Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1310
Views
0
Helpful
6
Replies

VPN users connect but won't reach the inside network.

Davo_Guz
Level 1
Level 1

‎12-18-2018 11:40 AM

Hello,

 

I'm configuring an ASA5508-X and I'm getting issues with the VPN. I'm able to authenticate with no issues and the computers from inside the network can reach the VPN computer (I can remote desktop) but I cant do the same the other way around. could someone help me please?

 

Here are my ACLs

 

access-list LAN_access standard permit any4

access-list LAN_access standard permit 192.168.1.0 255.255.255.0

access-list LAN_access remark VPNpool

access-list LAN_access standard permit 192.168.2.0 255.255.255.224

access-list LAN_access standard permit 192.168.0.0 255.255.255.0

access-list access_in extended permit ip 192.168.1.0 255.255.255.0 any

access-list access_in extended permit ip object VPNpool any

access-list access_in extended permit ip interface outside any

Labels:
0 Helpful
6 Replies 6

Rob Ingram
VIP
VIP

‎12-18-2018 12:17 PM

Hi,
It's not clear from your configuration as to where these ACLs are applied. Can you please provide the full configuation to provide some context.

Can you indicate what IP address(es) is the inside network and which IP address is the "VPN computer"?

Can you also run packet-tracer from the cli and upload the output?
0 Helpful

Davo_Guz
Level 1
Level 1
In response to Rob Ingram

‎12-18-2018 12:52 PM

the inside addresses are on the 192.168.1.0 network and the vpn addresses are on the 192.168.2.0. Here is the config:

 

names

no mac-address auto

ip local pool VPNpool 192.168.2.0-192.168.2.31 mask 255.255.255.224

 

!

interface GigabitEthernet1/1

nameif outside

security-level 0

ip address dhcp setroute

!

interface GigabitEthernet1/2

bridge-group 1

nameif inside_1

security-level 100

!

interface GigabitEthernet1/3

bridge-group 1

nameif inside_2

security-level 100

!

interface GigabitEthernet1/4

bridge-group 1

nameif inside_3

security-level 100

!

interface GigabitEthernet1/5

bridge-group 1

nameif inside_4

security-level 100

!

interface GigabitEthernet1/6

bridge-group 1

nameif inside_5

security-level 100

!

interface GigabitEthernet1/7

bridge-group 1

nameif inside_6

security-level 100

!

interface GigabitEthernet1/8

bridge-group 1

nameif inside_7

security-level 100

!

interface Management1/1

management-only

no nameif

no security-level

no ip address

!

interface BVI1

nameif inside

security-level 100

ip address 192.168.1.17 255.255.255.0

!

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any1

subnet 0.0.0.0 0.0.0.0

object network obj_any2

subnet 0.0.0.0 0.0.0.0

object network obj_any3

subnet 0.0.0.0 0.0.0.0

object network obj_any4

subnet 0.0.0.0 0.0.0.0

object network obj_any5

subnet 0.0.0.0 0.0.0.0

object network obj_any6

subnet 0.0.0.0 0.0.0.0

object network obj_any7

subnet 0.0.0.0 0.0.0.0

object network VPNpool

subnet 192.168.2.0 255.255.255.224

object network VPN

host 192.168.1.19

object network vpn

host 192.168.1.19

object network inside_out

subnet 192.168.1.0 255.255.255.0

object network outside_in

subnet 192.168.0.0 255.255.255.0

access-list LAN_access standard permit any4

access-list LAN_access standard permit 192.168.1.0 255.255.255.0

access-list LAN_access remark VPNpool

access-list LAN_access standard permit 192.168.2.0 255.255.255.224

access-list LAN_access standard permit 192.168.0.0 255.255.255.0

access-list access_in extended permit ip 192.168.1.0 255.255.255.0 any

access-list access_in extended permit ip object VPNpool any

access-list access_in extended permit ip interface outside any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside_1 1500

mtu inside_2 1500

mtu inside_3 1500

mtu inside_4 1500

mtu inside_5 1500

mtu inside_6 1500

mtu inside_7 1500

no failover

no monitor-interface inside

no monitor-interface service-module

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 16384

!

