Unable to Access Company LAN via VPN

karl_009 (Level 1)

Hello,

I have an ASA 5505 that I have been using to test-run the IPSec VPN connection. After studying the different configs and running through the ASDM, I keep getting the same issue: I can't receive any traffic.

The company LAN is on the 10.8.0.0 255.255.0.0 network, and I have placed the VPN clients in the 192.168.10.0 255.255.255.0 network; the 192 clients can't talk to the 10.8 network.

On the Cisco VPN client I can see lots of sent packets but none received.

I think it could be to do with the NAT, but from the examples I have seen I believe it should work.

I have attached the complete running-config, as I could well have missed something.

Many Thanks for any help on this...

FWBKH(config)# show running-config           

: Saved

:

ASA Version 8.2(2)

!

hostname FWBKH

domain-name test.local

enable password XXXXXXXXXXXXXXX encrypted

passwd XXXXXXXXXXXXXXXX encrypted

names

name 9.9.9.9 zscaler-uk-network

name 10.8.50.0 inside-network-it

name 10.8.112.0 inside-servers

name 17.7.9.10 fwbkh-out

name 10.8.127.200 fwbkh-in

name 192.168.10.0 bkh-vpn-pool

!

interface Vlan1

nameif inside

security-level 100

ip address fwbkh-in 255.255.0.0

!

interface Vlan2

nameif outside

security-level 0

ip address fwbkh-out 255.255.255.248

!            

interface Vlan3

nameif vpn

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Ethernet0/0

!

interface Ethernet0/1

switchport access vlan 2

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown    

!

interface Ethernet0/7

shutdown

!

banner login Trespassers will be Shot, Survivors will be Prosecuted!!!!

banner motd Trespassers will be Shot, Survivors will be Prosecuted!!!!

banner asdm Trespassers will be Shot, Survivors will be Prosecuted!!!!

boot system disk0:/asa822-k8.bin

ftp mode passive

dns server-group DefaultDNS

domain-name test.local

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_UDP_1 udp

port-object eq 4500

port-object eq isakmp

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

protocol-object udp

access-list inside_access_in extended permit tcp 10.8.0.0 255.255.0.0 any object-group DM_INLINE_TCP_2 log warnings inactive

access-list inside_access_in extended permit ip inside-network-it 255.255.255.0 any inactive

access-list inside_access_in extended permit tcp 10.8.0.0 255.255.0.0 host zscaler-uk-network eq www

access-list inside_access_in extended permit ip inside-servers 255.255.255.0 any log warnings

access-list USER-ACL extended permit tcp 10.8.0.0 255.255.0.0 any eq www

access-list USER-ACL extended permit tcp 10.8.0.0 255.255.0.0 any eq https

access-list outside_nat0_outbound extended permit ip bkh-vpn-pool 255.255.255.0 10.8.0.0 255.255.0.0

access-list outside_access_in extended permit udp any host fwbkh-out object-group DM_INLINE_UDP_1 log errors inactive

access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 10.8.0.0 255.255.0.0 any

access-list inside_nat0_outbound_1 extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0

access-list UK-VPN-USERS_splitTunnel extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0

access-list UK-VPN-USERS_splitTunnel extended permit ip inside-servers 255.255.255.0 bkh-vpn-pool 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu vpn 1500

ip local pool UK-VPN-POOL 192.168.10.10-192.168.10.60 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

nat-control  

global (inside) 1 interface

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound_1

nat (inside) 1 10.8.0.0 255.255.0.0 dns

nat (outside) 0 access-list outside_nat0_outbound outside

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 17.7.9.10 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 10.8.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint BKHFW

enrollment self

subject-name CN=FWBKH

crl configure

crypto ca certificate chain BKHFW

certificate fc968750

    308201dd 30820146 a0030201 020204fc 96875030 0d06092a 864886f7 0d010105

    05003033 310e300c 06035504 03130546 57424b48 3121301f 06092a86 4886f70d 

    ccc6f3cb 977029d5 df42515f d35c0d96 798350bf 7472725c fb8cd64d 514dc9cb

    7f05ffb9 b3336388 d55576cc a3d308e1 88e14c1e 8bcb13e5 c58225ff 67144c53 f2

  quit

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 10.8.0.0 255.255.0.0 inside

ssh timeout 30

ssh version 2

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy UK-VPN-USERS internal

group-policy UK-VPN-USERS attributes

dns-server value 10.8.112.1 10.8.112.2

vpn-tunnel-protocol IPSec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value UK-VPN-USERS_splitTunnel

default-domain value test.local

address-pools value UK-VPN-POOL

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol webvpn

username admin password XXXXXXXXXXXXXXXXX encrypted privilege 15

username karl password XXXXXXXXXXXXXXX encrypted privilege 15

tunnel-group UK-VPN-USERS type remote-access

tunnel-group UK-VPN-USERS general-attributes

address-pool UK-VPN-POOL

default-group-policy UK-VPN-USERS

tunnel-group UK-VPN-USERS ipsec-attributes

pre-shared-key *****

tunnel-group IT-VPN type remote-access

tunnel-group IT-VPN general-attributes

address-pool UK-VPN-POOL

default-group-policy UK-VPN-USERS

tunnel-group IT-VPN ipsec-attributes

pre-shared-key *****

!

class-map ALLOW-USER-CLASS

match access-list USER-ACL

class-map type inspect http match-all ALLOW-URL-CLASS

match not request header from regex ALLOW-ZSGATEWAY

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map type inspect http ALLOW-URL-POLICY

parameters

class ALLOW-URL-CLASS

  drop-connection

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect ip-options

policy-map ALLOW-USER-URL-POLICY

class ALLOW-USER-CLASS

  inspect http

!

service-policy global_policy global

service-policy ALLOW-USER-URL-POLICY interface inside

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:00725d3158adc23e6a2664addb24fce1

: end

Accepted Solution

Hi Karl,

Please make the following changes:

ip local pool VPN_POOL_UK_USERS 192.168.254.1-192.168.254.254

access-list inside_nat0_outbound_1 extended permit ip 10.8.0.0 255.255.0.0 192.168.254.0 255.255.255.0

!

no nat (outside) 0 access-list outside_nat0_outbound outside

!

access-list UK-VPN-USERS_SPLIT permit 10.8.0.0 255.255.0.0

!

group-policy UK-VPN-USERS attributes

split-tunnel-network-list value UK-VPN-USERS_SPLIT

!

no access-list UK-VPN-USERS_splitTunnel extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0

no access-list UK-VPN-USERS_splitTunnel extended permit ip inside-servers 255.255.255.0 bkh-vpn-pool 255.255.255.0

!

access-list inside_access_in extended permit ip 10.8.0.0 255.255.255.0 192.168.254.0 255.255.255.0

!

management-access inside

******

As you can see, I did create a new pool, since you already have an interface in the 192.168.10.0/24 network, which does affect the VPN clients.

Once you are done, connect the client and try:

ping 10.8.127.200

Does it work?

Try to ping other internal IPs as well.

Let me know how it goes.

Portu.

Please rate any helpful posts

Message was edited by: Javier Portuguez
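An added static check (my code, not from the thread or from Cisco) that reads an ASA 8.2-style config excerpt and reports the two conditions the accepted answer corrects: a VPN address pool that overlaps an interface subnet, and a LAN-to-pool "nat 0" exemption ACL that does not cover the pool. The config text is a constructed excerpt using the thread's addresses; the return route on the internal default gateway (the cause Karl found later) is outside the ASA config and is not checked here.

```python
# Checks the two faults the accepted answer fixes: a VPN pool overlapping an
# interface subnet, and a LAN->pool 'nat 0' exemption ACL not covering the pool.
import ipaddress
import re
# Constructed excerpt in the shape of the ASA 8.2 config posted in the question (thread addresses; other lines omitted).
SAMPLE_CONFIG = """
name 192.168.10.0 bkh-vpn-pool
interface Vlan1
 nameif inside
 ip address 10.8.127.200 255.255.0.0
interface Vlan3
 nameif vpn
 ip address 192.168.10.1 255.255.255.0
ip local pool UK-VPN-POOL 192.168.10.10-192.168.10.60 mask 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.8.0.0 255.255.0.0 bkh-vpn-pool 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
"""
# Same excerpt with the accepted answer's new pool and a matching exemption ACL.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "192.168.10.10-192.168.10.60", "192.168.254.1-192.168.254.254"
).replace("bkh-vpn-pool 255.255.255.0", "192.168.254.0 255.255.255.0")

def parse(config):
    names, ifaces, pools, acls, nat0, nameif = {}, {}, {}, {}, {}, None
    net = lambda a, m: ipaddress.ip_network(f"{names.get(a, a)}/{m}", strict=False)
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"name (\S+) (\S+)$", line):
            names[m[2]] = m[1]              # object name -> address
        elif m := re.match(r"nameif (\S+)", line):
            nameif = m[1]                   # interface currently being defined
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            ifaces[nameif] = net(m[1], m[2])
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m[1]] = m[2]               # interface -> NAT-exempt ACL name
    return ifaces, pools, acls, nat0

def check(config, lan_if="inside"):
    ifaces, pools, acls, nat0 = parse(config)
    exempt, findings = acls.get(nat0.get(lan_if), []), []
    for pname, (lo, hi) in pools.items():
        for ifname, subnet in ifaces.items():
            if lo <= subnet.broadcast_address and hi >= subnet.network_address:
                findings.append(f"pool {pname} overlaps interface {ifname} subnet {subnet}")
        if not any(lo in dst and hi in dst for _, dst in exempt):   # LAN->pool must bypass NAT
            findings.append(f"no nat 0 exemption on {lan_if} for pool {pname}")
    return findings
```

Running check() on the full posted config instead of the excerpt works the same way, since only the name, nameif, ip address, ip local pool, access-list and nat lines are read.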


karl_009 (Level 1)

Hello,

Thanks for the reply.

After looking into the problem more closely, I realised this was a network design issue: the majority of the internal LAN uses a default gateway that was unable to find its way back to 192.168.1.x, whereas the test clients that were using the ASA as the default gateway were able to return the replies to the pings.

Thanks for your help on this. Your config did allow me to ping the ASA itself while VPN'ed in; also, I learned a bit more and the config was tidied up.

Many Thanks

Karl
