Can't connect to internal lans via vpn

taifriends2
Level 1

Hi All,

Please, I've been given an ASA 5505 to configure for remote access VPN.

I can establish a VPN connection to the ASA 5505 but can't access any of the internal VLANs/subnets. I configured three of the ASA ports for connection into each of the internal subnets/VLANs via a switch. Given below is my full configuration. I would be very grateful if someone could have a look and tell me where I have gone wrong. If you need further details, please let me know.

Thank you very much; I look forward to hearing from you.

ASA5505# sh run
: Saved
:
ASA Version 8.3(1)
!
enable password bLjadbVl0mgRQWih encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 217.x.x.x 255.255.255.128
!
interface Vlan4
nameif inside-vlan2
security-level 100
ip address 10.x.x.x 255.255.255.0
!
interface Vlan5
nameif inside-vlan3
security-level 100
ip address 10.x.x.x 255.255.255.0
!
interface Vlan6
nameif inside-vlan4
security-level 100
ip address 10.x.x.x 255.255.255.0
!
interface Vlan7
no nameif
no security-level
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 4
!
interface Ethernet0/3
switchport access vlan 5
!
interface Ethernet0/4
switchport access vlan 6
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name abc.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network internal_lan
subnet 10.0.96.0 255.255.240.0
object network obj-vpnpool
subnet 192.168.35.0 255.255.255.0
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended deny ip any any log
pager lines 24
logging enable
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu inside-vlan2 1500
mtu inside-vlan3 1500
mtu inside-vlan4 1500
ip local pool vpnpool 192.168.35.1-192.168.35.254
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static obj-vpnpool obj-vpnpool
!
object network obj_any
nat (inside,outside) dynamic interface
object network internal_lan
nat (inside,outside) dynamic interface
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 217.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy remotevpn internal
group-policy remotevpn attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
username asa_vpn password zBQOtpJm.bu5EsGX encrypted
tunnel-group remotevpn type remote-access
tunnel-group remotevpn general-attributes
address-pool vpnpool
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a51b9ea891f12bb54975b0f0483d89ba
: end
ASA5505#

Accepted Solution

Heyy It's great to hear that it is working and that you were able to figure it out.

It was nice working with you.

Have fun!

PS: Please remember to mark this question as answered. Thanks!!!


27 Replies

mvsheik123
Level 7

Hello,

Can you try removing "access-list outside-in extended deny ip any any log"?

Thx

MS

taifriends2
Level 1

Hi MS,

I have done as you said. The ASA has been brought to the office for the moment to make the changes, because I can't log in to it remotely despite setting up both telnet and SSH remote administration. I'll get back to you as soon as I have tested the new changes.

Thank you for your prompt response.

Farinde.

Hi MS

I've tried the option of deleting the access-list, but I still can't connect to the internal network.

Mukaila,

You have a NAT 0 ACL; however, you forgot to apply it.

Add the following command to your config:

nat (inside) 0 access-list nat0_acl

Regards,

Raga

Hi Raga,

Thanks for your response. As I'm using ASA 5505 version 8.3, it says this command is deprecated. Instead I used:

nat (inside,outside) 1 source static any any destination static obj-vpnpool obj-vpnpool

I see, I didn't notice that.

I think I see what your problem is: you would need to add that same type of exemption rule for inside-vlan2, inside-vlan3 and inside-vlan4 instead of "inside".

Give it a try and let me know how it goes.

 
[VPN client statistics screenshot; only the address 172.16.8.20 survives]

Thanks, Raga, for noticing that. I tried to make the change as you said, but it's still not connecting. I checked the VPN client statistics and it's giving me the status displayed above. Please help me have a look; I hope it helps.

Can you post the output of the following two commands:

sh run nat

sh cry ipsec sa

Thanks.

Thanks, Raga. Here is the output:

ASA5505# sh run nat
nat (inside-vlan2,outside) source static any any destination static obj-vpnpool obj-vpnpool
nat (inside-vlan3,outside) source static any any destination static obj-vpnpool obj-vpnpool
nat (inside-vlan4,outside) source static any any destination static obj-vpnpool obj-vpnpool
!
object network obj_any
nat (inside,outside) dynamic interface
object network internal_lan
nat (inside,outside) dynamic interface
ASA5505#
ASA5505#
ASA5505#

......................................................

ASA5505# sh cry ipsec sa

There are no ipsec sas
ASA5505#
ASA5505#
ASA5505#
ASA5505#

Thanks a lot

Hi Mukaila,

Sorry, I forgot to say "while connected through the VPN client".

I'd like to see if your ASA is decrypting the packets that the VPN client is encrypting.

Please connect a VPN client and then grab the output of the sh crypto ipsec sa.

Thanks!

Hi Raga, here is the output:

ASA5505# sh cry ipsec sa
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 217.x.x.x

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.35.2/255.255.255.255/0/0)
      current_peer: 217.x.x.x, username: asa_vpn      dynamic allocated peer ip: 192.168.35.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 217.x.x.x/4500, remote crypto endpt.: 217.x.x.x/49808
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: F1B6B767
      current inbound spi : 34821647

    inbound esp sas:
      spi: 0x34821647 (880940615)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 24576, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28730
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xF1B6B767 (4055283559)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 24576, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28730
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA5505#
ASA550# sh cry ipsec sa
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 217.x.x.x

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.35.2/255.255.255.255/0/0)
      current_peer: 217.x.x.x, username: asa_vpn
      dynamic allocated peer ip: 192.168.35.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 217.x.x.x/4500, remote crypto endpt.: 217.x.x.x/49808
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: F1B6B767
      current inbound spi : 34821647

    inbound esp sas:
      spi: 0x34821647 (880940615)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 24576, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28587
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000001FF
    outbound esp sas:
      spi: 0xF1B6B767 (4055283559)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 24576, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28580
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA5505#
ASA5505#
ASA5505#

Thanks.

I still think it is a NAT issue. Let me check the syntax of the NAT bypass on the 8.4 version. I'll get back to you.
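As an added example that is not part of this thread, a small Python check for the two things Raga is looking at: which inside interfaces still lack an identity (twice) NAT rule towards the VPN pool in "sh run nat", and whether the "sh cry ipsec sa" counters show one-way traffic (decrypting but never encrypting). The interface names and the obj-vpnpool object come from the posted config; the two input strings are constructed from the outputs above.

```python
import re

# Constructed sample input, taken from the "sh run nat" output in this thread:
# the "inside" interface has no exemption line, the three VLAN interfaces do.
INSIDE_INTERFACES = ["inside", "inside-vlan2", "inside-vlan3", "inside-vlan4"]
SHOW_RUN_NAT = """\
nat (inside-vlan2,outside) source static any any destination static obj-vpnpool obj-vpnpool
nat (inside-vlan3,outside) source static any any destination static obj-vpnpool obj-vpnpool
nat (inside-vlan4,outside) source static any any destination static obj-vpnpool obj-vpnpool
!
object network obj_any
nat (inside,outside) dynamic interface
"""
# Constructed sample: the counter lines from the "sh cry ipsec sa" output above.
SHOW_CRYPTO_SA = """\
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
"""

NAT_EXEMPT_RE = re.compile(
    r"^nat \((?P<src>[\w-]+),(?P<dst>[\w-]+)\) source static (?P<a>\S+) (?P<b>\S+)"
    r" destination static (?P<c>\S+) (?P<d>\S+)$")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def interfaces_missing_exemption(show_run_nat, inside_ifaces, pool_obj, outside="outside"):
    """Inside interfaces with no identity (twice) NAT rule towards the VPN pool.
    On 8.3+ the rule is per interface pair, so each inside interface needs one."""
    covered = set()
    for line in show_run_nat.splitlines():
        m = NAT_EXEMPT_RE.match(line.strip())
        # Identity NAT: real == mapped on both sides, destination is the pool object.
        if m and m["dst"] == outside and m["a"] == m["b"] and m["c"] == m["d"] == pool_obj:
            covered.add(m["src"])
    return [i for i in inside_ifaces if i not in covered]

def sa_direction(show_crypto_sa):
    """Classify a tunnel from its encaps/decaps counters. decaps > 0 with
    encaps == 0 means the ASA decrypts client traffic but never sends anything
    back through the tunnel: look at inside NAT, routing or ACLs, not at IKE."""
    counts = {k: int(v) for k, v in COUNTER_RE.findall(show_crypto_sa)}
    encaps, decaps = counts.get("encaps", 0), counts.get("decaps", 0)
    if decaps == 0:
        return "no-traffic"
    return "one-way" if encaps == 0 else "two-way"
```

Run against the outputs above it reports "inside" as the only interface without an exemption and classifies the tunnel as one-way, which is exactly the pattern of a working IPsec session with a broken return path.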

Thank you very much. I'm deeply grateful for the time you have given me. I'll be waiting for your reply.

Hi there,

Try adding the individual subnets rather than the summarized address (10.0.96.0/255.255.240.0). Also, once connected, enable 'debug icmp trace' on the ASA and ping an internal IP from the VPN-connected client. Post the output.

Thx

MS
