1637 Views, 0 Helpful, 33 Replies

No one can seem to help. Can you?

jeff slansky
Level 1

I have a PIX 525 and am trying to set up remote access to it. I can connect but I can't ping any IPs on the LAN at all. In fact the only thing it does is connect and get an IP. Below is the config. I have added crypto isakmp nat-traversal 30 to it, which is not shown.

show config
: Saved
: Written by enable_15 at 06:25:46.787 UTC Fri Oct 18 2013
!
PIX Version 8.0(4)
!
hostname thcvpn01
domain-name somewhere.net
enable password * encrypted
passwd * encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.0.0.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.222.220
domain-name somewhere.net
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObject
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPPool 10.1.1.40-10.1.1.49
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 28800
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username [username] password [password] encrypted
tunnel-group THCVpnGroup type remote-access
tunnel-group THCVpnGroup general-attributes
address-pool ThcIPPool
tunnel-group THCVpnGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0be52458c95d5dd080d82401982201ee

thanks,

jeff

33 Replies

Hi,

Thank you for letting me know about the situation.

Will wait for the follow up.

- Jouni

hi,

I added the command back on: nat (outside) 101 10.1.2.0 255.255.255.0

Previous scenario:

  • inside hosts could get on the internet
  • inside hosts could see the other inside hosts
  • outside hosts could see inside hosts
  • outside hosts could not get an internet connection

The result of adding that command is:

  • all of my inside hosts lost connectivity to the internet
  • all inside hosts can ping other inside hosts
  • the outside host can't connect to the inside hosts any more
  • the outside host, however, can connect to the internet

Because of that problem I could not reply to the thread, so I removed the command again.

Then I ran the show crypto ipsec sa command with the outside host connected in full tunnel mode.

Attached is the show crypto ipsec sa output without the nat command applied:

thcvpn01(config)# show crypto ipsec sa
interface: outside
Crypto map tag: THCDynamicMap, seq num: 1, local addr: [public ip address]

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.2/255.255.255.255/0/0)
current_peer: 166.137.105.67, username: [username]
dynamic allocated peer ip: 10.1.2.2

#pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
#pkts decaps: 520, #pkts decrypt: 520, #pkts verify: 520
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: [public ip address]/4500, remote crypto endpt.: 166.137.105.67/40012
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: A058D8D9

inbound esp sas:
spi: 0x07543F1A (122961690)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: THCDynamicMap
sa timing: remaining key lifetime (sec): 28757
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xA058D8D9 (2690177241)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: THCDynamicMap
sa timing: remaining key lifetime (sec): 28748
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: THCDynamicMap, seq num: 1, local addr: [public ip address]

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.1/255.255.255.255/0/0)
current_peer: 166.137.105.67, username: [username]

dynamic allocated peer ip: 10.1.2.1

#pkts encaps: 2053, #pkts encrypt: 2053, #pkts digest: 2053
#pkts decaps: 4623, #pkts decrypt: 4623, #pkts verify: 4623
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2053, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: [public ip address]/4500, remote crypto endpt.: 166.137.105.67/54305
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 0B3CD1AA

inbound esp sas:
spi: 0xB17C3EC8 (2977709768)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 8192, crypto-map: THCDynamicMap
sa timing: remaining key lifetime (sec): 27963
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x0B3CD1AA (188535210)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 8192, crypto-map: THCDynamicMap
sa timing: remaining key lifetime (sec): 27962
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001


Hi,

To be honest, I don't see why adding that command should cause any problems for users on your LAN, since it doesn't in any way match the network on the LAN or have anything to do with its interface.

Could you provide the exact configuration you had with the above command added?

- Jouni

hi,

Here is the show config with that nat command in, while my inside hosts lose connectivity to the internet:

thcvpn01(config)# show config
: Saved
: Written by enable_15 at 07:33:33.113 UTC Fri Nov 8 2013
!
PIX Version 8.0(4)
!
hostname thcvpn01
domain-name somewhere.net
enable password * encrypted
passwd * encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 208.67.222.222
name-server 208.67.222.220
domain-name somewhere.net
same-security-traffic permit intra-interface
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit icmp any any object-group ICMPObject
access-list inside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPPool 10.1.2.1-10.1.2.50 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (outside) 101 10.1.2.0 255.255.255.0 outside
nat (inside) 0 access-list inside-nat0
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 28800
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 10.1.1.50-10.1.1.254 inside
dhcpd dns 208.67.222.222 208.67.222.220 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy THCVpnGroup internal
group-policy THCVpnGroup attributes
dns-server value 208.67.222.222 208.67.222.220
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
username [username] password [password] encrypted
tunnel-group THCVpnGroup type remote-access
tunnel-group THCVpnGroup general-attributes
address-pool ThcIPPool
default-group-policy THCVpnGroup
tunnel-group THCVpnGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d57ad5e7f32936cf000c4be69d4385cb

thanks

jeff

Hi,

To my understanding the "nat" command does NOT require the parameter "outside" at the end.

This would be needed if you were performing NAT/PAT for these users towards an interface whose "security-level" was higher than the source interface. In this situation the only interface towards which you are performing NAT/PAT (which is what the "nat" command is meant for) is the "outside" interface, essentially the same interface the NAT/PAT is sourced from. So the "security-level" of the source and the destination interface is equal, as the source/destination interface is the same interface.

So try to add it with just

nat (outside) 101 10.1.2.0 255.255.255.0

And then test again.

At least I can't see anything wrong with the configurations, since you have

  • Dynamic PAT configuration for the Internet traffic that should apply to all outbound traffic for the internal users. This is done with the "nat" and "global" commands using the ID 101 (except the one mentioned above)
  • NAT0 configuration that enables the VPN users to connect to the internal network and vice versa while avoiding any translations whatsoever. The "nat" command with the ID 0 and using an "access-list" accomplishes this.

Naturally you can make the current "inside" users' "nat" command more specific

no nat (inside) 101 10.0.0.0 255.0.0.0

nat (inside) 101 10.0.0.0 255.255.255.0

But other than the above listed thing I don't see any reason why your connections should not work. It would be more logical if you had problems just with the VPN users, but for the internal traffic to the Internet to stop doesn't make sense. The only thing I can see as a possible problem is using the "outside" parameter in the "nat" command meant for the VPN users.

Follow the above instructions and let me know if it helps

- Jouni
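
The NAT plumbing Jouni walks through above (dynamic PAT with nat/global ID 101, the nat 0 exemption ACL, and the stray "outside" keyword) can be checked mechanically. The following is an added example for this page, not Cisco tooling and not code from either poster: a small Python checker for pre-8.3 PIX/ASA NAT syntax that reads those statements from a config dump and reports the gaps. The embedded SAMPLE_CFG is a constructed excerpt of the Nov 8 config in the thread; the checker also flags settings visible in that config that a reviewer would raise (3DES/MD5 transform set, DH group 2, SSH permitted from 0.0.0.0/0 on the outside interface). Pool and interface names are taken from the thread; the finding texts are this example's own wording.

```python
"""Checker for pre-8.3 PIX/ASA (8.0(4) here) remote-access VPN NAT plumbing.

Added example for this thread; not Cisco tooling and not code from the posts.
Under nat-control the statements parsed below decide whether a VPN client can
reach the LAN (nat 0 exemption) and hairpin to the Internet (nat (outside) +
global + same-security-traffic). It also lists legacy crypto and open
management settings. SAMPLE_CFG is a constructed excerpt of the Nov 8 config.
"""
import ipaddress
import re

SAMPLE_CFG = """\
interface Ethernet1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
same-security-traffic permit intra-interface
access-list inside-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
ip local pool ThcIPPool 10.1.2.1-10.1.2.50 mask 255.255.255.0
global (outside) 101 interface
nat (outside) 101 10.1.2.0 255.255.255.0 outside
nat (inside) 0 access-list inside-nat0
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto isakmp policy 1
 encryption 3des
 group 2
ssh 0.0.0.0 0.0.0.0 outside
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
RULES = {
    "pool": re.compile(rf"^ip local pool (\S+) {IP}-{IP}"),
    "nat0": re.compile(r"^nat \((\S+)\) 0 access-list (\S+)"),
    "natd": re.compile(rf"^nat \((\S+)\) (\d+) {IP} {IP}( outside)?$"),
    "glob": re.compile(r"^global \(outside\) (\d+) interface"),
    "acl": re.compile(rf"^access-list (\S+) extended permit ip {IP} {IP} {IP} {IP}"),
    "ifip": re.compile(rf"^ip address {IP} {IP}$"),
}

def net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse(text):
    """Reduce a config dump to the facts the audit needs."""
    cfg = {"pools": {}, "acls": {}, "nat0": {}, "natd": [], "globals": set(),
           "intra": False, "lan": {}, "weak": []}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            iface = line.split()[1]
        elif (m := RULES["ifip"].match(line)) and iface:
            cfg["lan"][iface] = net(m[1], m[2])
        elif m := RULES["pool"].match(line):
            cfg["pools"][m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := RULES["nat0"].match(line):
            cfg["nat0"][m[1]] = m[2]            # one exemption ACL per interface
        elif m := RULES["natd"].match(line):
            cfg["natd"].append((m[1], m[2], net(m[3], m[4]), bool(m[5])))
        elif m := RULES["glob"].match(line):
            cfg["globals"].add(m[1])
        elif m := RULES["acl"].match(line):
            cfg["acls"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif line == "same-security-traffic permit intra-interface":
            cfg["intra"] = True
        elif ("esp-3des" in line or "esp-md5-hmac" in line
              or line in ("encryption 3des", "group 2")
              or line.startswith("ssh 0.0.0.0 0.0.0.0")):
            cfg["weak"].append(line)            # 3DES/MD5/DH group 2, SSH open to any source
    return cfg

def audit(cfg, lan_pools=None):
    """Return {pool_name: [findings]} plus a "config" entry for config-wide findings.
    lan_pools: names of pools whose clients are supposed to reach the LAN (default: all)."""
    lan = cfg["lan"].get("inside")
    exempt = cfg["acls"].get(cfg["nat0"].get("inside", ""), [])
    report = {"config": [f"weak or exposed setting: {w}" for w in cfg["weak"]]}
    if not cfg["intra"]:
        report["config"].append("missing 'same-security-traffic permit intra-interface': "
                                "full-tunnel clients cannot hairpin back out 'outside'")
    for name, (first, last) in cfg["pools"].items():
        findings = []
        if lan is not None and (lan_pools is None or name in lan_pools) and not any(
                lan.subnet_of(src) and first in dst and last in dst for src, dst in exempt):
            findings.append("no nat 0 exemption for inside <-> pool: under nat-control the "
                            "client's LAN traffic has no translation and is dropped")
        pat = [(i, kw) for ifc, i, n, kw in cfg["natd"]
               if ifc == "outside" and first in n and last in n]
        if not pat:
            findings.append("no nat (outside) entry covering the pool: full-tunnel clients "
                            "get no PAT towards the Internet")
        for nat_id, kw in pat:
            if nat_id not in cfg["globals"]:
                findings.append(f"nat (outside) {nat_id} has no matching global (outside) {nat_id}")
            if kw:
                findings.append("'outside' keyword on nat (outside): that form is for outside NAT "
                                "towards a higher-security interface; the thread reports LAN and "
                                "VPN Internet access broke with it, so drop it for the hairpin case")
        report[name] = findings
    return report

if __name__ == "__main__":
    for key, items in audit(parse(SAMPLE_CFG)).items():
        print(key, *items, sep="\n  ")
```

Run it as a script to print the findings for the sample. audit(parse(text), lan_pools={...}) limits the exemption check to the pools that are supposed to reach the LAN, which is how you would run it against the later three-pool config in this thread, where the web-only pool must not have an exemption and the full-tunnel pool is missing one. It only understands the handful of statements listed above, so a clean report is not a clean config.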

Awesome! It appears to be working. I do not know why I got that error message saying it needs outside at the end.

Looks like everything is functioning as expected.

The only thing I have to do now is go back and make myself two separate groups to use, one for split tunnel and one for full tunnel, and I should be good to go.

Once I do that I will make a post with my configuration and LAN layout so others can do the same thing more easily.

talk to you soon!

jeff

Hi,

I am not 100% sure, but you might get a notification just because of the fact that you are doing a "nat" configuration on your external interface, which usually is not expected. The main reason for this message might be that the "security-level" of the interface is "0", so there is a VERY HIGH likelihood that your destination interface would have a higher "security-level", so the firewall decides to warn you about the fact that you might need the "outside" parameter. But naturally in this situation the source/destination interface is the same interface, making the "security-level" equal, so the warning message doesn't have to be considered at all.

Here is a link to the Software 8.0 Command Reference about the "nat" command. If you look a bit further you will find the explanation for the "outside" parameter. You can easily find both the Command Reference and the Configuration Guide by searching for them through Google. They are very helpful for checking configuration format, effect and usage guidelines.

Again, here is the link to the "nat" command:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/no.html#wp1737858

There are other situations where a firewall might give you a warning message whose actual purpose is to inform you of a POSSIBLE situation or problem you might be running into.

So it doesn't always require you to do anything.

Sadly I have no knowledge that Cisco would have documentation of the different WARNING messages that Cisco firewalls might give. You usually have to go look for them online or through Cisco directly.

Let me know if you get the setup working correctly for you.

Please do remember to mark the correct answers and/or rate helpful answers if the problems/questions are resolved.

Feel free to ask more though if needed, and naturally make a new post if you run into some problematic situation or configuration need in the future.

- Jouni

hi,

Strangely enough that warning is upon entering the command. Your answer makes perfect sense.

I'm so close to being able to wrap this up.

I have a single config with 2 separate groups on it, one for split tunnel and one for full tunnel, and I proved that they are sending properly with the tracert command.

Awesome! Thank you so much for all of your help.

2 last quick things:

1) I can't ping any inside hosts by hostname when connected to either tunnel type. What is needed to allow the host name resolution?

2) Is there any way to set up a third tunnel type to allow only internet connectivity? If so, how would one do that?

thanks again

jeff

Hi,

Originally at least you had configured the DNS servers as public servers, so if the VPN user uses those DNS servers then he probably won't be able to ping any internal host by its internal name. I would look into changing the DNS servers under the "group-policy" so that the primary one is your internal DNS server and the secondary is a public DNS server.

You can also go under the "group-policy" configuration mode and then use the question mark "?" to check the different options you can get. If any of the commands/parameters aren't clear then I would refer to the documentation in my earlier reply, which is the Command Reference. It should contain a better explanation for that command/parameter.

I am not sure what the aim is with only allowing the VPN user Internet connectivity. The only thing I can think of right away would be to give the user the possibility to use the central firewall's public IP address, which might have been set at some remote 3rd party site as the only allowed public IP address to access some service. This would give the user the chance to still access that 3rd party site even if he/she wasn't at the office.

I guess there are a couple of approaches for this.

You could create a Full Tunnel VPN (like one of the existing ones) and then use a VPN Filter ACL to first block all traffic to the LAN network and then allow all other traffic. This would essentially mean that the user could only access public IP address space, as you have blocked access to the internal networks only. Naturally the other approach to this solution would be to use the same Full Tunnel VPN you have created so far BUT attaching the VPN Filter ACL under the "username" configuration if you are using LOCAL usernames on the firewall for VPN AAA.

I guess the other option would be to create a VPN for which you create a "group-policy" that defines a Split Tunnel Policy so that it excludes some networks (rather than including them like a normal Split Tunnel). In that case you could define your LAN network as the excluded address space, which would essentially mean that all traffic except that directed to your LAN network would go through the VPN.

On a last note, notice that you have (if I don't remember wrong) a lot of opportunities to set different Split Tunnel rules and VPN Filter ACLs for users based on their LOCAL login "username" configured on the firewall. This should be possible using the "username attributes" configuration space. This might essentially give you the possibility of creating a single Full Tunnel VPN group for ALL users and simply using different "group-policy" and VPN Filter ACLs to control what certain users can access. Naturally this might not be possible if the requirement is to specifically let some users use their local Internet connection rather than tunnel it through the VPN.

Hope I made some sense

- Jouni
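
Jouni's reply above describes three ways to build the web-only tunnel (full tunnel plus a vpn-filter ACL that denies the LAN, a split tunnel that excludes the LAN, and per-username filters). The following is an added example for this page, not Cisco code and not from the original posts: a Python model of the two decisions those designs rely on, the client-side split-tunnel-policy and the ASA-side vpn-filter, run against the thread's 10.1.1.0/24 LAN and the 10.1.4.0/24 web-only pool. It assumes simplified ACLs (permit/deny ip src dst with an implicit deny) and writes the vpn-filter with the client address as source; confirm the direction convention in the vpn-filter section of the ASA command reference before copying the rule set into a real group-policy.

```python
"""Model of ASA remote-access split-tunnel and vpn-filter behaviour.

Added example for this thread, not Cisco code and not from the original posts.
It reduces a group-policy to the two decisions behind the 'web only' tunnel
discussed above: does the client send a packet into the tunnel at all
(split-tunnel-policy), and if it does, does the vpn-filter ACL on the ASA let
it through. Assumptions: ACLs are simplified to permit/deny ip <src> <dst>
entries with an implicit deny at the end, and the vpn-filter ACL is written
with the client address as the source.
"""
import ipaddress
from dataclasses import dataclass, field

LAN = ipaddress.IPv4Network("10.1.1.0/24")       # office LAN from the thread
WEB_POOL = ipaddress.IPv4Network("10.1.4.0/24")  # ThcIPWebOnlyTunnelPool
ANY = ipaddress.IPv4Network("0.0.0.0/0")

@dataclass
class Ace:
    permit: bool
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass
class GroupPolicy:
    split_policy: str                                # tunnelall | tunnelspecified | excludespecified
    split_list: list = field(default_factory=list)   # split-tunnel-network-list networks
    vpn_filter: list = field(default_factory=list)   # vpn-filter ACEs; empty means no filter

def tunneled(gp, dst):
    """Client-side decision: does traffic to dst enter the IPsec tunnel?"""
    listed = any(dst in n for n in gp.split_list)
    if gp.split_policy == "tunnelall":
        return True
    if gp.split_policy == "tunnelspecified":
        return listed
    if gp.split_policy == "excludespecified":
        return not listed
    raise ValueError(f"unknown split-tunnel-policy {gp.split_policy}")

def filter_permits(aces, src, dst):
    """ASA-side vpn-filter: first matching ACE wins, implicit deny; no ACL means permit."""
    if not aces:
        return True
    for ace in aces:
        if src in ace.src and dst in ace.dst:
            return ace.permit
    return False

def path(gp, client, dst):
    """Where a packet from the VPN client to dst ends up:
    'vpn'   - encrypted to the ASA and forwarded from there (still subject to NAT)
    'local' - never enters the tunnel, uses the client's local network/Internet
    'drop'  - entered the tunnel but the vpn-filter discarded it on the ASA"""
    client, dst = ipaddress.ip_address(client), ipaddress.ip_address(dst)
    if not tunneled(gp, dst):
        return "local"
    return "vpn" if filter_permits(gp.vpn_filter, client, dst) else "drop"

# Design 1 from the reply above: full tunnel plus a vpn-filter that blocks the LAN.
WEB_ONLY_FILTERED = GroupPolicy("tunnelall", vpn_filter=[
    Ace(False, WEB_POOL, LAN),   # deny ip 10.1.4.0/24 10.1.1.0/24
    Ace(True, WEB_POOL, ANY),    # permit ip 10.1.4.0/24 any
])
# Design 2: exclude the LAN from the tunnel instead of filtering it on the ASA.
WEB_ONLY_EXCLUDED = GroupPolicy("excludespecified", split_list=[LAN])
# The thread's existing split-tunnel group: only the LAN goes through the tunnel.
SPLIT = GroupPolicy("tunnelspecified", split_list=[LAN])

if __name__ == "__main__":
    policies = [("filtered", WEB_ONLY_FILTERED), ("excluded", WEB_ONLY_EXCLUDED), ("split", SPLIT)]
    for name, gp in policies:
        for dst in ("10.1.1.20", "203.0.113.10"):   # a LAN host and a public (TEST-NET-3) address
            print(f"{name:9} -> {dst:13} {path(gp, '10.1.4.7', dst)}")
```

The point the output makes: with the vpn-filter design a packet to 10.1.1.20 is encrypted to the firewall and discarded there ("drop"), while with excludespecified it never enters the tunnel ("local"). On a hostile remote network that happens to use 10.1.1.0/24 itself, the second design puts that traffic unencrypted onto the local segment, which is the opposite of what a secure-browsing tunnel is for; the filtered full tunnel is the safer of the two for the web-only group.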

hi,

There is the dns-server attribute, which seems like the best bet obviously. My only problem is that the outside hosts can't ping the inside IP, which would also be the IP address of the local DNS server for the inside hosts.

I tried it and it is not working. The machines are not part of any domain at this point, so there is no fully qualified domain name for the machines.

Pinging the short name appends a DNS suffix onto them that is coming from another VPN connection on the NIC. So basically it is appending a suffix that really it should not be.

jeff

hi,

Sorry to bother you.

Somehow I boned my config up and I'm not sure what happened. Everything looks OK.

I can't seem to ping any inside hosts, by host name or by IP. All of the web traffic functions properly, with split tunnel and full tunnel.

Do you have a few minutes?

jeff

Hi,

I would need to see the current configuration.

- Jouni

Hi,

I spoke incorrectly, slightly.

All outside access is working properly, proven through tracert.

I have 3 access groups: full tunnel, split tunnel and web only. Web only should allow no access to the inside interface. It will solely be for secure browsing in remote locations and on other people's networks.

Full tunnel and web only are not capable of pinging the IP or host name of any inside host on 10.1.1.X. I don't have other outside hosts at this point, so I am unsure if they can ping an outside host or not.

Split tunnel can only ping hosts on 10.1.1.X by IP.

Below is the current config. 8.8.8.8 and 8.8.4.4 are Google DNS IPs.

show config
: Saved
: Written by enable_15 at 00:02:36.769 UTC Fri Nov 29 2013
!
PIX Version 8.0(4)
!
hostname vpnhost
domain-name somewhere.net
enable password * encrypted
passwd * encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name somewhere.net
same-security-traffic permit intra-interface
object-group icmp-type ICMPObject
icmp-object echo-reply
icmp-object source-quench
icmp-object time-exceeded
icmp-object unreachable
access-list ThcInsideFullTunnel-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_access_in extended permit icmp any any object-group ICMPObject
access-list ThcInsideSplitTunnel-nat0 extended permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list THCSplitTunnelAccessList standard permit 10.1.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ThcIPFullTunnelPool 10.1.2.1-10.1.2.254 mask 255.255.255.0
ip local pool ThcIPSplitTunnelPool 10.1.3.1-10.1.3.254 mask 255.255.255.0
ip local pool ThcIPWebOnlyTunnelPool 10.1.4.1-10.1.4.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (outside) 101 10.1.2.0 255.255.255.0
nat (outside) 101 10.1.3.0 255.255.255.0
nat (outside) 101 10.1.4.0 255.255.255.0
nat (inside) 0 access-list ThcInsideSplitTunnel-nat0
nat (inside) 101 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THCTransformSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set transform-set THCTransformSet
crypto dynamic-map THCDynamicMap 1 set security-association lifetime seconds 28800
crypto dynamic-map THCDynamicMap 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map THCDynamicMap 1 set reverse-route
crypto map THCCryptoMap 1 ipsec-isakmp dynamic THCDynamicMap
crypto map THCCryptoMap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.1.1.50-10.1.1.254 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy THCFullTunnel internal
group-policy THCFullTunnel attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
group-policy THCSplitTunnel internal
group-policy THCSplitTunnel attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value THCSplitTunnelAccessList
group-policy THCWebOnlyTunnel internal
group-policy THCWebOnlyTunnel attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
username user password * encrypted
tunnel-group THCFullTunnel type remote-access
tunnel-group THCFullTunnel general-attributes
address-pool ThcIPFullTunnelPool
default-group-policy THCFullTunnel
tunnel-group THCFullTunnel ipsec-attributes
pre-shared-key *
tunnel-group THCSplitTunnel type remote-access
tunnel-group THCSplitTunnel general-attributes
address-pool ThcIPSplitTunnelPool
default-group-policy THCSplitTunnel
tunnel-group THCSplitTunnel ipsec-attributes
pre-shared-key *
tunnel-group THCWebOnlyTunnel type remote-access
tunnel-group THCWebOnlyTunnel general-attributes
address-pool ThcIPWebOnlyTunnelPool
default-group-policy THCWebOnlyTunnel
tunnel-group THCWebOnlyTunnel ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:c979c3c6ba8f17411d144647d1f913a8

thanks,

jeff

Hi,

I am not quite sure what the problem is.

If we first consider the Full Tunnel and Split Tunnel VPN Client connections, then I assume these need to have access to the LAN network 10.1.1.0/24.

There is at least a problem related to the NAT0 configuration, which only mentions one of the VPN pools.

You should probably create a new ACL in which you configure any NAT0 related configuration for the "inside" networks.

So as the Full Tunnel and Split Tunnel VPNs have pools 10.1.2.0/24 and 10.1.3.0/24, we need the following configurations:

access-list INSIDE-NAT0 remark NAT0 configurations for LAN
access-list INSIDE-NAT0 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
no nat (inside) 0 access-list ThcInsideSplitTunnel-nat0
nat (inside) 0 access-list INSIDE-NAT0

This should enable the VPN users to connect to the LAN network.

I don't see anything that should prevent this traffic.

With regards to the WebOnly VPN I don't see anything that should be a problem regarding just connecting to the Internet. The VPN is configured as Full Tunnel and there is a Dynamic PAT configuration with the NAT ID 101.

- Jouni

Hi,

OK, you were close. I had the access lists but I needed a nat (inside) 0 access-list ThcInsideFullTunnel-nat0 to get the access list working.

I didn't take your advice because I'm trying to keep stuff separated out, so I can retrace my steps and see what belongs to what in the event of an issue.

So now both the full and split tunnels can ping inside IPs, but no host names.

Any ideas what is wrong there?

jeff
