcp any any
!
tcp-map MSS-MAP
exceed-mss allow
!
pager lines 24
logging enable
logging console notifications
logging asdm notifications
mtu inside 1500
mtu outside 1500
ip local pool VPN 172.16.30.33-172.16.30.38 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.30.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 172.16.30.0 255.255.255.0 inside
telnet timeout 5
ssh 172.16.30.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 172.16.30.10-172.16.30.32 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd lease 432000 interface inside
dhcpd domain kardellskillby interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
group-policy VPNHOME internal
group-policy VPNHOME attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol IPSec
default-domain value kardellskillbyvpn
msie-proxy method no-proxy
username admin password XXX encrypted privilege 15
username Karde password XXX encrypted privilege 0
username Karde attributes
vpn-group-policy VPNHOME
tunnel-group VPNHOME type remote-access
tunnel-group VPNHOME general-attributes
address-pool VPN
default-group-policy VPNHOME
tunnel-group VPNHOME ipsec-attributes
pre-shared-key *
!
class-map MSS_EXCEEDED_MAP
match access-list MSS_EXCEEDED_ACL
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect tftp
inspect icmp
inspect icmp error
inspect pptp
inspect ipsec-pass-thru
class MSS_EXCEEDED_MAP
set connection advanced-options MSS-MAP
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:7a8b77ba352fcb2ac6b83c65be2ec17c
: end
Solved! Go to Solution.
04-12-2011 03:26 AM
04-12-2011 12:58 AM
Hi Johan,
You are missing a NAT exempt command. All VPN traffic has to be exempted from being NATed. You need to add:
access-list nonat permit ip 172.16.30.0 255.255.255.0
nat(inside) 0 access-list nonat
Also, do a "sh run sysopt" and verify if "sysopt connection permit-vpn" is present. This command allows packets from a VPN tunnel to skip interface ACL checks.
Regards,
Anu.
P.S.: Please mark the question answered, if it has been resolved. Do rate helpful posts. Thanks.
04-12-2011 02:44 AM
Thanks!!!! I'll try this as sone as I get home!
04-12-2011 03:26 AM
Sure. Let me know how it goes.
Thanks,
Anu.
04-12-2011 11:30 AM
Thank you so much!!! I can now reach my inside network from my VPN clients, I did get the internet part to work as well, I set upp split tunnelning and got it running.
Again thank you!
04-12-2011 11:51 AM
Hi Johan,
I'm glad to hear that!!
So what global IP addresses are you attempting to ping?
Regards,
Anu.
P.S.: Please mark the question answered, if it has been resolved. Do rate helpful posts. Thanks.
04-12-2011 11:54 AM
Sorry, you might have read the post before I edited it, I got it running with split tunneling, and was able to ping 4.2.2.2 for example, as well as dns querys!
Once more, THANKS!
04-12-2011 12:13 PM
I was a bit to quick in my assumption with the Split tunnel part :/
Once I enabled split tunnel I can't reach the inside network through my VPN clients no more , do you have any ideas what the problem might be?
Is it beacuse the split is trying to NAT and the nonat rule makes it into a conflict?
04-13-2011 12:48 AM
Hi Johan,
You can enable split tunneling in 3 ways:
1. if you want all traffic to travel over the VPN tunnel.(uses keyword "tunnel-all")
2. If you want traffic only from some networks to travel over the tunnel(uses keyword "tunnelspecified")
3. If you want traffic from some networks to not travel over the tunnel.(uses keyword"exclude-specified")
In the configuration below, it tunnels only what is given in the ACL. Rest of the traffic does not go through the VPN tunnel.
Try the following:
access-list spl_tun standard permit 172.16.30 0 255.255.255.0
group-policy VPNHOME attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value spl_tun
Let me know if this works.
Regards,
Anu.
04-13-2011 10:29 AM
Still don't work, I can now surf but not reach my inside network :/ sending you my present conf.
my inside addresses are:
172.16.30.1 255.255.255.0 (dhcp to 32)
my vpn adresses are:
172.16.30.32 255.255.255.248
KardesASA# show running-config
: Saved
:
ASA Version 8.0(3)
!
hostname KardesASA
domain-name default.domain.invalid
enable password XXXXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.30.1 255.255.255.0
!
interface Vlan10
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.128
!
