cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2174
Views
0
Helpful
16
Replies

Implemented VLAN, VPN Client Cannot Access Network Anymore

andrewla1212
Level 1
Level 1

Hello,

My network used to be one flat network. I implemented vlan into the environment, and now my VPN users no longer be able to access any network resources when they are connected. Please advice as what do I need to get my VPN users to access the network again.

The following is my ASA5510 and Catalyst 3550 (router on a stick) Configurations.

===

ASA Version 8.0(2)

!

hostname asa5510

domain-name mydomain.com

enable password LWveUMKns/lIV72z encrypted

names

dns-guard

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 69.x.x.197 255.255.255.248

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.101.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

no ip address

management-only

!

passwd GBvC4V1ddiwdpe/1 encrypted

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns server-group DefaultDNS

domain-name mydomain.com

access-list incoming-traffic extended permit tcp any host 69.x.x.198 eq smtp

access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnpool 192.168.0.210-192.168.0.220 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-611.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 192.168.0.0 255.255.255.0

nat (inside) 1 192.168.1.0 255.255.255.0

nat (inside) 1 192.168.2.0 255.255.255.0

nat (inside) 1 192.168.3.0 255.255.255.0

nat (inside) 1 192.168.4.0 255.255.255.0

static (inside,outside) 69.X.x.198 192.168.0.8 netmask 255.255.255.255

access-group incoming-traffic in interface outside

route outside 0.0.0.0 0.0.0.0 69.x.x.193 1

route inside 192.168.0.0 255.255.255.0 192.168.101.253 1

route inside 192.168.1.0 255.255.255.0 192.168.101.253 1

route inside 192.168.2.0 255.255.255.0 192.168.101.253 1

route inside 192.168.3.0 255.255.255.0 192.168.101.253 1

route inside 192.168.4.0 255.255.255.0 192.168.101.253 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:01:30 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

http server enable

http 192.168.0.0 255.255.255.0 inside

http 192.168.2.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5

ESP-AES-192-SHA ESP-AES-

192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet 192.168.0.0 255.255.255.0 inside

telnet 192.168.2.0 255.255.255.0 inside

telnet timeout 30

ssh timeout 5

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

ntp authenticate

ntp server 192.168.0.11 source inside

tftp-server inside 192.168.0.88 config-test

group-policy My_VPN internal

group-policy My_VPN attributes

wins-server value 192.168.0.11

dns-server value 192.168.0.11

vpn-idle-timeout 90

vpn-tunnel-protocol IPSec

default-domain value my2k.net

username vpnlogin password RepoHxP/AmoqXrjb encrypted privilege 15

tunnel-group My_VPN type remote-access

tunnel-group My_VPN general-attributes

address-pool vpnpool

default-group-policy My_VPN

tunnel-group My_VPN ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:67614ffa957ef492f06653b431d86a75

: end

===

version 12.2

no service pad

service timestamps debug uptime

service timestamps log datetime

no service password-encryption

service sequence-numbers

!

hostname Switch4

!

enable secret 5 $1$dGie$zBIptoQldueWRtt2Plv5D1

!

no aaa new-model

clock timezone Central -6

ip subnet-zero

ip routing

!

cluster enable Test 0

!

!

crypto pki trustpoint TP-self-signed-2217997056

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2217997056

revocation-check none

rsakeypair TP-self-signed-2217997056

!

!

crypto pki certificate chain TP-self-signed-2217997056

certificate self-signed 01 nvram:IOS-Self-Sig#3601.cer

!

!

spanning-tree mode pvst

spanning-tree portfast default

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

!

!

!

!

