Can't access internal resources

laurabolda
Level 1

The users were able to log in to the VPN client successfully. However, none of the users could access any internal resources. For example, the users are unable to Remote Control to the server. They are unable to ping any internal servers or map a drive to the servers.

Please let me know if you have any questions or need additional information.  Attached is the config.  Thanks.

19 Replies

laurabolda
Level 1

Here is the config file.

You are missing the NAT exemption as follows:

access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0

nat (Inside) 0 access-list nonat

Hope that resolves the issue.

Halijenn,

Thanks very much for taking time to look at the issue.  Your suggestion works.  Can you explain what these two statements are?

Thanks.

access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (Inside) 0 access-list nonat

The first command is the access-list to bypass NAT for traffic flowing between both networks (192.168.100.0/24 and 192.168.101.0/24).
The second command applies that access-list to the NAT rules for the inside interface.

In other words, with the above two commands, you're instructing the ASA to bypass NAT for the VPN traffic.
In this way the encrypted traffic will flow between both networks without NAT.

Hope it helps.

Federico.

Federico,

Thanks for your prompt response and information. May I ask you another question? I want the Tech Support group (VPN client) to access all the servers in the 192.168.100.xxx network. Do I need to create an access-list for this group? If I do, I have been creating an access list for each server for this group.

access-list ts standard permit host 192.168.100.1
access-list ts standard permit host 192.168.100.2
access-list ts standard permit host 192.168.100.5
access-list ts standard permit host 192.168.100.6
access-list ts standard permit host 192.168.100.7
access-list ts standard permit host 192.168.100.14

Can I say this instead or if there is a better way?

access-list ts standard permit 192.168.100.0 255.255.255.0

Here is the part of the config for your information.  The entire config file was posted earlier.

group-policy techsupport internal

group-policy techsupport attributes

dns-server value 66.102.7.250

vpn-filter value ts

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelall

default-domain value consoto.com

address-pools value vpnpool

tunnel-group techsupport type remote-access
tunnel-group techsupport general-attributes
address-pool vpnpool
authentication-server-group (Inside) LOCAL
default-group-policy techsupport
strip-group
tunnel-group techsupport ipsec-attributes
pre-shared-key ***

Please let me know if you need additional information.  Thanks.

If you want the VPN client to access servers on the 192.168.100.0/24 network, you normally define those servers on an ACL.

I see the group-policy for that VPN group has split-tunnel all.
This means that all traffic is sent through the tunnel from the client.

With the above NAT0 configuration and sending all traffic through the tunnel (no split-tunneling), you should be able to reach the servers without additional configuration.

Another option is to specify a split-tunneling policy to only send the intended traffic through the tunnel.

Federico.

Federico,

Thanks for your prompt response and information. For some reason, I had the filter on the "ts" access-list (vpn-filter value ts) under group-policy. Anyway, I removed the access-lists for ts and the "vpn-filter value ts" statements. My intention was to have the ts group policy access all the servers in the 192.168.100 network.

May I ask you another question? Since I did not set up split tunneling, does the internet traffic also go through the tunnel from the client? So, if the users log in to the VPN client and get on the internet, the internet traffic will go to my system first and then out to the internet. If I had set up split-tunneling, the internet traffic would have gone directly to the internet.

Thanks.

The access-list applied to the vpn-filter under the group policy is to filter traffic through the VPN.

By default all traffic is allowed to pass through the tunnel.

In order to access the servers on the 192.168.100.x network, you should add the nat0 commands with the access-list.

Also make sure that crypto isakmp nat-traversal is enabled.

With the command: management-access inside, you should reach the inside IP of the ASA from the VPN clients.

If you still cannot reach the servers from the VPN clients check two things:

1. sh cry ips sa shows packets encrypted/decrypted for the VPN client connection

2. There's a route pointing to the ASA for the pool of VPN addresses (or the default gateway for the 192.168.100.x network is the ASA)

Split-tunneling is a mechanism to encrypt only the traffic that you want (to avoid sending all traffic through the tunnel).

You are correct.

If split-tunneling is enabled, only the traffic specified on the split-tunnel ACL is sent through the tunnel.

Right now, since the split-tunnel policy is to encrypt ALL, this means that Internet traffic from the clients is sent through the tunnel.

You have two options:

1. Enable a split tunneling policy to send only the encrypted traffic that you need through the tunnel (not waste any resources).

2. Send all traffic through the tunnel (as it is), and configure the ASA to provide the VPN clients with Internet access (through it).

In the first option, the VPN clients will continue to have their own Internet access (without sending that traffic through the tunnel).

Federico.

Federico,

Thanks for your prompt response and information. I want to set up split-tunneling for the ts group-policy and allow the ts group to access all the servers in the 192.168.100 network. How would you set up the group policy and tunnel-group for ts?

Please let me know if you need additional information.  Thanks.

Check that you have the following configuration:

access-list split-acl permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
cry isa nat-t
management-access inside

sysopt connection permit-vpn

group-policy techsupport internal
group-policy techsupport attributes
dns-server value 66.102.7.250
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-acl
default-domain value consoto.com

tunnel-group techsupport type remote-access
tunnel-group techsupport general-attributes
address-pool vpnpool
authentication-server-group (Inside) LOCAL
default-group-policy techsupport
strip-group
tunnel-group techsupport ipsec-attributes
pre-shared-key ***

In this way, the VPN clients will connect and have access only to the 192.168.100.0/24 network.
If you want to restrict access to only certain hosts, you can modify the split-acl ACL.
If you want to enable further restrictions (based on ports), you can apply the vpn-filter under the group-policy.

Things to check:
1. Make sure the 192.168.100.0/24 network has a route back to the ASA when going to 192.168.101.0/24.
2. Make sure, with the command: sh run nat, that you get the nat0 statement referring to the ACL we discussed before.
3. Try to PING 192.168.100.254 and make sure that it works.

If it does not work, please post the output of:

sh cry isa sa
sh cry ips sa

Federico.
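As an added example (not part of this thread or of any Cisco tool), the following Python script parses a constructed ASA-style snippet modelled on the lines posted above and checks the two things the thread turns on: that a nat 0 exemption ACL on the inside interface covers inside-network-to-VPN-pool traffic, and which destinations a client of a given group-policy will actually send through the tunnel under tunnelall versus tunnelspecified. The group-policy "staff" and the CONFIG text are constructed placeholders; the interface name, ACL names and networks mirror the thread.

```python
import ipaddress

# Constructed ASA-style snippet modelled on the lines posted in this thread (placeholder values).
CONFIG = """
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list split-acl permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
nat (Inside) 0 access-list nonat
group-policy techsupport attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
group-policy staff attributes
 split-tunnel-policy tunnelall
"""

def parse(config):
    """Collect extended permit-ip ACL entries, nat 0 bindings per interface, split-tunnel settings."""
    acls, nat0, policies, current = {}, {}, {}, None
    for raw in config.splitlines():
        f = raw.split()
        if not f:
            continue
        if f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            src = ipaddress.ip_network(f"{f[4]}/{f[5]}")   # network behind the ASA
            dst = ipaddress.ip_network(f"{f[6]}/{f[7]}")   # VPN client pool
            acls.setdefault(f[1], []).append((src, dst))
        elif f[0] == "nat" and f[2:4] == ["0", "access-list"]:
            nat0[f[1].strip("()")] = f[4]                   # interface -> exemption ACL
        elif f[0] == "group-policy" and f[-1] == "attributes":
            current = f[1]
            policies.setdefault(current, {})
        elif current and f[0].startswith("split-tunnel-"):
            policies[current][f[0]] = f[-1]                 # policy keyword or ACL name
    return acls, nat0, policies

def nat_exempt(acls, nat0, iface, inside, pool):
    """True if the nat 0 ACL bound to iface exempts traffic between inside and the VPN pool."""
    inside, pool = ipaddress.ip_network(inside), ipaddress.ip_network(pool)
    for src, dst in acls.get(nat0.get(iface, ""), []):
        if inside.subnet_of(src) and pool.subnet_of(dst):
            return True
    return False

def tunneled_networks(acls, policies, policy):
    """Destinations (as strings) a client of `policy` sends via the tunnel; None means everything."""
    p = policies[policy]
    if p.get("split-tunnel-policy", "tunnelall") == "tunnelall":
        return None
    # With an extended ACL the source side is the protected network pushed to the client.
    return [str(src) for src, _ in acls.get(p.get("split-tunnel-network-list", ""), [])]
```

Run the checker against a "sh run" export to confirm the exemption and split list before troubleshooting with sh cry ips sa; a missing exemption shows up as nat_exempt returning False.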

Federico,

Thanks for your prompt response and information. Your instructions work!!! I was able to get to any server on the 192.168.100 network. I was able to ping any server on the 192.168.100 network. However, I am not able to ping the gateway 10.10.10.254. But, it is OK.

Thank you very much, Federico.  You are a great help!!!

I'm glad that it worked!
However, I don't see from the ASA where the 10.10.10.254 is located.

Anyway, if you need further assistance, just let us know ;-)

Federico.

Sorry Federico.  I meant 192.168.100.254, not 10.10.10.254.  I was helping another customer while replying.

Thanks.  You are great!!!

Just in case you want to PING the Gateway (is this a router)?
You need to check that it has a route to 192.168.101.0/24 pointing to the ASA.

Federico.
