
Unable to access specific IP/Server through VPN on 5508-X

fbeye
Level 4

Hello. I have my VPN set up to the point where I can log in and all is fine, but I cannot actually access the server/folder/directory which I need.

Basically I need whoever logs into the (clientless) VPN to be able to access the 10.0.2.111/Server IP/Folder.

This is my running-config, please see what I am missing.

 

ASA Version 9.6(4)42
!
hostname ciscoasa
enable password $sha512$5000$VxGVpbbYO1zrechJNeV1wg==$GTQ23G8/TbyeZGPCsWdOjA== pbkdf2
names
ip local pool VPNPool 10.0.3.101-10.0.3.105 mask 255.255.255.0

!
interface GigabitEthernet1/1
description WAN
nameif outside
security-level 0
pppoe client vpdn group pppoewan
ip address pppoe setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
description TPLink
nameif tplink
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/4
description mail
nameif mail
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet1/5
description ceyea
nameif ceyea
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/6
description vpn
nameif vpn
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/7
description Open
nameif Open
security-level 90
ip address 10.0.1.115 255.255.255.0
!
interface GigabitEthernet1/8
description NAS
nameif NAS
security-level 90
ip address 10.0.2.115 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa964-42-lfbff-k8.SPA
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup tplink
dns domain-lookup mail
dns domain-lookup ceyea
dns domain-lookup vpn
dns domain-lookup Open
dns domain-lookup NAS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TPLink
host 192.168.2.177
object network DLink
host 192.168.5.178
object network CeyeA
host 192.168.4.179
object network mail
host 192.168.3.180
object network inside
subnet 192.168.1.0 255.255.255.0
object network obj_192.168.1.2
host 192.168.1.2
object-group service sshd tcp
description sshd
port-object eq 4231
object-group service 993 tcp
description 993
port-object eq 993
object-group service TCP587 tcp
description TCP587
port-object eq 587
access-list SPLIT_TUNNEL standard permit 10.0.2.0 255.255.255.0
access-list vpn_access_in extended permit ip any any
access-list OUTSIDE extended permit tcp any object mail eq 993
access-list OUTSIDE extended permit tcp any object mail eq smtp
access-list OUTSIDE extended permit tcp any host 192.168.1.2 eq ssh
access-list OUTSIDE extended permit tcp any object CeyeA object-group sshd
access-list OUTSIDE extended permit tcp any object CeyeA eq smtp inactive
access-list OUTSIDE extended permit tcp any object CeyeA object-group 993
access-list OUTSIDE extended permit tcp any object CeyeA eq 587
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu tplink 1500
mtu mail 1500
mtu ceyea 1500
mtu vpn 1500
mtu Open 1500
mtu NAS 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network TPLink
nat (tplink,outside) static x.x.x.177
object network DLink
nat (vpn,outside) static x.x.x.178
object network CeyeA
nat (ceyea,outside) static x.x.x.179
object network mail
nat (mail,outside) static x.x.x.180
object network inside
nat (inside,outside) dynamic interface
object network obj_192.168.1.2
nat (inside,outside) static interface service tcp ssh ssh
access-group OUTSIDE in interface outside
access-group vpn_access_in in interface vpn
route outside 0.0.0.0 0.0.0.0 x.x.x.182 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0509
308205b7 3082039f a0030201 02020205 09300d06 092a8648 86f70d01 01050500
3045310b 30090603 55040613 02424d31 19301706 0355040a 13105175 6f566164
6973204c 696d6974 6564311b 30190603 55040313 1251756f 56616469 7320526f
6f742043 41203230 1e170d30 36313132 34313832 3730305a 170d3331 31313234
31383233 33335a30 45310b30 09060355 04061302 424d3119 30170603 55040a13
1051756f 56616469 73204c69 6d697465 64311b30 19060355 04031312 51756f56
61646973 20526f6f 74204341 20323082 0222300d 06092a86 4886f70d 01010105
00038202 0f003082 020a0282 0201009a 18ca4b94 0d002daf 03298af0 0f81c8ae
4c19851d 089fab29 4485f32f 81ad321e 9046bfa3 86261a1e fe7e1c18 3a5c9c60
172a3a74 8333307d 615411cb edabe0e6 d2a27ef5 6b6f18b7 0a0b2dfd e93eef0a
c6b310e9 dcc24617 f85dfda4 daff9e49 5a9ce633 e62496f7 3fba5b2b 1c7a35c2
d667feab 66508b6d 28602bef d760c3c7 93bc8d36 91f37ff8 db1113c4 9c7776c1
aeb7026a 817aa945 83e205e6 b956c194 378f4871 6322ec17 6507958a 4bdf8fc6
5a0ae5b0 e35f5e6b 11ab0cf9 85eb44e9 f80473f2 e9fe5c98 8cf573af 6bb47ecd
d45c022b 4c39e1b2 95952d42 87d7d5b3 9043b76c 13f1dedd f6c4f889 3fd175f5
92c391d5 8a88d090 ecdc6dde 89c26571 968b0d03 fd9cbf5b 16ac92db eafe797c
adebaff7 16cbdbcd 252be51f fb9a9fe2 51cc3a53 0c48e60e bdc9b476 0652e611
13857263 0304e004 362b2019 02e874a7 1fb6c956 66f07525 dc67c10e 616088b3
3ed1a8fc a3da1db0 d1b12354 df44766d ed41d8c1 b222b653 1cdf351d dca1772a
31e42df5 e5e5dbc8 e0ffe580 d70b63a0 ff33a10f ba2c1515 ea97b3d2 a2b5bef2
8c961e1a 8f1d6ca4 6137b986 7333d797 969e237d 82a44c81 e2a1d1ba 675f9507
a32711ee 16107bbc 454a4cb2 04d2abef d5fd0c51 ce506a08 31f991da 0c8f645c
03c33a8b 203f6e8d 673d3ad6 fe7d5b88 c95efbcc 61dc8b33 77d34432 35096204
921610d8 9e2747fb 3b21e3f8 eb1d5b02 03010001 a381b030 81ad300f 0603551d
130101ff 04053003 0101ff30 0b060355 1d0f0404 03020106 301d0603 551d0e04
1604141a 8462bc48 4c332504 d4eed0f6 03c41946 d1946b30 6e060355 1d230467
30658014 1a8462bc 484c3325 04d4eed0 f603c419 46d1946b a149a447 3045310b
30090603 55040613 02424d31 19301706 0355040a 13105175 6f566164 6973204c
696d6974 6564311b 30190603 55040313 1251756f 56616469 7320526f 6f742043
41203282 02050930 0d06092a 864886f7 0d010105 05000382 0201003e 0a164d9f
065ba8ae 715d2f05 2f67e613 4583c436 f6f3c026 0c0db547 645df8b4 72c946a5
03182755 89787d76 ea963480 1720dce7 83f88dfc 07b8da5f 4d2e67b2 84fdd944
fc775081 e67cb4c9 0d0b7253 f8760707 4147960c fbe08226 93558cfe 221f6065
7c5fe726 b3f73290 9850d437 7155f692 2178f795 79faf82d 26876656 3077a637
78335210 58ae3f61 8ef26ab1 ef187e4a 5963ca8d a256d5a7 2fbc561f cf39c1e2
fb0aa815 2c7d4d7a 63c66c97 443cd26f c34a170a f890d257 a21951a5 2d9741da
074fa950 da908d94 46e13ef0 94fd1000 38f53be8 40e1b46e 561a20cc 6f588ded
2e458fd6 e9933fe7 b12cdf3a d6228cdc 84bb226f d0f8e4c6 39e90488 3cc3baeb
557a6d80 9924f56c 01fbf897 b0945beb fdd26ff1 77680d35 6423acb8 55a103d1
4d4219dc f8755956 a3f9a849 79f8af0e b911a07c b76aed34 d0b62662 381a870c
f8e8fd2e d3907f07 912a1dd6 7e5c8583 99b03808 3fe95ef9 3507e4c9 626e577f
a75095f7 bac89be6 8ea201c5 d666bf79 61f33c1c e1b9825c 5da0c3e9 d848bd19
a2111419 6eb2861b 683e4837 1a88b75d 965e9cc7 ef276208 e291195c d2f121dd
ba174282 97718153 31a99ff6 7d62bf72 e1a3931d cc8a265a 0938d0ce d70d8016
b478a53a 874c8d8a a5d54697 f22c10b9 bc5422c0 01506943 9ef4b2ef 6df8ecda
f1e3b1ef df918f54 2a0b25c1 2619c452 100565d5 8210eac2 31cd2e
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group pppoewan request dialout pppoe
vpdn group pppoewan localname xx
vpdn group pppoewan ppp authentication chap
vpdn username xx password xx

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.4.04030-webdeploy-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_HomeVPN internal
group-policy GroupPolicy_HomeVPN attributes
wins-server none
dns-server value 205.171.3.65
vpn-tunnel-protocol ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
default-domain none
dynamic-access-policy-record DfltAccessPolicy
username CiscoVPN password J7YMLltuBD0Gdxvn encrypted
tunnel-group HomeVPN type remote-access
tunnel-group HomeVPN general-attributes
address-pool VPNPool
default-group-policy GroupPolicy_HomeVPN
tunnel-group HomeVPN webvpn-attributes
group-alias HomeVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3f171aa5d03b2497c84eb46606075582
: end

 

Accepted Solution

Unconventional as it may be, I got it to work. I wanted my incoming VPN sessions to be able to access the 10.0.2.111 NAS, which sat behind a wireless router with a DHCP pool of 10.0.2.0 and a gateway of 192.168.5.178, connected to GE 1/5 with an IP of 192.168.5.1. The problem with this scenario is that the wireless router is connected to a VPN, at random, offshore, so how would any incoming connection, or even the ASA itself, know how to get to the 10.0.2.0 network, which is now only accessible, outside, through the random VPN tunnel? The connection to the router from the ASA is 192.168.5.178, but once on the VPN that is irrelevant as far as routing inside. My conclusion was to utilize a spare GE interface, set it as DHCP so it connects to the 10.0.2.0 subnet directly, and then create a NAT. I can now connect to the VPN.

 

: Serial Number: JAD2120063H
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names

!
interface GigabitEthernet1/1
description WAN
nameif outside
security-level 0
pppoe client vpdn group pppoewan
ip address pppoe setroute
!
interface GigabitEthernet1/2
description asa
nameif asa
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
description TPLink
nameif tplink
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/4
description mail
nameif mail
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet1/5
description ceyea
nameif ceyea
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/6
description vpn
nameif vpn
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/7
description VPNAccess1.0
shutdown
nameif VPNAccess1.0
security-level 100
ip address dhcp setroute
!
interface GigabitEthernet1/8
description VPNAccess2.0
nameif VPNAccess2.0
security-level 100
ip address dhcp setroute
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa982-lfbff-k8.SPA
boot system disk0:/asa964-42-lfbff-k8.SPA
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TPLink
host 192.168.2.177
object network DLink
host 192.168.5.178
object network CeyeA
host 192.168.4.179
object network mail
host 192.168.3.180
object network ssh-891
host 192.168.1.2
object network ASA
subnet 192.168.1.0 255.255.255.0
description ASA
object network VPN2.0
subnet 10.0.2.0 255.255.255.0
description VPN2.0
object-group service sshd tcp
description sshd
port-object eq 4231
object-group service 993 tcp
description imap-ssl
port-object eq 993
object-group service 587 tcp
description smtp-587
port-object eq 587
access-list OUTSIDE extended permit tcp any object mail eq 993
access-list OUTSIDE extended permit tcp any object mail eq smtp
access-list OUTSIDE extended permit tcp any host 192.168.1.2 eq ssh
access-list OUTSIDE extended permit tcp any object CeyeA object-group sshd
access-list OUTSIDE extended permit tcp any object CeyeA object-group 993
access-list OUTSIDE extended permit tcp any object CeyeA eq 587
access-list OUTSIDE extended permit ip any object VPN2.0
pager lines 24
mtu outside 1500
mtu asa 1500
mtu tplink 1500
mtu mail 1500
mtu ceyea 1500
mtu vpn 1500
mtu VPNAccess1.0 1500
mtu VPNAccess2.0 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network TPLink
nat (tplink,outside) static x.x.x.177
object network DLink
nat (vpn,outside) static x.x.x.178
object network CeyeA
nat (ceyea,outside) static x.x.x.179
object network mail
nat (mail,outside) static x.x.x.180
object network ssh-891
nat (asa,outside) static interface service tcp ssh ssh
object network ASA
nat (any,outside) dynamic interface
!
nat (any,VPNAccess2.0) after-auto source static any any destination static VPN2.0 VPN2.0
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 asa
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=192.168.1.1,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 8a271460
308202ce 308201b6 a0030201 0202048a 27146030 0d06092a 864886f7 0d01010b
05003029 3111300f 06035504 03130863 6973636f 61736131 14301206 03550403
130b3139 322e3136 382e312e 31301e17 0d323130 31323931 35323735 365a170d
33313031 32373135 32373536 5a302931 11300f06 03550403 13086369 73636f61
73613114 30120603 55040313 0b313932 2e313638 2e312e31 30820122 300d0609
2a864886 f70d0101 01050003 82010f00 3082010a 02820101 008e05a0 b8cf8d69
8e198c0c 38287f6f db8d187b 26a89c51 ee3e585a cf7ce9ed adc3ee7b 41e9d027
d9ef407f 76325362 93803557 b439c23a b3fcf8cc c163e11c 0ffbe3c3 380100f4
4dfb7f59 642f0d66 168c286b 6771b230 40db61a8 713e6574 63ef8ea8 d4c8c0f8
3b0d7929 e3cafa6a 3deb6a57 ac9ce1f5 805f4fad 955c7fbc 291c55ec aad8b2b4
d5551dfd 4561f840 a321907e 162aaa84 1bd668cd 7bf996c7 9f2f1e1e 75f95f79
b8d207b7 aef91e04 0bf9b668 b075de71 f0277b62 a1a3117d 3309fc3b dfae2927
cc96008c 3c76cd5c 3c9fca59 aee76d6e 54194430 5435a301 9881b97d e764d8b3
49e9b7f5 9568c020 a4506b57 9d3794e6 cfcebfc6 8300abcb a3020301 0001300d
06092a86 4886f70d 01010b05 00038201 010020e3 249172a3 561091c2 a4f465c1
40304b58 12c53213 7e610834 5f345db1 c6e703eb f3f04fd6 40c395eb 23f5e008
4e4bd21a 8a258116 9db7e12c 29338411 5584d353 293e3468 543d44c8 2ebb1957
b95568bf 469908ed 908d34bc ea169ad6 6e4ca521 20629e65 728c6938 299fecc9
4d7f6a49 52c7f261 a8ceeefd 853bf1dc 62fead86 f68645ff f6c58958 d437a2d2
897aa0c4 4e902e2b 216b3204 b025b03d 917a32fd 9567a186 7e4b7c6c 44ffd137
694f9b07 62fb0b3b 97d5ebc9 03c86f94 656be7cf fa7bfe21 8f761030 817519cb
f8699398 6dfae7d1 2cc2c2b6 631d552c d3aa0fad a2abe06a a6d3dcf5 a02048ad
352225fd b47c834b 5b6b3667 d1966c2f 6fe5
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group pppoewan request dialout pppoe
vpdn group pppoewan localname ****
vpdn group pppoewan ppp authentication chap
vpdn username **** password *****

dhcp-client client-id interface VPNAccess1.0
dhcp-client client-id interface VPNAccess2.0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 asa
dhcpd enable asa
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 asa
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 asa vpnlb-ip
webvpn
enable outside
enable VPNAccess2.0
cache
disable
error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
username HomeVPN password $sha512$5000$a1/CqY9050RwJE4ESQZgkg==$cuq+G+b+4DEIge1813A27g== pbkdf2
username HomeVPN attributes
service-type remote-access
tunnel-group HomeVPN type remote-access
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect dns preset_dns_map
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:af2fa4d83d40714e16e3323aa67a326c
: end

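Three lines in the accepted configuration above are worth tightening before it stays in production. What follows is an added hardening example by the editor, not part of the original post, and it changes nothing about how the NAS is reached: each weak setting is shown beside a stricter one. Dropping the `setroute` keyword assumes the static default route via `outside` (`route outside 0.0.0.0 0.0.0.0 x.x.x.2 1`) is the one meant to carry Internet traffic. Removing the outside ACL line assumes the only traffic that should reach 10.0.2.0/24 from the WAN side is VPN traffic, which for a clientless portal session is proxied by the ASA itself and never passes the outside ACL (and for AnyConnect clients is exempted by the default `sysopt connection permit-vpn`).

```cisco
! --- Added hardening example for the accepted configuration (not from the original post) ---
!
! 1. SSH key exchange: dh-group1-sha1 is a 1024-bit group; ASA 9.8 supports group 14 (2048-bit).
!    Weak (as posted):
!      ssh key-exchange group dh-group1-sha1
!    Tightened:
ssh key-exchange group dh-group14-sha1
!
! 2. The outside ACL line that admits any Internet source to the NAS subnet.
!    Clientless portal sessions are proxied by the ASA, so this rule never matches them;
!    if VPN access still works after removing it, it was not needed.
!    Weak (as posted):
!      access-list OUTSIDE extended permit ip any object VPN2.0
!    Tightened:
no access-list OUTSIDE extended permit ip any object VPN2.0
!
! 3. "ip address dhcp setroute" on the NAS-facing interface installs a default route learned
!    from the D-Link, so Internet-bound traffic can be pulled through the D-Link's offshore VPN.
!    The ASA only needs the connected 10.0.2.0/24 from that interface.
!    Weak (as posted):
!      interface GigabitEthernet1/8
!       ip address dhcp setroute
!    Tightened:
interface GigabitEthernet1/8
 ip address dhcp
!
! Verify: exactly one default route, and it points at outside.
show route | include 0.0.0.0
```

After the change, a clientless session to 10.0.2.111 should still work; if it does not, the ASA was relying on the DHCP-learned route rather than the connected 10.0.2.0/24, which `show route` will show.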

16 Replies

fbeye
Level 4

The only thing I see that could possibly be the issue is the DHCP Pool for VPN being 10.0.3.0 and the NAS I want access to is 10.0.2.111. Maybe it’s not allowing cross traffic? Like I said I log in fine but bringing anything up doesn’t work. Says server/network/location not valid. 

Hi @fbeye 

Normally I'd say it's probably a NAT issue, but you don't appear to have an existing NAT rule for the NAS interface, so traffic would not be unintentionally NATted.

 

Does the NAS have a local firewall turned on that would prevent access from the RAVPN network?

Can the NAS ping its local ASA interface IP address (10.0.2.115)?

 

Can you run packet-tracer from the outside interface (select an IP address from the VPN pool that is not in use), provide the output for review.

 

HTH

Alright, you have caused me to look deeper. On the running-config I had shown, it mentions GigabitEthernet 1/8 as NAS/10.0.2.115 but this is no longer the case. I forgot that was the old setup in which it worked.

Instead of using that I went from GE 1/6 to my Wireless Router (192.168.5.1 (10.0.2.1)) and my NAS (10.0.2.111) is connected to that.

So really I can log into the ASA-5508, as it lets me log in, but from there I cannot access 10.0.2.111.

 

My NAS is literally just that, no console for anything, but I can use the ping command and it (10.0.2.111) can ping 10.0.1.1 and 10.0.2.1, so it sees all networks. But the VPN cannot access it, it seems.

So if the NAS is connected behind Gi1/6 (which appears to be named "vpn") then you have an existing NAT rule that would be unintentionally NATting the traffic. You'd need to create a NAT exemption rule to ensure the NAS traffic to the RAVPN network is not NATted.

Yeah I named 1/6 "vpn" because the Wireless VPN Router (D-Link DD-WRT) which is 10.0.1.1 has the NAS connected to it.

The NAS itself is not directly connected to 1/6, but I think that is neither here nor there; I get what you mean. I need to create a NAT which allows the 10.0.3.0 subnet (the VPN pool) to access the 10.0.2.0 network on the 1/6 interface?

Something like this:-

 

object network RAVPN
subnet 10.0.3.0 255.255.255.0
object network NAS
subnet 10.0.2.0 255.255.255.0
!
nat (vpn,OUTSIDE) source static NAS NAS destination static RAVPN RAVPN no-proxy-arp

HTH

Alright I see where you are going and that makes absolute sense.

 

GigabitEthernet 1/6 is 192.168.5.1, VPN Router is 192.168.5.178 with an internal subnet 10.0.2.0

So under the object network NAS, would that not be geared towards the 192.168.5.1? I ask because how would the ASA even know about the 10.0.2.0 subnet, as it's indirectly connected?

Well, it would need a route (static/dynamic) via the "vpn" interface; how can you ping now, as you don't appear to have a route?

 

No the nat doesn't need to be setup for the 192.168.5.0 network as the communication is between the NAS and the RAVPN network. If you want, create another NAT rule and include the other network.

 

You'd have to remove the configuration of Gi1/8 as this would cause issues. Is the configuration you provided actually now accurate?

The NAS (10.0.2.111) is connected to the Wifi (10.0.2.1 (192.168.5.178 / 192.168.5.1 (ASA))) and that has Internet Access as does everything on 10.0.2.0.

Incoming VPN, using the 10.0.3.0 subnet, can log in but cannot communicate with 10.0.2.111. This is the issue I am having.

The VPN interface is 192.168.5.1 and the Wifi, from that subnet, is grabbing 192.168.5.178 and it itself is handing out 10.0.2.0.

As the running-config shows, it has a route to the net;

 

interface GigabitEthernet1/6
description vpn
nameif vpn
security-level 100
ip address 192.168.5.1 255.255.255.0

!

object network DLink
nat (vpn,outside) static x.x.x.178 (I have 5 static IPs)

!

object network DLink
host 192.168.5.178

Here is the current correct configuration, minus whatever you had me input; notice the GE 7 and 8 are 'shutdown'.

 

ASA Version 9.6(4)42
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
ip local pool VPNPool 10.0.3.101-10.0.3.105 mask 255.255.255.0

!
interface GigabitEthernet1/1
description WAN
nameif outside
security-level 0
pppoe client vpdn group pppoewan
ip address pppoe setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
description TPLink
nameif tplink
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/4
description mail
nameif mail
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface GigabitEthernet1/5
description ceyea
nameif ceyea
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/6
description vpn
nameif vpn
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface GigabitEthernet1/7
description Open
shutdown
nameif Open
security-level 90
ip address 10.0.1.115 255.255.255.0
!
interface GigabitEthernet1/8
description NAS
shutdown
nameif NAS
security-level 90
ip address 10.0.2.115 255.255.255.0
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
boot system disk0:/asa964-42-lfbff-k8.SPA
boot system disk0:/asa951-lfbff-k8.SPA
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup tplink
dns domain-lookup mail
dns domain-lookup ceyea
dns domain-lookup vpn
dns domain-lookup Open
dns domain-lookup NAS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network TPLink
host 192.168.2.177
object network DLink
host 192.168.5.178
object network CeyeA
host 192.168.4.179
object network mail
host 192.168.3.180
object network inside
subnet 192.168.1.0 255.255.255.0
object network obj_192.168.1.2
host 192.168.1.2
object-group service sshd tcp
description sshd
port-object eq 4231
object-group service 993 tcp
description 993
port-object eq 993
object-group service TCP587 tcp
description TCP587
port-object eq 587
access-list SPLIT_TUNNEL standard permit 10.0.2.0 255.255.255.0
access-list vpn_access_in extended permit ip any any
access-list OUTSIDE extended permit tcp any object mail eq 993
access-list OUTSIDE extended permit tcp any object mail eq smtp
access-list OUTSIDE extended permit tcp any host 192.168.1.2 eq ssh
access-list OUTSIDE extended permit tcp any object CeyeA object-group sshd
access-list OUTSIDE extended permit tcp any object CeyeA eq smtp inactive
access-list OUTSIDE extended permit tcp any object CeyeA object-group 993
access-list OUTSIDE extended permit tcp any object CeyeA eq 587
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu tplink 1500
mtu mail 1500
mtu ceyea 1500
mtu vpn 1500
mtu Open 1500
mtu NAS 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network TPLink
nat (tplink,outside) static x.x.x.177
object network DLink
nat (vpn,outside) static x.x.x.178
object network CeyeA
nat (ceyea,outside) static x.x.x.179
object network mail
nat (mail,outside) static x.x.x.180
object network inside
nat (inside,outside) dynamic interface
object network obj_192.168.1.2
nat (inside,outside) static interface service tcp ssh ssh
access-group OUTSIDE in interface outside
access-group vpn_access_in in interface vpn
route outside 0.0.0.0 0.0.0.0 x.x.x.182 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0509
308205b7 3082039f a0030201 02020205 09300d06 092a8648 86f70d01 01050500
3045310b 30090603 55040613 02424d31 19301706 0355040a 13105175 6f566164
6973204c 696d6974 6564311b 30190603 55040313 1251756f 56616469 7320526f
6f742043 41203230 1e170d30 36313132 34313832 3730305a 170d3331 31313234
31383233 33335a30 45310b30 09060355 04061302 424d3119 30170603 55040a13
1051756f 56616469 73204c69 6d697465 64311b30 19060355 04031312 51756f56
61646973 20526f6f 74204341 20323082 0222300d 06092a86 4886f70d 01010105
00038202 0f003082 020a0282 0201009a 18ca4b94 0d002daf 03298af0 0f81c8ae
4c19851d 089fab29 4485f32f 81ad321e 9046bfa3 86261a1e fe7e1c18 3a5c9c60
172a3a74 8333307d 615411cb edabe0e6 d2a27ef5 6b6f18b7 0a0b2dfd e93eef0a
c6b310e9 dcc24617 f85dfda4 daff9e49 5a9ce633 e62496f7 3fba5b2b 1c7a35c2
d667feab 66508b6d 28602bef d760c3c7 93bc8d36 91f37ff8 db1113c4 9c7776c1
aeb7026a 817aa945 83e205e6 b956c194 378f4871 6322ec17 6507958a 4bdf8fc6
5a0ae5b0 e35f5e6b 11ab0cf9 85eb44e9 f80473f2 e9fe5c98 8cf573af 6bb47ecd
d45c022b 4c39e1b2 95952d42 87d7d5b3 9043b76c 13f1dedd f6c4f889 3fd175f5
92c391d5 8a88d090 ecdc6dde 89c26571 968b0d03 fd9cbf5b 16ac92db eafe797c
adebaff7 16cbdbcd 252be51f fb9a9fe2 51cc3a53 0c48e60e bdc9b476 0652e611
13857263 0304e004 362b2019 02e874a7 1fb6c956 66f07525 dc67c10e 616088b3
3ed1a8fc a3da1db0 d1b12354 df44766d ed41d8c1 b222b653 1cdf351d dca1772a
31e42df5 e5e5dbc8 e0ffe580 d70b63a0 ff33a10f ba2c1515 ea97b3d2 a2b5bef2
8c961e1a 8f1d6ca4 6137b986 7333d797 969e237d 82a44c81 e2a1d1ba 675f9507
a32711ee 16107bbc 454a4cb2 04d2abef d5fd0c51 ce506a08 31f991da 0c8f645c
03c33a8b 203f6e8d 673d3ad6 fe7d5b88 c95efbcc 61dc8b33 77d34432 35096204
921610d8 9e2747fb 3b21e3f8 eb1d5b02 03010001 a381b030 81ad300f 0603551d
130101ff 04053003 0101ff30 0b060355 1d0f0404 03020106 301d0603 551d0e04
1604141a 8462bc48 4c332504 d4eed0f6 03c41946 d1946b30 6e060355 1d230467
30658014 1a8462bc 484c3325 04d4eed0 f603c419 46d1946b a149a447 3045310b
30090603 55040613 02424d31 19301706 0355040a 13105175 6f566164 6973204c
696d6974 6564311b 30190603 55040313 1251756f 56616469 7320526f 6f742043
41203282 02050930 0d06092a 864886f7 0d010105 05000382 0201003e 0a164d9f
065ba8ae 715d2f05 2f67e613 4583c436 f6f3c026 0c0db547 645df8b4 72c946a5
03182755 89787d76 ea963480 1720dce7 83f88dfc 07b8da5f 4d2e67b2 84fdd944
fc775081 e67cb4c9 0d0b7253 f8760707 4147960c fbe08226 93558cfe 221f6065
7c5fe726 b3f73290 9850d437 7155f692 2178f795 79faf82d 26876656 3077a637
78335210 58ae3f61 8ef26ab1 ef187e4a 5963ca8d a256d5a7 2fbc561f cf39c1e2
fb0aa815 2c7d4d7a 63c66c97 443cd26f c34a170a f890d257 a21951a5 2d9741da
074fa950 da908d94 46e13ef0 94fd1000 38f53be8 40e1b46e 561a20cc 6f588ded
2e458fd6 e9933fe7 b12cdf3a d6228cdc 84bb226f d0f8e4c6 39e90488 3cc3baeb
557a6d80 9924f56c 01fbf897 b0945beb fdd26ff1 77680d35 6423acb8 55a103d1
4d4219dc f8755956 a3f9a849 79f8af0e b911a07c b76aed34 d0b62662 381a870c
f8e8fd2e d3907f07 912a1dd6 7e5c8583 99b03808 3fe95ef9 3507e4c9 626e577f
a75095f7 bac89be6 8ea201c5 d666bf79 61f33c1c e1b9825c 5da0c3e9 d848bd19
a2111419 6eb2861b 683e4837 1a88b75d 965e9cc7 ef276208 e291195c d2f121dd
ba174282 97718153 31a99ff6 7d62bf72 e1a3931d cc8a265a 0938d0ce d70d8016
b478a53a 874c8d8a a5d54697 f22c10b9 bc5422c0 01506943 9ef4b2ef 6df8ecda
f1e3b1ef df918f54 2a0b25c1 2619c452 100565d5 8210eac2 31cd2e
quit
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group pppoewan request dialout pppoe
vpdn group pppoewan localname ****
vpdn group pppoewan ppp authentication chap
vpdn username **** password *****

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.7.03052-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.7.03052-webdeploy-k9.pkg 2
anyconnect image disk0:/anyconnect-win-4.4.04030-webdeploy-k9.pkg 3
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_HomeVPN internal
group-policy GroupPolicy_HomeVPN attributes
wins-server none
dns-server value 205.171.3.65
vpn-tunnel-protocol ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
default-domain none
dynamic-access-policy-record DfltAccessPolicy
username CiscoVPN password vDrtqJBt6VHKYwU6 encrypted
tunnel-group HomeVPN type remote-access
tunnel-group HomeVPN general-attributes
address-pool VPNPool
default-group-policy GroupPolicy_HomeVPN
tunnel-group HomeVPN webvpn-attributes
group-alias HomeVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a0358615eb64f8e42a5efa29871cb6f7
: end

[Attachment: topology.jpg]

 

So the NAS is connected to the wifi with an IP address of 10.0.2.111 and the wifi AP has an IP address of 192.168.5.178. If the NAS can ping 10.0.1.1 and 10.0.2.1, the only way it could do that is if that traffic were NATted behind the wifi AP's IP address??

 

You'd probably need to route the traffic from the AP to the ASA and have a route on the ASA to the 10.0.2.0 network via the AP as the next hop (you'll probably need to remove the IP address of the interface you've shut down).

Correct.

Currently 10.0.2.111 can ping 10.0.1.0 and 10.0.2.0. I believe this is done due to the setup on the Catalyst switch. Also, any PC/device on 10.0.1.0 can communicate with 10.0.2.111. Where I was having an issue was whichever IP connects to the ASA via VPN, how does it connect? I mean, how would an IP of 205.6.7.11 (example) who connects to the VPN know how to get to 10.0.2.111? The devices on the network already can. Is there a way to give any incoming VPN connection an IP address internally and have that NAT?

I hear what you are saying about the IP ROUTE but my devices are already communicating, just not anything from the Internet/VPN side.

In the configuration of the first post the ASA would have assumed the 10.0.2.0 network was directly connected. Now with that interface shutdown the ASA doesn't know where the 10.0.2.0 network is, there is no specific route (only the default route). You'll need to define a route, that would depend on the configuration of your AP and/or switch.
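Putting the route and NAT-exemption advice from the replies above into one change set against the first-post configuration (interfaces `outside` and `vpn`, VPNPool 10.0.3.0/24, the D-Link at 192.168.5.178 fronting 10.0.2.0/24, Gi1/8 with 10.0.2.115 shut down). This is an added example by the editor, not from the original thread, and the object names are its own. It assumes the D-Link forwards between 10.0.2.0/24 and 192.168.5.0/24 without NAT, or at least has a return route for 10.0.3.0/24 pointing at 192.168.5.1; a consumer router that NATs its LAN behind 192.168.5.178 will drop connections the ASA sends toward 10.0.2.111 no matter what the ASA does, which is the point the reply about pings being "natted behind the wifi AP" raises. Two caveats. With `vpn-tunnel-protocol ssl-clientless` the ASA proxies each session itself, so the NAS sees connections from 192.168.5.1 and only the route matters; the pool and the NAT exemption become relevant once AnyConnect full-tunnel clients are allowed. And the exemption here is written from the pool's side, which is the same twice-NAT rule as the reply's `nat (vpn,OUTSIDE) source static NAS NAS destination static RAVPN RAVPN` seen from the other direction.

```cisco
! --- Added example: route + NAT exemption for RAVPN -> NAS (not from the original thread) ---
!
! 1. Route: without this the only match for 10.0.2.0/24 is the default route, so the ASA
!    sends NAS traffic out "outside". Next hop is the D-Link on the vpn interface.
route vpn 10.0.2.0 255.255.255.0 192.168.5.178 1
!
! 2. Objects (names chosen for this example).
object network RAVPN_POOL
 subnet 10.0.3.0 255.255.255.0
object network NAS_NET
 subnet 10.0.2.0 255.255.255.0
!
! 3. Identity twice NAT in section 1, ahead of the auto NAT rules, so pool<->NAS flows are
!    not caught by "nat (vpn,outside) static x.x.x.178" or the dynamic PAT.
!    route-lookup: choose the egress interface from the routing table, not the (outside,vpn) pair.
!    no-proxy-arp: do not answer ARP for 10.0.2.0/24 on outside.
nat (outside,vpn) source static RAVPN_POOL RAVPN_POOL destination static NAS_NET NAS_NET no-proxy-arp route-lookup
!
! 4. Checks. Routing table first: expect "S 10.0.2.0 255.255.255.0 [1/0] via 192.168.5.178, vpn".
show route | include 10.0.2.0
! Simulate a pool client (decrypted VPN traffic enters on outside) opening SMB to the NAS.
! Expect: ROUTE-LOOKUP with output-interface vpn and a NAT phase that matches the identity
! rule above (no translation to x.x.x.178). If no tunnel is up the trace may stop at the
! outside ACL; the route and NAT phases before that point are still the ones to read.
packet-tracer input outside tcp 10.0.3.101 40000 10.0.2.111 445 detailed
! With a live session: a connection 10.0.3.x -> 10.0.2.111 on vpn, not a PAT to the outside address.
show conn address 10.0.2.111
```

If `show route` already lists 10.0.2.0/24 as connected through a second interface (the old Gi1/8 with 10.0.2.115, or a DHCP-addressed interface on that subnet), the static route is rejected or shadowed; clear that interface's address or shut it down first, as the last reply notes.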