Solved: Traffic only allowed one-way for VPN connected computers

t3ntman0619 · ‎10-12-2013

Hello,

I currently have an ASA 5505. I have set it up as a remote access SSL VPN. My computers can connect to the VPN just fine. They just can't access the internal LAN (192.168.250.0). They can't ping the inside interface of the ASA, or any of the machines. It seems like all traffic is blocked for them. The strange thing is that when someone is connected to the VPN, I can ping that VPN-connect machine from the ASA and other machines inside the LAN. It seems the traffic only allows one way. I have messed with ACL's with no avail. Any suggestions please?

DHCP Pool: 192.168.250.20-50 --> For LAN

VPN Pool: 192.168.250.100 and 192.168.250.101

Outside interface grabs DHCP from modem

Inside interface: 192.168.1.1

Current Running Config:

: Saved

:

ASA Version 8.2(5)

!

hostname HardmanASA

enable password ###### encrypted

passwd ####### encrypted

names

!

interface Ethernet0/0

switchport access vlan 20

!

interface Ethernet0/1

switchport access vlan 10

!

interface Ethernet0/2

switchport access vlan 10

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

switchport access vlan 10

!

interface Vlan1

no nameif

no security-level

no ip address

!

interface Vlan10

nameif inside

security-level 100

ip address 192.168.250.1 255.255.255.0

!

interface Vlan20

nameif outside

security-level 0

ip address dhcp setroute

!

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

pager lines 24

mtu inside 1500

mtu outside 1500

ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 10 192.168.250.0 255.255.255.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.250.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh 192.168.250.0 255.255.255.0 inside

ssh timeout 5

ssh version 2

console timeout 0

dhcpd dns 8.8.8.8

!

dhcpd address 192.168.250.20-192.168.250.50 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2

svc image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

dns-server value 8.8.8.8

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

tunnel-group AnyConnect type remote-access

tunnel-group AnyConnect general-attributes

address-pool VPN_Pool

tunnel-group AnyConnect webvpn-attributes

group-alias AnyConnect enable

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:30fadff4b400e42e73e17167828e046f

: end

Julio Carvajal · ‎10-13-2013

Hello,

No worries

As we are going to modify the config let me do it as good as possible.

First of all it;s highly recommended to use a different IP address range for the VPN clients and the Inside network

no ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0

ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0

access-list NAT_0 permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0

nat (inside) 0 access-list NAT_0

Afterwards give it a try and to make it work rate this post hehe

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

t3ntman0619 · ‎10-12-2013

Sorry...inside interface is 192.168.250.1

t3ntman0619 · ‎10-12-2013

I'm not sure I'm following. Do I need a nat 0 statement? If so, what would that be? NAT is definitely not my strong suit.

Julio Carvajal · ‎10-13-2013

Hello,

No worries

As we are going to modify the config let me do it as good as possible.

First of all it;s highly recommended to use a different IP address range for the VPN clients and the Inside network

no ip local pool VPN_Pool 192.168.250.100-192.168.250.101 mask 255.255.255.0

ip local pool VPN_Pool 192.168.251.100-192.168.251.101 mask 255.255.255.0

access-list NAT_0 permit ip 192.168.250.0 255.255.255.0 192.168.251.0 255.255.255.0

nat (inside) 0 access-list NAT_0

Afterwards give it a try and to make it work rate this post hehe

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

t3ntman0619 · ‎10-13-2013

I greatly appreciate your help in this. One question. Will my 192.168.250.0 devices be able to communicate with the 192.168.251.0 devices without a router? I currently don't have one, and only have a base license for the ASA.

Julio Carvajal · ‎10-13-2013

Hello Hunter,

It will do not worry,

Regards,

Remember to rate all of the helpful posts

Let me know if you do not know how to do it

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

t3ntman0619 · ‎10-14-2013

Julio,

You are the freaking man! It's working now without any problems. I was really surprised that it can route across those two subnets without any issue. One last quick question. How hard would it be to implement split-tunneling into this configuration?

Thanks again!!

Julio Carvajal · ‎10-14-2013

Hello Hunter,

I am the man! YEAHHHH!

Here is the configuration for split tunneling dude:

access-list Jcarvaja standard permit 192.168.250.0 255.255.255.0

group-policy Julio internal

group-policy Julio attributes

dns-server value 8.8.8.8

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Jcarvaja

tunnel-group AnyConnect general-attributes

default-group-policy Julio

Note: Using the Julio and Jcarvaja names on the configuration makes it more professional

Regards,

Jcarvaja

Remember to follow my blog on http:/./laguiadelnetworking.com for more networking stuff.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

t3ntman0619 · ‎10-15-2013

You've done it again! Thanks again!

Julio Carvajal · ‎10-16-2013

Hello Hunter,

My pleasure,

Regards,

Jcarvaja

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ludvig.cassel · ‎10-16-2013

Hello,

I seem to be having the same kind of issue although I cannot ping from either end.

Ive set up a l2tp/ipsec vpn which I am able to connect to and get ip from my ip pool (radius authentication is working).

I tried running:

access-list NAT_0 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 access-list NAT_0

but i get an error msg saying that the syntax of the nat command is deprecated. Im running ASA version 8.4.

Ive fiddled around abit to find the correct syntax but have been unsuccessfull so far.

Any help would be much appreciated

This is a part of my config:

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network AD1

host 192.168.1.31

description AD/RADIUS

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object network vpn_hosts

subnet 192.168.2.0 255.255.255.0

access-list AD_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list split-acl standard permit 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0

access-list inside_0_outbound extended permit ip object NETWORK_OBJ_192.168.1.0_24 object vpn_hosts

ip local pool POOL2 192.168.2.2-192.168.2.10 mask 255.255.255.0

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.0_25 NETWORK_OBJ_192.168.1.0_25 no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.0_25 NETWORK_OBJ_192.168.1.0_25 no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static vpn_hosts vpn_hosts

object network obj_any

nat (inside,outside) dynamic interface

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 ########## 1

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

Julio Carvajal · ‎10-12-2013

Hello.

Dude where us your nat 0 configuration? ???

Regards,

Sent from Cisco Technical Support Android App

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC