02-10-2015 01:45 PM - edited 02-21-2020 08:04 PM
I have an ASA 5505 that we set up a VPN connection to recently. Everything on our internal VLAN (120) works fine when using the VPN, although VPN clients cannot access the Voice VLAN (200). I have added the voice network to the ACL list and mapped it to the AnyConnect connection profile. Still a no go. Any ideas? Config below.
!
interface Vlan2
nameif outside
security-level 0
ip address 255.255.255.252
!
banner login WARNING!!! This is a private network device. Authorized access only. Unauthorized access is not allowed and will be logged, proper action will be taken.
banner motd Don't access this router without proper authorization.
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
name-server 75.75.76.76
domain-name valleyview.local
object network obj-10.193.5.248
subnet 10.193.5.248 255.255.255.248
object network obj-10.193.5.0
subnet 10.193.5.0 255.255.255.0
object network obj-10.193.5.230
host 10.193.5.230
object network obj-10.193.5.230-02
host 10.193.5.230
object network obj-10.193.5.230-03
host 10.193.5.230
object network obj-10.193.5.77
host 10.193.5.77
object network obj-10.193.5.77-01
host 10.193.5.77
object network obj-10.193.5.230-04
host 10.193.5.230
object network obj-10.193.5.230-05
host 10.193.5.230
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Exchange
host 10.193.5.230
object network VPN_NETWORK
subnet 192.168.22.0 255.255.255.248
object network Voice_Network
subnet 10.200.1.0 255.255.255.0
description Voice Network
object network VPN_CLIENTS
subnet 192.168.22.0 255.255.255.248
object network NETWORK_OBJ_192.168.22.0_29
subnet 192.168.22.0 255.255.255.248
object-group network DM_INLINE_NETWORK_1
network-object 0.0.0.0 0.0.0.0
network-object object Voice_Network
access-list inside_out extended permit ip host 10.193.5.230 any4
access-list inside_out extended deny tcp 10.193.5.0 255.255.255.0 any4 eq smtp log debugging
access-list inside_out extended permit ip 10.193.5.0 255.255.255.0 any4
access-list inside_out extended permit ip object Voice_Network any
access-list inside_out extended permit ip object VPN_CLIENTS any inactive
access-list extended extended permit gre any4 host 173.163.35.105
access-list oustside_in extended permit gre any4 host 173.163.35.105 inactive
access-list VPNUsers_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any4 10.193.5.248 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.193.5.0 255.255.255.0 10.193.5.248 255.255.255.248
access-list DefaultRAGroup_splitTunnelAcl standard permit any4
access-list VPN_splitTunnelAcl standard permit any4
access-list vvn-vpn_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq www inactive
02-10-2015 02:03 PM
You need the route inside command, so whatever is doing your routing, let's say you have a router or layer 3 switch on the same subnet as the ASA (10.193.5.0), and let's say the IP address of that switch/router is 10.193.5.2, then you would need to add the command "route inside 10.200.1.0 255.255.255.0 10.193.5.2". Also, for security purposes you should never post the outside IP of your firewall on these threads or anywhere in general; either make them x.x.x.x or something made up like 1.1.2.2.
Also, in your split tunnel config under your group-policy for VPN you should have an ACL that matches the split-tunnel; that ACL should look something like: access-list VPN_splitTunnelAcl extended permit ip 10.200.1.0 255.255.255.0 192.168.22.0 255.255.255.248.
I am not sure if that is the correct ACL as you have 2 referenced for VPN. Also, you will want to make sure you do not NAT traffic from the voice subnet 10.200.1.0 to the VPN subnet 192.168.22.0.
Let me know if that makes sense
Thanks
02-11-2015 10:57 AM
Fitz, thanks for the reply.
I do have a few questions though. The route inside command, are you saying that needs to be placed on my layer 3 switch attached to the ASA? From the switches you can ping across VLANs as they are routed interfaces on the layer 3 switch. The traffic just gets dropped when trying to ping the 10.200.X.X VLAN from the VPN client.
02-11-2015 11:11 AM
No, you want to place the route inside command on the ASA, because the ASA has no knowledge of that subnet, so you need to tell it how to get to that subnet with the route inside command. Whatever switch is the gateway for the 10.200.1.0 network should be the IP you point the route inside command to, so it should look something like "route inside 10.200.1.0 255.255.255.0 10.193.5.2" <--------- 10.193.5.2 is just an example; you would use whatever IP address is on the switch that does the routing for the network.
That should allow access from the VPN pool to the 10.200.1.0 network.
02-11-2015 11:20 AM
I went ahead and issued the route inside 10.200.1.0 255.255.255.0 10.193.5.1 command on the ASA and I am still unable to ping that VLAN from the VPN.
EDIT
From the ASA I am able to ping the 10.200.1.0 subnet, just not from the VPN.
02-11-2015 11:23 AM
Ok, get a show running-config of the ASA and send it to me or post it here; you can leave out the IP address of the outside interface and any passwords for security purposes. I can review it; you might need to modify your access-list for split-tunnel traffic.
Thanks
02-11-2015 11:28 AM
As requested
Result of the command: "sh run"
: Saved
:
ASA Version 9.1(4)
!
hostname vvnrt0
domain-name valleyview.local
enable password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd Hex3HvOKW72M49oO encrypted
names
ip local pool VPNIPPool 10.193.5.251-10.193.5.254 mask 255.255.255.0
ip local pool VPN_IP_Pool 192.168.22.1-192.168.22.6 mask 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.193.5.193 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 255.255.255.252
!
banner login WARNING!!! This is a private network device. Authorized access only. Unauthorized access is not allowed and will be logged, proper action will be taken.
banner motd Don't access this router without proper authorization.
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 75.75.75.75
name-server 75.75.76.76
domain-name valleyview.local
object network obj-10.193.5.248
subnet 10.193.5.248 255.255.255.248
object network obj-10.193.5.0
subnet 10.193.5.0 255.255.255.0
object network obj-10.193.5.230
host 10.193.5.230
object network obj-10.193.5.230-02
host 10.193.5.230
object network obj-10.193.5.230-03
host 10.193.5.230
object network obj-10.193.5.77
host 10.193.5.77
object network obj-10.193.5.77-01
host 10.193.5.77
object network obj-10.193.5.230-04
host 10.193.5.230
object network obj-10.193.5.230-05
host 10.193.5.230
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Exchange
host 10.193.5.230
object network VPN_NETWORK
subnet 192.168.22.0 255.255.255.248
object network Voice_Network
subnet 10.200.1.0 255.255.255.0
description Voice Network
object network VPN_CLIENTS
subnet 192.168.22.0 255.255.255.248
object network NETWORK_OBJ_192.168.22.0_29
subnet 192.168.22.0 255.255.255.248
object-group network DM_INLINE_NETWORK_1
network-object 0.0.0.0 0.0.0.0
network-object object Voice_Network
access-list inside_out extended permit ip host 10.193.5.230 any4
access-list inside_out extended deny tcp 10.193.5.0 255.255.255.0 any4 eq smtp log debugging
access-list inside_out extended permit ip 10.193.5.0 255.255.255.0 any4
access-list inside_out extended permit ip object Voice_Network any
access-list inside_out extended permit ip object VPN_CLIENTS any inactive
access-list extended extended permit gre any4 host 173.163.35.105
access-list oustside_in extended permit gre any4 host 173.163.35.105 inactive
access-list VPNUsers_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any4 10.193.5.248 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.193.5.0 255.255.255.0 10.193.5.248 255.255.255.248
access-list DefaultRAGroup_splitTunnelAcl standard permit any4
access-list VPN_splitTunnelAcl standard permit any4
access-list vvn-vpn_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq www inactive
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq https inactive
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq 987 inactive
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq 4125 inactive
access-list outside_in extended permit tcp any4 host 10.193.5.77 eq 8081 inactive
access-list outside_in extended permit tcp any4 host 10.193.5.77 eq 1099 inactive
access-list outside_in extended permit tcp any4 host 10.193.5.230 eq smtp inactive
access-list outside_in extended permit ip any object Voice_Network
access-list outside_in extended permit ip object VPN_CLIENTS 10.200.1.0 255.255.255.0 inactive
access-list All_VPN_Access extended permit ip object NETWORK_OBJ_192.168.22.0_29 object Voice_Network
access-list All_VPN_Access extended permit ip any object Voice_Network
access-list All_VPN_Access extended permit ip any any
access-list global_access extended permit ip object Voice_Network any
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static any any destination static obj-10.193.5.248 obj-10.193.5.248 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.193.5.0 obj-10.193.5.0 destination static obj-10.193.5.248 obj-10.193.5.248 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.22.0_29 NETWORK_OBJ_192.168.22.0_29 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.22.0_29 NETWORK_OBJ_192.168.22.0_29 no-proxy-arp route-lookup
!
object network obj-10.193.5.230-02
nat (inside,outside) static interface service tcp 4125 4125
object network obj-10.193.5.230-03
nat (inside,outside) static interface service tcp 987 987
object network obj-10.193.5.77
nat (inside,outside) static interface service tcp 1099 1099
object network obj-10.193.5.77-01
nat (inside,outside) static interface service tcp 8081 8081
object network obj-10.193.5.230-04
nat (inside,outside) static interface service tcp smtp smtp
object network obj-10.193.5.230-05
nat (inside,outside) static interface service tcp pptp pptp
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_out in interface inside
access-group outside_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 173.163.35.106 1
route inside 10.200.1.0 255.255.255.0 10.193.5.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPNUGRP protocol ldap
aaa-server VPNUGRP (outside) host 10.193.5.230
timeout 5
server-type auto-detect
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.193.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.193.5.0 255.255.255.0 inside
telnet timeout 30
ssh 10.193.5.0 255.255.255.0 inside
ssh 255.255.255.255 outside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 75.75.75.75 75.75.76.76
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.193.5.230
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vvn-vpn_splitTunnelAcl
default-domain value valleyview.local
address-pools value VPN_IP_Pool
group-policy DfltGrpPolicy attributes
dns-server value 10.193.5.230
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vvn-vpn_splitTunnelAcl
address-pools value VPN_IP_Pool
group-policy GroupPolicy_Valley_View_VPN internal
group-policy GroupPolicy_Valley_View_VPN attributes
wins-server none
dns-server value 10.193.5.230 75.75.75.75
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain value valleyview.local
split-dns value valleyview.local
address-pools value VPN_IP_Pool
username bcleary password encrypted privilege 15
username bcleary attributes
vpn-group-policy DfltGrpPolicy
username test password encrypted
username morefieldcomm password encrypted
username Vendor password encrypted privilege 0
username Vendor attributes
vpn-group-policy DfltGrpPolicy
username swthomas password encrypted
username compugen password encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPNIPPool
default-group-policy GroupPolicy_Valley_View_VPN
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy GroupPolicy_Valley_View_VPN
tunnel-group Valley_View_VPN type remote-access
tunnel-group Valley_View_VPN general-attributes
address-pool VPN_IP_Pool
default-group-policy GroupPolicy_Valley_View_VPN
tunnel-group Valley_View_VPN webvpn-attributes
group-alias Valley_View_VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
smtp-server 10.193.5.230
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end
02-11-2015 11:40 AM
Try adding the following 2 commands to the ASA, disconnect from the VPN and try again:
nat (inside,outside) source static Voice_Network Voice_Network destination static VPN_NETWORK VPN_NETWORK
!
!
!
access-list vvn-vpn_splitTunnelAcl extended permit ip 10.200.1.0 255.255.255.0 192.168.22.0 255.255.255.248
02-11-2015 11:56 AM
Didn't work, looks like a syntax issue maybe:
vvnrt0(config)# nat (inside,outside) source Voice_Network Voice_Network destin$
nat (inside,outside) source Voice_Network Voice_Network destination static VPN_N
^ETWORK VPN_NETWORK
ERROR: % Invalid input detected at '^' marker.
vvnrt0(config)# nat (inside,outside) source 10.200.1.0 255.255.255.0 10.200.1.$
nat (inside,outside) source 10.200.1.0 255.255.255.0 10.200.1.0 255.255.255.0 de
^stination static VPN_NETWORK VPN_NETWORK
ERROR: % Invalid input detected at '^' marker.
vvnrt0(config)# access
vvnrt0(config)# access-list vvn-vpn_splitTunnelAcl extended permit ip 10.200.1$
ERROR: Cannot mix different types of access lists
ERROR: <vvn-vpn_splitTunnelAcl> cannot be created
02-11-2015 12:11 PM
Ok, for the vvn-vpn_splitTunnelAcl access-list you need to remove the standard access-list you are already using and add them back in as an extended access-list:
NO access-list vvn-vpn_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
!
access-list vvn-vpn_splitTunnelAcl extended permit ip 10.193.5.0 255.255.255.0 192.168.22.0 255.255.255.248
!
access-list vvn-vpn_splitTunnelAcl extended permit ip 10.200.1.0 255.255.255.0 192.168.22.0 255.255.255.248
!
The command I posted above has the word static at the beginning; it does not look like you copied the complete command in yours:
nat (inside,outside) source static Voice_Network Voice_Network destination static VPN_NETWORK VPN_NETWORK
Try that again and let me know.
Thanks
!
02-11-2015 12:30 PM
Fitz, you the man!!! Adding the 10.200.1.0/24 network to the vvn-vpn_splitTunnelAcl ACL seemed to fix the issue!!
Thanks for all your help.
02-11-2015 12:34 PM
Ok great! Glad it's working, take care!
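As an added example that is not part of the thread, the Python below lints a running-config excerpt for the three gaps the replies converge on: a split-tunnel ACL bound to the group-policy that covers the voice subnet, an identity NAT (exemption) between the voice subnet and the VPN pool, and a route inside for the voice subnet. The object and ACL names come from the posted config; the excerpts are constructed to mirror it before and after the fix, and the check functions are my own, not an ASA or Cisco tool.

```python
import re

VOICE = "10.200.1.0 255.255.255.0"          # voice VLAN from the thread
VPN_POOL = "192.168.22.0 255.255.255.248"   # AnyConnect address pool from the thread

# Constructed excerpt mirroring the posted 'sh run' before the fix.
CONFIG_BEFORE = """\
object network VPN_NETWORK
 subnet 192.168.22.0 255.255.255.248
object network Voice_Network
 subnet 10.200.1.0 255.255.255.0
access-list vvn-vpn_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0
route inside 10.200.1.0 255.255.255.0 10.193.5.1 1
group-policy DfltGrpPolicy attributes
 split-tunnel-network-list value vvn-vpn_splitTunnelAcl
"""
# Same excerpt with the accepted fix applied: extended split-tunnel ACL plus identity NAT.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "access-list vvn-vpn_splitTunnelAcl standard permit 10.193.5.0 255.255.255.0\n",
    "access-list vvn-vpn_splitTunnelAcl extended permit ip 10.193.5.0 255.255.255.0 192.168.22.0 255.255.255.248\n"
    "access-list vvn-vpn_splitTunnelAcl extended permit ip 10.200.1.0 255.255.255.0 192.168.22.0 255.255.255.248\n"
    "nat (inside,outside) source static Voice_Network Voice_Network destination static VPN_NETWORK VPN_NETWORK\n")

def parse_objects(cfg):
    """Map each 'object network NAME' to the subnet/host string it defines."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)$", line)
        if m:
            cur = m.group(1)
        elif cur and line.strip().startswith(("subnet ", "host ")):
            parts = line.split()
            objs[cur] = " ".join(parts[1:]) if parts[0] == "subnet" else parts[1] + " 255.255.255.255"
    return objs

def has_identity_nat(cfg, objs, src, dst):
    """Twice-NAT rule that maps src->src and dst->dst, i.e. a NAT exemption."""
    pat = re.compile(r"nat \(inside,outside\) source static (\S+) (\S+) destination static (\S+) (\S+)")
    for m in filter(None, map(pat.match, cfg.splitlines())):
        a, a2, b, b2 = m.groups()
        if a == a2 and b == b2 and objs.get(a) == src and objs.get(b) == dst:
            return True
    return False

def lint(cfg):
    """Return the gaps that would stop VPN clients reaching the voice VLAN."""
    lines = cfg.splitlines()
    acls = re.findall(r"split-tunnel-network-list value (\S+)", cfg)
    # Any permit ACE (standard or extended) naming the voice subnet in a bound split-tunnel ACL.
    covered = any(l.startswith(f"access-list {a} ") and " permit " in l and VOICE in l
                  for a in acls for l in lines)
    findings = []
    if not covered:
        findings.append("split-tunnel ACL does not include the voice subnet")
    if not has_identity_nat(cfg, parse_objects(cfg), VOICE, VPN_POOL):
        findings.append("no identity NAT (exemption) between voice subnet and VPN pool")
    if not any(l.startswith(f"route inside {VOICE} ") for l in lines):
        findings.append("no route inside for the voice subnet")
    return findings
```

Running `lint(CONFIG_BEFORE)` reports the missing split-tunnel entry and the missing exemption, matching what the thread found; `lint(CONFIG_AFTER)` reports nothing.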