Solved

VPN connection - one user cannot see internal network

Posted on 2008-06-09
Last Modified: 2008-06-10
Need help! I have one user who can connect to our VPN but cannot see anything on our internal network. The user has DSL (Speedstream 4100). I have a different user with the same setup, and it works fine. I don't see any error messages in ASDM, but I do see the problem user connect. Thanks, Bill
Question by:whbaxter
7 Comments
 
LVL 23

Expert Comment

by:debuggerau
ID: 21747725
It may be a client issue - reboot for that.
It may be a local firewall/protection suite issue - disable that.
It could be that the VPN server has a different split tunnel setting, but you ruled that out.
Could be the ASA has reached its limit; I doubt it, but I needed to reboot a few times in the past when not running the latest firmware. Updated the firmware and all is good.
Could be that he is seeing the network, but the application is not working. Can you ping him?


Author Comment

by:whbaxter
ID: 21747764
I tried to connect with two different PCs at the user's house.
I disabled Windows Firewall - I don't know if the Speedstream has one - I will check that.
25 IPsec licenses on the ASA.
Could not ping him.
LVL 23

Accepted Solution

by: debuggerau (earned 500 total points)
ID: 21747865
Do you allow NAT traversal? Or does the user need a direct public address?

Could be the Speedstream, but what about client protection like Norton or other software firewalls?

Author Comment

by:whbaxter
ID: 21748049
I don't know enough about NAT-T to try it. The PC at the user's house was taken from our office, so I know that there is client protection enabled.
LVL 23

Expert Comment

by:debuggerau
ID: 21748672
Depending on your ASA config, NAT traversal will be enabled or not, allowing you to VPN in via a NAT-firewalled client.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html

Can you disable this client protection, or has it already been eliminated as a cause?

Maybe the clients need to configure port-forwarding on the slipstream?

Author Comment

by:whbaxter
ID: 21752496
Maybe someone can look at my config. I tried to set up another user, and cannot get him to connect. Now I have two users that cannot connect and three that can. There could be something wrong with the config, since this is the first ASA I have ever set up.
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.4.0.254 255.255.240.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.0
!
interface Vlan3
 nameif DMZ
 security-level 50
 ip address 172.31.4.254 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list VPNTunnel_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.4.0.224 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 172.31.4.0 255.255.255.0
access-list DMZ_outbound extended permit ip host 172.31.4.127 host 10.4.0.39
access-list DMZ_outbound extended permit ip host 172.31.4.127 host 10.4.0.12
access-list DMZ_outbound extended permit ip host 172.31.4.127 host 10.4.0.13
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool VPNPool 10.4.0.231-10.4.0.250 mask 255.255.240.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface DMZ
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group DMZ_outbound in interface DMZ
route outside 0.0.0.0 0.0.0.0 24.154.70.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.4.0.0 255.255.240.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy VPNTunnel internal
group-policy VPNTunnel attributes
 dns-server value 10.4.0.12
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPNTunnel_splitTunnelAcl
 default-domain value YNG.DPPipino.com
username sgmikalowsky password c5gLZlklIFf5r9a5 encrypted privilege 0
username sgmikalowsky attributes
 vpn-group-policy VPNTunnel
username mjsandoe password 34yfuhEtoXftzqlf encrypted privilege 0
username mjsandoe attributes
 vpn-group-policy VPNTunnel
username mpconnelly password zWJFUXT7FwuCi1SS encrypted privilege 0
username mpconnelly attributes
 vpn-group-policy VPNTunnel
username whbaxter password eCtuA/0MCMYZ4AXN encrypted privilege 0
username whbaxter attributes
 vpn-group-policy VPNTunnel
username ejhetrick password nJqA9VEnYxnDSCGZ encrypted privilege 0
username ejhetrick attributes
 vpn-group-policy VPNTunnel
tunnel-group VPNTunnel type ipsec-ra
tunnel-group VPNTunnel general-attributes
 address-pool VPNPool
 default-group-policy VPNTunnel
tunnel-group VPNTunnel ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:51865ce5a2646dc4a4df24b6f7d31678
: end
asdm image disk0:/asdm-523.bin
no asdm history enable


Author Comment

by:whbaxter
ID: 21753086
crypto isakmp nat-traversal worked!

But does this pose any security risks?
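As an added example (not code from the thread or from Cisco), here is a small checker run over a constructed excerpt of the config posted above: it flags the cause this thread ended on (no `crypto isakmp nat-traversal`) together with two other remote-access IPsec prerequisites that are easy to get wrong on a first ASA, the NAT exemption for the VPN pool and ISAKMP being enabled on the crypto-map interface. The keepalive value of 20 on the added line is assumed to be the ASA default; the excerpt keeps only the lines the checks read.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 7.2(3) config posted above; only the lines the checks read.
BEFORE = """\
interface Vlan1
 nameif inside
 ip address 10.4.0.254 255.255.240.0
access-list inside_nat0_outbound extended permit ip any 10.4.0.224 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 172.31.4.0 255.255.255.0
ip local pool VPNPool 10.4.0.231-10.4.0.250 mask 255.255.240.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map interface outside
crypto isakmp enable outside
"""
# Same excerpt plus the line the thread ended on (20 s keepalive is assumed to be the default).
AFTER = BEFORE + "crypto isakmp nat-traversal 20\n"


def pool_range(cfg):
    """First and last address of the 'ip local pool' handed to VPN clients."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask", cfg, re.M)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def nat0_exempt_networks(cfg):
    """Destination networks the 'nat (inside) 0' ACL exempts from PAT."""
    acl = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M).group(1)
    pat = rf"^access-list {re.escape(acl)} extended permit ip any (\S+) (\S+)"
    return [ipaddress.ip_network(f"{a}/{m}") for a, m in re.findall(pat, cfg, re.M)]


def check_vpn_config(cfg):
    """Return a sorted list of findings; an empty list means all three checks pass."""
    findings = []
    # 1. A client behind a home NAT router needs ESP encapsulated in UDP/4500 (NAT-T).
    if not re.search(r"^crypto isakmp nat-traversal", cfg, re.M):
        findings.append("nat-traversal-disabled")
    # 2. Replies from inside hosts to the pool must not be PATed to the outside address.
    first, last = pool_range(cfg)
    if not any(first in net and last in net for net in nat0_exempt_networks(cfg)):
        findings.append("vpn-pool-not-nat-exempt")
    # 3. ISAKMP must be enabled on the interface the crypto map is bound to.
    iface = re.search(r"^crypto map \S+ interface (\S+)", cfg, re.M).group(1)
    if not re.search(rf"^crypto isakmp enable {iface}$", cfg, re.M):
        findings.append("isakmp-not-enabled-on-crypto-interface")
    return sorted(findings)


if __name__ == "__main__":
    print("before:", check_vpn_config(BEFORE))  # ['nat-traversal-disabled']
    print("after: ", check_vpn_config(AFTER))   # []
```

NAT-T only changes transport: when a NAT device is detected between the peers, ESP is carried inside UDP/4500, while the pre-shared-key authentication and the transform set stay as configured.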