New VPN Setup With ASDM Wizard - Can connect/authenticate No Joy Accessing LAN or Internet

MinnesoatGuy
Level 1

So I am setting up a brand new VPN for my users on my ASA 5525 using ASDM 7.6(1).  I walked through the wizard to set up the system so my users can connect via AnyConnect.  I installed the certs, set up RADIUS for authentication, etc... no issues.  I connected and authenticated and instantly I lost all Internet access and I could not access my LAN.  I did read some articles about NAT and ACL setup, but I did not understand them well enough to be able to implement the solution to my system.  I'd have thought the "Wizard" would have helped configure the VPN so my users could access my LAN.

Anyway, my address pool is 10.254.254.0/24 for the VPN users, I need them to access my inside VLAN object 10.10.1.2 (inside router) which will know how to route them once they are inside the network.

I don't even know what part of the config to provide, I'm guessing that it has to do with the NAT and/or ACL on my ASA, but I don't know what to do.  Any help would be greatly appreciated.


15 Replies

GioGonza
Level 4
Hello @MinnesoatGuy,

Can you share the show run and share the name for the connection in order to check further?

Gio

MinnesoatGuy
Level 1
The name for the connection? I'm not exactly sure what you mean. Here is the sh run, I removed what I thought was irrelevant and any identifying info to shorten the output a bit. I really appreciate any help.

: Serial Number: xxx
: Hardware: ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname ASAHouse1
domain-name domain.mn
enable password U0d....I encrypted
names
ip local pool VPNPool 10.254.254.1-10.254.254.254 mask 255.255.255.0

!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
description STATE Failover Interface
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
description LAN Failover Interface
!
interface GigabitEthernet0/7
nameif outside
security-level 0
ip address 255.255.255.224
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 255.255.255.0
!
boot system disk0:/asa961-smp-k8.bin
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name domain.mn
object network GLOBAL
subnet 0.0.0.0 0.0.0.0
object network 10.70.5.2
host 10.70.5.2

object network 10.10.1.2
host 10.10.1.2
object network 10.10.1.41
host 10.10.1.41
object network 10.1.1.26
host 10.1.1.26
object network 10.1.1.36
host 10.1.1.36
object network 10.1.1.45
host 10.1.1.45
object network 10.1.1.57
host 10.1.1.57
object network 10.1.1.65
host 10.1.1.65
object network 10.1.1.66
host 10.1.1.66
object network 10.1.1.72
host 10.1.1.72
object network 10.1.1.3
host 10.1.1.3
object network 10.1.1.4
host 10.1.1.4
object network 10.50.5.14
host 10.50.5.14
object network 10.50.5.19
host 10.50.5.19
object network 10.40.5.5
host 10.40.5.50
object network 10.30.1.237
host 10.30.1.237
object network 10.30.1.86
host 10.30.1.86
object network 10.254.1.6
host 10.254.1.6
object network 10.100.10.1
host 10.100.10.1
object network HouseTVCamera
host 10.91.7.201
description House TV WiFi Camera
object service WSUS
service tcp destination eq 8530
description POrt for WSUS server upgrade from outside the network
object network VLAN20
subnet 10.20.0.0 255.255.0.0
object network VLAN30
subnet 10.30.0.0 255.255.0.0
object network globaldynamic
host 156.98.43.58
object network NETWORK_OBJ_10.254.253.0_24
subnet 10.254.253.0 255.255.255.0
object network VPNSubnet
range 10.254.254.0 10.254.254.254
description VPN Subnet Range
object network NETWORK_OBJ_10.254.254.0_24
subnet 10.254.254.0 255.255.255.0
object network NETWORK_OBJ_10.10.1.0_24
subnet 10.10.1.0 255.255.255.0
object network 10.254.254.0
subnet 10.254.254.0 255.255.255.0
description VPN Address Pool
object-group service GroupWise tcp
description GroupWise Client
port-object eq 1677
object-group network VPN_POOL
description Address Pool For VPN
network-object object VPNSubnet
access-list outside_access_in extended deny udp any eq 16465 any
access-list outside_access_in extended deny ip 10.0.0.0 255.0.0.0 any
access-list outside_access_in extended deny tcp any eq 41837 any
access-list outside_access_in extended permit udp any eq 1935 any
access-list outside_access_in extended deny udp any eq 45 any
access-list outside_access_in extended deny tcp any eq 45 any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny tcp any eq 135 any
access-list outside_access_in extended deny udp any eq tftp any
access-list outside_access_in extended deny tcp any eq 445 any
access-list outside_access_in extended deny tcp any eq 1214 any
access-list outside_access_in extended deny tcp any eq 1215 any
access-list outside_access_in extended deny tcp any eq 4444 any
access-list outside_access_in extended deny tcp any eq 5554 any
access-list outside_access_in extended deny tcp any eq 6346 any
access-list outside_access_in extended deny tcp any eq 6347 any
access-list outside_access_in extended deny tcp any eq 9996 any
access-list outside_access_in extended permit ip object 10.254.254.0 any
access-list inside_access_in extended deny udp any eq 16465 any
access-list inside_access_in extended permit ip any host 156.98.98.130
access-list inside_access_in extended deny tcp any eq 445 any
access-list inside_access_in extended deny tcp any eq netbios-ssn any
access-list inside_access_in extended deny tcp any eq 41837 any
access-list inside_access_in extended deny udp any eq 41837 any
access-list inside_access_in extended deny tcp any eq 6346 any
access-list inside_access_in extended deny udp any eq 6346 any
access-list inside_access_in extended deny tcp any eq 6347 any
access-list inside_access_in extended deny udp any eq 6347 any
access-list inside_access_in extended deny tcp any eq 18067 any
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 10.254.254.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.254.254.0 255.255.255.0
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any object 156.98.78.180
access-list outside_access_in_1 extended permit ip object NETWORK_OBJ_10.254.254.0_24 any
access-list inside_access_in_1 extended deny tcp any any eq smtp
access-list inside_access_in_1 extended permit ip any any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list VPN_in extended permit ip object VPNSubnet interface inside
access-list Local_LAN_Access_VPN remark Allows for VPN access to local LAN
access-list Local_LAN_Access_VPN standard permit host 0.0.0.0
pager lines 24
logging enable
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
logging mail alerts
logging from-address ASA5525-X@domain.mn
logging recipient-address user@domain.mn level errors
logging host inside x.x.x.x 17/1500
mtu inside 1500
mtu outside 1500
mtu management 1500
ip verify reverse-path interface inside
failover
failover lan unit primary
failover lan interface LAN GigabitEthernet0/6
failover link State GigabitEthernet0/4
failover interface ip LAN x.x.x.x 255.255.255.252 standby 192.168.1.2
failover interface ip State 192.168.2.1 255.255.255.252 standby 192.168.2.2
failover ipsec pre-shared-key *****
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (inside,outside) source dynamic VLAN30 globaldynamic
nat (inside,outside) source dynamic VLAN20 globaldynamic
nat (inside,outside) source dynamic VLAN40 globaldynamic
nat (inside,outside) source dynamic VLAN50 globaldynamic
nat (inside,outside) source dynamic VLAN60 globaldynamic
nat (inside,outside) source dynamic VLAN70 globaldynamic
nat (inside,outside) source dynamic VLAN80 globaldynamic
nat (inside,outside) source dynamic VLAN91 globaldynamic
nat (inside,outside) source dynamic VLAN90 globaldynamic
nat (inside,outside) source dynamic VLAN92 globaldynamic
!

nat (outside,inside) after-auto source static NETWORK_OBJ_10.254.254.0_24 NETWORK_OBJ_10.254.254.0_24 no-proxy-arp
nat (inside,outside) after-auto source dynamic GLOBAL globaldynamic
access-group inside_access_in_1 in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 156.98.43.62 1
route inside 10.1.1.0 255.255.255.0 10.10.1.2 1
route inside 10.20.0.0 255.255.0.0 10.10.1.2 1
route inside 10.30.0.0 255.255.0.0 10.10.1.2 1
route inside 10.40.0.0 255.255.0.0 10.10.1.2 1
route inside 10.50.0.0 255.255.0.0 10.10.1.2 1
route inside 10.51.0.0 255.255.0.0 10.10.1.2 1
route inside 10.60.0.0 255.255.0.0 10.10.1.2 1
route inside 10.61.0.0 255.255.0.0 10.10.1.2 1
route inside 10.70.0.0 255.255.0.0 10.10.1.2 1
route inside 10.74.160.0 255.255.248.0 10.10.1.2 1
route inside 10.74.166.0 255.255.255.0 10.10.1.2 1
route inside 10.80.0.0 255.255.0.0 10.10.1.2 1
route inside 10.90.0.0 255.255.0.0 10.10.1.2 1
route inside 10.91.0.0 255.255.0.0 10.10.1.2 1
route inside 10.100.1.0 255.255.255.0 10.10.1.2 1
route inside 10.100.10.0 255.255.255.0 10.10.1.2 1
route inside 10.100.13.0 255.255.255.0 10.10.1.2 1
route inside 10.100.16.0 255.255.255.0 10.10.1.2 1
route inside 10.100.102.0 255.255.255.0 10.10.1.2 1
route inside 10.100.103.0 255.255.255.0 10.10.1.2 1
route inside 10.100.106.0 255.255.255.0 10.10.1.2 1
route inside 10.100.107.0 255.255.255.0 10.10.1.2 1
route inside 10.254.254.0 255.255.255.0 10.10.1.2 1
route outside 255.255.255.224 10.10.1.2 1
route inside 0.0.0.0 0.0.0.0 10.10.1.2 tunneled
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server RADIUS protocol radius
authorize-only
reactivation-mode depletion deadtime 20
aaa-server RADIUS (inside) host
key *****
authentication-port xxxxx
aaa-server RADIUS2 protocol radius
aaa-server RADIUS2 (inside) host
key *****
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.60.0.0 255.255.0.0 management
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map inside_map 1 set ikev1 transform-set ESP-3DES-MD5 ESP-DES-MD5 ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-128-MD5 ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-DES-SHA
crypto map inside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map inside_map interface inside
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5 ESP-DES-MD5 ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-128-MD5 ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-DES-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpoint ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
fqdn vpn.domain.mn
subject-name CN=vpn.DOMAIN.MN,O=XXX,C=US,St=WI
keypair vpn.domsin.mn.key
crl config
crypto ca trustpoint ASDM_TrustPoint5
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint2
certificate 0667810c 01020230 7c06082b 06010505 07010104 70306e30 2406082b 06010505
quit
crypto ca certificate chain ASDM_TrustPoint2
certificate ca 01fda3eb6eca75c888438b724bcfbc91
... 0d01010b 05003061 310b3009 06035504 06130255 53311530
8fab492e 9d3b9334 281f78ce 94eac7bd d3c96d1c de5c32f3
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 255.255.255.0 management
telnet timeout 5
no ssh stricthostkeycheck
ssh 255.255.255.0 management
ssh 10.60.0.0 255.255.0.0 management
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 60
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 1
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
ntp server 10.1.1.1
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point ASDM_TrustPoint2 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.5.02033-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.5.02033-webdeploy-k9.pkg 2
anyconnect profiles HouseVPN_client_profile disk0:/HouseVPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
dns-server value
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
gateway-fqdn value vpn.domain.mn
webvpn
anyconnect ask none default anyconnect
group-policy GroupPolicy_HouseVPN internal
group-policy GroupPolicy_HouseVPN attributes
wins-server none
dns-server value
vpn-tunnel-protocol ikev2 ssl-client
password-storage disable
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access_VPN
default-domain value domain.mn
split-dns value
split-tunnel-all-dns disable
address-pools value VPNPool
webvpn
anyconnect profiles value HouseVPN_client_profile type user
anyconnect ask none default anyconnect
dynamic-access-policy-record DfltAccessPolicy
username aXXXn password sXXX encrypted
username AXXXN password VD.XXXH encrypted privilege 15
username XXXX password FnXXX8U/qsyPEe0FySA encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPNPool
address-pool VPNPool
authentication-server-group RADIUS
authentication-server-group (outside) RADIUS
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPNPool
authentication-server-group RADIUS
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias HouseVPNuser enable
tunnel-group HouseVPN type remote-access
tunnel-group HouseVPN general-attributes
address-pool (outside) VPNPool
address-pool VPNPool
authentication-server-group RADIUS
authentication-server-group (outside) RADIUS
default-group-policy GroupPolicy_HouseVPN
tunnel-group HouseVPN webvpn-attributes
group-alias HouseVPN enable
!
class-map icmp-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map icmp_policy
class icmp-class
inspect icmp
policy-map global_policy
description Allow Ping (ICMP)
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect dns preset_dns_map
inspect http
inspect pptp
policy-map inside-policy
description ICMP allow out
class icmp-class
inspect icmp
!
service-policy global_policy global
service-policy inside-policy interface inside
smtp-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:23e76b6c6...73
: end

ASAHouse1# exit

Logoff


Hello,

I'm asking for the name of the tunnel-group you are connecting to. I see you have the Defaults and another one called houseVPN.

Which is it?

Gio

Hello @MinnesoatGuy

I checked the configuration and I'm sharing my findings:

group-policy GroupPolicy_HouseVPN internal
group-policy GroupPolicy_HouseVPN attributes
split-tunnel-policy excludespecified >> You have Excludespecified and the ACL is any, it is going to drop all the traffic and it will not send any traffic to the ASA.
split-tunnel-network-list value Local_LAN_Access_VPN

access-list Local_LAN_Access_VPN remark Allows for VPN access to local LAN
access-list Local_LAN_Access_VPN standard permit host 0.0.0.0

I also found a static route to the inside for that traffic, that means if the ASA receives the traffic from the inside it will send it back through the same interface and not to the outside.

route inside 10.254.254.0 255.255.255.0 10.10.1.2

My suggestions to copy and paste:

access-list Local_LAN_Access_VPN standard permit host 10.10.1.2
no access-list Local_LAN_Access_VPN standard permit host 0.0.0.0

group-policy GroupPolicy_HouseVPN attributes
split-tunnel-policy tunnelspecified
exit

no route inside 10.254.254.0 255.255.255.0 10.10.1.2 1

no nat (outside,inside) after-auto source static NETWORK_OBJ_10.254.254.0_24 NETWORK_OBJ_10.254.254.0_24 no-proxy-arp
nat (inside,outside) source static 10.10.1.2 10.10.1.2 destination static NETWORK_OBJ_10.254.254.0_24 NETWORK_OBJ_10.254.254.0_24 no-proxy-arp route-lookup

Apply the changes and let me know, I will be waiting for any reply.

HTH

Gio
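As an added example (not from the thread, Cisco, or the ASA itself), here is a small Python linter that parses the split-tunnel, route and NAT lines from a pasted show run and flags the three things the accepted answer found. The two config excerpts are constructed from this thread's before and after states; the checks encode the accepted answer's reading of the config, not a full model of ASA behaviour.

```python
import ipaddress

# Constructed excerpt of the thread's original "show run" (the broken state).
BROKEN_CONFIG = """\
ip local pool VPNPool 10.254.254.1-10.254.254.254 mask 255.255.255.0
object network NETWORK_OBJ_10.254.254.0_24
subnet 10.254.254.0 255.255.255.0
access-list Local_LAN_Access_VPN standard permit host 0.0.0.0
nat (outside,inside) after-auto source static NETWORK_OBJ_10.254.254.0_24 NETWORK_OBJ_10.254.254.0_24 no-proxy-arp
route inside 10.254.254.0 255.255.255.0 10.10.1.2 1
group-policy GroupPolicy_HouseVPN attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access_VPN
address-pools value VPNPool
"""

# The same excerpt after the accepted answer's changes are applied.
FIXED_CONFIG = """\
ip local pool VPNPool 10.254.254.1-10.254.254.254 mask 255.255.255.0
object network NETWORK_OBJ_10.254.254.0_24
subnet 10.254.254.0 255.255.255.0
access-list Local_LAN_Access_VPN standard permit host 10.10.1.2
nat (inside,outside) source static 10.10.1.2 10.10.1.2 destination static NETWORK_OBJ_10.254.254.0_24 NETWORK_OBJ_10.254.254.0_24 no-proxy-arp route-lookup
group-policy GroupPolicy_HouseVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Local_LAN_Access_VPN
address-pools value VPNPool
"""


def parse_config(text: str) -> dict:
    """Collect pools, network objects, standard ACLs, NAT rules, routes and group-policy
    split-tunnel settings; sub-commands attach to the preceding block header, so pasted
    output does not need the ASA's indentation."""
    cfg = {"pools": {}, "objects": {}, "acls": {}, "nat": [], "routes": [], "policies": {}}
    ctx = None  # ("object", name) or ("policy", name) while inside a block
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[:3] == ["ip", "local", "pool"]:  # ip local pool NAME FIRST-LAST mask MASK
            cfg["pools"][w[3]] = ipaddress.ip_network(f"{w[4].split('-')[0]}/{w[6]}", strict=False)
        elif w[:2] == ["object", "network"]:
            ctx = ("object", w[2])
        elif w[0] in ("subnet", "host") and ctx and ctx[0] == "object":
            cidr = f"{w[1]}/{w[2]}" if w[0] == "subnet" else f"{w[1]}/32"
            cfg["objects"][ctx[1]] = ipaddress.ip_network(cidr)
        elif w[0] == "access-list" and len(w) > 4 and w[2] == "standard":  # split-tunnel lists
            if w[4] == "host":
                net = ipaddress.ip_network(f"{w[5]}/32")
            elif w[4] == "any":
                net = ipaddress.ip_network("0.0.0.0/0")
            else:
                net = ipaddress.ip_network(f"{w[4]}/{w[5]}")
            cfg["acls"].setdefault(w[1], []).append((w[3], net))
        elif w[0] == "nat":
            cfg["nat"].append(" ".join(w))
        elif w[0] == "route":  # route IFACE NET MASK NEXTHOP [metric]
            cfg["routes"].append((w[1], ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[4]))
        elif w[0] == "group-policy" and w[-1] == "attributes":
            ctx = ("policy", w[1])
            cfg["policies"].setdefault(w[1], {})
        elif ctx and ctx[0] == "policy" and w[0].startswith(("split-tunnel-", "address-pools")):
            cfg["policies"][ctx[1]][w[0]] = w[-1]
    return cfg


def lint(cfg: dict) -> list:
    """Flag what the accepted answer found: excludespecified with a 0.0.0.0 entry, a route
    sending the VPN pool back inside, and no inside->outside NAT exemption for the pool."""
    findings, pool_nets = [], list(cfg["pools"].values())
    pool_objects = {n for n, net in cfg["objects"].items() if net in pool_nets}
    for name, pol in cfg["policies"].items():
        entries = cfg["acls"].get(pol.get("split-tunnel-network-list", ""), [])
        permitted = [net for action, net in entries if action == "permit"]
        if pol.get("split-tunnel-policy") == "excludespecified" and any(
                n.network_address == ipaddress.ip_address("0.0.0.0") for n in permitted):
            findings.append(f"{name}: excludespecified with a 0.0.0.0 entry keeps all traffic out of the tunnel")
    for iface, net, nexthop in cfg["routes"]:
        if net in pool_nets and iface != "outside":
            findings.append(f"route {iface} {net} via {nexthop}: VPN pool is hairpinned back to the inside")
    exempt = any(r.startswith("nat (inside,outside)") and any(f"destination static {o} " in r for o in pool_objects)
                 for r in cfg["nat"])
    if pool_nets and not exempt:
        findings.append("no inside->outside NAT exemption with the VPN pool object as destination")
    return findings
```

Running lint(parse_config(BROKEN_CONFIG)) reports all three findings, while the fixed excerpt comes back clean.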

THAT WORKED. You are a goddam genius!

The only concern was a warning when I entered the last line:

nat (inside,outside) source static 10.10.1.2 10.10.1.2 destination static NETWORK_OBJ_10.254.254.0_24 NETWORK_OBJ_10.254.254.0_24 no-proxy-arp route-lookup

The system said "Warning: Pool (10.10.1.2) overlap with existing pool."
Any suggestions?

Hello @MinnesoatGuy,

We need to check if the traffic is leaving the ASA to the internal network...

First question: What type of device is host 10.10.1.2? We need to verify if we can apply a capture here in order to check if the traffic reaches this device.

Second question: We need to place a capture on the ASA in order to verify if the traffic is traversing the VPN and leaving the inside interface on the ASA. The command should be:
cap <name_capture> interface inside match ip host 10.10.1.2 host 10.254.254.x << Check the IP for the VPN Client.

After you place the capture, send some traffic to the host and verify the capture, you should share the output for the command "show cap <name_capture>"

HTH
Gio

The 10.10.1.2 is my L3 core switch. It handles my inside routing.

The packet capture shows this when I connect from a remote machine and VPN in and ping 10.10.1.2 (no echo reply is received, but I ping anyway to make the traffic):
ASAHouse1# sh cap VPNcap

4 packets captured

1: 14:43:36.027205 10.254.254.6 > 10.10.1.2: icmp: echo request
2: 14:43:40.686381 10.254.254.6 > 10.10.1.2: icmp: echo request
3: 14:43:45.658840 10.254.254.6 > 10.10.1.2: icmp: echo request
4: 14:43:50.656994 10.254.254.6 > 10.10.1.2: icmp: echo request

Hello @MinnesoatGuy,

The traffic is being sent through the inside interface but the reply is not received on the ASA; you need to check the internal routing in order to see if the subnet 10.254.254.0/24 is being sent elsewhere.

How is the topology behind the ASA? You have a Layer 3 Switch but do you have something else?

HTH

Gio

Behind the ASA is a Web filter, layer 2 so it is not an issue, besides it is already set to allow any traffic from that subnet through.

Then we come to my core - the port used to be connected to my PIX, but is now my ASA (don't judge). Here is the config for VLAN 10 and the route info from when I ran sh ip route for 10.254.254.0:

interface Vlan10
description Inside PIX Firewall Vlan
ip address 10.10.1.40 255.255.255.0
no ip mroute-cache
standby 10 ip 10.10.1.2
standby 10 priority 110
standby 10 preempt
standby 10 authentication house
!

S 10.254.254.0/24 [1/0] via 10.10.1.60

I'll be honest, I don't know what 10.10.1.60 is. I did not configure that route and I can't tell what that address is for.

Hello @MinnesoatGuy,

Since you don't know what that IP is, you can check by doing "show cdp neighbors" or "show arp" in order to know if that IP is active or not. Since you have a static route to that IP, the change should be removing that static route and applying a route to send the traffic to the ASA.

If the default route goes to the ASA, you should only remove that route and it will work. Let me know how it goes.

HTH

Gio

No joy.

I changed the route to 10.255.255.0 255.255.255.0 10.10.1.1
then I tried it, no dice.
I then removed the route altogether and still, nothing. I can't even get to the public servers on my network when I can get to them from the Internet when not connected to the VPN. It's strange. I feel like you are helping me so much, but there is one little thing still keeping me from accessing my LAN when I connect to the VPN.

I did notice that when I connect with my remote computer, when I run an IPCONFIG I see my IP address and subnet mask, but no default gateway. Is that normal? It would seem that a default gateway would kind of be needed. But I'm not sure with a VPN tunnel.

Hello @MinnesoatGuy

Regarding the default gateway, you are not going to see anything to the ASA, just the subnets or hosts you applied on the ACL for the split-tunnel, so the DG remains the LAN or WiFi GW.

On the other hand, I saw the route and I think you applied the wrong one since you added the subnet 10.255.255.0/24 and you are using 10.254.254.0/24, maybe this was the problem :)

HTH

Gio

Oops, I actually typed that wrong in my message, I did enter the route correctly on the core switch. Still no joy. Could there be an issue with the split tunnel? I don't know what else it could be.

Well, if you added the route correctly and it is not working, according to your question the split-tunnel is working as expected, since the traffic is traversing the ASA and you can see it on the previous capture. The issue is when the traffic reaches your internal network, since it doesn't send the traffic back to the ASA; if the routing is off the table then it should be something blocking the reply.

Maybe we can try to enable a computer on the split-tunnel and place a wireshark in order to verify first if the traffic is reaching the device and what is happening with the reply.

HTH

Gio