cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
13436
Views
5
Helpful
22
Replies
ccsoofficelan
Beginner

VPN CLIENT CAN'T ACCESS INSIDE NETWORK

hi,

Please find below the following configuration of my firewall.


ASA Version 7.2(3)

!
interface Management0/0
nameif VPN-TEST
security-level 0
ip address 192.168.92.1 255.255.255.252
  mtu VPN-TEST 1500

same-security-traffic permit inter-interface

access-list corpvpnsiem_splitTunnelAcl standard permit any
access-list VPN-TEST_access_in extended permit ip any any
access-group VPN-TEST_access_in in interface VPN-TEST

ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240
ip verify reverse-path interface inside

icmp permit any inside
icmp permit any VPN-TEST

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map VPN-TEST_dyn_map 1 set transform-set ESP-3DES-SHA
crypto map VPN-TEST_map 65535 ipsec-isakmp dynamic VPN-TEST_dyn_map
crypto map VPN-TEST_map interface VPN-TEST
crypto isakmp enable VPN-TEST
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal  90
crypto isakmp ipsec-over-tcp port 10000

group-policy corpvpnsiem internal
group-policy corpvpnsiem attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1
username siecorpvpn password Zp283iAZlCNs9TWt encrypted
username root password lPtjCRUHSIvUjngf encrypted privilege 15
tunnel-group corpvpnsiem type ipsec-ra
tunnel-group corpvpnsiem general-attributes
address-pool local-pool
default-group-policy corpvpnsiem
tunnel-group corpvpnsiem ipsec-attributes

My vpn users connect and get the ip from the pool. but from there, they don seem to go further into the inside network. I am very new to this, and i am sure i have missed some detail.

Please advice.

Hassan

22 REPLIES 22

well i will have to check the upstream if ipsec over tcp port 10000 is allowed.

But if it wasnt then why does it connect. It shouldnt connect in the first place.
Moreover i noticed the following in my vpn client log after connection.

63     18:24:15.515  12/01/10  Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 1: code 87
Destination 192.168.93.255
Netmask 255.255.255.255
Gateway 192.168.96.9
Interface 192.168.96.9

64     18:24:15.515  12/01/10  Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a85dff, Netmask: ffffffff, Interface: c0a86009, Gateway: c0a86009.

what is it complaining about ?

Negotiation of ISAKMP happens on udp 500 or 4500(If there is any natting device between client and ASA), But when the tunnel comes up the data becomes ESP (IP 50). So if any device between client and asa allows udp 500 but blocks ESP, the tunnel will come up on udp ports, but when client will try to pass some traffic through the tunnel it will become ESP and will get routed to public ip address of the ASA. But if that esp packet is blocked somewhere in between the ASA will never recieve the packets.

There are some device which doesn't do nat for the ESP packets. Currently NAT traversal is already enabled on the ASA so the tunnel may come up udp 4500

So make sure that udp 4500 and esp are not blocked between the client and ASA.

Regards

Ashish

Can you please share the latest full config of your ASA.

Hello jennifer.

Glad to hear from you.

Well i have enclosed the vpn client status screenshot after connecting.

Please note my vpn clients connect and then then cannot reach my servers in

the INSIDE network.

well here is my ASA config output

==============================================

ASA Version 7.2(3)

!

interface Management0/0

nameif VPN-TEST

security-level 0

ip address 192.168.92.1 255.255.255.252

  mtu VPN-TEST 1500

!

interface GigabitEthernet0/1

description local lan

nameif inside

security-level 100

ip address 192.168.93.249 255.255.255.0

same-security-traffic permit inter-interface

access-list corpvpnsiem_splitTunnelAcl standard permit any

access-list VPN-TEST_access_in extended permit ip any any

access-group VPN-TEST_access_in in interface VPN-TEST

ip local pool local-pool 192.168.96.1-192.168.96.14 mask 255.255.255.240

ip verify reverse-path interface inside

icmp permit any inside

icmp permit any VPN-TEST

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map VPN-TEST_dyn_map 1 set transform-set ESP-3DES-SHA

crypto map VPN-TEST_map 65535 ipsec-isakmp dynamic VPN-TEST_dyn_map

crypto map VPN-TEST_map interface VPN-TEST

crypto isakmp enable VPN-TEST

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal  90

crypto isakmp ipsec-over-tcp port 10000

group-policy corpvpnsiem internal

group-policy corpvpnsiem attributes

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value corpvpnsiem_splitTunnelAcl_1

username siecorpvpn password Zp283iAZlCNs9TWt encrypted

username root password lPtjCRUHSIvUjngf encrypted privilege 15

tunnel-group corpvpnsiem type ipsec-ra

tunnel-group corpvpnsiem general-attributes

address-pool local-pool

default-group-policy corpvpnsiem

tunnel-group corpvpnsiem ipsec-attributes

192.168.100.0 255.255.255.0 1/0 via 192.168.93.250, inside

=============================================================

Just to summarize.

ASA VPN INTERFACE =  192.168.92.1

ASA VPN POOL = 192.168.96.1 - 192.168.96.14

ASA INSIDE INTERFACE = 192.168.93.249 -----CONNECTED TO------ 192.168.93.250 CISCO 3750
DESTINATION SUBNET TO REACH FROM VPN POOL IS = 192.168.100.0/30


ASA : HERE there is already a route present  for 192.168.100.0 via 192.168.93.250
CISCO 3750 : HERE there is already a route present for vpn pool (192.168.96.0) via 192.168.93.249 in the 3750

Please advice.

Hassan

ccsoofficelan
Beginner

guys i am waiting for an update....please.. i need help in this.......

I apologize if you already answered this in earlier posts but can your ASA ping the servers that the VPN clients are trying to access? Also, have you tried actually specifying the 192.168.100.x/24 network in the split tunnel access-list to see if that works. I see that you are permitting any but worth a try at this point.

Hi Hassan,

Did you check the connectivity from a different location.

Regards

Ashish

Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: ISE- Guest and Posture Troubleshooting (40%)

Content for Community-Ad