!

interface FastEthernet0/1

switchport mode dynamic desirable

!

interface FastEthernet0/2

switchport access vlan 2

switchport mode dynamic desirable

!

interface FastEthernet0/3

switchport mode dynamic desirable

!

interface FastEthernet0/4

switchport mode dynamic desirable

!

interface FastEthernet0/5

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/6

switchport mode dynamic desirable

!

interface FastEthernet0/7

switchport mode dynamic desirable

!

interface FastEthernet0/8

switchport mode dynamic desirable

!

interface FastEthernet0/9

switchport mode dynamic desirable

!

interface FastEthernet0/10

switchport mode dynamic desirable

!

interface FastEthernet0/11

switchport mode dynamic desirable

!

interface FastEthernet0/12

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/13

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/14

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/15

switchport mode dynamic desirable

!

interface FastEthernet0/16

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/17

switchport mode dynamic desirable

!

interface FastEthernet0/18

switchport mode dynamic desirable

!

interface FastEthernet0/19

switchport mode dynamic desirable

!

interface FastEthernet0/20

switchport mode dynamic desirable

!

interface FastEthernet0/21

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/22

switchport mode dynamic desirable

!

interface FastEthernet0/23

switchport mode dynamic desirable

!

interface FastEthernet0/24

switchport mode dynamic desirable

!

interface FastEthernet0/25

switchport mode dynamic desirable

!

interface FastEthernet0/26

switchport mode dynamic desirable

!

interface FastEthernet0/27

switchport mode dynamic desirable

!

interface FastEthernet0/28

description to internet router Cisco ASA5510

no switchport

ip address 192.168.101.253 255.255.255.0

!

interface FastEthernet0/29

switchport mode dynamic desirable

!

interface FastEthernet0/30

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/31

switchport mode dynamic desirable

!

interface FastEthernet0/32

switchport mode dynamic desirable

!

interface FastEthernet0/33

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/34

switchport mode dynamic desirable

!

interface FastEthernet0/35

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/36

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/37

switchport mode dynamic desirable

!

interface FastEthernet0/38

switchport mode dynamic desirable

!

interface FastEthernet0/39

switchport mode dynamic desirable

!

interface FastEthernet0/40

switchport mode dynamic desirable

!

interface FastEthernet0/41

switchport access vlan 2

switchport mode dynamic desirable

!

interface FastEthernet0/42

switchport mode dynamic desirable

!

interface FastEthernet0/43

switchport access vlan 100

switchport mode dynamic desirable

!

interface FastEthernet0/44

switchport mode dynamic desirable

!

interface FastEthernet0/45

switchport mode dynamic desirable

!

interface FastEthernet0/46

switchport access vlan 2

switchport mode dynamic desirable

!

interface FastEthernet0/47

switchport mode dynamic desirable

!

interface FastEthernet0/48

switchport mode dynamic desirable

!

interface GigabitEthernet0/1

switchport trunk encapsulation dot1q

switchport mode trunk

!

interface GigabitEthernet0/2

switchport mode dynamic desirable

!

interface Vlan1

description OLD NETWORK

ip address 192.168.1.254 255.255.255.0

ip helper-address 192.168.0.11

!

interface Vlan2

description OFFICES

ip address 192.168.2.254 255.255.255.0

ip helper-address 192.168.0.11

!

interface Vlan3

description MAC WORKSTATIONS

ip address 192.168.3.254 255.255.255.0

ip helper-address 192.168.0.11

!

interface Vlan4

description PRODUCTION_FLOOR

ip address 192.168.4.254 255.255.255.0

ip helper-address 192.168.0.11

!

interface Vlan100

description Back-end Devices

ip address 192.168.0.254 255.255.255.0

ip helper-address 192.168.0.11

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.101.254

ip http server

ip http secure-server

!

!

!

snmp-server community private RW

snmp-server community private@es0 RW

snmp-server community public RO

snmp-server community public@es0 RO

!

control-plane

!

alias exec shmac show mac-address-table | include

!

line con 0

exec-timeout 0 0

line vty 0 4

password cisco

login

line vty 5 15

password cisco

login

!

end

1 Accepted Solution

Accepted Solutions

Do this:

no nat (inside) 0 access-list inside_nat0_outbound
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 192.168.101.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
management-access inside
crypto isakmp nat-t

With the above configuration you should be able to connect from the VPN client and PING the inside IP of the ASA 192.168.101.254
If succesful, you should be able to reach 192.168.0.x

If the ASA is decrypting but not encrypting it's because it's receiving the traffic from the VPN client but not sending it back.
This could be because the ASA sends the packets to the 192.168.0.x network but does not receive it back.
Do the changes above and test again please.

