08-17-2012 03:22 PM - edited 02-21-2020 06:16 PM
I've looked through other discussions and haven't been able to find a clear answer on this so I apologize if it is a duplicate question.
I have setup the Cisco VPN client on an ASA 5505 with split-tunneling. I can connect to the VPN just fine. I can get to the internet just fine. I can NOT get to the LAN, however. I try to ping, rdp, telnet, etc. devices on the LAN side of the firewall without any luck. I have torn down and setup the VPN multiple times via the CLI and I even used various configurations using the wizard, all without any luck. Any help would be appreciated.
ASA Version 8.2(2)
!
hostname spp-provo-001-fwl-001
domain-name servpro.local
enable password F7n9M1BQr1HPy/zu encrypted
passwd F7n9M1BQr1HPy/zu encrypted
no names
name 10.0.0.11 Exch-Srv
name 10.0.0.12 DRAC
name 10.0.0.10 DVR
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ServPro
ip address pppoe setroute
!
interface Vlan12
nameif Guest_Wireless
security-level 90
ip address 10.10.0.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 12
!
banner exec *Authorized access only*
banner exec *This system is the property of ServPro. Disconnect IMMEDIATELY as you are not an authorized user!*
banner login *Authorized access only*
banner login *This system is the property of ServPro. Disconnect IMMEDIATELY as you are not an authorized user!*
banner asdm *Authorized access only*
banner asdm *This system is the property of ServPro. Disconnect IMMEDIATELY as you are not an authorized user!*
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.0.11
name-server 8.8.8.8
domain-name servpro.local
object-group service DRACServices tcp
port-object eq 5900
port-object eq https
port-object eq 5901
object-group service Exch-SrvServices tcp
port-object eq 587
port-object eq 993
port-object eq www
port-object eq https
port-object eq imap4
port-object eq pop3
port-object eq smtp
object-group service SBS1Services tcp
port-object eq 3389
port-object eq www
port-object eq https
port-object eq smtp
access-list outside_access_in extended permit tcp any host *.*.*.* object-group Exch-SrvServices
access-list outside_access_in extended permit icmp any *.*.*.* 255.255.255.248
access-list capture extended permit icmp any any
access-list Servpro_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 172.16.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
access-list guest_wireless_in extended permit tcp any any
access-list guest_wireless_in extended permit ip any any
access-list NO_NAT extended permit ip 10.0.0.0 255.255.255.0 10.10.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu Guest_Wireless 1500
ip local pool ServProDHCPVPN 172.16.10.1-172.16.10.14 mask 255.255.255.240
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (Guest_Wireless) 1 0.0.0.0 0.0.0.0
static (inside,outside) *.*.*.* 10.0.0.11 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group guest_wireless_in in interface Guest_Wireless
route outside 0.0.0.0 0.0.0.0 *.*.*.* 2 track 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Exch-Srv protocol nt
aaa-server Exch-Srv (inside) host 10.0.0.11
timeout 5
nt-auth-domain-controller EXCH-SRV
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http server idle-timeout 10
http 10.0.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http redirect outside 80
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 124
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
frequency 10
sla monitor schedule 124 life forever start-time now
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=cisco.spprovo.com
keypair ServPro
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate f642be4b
308202fc 308201e4 a0030201 020204f6 42be4b30 0d06092a 864886f7 0d010105
05003040 311a3018 06035504 03131163 6973636f 2e737070 726f766f 2e636f6d
31223020 06092a86 4886f70d 01090216 13636973 636f2e73 65727670 726f2e6c
6f63616c 301e170d 31303034 30383230 35363232 5a170d32 30303430 35323035
3632325a 3040311a 30180603 55040313 11636973 636f2e73 7070726f 766f2e63
6f6d3122 30200609 2a864886 f70d0109 02161363 6973636f 2e736572 7670726f
2e6c6f63 616c3082 0122300d 06092a86 4886f70d 01010105 00038201 0f003082
010a0282 010100a5 b4646cde f981f048 efa54c8a 4ba4f51c 25471e01 459ea905
313ef490 72b4d853 4e95ab7d a8c1350e 5728dca6 a98c439e 2c12d219 06ee7209
9f2584d1 b2abf71c 31c0890f 3098533b 6bc3ad4b 3bcd8986 e70ca78e 07a749d6
ee4e0892 4fcb79b6 724f7012 9f42fc2f b80c17ed adb5d36b 67590061 453d9ae6
16583d36 5a22b7c2 737fd705 94656f3f 578fb67f 79bd2a59 17522be3 d2386e22
2c62352f cda317b0 be805a04 76f19989 34031cbd a5fc62a7 1d9f52f3 00cf60b6
bbbdc4f0 fb651b82 b3e22a0a 718ff0b4 e213f4ac cdeb413b 9c4a47c3 9134d7a9
e8dcf2c5 c1cd4075 61d75e3a 475a17f1 2f955741 9ed2a8d6 c381eba3 247134e1
b5c33fac 7ae03d02 03010001 300d0609 2a864886 f70d0101 05050003 82010100
70595db9 3fac914d 9790c156 5fde62c5 b4cbb0f4 0c61fab7 fae04399 27457ab7
e69d3f19 3476dc51 32c885de b5904030 05624fe0 e8983e0a ab5527f3 8c5dd64a
1e1a6082 b6091657 8704c539 a3c6be47 da2a871f 4fafe668 70db2c2b 573d47b2
7f3df02f c9d53a92 bcf5f518 9953e14c f957a6ca 279f9e9f ddbd2561 6e0503c2
ba59a165 055d697f dd028d00 5cc288c4 83ced827 9c82ef3e 7e67f2d2 6de573e3
42a0b6bf ef8d06ed cb9805f2 c38011d3 5263bc3f 5b68df7a bef36c40 8c5e33f3
26b02c27 63a9848c 8461738f cd19ae95 f059ee34 afe4bdbc 8d8d2335 751b0621
65464b2c 4649779d 3ba01b69 8977a790 73815f8b 3c483f93 a5ca9685 04b6e18a
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
!
