Cisco ASA 5505 SSL VPN Issue

j.muscatello (Level 1)

I've been called upon to fix the SSL VPN issues in our ASA5505. The issue I am having is that I am able to log into the VPN and access the internet, but I'm unable to access anything on the LAN. I can't use ping or use DNS. Can someone please help me figure this out?

I'm using ASDM v. 6.2(1) and ASA version 8.2(1). I'm not comfortable using the CLI and prefer the GUI.

13 Replies

ajay chauhan (Level 7)

Hi,

It seems you are missing a NAT exempt on your ASA LAN interface, from the LAN (DNS and the rest of the hosts) to the VPN pool.

This might help.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml

Thanks

Ajay

Ajay:

Thanks for the reply. After messing around a bit with split tunneling I have been able to get access internally (servers, etc.) and access externally (internet, email) while connected to the VPN. At this point I only have one problem, and that is DNS. I can get access to my servers and printers through IP address, but I can't get it to resolve the names. Can you or anyone help me out with that?

Thanks!

Josh

Hi Josh,

The only problem is with the return packets of DNS. Please add a no-NAT statement with the DNS server as source and your VPN pool as destination, and apply it to inside/DMZ, wherever your interface is.

Thanks

Ajay

Ajay:

Thanks for the suggestion. I went into FIREWALL, NAT RULES and I added a NAT EXEMPT RULE. I entered the IP address of my DNS server as the source and selected the VPN pool for my destination, and that didn't seem to fix the problem.

Any other suggestions?

Thanks,

Josh

Please post the configuration after removing passwords etc. Also mention the IP address of your DNS server.

Thanks

Ajay

Ajay:

Here is what I have. Let me know if this is enough. Thanks!

ASA Version 8.2(1)
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.xxx.xx.xxx 255.xxx.xxx.xxx
!
interface Ethernet0/0
 switchport access vlan 2
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.11
 domain-name xxxxxxx.local
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit xx.xxx.xx.xxx 255.xxx.xxx.xxx
access-list inside_nat0_outbound_1 extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Accounting_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLVPN 192.168.2.100-192.168.2.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 75.146.73.150 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

Please post the remote access configuration as well.

Thanks

Ajay

I'm not sure how to get to any other configuration besides the current running configuration.

Joshua,

The config you posted is truncated. It doesn't have anything about the group policies or tunnel groups.

Anyways, I think you are missing either the DNS server config or the split-DNS parameters on your group policy.

Your group policy should look something like this:

group-policy vpnpolicyx internal
group-policy vpnpolicyx attributes
 dns-server value x.x.x.x
 split-dns value yourcompany.local

Give it a try and let us know how it goes.

Thanks.

Raga

Raga:

Let me repost the config file. Can you walk me through making these changes through ASDM?

ASA Version 8.2(1)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xxx.xxx.145 255.xxx.xxx.xxx
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.11
 domain-name server.local
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit xx.xxx.xxx.144 255.xxx.xxx.xxx
access-list inside_nat0_outbound_1 extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Accounting_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLVPN 192.168.2.100-192.168.2.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xx.xxx.xx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 206.217.140.200 source outside prefer
ssl trust-point ASDM_TrustPoint7 outside
webvpn
 enable inside
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy Accounting internal
group-policy Accounting attributes
 dns-server value 192.168.1.11
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value northwind.local
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.1.11
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 address-pools value SSLVPN
 webvpn
  url-list value Default
  svc ask enable default webvpn
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

Sorry, I forgot you were using SSL. I don't have access to ASDM right now and I don't recall exactly where it is. It should be under the group policies, default group policy.

Using the CLI you would just need to go into config t and then type:

group-policy DfltGrpPolicy attributes
 split-dns value

As mentioned by Luis, you need to define the split-dns value; this will allow you to resolve extra domains, plus the default-domain (obtained from the ASA), over the VPN tunnel.

Get access to an internal computer and check the default-domain and use the exact same value.

In case it does not work, please make sure you can contact the DNS server, and if so, we would need to set up a packet capture on the ASA in order to see the DNS request coming in over the tunnel.
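The replies above name three separate prerequisites for name resolution over the tunnel: a nat 0 exemption from the DNS server to the VPN pool (Ajay), the DNS server's network in the split-tunnel list, and the split-dns / default-domain attributes on the group policy (Raga and the reply above). The following Python script is an added example, not code from this thread or from Cisco: it parses only those statement types out of an ASA 8.x running-config and reports which prerequisite is missing. It assumes the one-space sub-command indentation that "show running-config" prints (the copies pasted in this thread lost it); the sample text is constructed from the DNS-relevant lines of the last config posted here, and the second sample deliberately drops the nat 0 line to show the exemption finding.

```python
"""Added example: static check of an ASA 8.x config for the DNS-over-VPN prerequisites."""
import ipaddress

# Constructed sample: DNS-relevant lines from the thread's final config, with the
# one-space sub-command indentation that "show running-config" prints.
SAMPLE_CONFIG = """\
ip local pool SSLVPN 192.168.2.100-192.168.2.150 mask 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.1.11
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 split-dns value northwind.local
 address-pools value SSLVPN
"""
# Constructed variant without the NAT exemption, the situation Ajay's first reply describes.
SAMPLE_NO_EXEMPT = SAMPLE_CONFIG.replace("nat (inside) 0 access-list inside_nat0_outbound_1\n", "")


def _addr_spec(tok, i):
    """Consume one ASA address spec (any | host A.B.C.D | A.B.C.D MASK) at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract pools, permit ACEs, nat 0 bindings and group-policy attributes into dicts."""
    cfg = {"pools": {}, "acls": {}, "nat0": {}, "policies": {}}
    policy = None  # name of the "group-policy X attributes" block being read
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        tok = raw.split()
        if raw.startswith(" ") and policy is not None:
            # "<keyword> value <v>" or "<keyword> <v>" inside the attributes block
            vals = tok[2:] if len(tok) > 2 and tok[1] == "value" else tok[1:]
            cfg["policies"][policy][tok[0]] = " ".join(vals)
            continue
        policy = None
        if tok[:3] == ["ip", "local", "pool"]:
            first, last = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif tok[0] == "access-list" and len(tok) > 4 and tok[3] == "permit":
            if tok[2] == "standard":
                net, _ = _addr_spec(tok, 4)
                cfg["acls"].setdefault(tok[1], []).append((None, net))
            elif tok[2] == "extended" and tok[4] == "ip":  # only "permit ip" matters for nat 0
                src, j = _addr_spec(tok, 5)
                dst, _ = _addr_spec(tok, j)
                cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            cfg["nat0"][tok[1].strip("()")] = tok[4]
        elif tok[0] == "group-policy" and tok[-1] == "attributes":
            policy = tok[1]
            cfg["policies"].setdefault(policy, {})
    return cfg


def check_vpn_dns(cfg, policy, inside_if="inside"):
    """Return findings for one group policy; an empty list means every check passed."""
    attrs = cfg["policies"].get(policy)
    if attrs is None:
        return [f"{policy}: no 'group-policy {policy} attributes' block"]
    if "dns-server" not in attrs:
        return [f"{policy}: no dns-server value, so clients get no resolver over the tunnel"]
    dns_ip = ipaddress.ip_address(attrs["dns-server"].split()[0])  # first listed server
    pool = cfg["pools"].get(attrs.get("address-pools", ""))
    if pool is None:
        return [f"{policy}: address-pools does not name a configured ip local pool"]
    first, last = pool
    findings = []
    # 1. nat 0 on the inside interface must exempt DNS server -> the whole pool
    exempt = cfg["acls"].get(cfg["nat0"].get(inside_if, ""), [])
    if not any(dns_ip in src and first in dst and last in dst for src, dst in exempt):
        findings.append(f"{policy}: no nat ({inside_if}) 0 ACE exempting {dns_ip} -> "
                        f"{first}-{last}, so DNS replies to the pool get translated")
    # 2. with split tunnelling, the DNS server must sit inside a split-tunnel network
    if attrs.get("split-tunnel-policy") == "tunnelspecified":
        split = cfg["acls"].get(attrs.get("split-tunnel-network-list", ""), [])
        if not any(dns_ip in net for _, net in split):
            findings.append(f"{policy}: {dns_ip} is not covered by the split-tunnel list, "
                            "so queries to it never enter the tunnel")
    # 3. split-dns steers internal domains to the VPN resolver; default-domain supplies
    #    the suffix for unqualified short names
    for key in ("split-dns", "default-domain"):
        if key not in attrs:
            findings.append(f"{policy}: no {key} value")
    return findings


def run_checks(text=SAMPLE_CONFIG, policy="DfltGrpPolicy"):
    return check_vpn_dns(parse_config(text), policy)


if __name__ == "__main__":
    for line in run_checks() or ["all DNS-over-VPN prerequisites present"]:
        print(line)
```

Run against the lines of the final config posted in this thread, the only finding is that DfltGrpPolicy (the policy the SSL clients land in) carries no default-domain value, while the unused Accounting policy does. A static check like this confirms the config matches the advice given; it cannot see what the client actually sends, which is why the packet capture suggested above remains the next step when every check passes and names still do not resolve.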

Hey guys:

I tried your suggestions and it didn't seem to work. Here is my updated configuration. Let me know if you have any ideas. Thanks!

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.xxx.xx.xxx 255.xxx.xxx.xxx
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.11
 domain-name northwind.local
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.2.0 255.255.255.0
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 75.xxx.xx.xxx 255.xxx.xxx.xxx
access-list inside_nat0_outbound_1 extended permit ip any 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Accounting_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLVPN 192.168.2.100-192.168.2.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 75.xxx.xx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 206.217.140.200 source outside prefer
ssl trust-point ASDM_TrustPoint7 outside
webvpn
 enable inside
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy Accounting internal
group-policy Accounting attributes
 dns-server value 192.168.1.11
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value northwind.local
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.1.11
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 split-dns value northwind.local
 address-pools value SSLVPN
 webvpn
  url-list value Default
  svc ask enable default webvpn
username Brian password wxf.F8XNw2LqrgOd encrypted privilege 0
username Brian attributes
 service-type remote-access
 webvpn
  homepage value http://website.com
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp