cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3815
Views
0
Helpful
6
Replies

Can't access VPN from inside network

benlemasurier
Level 1
Level 1

Hey Everyone,

I have an ASA 5510 which works great except I'm unable to connect to the remote access VPN from inside the network (behind the ASA). Is there a special NAT exemption required? What am I doing wrong here?

Here's my running-config (sanitized):

ASA Version 8.4(3)

!

terminal width 200

hostname gw

domain-name internal.example.com

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 216.x.x.x 255.255.255.224

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.0.1 255.255.255.0

!

interface Ethernet0/2

nameif vpn

security-level 100

ip address 172.16.0.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone MST -7

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

domain-name internal.example.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network public_pool

range 216.x.x.x 216.x.x.x

object network public_dc

subnet 204.x.x.x 255.255.255.224

object network public_secondary

subnet 68.64.214.16 255.255.255.248

object network subnet_a

subnet 192.168.20.0 255.255.255.0

object network subnet_a_wireless

subnet 192.168.21.0 255.255.255.0

object network subnet_b

subnet 192.168.10.0 255.255.255.0

object network subnet_b_wireless

subnet 192.168.11.0 255.255.255.0

object network subnet_c

subnet 192.168.30.0 255.255.255.0

object network subnet_c_wireless

subnet 192.168.31.0 255.255.255.0

object network subnet_dc

subnet 10.10.10.0 255.255.255.192

object network subnet_server

subnet 192.168.5.0 255.255.255.0

object network NETWORK_OBJ_192.168.0.0_24

subnet 192.168.0.0 255.255.255.0

object network subnet_primary

subnet 192.168.0.0 255.255.255.0

object network subnet_192.168.0.0

subnet 192.168.0.0 255.255.0.0

object network vpn_nat

subnet 192.168.0.0 255.255.0.0

object network obj-192.168

subnet 192.168.0.0 255.255.255.0

object-group network internal_lan_wireless

network-object object subnet_b_wireless

network-object object subnet_c_wireless

network-object object subnet_a_wireless

object-group network company_trusted_lan

network-object object subnet_a

network-object object subnet_b

network-object object subnet_c

network-object object subnet_server

network-object object subnet_dc

network-object object subnet_primary

object-group network company_lan

network-object object subnet_a

network-object object subnet_a_wireless

network-object object subnet_b

network-object object subnet_b_wireless

network-object object subnet_c

network-object object subnet_c_wireless

network-object object subnet_dc

network-object object subnet_primary

network-object object subnet_server

object-group network company_lan_internal

network-object object subnet_a

network-object object subnet_a_wireless

network-object object subnet_b

network-object object subnet_b_wireless

network-object object subnet_c

network-object object subnet_c_wireless

network-object object subnet_primary

network-object object subnet_server

access-list inside_access_in extended permit ip any any log disable

access-list inside_access_in extended permit icmp any any

access-list global_access extended permit icmp any any log disable

access-list global_access extended permit ip any any log disable

access-list outside_access_in extended permit ip any any log disable

access-list outside_access_in extended permit icmp any any log disable

access-list split_tunnel extended permit ip object-group company_lan any log disable

access-list split_tunnel extended permit icmp object-group company_lan any log

access-list DC_VPN_TRAFFIC extended permit ip object subnet_192.168.0.0 object subnet_dc

access-list inside_acl extended permit ip object-group company_lan any

access-list inside_acl extended permit icmp object-group company_lan any

access-list outside_access_out extended permit ip any any log disable

access-list outside_access_out extended permit icmp any any log disable

pager lines 30

logging enable

logging buffered debugging

logging asdm notifications

mtu outside 1500

mtu inside 1500

mtu vpn 1500

mtu management 1500

ip local pool vpn_pool 192.168.0.101-192.168.0.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-647.bin

no asdm history enable

arp timeout 14400

nat (outside,outside) source static obj-192.168 obj-192.168 destination static subnet_dc subnet_dc no-proxy-arp route-lookup

nat (inside,outside) source static company_lan_internal company_lan_internal destination static company_lan company_lan no-proxy-arp route-lookup

!

nat (inside,outside) after-auto source dynamic company_lan_internal interface

access-group global_access global

!

router eigrp 10

no auto-summary

network 192.168.0.0 255.255.255.0

!

route outside 0.0.0.0 0.0.0.0 216.x.x.x

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server company protocol radius

aaa-server company (inside) host 192.168.5.x

key *

radius-common-pw *

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.0.0 inside

http redirect outside 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec fragmentation after-encryption outside

