07-22-2011 01:15 PM
Hello,
I'm trying to fix a problem that I have been getting for a long time. Here is the scenario:
I set up RA-VPN under a local ASA 5510 IP pool (192.168.127.0/24) and all was working fine. I got internet and local network access.
Then I have 5 site-to-site VPNs working fine, but when I'm trying to access those L2L VPNs from the remote access client I'm not able to do that. So after that I decided to obtain IP addresses from my DHCP server so I can obtain IPs from my local network (172.17.16.0/16) and then access the site-to-site VPNs normally. But the surprise was that the Cisco VPN client is getting a local IP address (172.17.16.222) perfectly, but I'm not able to access even my local network.
Note: I have
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
enabled.
Any idea?
07-23-2011 08:07 PM
Post your access control entries. The access list is probably the issue, split-tunnel or nonat.
07-25-2011 11:25 AM
Hello,
Below I'll post you my long ACL. I'm not applying split tunnel, and I don't think that it is something on the ACL or NAT, because my VPN clients are getting IPs from the same DHCP pool of the company, and from the inside network all is working fine, but from the VPN client side they are not able even to access the LAN network. Do you know what I mean?
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list ACL-VPN-S extended permit ip 172.17.0.0 255.255.0.0 172.18.1.0 255.255.255.0
access-list ACL-VPN-S extended permit ip 172.17.0.0 255.255.0.0 128.1.0.0 255.255.0.0
access-list ACL-VPN-S extended permit ip 192.168.127.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 172.18.1.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 128.1.0.0 255.255.0.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 192.168.210.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 192.168.220.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 192.168.16.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.18.0.0 255.255.0.0 192.168.16.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.18.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.224.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 172.16.32.0 255.255.248.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 172.16.64.0 255.255.192.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 172.19.0.0 255.255.0.0
access-list ACL-INSIDE-NAT0 extended permit ip 192.168.127.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip any 192.168.127.0 255.255.255.0
access-list ACL-OUTSIDE-TELEFONICA extended permit tcp any host x.x.x.x eq www
access-list ACL-OUTSIDE-TELEFONICA extended permit tcp any host x.x.x.x eq 5900
access-list ACL-OUTSIDE-TELEFONICA extended permit tcp any host x.x.x.x eq 5901
access-list ACL-OUTSIDE-TELEFONICA extended permit tcp any host x.x.x.x eq www
access-list ACL-OUTSIDE-TELEFONICA extended permit tcp any host x.x.x.x eq 3389
access-list ACL-OUTSIDE-TELEFONICA extended permit tcp any host x.x.x.x eq https
access-list ACL-OUTSIDE-TELEFONICA extended permit tcp any host xxxxxx eq pptp
access-list ACL-OUTSIDE-TELEFONICA extended permit tcp any host xxxxxx eq 47
access-list ACL-OUTSIDE-TELEFONICA extended permit gre any host xxxxxx
access-list ACL-OUTSIDE-TELEFONICA extended permit udp any host xxxxxx eq isakmp
access-list ACL-VPN-LIM extended permit ip 172.17.0.0 255.255.0.0 192.168.16.0 255.255.255.0
access-list ACL-VPN-LIM extended permit ip 192.168.17.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list ACL-VPN-LIM extended permit ip 192.168.17.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list ACL-VPN-LIM extended permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.224.0
access-list ACL-VPN-LIM extended permit ip 172.17.0.0 255.255.0.0 172.16.32.0 255.255.248.0
access-list ACL-VPN-LIM extended permit ip 172.17.0.0 255.255.0.0 172.16.64.0 255.255.192.0
access-list ACL-VPN-LIM extended permit ip 172.17.0.0 255.255.0.0 172.16.128.0 255.255.128.0
access-list ACL-VPN-LIM extended permit ip 172.17.0.0 255.255.0.0 172.19.0.0 255.255.0.0
access-list ACL-VPN-LIM extended permit ip 172.17.0.0 255.255.0.0 192.168.19.0 255.255.255.0
access-list ACL-NAT-LIM extended permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list ACL-NAT-LIM extended permit ip 172.17.0.0 255.255.0.0 192.168.16.0 255.255.255.0
access-list ACL-NAT-LIM extended permit ip 172.17.0.0 255.255.0.0 172.19.0.0 255.255.0.0
access-list ACL-NAT-LIM extended permit ip 172.17.0.0 255.255.0.0 192.168.19.0 255.255.255.0
access-list ACL-NAT-LIM extended permit ip host 200.198.68.137 172.16.0.0 255.255.0.0
access-list ACL-NAT-LIM extended permit ip 172.17.0.0 255.255.0.0 192.168.125.0 255.255.255.0
access-list ACL-NAT-LIM extended permit ip 172.17.0.0 255.255.0.0 192.168.127.0 255.255.255.0
access-list ACL-OUTSIDE-DIVEO extended permit ip any host xxxxxxxxxxx
access-list ACL-OUTSIDE-DIVEO extended permit icmp any any echo
access-list ACL-NAT-BA extended permit ip 172.17.0.0 255.255.0.0 host 10.236.0.65
access-list ACL-NAT-BA extended permit ip 172.17.0.0 255.255.0.0 host 10.236.0.169
access-list ACL-NAT-BA extended permit ip 172.17.0.0 255.255.0.0 host 10.5.20.121
access-list ACL-NAT-BA extended permit ip 172.17.0.0 255.255.0.0 host 10.5.20.135
access-list ACL-NAT-BA extended permit ip 172.17.0.0 255.255.0.0 host 10.5.20.139
access-list ACL-NAT-BA extended permit ip 172.17.0.0 255.255.0.0 host 10.236.0.190
access-list ACL-NAT-LD extended permit ip 172.17.0.0 255.255.0.0 10.66.0.0 255.255.0.0
access-list ACL-NAT-LD extended permit ip 172.16.0.0 255.255.0.0 10.66.0.0 255.255.0.0
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 10.66.0.0 255.255.0.0
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 host 10.66.3.84
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 host 10.66.3.131
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 host 10.66.5.5
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 host 10.66.5.9
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 host 10.66.5.10
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 host 10.66.5.11
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 host 10.66.5.13
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 host 10.66.5.14
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 host 10.66.5.15
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 host 10.66.5.17
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 host 10.66.5.23
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 host 10.66.5.24
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 host 10.66.5.29
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 host 10.66.5.32
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 10.66.55.0 255.255.255.0
access-list ACL-VPN-LD extended permit ip 10.7.0.0 255.255.255.0 host 10.66.50.4
access-list ACL-VPN-LD extended permit ip host 10.66.50.4 10.7.0.0 255.255.255.0
access-list ACL-VPN-LD extended permit ip 10.66.0.0 255.255.0.0 10.7.0.0 255.255.255.0
nat (inside) 0 access-list ACL-INSIDE-NAT0
nat (inside) 1 access-list ACL-NAT-BA
nat (inside) 2 access-list ACL-NAT-LD
nat (inside) 1 192.168.127.0 255.255.255.0
nat (inside) 1 172.16.0.0 255.255.128.0
nat (inside) 1 172.17.0.0 255.255.0.0
nat (outside-Telefonica) 1 192.168.127.0 255.255.255.0
nat (DMZ) 0 access-list ACL-INSIDE-NAT0
nat (DMZ) 1 192.168.17.0 255.255.255.0
This is just a part. Let me know if you want anything else.
Is there any way to see if an ACL is blocking it?
Thanks again
07-25-2011 01:07 PM
Hi, from ASDM or the CLI you can try packet-tracer to see if the ACL is blocking it. Have you added the client VPN source range SA through the S2S tunnels?
HTH!
csm
07-25-2011 02:39 PM
It might be best to DM me with a show tech from the firewall, but I'll try to assist here. Forgive me if I've misunderstood anything you wrote above. I'd just like to clarify a few things:
'not applying split tunnel'
- You're tunneling all traffic through the VPN?
'my VPN clients are getting IPs from the same DHCP pool of the company'
- Does this mean your software VPN pool is using the same block as your LAN?
Let's say, for example, the software VPN pool that your clients are receiving is 192.168.127.100-.150, which is similar to the pool you're using on your LAN. You will need a NAT-0 ACL similar to
access-list ACL-INSIDE-NAT0 extended permit ip 192.168.127.0 255.255.255.0 192.168.127.0 255.255.255.0
That simply says don't NAT this block when talking to this block. This will allow remote access users to communicate with nodes on the 192.168.127.0 network.
Now, unless you want to have all traffic from remote hosts traverse the VPN, you need to apply an ACL similar to
access-list SOFTWAREVPN_SPLITTUNNELACL standard permit 192.168.127.0 255.255.255.0
access-list SOFTWAREVPN_SPLITTUNNELACL standard permit 172.16.32.0 255.255.255.0
access-list SOFTWAREVPN_SPLITTUNNELACL standard permit 172.16.64.0 255.255.192.0
You can keep going with this same line to include ALL the remote networks you have L2L VPN configured for. Once you apply the split tunnel reference to your software VPN group policy, it will encrypt all traffic destined for these networks.
You already have a L2L VPN to the remote networks, so nothing needs to be done on the far end, since traffic for the 192.168.127.0 network is already being encrypted.
Again, DM me if you still need an assist. I'm sure there's something I'm missing here.
07-25-2011 06:20 PM
Lee,
First of all, thank you very much for your support. Now I'll answer your questions:
'not applying split tunnel'
- You're tunneling all traffic through the VPN?
- That's correct. I'm tunneling all traffic through the VPN.
'my VPN clients are getting IPs from the same DHCP pool of the company'
- Does this mean your software VPN pool is using the same block as your LAN?
- Yes. I'm using exactly the same pool the LAN is using. The VPN clients are receiving the IP from my Windows DHCP server. For example, my VPN client is getting the 172.17.16.222 IP address.
My LAN network is: 172.17.0.0 255.255.0.0
As you can see in the ACL-INSIDE-NAT0 that I posted before, that network is declared, but as I said I can't access even the other VPN networks, or even my own network.
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 172.18.1.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 128.1.0.0 255.255.0.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 192.168.210.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 192.168.220.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 192.168.16.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.18.0.0 255.255.0.0 192.168.16.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.18.0.0 255.255.0.0 172.16.0.0 255.255.0.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 172.16.0.0 255.255.224.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 172.16.32.0 255.255.248.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 172.16.64.0 255.255.192.0
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 172.19.0.0 255.255.0.0
access-list ACL-INSIDE-NAT0 extended permit ip 192.168.127.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip any 192.168.127.0 255.255.255.0
I hope I'm missing something and you can help me.
08-03-2011 03:20 PM
Hi
Not sure where the issue could be without taking a look at the full config, but ensure that you have an RA-VPN-IPs to Remote-L2L-n/w access-list entry in the crypto access-list. The other end must mirror this entry in its crypto access-list.
The other issue is:
nat (outside-Telefonica) 1 192.168.127.0 255.255.255.0
I suppose there is a global for this. This would mean it gets NAT'ed on U-turning. You will have to create a NAT exemption on the outside interface for RA-VPN-IPs to Remote-L2L-n/w to override this.
Atul
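Both Lee's answer (the missing NAT-0 entry for pool-to-LAN traffic) and Atul's (the crypto ACL must cover the RA pool, and the peer must mirror it) come down to evaluating flows against the posted access lists. The script below is an added example, not code from the thread or from Cisco: it parses ASA 8.2-style "network mask" ACEs, evaluates a flow first-match like the ASA does, and reports whether a remote-access client's traffic is NAT-exempt and inside the crypto ACL. The CONFIG excerpt is constructed from the lines posted above; REMOTE_CONFIG and the ACL name ACL-VPN-HQ are a hypothetical far-end peer used to show the mirror check.

```python
import ipaddress
from dataclasses import dataclass

# Constructed excerpt in the ASA 8.2 "network mask" syntax, modelled on the
# lines posted in the thread: the inside NAT-exemption ACL and the crypto ACL
# for one of the L2L tunnels. Not the poster's full configuration.
CONFIG = """\
access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 172.18.1.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip 192.168.127.0 255.255.255.0 172.18.1.0 255.255.255.0
access-list ACL-INSIDE-NAT0 extended permit ip any 192.168.127.0 255.255.255.0
access-list ACL-VPN-S extended permit ip 172.17.0.0 255.255.0.0 172.18.1.0 255.255.255.0
access-list ACL-VPN-S extended permit ip 192.168.127.0 255.255.255.0 172.18.1.0 255.255.255.0
"""

# Hypothetical crypto ACL of the far-end peer (constructed): it mirrors only the
# LAN entry, so RA-pool traffic is proposed by one side but never matched by the other.
REMOTE_CONFIG = """\
access-list ACL-VPN-HQ extended permit ip 172.18.1.0 255.255.255.0 172.17.0.0 255.255.0.0
"""


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_spec(tokens, i):
    """Parse one address spec (any | host A | A MASK); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """Return {acl_name: [Ace, ...]} for 'permit/deny ip' lines; other protocols are skipped."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
            continue  # only IP-level ACEs matter for NAT exemption and crypto ACLs
        src, i = _parse_spec(t, 5)
        dst, _ = _parse_spec(t, i)
        acls.setdefault(t[1], []).append(Ace(t[3], src, dst))
    return acls


def evaluate(aces, src_ip, dst_ip):
    """First-match evaluation, as the ASA does it: 'permit', 'deny' or 'implicit-deny'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "implicit-deny"


def missing_mirror(local, remote):
    """Local crypto ACEs whose src/dst-swapped counterpart is absent on the peer."""
    mirrored = {(a.dst, a.src) for a in remote if a.action == "permit"}
    return [a for a in local if a.action == "permit" and (a.src, a.dst) not in mirrored]


def diagnose(config, nat0_name, crypto_name, src_ip, dst_ip):
    """For one flow, report whether it is NAT-exempt and whether the crypto ACL selects it."""
    acls = parse_acls(config)
    return {
        "nat_exempt": evaluate(acls.get(nat0_name, []), src_ip, dst_ip) == "permit",
        "in_crypto_acl": evaluate(acls.get(crypto_name, []), src_ip, dst_ip) == "permit",
    }


if __name__ == "__main__":
    # RA client holding a LAN address talking to the L2L network: both ACLs cover it.
    print(diagnose(CONFIG, "ACL-INSIDE-NAT0", "ACL-VPN-S", "172.17.16.222", "172.18.1.10"))
    # Same client talking to its own LAN: no LAN-to-LAN exemption, so the flow is NATed.
    print(diagnose(CONFIG, "ACL-INSIDE-NAT0", "ACL-VPN-S", "172.17.16.222", "172.17.20.5"))
    # Lee's fix, applied to the 172.17.0.0/16 block the clients actually receive.
    fixed = CONFIG + "access-list ACL-INSIDE-NAT0 extended permit ip 172.17.0.0 255.255.0.0 172.17.0.0 255.255.0.0\n"
    print(diagnose(fixed, "ACL-INSIDE-NAT0", "ACL-VPN-S", "172.17.16.222", "172.17.20.5"))
    # Atul's check: which of our crypto ACEs does the peer not mirror?
    for ace in missing_mirror(parse_acls(CONFIG)["ACL-VPN-S"], parse_acls(REMOTE_CONFIG)["ACL-VPN-HQ"]):
        print("peer lacks mirror of", ace.src, "->", ace.dst)
```

Running it shows the pool-to-LAN flow failing both checks until the pool-to-pool NAT-0 entry is added, and flags the 192.168.127.0/24 -> 172.18.1.0/24 ACE as unmirrored on the constructed peer. The script is a paper check only; `packet-tracer` on the ASA, as suggested above, remains the authoritative test because it also accounts for NAT order of operations and the interface ACLs.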