02-04-2012 10:00 AM - edited 02-21-2020 05:51 PM
Hi,
We have configured an IPsec Remote Access VPN for home users. Home users are able to connect to the VPN, but are unable to connect to the Oracle Database server through SQL Developer or Toad, and are also unable to access the shared folder and copy files across the VPN. Home users are getting a 172.21.10.x IP address, which is in the DMZ zone, and they are trying to access MZ zone servers (IP addresses 172.21.1.x and 172.21.15.x). I have gone through the online documentation and tried to configure the VPN filter, but it's not working. Can anyone please help with this?
Thanks a lot in advance
Dipak Jaiswal
02-04-2012 12:04 PM
Hi, what are you using for VPN termination? An ASA or an ISR? Are you using a zone-based firewall? If yes, you have to enable a zone pair.
Sent from Cisco Technical Support iPhone App
02-04-2012 08:38 PM
Hi,
We are using two Cisco ASA 5540s in Active/Standby mode. On the ASA three zones are configured (i.e. DMZ, Inside and Outside).
Please suggest.
Thanks a lot in advance.
Regards
Dipak
02-05-2012 05:53 AM
Hi Dipak,
Is the VPN unable to access any resources in your network (DMZ/Inside), or only specific servers and apps? In case it is unable to access any resources, this may be related to a split-tunneling or nat0 config issue for traffic to the VPN clients. If possible, post the sanitized configs from the ASA.
Thx
MS
02-05-2012 08:15 AM
Hi,
We have configured two VPNs. The first one is sahajvpn and the second is dcsahajvpn (for testing purposes).
If home users connect through sahajvpn (home users get a 172.21.10.x IP address, which is a DMZ zone IP address), they are able to do remote desktop and telnet to TCP ports 1521 and 1528, on which the Oracle Database is running, as well as telnet to any other server on which a particular service is running on a particular port, but home users are unable to ping any server, connect to the Oracle Database server (TCP ports 1521 and 1528) through SQL Developer or Toad, access any shared folder, or SSH to any other server.
We have created a second VPN named dcsahajvpn for testing purposes to solve this issue, but it doesn't work. If home users connect through dcsahajvpn (home users get a 172.21.15.x IP address, which is an Inside zone local LAN IP address), they are unable to do anything.
The VPN and nat0 configuration are shown below:
DMZ zone - 172.21.10.x
Inside zone - 172.21.1.x (Inside server zone)
172.21.15.x ( Local lan)
access-list INSIDE_nat0_outbound extended permit ip any any
access-list INSIDE_nat0_outbound extended permit ip any 172.21.10.x 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip 172.21.15.x 255.255.255.128 172.21.15.64 255.255.255.192
access-list INSIDE_nat0_outbound extended permit ip 172.21.15.x 255.255.255.128 172.21.15.96 255.255.255.240
access-list INSIDE_nat0_outbound extended permit ip 172.21.10.x 255.255.255.128 172.21.4.192 255.255.255.224
access-list INSIDE_nat0_outbound extended permit ip 172.21.1.x 255.255.255.0 172.21.4.192 255.255.255.224
access-list INSIDE_nat0_outbound extended permit ip 172.21.10.x 255.255.255.128 172.21.10.96 255.255.255.240
access-list INSIDE_nat0_outbound extended permit ip 172.21.1.x 255.255.255.0 172.21.10.96 255.255.255.240
access-list INSIDE_nat0_outbound extended permit ip 172.21.15.x 255.255.255.128 172.21.10.96 255.255.255.240
access-list INSIDE_nat0_outbound extended permit ip 172.21.15.x 255.255.255.128 172.21.15.96 255.255.255.224
access-list INSIDE_nat0_outbound extended permit ip 172.21.15.x 255.255.255.128 172.21.15.x 255.255.255.224
access-list DMZ_nat0_outbound extended permit ip 172.21.10.x 255.255.255.0 172.21.15.96 255.255.255.240
access-list DMZ_nat0_outbound extended permit ip 172.21.10.x 255.255.255.128 172.21.10.96 255.255.255.240
access-list DMZ_nat0_outbound extended permit ip 172.21.10.x 255.255.255.128 172.21.10.128 255.255.255.224
access-list DMZ_nat0_outbound extended permit ip 172.21.15.x 255.255.255.128 172.21.15.96 255.255.255.224
access-list DMZ_nat0_outbound extended permit ip 172.21.10.x 255.255.255.128 172.21.15.96 255.255.255.224
Sahaj VPN
access-list sahajvpn_splitTunnelAcl standard permit any
access-list sahajvpn_splitTunnelAcl standard permit 172.21.10.x 255.255.255.128
access-list sahajvpn_splitTunnelAcl standard permit 172.21.1.x 255.255.255.0
access-list sahajvpn_splitTunnelAcl standard permit 172.21.15.x 255.255.255.128
group-policy sahajvpn internal
group-policy sahajvpn attributes
dns-server value 172.21.10.13
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
split-tunnel-network-list value sahajvpn_splitTunnelAcl
default-domain value sahaj.co.in
msie-proxy method no-proxy
msie-proxy local-bypass enable
tunnel-group sahajvpn type remote-access
tunnel-group sahajvpn general-attributes
address-pool vpnpool
default-group-policy sahajvpn
tunnel-group sahajvpn ipsec-attributes
pre-shared-key *****
DC Sahaj VPN
access-list dcsahajvpn_splitTunnelAcl standard permit 172.21.15.x 255.255.255.128
access-list dcsahajvpn_splitTunnelAcl standard permit 172.21.1.x 255.255.255.0
access-list dcsahajvpn_splitTunnelAcl standard permit 172.21.10.x 255.255.255.128
group-policy dcsahajvpn internal
group-policy dcsahajvpn attributes
dns-server value 172.21.10.x 172.21.10.x
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value sahajvpn_splitTunnelAcl
tunnel-group dcsahajvpn type remote-access
tunnel-group dcsahajvpn general-attributes
address-pool DBA_Pool
default-group-policy dcsahajvpn
tunnel-group dcsahajvpn ipsec-attributes
pre-shared-key *******
Please suggest.
Thanks a lot in advance.
Regards
Dipak
02-05-2012 12:15 PM
From my understanding, Sahaj or dcsahaj: clients connecting to either profile are getting an IP address assigned from IP space already used in your network/ASA. This is not a recommended scenario. Configure IP space that is not being used (e.g. 192.168.100.0) as the VPN client pool.
Also, for the Sahaj profile you have:
split-tunnel-policy tunnelall
split-tunnel-network-list value sahajvpn_splitTunnelAcl
Not sure if you need both statements. I need to cross-check, but it looks like, depending on how you want your VPN users' internet traffic handled, you may need to stick with either 'tunnel all' or a specified list.
Test with a different pool and post the result. If you still have issues, post the complete ASA config (without username/password/SNMP details).
Thx
MS
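As an added example (not code from the thread or from Cisco), the following script does the two checks the reply above asks for: whether a candidate VPN pool overlaps any subnet already in use on the ASA, and whether the ASA 8.2-style nat0 (NAT-exemption) ACL contains an entry covering traffic from each internal subnet to the pool. The internal subnets and the DMZ_nat0_outbound lines are constructed from the sanitized config posted above with each "x" octet read as 0; the pool 172.21.10.64/26 is a hypothetical stand-in for the unposted vpnpool range, and 192.168.100.0/24 is the pool suggested in the reply.

```python
import ipaddress

# Constructed from the sanitized config in the thread, with each 'x' octet read as 0.
INTERNAL_SUBNETS = {
    "DMZ": ipaddress.ip_network("172.21.10.0/24"),
    "Inside": ipaddress.ip_network("172.21.1.0/24"),
    "LocalLAN": ipaddress.ip_network("172.21.15.0/25"),
}

# The posted DMZ-side nat0 ACL, same substitution ('x' -> 0).
DMZ_NAT0 = """
access-list DMZ_nat0_outbound extended permit ip 172.21.10.0 255.255.255.0 172.21.15.96 255.255.255.240
access-list DMZ_nat0_outbound extended permit ip 172.21.10.0 255.255.255.128 172.21.10.96 255.255.255.240
access-list DMZ_nat0_outbound extended permit ip 172.21.10.0 255.255.255.128 172.21.10.128 255.255.255.224
access-list DMZ_nat0_outbound extended permit ip 172.21.15.0 255.255.255.128 172.21.15.96 255.255.255.224
access-list DMZ_nat0_outbound extended permit ip 172.21.10.0 255.255.255.128 172.21.15.96 255.255.255.224
""".strip().splitlines()


def _operand(tokens, i):
    """Parse one ASA ACL address operand at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs take a normal subnet mask (not a wildcard): "addr mask"
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_nat0(lines):
    """Return [(src_net, dst_net)] from 'access-list NAME extended permit ip SRC DST' lines."""
    pairs = []
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[:1] != ["access-list"] or t[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _operand(t, 5)
        dst, _ = _operand(t, i)
        pairs.append((src, dst))
    return pairs


def pool_conflicts(pool, subnets=INTERNAL_SUBNETS):
    """Names of internal subnets the VPN pool overlaps; a usable pool overlaps none."""
    pool = ipaddress.ip_network(pool, strict=False)
    return [name for name, net in subnets.items() if pool.overlaps(net)]


def missing_nat0(pool, lines, subnets=INTERNAL_SUBNETS):
    """Internal subnets with no nat0 entry exempting subnet -> pool traffic.
    A 'permit ip any any' entry exempts every pair."""
    pool = ipaddress.ip_network(pool, strict=False)
    pairs = parse_nat0(lines)
    return [name for name, net in subnets.items()
            if not any(net.subnet_of(s) and pool.subnet_of(d) for s, d in pairs)]


def nat0_lines(acl_name, pool, names, subnets=INTERNAL_SUBNETS):
    """Render the ASA 8.2-style nat0 ACL entries that would close the reported gaps."""
    pool = ipaddress.ip_network(pool, strict=False)
    return [f"access-list {acl_name} extended permit ip "
            f"{subnets[n].network_address} {subnets[n].netmask} "
            f"{pool.network_address} {pool.netmask}" for n in names]


if __name__ == "__main__":
    for candidate in ("172.21.10.64/26", "192.168.100.0/24"):   # hypothetical pools
        print(candidate, "overlaps:", pool_conflicts(candidate),
              "no DMZ nat0 entry for:", missing_nat0(candidate, DMZ_NAT0))
    print("\n".join(nat0_lines("DMZ_nat0_outbound", "192.168.100.0/24", ["DMZ"])))
```

On the posted INSIDE_nat0_outbound list the first entry is `permit ip any any`, which this check reports as covering every pair, so the remaining INSIDE entries add nothing; the DMZ list has no such entry and covers none of the three subnets toward a new 192.168.100.0/24 pool. With `nat (ifname) 0 access-list ...`, each interface's ACL only needs entries whose source is the subnet behind that interface, so the rendered lines belong in the list of the interface the servers sit on.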
02-06-2012 03:34 AM
Hi,
I have configured a new VPN for testing purposes, but the problem is still the same. I have configured a new pool with a VPN filter. We are able to telnet to a particular port as well as make a remote desktop connection, but we are unable to ping, SSH, connect to the Oracle Database server, or access the shared folder.
The configuration details are below:
access-list dbapool standard permit 172.21.15.0 255.255.255.128
access-list dbapool standard permit 172.21.1.0 255.255.255.0
access-list dbapool standard permit 172.21.10.0 255.255.255.0
access-list dbapool1 extended permit object-group DM_INLINE_SERVICE_4 172.21.11.0 255.255.255.128 object-group DM_INLINE_NETWORK_111
access-list dbapool2 extended permit object-group DM_INLINE_PROTOCOL_4 172.21.11.0 255.255.255.128 object-group DM_INLINE_NETWORK_112
ip local pool dbapool 172.21.11.1-172.21.11.20 mask 255.255.255.128
group-policy dbapool internal
group-policy dbapool attributes
dns-server value 172.21.10.13 172.21.10.12
vpn-filter value dbapool1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dbapool
default-domain value xxxxxxxx
username xxxxxxx password yyyyyyy encrypted privilege 15
username xxxxxxx attributes
vpn-group-policy dbapool
vpn-filter value dbapool2
vpn-tunnel-protocol IPSec
group-lock value dbapool
tunnel-group dbapool type remote-access
tunnel-group dbapool general-attributes
address-pool dbapool
default-group-policy dbapool
tunnel-group dbapool ipsec-attributes
pre-shared-key *****
object-group network DM_INLINE_NETWORK_111
network-object host 172.21.1.11
network-object host 172.21.1.65
network-object host 172.21.1.48
network-object host 192.168.3.11
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object tcp-udp eq 1528
service-object tcp eq sqlnet
service-object tcp-udp range 135 139
service-object tcp eq 3389
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
object-group network DM_INLINE_NETWORK_112
network-object host 172.21.1.11
network-object host 172.21.1.65
network-object host 172.21.1.48
network-object host 192.168.3.11
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
Would the IPS be creating any problem?
Please suggest.
Thanks a lot in advance.
Regards
Dipak
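The dbapool1 and dbapool2 filters above are written with ASDM DM_INLINE object-groups, so what the ASA evaluates is the expansion of those groups into flat ACEs. The following script, an added example that is not code from the thread or from Cisco, performs that expansion so the resulting lines can be compared against `show access-list` output and summarised per destination host. The config text inside it is constructed from the posted filter; it handles only `permit` ACEs and the member forms used there (host/mask networks, destination-port and icmp-type service objects, protocol objects), and `service-object` ports are treated as destination ports, which is how the ASA reads them when no `source` keyword is given.

```python
# Constructed input: the dbapool vpn-filter ACLs and their object-groups as posted above.
CONFIG = """
object-group network DM_INLINE_NETWORK_111
 network-object host 172.21.1.11
 network-object host 172.21.1.65
 network-object host 172.21.1.48
 network-object host 192.168.3.11
object-group service DM_INLINE_SERVICE_4
 service-object icmp
 service-object tcp-udp eq 1528
 service-object tcp eq sqlnet
 service-object tcp-udp range 135 139
 service-object tcp eq 3389
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp traceroute
 service-object icmp unreachable
object-group network DM_INLINE_NETWORK_112
 network-object host 172.21.1.11
 network-object host 172.21.1.65
 network-object host 172.21.1.48
 network-object host 192.168.3.11
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
access-list dbapool1 extended permit object-group DM_INLINE_SERVICE_4 172.21.11.0 255.255.255.128 object-group DM_INLINE_NETWORK_111
access-list dbapool2 extended permit object-group DM_INLINE_PROTOCOL_4 172.21.11.0 255.255.255.128 object-group DM_INLINE_NETWORK_112
"""


def parse_groups(lines):
    """Map object-group name -> (kind, [member token lists]) for network/service/protocol groups."""
    groups, cur = {}, None
    for raw in lines:
        t = raw.split()
        if not t:
            continue
        if t[0] == "object-group":
            cur = (t[1], [])
            groups[t[2]] = cur
        elif cur and t[0] in ("network-object", "service-object", "protocol-object"):
            cur[1].append(t[1:])
        else:
            cur = None  # any other line ends the group body
    return groups


def expand_net(t, i, groups):
    """Expand the address operand at t[i]; return (operand strings, next index)."""
    if t[i] == "object-group":
        return [" ".join(m) for m in groups[t[i + 1]][1]], i + 2  # 'host A' or 'A MASK'
    if t[i] == "any":
        return ["any"], i + 1
    if t[i] == "host":
        return [f"host {t[i + 1]}"], i + 2
    return [f"{t[i]} {t[i + 1]}"], i + 2  # ASA ACLs use a subnet mask, not a wildcard


def expand_service(t, i, groups):
    """Expand the protocol operand at t[i] into (protocol, qualifier) pairs; the qualifier
    is what follows the destination in the flat ACE ('eq 3389', 'range 135 139', an icmp
    type such as 'echo', or '' for none)."""
    if t[i] != "object-group":
        return [(t[i], "")], i + 1
    kind, members = groups[t[i + 1]]
    pairs = []
    for m in members:
        if kind == "protocol":
            pairs.append((m[0], ""))
            continue
        if "source" in m:
            raise NotImplementedError("source-port service objects are not modelled here")
        protos = ["tcp", "udp"] if m[0] == "tcp-udp" else [m[0]]
        pairs += [(p, " ".join(m[1:])) for p in protos]  # service-object ports are destination ports
    return pairs, i + 2


def expand_acl(config):
    """Return (acl_name, proto, src, dst, qualifier) for every permit ACE after group expansion."""
    lines = config.splitlines()
    groups = parse_groups(lines)
    entries = []
    for raw in lines:
        t = raw.split()
        if t[:1] != ["access-list"] or t[2:4] != ["extended", "permit"]:
            continue
        svcs, i = expand_service(t, 4, groups)
        srcs, i = expand_net(t, i, groups)
        dsts, _ = expand_net(t, i, groups)
        entries += [(t[1], p, s, d, q) for p, q in svcs for s in srcs for d in dsts]
    return entries


def render(entries):
    """Flat ACE lines, the form to compare against 'show access-list NAME' output."""
    return [f"access-list {n} extended permit {p} {s} {d} {q}".rstrip() for n, p, s, d, q in entries]


def services_to(entries, dst, acl):
    """Sorted 'proto qualifier' strings that one ACL permits toward a destination operand."""
    return sorted({f"{p} {q}".strip() for n, p, _, d, q in entries if n == acl and d == dst})


if __name__ == "__main__":
    entries = expand_acl(CONFIG)
    print("\n".join(render(entries)))
    print(services_to(entries, "host 172.21.1.11", "dbapool1"))
```

The expansion yields 44 ACEs for dbapool1 (11 protocol/port combinations times four hosts) and 8 for dbapool2 (`ip` and `icmp` times four hosts); `services_to` lists, per host, exactly which protocols and ports the filter names, which is the list to hold against the services that do and do not work for the clients.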
02-06-2012 04:12 AM
Have you tried to connect to Oracle from the device where the VPN tunnel terminates?
Plug a PC into your DMZ zone and try to connect to the Oracle server.
Eugen