06-20-2019 06:46 AM - edited 02-21-2020 09:41 PM
Hi All,
I'm configuring remote access on an ASA5505 and have hit a popular stumbling block. The remote access VPN has connected, but I cannot access internal resources or the internet. Weirdly, I can ping the external interface. It's a full-tunnel VPN.
I've done a lot of Googling, and from what I can see NAT is usually the source of the fix; however, my ASA isn't doing NAT. I have another firewall terminating the internet connection, which is then connected to an L3 switch. The VPN firewall (ASA5505) is then connected to the layer 3 switch (see attached diagram). So all the NATing is done on the other firewall. My remote client is getting the correct IP address (10.8.248.100) with the default gateway of 10.8.248.1 (which I've configured on VLAN248).
The traffic path is:
Internet to Edge Firewall (White in diagram)
Edge Firewall to ASA VPN firewall (red in diagram) via VLAN999
ASA VPN firewall to internal resources via vlan 325
Below is my config. Can anyone shed any light on why I'm not having any luck?
ciscoasa# show run
: Saved
:
: Serial Number:
: Hardware: ASA5505
:
ASA Version 9.1(6)8
!
hostname ciscoasa
enable password PW encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool POOL 10.8.248.100-10.8.248.110 mask 255.255.255.0
!
interface Ethernet0/0
switchport trunk allowed vlan 248,324-325
switchport mode trunk
description TO-INTERNAL
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
switchport access vlan 999
description ASA-OUTSIDE
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan240
no nameif
no security-level
no ip address
!
interface Vlan248
nameif VPN-VLAN
security-level 100
ip address 10.8.248.1 255.255.255.0
!
interface Vlan325
nameif INTERNAL
security-level 100
ip address 172.16.224.5 255.255.255.252
!
interface Vlan999
description ASA-OUTSIDE
nameif OUTSIDE
security-level 0
ip address 172.16.99.1 255.255.255.252
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.8.248.96_28
subnet 10.8.248.96 255.255.255.240
access-list ACL_OUTSIDE extended permit icmp any any echo-reply
pager lines 24
logging buffered informational
mtu INTERNAL 1500
mtu OUTSIDE 1500
mtu VPN-VLAN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INTERNAL
icmp permit any OUTSIDE
icmp permit any VPN-VLAN
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
router ospf 1
router-id 172.16.224.5
network 10.8.248.0 255.255.255.0 area 0
network 172.16.224.0 255.255.255.252 area 0
network 172.16.224.4 255.255.255.252 area 0
log-adj-changes
!
route OUTSIDE 0.0.0.0 0.0.0.0 172.16.99.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 INTERNAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 INTERNAL
ssh 172.16.99.0 255.255.255.252 OUTSIDE
ssh 10.8.248.0 255.255.255.0 VPN-VLAN
ssh 172.16.99.0 255.255.255.0 VPN-VLAN
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable OUTSIDE
anyconnect-essentials
anyconnect image disk0:/anyconnect/anyconnect-win-3.1.14018-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_TN-M internal
group-policy GroupPolicy_TN-M attributes
wins-server none
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol ssl-client
default-domain value tomnet.local
username admin password PW encrypted
tunnel-group TN-M type remote-access
tunnel-group TN-M general-attributes
address-pool POOL
default-group-policy GroupPolicy_TN-M
tunnel-group TN-M webvpn-attributes
group-alias TN-M enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#
Many Thanks,
Tom
06-21-2019 06:11 AM
Why do you have the below VPN VLAN defined?
interface Vlan248
nameif VPN-VLAN
security-level 100
ip address 10.8.248.1 255.255.255.0
This is not required for you to route traffic to the VPN users. The route for the VPN users should show up on the External interface with respect to the VPN ASA. This interface will cause it to route to a connected VLAN, which serves no purpose. Try removing that VLAN interface.
Also, share your routing table from the VPN ASA if possible.
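The overlap this reply points at can be checked mechanically. The script below is an added example, not part of the thread: it parses the `ip local pool` line and the interface `ip address` lines of an ASA running-config (a constructed excerpt of the posted config is embedded) and reports any pool whose addresses fall inside a directly connected interface subnet.

```python
import ipaddress
import re

# Constructed excerpt modelled on the running-config posted above (not the full dump).
SAMPLE_CONFIG = """
ip local pool POOL 10.8.248.100-10.8.248.110 mask 255.255.255.0
interface Vlan248
 nameif VPN-VLAN
 ip address 10.8.248.1 255.255.255.0
interface Vlan325
 nameif INTERNAL
 ip address 172.16.224.5 255.255.255.252
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^ip address (\S+) (\S+)")

def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                ipaddress.ip_address(m.group(3)))
    return pools

def parse_interfaces(config):
    """Return {interface_name: connected IPv4Network} for interfaces with an address."""
    nets, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        m = IFACE_RE.match(s)
        if m:
            current = m.group(1)      # remember which interface block we are in
            continue
        m = ADDR_RE.match(s)
        if m and current:
            nets[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets

def find_pool_overlaps(config):
    """List (pool, interface, network) where pool addresses sit in a connected subnet.
    Such an overlap attracts client traffic to the connected VLAN instead of the
    per-client host route the ASA installs towards the tunnel interface."""
    overlaps = []
    nets = parse_interfaces(config)
    for pool, (first, last) in parse_pools(config).items():
        for iface, net in nets.items():
            if first in net or last in net:
                overlaps.append((pool, iface, str(net)))
    return overlaps
```

Run against the posted config it flags POOL against Vlan248 (10.8.248.0/24), which is exactly the interface the reply suggests removing.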
06-25-2019 03:43 AM
Hi,
Many Thanks for your response. I'll give this a go and see what happens.
Kind Regards,
Tom