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXXXX encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list nonat extended permit ip 172.16.30.0 255.255.255.0 172.16.30.32 255.255.255.248
access-list MSS_EXCEEDED_ACL extended permit tcp any any
access-list VPN-SPLIT-TUNNEL remark VPN SPLIT TUNNEL
access-list VPN-SPLIT-TUNNEL standard permit 172.16.30.32 255.255.255.248
!
tcp-map MSS-MAP
exceed-mss allow
!
pager lines 24
logging enable
logging console notifications
logging asdm notifications
mtu inside 1500
mtu outside 1500
ip local pool VPN 172.16.30.33-172.16.30.38 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.16.30.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 172.16.30.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 172.16.30.0 255.255.255.0 inside
telnet timeout 5
ssh 172.16.30.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 172.16.30.10-172.16.30.32 inside
dhcpd dns 1.1.1.2 1.1.1.3 interface inside
dhcpd lease 432000 interface inside
dhcpd domain kardellskillby interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
group-policy VPNHOME internal
group-policy VPNHOME attributes
dns-server value 1.1.1.2 1.1.1.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-SPLIT-TUNNEL
default-domain value kardellskillbyvpn
split-dns value 1.1.1.2 1.1.1.3
msie-proxy method no-proxy
username admin password XXXXXX encrypted privilege 15
username Karde password XXXXXX encrypted privilege 0
username Karde attributes
vpn-group-policy VPNHOME
username Malin password XXXXXXXX encrypted privilege 0
username Malin attributes
vpn-group-policy VPNHOME
tunnel-group VPNHOME type remote-access
tunnel-group VPNHOME general-attributes
address-pool VPN
default-group-policy VPNHOME
tunnel-group VPNHOME ipsec-attributes
pre-shared-key *
!
class-map MSS_EXCEEDED_MAP
match access-list MSS_EXCEEDED_ACL
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect tftp
inspect icmp error
inspect pptp
inspect ipsec-pass-thru
inspect icmp
class MSS_EXCEEDED_MAP
set connection advanced-options MSS-MAP
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:c668d6903f535591682c72937624ed45
: end
04-14-2011 10:39 AM
Hi Johan,
I'm sorry for getting back to you so late. We are trying to tunnel traffic going to the internal network, which is 172.16.30.0. In your config, "access-list VPN-SPLIT-TUNNEL standard permit 172.16.30.32 255.255.255.248 " is incorrect. What we have to do, is tunnel traffic destined to the resources inside your network, say to some server. So, the Split tunnel ACL should be:
access-list VPN-SPLIT-TUNNEL standard permit 172.16.30.0 255.255.255.0
Let me know if this works.
Thanks,
Anu.
04-14-2011 11:05 AM
THANKS!!!!!
IT DID THE TRICK
So, I'm specifing that all my traffic, even the internet, should go through the tunnel?
One thing this dig though was disabling my traceroutes from the inside clients, :/, shouldn't this be covered by the policy-map?
policy-map global_policy
class inspection_default
inspect ftp
inspect tftp
inspect icmp error
inspect pptp
inspect ipsec-pass-thru
inspect icmp
do you have any quick guidence on why, if not I'll search the net, you have helped me more than enough!!!!
Can't thank you enough!!!!!!
04-14-2011 11:38 AM
Hi Johan,
I'm glad i could help!
With that ACL you are specifying traffic destined to the 172.16.30.0 network to be tunnelled. 172.16.30.32 is the source which requests for resources from inside the network. All the other traffic(say, to the Internet) will not be tunnelled.
If you want traceroutes to be allowed through the ASA, you need to specify an ACL and apply it to the outside interface. Here is a document to help you with this:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#trace
Regards,
Anu.
04-14-2011 11:41 AM
Thanks once more !
04-14-2011 11:58 AM
No problem. Have a great day!
Regards,
Anu.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide