11-13-2018 09:43 AM
Hello Experts,
I can't access the inside LAN over the VPN connection. Please let us know if any NAT or access-list entry is missing from the configuration.
ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.60.200.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object tcp
access-list no_nat extended permit ip 10.60.200.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list Split_Tunnel_List remark The corporate network behind the ASA.
access-list Split_Tunnel_List standard permit 10.60.200.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-643.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 0.0.0.0 255.255.255.255 68.184.x.x 1
route inside 0.0.0.0 255.255.255.255 68.184.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.60.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.cisco.com
subject-name CN=sslvpn.cisco.com
keypair sslvpnkeypair
crl configure
crypto ca certificate chain localtrust
certificate 1de7e95b
quit
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcp-client client-id interface outside
dhcpd auto_config outside
!
dhcpd address 10.60.200.4-10.60.200.20 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLCLientPolicy internal
group-policy SSLCLientPolicy attributes
dns-server value 10.60.200.3
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
default-domain value tsweb.local
address-pools value SSLClientPool
username cisco password vrjYI6MuagXL.9cH encrypted privilege 15
username cisco attributes
service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLCLientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
tunnel-group SSLCLientPolicy type remote-access
tunnel-group SSLCLientPolicy general-attributes
default-group-policy SSLCLientPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:33703b432ec4f686fcdf12c90518cef0
: end
11-13-2018 11:10 AM
Dear,
you could try to follow this guide:
It seems that some parts of the configuration are missing.
11-13-2018 11:28 AM
You referred to a site-to-site VPN document. It does not work for me because the VPN is already configured; we are able to connect, there is no issue. We configured it using this guide:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/99756-asa8-x-anyconnect-vpn.html
If you have any idea, kindly look into the NAT and access-list statements; that will get the solution.
11-13-2018 11:38 AM
Did you add the following command to bypass interface ACL?
#sysopt connection permit-vpn
11-13-2018 11:59 AM
I used this command, no luck, still not pinging the inside LAN.
11-13-2018 12:01 PM
Are you trying to ping the IP address of the ASA on the inside, or something else on the LAN?
In the first case, could you please try to ping something else?
11-13-2018 12:05 PM
I tried the IP address of the ASA and an inside LAN system IP; both didn't ping.
11-14-2018 03:15 PM
Need expert help on this...
11-14-2018 03:18 PM
Any idea on the NAT and access-list statements?
11-17-2018 05:40 AM
Any help from the community?
11-19-2018 09:25 AM
Try to put a route 0.0.0.0 0.0.0.0 to your inside interface.
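As an added illustration that is not part of the thread or Cisco's documentation, here is a small Python audit that checks a posted ASA 8.2 configuration for the items the replies raise: the nat 0 exemption between the inside LAN and the SSLClientPool, the sysopt connection permit-vpn bypass, the split-tunnel list, and the 0.0.0.0 host routes on the inside interface. The config excerpt is constructed from the posted lines; 68.184.0.1 stands in for the redacted 68.184.x.x next hop.

```python
import ipaddress
import re

# Constructed excerpt mirroring the relevant lines of the posted ASA 8.2(5) config;
# 68.184.0.1 is a placeholder for the thread's redacted 68.184.x.x next hop.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.60.200.2 255.255.255.0
access-list no_nat extended permit ip 10.60.200.0 255.255.255.0 192.168.25.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.60.200.0 255.255.255.0
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
nat (inside) 0 access-list no_nat
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 0.0.0.0 255.255.255.255 68.184.0.1 1
split-tunnel-network-list value Split_Tunnel_List
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_vpn_reachability(config):
    """Return the reasons an AnyConnect client might fail to reach the inside LAN."""
    findings = []
    pool = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", config, re.M)
    pool_net = net(pool.group(1), pool.group(2))
    inside = re.search(r"^ ip address (\S+) (\S+)", config, re.M)
    inside_net = net(inside.group(1), inside.group(2))
    # 1. NAT exemption: on 8.2, 'nat (inside) 0 access-list X' must match LAN -> pool,
    #    otherwise the dynamic PAT rule 'nat (inside) 1' rewrites the return traffic.
    exempt = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    acl = rf"^access-list {exempt.group(1)} extended permit ip (\S+) (\S+) (\S+) (\S+)" if exempt else ""
    covered = exempt and any(
        inside_net.subnet_of(net(m.group(1), m.group(2))) and pool_net.subnet_of(net(m.group(3), m.group(4)))
        for m in re.finditer(acl, config, re.M))
    if not covered:
        findings.append("no NAT exemption covering inside LAN -> VPN pool")
    # 2. Decrypted VPN traffic hits the interface ACL unless this sysopt is present.
    if not re.search(r"^sysopt connection permit-vpn", config, re.M):
        findings.append("missing 'sysopt connection permit-vpn'")
    # 3. Split tunnelling: the client only sends into the tunnel what the named ACL lists.
    stl = re.search(r"^split-tunnel-network-list value (\S+)", config, re.M)
    entries = re.finditer(rf"^access-list {stl.group(1)} standard permit (\S+) (\S+)", config, re.M) if stl else []
    if stl and not any(net(m.group(1), m.group(2)).overlaps(inside_net) for m in entries):
        findings.append("split-tunnel list does not include the inside subnet")
    # 4. 'route inside 0.0.0.0 255.255.255.255 ...' is a host route to 0.0.0.0, not a default
    #    route; outside already gets a default route from 'ip address dhcp setroute'.
    for m in re.finditer(r"^route inside 0\.0\.0\.0 (\S+) (\S+)", config, re.M):
        findings.append(f"suspicious route on inside: 0.0.0.0 mask {m.group(1)} via {m.group(2)}")
    return findings
```

Run against the constructed excerpt it reports the missing sysopt and the odd inside route, while the NAT exemption and split-tunnel list check out.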