nebb-alx

asked on

Remote VPN users can connect, but not ping or access LAN

I have run the Remote Client VPN Wizard and attempted creating ACLs. Our requirements are simple. We would like authenticated VPN users to gain access to the local network. This seems to be not so straightforward.

Clients get authenticated and assigned an IP address. They are able to ping the ASA inside IP, but not able to access any other inside IPs.

Please have a look through my config. There are loads of posts about this subject, but none seem to help me (most suggesting crypto isakmp nat-traversal 20.)

Please comment also if you see other mistakes in the config.
Result of the command: "show running-config"
 
: Saved
:
ASA Version 8.0(3) 
!
hostname gw01asa
domain-name ourdomain
enable password 57KWEXXXXXXXXqh2mBM encrypted
names
!
interface Ethernet0/0
 nameif wan
 security-level 0
 ip address aaa.bbb.176.34 255.255.255.224 
!
interface Ethernet0/1
 nameif lan
 security-level 100
 ip address 192.168.137.29 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd 2KFXXXXXXXX.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup lan
dns server-group DefaultDNS
 name-server 192.168.137.2
 name-server 192.168.137.4
 domain-name nabc.domain
access-list wan_access_in extended permit icmp any any echo-reply 
access-list NABC_ASA_splitTunnelAcl standard permit 192.168.137.0 255.255.255.0 
access-list lan_nat0_outbound extended permit ip 192.168.137.0 255.255.255.0 192.168.100.0 255.255.255.0 
access-list nonat extended permit ip any 192.168.100.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu lan 1500
mtu wan 1500
ip local pool VPN_POOL 192.168.100.100-192.168.100.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any lan
icmp permit any wan
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (wan) 101 interface
nat (lan) 0 access-list nonat
nat (lan) 101 0.0.0.0 0.0.0.0
access-group wan_access_in in interface wan
route wan 0.0.0.0 0.0.0.0 aaa.bbb.176.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server NABC_KERB protocol kerberos
aaa-server NABC_KERB (lan) host 192.168.137.2
 timeout 5
 kerberos-realm NABC.domain
http server enable
http 192.168.137.0 255.255.255.0 lan
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wan_map interface wan
crypto isakmp enable wan
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.1.0 255.255.255.0 management
telnet 192.168.137.0 255.255.255.0 lan
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
vpn load-balancing 
 interface lbpublic lan
 interface lbprivate lan
threat-detection basic-threat
threat-detection statistics access-list
group-policy NABCASA internal
group-policy NABCASA attributes
 dns-server value 192.168.137.2 192.168.137.4
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NABCASA_splitTunnelAcl
 default-domain value nabc.domain
tunnel-group NABCASA type remote-access
tunnel-group NABCASA general-attributes
 address-pool VPN_POOL
 authentication-server-group NABC_KERB
 default-group-policy NABCASA
tunnel-group NABCASA ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:5d2f4291f045xx455x4x545x858221ef
: end


ASKER CERTIFIED SOLUTION
ck459
nebb-alx

ASKER

I see. We are trying to move from one gateway (Symantec SGS 360) to the ASA 5510 as our requirements have changed. But as we are trying a smooth transition we have kept all the existing equipment configured as it always has been.

Right, so I changed the gateway address on one of the inside PCs to the ASA and then I could ping it and browse it just fine. Thank you for that!

The problem now is how to smoothly transfer the systems. I don't think it is possible to create the routing you suggested in the SGS 360.
I managed to create the routing in the SGS just fine.

I just want to point out to any future readers of this thread that the netmask must be 255.255.255.0 (I misread your post).

ip route 192.168.100.0 255.255.255.0 192.168.137.29

Thanks again ck459!
Cheers mate!

ck459
Well, if you cannot create a static route in the Symantec, the only way to do this is to add a static route to the hosts.
This is the command:
ROUTE ADD 192.168.100.0 MASK 255.255.255.0 192.168.137.29 -P

This route will be persistent, which means it stays in the host when it reboots. You could make a script for this, and push it to the clients so that it gets installed in their PCs automatically.
Or if the remote VPN users only need access to the servers, add this route only to your servers.
 
You're welcome :-)
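The accepted answer is not visible on this page, but the two fixes the thread ends with (a static route for 192.168.100.0/24 on the SGS 360, or the persistent ROUTE ADD on each host) both address the same thing: the reply path. A VPN client's packet always arrives, because the ASA decrypts it and delivers it onto its directly connected LAN; the ASA's own inside IP answered pings because the ASA replies itself. Any other LAN host looks up 192.168.100.x in its own routing table, finds only its default route to the SGS, and the SGS has no route back to the ASA. The NAT exemption in the posted config (nat (lan) 0 access-list nonat) already covers the pool, so NAT is not the cause. The following Python model is an added illustration, not code from the thread or from Cisco: it builds a longest-prefix-match table for a LAN PC and for the SGS and traces where a reply ends up in the three situations. The ASA inside address and VPN pool come from the posted config; the SGS LAN address (192.168.137.1), the SGS upstream hop (203.0.113.1) and the client address (192.168.100.100) are constructed placeholders. Unrelated to the routing issue, note that the posted config defines access-list NABC_ASA_splitTunnelAcl while the group policy references NABCASA_splitTunnelAcl; the names should match for split tunnelling to apply as intended.

```python
import ipaddress

# Topology taken from the thread: LAN 192.168.137.0/24 behind the ASA's inside
# interface 192.168.137.29, and VPN clients drawn from pool 192.168.100.0/24.
LAN = ipaddress.ip_network("192.168.137.0/24")
VPN_POOL = ipaddress.ip_network("192.168.100.0/24")
ASA_INSIDE = ipaddress.ip_address("192.168.137.29")

# Addresses the thread does not give; these are constructed placeholders.
SGS_GATEWAY = ipaddress.ip_address("192.168.137.1")   # assumed SGS 360 LAN address (hosts' default gateway)
ISP_GATEWAY = ipaddress.ip_address("203.0.113.1")     # assumed SGS upstream next hop
VPN_CLIENT = ipaddress.ip_address("192.168.100.100")  # first address of VPN_POOL


class RoutingTable:
    """Minimal IPv4 forwarding table with longest-prefix-match lookup."""

    def __init__(self, routes):
        # routes: iterable of (prefix, next_hop); next_hop None = directly connected
        self.routes = [
            (ipaddress.ip_network(prefix), ipaddress.ip_address(nh) if nh else None)
            for prefix, nh in routes
        ]

    def lookup(self, dst):
        """Return the next-hop address for dst (dst itself if directly connected)."""
        dst = ipaddress.ip_address(dst)
        candidates = [(net, nh) for net, nh in self.routes if dst in net]
        if not candidates:
            return None
        net, nh = max(candidates, key=lambda r: r[0].prefixlen)
        return dst if nh is None else nh


def host_table(static_route_to_asa=False):
    """A LAN PC: connected LAN, default gateway = SGS, optionally the ROUTE ADD fix."""
    routes = [(str(LAN), None), ("0.0.0.0/0", str(SGS_GATEWAY))]
    if static_route_to_asa:
        # ROUTE ADD 192.168.100.0 MASK 255.255.255.0 192.168.137.29 -P
        routes.append((str(VPN_POOL), str(ASA_INSIDE)))
    return RoutingTable(routes)


def gateway_table(static_route_to_asa=False):
    """The SGS 360: connected LAN, default to the ISP, optionally the ip route fix."""
    routes = [(str(LAN), None), ("0.0.0.0/0", str(ISP_GATEWAY))]
    if static_route_to_asa:
        # ip route 192.168.100.0 255.255.255.0 192.168.137.29
        routes.append((str(VPN_POOL), str(ASA_INSIDE)))
    return RoutingTable(routes)


def reply_path(host_rt, gateway_rt, dst=VPN_CLIENT):
    """Hops a LAN host's reply visits on its way back to a VPN client.

    The reply is delivered once it reaches ASA_INSIDE (the ASA then encrypts it
    into the tunnel). If the host hands it to the SGS, the SGS does its own
    lookup; anything forwarded toward the ISP is lost, since the VPN pool is
    private address space nobody upstream routes back here.
    """
    hops = [host_rt.lookup(dst)]
    if hops[-1] == SGS_GATEWAY:
        hops.append(gateway_rt.lookup(dst))
    return hops


def reply_reaches_asa(host_rt, gateway_rt, dst=VPN_CLIENT):
    """True when the LAN host's reply ends up at the ASA's inside interface."""
    return reply_path(host_rt, gateway_rt, dst)[-1] == ASA_INSIDE


if __name__ == "__main__":
    # The request direction always works: the ASA decrypts and delivers onto the
    # directly connected LAN. Only the reply direction depends on the LAN's routes.
    cases = {
        "no extra route (symptom in the question)": (host_table(), gateway_table()),
        "static route on the SGS (asker's fix)": (host_table(), gateway_table(True)),
        "static route on each host (ck459's fallback)": (host_table(True), gateway_table()),
    }
    for name, (h, g) in cases.items():
        path = " -> ".join(str(hop) for hop in reply_path(h, g))
        print(f"{name}: {path} ({'OK' if reply_reaches_asa(h, g) else 'lost'})")
```

Running the script prints the reply path for each case: without any route the reply goes SGS then ISP and is lost; with the route on the SGS it goes SGS then ASA; with the route on the host it goes straight to the ASA. The gateway-side route is the better of the two fixes during the migration because it fixes every LAN host at once and leaves nothing to clean up when the SGS is retired, whereas per-host routes pushed by script have to be tracked and removed later.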