CCNCISCOSVC
Beginner

VPN Client Cannot Access Anything at Main Site

I am sure this problem has been solved a million times over, but I can't get this to work. Can someone take a quick look at this config and tell me what is wrong?

The Cisco VPN client connects no problem but I can't access anything.

ASA Version 8.4(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 15
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.43.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address a.a.a.a 255.255.255.248
!
interface Vlan15
 no forward interface Vlan1
 nameif IPOffice
 security-level 100
 ip address 192.168.42.254 255.255.255.0
!
boot system disk0:/asa844-k8.bin
ftp mode passive
object network obj-192.168.43.0
 subnet 192.168.43.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.11.12.0_24
 subnet 10.11.12.0 255.255.255.0
object network NETWORK_OBJ_192.168.43.160_28
 subnet 192.168.43.160 255.255.255.240
object network IPOffice
 subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit icmp any 192.168.42.0 255.255.255.0
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 192.168.43.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu IPOffice 1500
ip local pool newvpnpool 10.11.12.100-10.11.12.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.11.12.0_24 NETWORK_OBJ_10.11.12.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 no-proxy-arp route-lookup
nat (IPOffice,outside) source static any any destination static NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network IPOffice
 nat (IPOffice,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 b.b.b.b 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.43.0 255.255.255.0 inside
http 192.168.42.0 255.255.255.0 IPOffice
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set encrypt-method-1 esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dynmap 30 set pfs group1
crypto dynamic-map dynmap 30 set ikev1 transform-set strong-des
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map rpVPN 65535 ipsec-isakmp dynamic dynmap
crypto map rpVPN interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.43.5-192.168.43.36 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy RPVPN internal
group-policy RPVPN attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev1
username admin password gP3lHsTOEfvj7Z3g encrypted privilege 15
username mark password blPoPZBKFYhjYewF encrypted privilege 0
tunnel-group RPVPN type remote-access
tunnel-group RPVPN general-attributes
 address-pool newvpnpool
 default-group-policy RPVPN
tunnel-group RPVPN ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b3f15dda5472d65341d7c457f2e8b2a2
: end

Accepted Solution

Yup, you are totally correct, spot on!!

Asymmetric routing is not supported on the firewall, as traffic in and out must be through the same interfaces; otherwise, it thinks it is an attack and drops the packet.

Default gateway on the devices in IPOffice subnet should be the ASA IPOffice interface (192.168.42.254), not the switch if it is a shared switch with your inside network. And likewise for devices in the inside subnet, the default gateway should be the ASA 192.168.43.254.

With regards to the switch, you can pick as its default gateway either the ASA inside or the ASA IPOffice interface IP, and the return traffic needs to route via the same path.
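As an added illustration of the answer's point, not code from the thread: a small Python model of the ASA in this config (interfaces inside and IPOffice, VPN pool 10.11.12.0/24) that traces the interface a VPN client's packet leaves the ASA on and the interface the LAN host's reply re-enters on, depending on whether the host's default gateway is the ASA interface itself or a shared L3 switch. The switch addresses (192.168.42.1, 192.168.43.1) and its default route are constructed assumptions.

```python
import ipaddress

# Constructed model of the ASA in this thread: LAN interfaces with their
# subnets and addresses; VPN clients arrive from the pool via "outside".
ASA_INTERFACES = {
    "inside": (ipaddress.ip_network("192.168.43.0/24"), ipaddress.ip_address("192.168.43.254")),
    "IPOffice": (ipaddress.ip_network("192.168.42.0/24"), ipaddress.ip_address("192.168.42.254")),
}
VPN_POOL = ipaddress.ip_network("10.11.12.0/24")


def egress_interface(dst):
    """Interface the ASA forwards to for dst: a connected subnet, else outside."""
    for name, (net, _addr) in ASA_INTERFACES.items():
        if dst in net:
            return name
    return "outside"


def interface_by_address(addr):
    """ASA interface that owns addr, or None if addr is not an ASA address."""
    for name, (_net, if_addr) in ASA_INTERFACES.items():
        if addr == if_addr:
            return name
    return None


def reply_ingress_interface(host_gateway, switch_gateway):
    """Interface on which a LAN host's reply enters the ASA.
    Hop 1: the host sends to its default gateway; if that is an ASA interface
    address the reply enters there. Otherwise the gateway is assumed to be the
    shared L3 switch, which forwards to its own default gateway (hop 2)."""
    via_asa = interface_by_address(host_gateway)
    if via_asa is not None:
        return via_asa
    return interface_by_address(switch_gateway)


def check_vpn_path(client_ip, host_ip, host_gateway, switch_gateway):
    """Compare the interface the client's packet leaves the ASA on with the one
    the host's reply comes back on. The ASA records both in its connection
    entry and drops a reply that shows up on a different interface."""
    if ipaddress.ip_address(client_ip) not in VPN_POOL:
        raise ValueError("client must come from the VPN pool")
    out_if = egress_interface(ipaddress.ip_address(host_ip))
    back_if = reply_ingress_interface(ipaddress.ip_address(host_gateway),
                                      ipaddress.ip_address(switch_gateway))
    return {"forward_egress": out_if, "reply_ingress": back_if,
            "symmetric": out_if == back_if}
```

The failing case is an IPOffice host whose gateway is the shared switch while the switch's own default route points at the ASA inside address: the packet left on IPOffice but the reply comes back on inside.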
