Cisco ASA 5506-X Remote Access VPN Users can’t access resources on the LAN

a.ajiboye (Level 1)

I configured Remote Access VPN on Cisco ASA 5506-X FirePOWER using ASDM.

Users can connect via the VPN remotely and can sometimes ping the inside interface of the ASA but they can’t ping any host on the LAN, access any resources on the LAN or RDP to any Windows PC on the LAN.

 

Any ideas on what might be wrong or go wrong when configuring RA VPN via ASDM? Has anyone had a similar issue?

 

 Thank you. 


5 Replies

Hi,
You should check the NAT rules - make sure you have a no-nat rule from your RAVPN network to the Local LAN network.

 

E.g.:

nat (INSIDE,OUTSIDE) source static LOCAL_LAN LOCAL_LAN destination static VPN_POOL VPN_POOL no-proxy-arp

 

Amend interface names and object groups as needed.

HTH

Hi RJI,

 

Thank you for your suggestion.

 

 I presume you want me to include the statement “nat (inside, outside) source static NETWORK_OBJ_10.36.32.0_24  NETWORK_OBJ_10.36.32.0_24 destination static NETWORK_OBJ_192.168.255.0_24 NETWORK_OBJ_192.168.255.0_24 no-proxy-arp route-lookup ” in the config. Is this correct?

 

Also, I noticed that the ASDM uses inside_1, inside_2 .... inside_7 in other parts of the config.

 

Would you agree the statement should be as follows instead of just a single statement?

 

nat (inside_1, outside) source static NETWORK_OBJ_10.36.32.0_24  NETWORK_OBJ_10.36.32.0_24 destination static NETWORK_OBJ_192.168.255.0_24 NETWORK_OBJ_192.168.255.0_24 no-proxy-arp route-lookup 

 

nat (inside_2, outside) source static NETWORK_OBJ_10.36.32.0_24  NETWORK_OBJ_10.36.32.0_24 destination static NETWORK_OBJ_192.168.255.0_24 NETWORK_OBJ_192.168.255.0_24 no-proxy-arp route-lookup 

 

....

 

nat (inside_7, outside) source static NETWORK_OBJ_10.36.32.0_24  NETWORK_OBJ_10.36.32.0_24 destination static NETWORK_OBJ_192.168.255.0_24 NETWORK_OBJ_192.168.255.0_24 no-proxy-arp route-lookup 

 

Please see the show run output below in case you could see anything else that may be incorrect.

 

 Thank you. 

 

################## running-config ###########
: Saved
:
: Serial Number: JADX2YX0F27
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.8(2)
!
hostname CA-FW-01
domain-name abc-corp.local
enable password $sha512$5000$jvNrhEJb8OjUa0BYrjHLSg==$NMDYPRxgPTUqUCscFRWYsA== pbkdf2
names
ip local pool RemoteAccess 192.168.255.2-192.168.255.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description Interface to BT ADSL Router
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside_3
 security-level 100
!
interface GigabitEthernet1/5
 bridge-group 1
 nameif inside_4
 security-level 100
!
interface GigabitEthernet1/6
 bridge-group 1
 nameif inside_5
 security-level 100
!
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_6
 security-level 100
!
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_7
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 10.36.32.253 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name abc-corp.local
same-security-traffic permit inter-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network BT_ROUTER
 host 172.16.1.1
 description BT ROUTER
object network NETWORK_OBJ_192.168.255.0_24
 subnet 192.168.255.0 255.255.255.0
object network NETWORK_OBJ_10.36.32.0_24
 subnet 10.36.32.0 255.255.255.0
object network ASA_FW
 host 10.36.32.253
access-list RemoteAccess_splitTunnelAcl standard permit 10.36.32.0 255.255.255.0
access-list RemoteAccessVPN extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
object network obj_any2
 nat (inside_2,outside) dynamic interface
object network obj_any3
 nat (inside_3,outside) dynamic interface
object network obj_any4
 nat (inside_4,outside) dynamic interface
object network obj_any5
 nat (inside_5,outside) dynamic interface
object network obj_any6
 nat (inside_6,outside) dynamic interface
object network obj_any7
 nat (inside_7,outside) dynamic interface
nat (inside, outside) source static NETWORK_OBJ_10.36.32.0_24  NETWORK_OBJ_10.36.32.0_24 destination static NETWORK_OBJ_192.168.255.0_24 NETWORK_OBJ_192.168.255.0_24 no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.255.0 255.255.255.0 inside_1
http 192.168.255.0 255.255.255.0 inside_2
http 192.168.255.0 255.255.255.0 inside_3
http 192.168.255.0 255.255.255.0 inside_4
http 192.168.255.0 255.255.255.0 inside_5
http 192.168.255.0 255.255.255.0 inside_6
http 192.168.255.0 255.255.255.0 inside_7
http 10.36.32.0 255.255.255.0 inside_1
http 10.36.32.0 255.255.255.0 inside_2
http 10.36.32.0 255.255.255.0 inside_3
http 10.36.32.0 255.255.255.0 inside_4
http 10.36.32.0 255.255.255.0 inside_5
http 10.36.32.0 255.255.255.0 inside_6
http 10.36.32.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 10.36.32.0 255.255.255.0 inside_1
ssh 192.168.255.0 255.255.255.0 inside_1
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
 dns-server value 10.36.32.2 10.240.19.228
 vpn-filter value RemoteAccessVPN
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccess_splitTunnelAcl
 default-domain value abc-corp.local
dynamic-access-policy-record DfltAccessPolicy
username Dave password $sha512$5000$RAVEIVxuo7WdgR1voLb2OQ==$uuf5PRcrnTOOf43rYRZp+g== pbkdf2 privilege 15
username Dave attributes
 vpn-group-policy RemoteAccess
username William password $sha512$5000$pUBjqIr+P1XoXc9IB2J4eQ==$QPfGFhzUj44+FfOHKPQm6g== pbkdf2 privilege 15
username William attributes
 vpn-group-policy RemoteAccess
username william1 password $sha512$5000$WyQID0jU+hImySphNXHmEA==$9i0sy7Irdgpk4G3RQI2r3g== pbkdf2 privilege 0
username william1 attributes
 vpn-group-policy RemoteAccess
 vpn-framed-ip-address 192.168.255.2 255.255.255.0
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool RemoteAccess
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f2cc2f580985d36bfb96c610475fe5a5
: end
no asdm history enable

Hi, yes, create a NAT rule for each inside nameif in the format I previously provided.

HTH
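To show what the accepted answer is asking for, here is an added Python example (not code from the thread, Cisco or ASDM) that audits a constructed running-config excerpt: it lists the nameifs of the bridge-group member interfaces, reports which of them have no LAN-to-pool identity NAT rule (or a rule without route-lookup), and emits the per-member rules to add. The excerpt and the object names LAN and POOL are constructed stand-ins for the thread's NETWORK_OBJ_10.36.32.0_24 and NETWORK_OBJ_192.168.255.0_24.

```python
import re

# Constructed excerpt modelled on the thread's config (hypothetical object names LAN, POOL).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_2
interface BVI1
 nameif inside
nat (inside,outside) source static LAN LAN destination static POOL POOL no-proxy-arp route-lookup
nat (inside_1,outside) source static LAN LAN destination static POOL POOL no-proxy-arp
"""
NAT_RE = re.compile(r"^nat \((\S+?),\s*(\S+?)\) source static (\S+) (\S+) destination static (\S+) (\S+)(.*)$")

def bridge_member_nameifs(config):
    """nameifs of interfaces carrying a bridge-group line (the BVI itself is not one)."""
    members = []
    for block in re.split(r"(?m)^interface ", config)[1:]:
        nameif = re.search(r"^ nameif (\S+)", block, re.M)
        if nameif and re.search(r"^ bridge-group ", block, re.M):
            members.append(nameif.group(1))
    return members

def identity_nat_rules(config):
    """ingress nameif -> (egress, src, dst, has_route_lookup); tolerates '(inside, outside)' spacing."""
    rules = {}
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m and m.group(3) == m.group(4) and m.group(5) == m.group(6):
            rules[m.group(1)] = (m.group(2), m.group(3), m.group(5), "route-lookup" in m.group(7))
    return rules

def audit(config, lan_obj, pool_obj, egress="outside"):
    """Return (members with no LAN->pool exemption, members whose rule lacks route-lookup)."""
    rules, missing, no_lookup = identity_nat_rules(config), [], []
    for nameif in bridge_member_nameifs(config):
        rule = rules.get(nameif)
        if rule is None or rule[:3] != (egress, lan_obj, pool_obj):
            missing.append(nameif)
        elif not rule[3]:
            no_lookup.append(nameif)
    return missing, no_lookup

def fix_lines(missing, lan_obj, pool_obj, egress="outside"):
    """The per-member rules the accepted answer asks for, ready to paste."""
    return [f"nat ({n},{egress}) source static {lan_obj} {lan_obj} destination static "
            f"{pool_obj} {pool_obj} no-proxy-arp route-lookup" for n in missing]
```

Run against the excerpt, audit reports inside_2 as missing its exemption and inside_1 as lacking route-lookup, while the rule on the BVI nameif "inside" counts for neither member.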

Thanks!

Hi,

Thank you for your suggestion.

I discovered that I was able to reach devices/hosts on the LAN when I connect via VPN from only my home broadband. I can RDP to Windows PCs, browse web pages on servers on the LAN, SSH to Linux hosts, etc. when I connect to VPN via my home broadband. But when I am on the move and I connect to VPN using my mobile broadband or the Guest WiFi at my office, I can't RDP, access web servers, or SSH, etc.

I have gone through Cisco VPN client debug logs and my laptop routing tables to compare the three VPN connectivity scenarios but I can't figure out any difference. Please find attached my laptop routing tables when connected from home, mobile broadband and office Guest Wifi.

While reading another post, it appears adding the keyword "route-lookup" at the end of the NAT statement may fix the problem. But could you confirm whether this would fix the problem, or do you have another suggestion for a possible fix for this VPN issue?

 

Another weird observation is that I can connect to the ASA firewall using ASDM when I am locally connected to the LAN on the INSIDE interface of the ASA, but I cannot connect to ASDM when I connect via VPN. Could you suggest a fix for this as well?