Access internet from the Remote default gateway??? NO SPLIT TUNNELING

aeronav01 (Level 1)

I have been struggling with an issue for a long time. I have an ASA5505; I went through lots of configs and searches until I got the inside interface to be able to go to the internet; however, my VPN clients can't go to the Internet. Here is the network config:

- I have a router (which is a modem, a router and an AP, 3 in 1). This router is connected to the ISP with a coaxial cable. Its inside network is 192.168.0.0/24.

- The ASA's outside interface is connected to the router's inside network.

- The ASA's inside network is 192.168.1.0/24, and a static default route is already configured (Static route > outside interface > default gateway 192.168.0.1, which is the router's internal IP address).

- Computers inside the ASA are able to connect to websites (but I can't ping anything outside the network from CMD)!

- When a VPN client connects using IPsec (no certificate) with the Cisco VPN client software, the client can ping and open Remote Desktop connections to computers on the inside network (192.168.1.0/24), but it can't go to the internet, even though other computers on that network can.

- One of the computers on the inside network is a Server 2008 R2 domain controller, which can go to the internet as I mentioned above.

What I am trying to do is to have the VPN clients able to go to the internet using the ASA's inside NIC (192.168.1.1) as their default gateway. I already have the VPN set up with a group name, pre-shared key, username and password, and without split tunneling (which is what I want).

Thanks


6 Replies

Jouni Forss (VIP Alumni)

Hi,

The most common problem in getting ICMP to work through an ASA is lacking either the ACL rules or the ICMP Inspection.

Check your current "policy-map" configurations on the ASA with the command

show run policy-map

I would presume you have the default "policy-map" configurations on the ASA that are attached globally.

Under the "policy-map" configurations you should see multiple "inspect" commands. Go under the correct configuration mode (where the current commands are located) and add the following:

inspect icmp

inspect icmp error

Then test the ICMP through the firewall again.

With regards to the VPN Internet traffic, we would need to know the ASA software level, which you can check with the command "show version".

First you need to check that you have this command:

same-security-traffic permit intra-interface

This will allow the VPN users' traffic to enter the "outside" interface of the ASA, get PATed and then head out again through the "outside" interface. Without the above command it won't work. The traffic from the VPN user to the Internet will never go through the "inside" interface of your ASA.

Then you will also need to have the Dynamic PAT configuration for your VPN users so they get translated to the same IP address as the LAN users behind the ASA. This configuration format depends on the software level I mentioned above.

On an ASA running 8.2 (or below) you would typically have this configuration:

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 (or the LAN network mentioned specifically)

To enable Dynamic PAT for VPN users you would add:

nat (outside) 1

On an ASA running 8.3 (and above) you could configure the Dynamic PAT for VPN users in the following way:

object network VPN-PAT

subnet

nat (outside,outside) dynamic interface

This should be it. Naturally you might have some configuration that might override this but I doubt it.

Hope this helps

- Jouni

Thanks, I have done the same-security-traffic permit intra-interface, but nothing changed. I wanted to post these configs before I do any changes so you can also take a look at them (show version AND show running-config):

1-show version:

Cisco Adaptive Security Appliance Software Version 8.2(5)

Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders

System image file is "disk0:/asa825-k8.bin"

Config file at boot was "startup-config"

ciscoasa up 12 hours 12 mins

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz

Internal ATA Compact Flash, 128MB

BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)

                             Boot microcode   : CN1000-MC-BOOT-2.00

                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

0: Int: Internal-Data0/0    : address is 649e.f3ea.2e51, irq 11

1: Ext: Ethernet0/0         : address is 649e.f3ea.2e49, irq 255

2: Ext: Ethernet0/1         : address is 649e.f3ea.2e4a, irq 255

3: Ext: Ethernet0/2         : address is 649e.f3ea.2e4b, irq 255

4: Ext: Ethernet0/3         : address is 649e.f3ea.2e4c, irq 255

5: Ext: Ethernet0/4         : address is 649e.f3ea.2e4d, irq 255

6: Ext: Ethernet0/5         : address is 649e.f3ea.2e4e, irq 255

7: Ext: Ethernet0/6         : address is 649e.f3ea.2e4f, irq 255

8: Ext: Ethernet0/7         : address is 649e.f3ea.2e50, irq 255

9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255

10: Int: Not used            : irq 255

11: Int: Not used            : irq 255

Licensed features for this platform:

Maximum Physical Interfaces    : 8

VLANs                          : 3, DMZ Restricted

Inside Hosts                   : 10

Failover                       : Disabled

VPN-DES                        : Enabled

VPN-3DES-AES                   : Enabled

SSL VPN Peers                  : 2

Total VPN Peers                : 10

Dual ISPs                      : Disabled

VLAN Trunk Ports               : 0

Shared License                 : Disabled

AnyConnect for Mobile          : Disabled

AnyConnect for Cisco VPN Phone : Disabled

AnyConnect Essentials          : Disabled

Advanced Endpoint Assessment   : Disabled

UC Phone Proxy Sessions        : 2

Total UC Proxy Sessions        : 2

Botnet Traffic Filter          : Disabled

This platform has a Base license.

Serial Number: JMX1553Z021

Running Activation Key: 0x7a0eca5b 0xfc5b1054 0x88214dc8 0x9b0c28f0 0x80062f84

Configuration register is 0x10001

Configuration last modified by enable_15 at 16:20:42.009 CST Tue Jan 7 2014

2- show running-config:

ASA Version 8.2(5)

!

hostname ciscoasa

domain-name nav.info

enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name 192.168.0.1 router description router

name 192.168.0.0 Outside-network

name 192.168.0.10 WebServer-External

name 192.168.1.6 Aeroresearcher-IN

name 192.168.0.230 Aeroresearcher-OUT

name 192.168.1.10 WebServer-Internal

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

switchport access vlan 5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.0.6 255.255.255.0

!

interface Vlan5

no forward interface Vlan1

nameif DMZ

security-level 50

ip address 172.30.1.1 255.255.255.0

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 4.4.4.2

name-server WebServer-Internal

domain-name nav.info

same-security-traffic permit intra-interface

object-group service DM_INLINE_SERVICE_1

service-object tcp-udp

service-object ip

service-object tcp eq www

service-object tcp eq https

service-object udp eq snmp

service-object udp eq snmptrap

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

protocol-object icmp6

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object ip

protocol-object icmp

protocol-object icmp6

object-group protocol DM_INLINE_PROTOCOL_3

protocol-object ip

protocol-object icmp

protocol-object icmp6

object-group protocol DM_INLINE_PROTOCOL_4

protocol-object ip

protocol-object icmp

protocol-object icmp6

object-group protocol DM_INLINE_PROTOCOL_5

protocol-object ip

protocol-object icmp

protocol-object icmp6

object-group network DMZ-Outside

object-group network DMZ-Otside

access-list testvpn2_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside

access-list outside_access_in extended permit ip any any

access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any

access-list inside_authentication extended deny tcp any any

access-list inside_access_out extended permit ip any any

access-list inside_access_out extended permit object-group DM_INLINE_PROTOCOL_5 any any

access-list outside_access_out extended permit ip any any

access-list outside_access_out extended permit object-group DM_INLINE_PROTOCOL_2 any any

access-list inside_nat0_outbound extended permit ip any 192.168.1.240 255.255.255.252

access-list DMZ_access_in extended permit tcp any eq www any eq www

access-list DMZ_access_out extended permit tcp any eq www any eq www

access-list OutsidetoDMZ extended permit tcp any host WebServer-Internal

access-list OutsidetoDMZ extended permit tcp any host WebServer-Internal eq www

access-list OutsidetoDMZ extended permit tcp any interface inside eq telnet

access-list InsidetoDMZ extended permit tcp any host WebServer-Internal eq www

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu DMZ 1500

ip local pool vpn 192.168.1.100-192.168.1.200 mask 255.255.255.0

ip local pool vpn2 192.168.1.205-192.168.1.210 mask 255.255.255.255

ip local pool vpn3 192.168.1.215-192.168.1.220 mask 255.255.255.0

ip local pool vpntunnelpool 192.168.1.240-192.168.1.243 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (inside) 1 interface

global (outside) 1 192.168.0.8-192.168.0.15 netmask 255.255.255.0

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface www WebServer-Internal www netmask 255.255.255.255

static (inside,outside) tcp interface telnet 192.168.1.1 telnet netmask 255.255.255.255

static (inside,inside) 192.168.0.6 WebServer-Internal netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group OutsidetoDMZ in interface outside

access-group outside_access_out out interface outside

access-group DMZ_access_in in interface DMZ

access-group DMZ_access_out out interface DMZ

route outside 0.0.0.0 0.0.0.0 router 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication match inside_authentication inside LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map inside_map interface inside

crypto isakmp enable inside

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 10

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 10

console timeout 0

vpdn username admin password ***** store-local

dhcpd auto_config outside

!

dhcpd address 192.168.1.11-192.168.1.36 inside

dhcpd dns WebServer-Internal WebServer-Internal interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy testvpn2 internal

group-policy testvpn2 attributes

wins-server value 192.168.1.10

dns-server value 192.168.1.10

vpn-tunnel-protocol IPSec

default-domain value nav.info

msie-proxy method auto-detect

group-policy testvpn2_1 internal

group-policy testvpn2_1 attributes

dns-server value 4.4.4.2

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value testvpn2_splitTunnelAcl

default-domain value nav.info

group-policy testvpn internal

group-policy testvpn attributes

dns-server value 4.4.4.2

vpn-tunnel-protocol IPSec

group-policy vpntunnel internal

group-policy vpntunnel attributes

dns-server value 192.168.1.10 4.4.4.2

vpn-tunnel-protocol IPSec

default-domain value nav.info

username testvpn3 password 0AKWGtPSEgAcPI9K encrypted privilege 0

username testvpn3 attributes

vpn-group-policy vpntunnel

username testvpn2 password 0AKWGtPSEgAcPI9K encrypted privilege 0

username testvpn2 attributes

vpn-group-policy testvpn2

username testvpn password 0AKWGtPSEgAcPI9K encrypted privilege 0

username testvpn attributes

vpn-group-policy testvpn

tunnel-group testvpn type remote-access

tunnel-group testvpn general-attributes

address-pool vpn

default-group-policy testvpn

tunnel-group testvpn ipsec-attributes

pre-shared-key *****

tunnel-group testvpn2 type remote-access

tunnel-group testvpn2 general-attributes

address-pool vpn3

default-group-policy testvpn2_1

tunnel-group testvpn2 ipsec-attributes

pre-shared-key *****

tunnel-group vpntunnel type remote-access

tunnel-group vpntunnel general-attributes

address-pool vpntunnelpool

default-group-policy vpntunnel

tunnel-group vpntunnel ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:3fdc1f46bcd29911d32590b48453d2e8

As you can see, I have three VPN connections created.

Thanks

Hi,

I would personally configure the VPN Pools from different networks than the actual LAN behind the ASA.

At the moment it seems that you are at least missing the "nat" statement for the VPN Pools' address space, so that they will have a translation towards the Internet router:

nat (outside) 1 192.168.1.0 255.255.255.0

- Jouni
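As an added example (not from the thread, and not a Cisco tool), the following Python script reads a constructed, condensed ASA 8.2-style config excerpt modelled on the running-config posted above and checks the points raised in the two replies: the same-security-traffic permit intra-interface hairpin command, inspect icmp in the global policy, a nat (outside) entry whose id matches a global (outside) entry and covers each ip local pool, and whether a pool overlaps the inside LAN. The function names and the BEFORE/AFTER excerpts are assumptions made for the example.

```python
import ipaddress
import re

# Constructed, condensed excerpt in the style of the ASA 8.2(5) running-config
# posted in the thread, as it stood before "nat (outside) 1 ..." was added.
BEFORE = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
same-security-traffic permit intra-interface
ip local pool vpn 192.168.1.100-192.168.1.200 mask 255.255.255.0
ip local pool vpntunnelpool 192.168.1.240-192.168.1.243 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
"""
# Same excerpt with both fixes from the replies appended (parser is line based).
AFTER = BEFORE + "nat (outside) 1 192.168.1.0 255.255.255.0\n  inspect icmp\n"


def parse(config):
    cfg = {"pools": [], "nat_out": [], "global_ids": set(),
           "inside_net": None, "hairpin": False, "icmp": False}
    in_inside = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_inside = False
        elif line == "nameif inside":
            in_inside = True
        elif in_inside and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            cfg["inside_net"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif line == "same-security-traffic permit intra-interface":
            cfg["hairpin"] = True
        elif line == "inspect icmp":
            cfg["icmp"] = True
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            cfg["pools"].append((m[1], ipaddress.ip_address(m[2]),
                                 ipaddress.ip_address(m[3])))
        elif m := re.match(r"global \(outside\) (\d+)", line):
            cfg["global_ids"].add(int(m[1]))
        elif m := re.match(r"nat \(outside\) (\d+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            cfg["nat_out"].append((int(m[1]), net))
    return cfg


def audit(config):
    """Return findings as strings; an empty list means nothing left to fix."""
    cfg = parse(config)
    findings = []
    if not cfg["hairpin"]:
        findings.append("missing: same-security-traffic permit intra-interface")
    if not cfg["icmp"]:
        findings.append("missing: inspect icmp in the global policy")
    for name, first, last in cfg["pools"]:
        # Dynamic PAT applies only if a nat (outside) <id> covers the pool and
        # a global (outside) with the same <id> exists.
        covered = any(nid in cfg["global_ids"] and first in net and last in net
                      for nid, net in cfg["nat_out"])
        if not covered:
            findings.append(f"pool {name}: no nat (outside)/global (outside) "
                            f"pair covers {first}-{last}")
        if cfg["inside_net"] and first in cfg["inside_net"]:
            findings.append(f"pool {name}: overlaps inside LAN {cfg['inside_net']}")
    return findings
```

Run audit(BEFORE) and audit(AFTER) to see the missing PAT and ICMP inspection findings disappear once the two lines are added, while the pool-overlap warning from the second reply remains.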

Thanks, it worked. The internet is slower, but I am guessing that is natural due to packet inspection. But you mentioned that you would assign VPN IP pool addresses that are not on the same VLAN network (192.168.1.0/24). Do you mean that I can just go to the VPN pool and assign IP addresses of a network that does NOT even exist here on the internal VLANs, without configuring a new network? If so, then how can the VPN client connect to that network (192.168.1.0) if the primary purpose of the VPN is to allow connection to that network? I mean, would it still be able to communicate with the 192.168.1.0 network?

Thanks again.

Jouni Forss (VIP Alumni)

Hi,

The VPN pool can be pretty much any network. The ASA will handle the traffic forwarding for the network you use for the VPN Pool. Actually, when you connect with a VPN Client you will automatically see the IP address that the VPN Client got from the ASA in the routing table of the ASA if you check the output of "show route" command.

I tend to avoid configuring VPN Pool IP addresses from the same network that is located behind the ASA itself.

Naturally, if you change the VPN Pool you will have to take this into account in the NAT0 configurations also, and in anything else you might have configured related to the original VPN Pool.

But if everything is working fine for you, then you naturally don't have to change anything if you don't want to.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Yes, and thank you.