Manoj Prasad asked:
Problems w/ Cisco VPN Client configuration: Cannot access anything

I can connect my Cisco VPN client (v 5.0.03) to the ASA 5510 firewall and see the tunnel come up on the ASDM interface.  However, I cannot access anything on the internal network from my client.  No email, no pinging, no browsing, nothing.  I have split tunneling enabled, but I cannot access the internet after I establish the tunnel.

asdm image disk0:/asdm-507.bin
asdm location 10.0.0.0 255.255.255.0 Outside
no asdm history enable
: Saved
:
ASA Version 7.0(7)
!
hostname xxxxxx
domain-name xxxxxx.com
enable password ZxbzN033lVser1Gv encrypted
names
dns-guard
!
interface Ethernet0/0
 description Outside Interface
 duplex full
 nameif Outside
 security-level 0
 ip address 208.139.xxx.66 255.255.255.192
!
interface Ethernet0/1
 description Inside Interface
 duplex full
 nameif Inside
 security-level 99
 ip address 192.168.20.7 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns name-server 192.168.20.44
dns name-server 206.168.216.6
same-security-traffic permit intra-interface
object-group service Paraexchange_Service_Group tcp
 description Services allowed to Paraexchange
 port-object eq www
 port-object eq pop3
 port-object eq smtp
 port-object eq imap4
object-group service Paraccess_Service_Group tcp
 description Services allowed to Paraccess
 port-object eq ftp-data
 port-object eq pptp
 port-object eq ftp
access-list Outside_access_in extended permit tcp any host 208.139.xxx.69 object-group Paraccess_Service_Group
access-list Outside_access_in extended permit gre any host 208.139.xxx.69
access-list Outside_access_in extended permit tcp any host 208.139.xxx.70 eq www
access-list Outside_access_in extended permit tcp any host 208.139.xxx.100 object-group Paraexchange_Service_Group
access-list Inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list Outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 208.139.xxx.71-208.139.205.98
global (Outside) 10 208.139.xxx.99
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 192.168.20.0 255.255.255.0
static (Inside,Outside) 208.139.xxx.70 192.168.20.6 netmask 255.255.255.255
static (Inside,Outside) 208.139.xxx.69 192.168.20.48 netmask 255.255.255.255
static (Inside,Outside) 208.139.xxx.100 192.168.20.43 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_access_out in interface Inside
route Outside 0.0.0.0 0.0.0.0 208.139.xxx.65 1
route Inside 10.10.10.0 255.255.255.0 192.168.20.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Para_RAS_VPN protocol nt
aaa-server Para_RAS_VPN host 192.168.20.46
 nt-auth-domain-controller laniwot00
group-policy Para_RAS_VPN internal
group-policy Para_RAS_VPN attributes
 vpn-filter none
 webvpn
http server enable
http 192.168.20.208 255.255.255.255 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Please wait. Your identity is being authenticated.
auth-prompt accept Congratulations! You have been authenticated!
auth-prompt reject I'm sorry. You have not been authenticated. Only authorized personnel may use this service.
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-MD5
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer 195.239.41.254
crypto map Outside_map 20 set transform-set ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp identity address
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 1000
tunnel-group 195.239.xxx.254 type ipsec-l2l
tunnel-group 195.239.xxx.254 ipsec-attributes
 pre-shared-key *
tunnel-group Para_RAS_VPN type ipsec-ra
tunnel-group Para_RAS_VPN general-attributes
 authentication-server-group Para_RAS_VPN
 authentication-server-group (Outside) Para_RAS_VPN
 default-group-policy Para_RAS_VPN
 dhcp-server 192.168.20.44
tunnel-group Para_RAS_VPN ipsec-attributes
 pre-shared-key *
vpn-sessiondb max-session-limit 100
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
client-update enable
Cryptochecksum:3fa8498d5572d49ec73e2c8b1093b7ab
: end
Jay_Gridley:
I'm actually missing a couple of things in your config. Did you use the wizard to create your mobile VPN?

First the reason I think you can get the tunnel up but no traffic through is I would think you don't have your NAT0 setup correctly.
There is a site-to-site tunnel configured to a 10.0.0.0/24 network. NAT0 is configured for this tunnel. I don't see it for the RA VPN. (I reckon you use your inside DHCP server to provide an address to the VPN clients because I don't see an IP pool at first glance.)
Try adding:
access-list Inside_nat0_outbound extended permit ip <ip range VPN Clients> 255.255.255.0 192.168.20.0 255.255.255.0

Furthermore you say you have split tunnelling enabled, but I don't see an access-list that tells the ASA which networks to tunnel. Try adding:
access-list SPLITTUNNEL standard permit 192.168.20.0 255.255.255.0

Hope this helps.

JG
I was just thinking... I made a mistake on the NAT0 access-list.
It should be the other way around:
access-list Inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 <VPNClients> 255.255.255.0

sorry.
Manoj Prasad (asker):
Thanks for your help Jay.

The access-list SPLITTUNNEL standard permit 192.168.20.0 255.255.255.0
didn't do anything.  I still cannot access the internet while connected to the VPN.  You were correct in that I am using DHCP for the VPN clients.  With that said, what IP range for the VPN clients should I use?  If the VPN clients are using the same IP range as the rest of the network, then how does that access-list make sense?  I'm sorry, I just don't quite understand what that specific access list is trying to accomplish.
Jay_Gridley:
Starting off with your last question.
When you create a VPN tunnel and don't specify anything ALL traffic will be routed through the VPN tunnel. Using an access-list you can specify which traffic will be sent through the tunnel. With the access-list I told you to use you specify that you only want to have traffic sent to 192.168.20.0 (your LAN) through the tunnel, which means traffic destined to the internet won't be sent to the tunnel but to the default gateway of the pc. This way it allows you to access the internet.

To be honest, I've been told that it is possible to use the same IP segment for your VPN clients as well as your local LAN, but I'm unsure how this works for split tunneling. I suggest keeping it this way and first trying something else.

First go into the VPN group policy:
group-policy Para_RAS_VPN attributes

From there add the following lines to your config:
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUNNEL

This final piece actually adds the split tunnel access-list to the VPN tunnel, comparable to applying an access-list to an interface with the access-group command. I forgot to add that this afternoon. I must be having an off day ;-)

Anyway, if this also doesn't work you might try using an IP range not yet present in your network for the VPN clients. But try this first.

Btw, can you already ping across the tunnel to your local LAN?
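Both of Jay's points (the missing NAT0 exemption for the client range, and the split-tunnel ACL that only takes effect once `split-tunnel-policy` and `split-tunnel-network-list` are set under the group-policy) can be checked mechanically. The following is an added audit script, not code from the thread; it assumes the ASA config is available as text and uses 192.168.30.0/24 as a hypothetical separate client range.

```python
import re
from itertools import takewhile

# Constructed sample, not the poster's full config: the lines from the thread that
# matter for the remote-access VPN plus the fixes Jay suggested. 192.168.30.0/24 is
# an assumed separate address range for the VPN clients.
SAMPLE_CONFIG = """\
access-list Inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list SPLITTUNNEL standard permit 192.168.20.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
group-policy Para_RAS_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUNNEL
"""

def parse_acls(config):
    """Map each access-list name to its entries (the text after the name)."""
    acls = {}
    for m in re.finditer(r"^access-list (\S+) (.*)$", config, re.M):
        acls.setdefault(m.group(1), []).append(m.group(2))
    return acls

def block_attrs(config, header):
    """Return the indented attribute lines that follow the exact line `header`."""
    lines = config.splitlines()
    if header not in lines:
        return []
    rest = lines[lines.index(header) + 1:]
    return [l.strip() for l in takewhile(lambda l: l.startswith(" "), rest)]

def audit_ra_vpn(config, group_policy, lan, pool):
    """Return a list of problems (empty means OK); lan and pool are (network, mask)."""
    problems, acls = [], parse_acls(config)
    attrs = block_attrs(config, f"group-policy {group_policy} attributes")
    # 1. split tunnelling must be 'tunnelspecified' and name an existing ACL that lists the LAN
    if "split-tunnel-policy tunnelspecified" not in attrs:
        problems.append(f"{group_policy}: split-tunnel-policy is not tunnelspecified")
    st = next((a.split()[-1] for a in attrs if a.startswith("split-tunnel-network-list value ")), None)
    if st is None or st not in acls:
        problems.append(f"{group_policy}: split-tunnel-network-list missing or names an undefined ACL")
    elif f"standard permit {lan[0]} {lan[1]}" not in acls[st]:
        problems.append(f"{st}: does not permit the LAN {lan[0]} {lan[1]}")
    # 2. the nat 0 ACL must exempt LAN -> VPN client traffic from translation
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    nat0 = acls.get(m.group(1), []) if m else []
    if f"extended permit ip {lan[0]} {lan[1]} {pool[0]} {pool[1]}" not in nat0:
        problems.append(f"nat 0: no exemption for {lan[0]} -> {pool[0]}")
    return problems
```

Run against the config as originally posted (no split-tunnel lines under the group-policy and no NAT0 entry for the client range), the audit reports all three problems; against the sample above it reports none.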
Manoj Prasad (asker):
Will try this solution when I get in.  Thanks.

Jason
Manoj Prasad (asker):
Jay,

We're getting closer!  I can now browse the internet while connected to the VPN.  I can also ping the internal network by IP address, but not by name.  I am trying to open email, and it keeps telling me that I need to connect to the exchange server.  It sounds like a DNS problem somewhere.  When I do an ipconfig /all, the Cisco VPN adapter says the following:

DHCP Enabled........... : No
IP Address................ : 192.168.20.122
Subnet Mask............. : 255.255.255.0
Default Gateway...... : {blank}
ASKER CERTIFIED SOLUTION (Jay_Gridley)
This solution is only available to members.
Manoj Prasad (asker):
Thanks for all your help Jay!  It is working perfectly!!

Jason