03-15-2011 01:40 AM
Hi,
I am trying to build a remote VPN on an ASA 5520, Software Version 8.3(1). I am using ASDM 6.3(1) for the configuration. I went through the SSL VPN wizard and did the configuration. I tried connecting to the ASA using the AnyConnect VPN client and I could successfully connect the VPN. My home laptop takes an IP of 192.168.60.21 (which I have defined in the wizard). Now my issue is, I can't access any office internal network from this laptop (none of the internal IPs is even pinging). Meanwhile, I could ping and RDP to this laptop (which is connected by AnyConnect VPN) from my office network. Any idea what the issue could be? One thing I noticed is that when I run a traceroute to an internal IP from the laptop, the first hop goes to my home ISP router. Any help greatly appreciated.
- Ribin
03-15-2011 05:53 AM
Hi,
It seems the tunnel is established but traffic is not being routed through the tunnel.
You need to check the split-tunnel rule on the ASA to define the traffic that is going to be sent through the tunnel.
What you're seeing is that traffic is going out to your ISP as clear text instead of being encrypted and sent through the tunnel.
Federico.
03-15-2011 10:36 PM
In fact I have done split tunnelling. Please see the attached screenshot. 60.0/24 is the remote VPN network and 40.0/24 is the office inside network. One thing I noticed while I connected the VPN from home is that the AnyConnect VPN network adapter takes the IP 192.168.60.22 with gateway 192.168.60.1 (there is no 60.1 IP configured anywhere). Right now with this configuration, when I connect the VPN, I lose my internet connection as well.
- Ribin
03-16-2011 07:04 PM
The split-tunnel policy says "tunnel all networks".
You should just tunnel "the networks below" as specified by the ACL.
PC gets IP 192.168.60.22
GW 192.168.60.1
What is the VPN pool defined on the ASA?
What does a route print report on the client PC?
Also, when the tunnel is established check the encrypted/decrypted counters on the ASA with the command
sh cry ips sa and on the client statistics.
A good test is to add the command management-access inside and try to PING the ASA's inside IP.
Federico.
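As an added illustration (not configuration from this thread or from either poster), this is the CLI equivalent of the split-tunnel choice discussed above: the "tunnel all networks" setting the wizard produced, followed by the "networks below" form that sends only the office network through the tunnel, plus the management-access test command. The object and pool names (SPLIT_TUNNEL_ACL, VPN_POOL, ANYCONNECT_GP, ANYCONNECT_TG) and the pool range are assumed; 192.168.40.0/24 and 192.168.60.0/24 are the office inside network and VPN network as the thread describes them.

```cisco
! Added example: names and the pool range are placeholders, not from the thread.

! --- Setting produced by the wizard: every destination is tunnelled, so the
! --- client installs a default route towards the tunnel (metric 2) and its
! --- Internet traffic now depends on the ASA forwarding it back out.
group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelall

! --- Corrected setting: only the office network goes through the tunnel.
! A standard ACL lists the destination networks that must be encrypted.
access-list SPLIT_TUNNEL_ACL standard permit 192.168.40.0 255.255.255.0

! Address pool handed to AnyConnect clients (range is assumed).
ip local pool VPN_POOL 192.168.60.10-192.168.60.100 mask 255.255.255.0

group-policy ANYCONNECT_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL_ACL

! Bind the pool and the group policy to the connection profile.
tunnel-group ANYCONNECT_TG general-attributes
 address-pool VPN_POOL
 default-group-policy ANYCONNECT_GP

! Allows a connected client to ping the ASA's inside interface address
! through the tunnel, which is the quick test suggested above.
management-access inside

! Verification from privileged EXEC: per-session byte counters tell you
! whether the client is actually sending anything into the tunnel.
! (8.3 uses the "svc" keyword; later releases renamed it "anyconnect".)
! show vpn-sessiondb svc
! show running-config group-policy ANYCONNECT_GP
```

After changing the policy, disconnect and reconnect the client and compare "route print" again: with tunnelspecified, only a 192.168.40.0/24 route should point at the AnyConnect adapter, and the client's original default route stays on the home network.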
03-16-2011 10:57 PM
I did try with the "the networks below" option with split tunnelling, but still no luck.
Below is the output of route print on the client laptop.
C:\Users\localadmin>route print
===========================================================================
Interface List
23...00 05 9a 3c 7a 00 ......Cisco AnyConnect VPN Virtual Miniport Adapter for Windows
14...54 42 49 01 1d c2 ......Marvell Yukon 88E8059 PCI-E Gigabit Ethernet Controller
13...50 63 13 ef 33 37 ......Bluetooth Device (Personal Area Network)
11...2c 81 58 fe 19 a3 ......Atheros AR9285 Wireless Network Adapter
1...........................Software Loopback Interface 1
33...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
20...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.99 281
0.0.0.0 0.0.0.0 192.168.60.1 192.168.60.22 2
aa.bb.cc.dd255.255.255.255 192.168.2.1 192.168.2.99 26
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.2.99 255.255.255.255 On-link 192.168.2.99 281
192.168.60.0 255.255.255.0 On-link 192.168.60.22 257
192.168.60.22 255.255.255.255 On-link 192.168.60.22 257
192.168.60.255 255.255.255.255 On-link 192.168.60.22 257
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.2.99 281
224.0.0.0 240.0.0.0 On-link 192.168.60.22 257
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.2.99 281
255.255.255.255 255.255.255.255 On-link 192.168.60.22 257
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.40.1 Default
0.0.0.0 0.0.0.0 192.168.2.1 Default
0.0.0.0 0.0.0.0 192.168.60.1 1
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
23 266 fe80::/64 On-link
23 266 fe80::c176:6022:a785:e4f8/128 On-link
1 306 ff00::/8 On-link
23 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
C:\Users\localadmin>
The ASA inside interface is also not pinging after adding the management-access inside command.
- Ribin
03-17-2011 06:43 AM
If using the AnyConnect VPN client you can check under statistics while connected and see if the software is encrypting any packets.
That will let us know if it's sending traffic through the tunnel.
If it's not, it's because there's still a misconfiguration on the ASA side.
Can you post a sanitized configuration?
Federico.
03-17-2011 11:50 PM
03-18-2011 06:53 AM
Can you add a split-tunneling configuration on the ASA for the SSL clients to force the above traffic through the tunnel
(instead of sending all traffic)?
Federico.
07-19-2012 12:18 PM
Hi,
I am having the same issue. Could you please tell me how you sorted out this problem?
Regards,
Fahad.