track 2 rtr 124 reachability
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 10
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
ssh version 2
console timeout 10
vpdn group ServPro request dialout pppoe
vpdn group ServPro localname ********
vpdn group ServPro ppp authentication pap
vpdn username ******* password ***** store-local
dhcpd auto_config outside
!
dhcpd address 10.10.0.100-10.10.0.227 Guest_Wireless
dhcpd dns 8.8.8.8 4.2.2.2 interface Guest_Wireless
dhcpd enable Guest_Wireless
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 38.117.195.101 source outside
ntp server 72.18.205.157 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy Servpro internal
group-policy Servpro attributes
dns-server value 10.0.0.11
vpn-tunnel-protocol IPSec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Servpro_splitTunnelAcl
default-domain value servpro.local
username servpro password NtdaWcySmet6H6T0 encrypted privilege 15
username servpro attributes
service-type admin
username Integratechs password bHGJDrPmHaAZY/78 encrypted
tunnel-group Servpro type remote-access
tunnel-group Servpro general-attributes
address-pool ServProDHCPVPN
authentication-server-group Exch-Srv LOCAL
default-group-policy Servpro
tunnel-group Servpro webvpn-attributes
group-alias ServPro enable
tunnel-group Servpro ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:52bca254012b1b05cca7dfaa30d1c42a
: end
Solved! Go to Solution.
08-17-2012 04:16 PM
Most probably you are behind a PAT router when you are connected to VPN, so please enable the following:
crypto isakmp nat-traversal 30
08-17-2012 04:16 PM
Most probably you are behind a PAT router when you are connected to VPN, so please enable the following:
crypto isakmp nat-traversal 30
08-17-2012 04:58 PM
Could you see if you have decrypted packages in the VPN tunnel?
Since you only have one VPN you can issue this command on the ASA 5505 and verify if you have encrypts and decrypts packages in the VPN.
Try to do a ping from de VPN client to the LAN segment and then type this command:
sh crypto ipsec sa | in encrypt|decrypt
Please check the Client PC routing table (route print if it is Windows) and see if you have the route added from the VPN client. You also can check directly on the VPN client : Status > Statistics > Route Details.
After that post the results again!
08-20-2012 11:04 AM
The VPN client shows no Local LAN Routes but has 10.0.0.0 under Secured Routes
There are no encrypts or decrypts.
spp-provo-001-fwl-001(config)# sh crypto ipsec sa | in encrypt|decrypt
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
08-20-2012 11:03 AM
I added the command crypto isakmp nat-traversal 30 but I am still unable to get access to the LAN
spp-provo-001-fwl-001(config)# show run | i nat-trav
crypto isakmp nat-traversal 30
Edit: I didn't restart the client connection after I made the edit. After restarting the VPN client that seems to have done the trick! Can you explain what that command does exactly? Thanks!
Message was edited by: David Engel
08-17-2012 05:17 PM
no access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 172.16.10.0 255.255.255.240
Sent from Cisco Technical Support iPhone App
08-20-2012 11:07 AM
Clinton, I changed the configs as you requested but I still didn't have any successs getting access to the LAN.
08-20-2012 12:05 PM
You can issue the following two commands on the ASA and then try to ping a device from the client that is connected to VPN:
debug crypto ipsec
term mon
Please post results.
08-20-2012 12:39 PM
Clinton, I appreciate your help with this issue. I was able to resolve the issue using the
crypto isakmp nat-traversal 30 command. Thanks again!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide