3509 Views · 0 Helpful · 15 Replies

VPN Client Cannot Access Anything at Main Site

CCNCISCOSVC
Level 1

I am sure this problem has been solved a million times over but I can't get this to work.  Can someone take a look at this config quick and tell me what is wrong?

The Cisco VPN client connects no problem but I can't access anything.

ASA Version 8.4(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 15
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.43.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address a.a.a.a 255.255.255.248
!
interface Vlan15
 no forward interface Vlan1
 nameif IPOffice
 security-level 100
 ip address 192.168.42.254 255.255.255.0
!
boot system disk0:/asa844-k8.bin
ftp mode passive
object network obj-192.168.43.0
 subnet 192.168.43.0 255.255.255.0
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_10.11.12.0_24
 subnet 10.11.12.0 255.255.255.0
object network NETWORK_OBJ_192.168.43.160_28
 subnet 192.168.43.160 255.255.255.240
object network IPOffice
 subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit icmp any 192.168.42.0 255.255.255.0
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 192.168.43.0 255.255.255.0
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu IPOffice 1500
ip local pool newvpnpool 10.11.12.100-10.11.12.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.11.12.0_24 NETWORK_OBJ_10.11.12.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 no-proxy-arp route-lookup
nat (IPOffice,outside) source static any any destination static NETWORK_OBJ_192.168.43.160_28 NETWORK_OBJ_192.168.43.160_28 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
object network IPOffice
 nat (IPOffice,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 b.b.b.b 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.43.0 255.255.255.0 inside
http 192.168.42.0 255.255.255.0 IPOffice
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set encrypt-method-1 esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dynmap 30 set pfs group1
crypto dynamic-map dynmap 30 set ikev1 transform-set strong-des
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map rpVPN 65535 ipsec-isakmp dynamic dynmap
crypto map rpVPN interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.43.5-192.168.43.36 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy RPVPN internal
group-policy RPVPN attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev1
username admin password gP3lHsTOEfvj7Z3g encrypted privilege 15
username mark password blPoPZBKFYhjYewF encrypted privilege 0
tunnel-group RPVPN type remote-access
tunnel-group RPVPN general-attributes
 address-pool newvpnpool
 default-group-policy RPVPN
tunnel-group RPVPN ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b3f15dda5472d65341d7c457f2e8b2a2
: end


15 Replies

Jennifer Halim
Cisco Employee

Missing the split tunnel policy under group-policy:

access-list split-acl standard permit 192.168.43.0 255.255.255.0

group-policy RPVPN attributes

   split-tunnel-policy tunnelspecified

   split-tunnel-network-list value split-acl

I entered those commands.


Still not working.

Thanks.

what ip are you trying to access?

If you add "management-access inside", can you ping 192.168.43.254?

I added the management access command and I am able to ping 192.168.43.254.

I need to get to 192.168.43.1 in particular.

Thanks for your help.

I get this error when I try to ping 192.168.43.1 from my laptop with the VPN client connected.

3 | Jun 15 2012 | 08:44:00 | 10.11.12.100 | LOCAL | regular translation creation failed for icmp src IPOffice:192.168.43.1 dst outside:10.11.12.100(LOCAL\ccnsupport) (type 0, code 0)

regular translation creation failed for icmp src IPOffice:192.168.43.1 dst outside:10.11.12.100(LOCAL\ccnsupport) (type 0, code 0)

For this error message, I believe the src should be inside:192.168.43.1

How do I get it to do that?

IPOffice is 192.168.42.0/24 network.

To get to the IPOffice network, pls add the following:

access-list split-acl standard permit 192.168.42.0 255.255.255.0

nat (IPOffice,outside) source static any any destination static NETWORK_OBJ_10.11.12.0_24 NETWORK_OBJ_10.11.12.0_24
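The two fixes in the replies above (the split-tunnel ACL the group-policy points at must actually exist, and each inside-facing interface needs its own identity NAT toward outside for the VPN pool) are the kind of thing that is easy to check mechanically. Here is an added example of such a check, written for this thread and not code from Cisco or from anyone posting here; the sample config is a constructed, trimmed-down copy of the one posted above (203.0.113.2 stands in for the redacted outside address), the function names are mine, and the regexes only cover the command forms that appear in that config.

```python
"""Lint an ASA 8.4 remote-access VPN config for two gaps from this thread:
a split-tunnel ACL referenced by the group-policy but never defined, and an
inside-facing interface with no identity NAT (NAT exemption) for the VPN pool.
Added example, not Cisco's code."""
import ipaddress
import re

# Constructed, trimmed-down version of the config posted in the thread.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.43.254 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface Vlan15
 nameif IPOffice
 security-level 100
 ip address 192.168.42.254 255.255.255.0
object network NETWORK_OBJ_10.11.12.0_24
 subnet 10.11.12.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 192.168.43.0 255.255.255.0
ip local pool newvpnpool 10.11.12.100-10.11.12.150 mask 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.11.12.0_24 NETWORK_OBJ_10.11.12.0_24 no-proxy-arp route-lookup
group-policy RPVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
"""

# The same config with the two lines suggested in the thread's replies added.
FIXED_CONFIG = SAMPLE_CONFIG + """\
access-list split-acl standard permit 192.168.43.0 255.255.255.0
nat (IPOffice,outside) source static any any destination static NETWORK_OBJ_10.11.12.0_24 NETWORK_OBJ_10.11.12.0_24
"""


def parse(config_text):
    """Collect interfaces, network objects, ACL names, address pools, NAT
    exemptions and split-tunnel lists. Sub-commands are indented by one space."""
    cfg = {"ifaces": {}, "objects": {}, "acls": set(), "pools": {},
           "nat_exempt": [], "split_lists": {}}
    block_kind = block_name = None
    iface = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            # A new top-level command closes the current block.
            if block_kind == "interface" and "nameif" in iface:
                cfg["ifaces"][iface["nameif"]] = iface
            block_kind = block_name = None
            iface = {}
            if m := re.match(r"interface (\S+)$", line):
                block_kind, block_name = "interface", m.group(1)
            elif m := re.match(r"object network (\S+)$", line):
                block_kind, block_name = "object", m.group(1)
            elif m := re.match(r"group-policy (\S+) attributes$", line):
                block_kind, block_name = "group-policy", m.group(1)
            elif m := re.match(r"access-list (\S+) ", line):
                cfg["acls"].add(m.group(1))
            elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) ", line):
                cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                            ipaddress.ip_address(m.group(3)))
            elif m := re.match(r"nat \((\S+),(\S+)\) source static \S+ \S+ "
                               r"destination static (\S+) \S+", line):
                cfg["nat_exempt"].append((m.group(1), m.group(2), m.group(3)))
            continue
        if block_kind == "interface":
            if m := re.match(r"nameif (\S+)$", line):
                iface["nameif"] = m.group(1)
            elif m := re.match(r"security-level (\d+)$", line):
                iface["level"] = int(m.group(1))
        elif block_kind == "object":
            if m := re.match(r"subnet (\S+) (\S+)$", line):
                cfg["objects"][block_name] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
        elif block_kind == "group-policy":
            if m := re.match(r"split-tunnel-network-list value (\S+)$", line):
                cfg["split_lists"][block_name] = m.group(1)
    if block_kind == "interface" and "nameif" in iface:
        cfg["ifaces"][iface["nameif"]] = iface
    return cfg


def lint(config_text):
    """Return a list of human-readable findings; empty means both checks pass."""
    cfg = parse(config_text)
    findings = []
    for gp, acl in cfg["split_lists"].items():
        if acl not in cfg["acls"]:
            findings.append(f"group-policy {gp}: split-tunnel-network-list "
                            f"'{acl}' is not a defined access-list")
    # Every interface with a non-zero security level can carry return traffic to
    # VPN clients, so each needs an identity NAT toward outside covering the pool.
    inside_ifcs = sorted(n for n, i in cfg["ifaces"].items() if i.get("level", 0) > 0)
    for pool, (first, last) in cfg["pools"].items():
        for ifc in inside_ifcs:
            exempt = any(real == ifc and mapped == "outside" and obj in cfg["objects"]
                         and first in cfg["objects"][obj] and last in cfg["objects"][obj]
                         for real, mapped, obj in cfg["nat_exempt"])
            if not exempt:
                findings.append(f"interface {ifc}: no identity NAT toward outside "
                                f"for VPN pool {pool} ({first}-{last})")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)) or "no findings")
```

Run against SAMPLE_CONFIG it reports the missing split-acl and the missing (IPOffice,outside) exemption; against FIXED_CONFIG it reports nothing. Feeding it a full `show running-config` would need more command forms than the handful of regexes here.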

When I added that, I can now ping 192.168.43.1 but I cannot access it.

6 | Jun 15 2012 | 11:32:41 | 192.168.43.250 | 80 | 10.11.12.100 | 11600 | Deny TCP (no connection) from 192.168.43.250/80 to 10.11.12.100/11600 flags SYN ACK on interface IPOffice

Here is the error when I try to open up a switch GUI from my VPN connected client.

Here is what I see.

I try to connect to the switch at 192.168.43.250 which is on the inside interface. The traffic goes to the inside interface but tries to return from the IPOffice interface. If it would return from the inside interface, I think it would work no problem.

Maybe I am totally off.

(Accepted Solution)

Yup, you are totally correct, spot on!!

Asymmetric routing is not supported on the firewall, as traffic in and out must be through the same interfaces; otherwise, it thinks it is an attack and drops the packet.

Default gateway on the devices in IPOffice subnet should be the ASA IPOffice interface (192.168.42.254), not the switch if it is a shared switch with your inside network. And likewise for devices in the inside subnet, the default gateway should be the ASA 192.168.43.254.

With regards to the switch, you can pick a default gateway either the ASA inside or the ASA IPOffice interface IP, and the return traffic needs to route via the same path.

I want the traffic to come in and out of the same interface but it is going out a different interface.   What lines of config will fix that?

Thanks for your help.

It's not the config on the ASA.

The reason why the return traffic is going through the IPOffice is probably because your switch default gateway is IPOffice instead of the inside interface. If you change your switch default gateway to be ASA inside interface, traffic towards the switch will go in and out the same interface.
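The diagnosis above can be read straight off the syslog lines posted earlier: a SYN ACK from a 192.168.43.x host arriving on IPOffice, or a translation failure whose source is IPOffice:192.168.43.1, both mean a host answered through an interface that does not own its subnet. Here is an added example that automates that comparison; it is not code from Cisco or from this thread. The interface subnets are taken from the posted config and assumed static, the first two sample lines are the thread's own messages with the user suffix dropped, the third is the thread's SYN-timeout teardown (not a routing symptom, so it is ignored), and the fourth is an invented, correctly routed reply for contrast; the syslog IDs 106015, 305006 and 302014 are the standard ASA message numbers for these texts.

```python
"""Flag asymmetric-routing symptoms in ASA syslog text. Added example, not
Cisco's code. Two message types from this thread are parsed: 106015
'Deny TCP (no connection) ... on interface X' and 305006 '... translation
creation failed for ... src X:host'. If the host named in the message does
not live in the subnet of the interface the ASA saw it on, the reply took a
different path than the request."""
import ipaddress
import re

# Interface subnets from the config posted in the thread (assumed static here).
INTERFACES = {
    "inside": ipaddress.ip_network("192.168.43.0/24"),
    "IPOffice": ipaddress.ip_network("192.168.42.0/24"),
}

# Constructed sample log: lines 1-3 are the thread's messages, line 4 is invented.
SAMPLE_LOG = [
    "%ASA-6-106015: Deny TCP (no connection) from 192.168.43.250/80 to 10.11.12.100/11600 flags SYN ACK on interface IPOffice",
    "%ASA-3-305006: regular translation creation failed for icmp src IPOffice:192.168.43.1 dst outside:10.11.12.100 (type 0, code 0)",
    "%ASA-6-302014: Teardown TCP connection 6990 for outside:10.11.12.100/5135 to inside:192.168.43.254/443 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-6-106015: Deny TCP (no connection) from 192.168.42.10/80 to 10.11.12.100/22000 flags SYN ACK on interface IPOffice",
]

DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (\S+)/\d+ to \S+/\d+ flags .+? on interface (\S+)")
XLATE_RE = re.compile(r"translation creation failed for \S+ src (\w+):([\d.]+) dst")


def owning_interface(host):
    """Name of the interface whose subnet contains host, or None if unknown."""
    ip = ipaddress.ip_address(host)
    return next((name for name, net in INTERFACES.items() if ip in net), None)


def check_line(line):
    """Return (host, seen_on, expected) when the host showed up on an interface
    that does not own its subnet; None for clean or unrelated lines."""
    if m := DENY_RE.search(line):
        host, seen_on = m.group(1), m.group(2)
    elif m := XLATE_RE.search(line):
        seen_on, host = m.group(1), m.group(2)
    else:
        return None
    expected = owning_interface(host)
    if expected is not None and expected != seen_on:
        return (host, seen_on, expected)
    return None


def find_asymmetric(lines):
    """All (host, seen_on, expected) triples found in the given log lines."""
    return [hit for hit in map(check_line, lines) if hit]


if __name__ == "__main__":
    for host, seen_on, expected in find_asymmetric(SAMPLE_LOG):
        print(f"{host} replied via {seen_on} but belongs to {expected}: "
              f"check that host's (or its switch's) default gateway")
```

On the sample it flags 192.168.43.250 and 192.168.43.1, both seen on IPOffice although they belong to inside, which is exactly the default-gateway problem described in the reply above; the 192.168.42.10 line passes because that host answered on its own interface.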

6 | Jun 18 2012 | 06:34:03 | 10.11.12.100 | 5135 | 192.168.43.254 | 443 | Teardown TCP connection 6990 for outside:10.11.12.100/5135(LOCAL\ccnsupport) to inside:192.168.43.254/443 duration 0:00:30 bytes 0 SYN Timeout (ccnsupport)

After connecting to the VPN, I tried to access the ASA using the inside address. The above message is what I received. I could not connect. That takes the switch out of the equation.