
VPN client can't ping ASA5510

Dear all,
1. I cannot ping the host inside my LAN from my VPN client through the ASA5510. Can you please check my configuration and tell me what is wrong?
VPN client: 172.16.1.1 -------- ASA ----- host IP: 192.168.10.44

2. What I would like in the end is for the VPN client to access ONLY some servers (IP: 192.168.10.44 to 192.168.50) on my LAN.

Please help.
Regards,
AIME

#sh run
: Saved
:
ASA Version 7.0(5)
!
hostname ciscoasa
domain-name mydomain
enable password oxHHVUhvm1EJfZCj encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 213.177.160.5 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.240
access-list cisco_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 172.16.1.1-172.16.1.14 mask 255.255.255.240
asdm image disk0:/asdm505.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.10.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 213.177.160.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy cisco internal
group-policy cisco attributes
 dns-server value 213.177.160.1 213.177.160.2
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value mydomain
 webvpn
username tel password xxxxx encrypted privilege 15
username vpnuser2 password xxxxxxxxx encrypted privilege 0
username vpnuser2 attributes
 vpn-group-policy cisco
 webvpn
username vpnuser1 password ccccc encrypted privilege 0
username vpnuser1 attributes
 vpn-group-policy cisco
 webvpn
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group cisco type ipsec-ra
tunnel-group cisco general-attributes
 address-pool vpnpool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:0c8461bd6e44b23f4d6c67197fa5a901
: end
ciscoasa#
lrmoore commented:
Add these commands:
  isakmp nat-traversal 20
  isakmp identity address

If this fixes the primary issue, then we can work on access restrictions.


aime14 (author) commented:
Dear lrmoore,
Thank you, I added the two commands, and now it is fixed.
Please let's continue with the ACL.
lrmoore commented:
Good. At least that is some progress!

Here's what I would do to restrict access:

-- create an object-group that contains all the servers that you want VPN users to access:
object-group network VPNACCESS
 network-object host 192.168.10.44
 network-object host 192.168.10.45
 network-object host 192.168.10.46
 network-object host 192.168.10.47
 network-object host 192.168.10.48
 network-object host 192.168.10.49
 network-object host 192.168.10.50

-- create an ACL to allow this object-group to talk to the VPN subnet, deny all other local systems from talking to the VPN subnet, but allow all hosts everything else:
access-list inside_outbound extended permit ip object-group VPNACCESS 172.16.1.0 255.255.255.240
access-list inside_outbound extended deny ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.240
access-list inside_outbound extended permit ip any any
access-group inside_outbound in interface inside

-- Done! Just add/subtract individual IPs in the network object-group as needed.



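To sanity-check that ACL before pasting it into the ASA, here is an added example (my own Python, not from the thread and not Cisco code) that models the ASA's first-match evaluation of an access-list applied inbound on the inside interface. The object-group members, the VPN pool (172.16.1.0/28) and the inside LAN are taken from the thread; the 192.168.10.60 source and the 8.8.8.8 destination are constructed test addresses that do not appear in it. The audit also shows why ACE order matters: swapping the permit and deny lines silently blocks the servers that were meant to be reachable. One caveat a practitioner should keep in mind: an interface ACL is consulted only for the packet that opens a connection, so this list governs connections that inside hosts initiate toward VPN clients; for connections the VPN clients themselves initiate, the ASA offers a per-group-policy `vpn-filter` ACL, which the thread does not use.

```python
import ipaddress


def net(cidr):
    """Parse a network, or a /32 host, into an ipaddress network object."""
    return ipaddress.ip_network(cidr, strict=False)


# Taken from the thread: the servers VPN users may reach (object-group VPNACCESS),
# the VPN address pool (172.16.1.1-172.16.1.14 mask 255.255.255.240) and the inside LAN.
VPNACCESS = [net(f"192.168.10.{host}/32") for host in range(44, 51)]
VPN_POOL = [net("172.16.1.0/28")]
INSIDE_LAN = [net("192.168.10.0/24")]
ANY = [net("0.0.0.0/0")]

# The inside_outbound access-list as an ordered list of (action, sources, destinations).
# Only the IP layer is modelled, matching the "ip" ACEs in the thread.
INSIDE_OUTBOUND = [
    ("permit", VPNACCESS, VPN_POOL),   # allowed servers -> VPN clients
    ("deny", INSIDE_LAN, VPN_POOL),    # every other LAN host -> VPN clients
    ("permit", ANY, ANY),              # everything else (Internet-bound traffic)
]

# Same three ACEs with permit and deny swapped: a common copy/paste mistake.
MISORDERED = [INSIDE_OUTBOUND[1], INSIDE_OUTBOUND[0], INSIDE_OUTBOUND[2]]


def matches(networks, addr):
    """True if addr falls inside any of the given networks."""
    return any(addr in n for n in networks)


def evaluate(acl, src, dst):
    """Return (action, 1-based ACE number) of the first matching entry,
    or ("deny", None) for the implicit deny at the end of every ASA ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, (action, sources, destinations) in enumerate(acl, start=1):
        if matches(sources, s) and matches(destinations, d):
            return action, number
    return "deny", None


def expected(src, dst):
    """The intent stated in the thread: LAN hosts may talk to the VPN subnet only
    if they are in VPNACCESS; every other destination stays reachable."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if matches(VPN_POOL, d):
        return "permit" if matches(VPNACCESS, s) else "deny"
    return "permit"


def audit(acl, flows):
    """Return (src, dst, got, wanted) for every flow whose verdict differs from the intent."""
    mismatches = []
    for src, dst in flows:
        got, _ = evaluate(acl, src, dst)
        wanted = expected(src, dst)
        if got != wanted:
            mismatches.append((src, dst, got, wanted))
    return mismatches


# Constructed test flows: 192.168.10.60 is an arbitrary "other" LAN host and 8.8.8.8 an
# arbitrary Internet destination; neither appears in the thread.
SAMPLE_FLOWS = [
    ("192.168.10.44", "172.16.1.5"),    # first allowed server -> a VPN client
    ("192.168.10.50", "172.16.1.14"),   # last allowed server -> last pool address
    ("192.168.10.60", "172.16.1.5"),    # non-listed LAN host -> VPN client: must be denied
    ("192.168.10.60", "8.8.8.8"),       # non-listed LAN host -> Internet: must stay permitted
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src:>14} -> {dst:<12} {evaluate(INSIDE_OUTBOUND, src, dst)}")
    print("mismatches (as posted):", audit(INSIDE_OUTBOUND, SAMPLE_FLOWS))
    print("mismatches (misordered):", audit(MISORDERED, SAMPLE_FLOWS))
```

Running the script prints the ACE number that decides each sample flow and an empty mismatch list for the ACL as posted, while the misordered copy reports the two server-to-client flows as wrongly denied. The same `audit` call can be extended with more flows when hosts are added to or removed from VPNACCESS.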