Solved: Please Help! Connected to VPN but can not access to any internal servers.

harry0310 · ‎08-05-2013

Hi Friends,

I am a newbie on vpn stuff, and I configured a basic vpn on a Cisco ASA 5505 using ASDM, and I was able to connect to it. However, I can't ssh or RDP to any of the servers in house after I connected to the vpn. Below is the configuration. Please help!

ASA Version 8.2(5)

!

hostname sc-asa

domain-name abc.com

enable password xxxxxxxxx encrypted

passwd xxxxxxxxx encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

dns server-group DefaultDNS

domain-name opendns.com

access-list sc-pool_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd auto_config outside

!

dhcpd address 192.168.1.5-192.168.1.36 inside

dhcpd dns 208.67.222.222 208.67.220.220 interface inside

dhcpd lease 86400 interface inside

dhcpd domain abc.com interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

webvpn

group-policy abc-sc internal

group-policy abc-sc attributes

dns-server value 208.67.222.222 192.168.1.3

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value abc-sc_splitTunnelAcl

default-domain value abc.com

username a001 password xxxxxxxxxxx encrypted

username a002 password xxxxxxxxxxx encrypted

username a003 password xxxxxxxxxxx encrypted privilege 0

username a003 attributes

vpn-group-policy abc-sc

username a004 password xxxxxxxxxxx encrypted privilege 0

username a004 attributes

vpn-group-policy abc-sc

username a005 password xxxxxxxxxxx encrypted

username a006 password xxxxxxxxxxx encrypted

username a007 password xxxxxxxxxxx encrypted privilege 15

tunnel-group abc-sc type remote-access

tunnel-group abc-sc general-attributes

address-pool sc-pool

default-group-policy abc-sc

tunnel-group abc-sc ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:e7df4fa4b60a252d806ca5222d48883b

: end

Jouni Forss · ‎08-05-2013

Hi,

I would suggest you start with changing the VPN Pool to something else than the current LAN network and see if that helps

These should be the configuration needed to achieve that

First we remove VPN Pool from the VPN configuration
Then we remove the VPN Pool and create it again with another address space
When then attach that new VPN Pool again to the VPN configuration
As a last step we add a NAT0 / NAT Exempt configuration for that new VPN pool and remove the old ACL line for the old VPN Pool

tunnel-group abc-sc general-attributes

no address-pool sc-pool

no ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0

ip local pool sc-pool 192.168.100.100-192.168.100.110 mask 255.255.255.0

tunnel-group abc-sc general-attributes

address-pool sc-pool

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

no access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240

- Jouni

View solution in original post

Jouni Forss · ‎08-05-2013

Hi,

I would suggest you start with changing the VPN Pool to something else than the current LAN network and see if that helps

These should be the configuration needed to achieve that

First we remove VPN Pool from the VPN configuration
Then we remove the VPN Pool and create it again with another address space
When then attach that new VPN Pool again to the VPN configuration
As a last step we add a NAT0 / NAT Exempt configuration for that new VPN pool and remove the old ACL line for the old VPN Pool

tunnel-group abc-sc general-attributes

no address-pool sc-pool

no ip local pool sc-pool 192.168.1.100-192.168.1.110 mask 255.255.255.0

ip local pool sc-pool 192.168.100.100-192.168.100.110 mask 255.255.255.0

tunnel-group abc-sc general-attributes

address-pool sc-pool

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

no access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.96 255.255.255.240

- Jouni

harry0310 · ‎08-06-2013

hmm.....

Still no luck after I made the changes

ASA Version 8.2(5)

!

hostname abc-asa

domain-name abc.com

enable password xxxxxxxxxxxxx encrypted

passwd xxxxxxxxxxxxx encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

dns server-group DefaultDNS

domain-name abc.com

access-list abc-sc_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool sc-pool 192.168.100.100-192.168.100.110 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 192.168.1.0 255.255.255.0 inside

ssh timeout 5

console timeout 0

dhcp-client client-id interface outside

dhcpd auto_config outside

!

dhcpd address 192.168.1.5-192.168.1.36 inside

dhcpd dns 208.67.222.222 208.67.220.220 interface inside

dhcpd lease 86400 interface inside

dhcpd domain abc.com interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

webvpn

group-policy abc-sc internal

group-policy abc-sc attributes

dns-server value 208.67.222.222 192.168.1.3

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value abc-sc_splitTunnelAcl

default-domain value abc.com

username h001 password xxxxxxxxxxxxx encrypted privilege 0

username h001 attributes

vpn-group-policy abc-sc

username a001 password xxxxxxxxxxxxx encrypted privilege 0

username a001 attributes

vpn-group-policy abc-sc

tunnel-group abc-sc type remote-access

tunnel-group abc-sc general-attributes

address-pool sc-pool

default-group-policy abc-sc

tunnel-group abc-sc ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:1d8582136772667a3c095f11ee2441cb

geeksonline · ‎08-07-2013

Harry, you mentioned you are unable to access internal servers using RDP/SSH etc. Was that using the hostname or ip address?

richardblair · ‎08-07-2013

Also, are you able to ping these devices by address from the inside interface of your ASA?

harry0310 · ‎08-08-2013

After some investigations, I finally found the problem.

The network behind the firewall is 192.168.1.0 and the network I am testing from is also 192.168.1.0 and it didn't work.

I tried to use my aircard modem to dail in and connect to vpn, I was able to see all internal hosts.

Everything worked after I changed the internal IP to another set of subnet.

Thanks for all your helps!

Harry