11-22-2015 08:06 PM
Hi all,
I'm very new to ASA. My current company wants to set up a VPN so users can access the internal network. So now I'm trying to set up VPN authentication with my NPS server. The VPN can connect and access the outside network, but it cannot access the internal network. Would you please help me solve this?
Additional details:
1. I have a Cisco WS-C3650 connected behind the firewall, and it does VLAN routing.
2. My VPN client IP addresses use some IPs from VLAN 120 (the internal VLAN).
3. I have a site-to-site VPN connection, and VPN clients can access the site-to-site network with the current settings.
4. My ASA is 9.3.3 and ASDM is 7.5.
Here's my current config:
Many thanks in advance.
: Serial Number: FCH1932J53V
: Hardware: ASA5515, 8192 MB RAM, CPU Clarkdale 3058 MHz, 1 CPU (4 cores)
: ASA Version 9.3(3)
!
hostname
enable password DV/8i0S5ZTpG7nV/ encrypted
names
name 146.20.0.196 RACKSPACE-IAD3-648421
ip local pool VLAN120 192.168.120.200-192.168.120.250 mask 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 27.254.30.162 255.255.255.224
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 no ip address
!
boot system disk0:/asa933-smp-k8.bin
ftp mode passive
clock timezone ICT 7
same-security-traffic permit intra-interface
object network obj-any
 subnet 0.0.0.0 0.0.0.0
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
object network 192.168.200.0
 subnet 192.168.200.0 255.255.255.0
object network NETWORK_OBJ_192.168.120.192_26
 subnet 192.168.120.192 255.255.255.192
object network VPN_Pool
 subnet 192.168.120.192 255.255.255.192
object-group network VPN-LOCAL-205
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.110.0 255.255.255.0
 network-object 192.168.120.0 255.255.255.0
 network-object 192.168.140.0 255.255.255.0
 network-object object 192.168.200.0
object-group network VPN-REMOTE-205
 network-object 10.0.0.0 255.0.0.0
object-group service UDP-Domain udp
 port-object eq domain
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network OBJ-Internal
 description Internal network
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.110.0 255.255.255.0
 network-object 192.168.120.0 255.255.255.0
 network-object 192.168.130.0 255.255.255.0
 network-object 192.168.140.0 255.255.255.0
 network-object object 192.168.200.0
access-list outside_access_in extended deny ip any6 any
access-list outside_access_in extended permit ip any any
access-list 205 extended permit ip object-group VPN-LOCAL-205 object-group VPN-REMOTE-205
access-list global_access extended deny ip any6 any
access-list global_access extended permit ip any any
access-list global_access extended deny ip any any
access-list inside_access_in extended permit ip any6 any6 inactive
access-list inside_access_in extended permit udp any any object-group UDP-Domain inactive
access-list inside_access_in extended deny udp any any inactive
access-list inside_access_in extended permit ip any any
access-list VPN_ACL standard permit 192.168.100.0 255.255.255.0
access-list VPN_ACL standard permit 192.168.110.0 255.255.255.0
access-list VPN_ACL standard permit 192.168.120.0 255.255.255.0
access-list VPN_ACL standard permit 192.168.130.0 255.255.255.0
access-list VPN_ACL standard permit 192.168.140.0 255.255.255.0
access-list VPN_ACL standard permit 10.0.0.0 255.0.0.0
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751-90.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source static VPN-LOCAL-205 VPN-LOCAL-205 destination static VPN-REMOTE-205 VPN-REMOTE-205
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static OBJ-Internal OBJ-Internal inactive
!
nat (outside,outside) after-auto source dynamic VPN_Pool interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 27.254.30.161 1
route inside 192.168.0.0 255.255.0.0 192.168.200.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server THRYADCP0002 protocol radius
aaa-server THRYADCP0002 (inside) host 192.168.100.8
 timeout 5
 key *****
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.200.0 255.255.255.0 management
http 192.168.120.0 255.255.255.0 inside
http 192.168.110.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 1500
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map VPNMAP 205 match address 205
crypto map VPNMAP 205 set peer RACKSPACE-IAD3-648421
crypto map VPNMAP 205 set ikev1 transform-set AES256-SHA
crypto map VPNMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPNMAP interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 110
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 203.185.69.60 source outside
ntp server 203.185.69.59 source outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy VPN_Outside internal
group-policy VPN_Outside attributes
 dns-server value 192.168.100.2 10.130.8.38
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_ACL
 split-tunnel-all-dns enable
dynamic-access-policy-record DfltAccessPolicy
username feynman password IgKDL9xELvyByk4H encrypted privilege 15
username cisco password q45XJA9WXB.fRrlt encrypted privilege 15
username ITAdmin password ULyghJHyWn9ckvAv encrypted
tunnel-group 146.20.0.196 type ipsec-l2l
tunnel-group 146.20.0.196 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group VPN_Outside type remote-access
tunnel-group VPN_Outside general-attributes
 address-pool VLAN120
 authentication-server-group THRYADCP0002
 default-group-policy VPN_Outside
tunnel-group VPN_Outside ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map sfr
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect ipsec-pass-thru
  inspect pptp
  inspect snmp
 class class-default
  user-statistics accounting
policy-map global-policy
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:884b555180954979e037492090ec9ad4
: end
asdm image disk0:/asdm-751-90.bin
no asdm history enable
11-24-2015 04:20 PM
Hi pongsiri_chu,
The NAT exemption seems to be missing from the configuration.
Based on your configuration, you can create a similar entry as follows:
nat (any,outside) source static VPN-LOCAL-205 VPN-LOCAL-205 destination static VPN_Pool VPN_Pool route-lookup
Hope it helps
-Randy-
11-24-2015 11:35 PM
Hi rvarelac
Thanks for your reply. I can make it access the inside by adding this command:
nat (outside,inside) after-auto source dynamic VPN_Pool interface
Thanks for your help.
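Two things in the posted config decide whether pool traffic reaches the inside, and both are worth checking mechanically before touching NAT. First, the pool 192.168.120.200-250 is carved out of VLAN 120 (192.168.120.0/24), which sits behind `route inside 192.168.0.0 255.255.0.0 192.168.200.2`; hosts on that VLAN treat pool addresses as local neighbours rather than routing them back to the ASA, which is consistent with the PAT rule in the last post working (it hides every client behind 192.168.200.1, at the price of losing per-client source addresses in inside-side logs and ACLs). Second, an identity-NAT exemption only helps if nothing earlier in manual NAT section 1 already claims the flow; `nat (inside,outside) source dynamic any interface` precedes anything appended later. The checker below is an added example written for this thread, not Cisco tooling and not code from either poster. The config excerpt is constructed from the lines quoted above, and the NAT model is deliberately simplified: section-1 manual NAT is first-match in configuration order, dynamic rules match only flows initiated from their real side, and a rule's source/destination objects are expanded through nested object-groups.

```python
"""Sanity checks for a Cisco ASA remote-access VPN pool (added example).
  1. Does the pool overlap a prefix routed out the inside interface?
  2. Is there a static identity twice-NAT rule whose destination covers the pool?
  3. Is that rule shadowed by an earlier section-1 dynamic rule?
Simplified NAT model: section-1 rules first-match in config order, dynamic
rules are one-directional, static rules bidirectional."""
import ipaddress
import re

# Constructed excerpt: pool, objects, NAT and route lines quoted in the thread.
ASA_CONFIG = """\
ip local pool VLAN120 192.168.120.200-192.168.120.250 mask 255.255.255.0
object network 192.168.200.0
 subnet 192.168.200.0 255.255.255.0
object network VPN_Pool
 subnet 192.168.120.192 255.255.255.192
object-group network VPN-LOCAL-205
 network-object 192.168.100.0 255.255.255.0
 network-object 192.168.110.0 255.255.255.0
 network-object 192.168.120.0 255.255.255.0
 network-object 192.168.140.0 255.255.255.0
 network-object object 192.168.200.0
object-group network VPN-REMOTE-205
 network-object 10.0.0.0 255.0.0.0
nat (any,outside) source static VPN-LOCAL-205 VPN-LOCAL-205 destination static VPN-REMOTE-205 VPN-REMOTE-205
nat (inside,outside) source dynamic any interface
nat (outside,outside) after-auto source dynamic VPN_Pool interface
route outside 0.0.0.0 0.0.0.0 27.254.30.161 1
route inside 192.168.0.0 255.255.0.0 192.168.200.2 1
"""
# The exemption proposed in the reply above, appended as a second scenario.
RANDY_RULE = ("nat (any,outside) source static VPN-LOCAL-205 VPN-LOCAL-205 "
              "destination static VPN_Pool VPN_Pool route-lookup")

NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) (after-auto )?source (static|dynamic) "
                    r"(\S+) (\S+)(?: destination static (\S+) (\S+))?")
ANY = ipaddress.IPv4Network("0.0.0.0/0")

def net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse(text):
    cfg = {"objects": {}, "nat": [], "routes": [], "pool": []}
    members = None                      # member list of the object being read
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if line.startswith(("object network ", "object-group network ")):
            members = cfg["objects"].setdefault(w[2], [])
        elif line.startswith(" ") and members is not None:
            if w[0] == "subnet":
                members.append(net(w[1], w[2]))
            elif w[0] == "network-object" and w[1] == "object":
                members.append(w[2])    # nested object, resolved by name later
            elif w[0] == "network-object":
                members.append(net(w[1], w[2]))
        else:
            members = None
            if line.startswith("ip local pool "):
                lo, hi = (ipaddress.IPv4Address(a) for a in w[4].split("-"))
                cfg["pool"] = list(ipaddress.summarize_address_range(lo, hi))
            elif line.startswith("route "):
                cfg["routes"].append((w[1], net(w[2], w[3])))
            elif (m := NAT_RE.match(line)):
                cfg["nat"].append({"text": line, "in": m[1], "out": m[2],
                                   "after_auto": bool(m[3]), "kind": m[4],
                                   "src": (m[5], m[6]), "dst": (m[7], m[8])})
    return cfg

def resolve(cfg, name):
    """Expand an object, object-group or 'any' into IPv4Networks."""
    if name == "any":
        return [ANY]
    nets = []
    for item in cfg["objects"].get(name, []):
        nets.extend(resolve(cfg, item) if isinstance(item, str) else [item])
    return nets

def covers(nets, targets):
    return all(any(t.subnet_of(n) for n in nets) for t in targets)

def pool_overlaps_inside_routes(cfg):
    """Inside-routed prefixes containing pool addresses: hosts on such a LAN
    answer pool addresses locally instead of routing back to the ASA."""
    return [r for ifc, r in cfg["routes"]
            if ifc == "inside" and any(p.overlaps(r) for p in cfg["pool"])]

def exemptions_for_pool(cfg):
    """Static identity rules whose destination object covers the whole pool."""
    return [r for r in cfg["nat"]
            if r["kind"] == "static" and r["src"][0] == r["src"][1]
            and r["dst"][0] is not None and r["dst"][0] == r["dst"][1]
            and covers(resolve(cfg, r["dst"][0]), cfg["pool"])]

def shadowing_rules(cfg, rule):
    """Earlier section-1 dynamic rules on a compatible interface pair whose
    source covers the exemption's source; they win for inside-initiated flows."""
    same = lambda a, b: "any" in (a, b) or a == b
    return [r for r in cfg["nat"][:cfg["nat"].index(rule)]
            if r["kind"] == "dynamic" and not r["after_auto"]
            and same(r["in"], rule["in"]) and same(r["out"], rule["out"])
            and covers(resolve(cfg, r["src"][0]), resolve(cfg, rule["src"][0]))]

def report(text):
    cfg = parse(text)
    found = exemptions_for_pool(cfg)
    return {"pool_overlaps": [str(r) for r in pool_overlaps_inside_routes(cfg)],
            "exemptions": [r["text"] for r in found],
            "shadowed_by": [s["text"] for r in found for s in shadowing_rules(cfg, r)]}

if __name__ == "__main__":
    print("as posted:     ", report(ASA_CONFIG))
    print("with exemption:", report(ASA_CONFIG + RANDY_RULE + "\n"))
```

On the config as posted the report shows the pool inside the 192.168.0.0/16 inside route and no exemption at all; with the proposed rule appended it finds the exemption but also reports the `source dynamic any interface` rule ahead of it, so inside-initiated connections toward VPN clients would still be PAT'd unless the exemption is given a lower line number or the pool is moved to a subnet that only the ASA routes. Whichever rule is chosen, `packet-tracer input outside tcp <pool-ip> 12345 <inside-host> 445` on the ASA confirms the NAT phase the flow actually hits.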