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map DC_VPN_MAP 1 match address DC_VPN_TRAFFIC

crypto map DC_VPN_MAP 1 set pfs

crypto map DC_VPN_MAP 1 set peer 204.x.x.x

crypto map DC_VPN_MAP 1 set ikev1 transform-set ESP-3DES-SHA

crypto map DC_VPN_MAP 1 set security-association lifetime seconds 2147483647

crypto map DC_VPN_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map DC_VPN_MAP interface outside

telnet timeout 5

ssh timeout 60

ssh version 2

console timeout 0

management-access inside

dhcpd address 192.168.0.20-192.168.0.100 inside

dhcpd dns 192.168.5.x interface inside

dhcpd wins 192.168.5.x interface inside

dhcpd ping_timeout 20 interface inside

dhcpd domain internal.example.com interface inside

dhcpd enable inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 91.189.94.4 source outside prefer

ssl trust-point anyconnect_trustpoint outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.3054-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

wins-server value 192.168.5.x

dns-server value 192.168.5.x

vpn-tunnel-protocol ikev1 ikev2 ssl-client

password-storage enable

split-tunnel-network-list value split_tunnel

default-domain value internal.example.com

group-policy DfltGrpPolicy attributes

dns-server value 8.8.8.8

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel

default-domain value internal.example.com

group-policy company internal

group-policy company attributes

wins-server value 192.168.5.x

dns-server value 192.168.5.x

vpn-tunnel-protocol ikev1

password-storage enable

split-tunnel-network-list value split_tunnel

default-domain value internal.example.com

group-policy GroupPolicy_company_anyconnect internal

group-policy GroupPolicy_company_anyconnect attributes

wins-server value 192.168.5.x

dns-server value 192.168.5.x

vpn-tunnel-protocol ikev2 ssl-client

password-storage enable

split-tunnel-network-list value split_tunnel

default-domain value internal.example.com

webvpn

  anyconnect profiles value company_anyconnect_client_profile type user

tunnel-group DefaultRAGroup general-attributes

address-pool vpn_pool

authentication-server-group company LOCAL

authentication-server-group (inside) company LOCAL

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group company LOCAL

authentication-server-group (inside) company LOCAL

tunnel-group company_anyconnect type remote-access

tunnel-group company_anyconnect general-attributes

address-pool vpn_pool

authentication-server-group company LOCAL

authentication-server-group (inside) company LOCAL

default-group-policy GroupPolicy_company_anyconnect

tunnel-group company_anyconnect webvpn-attributes

group-alias company_anyconnect enable

tunnel-group company type remote-access

tunnel-group company general-attributes

address-pool vpn_pool

authentication-server-group company LOCAL

authentication-server-group (inside) company LOCAL

default-group-policy company

tunnel-group company ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group DC_VPN type ipsec-l2l

tunnel-group 204.x.x.x type ipsec-l2l

tunnel-group 204.x.x.x ipsec-attributes

ikev1 pre-shared-key *

!

class-map CLASS_MAP_SSH

match port tcp eq ssh

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

class CLASS_MAP_SSH

  set connection random-sequence-number disable

  set connection timeout idle 0:00:00

  set connection decrement-ttl

class class-default

  user-statistics accounting

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

password encryption aes

: end

6 Replies 6

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

Do you mean you want to connect the VPN Client connection from your local LAN?

Dont think that is possible with your current configurations.

If you are trying what I mentioned above, what are you trying to achieve?

- Jouni

Hey Jouni,

That's exactly what I'm trying to do. The reason is because I'd like untrusted (wireless) users to be able to VPN in and get full network access.

rizwanr74
Level 7
Level 7

I would strongly recommand to change your vpn_pool range to something different from your side network.
So, lets change your vpn_pool range as shown below.


ip local pool vpn_pool 192.168.255.1-192.168.255.126 mask 255.255.255.128


object network obj-192.168
subnet 192.168.0.0 255.255.255.0

object network obj-vpn-clients
subnet 192.168.255.0 255.255.255.128


nat (inside,outside) source static obj-192.168 obj-192.168 destination static obj-vpn-clients obj-vpn-clients no-proxy-arp route-lookup

Let me know, if this helps.

thanks


That didn't work, it actually prevented VPN clients from routing any traffic at all.

Hi Ben,

If you are runnning a L3 switch inside your network, please make sure, that you have a static-route in place to push all vpn-client network traffic to FW's inside ip address, i.e. "192.168.0.1", i..e static-route on L3 switch.

Let me know, how that coming along.

thanks

ok, no difference. clients wireless or not have no issues reaching the outside world.