Also, from the internal device 192.168.0.x do a traceroute to 192.168.10.x (VPN client IP) and make sure it's send to the ASA.

Federico.

View solution in original post

16 Replies 16

Hi,

The ASA receives the VPN connection and should forward the traffic to the LAN.

Please explain your setup and what addressing scheme belongs to the subnets to check the configuration.

Federico.

The VPN client will get the one of the ip address from the "ip local pool vnpool 192.168.0.210-192.168.0.220 mask of 255.255.255.0" statement.

With above ASA configuration I can get an ip address assign to vpn client wihen I connect to the network. The problem is when I'm connected, I cannot ping any devices in the 192.168.0.0 network. Since the 192.168.0.0 network is assigned to vlan 100. Do I need to create a sub interface on the ASA for vlan 100 and then assign the inside interface ethernet 0/1 to vlan 100?  Currently, inside interface ethernet 0/1 is using ip 192.168.101.254. Does this interface's ip need to be in the 192.168.0.0 network as well?

According to the configuration all VPN traffic will be sent through the tunnel (no split-tunneling).

But the ASA does not know 192.168.0.0 (it only recognizes 192.168.101.x as directly connected).

You either have to assign an interface (vlan or subinterface) to 192.168.0.x or create a route inside to reach 192.168.0.0

Federico.

Hey Federico,

Thanks for helping out thus far.

With the above ASA config, I can ping any devices on the 192.168.0.0 network. Is that telling me that I do have a path from the ASA to the inside network?

Would you give some example about creating a route or assign my inside interface eth0/1 to the 192.168.0.0 network?

Thanks,

AL

Hi,

You're right. I missed this route on the ASA:

route inside 192.168.0.0 255.255.255.0 192.168.101.253 1

Please let us know if you still need any help.

Federico.

Anyone have any other suggestions?

On the ASA I can ping any device on the 192.168.0.0 network. When a VPN connection is made, the VPN client is getting one of the ip address from the designated ip pool via this statement ip local pool vpnpool 192.168.0.210-192.168.0.220 mask 255.255.255.0. The connected VPN client cannot ping any 192.168.0.0. devices and access any shared resources.

The 192.168.0.0 is internal to the ASA (the ASA has a route to the internal network).

You're giving the VPN clients part of this addressing scheme.

I would suggest to fix the problem, to assign the VPN clients a range not in used i.e. 192.168.5.0

The problem that you're having right now is that since the ASA ''thinks'' that the 192.168.1.0/24 is internal it will not send traffic to the VPN clients.

Assign a separate subnet to the VPN clients and that should take care of it.

Federico.

It make sense, but, that wasn't it. I'm at a lost here.

Can you go ahead and change the pool of VPN clients to be on a non-overlapping subnet?

If so, we can test it and should work.

Federico.

Hey Federico, I did change the VPN client ip pool to a none-overlapping subnet. I change it to 192.168.10.210-192.168.10.220 and test. Still no go. Anything other suggestions will be appreciated

If the VPN client pool is now 192.168.10.x you should change this:

access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0

to

access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0

Also, when connecting from the VPN client make sure that under secured routes (under statistics for the client), you see that the internal networks are listed.

Federico.

Hmm, made the change as you suggested. No go. As for the Secured Route under the VPN Client Statics, I don't see any my local network. Under the Network is 0.0.0.0, under Subnet Mask is 0.0.0.0.

I may have to revert my network back to one flat network tomorrow since my VPN users are on my tail of not getting in.

When the VPN client connects you lose Internet?

This is because all traffic is being sent through the tunnel 0.0.0.0

Do the following on the VPN server:

crypto isakmp nat-t

Disconnect the VPN client and reconnect again.

Also issue this command:

sh cry ipse sa

Make sure that everytime the client sends traffic you have packets incrementing in the encrypted/decrypted packets.

Federico.

When the VPN client connect, they lose internet connection. By desgin, we chose not to have the user to have internet when they're online via VPN.

Did the crypto isakmp nat-t and sh cry ipse sa. On the VPN client connected, I ping 192.168.101.254, I do see packets count increase in the decrypt. No change in the packet encrypt though.

Review Cisco Networking for a $25 gift card