IPSec VPN users cannot reach internal servers.

danielbowne
Level 1

I am trying to set up an ASA 5505 for VPN access to a remote site. When connected to the VPN I can ping the internal interface (192.168.10.1) but no internal hosts. Also, internal hosts can ping the connected VPN users. VPN users can also browse the internet.

It is not just ping but all services (http/https, etc.). What the heck am I doing wrong?

Any suggestions would be great!

Internal network: 192.168.10.0/24

VPN Pool 192.168.11.0/27


Cryptochecksum: 3aa5331f e35440ac 6c7b5d9a b2f61bc2
: Saved
: Written by enable_15 at 06:47:35.218 EDT Thu Aug 28 2014
!
ASA Version 8.2(5)
!
hostname IZ-SC1
names
name 192.168.10.10 INZSC-Server1
name 192.168.11.0 VPNPOOL
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.255.1.240 255.255.255.0
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name in-zone.com
same-security-traffic permit intra-interface
object-group service RDP tcp
 description Remote Desktop Protocol
 port-object eq 3389
object-group network INZSC-Server1
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp information-reply
 service-object icmp unreachable
object-group service OPSVIEW tcp
 port-object eq 5666
access-list Split-Tunnel standard permit 192.168.10.0 255.255.255.0
access-list INZONEVPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp any host INZSC-Server1 eq 3389
access-list inside_nat0_outbound extended permit ip VPNPOOL 255.255.255.224 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 VPNPOOL 255.255.255.224
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any interface outside
access-list outside_access_in extended permit tcp any interface outside object-group OPSVIEW
pager lines 24
logging enable
logging console warnings
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool INZONEVPN-Pool 192.168.11.1-192.168.11.30 mask 255.255.255.224
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
asdm location INZSC-Server1 255.255.255.255 inside
asdm location CharterTestBox 255.255.255.255 inside
asdm location WAN-IP 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5666 INZSC-Server1 5666 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.255.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
http server enable
http 192.168.1.0 255.255.255.0 inside
http VPNPOOL 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd auto_config outside interface inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 64.90.182.55 source outside prefer
ntp server 96.47.67.105 source outside
webvpn
 enable inside
 enable outside
group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec webvpn
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  customization value DfltCustomization
group-policy INZONEVPN internal
group-policy INZONEVPN attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value INZONEVPN_splitTunnelAcl
tunnel-group INZONEVPN type remote-access
tunnel-group INZONEVPN general-attributes
 address-pool INZONEVPN-Pool
 default-group-policy INZONEVPN
tunnel-group INZONEVPN ipsec-attributes
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3aa5331fe35440ac6c7b5d9ab2f61bc2
: end

4 Replies

nkarthikeyan
Level 7

Hi,

Are you using both the VPN pool and the internal LAN with the same subnet? If so, please change it to a different segment. Create a no-NAT for the traffic between the VPN pool and the internal LAN subnet. If you are restricting in the access-list on the outside interface, then allow the VPN pool towards the internal LAN.

Regards

Karthik

Mistype in notes. Correct info > VPN Pool 192.168.11.0/27

Hi,

Allow, in the access-list bound to the outside interface, the traffic between your VPN subnet and the local internal LAN. Or you need to give sysopt connection permit-vpn to skip the interface ACL filtering for VPN users.

Regards

Karthik

Is there a route on the router or layer 3 switch for the inside network that forwards 192.168.11.0 toward the ASA?

HTH

Rick

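The replies above amount to three checks that can be made against the posted config itself: whether the VPN pool overlaps the inside LAN, whether a nat 0 (no-NAT) entry exempts LAN-to-pool traffic, and whether decrypted VPN traffic is subject to the outside interface ACL. The following Python script is an added example, not code from the thread; it runs those checks over a constructed excerpt of the posted ASA 8.2(5) configuration and assumes ASA 8.2 syntax, where `sysopt connection permit-vpn` is enabled by default and appears in the running config only as `no sysopt connection permit-vpn` when it has been disabled.

```python
import ipaddress
import re

# Constructed excerpt of the posted config: only the lines the checks read.
ASA_CONFIG = """\
name 192.168.11.0 VPNPOOL
access-list inside_nat0_outbound extended permit ip VPNPOOL 255.255.255.224 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 VPNPOOL 255.255.255.224
ip local pool INZONEVPN-Pool 192.168.11.1-192.168.11.30 mask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
"""

def _names(cfg):
    """Resolve 'name <ip> <label>' objects so ACL entries compare as networks."""
    return {label: ip for ip, label in re.findall(r"^name (\S+) (\S+)$", cfg, re.M)}

def _net(addr, mask, names):
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

def pool_overlaps_lan(cfg, lan):
    """Karthik's first question: does the VPN address pool share the inside LAN subnet?"""
    m = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", cfg, re.M)
    pool = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return pool.overlaps(ipaddress.ip_network(lan))

def nat0_exempts(cfg, lan, pool):
    """Is there a nat 0 ACL entry permitting ip LAN -> pool (the no-NAT Karthik asks for)?"""
    names = _names(cfg)
    acl = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if not acl:
        return False
    pat = rf"^access-list {acl.group(1)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    want = (ipaddress.ip_network(lan), ipaddress.ip_network(pool))
    return any((_net(s, sm, names), _net(d, dm, names)) == want
               for s, sm, d, dm in re.findall(pat, cfg, re.M))

def vpn_bypasses_interface_acl(cfg):
    """ASA 8.2 default: permit-vpn is on unless the 'no' form is in the config,
    so outside_access_in is not applied to decrypted VPN traffic."""
    return re.search(r"^no sysopt connection permit-vpn", cfg, re.M) is None

def run_checks(cfg, lan="192.168.10.0/24", pool="192.168.11.0/27"):
    return {
        "pool_overlaps_lan": pool_overlaps_lan(cfg, lan),
        "nat0_exempts_lan_to_pool": nat0_exempts(cfg, lan, pool),
        "vpn_bypasses_interface_acl": vpn_bypasses_interface_acl(cfg),
    }
```

Rick's question about a return route on an internal router or layer 3 switch cannot be answered from the ASA config alone, so it is not among these checks.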