Remote Access VPN Clients Cannot Access inside LAN

lee.owensby
Level 1

I have been asked to set up remote access VPN on an ASA 5505 that I previously had no involvement with.  I have set up the VPN using the wizard, the way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA.  They can ping each other.  The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10.  I do not need split tunneling to be enabled.  The active WAN interface is the one labeled outside_cable.

: Saved
:
ASA Version 8.2(1)
!
hostname ASA5505
domain-name default.domain.invalid
enable password eelnBRz68aYSzHyz encrypted
passwd eelnBRz68aYSzHyz encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group dataDSL
 ip address 76.244.75.57 255.255.255.255 pppoe
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.9.1 255.255.255.0
!
interface Vlan10
 nameif outside_cable
 security-level 0
 ip address 50.84.96.178 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service Netbios udp
 port-object eq 139
 port-object eq 445
 port-object eq netbios-ns
object-group service Netbios_TCP tcp
 port-object eq 445
 port-object eq netbios-ssn
object-group network DM_INLINE_NETWORK_1
 network-object host 192.168.100.177
 network-object host 192.168.100.249
object-group service Web_Services tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_10
 network-object host 192.168.9.10
 network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_11
 network-object host 192.168.9.10
 network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_2
 network-object host 192.168.9.10
 network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_3
 network-object host 192.168.9.10
 network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_4
 network-object host 192.168.9.10
 network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_5
 network-object host 192.168.9.10
 network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_6
 network-object host 192.168.9.10
 network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_7
 network-object host 192.168.9.10
 network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_8
 network-object host 192.168.9.10
 network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_9
 network-object host 192.168.9.10
 network-object host 192.168.9.4
object-group network VPN
 network-object 192.168.255.0 255.255.255.0
access-list outside_access_in extended permit icmp any host 76.244.75.61
access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
access-list dmz_access_in remark Quickbooks
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
access-list dmz_access_in remark Quickbooks range
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
access-list dmz_access_in remark QB
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
access-list dmz_access_in remark Printer
access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
access-list dmz_access_in remark QB probably does not need any udp
access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
access-list dmz_access_in remark QB included in other rule range
access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
access-list dmz_access_in remark May be required for Quickbooks
access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu outside_cable 1500
ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (outside_cable) 10 interface
nat (inside) 0 access-list nonat-in
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 0.0.0.0 0.0.0.0
static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group outside_cable_access_in in interface outside_cable
route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 204.107.173.0 255.255.255.0 outside
http 204.107.173.0 255.255.255.0 outside_cable
http 0.0.0.0 0.0.0.0 outside_cable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_cable_map interface outside_cable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable outside_cable
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh 204.107.173.0 255.255.255.0 outside
ssh 204.107.173.0 255.255.255.0 outside_cable
ssh 0.0.0.0 0.0.0.0 outside_cable
ssh timeout 15
console timeout 0
vpdn group dataDSL request dialout pppoe
vpdn group dataDSL localname cadspecialties@static.sbcglobal.net
vpdn group dataDSL ppp authentication pap
vpdn username cadspecialties@static.sbcglobal.net password *********
dhcpd address 192.168.100.30-192.168.100.99 inside
dhcpd dns 192.168.100.5 68.94.156.1 interface inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.100.5
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy cad_supplies_RAVPN internal
group-policy cad_supplies_RAVPN attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
group-policy VPNPHONE internal
group-policy VPNPHONE attributes
 dns-server value 192.168.100.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 client-firewall none
 client-access-rule none
username swinc password BlhBNWfh7XoeHcQC encrypted
username swinc attributes
 vpn-group-policy cad_supplies_RAVPN
username meredithp password L3lRjzwb7TnwOyZ1 encrypted
username meredithp attributes
 vpn-group-policy cad_supplies_RAVPN
 service-type remote-access
username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone1 attributes
 vpn-group-policy VPNPHONE
username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone2 attributes
 vpn-group-policy VPNPHONE
username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone3 attributes
 vpn-group-policy VPNPHONE
username oethera password WKJxJq7L6wmktFNt encrypted
username oethera attributes
 vpn-group-policy cad_supplies_RAVPN
 service-type remote-access
username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
username markh attributes
 vpn-group-policy cad_supplies_RAVPN
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group cad_supplies_RAVPN type remote-access
tunnel-group cad_supplies_RAVPN general-attributes
 address-pool VPN_IP_range
 default-group-policy cad_supplies_RAVPN
tunnel-group cad_supplies_RAVPN ipsec-attributes
 pre-shared-key *
tunnel-group VPNPHONE type remote-access
tunnel-group VPNPHONE general-attributes
 address-pool VPN_Phone
 default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1500
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
: end

1 Reply

Jouni Forss
VIP Alumni

Hi,

You have your "group-policy" set so that you are excluding some networks from being tunneled.

In this access-list named Local_LAN_Access you specify "0.0.0.0".

Doesn't this mean you are excluding all networks from being tunneled? In other words, no traffic goes to your tunnel.

This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you don't need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.

- Jouni
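As an added example that is not part of the thread or of either poster's reply: a small Python audit script that turns the check Jouni describes into something you can run over an ASA 8.2-style `show running-config` text. It parses the standard access-lists and each group-policy's split-tunnel attributes, reports every `excludespecified` policy whose network list carries an all-zero entry (the `host 0.0.0.0` line in `Local_LAN_Access` above) or no usable list at all, and shows that the alternative Jouni suggests, tunnelling everything with `split-tunnel-policy tunnelall`, yields no finding. The two config fragments inside it are constructed from the relevant lines of the posted config, written with the one-space sub-command indentation ASA emits, which the parser relies on to know which lines belong to which `group-policy ... attributes` block.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the split-tunnel-relevant lines from the config in this
# thread, with ASA's sub-command indentation (the pasted copy above lost it).
BROKEN_CONFIG = """
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
group-policy cad_supplies_RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
group-policy VPNPHONE attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
"""

# Constructed "after" fragment: VPNPHONE tunnels all traffic, the option the
# reply suggests when no local LAN access is needed.
FIXED_CONFIG = """
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
group-policy cad_supplies_RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
group-policy VPNPHONE attributes
 split-tunnel-policy tunnelall
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+standard\s+permit\s+(.+)$")
GP_RE = re.compile(r"^group-policy\s+(\S+)\s+attributes$")
ZERO = ipaddress.IPv4Address("0.0.0.0")

Finding = Tuple[str, str, str]  # (group-policy, list name, offending entry)


def parse_standard_acls(config: str) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Collect the networks each standard ACL permits (host X, any, or net mask)."""
    acls: Dict[str, List[ipaddress.IPv4Network]] = {}
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue
        name, target = m.groups()
        parts = target.split()
        if parts[0] == "host":
            net = ipaddress.IPv4Network(parts[1] + "/32")
        elif parts[0] == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        else:  # "<network> <mask>" form
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
        acls.setdefault(name, []).append(net)
    return acls


def parse_group_policies(config: str) -> Dict[str, Dict[str, str]]:
    """Map each group-policy to its split-tunnel-policy and network list name."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():  # top-level command: starts or ends a block
            m = GP_RE.match(raw.strip())
            current = policies.setdefault(m.group(1), {}) if m else None
            continue
        if current is None:
            continue
        line = raw.strip()
        if line.startswith("split-tunnel-policy "):
            current["policy"] = line.split()[1]
        elif line.startswith("split-tunnel-network-list value "):
            current["list"] = line.split()[-1]
    return policies


def audit_split_tunnel(config: str) -> List[Finding]:
    """Flag excludespecified policies whose list is missing or has an all-zero entry."""
    acls = parse_standard_acls(config)
    findings: List[Finding] = []
    for name, attrs in parse_group_policies(config).items():
        if attrs.get("policy") != "excludespecified":
            continue
        list_name = attrs.get("list", "")
        entries = acls.get(list_name, [])
        if not entries:
            findings.append((name, list_name, "<missing list>"))
            continue
        for net in entries:
            # host 0.0.0.0 and 0.0.0.0/0 both land here; neither names a
            # specific remote local LAN, so the entry deserves review.
            if net.network_address == ZERO:
                findings.append((name, list_name, str(net)))
    return findings


if __name__ == "__main__":
    for policy, acl, entry in audit_split_tunnel(BROKEN_CONFIG):
        print(f"REVIEW {policy}: exclude list {acl!r} has entry {entry}; "
              "list only the client's local LAN or use tunnelall")
    print("fixed config findings:", audit_split_tunnel(FIXED_CONFIG))
```

The script only reads the two statement families it needs, so it is safe to point at a full running-config dump; policies using `tunnelspecified` or `tunnelall` are skipped, and only `excludespecified` lists are inspected.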
