VPN session established but cannot access trusted LAN segment on the ASA

bernardkwok73
Level 1

Just a roundup of my Cisco ASA configuration...

1) Configure remote access IPSec VPN

2) Group Policies - vpntesting

3) AES256 SHA DH group 5

4) Configure local user vpntesting

5) Configure dhcp pool - 10.27.165.2 to 10.27.165.128 mask /24

6) open access on outside interface

7) IKE group - vpntesting

A) Did I miss anything?

B) For example, there is a LAN segment - 10.27.40.x/24 on the trusted leg of the Cisco ASA but I can't access it. Do I need to create access lists to allow my VPN session to access the trust LANs?

C) Any good guide for configuring remote access VPN using ASDM?

3 Replies

Hello Bernard,

You have listed it all, man :) .. just one thing: did you create the split tunnel and specify the network which the VPN wants to access? Also, if you have NAT configured for internet access for your LAN, then you need to have a 'no nat' configured for this VPN communication.

Please post your config so that I can help you out if there is something else playing a role.
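As an added illustration (not configuration from anyone in this thread), this is what the two points above look like on the ASA from the original question: a split-tunnel list that names the trusted LAN, and an identity (no-NAT) rule so traffic between 10.27.40.0/24 and the VPN pool 10.27.165.0/24 is never translated. It assumes the interfaces are named inside and outside and that the ASA runs 8.3 or later (twice-NAT syntax); the object and ACL names are made up for the example.

```cisco
! Added example, not the poster's configuration.
! Assumptions: interfaces "inside"/"outside", ASA 8.3+, names below are invented.
!
! 1) Split tunnel: only the trusted LAN is routed into the tunnel.
access-list SPLIT_TUNNEL standard permit 10.27.40.0 255.255.255.0
group-policy vpntesting attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! 2) NAT exemption: LAN <-> VPN pool keeps its real addresses in both
!    directions, so replies from the LAN are not hijacked by the
!    dynamic PAT rule used for internet access.
object network LAN_TRUSTED
 subnet 10.27.40.0 255.255.255.0
object network VPN_POOL
 subnet 10.27.165.0 255.255.255.0
nat (inside,outside) source static LAN_TRUSTED LAN_TRUSTED destination static VPN_POOL VPN_POOL
!
! 3) Checks after a client connects (run from the CLI, not config mode):
!    show nat                 -> translate_hits on the rule above should climb
!    show crypto ipsec sa     -> #pkts encaps AND decaps should both increase
!    packet-tracer input inside icmp 10.27.40.10 8 0 10.27.165.5
!                             -> must end with "Action: allow", no NAT rewrite
```

On 8.2 and earlier the same exemption is written as an access list of LAN-to-pool traffic applied with `nat (inside) 0 access-list <name>`. Question B in the original post is answered by the ASA default `sysopt connection permit-vpn`: decrypted VPN traffic bypasses the outside interface ACL unless that setting has been turned off (`show run all sysopt` shows it), so a missing NAT exemption or split-tunnel list is the usual cause, not a missing access list. On an IOS EasyVPN server such as the one posted further down, the equivalent of "no nat" is a `deny` for the VPN pool placed ahead of the `permit` in the access list that the NAT route-map references.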

Harish,

I have a couple of issues with my EasyVPN server and Cisco VPN Client on Win7.

1: Sometimes, clients are connected, the connection shows established, but no traffic or pings can be made to the corp network. It might have to do with NAT settings to exempt VPN traffic from being NATed.

2: VPN Clients don't pick the same IP address from the local address pool even though I specified the "RECYCLE" option.

I would appreciate it if you look at my configuration and advise on any mis-config or anything that needs to be corrected.

Thank you so much.

Configuration:

##############################################################################

TQI-WN-RT2911#sh run
Building configuration...

Current configuration : 7420 bytes
!
! Last configuration change at 14:49:13 UTC Fri Oct 12 2012 by admin
! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
! NVRAM config last updated at 14:49:14 UTC Fri Oct 12 2012 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TQI-WN-RT2911
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp remember
!
ip domain name telquestintl.com
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2562258950
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2562258950
 revocation-check none
 rsakeypair TP-self-signed-2562258950
!
crypto pki certificate chain TP-self-signed-2562258950
 certificate self-signed 01
  #########
        quit
license udi pid CISCO2911/K9 sn ##############
!
redundancy
!
track 1 ip sla 1 reachability
 delay down 10 up 20
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ############## address 173.161.255.### 255.255.255.240
!
crypto isakmp client configuration group EASY_VPN
 key ##############
 dns 10.10.0.241 10.0.0.241
 domain domain.com
 pool EZVPN-POOL
 acl VPN+ENVYPTED_TRAFFIC
 save-password
 max-users 50
 max-logins 10
 netmask 255.255.255.0
crypto isakmp profile EASY_VPN_IKE_PROFILE1
   match identity group EASY_VPN
   client authentication list default
   isakmp authorization list default
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile EASY_VPN_IPSec_PROFILE1
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA
 set isakmp-profile EASY_VPN_IKE_PROFILE1
!
crypto map VPN_TUNNEL 10 ipsec-isakmp
 description ***TUNNEL-TO-FAIRFIELD***
 set peer 173.161.255.241
 set transform-set ESP-3DES-SHA
 match address 105
!
interface Loopback1
 ip address 10.10.30.1 255.255.255.0
!
interface Tunnel1
 ip address 172.16.0.2 255.255.255.0
 ip mtu 1420
 tunnel source GigabitEthernet0/0
 tunnel destination 173.161.255.241
 tunnel path-mtu-discovery
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Optonline WAN secondary
 ip address 108.58.179.### 255.255.255.248 secondary
 ip address 108.58.179.### 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map VPN_TUNNEL
!
interface GigabitEthernet0/1
 description T1 WAN Link
 ip address 64.7.17.### 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description LAN
 ip address 10.10.0.1 255.255.255.0 secondary
 ip address 10.10.0.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EASY_VPN_IPSec_PROFILE1
!
router eigrp 1
 network 10.10.0.0 0.0.0.255
 network 10.10.30.0 0.0.0.255
 network 172.16.0.0 0.0.0.255
!
router odr
!
router bgp 100
 bgp log-neighbor-changes
!
ip local pool EZVPN-POOL 10.10.30.51 10.10.30.199 recycle delay 65535
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map OPTIMUM-ISP interface GigabitEthernet0/0 overload
ip nat inside source route-map T1-ISP interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.10.0.243 25 108.58.179.### 25 extendable
ip nat inside source static tcp 10.10.0.243 80 108.58.179.### 80 extendable
ip nat inside source static tcp 10.10.0.243 443 108.58.179.### 443 extendable
ip nat inside source static tcp 10.10.0.220 3389 108.58.179.### 3389 extendable
ip nat inside source static tcp 10.10.0.17 12000 108.58.179.### 12000 extendable
ip nat inside source static tcp 10.10.0.16 80 108.58.179.### 80 extendable
ip nat inside source static tcp 10.10.0.16 443 108.58.179.### 443 extendable
ip nat inside source static tcp 10.10.0.16 3389 108.58.179.### 3389 extendable
ip route 0.0.0.0 0.0.0.0 108.58.179.### track 1
ip route 0.0.0.0 0.0.0.0 64.7.17.97 ##
!
ip access-list extended VPN+ENVYPTED_TRAFFIC
 permit ip 10.10.0.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 10.10.30.0 0.0.0.255 any
!
ip sla 1
 icmp-echo 108.58.179.### source-interface GigabitEthernet0/0
 threshold 100
 timeout 200
 frequency 3
ip sla schedule 1 life forever start-time now
access-list 1 permit 10.10.0.0 0.0.0.255
access-list 2 permit 10.10.0.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.0.255 any
access-list 105 remark ***GRE-TRAFFIC TO FAIRFIELD***
access-list 105 permit gre host 108.58.179.### host 173.161.255.###
!
route-map T1-ISP permit 10
 match ip address 100
 match interface GigabitEthernet0/1
!
route-map OPTIMUM-ISP permit 10
 match ip address 100
 match interface GigabitEthernet0/0
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

TQI-WN-RT2911#

##############################################################################

Gareth Gudger
Level 1

You may need to enable NAT Traversal. Type the following command.

CRYPTO ISAKMP NAT-TRAVERSAL 30

More in-depth info here:

http://supertekboy.com/2014/01/28/cisco-vpn-connects-but-cannot-access-inside-resources/