VPN Client users cannot access LAN (with split tunnel)

CSCO11476246
Level 1

We are trying to set up VPN client access into our network on an ASA5510.

All the remote users need is to access our Exchange server/DNS (192.168.101.32) and Call Manager (209.xxx.xx.58) for IPC.

The IPsec connects, and the user receives an IP on the 192.168.110.0 network. We can verify this on the ASA, and routes show up dynamically in the routing table. But remote users are unable to access or ping anything on the internal LAN (the 101 or 102 networks).

VPN statistics show no packets decrypted or encrypted. It's as if no traffic crosses the VPN link. Internet access on the remote machine works as normal, therefore we assume the split tunnel works.

At the moment we have put in any any access-list rules for testing purposes.

Here is the current config. Please can someone assist with spotting where we have gone wrong? (I've replaced some of the IP details with xx's.)

#####################################################################################################
hostname ASA
domain-name aaaaa.co.za
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 41.xxx.xxx.90 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 11.11.11.1 255.255.255.252
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name aaaaa.co.za
object-group network OFFICE_LAN
 network-object 192.168.101.0 255.255.255.0
 network-object 192.168.102.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
 network-object 11.11.11.0 255.255.255.0
 network-object 209.xxx.xx.0 255.255.255.0
access-list AND extended permit ip any 192.168.110.0 255.255.255.0
access-list AND extended permit ip 192.168.110.0 255.255.255.0 any
access-list OUT-IN extended permit ip any any
access-list IN-OUT extended permit ip any any
access-list INTERNAL_TO_WEB extended permit ip 192.168.102.0 255.255.255.0 any
access-list INTERNAL_TO_WEB extended permit ip 192.168.103.0 255.255.255.0 any
access-list INTERNAL_TO_WEB extended permit ip host 192.168.101.33 any
access-list SPLIT_TUNNEL extended permit ip 209.xxx.xx.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 11.11.11.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.101.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.100.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.102.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.110.0 255.255.255.0 object-group OFFICE_LAN
access-list NO_NAT extended permit ip object-group OFFICE_LAN 192.168.110.0 255.255.255.0
pager lines 24
logging enable
logging buffered notifications
logging asdm warnings
mtu outside 1500
mtu inside 1500
ip local pool RA 192.168.110.1-192.168.110.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list INTERNAL_TO_WEB
static (inside,outside) 41.xxx.xxx.91 192.168.101.32 netmask 255.255.255.255
access-group OUT-IN in interface outside
access-group IN-OUT in interface inside
!
router rip
 network 11.0.0.0
 redistribute connected metric transparent
 redistribute static
 version 2
 no auto-summary
!
route outside 0.0.0.0 0.0.0.0 41.xxx.xxx.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.102.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set router-set esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map ats 1 set transform-set router-set
crypto dynamic-map ats 1 set reverse-route
crypto map dyn-map 100 ipsec-isakmp dynamic ats
crypto map dyn-map interface outside
crypto isakmp identity key-id test
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
telnet 192.168.102.0 255.255.255.0 inside
telnet 192.168.101.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
group-policy ATS internal
group-policy ATS attributes
 wins-server value 192.168.101.32
 dns-server value 192.168.101.32
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 default-domain value aaaaa.co.za
 split-dns value 1
username abcde password On/EBuFkg5wkwgoQ encrypted privilege 15
tunnel-group VPNClient type remote-access
tunnel-group VPNClient general-attributes
 address-pool RA
 default-group-policy ATS
tunnel-group VPNClient ipsec-attributes
 pre-shared-key *****
 isakmp ikev1-user-authentication none
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d972caa452f45f8c9384cf14eac2c2c4
: end
#######################################################################################

Thanks in advance.

Dean


mvsheik123
Level 7

Hi,

Please try adding the lines below:

nat (inside) 0 access-list NO_NAT
!
same-security-traffic permit intra-interface
!

You can remove:

access-list NO_NAT extended permit ip 192.168.110.0 255.255.255.0 object-group OFFICE_LAN

Finally, make sure the ASA is learning about the internal networks.

hth

MS
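Two of the things the advice above turns on can be checked mechanically from the posted config: whether the NO_NAT list is actually bound with a `nat (inside) 0` statement (an access-list on its own exempts nothing), and whether each destination the users need is covered by both the SPLIT_TUNNEL and NO_NAT ACEs for the 192.168.110.0/24 pool. The following is an added example, not code from the thread or from Cisco: a small parser for the extended permit-ip ACEs and network object-groups in the poster's config. It assumes the redacted 209.xxx.xx.0/24 Call Manager range can be stood in for by the 203.0.113.0/24 documentation prefix, and uses 192.168.110.5 as an assumed client address from the RA pool.

```python
import ipaddress

# Constructed excerpt of the poster's config; the redacted 209.xxx.xx.0/24 Call Manager
# range is stood in for by the documentation prefix 203.0.113.0/24 (an assumption).
ASA_CONFIG = """\
object-group network OFFICE_LAN
network-object 192.168.101.0 255.255.255.0
network-object 192.168.102.0 255.255.255.0
network-object 203.0.113.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 203.0.113.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.101.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list NO_NAT extended permit ip object-group OFFICE_LAN 192.168.110.0 255.255.255.0
"""
FIXED_CONFIG = ASA_CONFIG + "nat (inside) 0 access-list NO_NAT\n"  # the binding the reply asks for

def _addr(tokens, groups):  # one ACE address term (host A | object-group G | A MASK) -> (nets, used)
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], 2
    if tokens[0] == "object-group":
        return groups.get(tokens[1], []), 2
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], 2

def parse_config(text):  # -> ({acl_name: [(src_nets, dst_nets)]}, {acl names bound with nat 0})
    groups, acls, nat0, current = {}, {}, set(), None
    for t in (line.split() for line in text.splitlines()):
        if t[:2] == ["object-group", "network"]:
            current = groups.setdefault(t[2], [])
        elif t[:1] == ["network-object"] and current is not None:
            current.append(ipaddress.ip_network(f"{t[1]}/{t[2]}"))
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"]:
            src, n = _addr(t[5:], groups)
            acls.setdefault(t[1], []).append((src, _addr(t[5 + n:], groups)[0]))
        elif len(t) > 4 and t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0.add(t[4])
    return acls, nat0

def _permits(aces, a, b):  # does any ACE permit address a -> address b?
    return any(any(a in s for s in src) and any(b in d for d in dst) for src, dst in aces)

def check_vpn_reachability(config, client_ip, targets):
    """Per target: is it in the split-tunnel list, and is client<->target exempt from NAT?"""
    acls, nat0 = parse_config(config)
    client = ipaddress.ip_address(client_ip)
    report = {"nat0_bound": "NO_NAT" in nat0}  # NO_NAT does nothing until bound with nat 0
    for t in map(ipaddress.ip_address, targets):
        report[str(t)] = {
            "in_split_tunnel": _permits(acls.get("SPLIT_TUNNEL", []), t, client),  # ACEs are LAN -> pool
            "nat_exempt": _permits(acls.get("NO_NAT", []), t, client) or _permits(acls.get("NO_NAT", []), client, t),
        }
    return report
```

Run against the excerpt as posted, `nat0_bound` comes back False; with the reply's `nat (inside) 0` line added it is True, and a host on 192.168.102.0/24 shows up as NAT-exempt but absent from this excerpt's split-tunnel list.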

Thank you for the response,

I have made the suggested changes, with no change to the current problem.

I have also since removed rip and replaced the routes with static routes. No change.

And I have tried a more specific SPLIT_TUNNEL ACL for the Call Manager and Exchange:

access-list SPLIT_TUNNEL extended permit ip 209.xxx.xx.76 255.255.255.252 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 11.11.11.0 255.255.255.252 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 10.10.10.0 255.255.255.252 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip host 192.168.101.32 192.168.110.0 255.255.255.0

Strange thing is that we cannot ping the 192.168.101.32 address from the ASA, although we can ping other servers in the same range, .30 and .33.

Hi,

I don't think you need to enable this, but try adding 'same-security-traffic permit inter-interface'.

Also, make sure the split-tunnel networks are being downloaded to the client when connected via VPN.

Enable 'debug icmp trace' on the ASA and try to initiate a ping to internal resources from the VPN client and see if the traffic is hitting the ASA.

As far as the server 192.168.101.32 reachability from the ASA, please check the server IP config as well.

hth

MS

Once again, thank you for the assistance, we seem to have resolved the problem in two ways:

1. We changed the link between the ASA and our switch to layer 2. So Ethernet0/1 has an IP in the 192.168.101.0 network. Therefore .32 is pingable. Might have just been a routing issue along the way.

2. We found that the 3G cards that we use to connect remotely have recently updated their software, which somehow blocks encrypted data. Any other internet link works fine.

We'll take it up with the 3G service provider.

Regards,

Dean

Glad to hear that. Thanks for the update.

MS
