Remote Access VPN

Ali Bahnam
Level 1

Dears,

I have a router, and behind it I have an ASA 5510.

I configured a site-to-site VPN on the router and it is working without any issues.

After that I configured a remote access VPN on the router, and I connect with the VPN client, but I can't reach anything in the internal LAN.

Appreciate your help,

Regards

9 Replies

Jeff Van Houten
Level 5

Without a topology drawing, some configs or some more explanation, that's going to be a little difficult.

Sent from Cisco Technical Support iPad App

jawad-mukhtar
Level 4

On the ASA, add a remote VPN route towards the router, and you will have to use nat 0 on the ASA.


Sent from Cisco Technical Support Android App

Jawad,

Thank you for your response.

I already added a route from the ASA toward the router; by the way, I converted the configuration on the ASA and am still facing the same issue.

Regards,

paolo bevilacqua
Hall of Fame

Wrong forum, post in "Security - VPN". You can move your posting using the Actions panel on the right.

OK, I removed it now.

Attached is the configuration that I did on the ASA:

ASA Version 8.2(5)
!
hostname
enable password iwtL1y5uEVzS9Gp9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.64.5.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.64.6.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
access-list internal extended permit ip any any
access-list internal extended permit icmp any any
access-list external extended permit ip any any
access-list external extended permit icmp any any
access-list vpn1 extended permit ip 10.64.3.0 255.255.255.0 10.64.1.0 255.255.255.0
access-list vpn1 extended permit ip 10.64.4.0 255.255.255.0 10.64.1.0 255.255.255.0
access-list vpn1 extended permit ip 10.64.5.0 255.255.255.0 10.64.1.0 255.255.255.0
access-list vpn1 extended permit ip 10.64.6.0 255.255.255.0 10.64.1.0 255.255.255.0
access-list vpn1 extended permit ip 10.64.13.0 255.255.255.0 10.64.1.0 255.255.255.0
access-list vpn1 extended permit ip 10.64.20.0 255.255.255.0 10.64.1.0 255.255.255.0
access-list vpn1 extended permit ip 10.64.3.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list vpn1 extended permit ip 10.64.4.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list vpn1 extended permit ip 10.64.5.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list vpn1 extended permit ip 10.64.6.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list vpn1 extended permit ip 10.64.13.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list vpn1 extended permit ip 10.64.20.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.64.3.0 255.255.255.0 10.64.1.0 255.255.255.0
access-list nat0 extended permit ip 10.64.4.0 255.255.255.0 10.64.1.0 255.255.255.0
access-list nat0 extended permit ip 10.64.5.0 255.255.255.0 10.64.1.0 255.255.255.0
access-list nat0 extended permit ip 10.64.6.0 255.255.255.0 10.64.1.0 255.255.255.0
access-list nat0 extended permit ip 10.64.13.0 255.255.255.0 10.64.1.0 255.255.255.0
access-list nat0 extended permit ip 10.64.20.0 255.255.255.0 10.64.1.0 255.255.255.0
access-list nat0 extended permit ip 10.64.3.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.64.4.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.64.5.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.64.6.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.64.13.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.64.20.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list split-acl standard permit 10.64.3.0 255.255.255.0
access-list split-acl standard permit 10.64.4.0 255.255.255.0
access-list split-acl standard permit 10.64.5.0 255.255.255.0
access-list split-acl standard permit 10.64.6.0 255.255.255.0
access-list split-acl standard permit 10.64.13.0 255.255.255.0
access-list split-acl standard permit 10.64.20.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool siretail 30.30.30.1-30.30.30.33 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group internal in interface outside
access-group external in interface inside
route outside 0.0.0.0 0.0.0.0 10.64.5.2 1
route inside 10.64.3.0 255.255.255.0 10.64.6.2 1
route inside 10.64.4.0 255.255.255.0 10.64.6.2 1
route inside 10.64.20.0 255.255.255.0 10.64.6.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set test esp-3des esp-sha-hmac
crypto ipsec transform-set vpn esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map bmap 10 set transform-set test
crypto dynamic-map bmap 10 set security-association lifetime seconds 288000
crypto dynamic-map bmap 10 set reverse-route
crypto map smap 1 match address vpn1
crypto map smap 1 set pfs
crypto map smap 1 set peer x.x.x.x
crypto map smap 1 set transform-set vpn
crypto map smap 10 ipsec-isakmp dynamic bmap
crypto map smap interface outside
crypto isakmp enable outside
crypto isakmp policy 9
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 33
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy client internal
group-policy client attributes
 vpn-simultaneous-logins 20
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
 default-domain value siretail.com
 user-authentication-idle-timeout none
username sinan password BNFgx7tPOpARB6lX encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
tunnel-group client type remote-access
tunnel-group client general-attributes
 address-pool siretail
 default-group-policy client
tunnel-group client ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:760c55ccd48d19728a2a4000f7a81237
: end
SI-Retail-Erbil#


Hi,

!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options

Add:

  inspect icmp

Do rate helpful posts...

Jawad

Jawad

I added it, but I am still facing the same issue (cannot ping the internal LAN).

Regards,

Hi,

I am missing in your configuration the NAT exempt command for the remote client IP.

For example:

object network LOCAL_LAN
 subnet 192.168.0.0 255.255.0.0
object network REMOTE_LAN
 subnet 172.16.0.0 255.255.0.0
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN

Dears, the issue has been solved and now I can ping the internal LAN.

I just changed the pool from 30.30.x.x to another subnet.

Thanks for your help.
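As an added example (not code from the thread, the poster, or Cisco), the script below applies the checks that came up in the thread to an ASA 8.2-style configuration: whether every split-tunnel network has a nat 0 exemption toward the whole client pool (Jawad's advice), what range the pool is drawn from (the poster's eventual fix was to re-address it), and which inside networks are reached through another router, since that router has to route the pool back to the ASA. SAMPLE_CONFIG is a constructed excerpt that keeps the posted names and subnets; the function names, the "not RFC 1918 space" heuristic and the wording of the findings are assumptions of this example, not anything the thread states.

```python
"""Reachability lint for an ASA 8.2-style remote-access VPN config.
Added example, not the poster's or Cisco's tooling. SAMPLE_CONFIG is a
constructed excerpt of the configuration posted in the thread."""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 10.64.6.1 255.255.255.0
access-list internal extended permit ip any any
access-list nat0 extended permit ip 10.64.3.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.64.4.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.64.5.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.64.6.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.64.13.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list nat0 extended permit ip 10.64.20.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list split-acl standard permit 10.64.3.0 255.255.255.0
access-list split-acl standard permit 10.64.4.0 255.255.255.0
access-list split-acl standard permit 10.64.5.0 255.255.255.0
access-list split-acl standard permit 10.64.6.0 255.255.255.0
access-list split-acl standard permit 10.64.13.0 255.255.255.0
access-list split-acl standard permit 10.64.20.0 255.255.255.0
ip local pool siretail 30.30.30.1-30.30.30.33 mask 255.255.255.0
nat (inside) 0 access-list nat0
route inside 10.64.3.0 255.255.255.0 10.64.6.2 1
route inside 10.64.4.0 255.255.255.0 10.64.6.2 1
route inside 10.64.20.0 255.255.255.0 10.64.6.2 1
group-policy client attributes
 split-tunnel-network-list value split-acl
tunnel-group client general-attributes
 address-pool siretail
"""

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _endpoints(tokens):
    """Read the two endpoints of an ACE: 'any', 'host A' or 'A MASK'."""
    nets, i = [], 0
    while len(nets) < 2:
        if tokens[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        elif tokens[i] == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1] + "/32")); i += 2
        else:
            nets.append(_net(tokens[i], tokens[i + 1])); i += 2
    return nets

def parse_config(text):
    """Pull out only the statements the reachability check needs."""
    cfg = {"if_addr": {}, "pools": {}, "ext_acl": {}, "std_acl": {},
           "nat0": {}, "routes": [], "split_list": None, "address_pool": None}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            cfg["if_addr"][nameif] = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)$", line):
            name, lo, hi, mask = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi), _net(lo, mask))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)$", line):
            cfg["ext_acl"].setdefault(m.group(1), []).append(tuple(_endpoints(m.group(2).split())))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
            cfg["std_acl"].setdefault(m.group(1), []).append(_net(m.group(2), m.group(3)))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            iface, dst, mask, nh = m.groups()
            cfg["routes"].append((iface, _net(dst, mask), ipaddress.ip_address(nh)))
        elif m := re.match(r"split-tunnel-network-list value (\S+)$", line):
            cfg["split_list"] = m.group(1)
        elif m := re.match(r"address-pool (\S+)$", line):
            cfg["address_pool"] = m.group(1)
    return cfg

def lint_remote_access(cfg, inside="inside"):
    lo, hi, pool_net = cfg["pools"][cfg["address_pool"]]
    exempt = cfg["ext_acl"].get(cfg["nat0"].get(inside), [])
    split = cfg["std_acl"].get(cfg["split_list"], [])
    # A split-tunnel network is exempt when some nat 0 ACE has it (or a
    # supernet of it) as source and the whole pool range as destination.
    missing = [n for n in split if not any(
        n.subnet_of(src) and lo in dst and hi in dst for src, dst in exempt)]
    # Inside networks reached via a next hop: that router needs a return route.
    behind = [(dst, nh) for iface, dst, nh in cfg["routes"] if iface == inside]
    findings = []
    if not pool_net.is_private:  # heuristic: public-looking pools invite collisions
        findings.append(f"pool {pool_net} is not RFC 1918 space; re-address it unless that range is really yours")
    for n in missing:
        findings.append(f"{n} is split-tunnelled but has no nat 0 exemption toward {pool_net}")
    for dst, nh in behind:
        findings.append(f"{dst} sits behind {nh}, which must route {pool_net} back to {cfg['if_addr'].get(inside)}")
    return {"pool": pool_net, "missing_exempt": missing, "behind_next_hop": behind, "findings": findings}

if __name__ == "__main__":
    for f in lint_remote_access(parse_config(SAMPLE_CONFIG))["findings"]:
        print("-", f)
```

Run against the posted subnets, the nat 0 list already covers every split-tunnel network toward 30.30.30.0/24, so the script reports only the pool range and the three subnets (10.64.3.0, 10.64.4.0, 10.64.20.0) that sit behind 10.64.6.2. Which of those mattered here the thread does not say beyond the poster's report that re-addressing the pool fixed it; note that after such a change the nat 0 ACEs must be updated too, or the script will flag every split-tunnel network as unexempted.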