object network obj_any4

nat (inside_4,outside) dynamic interface

object network obj_any5

nat (inside_5,outside) dynamic interface

object network obj_any6

nat (inside_6,outside) dynamic interface

object network obj_any7

nat (inside_7,outside) dynamic interface

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

user-identity default-domain LOCAL

aaa authentication login-history

http server enable

http 192.168.1.0 255.255.255.0 inside_4

http 192.168.1.0 255.255.255.0 inside_5

http 192.168.1.0 255.255.255.0 inside_6

http 192.168.1.0 255.255.255.0 inside_7

no snmp-server location

no snmp-server contact

service sw-reset-button

 

dhcpd auto_config outside

!

dhcpd address 192.168.1.18-192.168.1.254 inside

dhcpd enable inside

!

webvpn

enable outside

enable inside_4

enable inside_5

enable inside_6

enable inside_7

enable inside

anyconnect enable

tunnel-group-list enable

cache

  disable

error-recovery disable

group-policy GroupPolicy_VPN internal

group-policy GroupPolicy_VPN attributes

wins-server none

dns-server value 142.165.21.5 142.165.200.5

vpn-simultaneous-logins 15

vpn-idle-timeout 30

vpn-session-timeout 600

vpn-tunnel-protocol ikev2 ssl-client

split-tunnel-policy excludespecified

split-tunnel-network-list value access_in

default-domain none

vlan none

dynamic-access-policy-record DfltAccessPolicy

tunnel-group VPN type remote-access

tunnel-group VPN general-attributes

address-pool (inside) VPNpool

address-pool VPNpool

default-group-policy GroupPolicy_VPN

tunnel-group VPN webvpn-attributes

group-alias VPN enable

0 Helpful

Rob Ingram
VIP
VIP
In response to Davo_Guz

‎12-18-2018 01:06 PM

OK, when you say you cannot access the internal network, what have you attempted to do to test? From the RDP server can you ping a device (other than the ASA itself) on the inside network?

Try enabling logging and seeing what the output is, look for denied traffic. You could also run a packet capture and upload the output here

What is the LAN_access ACL doing? I don't see it referenced anywhere
0 Helpful

Davo_Guz
Level 1
Level 1
In response to Rob Ingram

‎12-18-2018 01:14 PM

I can authenticate to the VPN from a computer not connected to the ASA directly and ping the ASA but wont go any further. From the inside I can ping the ASA and the computer that is connected to the VPN, I can even make a remote desk connection.

0 Helpful

Roy Harrington
Cisco Employee
Cisco Employee
In response to Davo_Guz

‎12-19-2018 05:26 PM

not seeing any nat exemption here.

 

can you do a packet tracer and attach the output using the following:

"pack in in icmp 192.168.1.99 8 0 192.168.2.29 det"

 

also i see the following config :

split-tunnel-policy excludespecified

split-tunnel-network-list value access_in

access-list access_in extended permit ip 192.168.1.0 255.255.255.0 any

access-list access_in extended permit ip object VPNpool any

access-list access_in extended permit ip interface outside any

 

you are excluding the addresses in the acl from going over the tunnel. From your anyconnect client right click and go to settings and check your secured routes. Secured routes are the subnets that you will be encrypting and be able to reach over the tunnel.

 

Screen Shot 2018-12-18 at 10.37.17 AM.png

 

0 Helpful

Davo_Guz
Level 1
Level 1
In response to Rob Ingram

‎12-18-2018 01:04 PM

I'm attaching the result of the trace, I hope I have the command details right

 

#  packet-tracer input outside tcp 192.168.2.1 echo 192.168.1.19 echo de$

 

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7fcd529b8170, priority=1, domain=permit, deny=false

        hits=51023, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=outside, output_ifc=any

 

Phase: 2

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop 192.168.1.19 using egress ifc  inside

 

Phase: 3

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7fcd51c7af40, priority=0, domain=nat-per-session, deny=false

        hits=17896, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=any, output_ifc=any

 

Phase: 4

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7fcd529b95a0, priority=0, domain=permit, deny=true

        hits=388, user_data=0xa, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=outside, output_ifc=any

 

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

0 Helpful
Customers Also Viewed These Support Documents