Need help with accessing internal network through VPN on ASA5505 8.4(1)

eoestreich
Level 1

I recently upgraded my ASA5055 from 8.02 to 8.4 and since I upgraded to the new version I can no longer access my network at home through the VPN. I can connect to the VPN with no issues however I can no longer ping or connect to my 10.0 network. Would someone be so kind to look at my config and tell me what needs to be added for this to operate? In my old config I had a NAT statement for the VPN which is no longer here.

Also I wanted to configure WebVPN to work as well and this is one thing that I have never been able to figure out. Is there also a way that I can be on my 20.0 network and connect to the VPN and access the 10.0 network as well? When connected to my 20.0 network I am not presented with the credentials to connect to the VPN. I would be thankful if someone can help me out. The most important part of this is the first part of this question.

My configuration:

ASA Version 8.4(1)
!
hostname ASA5505
domain-name xxxxxxxx.dyndns.org
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
name 192.168.10.2 server
name 192.168.10.3 desktop
name 192.168.10.5 canon
name 192.168.10.6 mvix
name 192.168.10.7 xbox
name 192.168.10.8 dvr
name 192.168.10.9 bluray
name 192.168.10.10 lcd
name 192.168.10.11 mp620
name 192.168.10.12 kayla
name 192.168.1.1 asa5505
name 192.168.1.2 ap1
name 192.168.10.4 mvix2
name 192.168.10.13 lcd2
name 192.168.10.14 dvr2
!
interface Vlan1
 nameif Management
 security-level 100
 ip address asa5505 255.255.255.248
 management-only
!
interface Vlan2
 mac-address 0050.8db6.8287
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan10
 nameif Private
 security-level 100
 ip address 192.168.10.1 255.255.255.224
!
interface Vlan20
 nameif Public
 security-level 100
 ip address 192.168.20.1 255.255.255.224
!
interface Ethernet0/0
 description Pointing towards WAN
 switchport access vlan 2
!
interface Ethernet0/1
 description Uplink to Linksys port 12
 switchport access vlan 10
!
interface Ethernet0/2
 description Server 192.168.10.2/27
 switchport access vlan 10
!
interface Ethernet0/3
 description Uplink to Eth1 Management
!
interface Ethernet0/4
 switchport access vlan 30
!
interface Ethernet0/5
 switchport access vlan 30
!
interface Ethernet0/6
 switchport access vlan 30
!
interface Ethernet0/7
 description Cisco 1200 Access Point
 switchport trunk allowed vlan 1,10,20
 switchport trunk native vlan 1
 switchport mode trunk
!
banner motd Authorized users only, all others must disconnect now!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name xxxxxxx.dyndns.org
object network obj-192.168.50.0
 subnet 192.168.50.0 255.255.255.0
object network server
 host 192.168.10.2
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.224
object network obj-192.168.20.0
 subnet 192.168.20.0 255.255.255.224
object network server-01
 host 192.168.10.2
object network server-02
 host 192.168.10.2
object network xbox
 host 192.168.10.7
object network xbox-01
 host 192.168.10.7
object network xbox-02
 host 192.168.10.7
object network xbox-03
 host 192.168.10.7
object network xbox-04
 host 192.168.10.7
object network server-03
 host 192.168.10.2
object network server-04
 host 192.168.10.2
object network server-05
 host 192.168.10.2
object network desktop
 host 192.168.10.3
object network kayla
 host 192.168.10.12
access-list Home_VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.224
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 2325
access-list outside_access_in extended permit tcp any object server eq ftp
access-list outside_access_in extended permit tcp any any eq 5851
access-list outside_access_in extended permit udp any any eq 5850
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit udp any any eq syslog
access-list outside_access_in extended permit udp any any eq 88
access-list outside_access_in extended permit udp any any eq 3074
access-list outside_access_in extended permit tcp any any eq 3074
access-list outside_access_in extended permit tcp any any eq domain
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any object server eq ssh
access-list outside_access_in extended permit tcp any any eq 2322
access-list outside_access_in extended permit tcp any any eq 5900
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit udp any any eq 5852
access-list KaileY_splitTunnelAcl standard permit 192.168.10.0 255.255.255.224
pager lines 24
logging enable
logging timestamp
logging buffer-size 36000
logging buffered warnings
logging trap debugging
logging asdm informational
logging from-address xxxxxxx@yahoo.com
logging recipient-address xxxxxxxx@yahoo.com level errors
logging host Management server
mtu Management 1500
mtu outside 1500
mtu Private 1500
mtu Public 1500
ip local pool IPPOOL 192.168.50.2-192.168.50.10 mask 255.255.255.0
ip local pool VPN_POOL 192.168.100.2-192.168.100.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network server
 nat (Private,outside) static interface service tcp ftp 5851
object network obj-192.168.10.0
 nat (Private,outside) dynamic interface
object network obj-192.168.20.0
 nat (Public,outside) dynamic interface
object network server-01
 nat (Private,outside) static interface service tcp 2325 2325
object network server-02
 nat (Private,outside) static interface service udp syslog syslog
object network xbox
 nat (Private,outside) static interface service udp 88 88
object network xbox-01
 nat (Private,outside) static interface service udp 3074 3074
object network xbox-02
 nat (Private,outside) static interface service tcp 3074 3074
object network xbox-03
 nat (Private,outside) static interface service tcp domain domain
object network xbox-04
 nat (Private,outside) static interface service udp domain domain
object network server-03
 nat (Private,outside) static interface service tcp https https
object network server-04
 nat (Private,outside) static interface service tcp ssh 2322
object network server-05
 nat (Private,outside) static interface service tcp 5900 5900
object network desktop
 nat (Private,outside) static interface service tcp 3389 3389
object network kayla
 nat (Private,outside) static interface service udp 5852 5852
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.248 Management
http redirect outside 80
snmp-server location Upstairs Office
snmp-server contact xxxxxxxx@yahoo.com
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.248 Management
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 30
management-access Management
dhcpd dns 24.205.1.14 66.215.64.14
dhcpd ping_timeout 750
dhcpd domain xxxxxxxx.dyndns.org
dhcpd auto_config outside
!
dhcpd address 192.168.1.4-192.168.1.5 Management
dhcpd enable Management
!
dhcpd address 192.168.10.20-192.168.10.30 Private
dhcpd enable Private
!
dhcpd address 192.168.20.2-192.168.20.30 Public
dhcpd enable Public
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.43.244.18
ntp server 129.6.15.28
webvpn
group-policy Home_VPN internal
group-policy Home_VPN attributes
 dns-server value 8.8.8.8 4.2.2.2
 vpn-tunnel-protocol ikev1 ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Home_VPN_splitTunnelAcl
 default-domain value www.xxxxxx.com
 address-pools value IPPOOL
 webvpn
  url-list value ClientlessBookmark
group-policy KaileY internal
group-policy KaileY attributes
 dns-server value 8.8.8.8 4.2.2.2
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value KaileY_splitTunnelAcl
 default-domain value xxxxxxx.dyndns.org
username scottrog password xxxxxxxxxxxxxx encrypted privilege 0
username john password xxxxxxxxxxxxxxx encrypted privilege 0
username joek password xxxxxxxxxxxx encrypted privilege 0
username eostrike password xxxxxxxxxxxx encrypted privilege 15
username almostsi password xxxxxxxxxxxxxx encrypted privilege 0
username ezdelarosa password xxxxxxxxxxxxxx encrypted privilege 0
tunnel-group Home_VPN type remote-access
tunnel-group Home_VPN general-attributes
 address-pool IPPOOL
 authorization-server-group LOCAL
 authorization-server-group (outside) LOCAL
 default-group-policy Home_VPN
 authorization-required
tunnel-group Home_VPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
tunnel-group ClientLESS type remote-access
tunnel-group KaileY type remote-access
tunnel-group KaileY general-attributes
 address-pool VPN_POOL
 default-group-policy KaileY
tunnel-group KaileY ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group-map default-group Home_VPN
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:438ed6084bb3dc956574b1ce83f52b86
: end
ASA5505#


Jennifer Halim
Cisco Employee

Here are the NAT statements for your first question:

object network obj-192.168.100.0
 subnet 192.168.100.0 255.255.255.0
nat (Private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.50.0 obj-192.168.50.0
nat (Private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0

And "clear xlate" after the above, and that should resolve your first issue.

Let me check out your second question and get back to you shortly.

Jennifer,

Thank you for helping me on this. The obj- are completely throwing me off. I cannot test at the moment as I am at home, so I will try and test it tomorrow when at work or even go to a hotspot this evening. I did believe it was a NAT statement issue as well; I just could not figure out how to write it.

Again thank you and I will let you know if this fixed me up :-)

EricO

Great, and thanks for the update.

On your second and third questions:

2) WebVPN - please advise what you are planning to use the WebVPN for, and also if you have license for WebVPN?

3) I am not quite sure I understand the purpose of VPN when you are connected to 20.0 to access 10.0 because, as per the current config, both networks are directly connected to the ASA with the same security level, so with a few configurations you can access 10.0 from 20.0 directly and vice versa without any VPN required.

Update:

The reason I asked about being able to VPN from my directly connected device was to save me trips to my local hot spot to test this out. I am keeping my private and public networks separated. I no longer need this request as I was able to install the VPN client on my parents' PC and RDP to them and VPN back to test the connection.

When I connected back to my network through a remote VPN connection I was still not able to ping or connect to my 10.0 network. I believe I had an ACL for this; however, it did not work on the 8.02 to 8.4(1) upgrade. I did however add this statement just now and it started to work (sysopt connection permit-vpn). I am not sure if this is a good solution or if I should replace it with an ACL, but at this time it is doing what I want it to.

As for WebVPN, I have been wanting to set up the clientless browser-based SSH VPN connection to my network. This way I can access my resources from anywhere on any PC.

Here are my ASA's licenses:

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 20             DMZ Unrestricted
Dual ISPs                         : Enabled        perpetual
VLAN Trunk Ports                  : 8              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Standby perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 25             perpetual
Total VPN Peers                   : 25             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5505 Security Plus license.

ASA5505# sh flash
--#--  --length--  -----date/time------  path
  107  4096        Apr 15 2009 07:16:08  sdesktop
  121  1462        Apr 15 2009 07:16:08  sdesktop/data.xml
  108  4181246     Sep 10 2008 06:51:48  securedesktop-asa-3.2.1.103-k9.pkg
  109  398305      Sep 10 2008 06:52:08  sslclient-win-1.1.0.154.pkg
  110  24938496    Feb 05 2011 20:43:28  asa841-k8.bin
    6  4096        Sep 10 2008 06:54:46  crypto_archive
  112  14137344    Apr 14 2009 20:31:32  asa804-k8.bin
  113  15841428    Feb 05 2011 20:44:18  asdm-641.bin
    3  4096        Apr 14 2009 20:48:58  log
  114  7605252     Apr 14 2009 21:15:30  asdm-61551.bin
  115  3032497     Apr 14 2009 22:14:34  anyconnect-win-2.3.0254-k9.pkg
  116  8548        Feb 05 2011 20:47:16  8_0_4_0_startup_cfg.sav
   12  4096        Feb 05 2011 20:47:24  coredumpinfo
   13  59          Feb 05 2011 20:47:24  coredumpinfo/coredump.cfg
  117  1757        Feb 05 2011 20:47:24  upgrade_startup_errors_201102060447.log

127111168 bytes total (56422400 bytes free)
ASA5505#

I want to thank you for helping me on this. Sad to admit that I have been working on my first issue off and on for over a week and could not figure it out.

Correct, you should enable "sysopt connection permit-vpn" to allow VPN traffic through, as it will only allow traffic through if it's from the VPN tunnel.

OK, based on your license, yes, you can configure and connect via WebVPN; however, you can only have 2 concurrent WebVPN connections.

You can configure SSH plugin with WebVPN to access your SSH device.

Here is a sample configuration on WebVPN to get started on the WebVPN configuration:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml

Here is the sample configuration to import RDP Plug-in (but in your case, you will want to import SSH Plug-in):

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c0603.shtml

(The URL provides the same method for importing RDP Plug-in or SSH Plug-in; there is no sample config specifically for SSH Plugin, but the process to import it is exactly the same.)

Hope that helps.
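Added example, not part of the thread and not Cisco's own tooling: a small Python audit that applies the two fixes discussed above to an ASA 8.3+ running-config. It reads the `ip local pool` definitions, the `object network` subnets, and the twice-NAT lines of the form Jennifer Halim gave, and reports any VPN pool that is not fully covered by an identity NAT destination (the 8.3+ replacement for the pre-8.3 NAT exemption the poster lost in the upgrade). It also flags `no sysopt connection permit-vpn`, the setting that makes decrypted VPN traffic subject to the outside interface ACL. The config excerpt is constructed to match the shape of the poster's config (object and pool names are taken from the thread); only IPPOOL has the identity NAT applied, so VPN_POOL is reported as still missing it.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt in the shape of the ASA 8.4 config posted in the thread
# (not the poster's full configuration). Only IPPOOL has the identity NAT
# from Jennifer Halim's answer; VPN_POOL is still missing it.
SAMPLE_CONFIG = """\
ip local pool IPPOOL 192.168.50.2-192.168.50.10 mask 255.255.255.0
ip local pool VPN_POOL 192.168.100.2-192.168.100.10 mask 255.255.255.0
object network obj-192.168.50.0
 subnet 192.168.50.0 255.255.255.0
object network obj-192.168.10.0
 subnet 192.168.10.0 255.255.255.224
object network obj-192.168.10.0
 nat (Private,outside) dynamic interface
nat (Private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.50.0 obj-192.168.50.0
no sysopt connection permit-vpn
"""

OBJECT_RE = re.compile(r"^object network (\S+)$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)$")
HOST_RE = re.compile(r"^\s+host (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
# Twice NAT as used for NAT exemption on 8.3+: real and mapped objects are the
# same on both the source and the destination side (identity NAT).
IDENTITY_NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)"
)


def parse_objects(config):
    """Map each network object name to its network.

    The same object is often declared twice (once for its subnet/host, once
    to attach an object NAT rule), so the current name is tracked until the
    next 'object network' line.
    """
    objects, current = {}, None
    for line in config.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SUBNET_RE.match(line)
        if m and current:
            objects[current] = ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = HOST_RE.match(line)
        if m and current:
            objects[current] = ip_network(f"{m.group(1)}/32")
    return objects


def parse_pools(config):
    """Map each VPN address pool name to its (first, last) address."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ip_address(m.group(2)), ip_address(m.group(3)))
    return pools


def identity_nat_destinations(config, objects):
    """Destination networks of identity (exempt) twice-NAT rules."""
    dests = []
    for line in config.splitlines():
        m = IDENTITY_NAT_RE.match(line)
        if not m:
            continue
        _, _, s_real, s_mapped, d_real, d_mapped = m.groups()
        if s_real == s_mapped and d_real == d_mapped and d_real in objects:
            dests.append(objects[d_real])
    return dests


def pools_without_exemption(config):
    """Names of VPN pools not fully covered by an identity NAT destination.

    Without that rule the 'nat ... dynamic interface' object rule PATs inside
    hosts toward the VPN clients, so return traffic never reaches them.
    """
    objects = parse_objects(config)
    dests = identity_nat_destinations(config, objects)
    missing = []
    for name, (first, last) in parse_pools(config).items():
        if not any(first in net and last in net for net in dests):
            missing.append(name)
    return missing


def vpn_traffic_bypasses_acl(config):
    """True unless 'no sysopt connection permit-vpn' is present.

    The ASA default lets decrypted VPN traffic bypass the interface ACL; the
    'no' form (shown in the running-config only when set) turns that off, so
    the outside ACL must then permit the VPN client traffic explicitly.
    """
    return not any(
        line.strip() == "no sysopt connection permit-vpn"
        for line in config.splitlines()
    )


def audit(config):
    """Summarise both VPN-reachability findings for a config text."""
    return {
        "pools_missing_nat_exemption": pools_without_exemption(config),
        "vpn_bypasses_interface_acl": vpn_traffic_bypasses_acl(config),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against `show running-config` output saved to a file by passing the text to `audit()`; appending the `obj-192.168.100.0` object and the second identity NAT line from the accepted answer makes the missing-pool list empty.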

Thank you Jennifer. I will give these examples a try and let you know the outcome. Again, I appreciate your help.