09-20-2011 03:35 AM
We are trying to setup VPN client access into our network on an ASA5510.
All the remote users need is to access our Exchange server/DNS (192.168.101.32) and Call Manager (209.xxx.xx.58) for IPC.
The IPsec connects, and the user receives an IP on the 192.168.110.0 network. We can verify this on the ASA, and routes show up dynamically in the routing table. But remote users are unable to access or ping anything on the internal LAN (101 or 102 networks).
VPN statistics show no packets decrypted or encrypted. It's as if no traffic crosses the VPN link. Internet access on the remote machine works as normal, therefore we assume the split tunnel works.
At the moment we have put in any/any access-list rules for testing purposes.
Here is the current config. Could someone please assist with spotting where we have gone wrong? (I've replaced some of the IP details with xx's.)
#####################################################################################################
hostname ASA
domain-name aaaaa.co.za
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 41.xxx.xxx.90 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 11.11.11.1 255.255.255.252
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa823-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name aaaaa.co.za
object-group network OFFICE_LAN
network-object 192.168.101.0 255.255.255.0
network-object 192.168.102.0 255.255.255.0
network-object 192.168.100.0 255.255.255.0
network-object 11.11.11.0 255.255.255.0
network-object 209.xxx.xx.0 255.255.255.0
access-list AND extended permit ip any 192.168.110.0 255.255.255.0
access-list AND extended permit ip 192.168.110.0 255.255.255.0 any
access-list OUT-IN extended permit ip any any
access-list IN-OUT extended permit ip any any
access-list INTERNAL_TO_WEB extended permit ip 192.168.102.0 255.255.255.0 any
access-list INTERNAL_TO_WEB extended permit ip 192.168.103.0 255.255.255.0 any
access-list INTERNAL_TO_WEB extended permit ip host 192.168.101.33 any
access-list SPLIT_TUNNEL extended permit ip 209.xxx.xx.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 11.11.11.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.101.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.100.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.102.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.110.0 255.255.255.0 object-group OFFICE_LAN
access-list NO_NAT extended permit ip object-group OFFICE_LAN 192.168.110.0 255.255.255.0
pager lines 24
logging enable
logging buffered notifications
logging asdm warnings
mtu outside 1500
mtu inside 1500
ip local pool RA 192.168.110.1-192.168.110.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list INTERNAL_TO_WEB
static (inside,outside) 41.xxx.xxx.91 192.168.101.32 netmask 255.255.255.255
access-group OUT-IN in interface outside
access-group IN-OUT in interface inside
!
router rip
network 11.0.0.0
redistribute connected metric transparent
redistribute static
version 2
no auto-summary
!
route outside 0.0.0.0 0.0.0.0 41.xxx.xxx.89 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.102.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set router-set esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map ats 1 set transform-set router-set
crypto dynamic-map ats 1 set reverse-route
crypto map dyn-map 100 ipsec-isakmp dynamic ats
crypto map dyn-map interface outside
crypto isakmp identity key-id test
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet 192.168.102.0 255.255.255.0 inside
telnet 192.168.101.0 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
group-policy ATS internal
group-policy ATS attributes
wins-server value 192.168.101.32
dns-server value 192.168.101.32
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
default-domain value aaaaa.co.za
split-dns value 1
username abcde password On/EBuFkg5wkwgoQ encrypted privilege 15
tunnel-group VPNClient type remote-access
tunnel-group VPNClient general-attributes
address-pool RA
default-group-policy ATS
tunnel-group VPNClient ipsec-attributes
pre-shared-key *****
isakmp ikev1-user-authentication none
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d972caa452f45f8c9384cf14eac2c2c4
: end
#######################################################################################
Thanks in advance.
Dean
09-20-2011 07:51 AM
Hi,
Please try adding the lines below...
nat (INSIDE) 0 access-list NO_NAT
!
same-security-traffic permit intra-interface
!
You can remove:
access-list NO_NAT extended permit ip 192.168.110.0 255.255.255.0 object-group OFFICE_LAN
Finally, make sure the ASA is learning about the internal networks.
hth
MS
09-21-2011 01:20 AM
Thank you for the response,
I have made the suggested changes, with no change to the current problem.
I have also since removed rip and replaced the routes with static routes. No change.
And have tried a more specific SPLIT_TUNNEL ACL for the Call Manager and Exchange:
access-list SPLIT_TUNNEL extended permit ip 209.xxx.xx.76 255.255.255.252 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 11.11.11.0 255.255.255.252 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 10.10.10.0 255.255.255.252 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip host 192.168.101.32 192.168.110.0 255.255.255.0
The strange thing is that we cannot ping the 192.168.101.32 address from the ASA, although we can ping other servers in the same range (.30 and .33).
09-21-2011 09:08 AM
Hi,
I don't think you need to enable this, but try adding 'same-security-traffic permit inter-interface'.
Also, make sure the split-tunnel networks are being downloaded to the client when connected via VPN.
Enable 'debug icmp trace' on the ASA and try to initiate a ping to internal resources from the VPN client and see if the traffic is hitting the ASA.
As far as the reachability of the server 192.168.101.32 from the ASA goes, please check the server's IP config as well.
hth
MS
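An added example, not from this thread or from Cisco: a small Python checker that parses ASA-style object-group and access-list lines (the syntax Dean's config uses) and answers the two questions MS raises offline, before touching the box. For each internal target it reports whether the destination falls inside the networks the SPLIT_TUNNEL list would push to the client, and whether the inside-to-client flow would be exempted from NAT by the NO_NAT list. The config fragment is constructed from the ACLs in the original post; 209.0.113.0/24 (TEST-NET-3) is a placeholder for the masked 209.xxx.xx.0/24, and 192.168.103.5 is a constructed host used to show a miss.

```python
import ipaddress

# Constructed config fragment reproducing the thread's object-group and ACLs.
# 209.0.113.0/24 stands in for the masked 209.xxx.xx.0/24 of the original post.
ASA_CONFIG = """
object-group network OFFICE_LAN
 network-object 192.168.101.0 255.255.255.0
 network-object 192.168.102.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
 network-object 11.11.11.0 255.255.255.0
 network-object 209.0.113.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 209.0.113.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 11.11.11.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.101.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.100.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list SPLIT_TUNNEL extended permit ip 192.168.102.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list NO_NAT extended permit ip object-group OFFICE_LAN 192.168.110.0 255.255.255.0
"""


def _parse_endpoint(tokens, i, groups):
    """Consume one ACL endpoint starting at tokens[i]; return (networks, next index)."""
    t = tokens[i]
    if t == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if t == "object-group":
        return list(groups[tokens[i + 1]]), i + 2
    # ASA writes "address netmask" rather than CIDR; ipaddress accepts a dotted mask.
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False)], i + 2


def parse_asa(config):
    """Return (object groups, ACLs). ACLs map name -> list of (src nets, dst nets) permits."""
    groups, acls, current_group = {}, {}, None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["object-group", "network"]:
            current_group = groups.setdefault(tokens[2], [])
        elif tokens[0] == "network-object" and current_group is not None:
            if tokens[1] == "host":
                current_group.append(ipaddress.ip_network(tokens[2] + "/32"))
            else:
                current_group.append(ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False))
        elif tokens[0] == "access-list" and tokens[2:5] == ["extended", "permit", "ip"]:
            current_group = None
            src, i = _parse_endpoint(tokens, 5, groups)
            dst, _ = _parse_endpoint(tokens, i, groups)
            acls.setdefault(tokens[1], []).append((src, dst))
        else:
            current_group = None  # any other line ends an object-group block
    return groups, acls


def covered(entries, src_ip, dst_ip):
    """True if some permit entry matches the (source, destination) pair."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(any(s in n for n in src) and any(d in n for n in dst) for src, dst in entries)


def split_tunnel_includes(acls, target_ip):
    """The source side of a split-tunnel ACL is what gets pushed to the client as 'secured routes'."""
    t = ipaddress.ip_address(target_ip)
    return any(any(t in n for n in src) for src, _ in acls.get("SPLIT_TUNNEL", []))


def nat_exempt(acls, inside_ip, client_ip):
    """'nat (inside) 0 access-list' is evaluated with the inside host as source, the client as destination."""
    return covered(acls.get("NO_NAT", []), inside_ip, client_ip)


def check_remote_access(config, targets, client_ip):
    """Map each target to (in split-tunnel list, inside->client flow NAT-exempt)."""
    _, acls = parse_asa(config)
    return {t: (split_tunnel_includes(acls, t), nat_exempt(acls, t, client_ip)) for t in targets}


if __name__ == "__main__":
    # 192.168.110.20 is a constructed address from the thread's RA pool.
    report = check_remote_access(ASA_CONFIG, ["192.168.101.32", "209.0.113.58", "192.168.103.5"], "192.168.110.20")
    for host, (split, exempt) in report.items():
        print(f"{host}: split-tunnel={'yes' if split else 'NO'} nat-exempt={'yes' if exempt else 'NO'}")
```

Both checks use the inside host as the ACL source, which is also why the OFFICE_LAN-to-110 entry is the one that matters for `nat (inside) 0 access-list` and the reverse entry adds nothing; a target that shows `NO` on either column would not get a route on the client or would be translated on the way back, both of which look like "no packets encrypted" from the VPN statistics.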
09-22-2011 12:32 AM
Once again, thank you for the assistance, we seem to have resolved the problem in two ways:
1. We changed the link between the ASA and our switch to layer 2, so Ethernet0/1 has an IP in the 192.168.101.0 network. Therefore .32 is pingable. It might have just been a routing issue along the way.
2. We found that our 3G cards, which we use to connect remotely, have recently updated their software, which somehow blocks encrypted data. Any other internet link works fine.
We'll take it up with the 3G service provider.
Regards,
Dean
09-22-2011 07:52 AM
Glad to hear that. Thanks for the update.
MS