VPN routing issues/ can't see both inside and the Internet

Scott Quinn
Level 1

I've been trying to fight my way through the configuration of an ASA5505. So far we've got it running as a firewall, but now we're trying to get IPsec VPN running and it is becoming much more difficult. I managed to get it so that we could access the interior network only (with split tunneling turned off), but once I activated split tunneling you could get at the Internet but no longer get to the internal network (not even the DNS). Sounds to me like a routing problem, but I'm not sure where to go ("show running-config" output attached at the end).

I imagine one of the problems is that I've been trying to set it up with the ASDM rather than through the console, to some extent so I don't have to haul a terminal to where the ASA is; really, patching in a line or using SSH wouldn't be too hard, but I'm not sure where to start. What's the best place to start learning how to really use the ASA, for someone whose experience has been Mac/UNIX/a bit of VMS/Windows systems? We're a nonprofit, so expensive training programs are out.

Point 2: We're on ASA software version 8.2.2. When we got the device about a year ago it was recommended that we not go to 8.3 because it was (a) new and (b) had a new and different NAT interface. If it's now recommended to go with a newer version, then we can do that as well.

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2)
!
hostname {REDACTED}
domain-name {REDACTED}
enable password {REDACTED}
passwd {REDACTED}
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address {REDACTED}
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login VMP ASA5505 Authorized Use Only
banner asdm VMP ASA5505 Authorized Use Only
boot system disk0:/asa822-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.110
 name-server 68.87.69.146
 name-server 68.87.85.98
 domain-name vinemapleplace.org
same-security-traffic permit inter-interface
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object traceroute
 icmp-object unreachable
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
object-group service DM_INLINE_TCP_2 tcp
 port-object eq imap4
 port-object eq pop2
 port-object eq pop3
object-group service DM_INLINE_TCP_3 tcp
 port-object eq ssh
 port-object eq telnet
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service IPSEC tcp
 description IPSEC
 port-object eq 4500
object-group service ftp-highports tcp
 description ftp-highports
 port-object range 49423 49500
 port-object range 49500 55000
access-list VMP_VPN_users_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.0.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.240 255.255.255.240 inactive
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list mgmt_access_in extended permit ip any any
access-list inside_access_in_1 remark HTTP out
access-list inside_access_in_1 extended permit object-group TCPUDP any any eq www log disable
access-list inside_access_in_1 remark FTP out
access-list inside_access_in_1 extended permit tcp any any object-group DM_INLINE_TCP_1 log disable
access-list inside_access_in_1 remark Telnet/SSH
access-list inside_access_in_1 extended permit tcp any any object-group DM_INLINE_TCP_3 log disable
access-list inside_access_in_1 remark DNS
access-list inside_access_in_1 extended permit object-group TCPUDP any any eq domain log disable
access-list inside_access_in_1 remark Mail
access-list inside_access_in_1 extended permit tcp any any object-group DM_INLINE_TCP_2 log disable
access-list inside_access_in_1 remark NTP
access-list inside_access_in_1 extended permit udp any any eq ntp log disable
access-list inside_access_in_1 extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in_1 remark Mail to mail.vinemapleplace.org
access-list inside_access_in_1 extended permit tcp any host 207.97.245.100 eq smtp log disable
access-list inside_access_in_1 extended permit tcp any any eq https
access-list inside_access_in_1 extended permit ip any any inactive
access-list inside_access_in_1 extended permit tcp any any inactive
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit tcp any interface outside object-group IPSEC inactive
access-list outside_access_in extended permit tcp any any eq ftp-data
access-list VMP_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL 192.168.0.240-192.168.0.255 mask 255.255.255.240
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside control-plane
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 173.10.100.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 user-message "Not authorized for VPN access."
dynamic-access-policy-record "VPN access"
 description "VPN access policy"
 network-acl inside_access_in
 network-acl mgmt_access_in
 webvpn
  file-browsing enable
  file-entry enable
  http-proxy enable
  url-entry enable
aaa-server VMP_LDAP protocol ldap
aaa-server VMP_LDAP (inside) host 192.168.0.110
 server-port 636
 ldap-base-dn ou=MyBusiness,dc=vmp,dc=local
 ldap-group-base-dn dc=local,dc=vmp,ou=MyBusiness
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=VMPAdmin,ou=SBSUsers,ou=Users,ou=MyBusiness,dc=vmp,dc=local
 ldap-over-ssl enable
 server-type microsoft
eou allow none
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint Gatekeeper
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=gatehouse.vinemapleplace.org,OU=IT,O=VineMaplePlace,C=US,St=Washington,L=MapleValley
 no client-types
 crl configure
crypto ca trustpoint VMProotca
 enrollment terminal
 crl configure
crypto ca trustpoint VMP_VPN
 enrollment terminal
 subject-name CN=gatehouse.vinemapleplace.org,OU=IT,O=VineMaplePlace,C=US,St=Washington,L=MapleValley
 crl configure
crypto ca trustpoint ASDM_java
 id-usage code-signer
 crl configure
crypto ca trustpoint ASDM_Java_Sign
 id-usage code-signer
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 subject-name CN=gatehouse.vinemapleplace.org,O=VineMaplePlace,C=US
 id-usage code-signer
 crl configure
crypto ca certificate chain VMProotca
 certificate ca
    {...trimmed...}
  quit
crypto ca certificate chain VMP_VPN
 certificate 0b
    {...trimmed...}
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 40
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 50
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10500 11000 11500
crypto isakmp am-disable
crypto isakmp reload-wait
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.0.110 source inside prefer
webvpn
 enable outside
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy VMP_VPN internal
group-policy VMP_VPN attributes
 wins-server value 192.168.0.110 192.168.0.111
 dns-server value 192.168.0.110 192.168.1.1
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VMP_VPN_splitTunnelAcl
 default-domain value vinemapleplace.org
 vlan none
 webvpn
  url-list none
tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
 authentication-server-group VMP_LDAP
 default-group-policy VMP_VPN
tunnel-group VMP_VPN type remote-access
tunnel-group VMP_VPN general-attributes
 address-pool (inside) VPN_POOL
 address-pool VPN_POOL
 authentication-server-group VMP_LDAP
 authentication-server-group (inside) VMP_LDAP
 authorization-server-group VMP_LDAP
 authorization-server-group (inside) LOCAL
 default-group-policy VMP_VPN
tunnel-group VMP_VPN webvpn-attributes
 group-alias VMP_remote enable
tunnel-group VMP_VPN ipsec-attributes
 trust-point VMP_VPN
tunnel-group-map default-group VMP_VPN
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
!
!
policy-map global-policy
 class global-class
  inspect ftp
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
!
service-policy asa_global_fw_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:{REDACTED}
: end

4 Replies

Hi,

Please tell me what your internal networks are. It's a part of split-tunneling. They are 192.168.0.0/24 and 192.168.1.0/24. Right?

Toshi

Accepted Solution

Hi Scott,

I can see your internal network is 192.168.0.0/24 and you are allowing access to this network to the remote clients:

access-list VMP_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0

And I can also see that you are using "ip local pool VPN_POOL 192.168.0.240-192.168.0.255 mask 255.255.255.240" for your remote users.

Can I make a quick suggestion here? I would recommend using a different IP block for the remote users, maybe 172.16.0.0 or 172.31.0.0, whatever; anything that doesn't clash with the 192.168.0.0/24 subnet.

Give it a try and see how you go if you can. Below is some explanation taken from the link below.

Overlapping Private Networks

Problem

If you are unable to access the internal network after the tunnel establishment, check whether the IP address assigned to the VPN client overlaps with the internal network behind the head-end device.

Solution

Always make sure that the IP addresses in the pool to be assigned to the VPN clients, the internal network of the head-end device and the VPN client's internal network are in different networks. You can assign the same major network with different subnets, but sometimes routing issues occur.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#ra-sol-3

HTH,

Regards,

Kishore

Please rate if helpful

OK, that seems simple enough, throw the VPN on a separate network and add routing table entries to route between the two.

One more question: how does the VPN relate to the firewall, and will changing the address require that there be entries in the firewall to allow/deny traffic between Inside/VPN and VPN/Outside, or is VPN traffic automatically considered to be on the Inside interface? I'm a bit confused because sometimes it seems as though VPN traffic is treated as "Inside" and other times not quite inside, but there isn't a "VPN" segment in the firewall panes.

Hi Scott,

Yep, you need to allow the remote VPN pool to access the internal networks in your firewall section. Your remote users will be coming in on the outside interface, as the crypto map is applied to the outside interface.

Create an object in the Network Objects for the remote users and allow them to access whatever you want (internal, DMZ, etc.) in the firewall section. If you want them to access everything, then just permit ip any any.

When you use the ASA as a firewall, nothing is allowed by default; you have to specifically allow subnets to access what you want them to.

HTH,

Regards,

Kishore

Please rate if helpful
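The overlap that Kishore's accepted reply identifies, and the question in his last reply of what else has to change once the pool moves, as one added example that is not part of the original thread or of any Cisco tool: a Python 3.8+ script that lints a constructed excerpt of the running-config posted above (only the lines that matter for the pool, with ASA's one-space indentation restored), then the same excerpt with the pool moved to 172.16.0.0/24 (an assumed choice; any block disjoint from the internal networks would do). The function names lint and parse and the *_CONFIG constants are the example's own. It flags a pool that overlaps an interface subnet or a split-tunnel network, and, because 8.2 still uses nat 0 exemption, checks that the inside_nat0_outbound access-list covers inside-to-pool traffic after the move; a half-done variant (pool moved, exemption not updated) is included to show that second finding.

```python
# Added example for this thread (not from the thread or from Cisco): lint the remote-access
# pool settings of an ASA 8.2 running-config. Knows only the few 8.2 commands used below.
import ipaddress
import re

# Constructed excerpt of the running-config posted above (ASA indentation restored).
POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
access-list VMP_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.0.240 255.255.255.240 inactive
ip local pool VPN_POOL 192.168.0.240-192.168.0.255 mask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
group-policy VMP_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VMP_VPN_splitTunnelAcl
tunnel-group VMP_VPN general-attributes
 address-pool VPN_POOL
"""
OLD_POOL = "192.168.0.240-192.168.0.255 mask 255.255.255.240"
NEW_POOL = "172.16.0.1-172.16.0.254 mask 255.255.255.0"  # assumed block, per Kishore's advice
# Pool moved but the nat 0 exemption forgotten: the half-done change.
STALE_NAT0_CONFIG = POSTED_CONFIG.replace(OLD_POOL, NEW_POOL)
# Pool moved and the exemption updated to match: the complete change.
FIXED_CONFIG = STALE_NAT0_CONFIG.replace(
    "192.168.0.0 255.255.255.0 192.168.0.240 255.255.255.240",
    "192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0")

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)(?: mask \S+)?$")
IFACE_RE = re.compile(r"^interface \S+$")
NAMEIF_RE = re.compile(r"^ nameif (\S+)$")
IPADDR_RE = re.compile(r"^ ip address (\d[\d.]*) (\d[\d.]*)$")
STD_ACE_RE = re.compile(r"^access-list (\S+) standard permit (.+)$")
EXT_ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
SPLIT_RE = re.compile(r"^ split-tunnel-network-list value (\S+)$")

def _take_net(tokens):
    """Consume one ACE address spec (any | host A | A M) from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{t}/{tokens.pop(0)}", strict=False)

def parse(cfg):
    """Collect the pool, interface subnets, ACLs, nat 0 bindings and split-tunnel ACL name."""
    c = {"pool": None, "ifaces": {}, "std": {}, "ext": {}, "nat0": {}, "split": None}
    nameif = None  # interface block currently being read
    for line in cfg.splitlines():
        if IFACE_RE.match(line):
            nameif = None
        elif m := NAMEIF_RE.match(line):
            nameif = m[1]
        elif (m := IPADDR_RE.match(line)) and nameif:
            c["ifaces"][nameif] = ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
        elif m := POOL_RE.match(line):
            c["pool"] = (m[1], ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := STD_ACE_RE.match(line):
            c["std"].setdefault(m[1], []).append(_take_net(m[2].split()))
        elif m := EXT_ACE_RE.match(line):
            tokens = m[2].split()
            if tokens[-1] != "inactive":  # a disabled ACE exempts nothing
                c["ext"].setdefault(m[1], []).append((_take_net(tokens), _take_net(tokens)))
        elif m := NAT0_RE.match(line):
            c["nat0"][m[1]] = m[2]
        elif m := SPLIT_RE.match(line):
            c["split"] = m[1]
    return c

def lint(cfg):
    c = parse(cfg)
    if c["pool"] is None:
        return ["no 'ip local pool' configured"]
    name, first, last = c["pool"]
    findings = []
    # 1. The pool must not overlap a connected interface subnet, nor a network the
    #    split-tunnel ACL sends through the tunnel (the head-end's internal LANs).
    internal = [(f"{n} subnet", net) for n, net in c["ifaces"].items()]
    internal += [("split-tunnel network", net) for net in c["std"].get(c["split"], [])]
    for label, network in internal:
        if first <= network.broadcast_address and last >= network.network_address:
            findings.append(f"pool {name} {first}-{last} overlaps {label} {network}")
    # 2. Pre-8.3 NAT: inside->pool traffic must hit the nat 0 exemption, or the
    #    catch-all 'nat (inside) 1' translates the replies sent to VPN clients.
    inside = c["ifaces"].get("inside")
    exempt = c["ext"].get(c["nat0"].get("inside"), [])
    chunks = ipaddress.summarize_address_range(first, last) if inside is not None else []
    for chunk in chunks:
        if not any(inside.subnet_of(src) and chunk.subnet_of(dst) for src, dst in exempt):
            findings.append(f"nat 0 exemption on inside does not cover {inside} -> {chunk}")
            break
    return findings  # empty list: pool passes both checks

if __name__ == "__main__":
    print(lint(POSTED_CONFIG), lint(STALE_NAT0_CONFIG), lint(FIXED_CONFIG), sep="\n")
```

Run stand-alone it prints two findings for the posted excerpt (the pool sits inside both the inside subnet and the split-tunnel network), one for the half-done change (the exemption still names 192.168.0.240/28) and an empty list for the complete change. The checks say nothing about interface access-lists: on 8.2 the default "sysopt connection permit-vpn" lets decrypted remote-access traffic bypass the outside interface access-group, so the usual place to restrict what clients may reach is a vpn-filter in the group policy; only if "no sysopt connection permit-vpn" has been configured does the outside access-list itself have to permit the pool.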