RA VPN Issue: User can connect but cannot see the network

dougreid
Level 1

I have a Cisco ASA 5506-X for my business. I can log into it from an external IP address and see the internal network. I used the configuration as a template for a client, but it is not working correctly. I can log in, but I cannot ssh to a server or connect to their internal website. I see some differences in the extra policy map in my client's ASA.

The other item I just noticed: user2 (which I was using) does not have service-type remote-access.

Here is the config:


hostname ciscoasa
domain-name dot.com
enable password ****
passwd *** encrypted
names
ip local pool RA_LOCAL_NETWORK 192.168.100.0-192.168.100.7 mask 255.255.255.248

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 68.98.206.247 255.255.255.224
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
shutdown
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
shutdown
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
shutdown
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name winfieldiron.com
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network ASA_LOCAL
subnet 192.168.1.0 255.255.255.0
object network ASA_RA_REMOTE
subnet 192.168.100.0 255.255.255.248
object-group network DIGITAL_OCEAN_REMOTE
network-object 10.136.0.0 255.255.0.0
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 10.136.0.0 255.255.0.0
access-list DIGITAL_OCEAN_REMOTE_ALLOWED extended permit ip 10.136.0.0 255.255.0.0 object ASA_LOCAL
access-list RA_VPN_REMOTE extended permit ip object ASA_RA_REMOTE object ASA_LOCAL
access-list RA_VPN_ACESSS standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside_1,outside) source static ASA_LOCAL ASA_LOCAL destination static DIGITAL_OCEAN_REMOTE DIGITAL_OCEAN_REMOTE no-proxy-arp route-lookup
nat (outside,inside_1) source static ASA_RA_REMOTE ASA_RA_REMOTE destination static ASA_LOCAL ASA_LOCAL no-proxy-arp route-lookup
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 68.98.206.225 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set FirstSet esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map domap 1 match address l2l_list
crypto map domap 1 set peer 142.93.51.229
crypto map domap 1 set ikev1 transform-set FirstSet
crypto map domap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map domap interface outside
crypto map inside_1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 513fb9743870b73440418d30930699ff
// removed
quit
crypto ikev1 enable outside
crypto ikev1 enable inside_1
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside_1
telnet 192.168.1.0 255.255.255.0 inside_2
telnet 192.168.1.0 255.255.255.0 inside_3
telnet 192.168.1.0 255.255.255.0 inside_4
telnet 192.168.1.0 255.255.255.0 inside_5
telnet 192.168.1.0 255.255.255.0 inside_6
telnet 192.168.1.0 255.255.255.0 inside_7
telnet timeout 30
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd domain winfieldiron.com
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.199 inside
dhcpd dns 208.67.222.123 208.67.220.123 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy WIM2019RA internal
group-policy WIM2019RA attributes
dns-server value 208.67.222.123 208.67.220.123
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelall
default-domain value winfieldiron.com
dynamic-access-policy-record DfltAccessPolicy
username user1 password //password hash removed
username user1 attributes
service-type remote-access
username user2 password //password hash removed
tunnel-group 104.248.122.220 type ipsec-l2l
tunnel-group 104.248.122.220 ipsec-attributes
ikev1 pre-shared-key wimscrapwelding19
tunnel-group WIM2019RA type remote-access
tunnel-group WIM2019RA general-attributes
address-pool RA_LOCAL_NETWORK
default-group-policy WIM2019RA
tunnel-group WIM2019RA ipsec-attributes
ikev1 pre-shared-key wim1950metal
!
class-map icmp-class
match default-inspection-traffic
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map icmp-policy
class icmp-class
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:d07579df3ff35b21e5f773b5f6be5202
: end

3 Replies

gbekmezi-DD
Level 5
Are you saying user1 works fine but user2 doesn’t? What client are you using to VPN? Is it AnyConnect? Which tunnel group are the VPN users connecting to? default or WIM2019RA?


George

I was denoting differences I saw. I do not have the password for the other user. Connecting to the WIM2019RA tunnel group.

dougreid
Level 1

The issue was with the NAT commands. I only did the NAT to inside_1. I needed to add NAT commands for inside_2, inside_3, and inside_4.
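As an added example that is not from the thread or from Cisco: a small Python audit that reads an ASA config excerpt (constructed below to mirror the one posted above, reusing the object names ASA_RA_REMOTE and ASA_LOCAL from it) and lists every live bridge-group member interface that still lacks the RA-pool NAT exemption, then emits the matching nat lines. It generalises the fix to any number of bridge-group members and skips shut-down ones.

```python
import re

# Constructed excerpt modelled on the thread's config (not the full dump): inside_1..inside_4
# are live bridge-group 1 members, inside_5 is shut down, only inside_1 has the exemption.
ASA_CONFIG = """\
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
interface GigabitEthernet1/6
 shutdown
 bridge-group 1
 nameif inside_5
nat (outside,inside_1) source static ASA_RA_REMOTE ASA_RA_REMOTE destination static ASA_LOCAL ASA_LOCAL no-proxy-arp route-lookup
"""

def bridge_members(config):
    """Map nameif -> True if shut down, for every interface that belongs to a bridge-group."""
    members = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        if not re.search(r"^\s*bridge-group \d+", block, re.M):
            continue
        name = re.search(r"^\s*nameif (\S+)", block, re.M)
        if name:
            members[name.group(1)] = bool(re.search(r"^\s*shutdown\s*$", block, re.M))
    return members

def ra_exempt_interfaces(config, pool_obj):
    """Inside interfaces that already carry an identity (exemption) twice-NAT rule for pool_obj."""
    rule = re.compile(r"^nat \(outside,(\S+)\) source static (\S+) \2 destination static", re.M)
    return {m.group(1) for m in rule.finditer(config) if m.group(2) == pool_obj}

def missing_exemptions(config, pool_obj):
    """Live bridge-group members with no exemption: RA clients get NATed and cannot reach them."""
    have = ra_exempt_interfaces(config, pool_obj)
    return sorted(i for i, down in bridge_members(config).items() if not down and i not in have)

def suggested_nat_lines(config, pool_obj, local_obj):
    """One exemption line per missing interface, in the same form the thread used for inside_1."""
    return [f"nat (outside,{i}) source static {pool_obj} {pool_obj} "
            f"destination static {local_obj} {local_obj} no-proxy-arp route-lookup"
            for i in missing_exemptions(config, pool_obj)]
```

Run `suggested_nat_lines(ASA_CONFIG, "ASA_RA_REMOTE", "ASA_LOCAL")` against a real `show running-config` dump to get the lines for inside_2, inside_3 and inside_4.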
