5349 Views, 0 Helpful, 27 Replies

Can't connect to internal lans via vpn

taifriends2 (Level 1)

Hi All,

Please, I've been given an ASA 5505 to configure for remote-access VPN.

I can establish a VPN connection to the ASA 5505 but can't access any of the internal VLANs/subnets. I configured three of the ASA ports for connection into each of the internal subnets/VLANs via a switch. Given below is my full configuration. I would be very grateful if someone could have a look and tell me where I have gone wrong. If you need further details, please let me know.

Thank you very much; looking forward to hearing from you.

ASA5505# sh run
: Saved
:
ASA Version 8.3(1)
!
enable password bLjadbVl0mgRQWih encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 217.x.x.x 255.255.255.128
!
interface Vlan4
nameif inside-vlan2
security-level 100
ip address 10.x.x.x 255.255.255.0
!
interface Vlan5
nameif inside-vlan3
security-level 100
ip address 10.x.x.x 255.255.255.0
!
interface Vlan6
nameif inside-vlan4
security-level 100
ip address 10.x.x.x 255.255.255.0
!
interface Vlan7
no nameif
no security-level
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 4
!
interface Ethernet0/3
switchport access vlan 5
!
interface Ethernet0/4
switchport access vlan 6
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name abc.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network internal_lan
subnet 10.0.96.0 255.255.240.0
object network obj-vpnpool
subnet 192.168.35.0 255.255.255.0
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended deny ip any any log
pager lines 24
logging enable
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu inside-vlan2 1500
mtu inside-vlan3 1500
mtu inside-vlan4 1500
ip local pool vpnpool 192.168.35.1-192.168.35.254
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static obj-vpnpool obj-vpnpool
!
object network obj_any
nat (inside,outside) dynamic interface
object network internal_lan
nat (inside,outside) dynamic interface
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 217.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy remotevpn internal
group-policy remotevpn attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
username asa_vpn password zBQOtpJm.bu5EsGX encrypted
tunnel-group remotevpn type remote-access
tunnel-group remotevpn general-attributes
address-pool vpnpool
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a51b9ea891f12bb54975b0f0483d89ba
: end
ASA5505#

27 Replies

Mukaila,

First remove the existing nat configuration

no nat (inside-vlan2,outside) source static any any destination static obj-vpnpool obj-vpnpool

no nat (inside-vlan3,outside) source static any any destination static obj-vpnpool obj-vpnpool

no nat (inside-vlan4,outside) source static any any destination static obj-vpnpool obj-vpnpool

Then apply this and test again:

nat (inside-vlan2,outside) source static obj-vpnpool obj-vpnpool

nat (inside-vlan3,outside) source static obj-vpnpool obj-vpnpool

nat (inside-vlan4,outside) source static obj-vpnpool obj-vpnpool

If it still doesn't work, remove those lines and try these ones instead:

nat (inside-vlan2,any) source static obj-vpnpool obj-vpnpool

nat (inside-vlan3,any) source static obj-vpnpool obj-vpnpool

nat (inside-vlan4,any) source static obj-vpnpool obj-vpnpool

I'm not entirely familiar yet with the whole NAT configuration on the newer versions, so I'm basically following what's stated here:

http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp60183

Please give it a try and let me know how it goes.

Thanks!

Hi MS and Raga,

Thanks for all your posts. I've deleted the summary. Still can't get through. I'll use your config as directed, Raga, and also have a look at the link you sent. I'll feed you back on the result.

Once again, thanks to all.

Is this the output while you VPN to the ASA and try to ping an internal IP from the client (192.168.10.x)? There is no traffic from or to your VPN client IP. Is the traffic generated from inside hosts hitting the ASA to reach 192.168.10.x?

Also, on the ASA enable the commands 'same-security-traffic permit intra-interface' & 'same-security-traffic permit inter-interface'.

Thx

MS

Hi MS,

It was the ping output from the client while I VPN to the ASA. I made the changes as directed from your last post ('same-security-traffic permit intra-interface' & 'same-security-traffic permit inter-interface').

thanks

Hello MS and Raga,

I think the problem with the connection has to do with "port forwarding". Because, going by the last post from MS, none of the traffic generated and encrypted through the VPN was received by the ASA device. I went through a link where it was stated that we need to enable port forwarding on UDP port 500 and UDP port 4500 to allow traffic to be forwarded to the ASA device. If anyone knows how to enable this, kindly let me know.

Thanks a lot for your time.

Farinde.

I don't think it has to do with port forwarding because your ASA is decrypting the packets as per the show crypto ipsec sa, so the packets are getting to the ASA and it is decrypting them.

Did you modify the nat rules ?

Could you post your latest config?  (you can use the advanced editor, top right corner of the reply box and add it as attachment)

If you scroll up a little to a previous post on this question you'll see where I pasted a copy of the print-screen capture of the VPN client statistics. I have packets encrypted and sent but I didn't have any packets decrypted and received. The packets getting to the ASA through the "sh crypto ipsec sa" are not from the VPN client IP address, i.e. 192.168.10.x.

Yes they are, look:

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.2/255.255.255.255/0/0)
current_peer: 217.10.151.235, username: office
dynamic allocated peer ip: 192.168.10.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

So basically your VPN Client encrypts the packet, the ASA decrypts it, sends it to the host, the host responds back, but the ASA is not encrypting anything back.

Do this:

- add the following command to the ASA:

management-access inside-vlan2

- Connect with the VPN client

- ping 10.0.103.3

Most likely you will get a response, packets encrypted and decrypted on both sides.

- ping another host on that subnet

If it fails then it is either NAT or routing, and I don't think you have any other routing devices on that subnet, right?

Then post either your latest config or at least the sh run nat and the show crypto ipsec sa (while still connected).

Thanks!

Mukaila, did you have any luck pinging the interface inside-vlan2?

Hi Raga,

Thank you for the post. Going by your post before this last one, I noticed you said traffic is getting to the ASA and also to the internal devices. Having this in mind, I carried out some debugging commands and noticed traffic actually gets to the internal LANs but not back to the ASA. I have started looking inward, probably for some clues in the internal switches' config. I'll feed you back later on today how it goes.

Thanks.

Farinde

Hi Raga and MS,

I'm happy to tell you that the VPN is now working!!! Going by my reply to you yesterday, Raga, traffic wasn't coming back to the ASA. I took a closer look at some of the switches and noticed that the default gateway on those switches was pointing elsewhere, not to the ASA inside interfaces configured. I changed these and it started working.

I really appreciate the contribution of both of you towards arriving at a solution. You're really doing a great work!!

Thanks a lot!!

Farinde.

Hey, it's great to hear that it is working and that you were able to figure it out.

It was nice working with you

Have fun!

PS: Please remember to mark this question as answered. Thanks!!!

Glad to hear that the issue was resolved. If it's fine with you, post the sanitized working config so that anyone looking for config help with this code gets the benefit.

Thx

MS
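The sanitized working config MS asks for never appears in the thread. What follows is an added example, not the original poster's configuration and not Cisco's documentation, that pulls together the pieces the thread arrives at in ASA 8.3 syntax: per-interface identity (NAT-exempt) twice-NAT rules for the VPN pool in place of the single `nat (inside,outside) source static any any ...` rule from the posted config, the two `same-security-traffic` commands MS suggested, the `management-access` command from Raga's test steps, and a definition for the split-tunnel list `splittunnel`, which the posted config references but never defines. The 10.0.103.0/24 subnet is inferred from the inside-vlan2 interface address 10.0.103.3 mentioned by Raga; the subnets behind inside-vlan3 and inside-vlan4 and the object names are assumptions chosen to fall inside the poster's `internal_lan` object (10.0.96.0/20).

```cisco
! Added example, not the poster's running config. Subnets for inside-vlan3 and
! inside-vlan4 are assumed; 10.0.103.0/24 comes from the interface IP 10.0.103.3.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network obj-vpnpool
 subnet 192.168.35.0 255.255.255.0
object network net-vlan2
 subnet 10.0.103.0 255.255.255.0
object network net-vlan3
 subnet 10.0.104.0 255.255.255.0
object network net-vlan4
 subnet 10.0.105.0 255.255.255.0
!
! Identity twice-NAT rules, one per inside interface. Twice NAT is evaluated
! before object NAT, so return traffic towards the VPN pool is never PATed to
! the outside interface address by the dynamic rules below.
nat (inside-vlan2,outside) source static net-vlan2 net-vlan2 destination static obj-vpnpool obj-vpnpool
nat (inside-vlan3,outside) source static net-vlan3 net-vlan3 destination static obj-vpnpool obj-vpnpool
nat (inside-vlan4,outside) source static net-vlan4 net-vlan4 destination static obj-vpnpool obj-vpnpool
!
! Internet access for the inside subnets (object NAT, evaluated after twice NAT).
object network net-vlan2
 nat (inside-vlan2,outside) dynamic interface
object network net-vlan3
 nat (inside-vlan3,outside) dynamic interface
object network net-vlan4
 nat (inside-vlan4,outside) dynamic interface
!
! Split-tunnel list referenced by the group policy; only these subnets go
! through the tunnel, everything else stays on the client's local path.
access-list splittunnel standard permit 10.0.103.0 255.255.255.0
access-list splittunnel standard permit 10.0.104.0 255.255.255.0
access-list splittunnel standard permit 10.0.105.0 255.255.255.0
!
group-policy remotevpn internal
group-policy remotevpn attributes
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
!
! Lets a VPN user ping the inside-vlan2 interface itself, which isolates an
! ASA-side NAT problem from a return-path problem on the LAN.
management-access inside-vlan2
!
! Root cause in this thread was not on the ASA: hosts and switches behind each
! inside VLAN must use that ASA interface as their default gateway, e.g. on a
! Catalyst IOS access switch (assumed) for the inside-vlan2 segment:
!   ip default-gateway 10.0.103.3
```

Raga's diagnostic in the thread maps onto this directly: `#pkts decaps` rising while `#pkts encaps` stays at 0 in `show crypto ipsec sa` means the client's packets are decrypted and forwarded, but nothing comes back to be encrypted. If the VPN user can ping the interface address (via `management-access`) but not a host behind it, the ASA-side NAT is fine and the fault is the return route on the LAN, which is exactly where the poster found it. The posted crypto settings (3DES, MD5, DH group 2) are left out of this example; they are weak by current standards and would be the next thing to revisit once the tunnel passes traffic.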