
Help Cannot Access Internal Resources

jnoble921
Level 1

Hello, I am trying to set up an ASA 5505 at home and connect to it via the Cisco Secure Mobility Client.

Internal Network: 10.37.1.0 /24

Guest Network: 10.37.2.0 /24

VPN DHCP: 10.37.3.0 /24

I am only able to connect with a local ASA account, not LDAP like I want. After I connect I get my secured route 10.37.1.0/24 (my internal network), but I cannot ping, RDP, SSH, etc. to anything inside. I get the message below...

4  Oct 30 2013  12:08:36  10.37.3.130  Deny icmp src outside:10.37.3.130 dst home:SPIDERMAN (type 8, code 0) by access-group "outside_access_in" [0x0, 0x0]

Any help would be greatly appreciated! Thank you.

Saved
: Written by enable_15 at 09:09:04.925 EDT Wed Oct 30 2013
!
ASA Version 8.2(5)
!
hostname aquaman
domain-name batcave.local
enable password O8X.8O1jZvTr6Rh3 encrypted
passwd zHg4tACBjpuqj6q5 encrypted
names
name 10.37.1.99 GREEN-ARROW
name 208.67.222.222 OpenDNS1 description resolver1.opendns.com
name 208.67.220.220 OpenDNS2 description resolver2.opendns.com
name 208.67.222.220 OpenDNS3 description resolver3.opendns.com
name 208.67.220.222 OpenDNS4 description resolver4.opendns.com
name 10.37.1.15 THE-HULK
name 178.33.199.65 ComodoMX1 description mxsrv1.spamgateway.comodo.com
name 178.33.199.66 ComodoMX2 description mxsrv2.spamgateway.comodo.com
name 10.37.1.101 SPIDERMAN
name 10.37.1.10 DAREDEVIL
name 65.73.180.177 WorkIP
name 10.37.1.254 OpenVPNAS
name 10.37.3.0 VPN_DHCP
name 10.37.2.10 GuestWirelessAP
name 10.37.1.20 THE-FLASH
name 10.37.1.200 BR_1
name 10.37.1.201 BR_2
name 10.37.1.30 IRONMAN
name 10.37.1.25 WIKI
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif home
 security-level 100
 ip address 10.37.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan5
 nameif guest
 security-level 50
 ip address 10.37.2.254 255.255.255.0
!
!
time-range M-F_9-16
 periodic weekdays 9:00 to 16:00
!
banner motd
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server OpenDNS1
 name-server OpenDNS2
 name-server OpenDNS3
 name-server OpenDNS4
 domain-name batcave.local
same-security-traffic permit inter-interface
object-group service RDP tcp
 description Remote Desktop Protocol
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network ComodoSpamFilter
 network-object host ComodoMX1
 network-object host ComodoMX2
object-group network OpenDNSServers
 network-object host OpenDNS2
 network-object host OpenDNS4
 network-object host OpenDNS3
 network-object host OpenDNS1
object-group service VNC tcp
 port-object eq 5900
object-group service smartmail tcp
 port-object eq 9998
object-group service http2 tcp
 port-object eq 8080
object-group service RDP2 tcp
 port-object eq 3789
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ssh
 port-object eq telnet
object-group network Netflix
 network-object host BR_1
 network-object host BR_2
object-group service RDP3 tcp
 port-object eq 3999
access-list outside_access_in extended permit tcp any interface outside object-group RDP log disable
access-list outside_access_in extended permit tcp any interface outside eq ftp log disable
access-list outside_access_in extended permit tcp any interface outside eq www log disable
access-list outside_access_in extended permit tcp object-group ComodoSpamFilter interface outside eq smtp log disable
access-list outside_access_in extended permit tcp any interface outside object-group smartmail log disable
access-list outside_access_in extended permit tcp host WorkIP interface outside object-group VNC log disable
access-list outside_access_in extended permit tcp any interface outside object-group http2 log disable
access-list outside_access_in extended permit tcp any interface outside object-group RDP2 log disable
access-list outside_access_in extended permit icmp any interface outside echo-reply log disable
access-list home_access_in extended permit object-group TCPUDP 10.37.1.0 255.255.255.0 object-group OpenDNSServers eq domain log disable
access-list home_access_in extended permit object-group TCPUDP host SPIDERMAN any eq domain log disable
access-list home_access_in extended deny object-group TCPUDP 10.37.1.0 255.255.255.0 any eq domain log disable
access-list home_access_in extended permit ip any any log disable
access-list guest_access_in extended permit object-group TCPUDP 10.37.2.0 255.255.255.0 object-group OpenDNSServers eq domain log disable
access-list guest_access_in extended deny tcp 10.37.2.0 255.255.255.0 any eq ftp log disable
access-list guest_access_in extended deny tcp 10.37.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1 log disable
access-list guest_access_in extended deny tcp 10.37.2.0 255.255.255.0 any object-group RDP log disable
access-list guest_access_in extended deny tcp 10.37.2.0 255.255.255.0 any object-group VNC log disable
access-list guest_access_in extended deny object-group TCPUDP 10.37.2.0 255.255.255.0 any eq domain log disable
access-list guest_access_in extended permit ip any any log disable time-range M-F_9-16
access-list Split_Tunnel_List standard permit 10.37.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap notifications
logging asdm informational
logging device-id hostname
logging host home THE-FLASH
mtu home 1500
mtu outside 1500
mtu guest 1500
ip local pool VPN_DHCP 10.37.3.130-10.37.3.139 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any home
icmp permit host WorkIP outside
icmp deny any outside
icmp deny any guest
asdm image disk0:/asdm-714.bin
asdm location THE-HULK 255.255.255.255 home
asdm location WIKI 255.255.255.255 home
asdm location GREEN-ARROW 255.255.255.255 home
asdm location OpenDNS2 255.255.255.255 home
asdm location OpenDNS4 255.255.255.255 home
asdm location OpenDNS3 255.255.255.255 home
asdm location OpenDNS1 255.255.255.255 home
asdm location ComodoMX1 255.255.255.255 home
asdm location ComodoMX2 255.255.255.255 home
asdm location SPIDERMAN 255.255.255.255 home
asdm location DAREDEVIL 255.255.255.255 home
asdm location WorkIP 255.255.255.255 home
asdm location OpenVPNAS 255.255.255.255 home
asdm location VPN_DHCP 255.255.255.0 home
asdm location GuestWirelessAP 255.255.255.255 home
asdm location THE-FLASH 255.255.255.255 home
asdm location IRONMAN 255.255.255.255 home
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (home) 101 0.0.0.0 0.0.0.0
nat (guest) 101 0.0.0.0 0.0.0.0
static (home,outside) tcp interface 3389 GREEN-ARROW 3389 netmask 255.255.255.255
static (home,outside) tcp interface ftp THE-HULK ftp netmask 255.255.255.255
static (home,outside) tcp interface www THE-HULK www netmask 255.255.255.255
static (home,outside) tcp interface smtp IRONMAN smtp netmask 255.255.255.255
static (home,outside) tcp interface 9998 IRONMAN 9998 netmask 255.255.255.255
static (home,outside) tcp interface 5900 SPIDERMAN 5900 netmask 255.255.255.255
static (home,outside) udp interface tftp THE-FLASH tftp netmask 255.255.255.255
static (home,outside) tcp interface 3789 THE-FLASH 3789 netmask 255.255.255.255
static (home,outside) tcp interface 8080 WIKI 8080 netmask 255.255.255.255
access-group home_access_in in interface home
access-group outside_access_in in interface outside
access-group guest_access_in in interface guest
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server BATCAVE protocol ldap
aaa-server BATCAVE (home) host DAREDEVIL
 ldap-base-dn OU=Users, OU=Home, DC=batcave, DC=local
 ldap-group-base-dn memberOf=CN=Cisco VPN Users, OU=Groups, OU=Home, DC=batcave, DC=local
 ldap-naming-attribute sAMAccountName
 ldap-login-password npYDApHrdVjOTcj8kJha
 ldap-login-dn CN=Cisco LDAP Account,OU=Service Accounts,DC=batcave,DC=local
 server-type microsoft
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authorization exec LOCAL
http server enable 3737
http WorkIP 255.255.255.255 outside
http 10.37.1.0 255.255.255.0 home
http redirect outside 80
http redirect home 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no vpn-addr-assign aaa
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh GREEN-ARROW 255.255.255.255 home
ssh SPIDERMAN 255.255.255.255 home
ssh DAREDEVIL 255.255.255.255 home
ssh WorkIP 255.255.255.255 outside
ssh timeout 10
ssh version 2
console timeout 30
dhcpd auto_config outside
!
dhcprelay server DAREDEVIL home
dhcprelay enable guest
dhcprelay setroute guest
dhcprelay timeout 60
priority-queue home
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.90.182.55 source outside prefer
tftp-server home THE-FLASH tftp://10.37.1.20/
webvpn
 enable home
 enable outside
 svc image disk0:/anyconnect-win-3.1.04066-k9_3.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 dns-server value 10.37.1.10
 vpn-simultaneous-logins 1
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value batcave.local
 webvpn
  svc ask enable default webvpn
username aquaman password KKOPGG99Bk0xyhXS encrypted privilege 15
username jared password YlQ4V6UbWiR/Dfov encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN_DHCP
tunnel-group HomeVPN type remote-access
tunnel-group HomeVPN general-attributes
 address-pool VPN_DHCP
 authentication-server-group BATCAVE
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
!
smtp-server 10.37.1.30
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:65c8e856cde7d73200dd38f670613c2b
: end

2 Replies

JORGE RODRIGUEZ (Accepted Solution)
Level 10

Hi Jared,

Because your configuration has the no sysopt connection permit-vpn statement, you are missing a NAT exempt rule. Therefore you will need to configure an access list to allow the traffic between your RA VPN network and your inside subnet, and apply that rule to your home interface, where 10.37.1.0/24 resides.

Example:

access-list nonat_rule extended permit ip 10.37.1.0 255.255.255.0 10.37.3.0 255.255.255.0
nat (home) 0 access-list nonat_rule

Give that a try.

Regards

Jorge Rodriguez
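The fix carried through end to end, as an added example that is not part of the thread and not Cisco's own text. Two separate things are wrong for this flow in the posted config, and the syslog line in the question points at the first one: with no sysopt connection permit-vpn, decrypted AnyConnect traffic arriving on outside is checked against outside_access_in, which has no entry for 10.37.3.0/24, hence the "Deny icmp ... by access-group outside_access_in". Separately, nat-control is on and nat (home) 101 0.0.0.0 0.0.0.0 covers every home source, so the return traffic from 10.37.1.0/24 to the pool needs the NAT exemption from the reply. Interface, object and server names (home, outside, VPN_DHCP, BATCAVE, DAREDEVIL) and the subnets are taken from the posted config; the ACL name nonat_rule follows the reply; the verification commands and the <password> placeholder are assumptions for illustration.

```cisco
! Added example for ASA 8.2(5), pasted into a configure-terminal session.
! Names and subnets are the ones in the posted running-config above.
configure terminal
!
! 1. NAT exemption: home -> VPN pool must bypass "nat (home) 101 0.0.0.0 0.0.0.0".
!    With nat-control on, a flow that matches no translation is dropped, so this is
!    required and not optional. The nat 0 ACL is written from the home side.
access-list nonat_rule extended permit ip 10.37.1.0 255.255.255.0 10.37.3.0 255.255.255.0
nat (home) 0 access-list nonat_rule
!
! 2. "no sysopt connection permit-vpn" subjects decrypted client traffic to the
!    outside interface ACL, which is where the logged deny came from. Permit only
!    the pool to the internal subnet so the rest of outside_access_in stays tight.
!    Logging is left at the default here (the existing entries use "log disable").
access-list outside_access_in extended permit ip 10.37.3.0 255.255.255.0 10.37.1.0 255.255.255.0
!
!    Broader alternative to step 2: let all tunnel-terminated traffic bypass interface ACLs.
!    Pick one; with this enabled the ACL line above is unnecessary.
! sysopt connection permit-vpn
!
! 3. Existing translations keep their old NAT decision until cleared.
clear xlate
write memory
end
!
! 4. Verification from exec mode. The trace should show the ACCESS-LIST and NAT
!    phases as ALLOW for a client-to-inside packet; the aaa test covers the
!    "only local accounts work" part of the question (password placeholder is assumed).
show run nat
show run access-list outside_access_in
packet-tracer input outside icmp 10.37.3.130 8 0 10.37.1.101
test aaa-server authentication BATCAVE host DAREDEVIL username jared password <password>
```

packet-tracer on 8.2 does not model the tunnel itself; it is still useful here because both failure points (the outside ACL and the missing nat 0) are in the phases it walks, so a client test afterwards is the real confirmation. Note also that 8.2 prints ldap-login-password in clear text in show run, as the posted config shows: the bind account's password in this post should be treated as disclosed and changed, and redacted from any future paste.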

Sorry, I had some issues with my domain controller. I am ALL set, thank you very much Jorge.