Asked by nebb-alx
Remote VPN users can connect, but not ping or access LAN

I have run the Remote Client VPN Wizard and attempted creating ACLs. Our requirements are simple. We would like authenticated VPN users to gain access to the local network. This seems to be not so straight forward.

Clients get authenticated and assigned an IP address. They are able to ping the ASA inside IP, but not able to access any other inside IPs.

Please have a look through my config. There are loads of posts about this subject, but none seem to help me (most suggesting crypto isakmp nat-traversal 20.)

Please comment also if you see other mistakes in the config.
Result of the command: "show running-config"
: Saved
ASA Version 8.0(3) 
hostname gw01asa
domain-name ourdomain
enable password 57KWEXXXXXXXXqh2mBM encrypted
interface Ethernet0/0
 nameif wan
 security-level 0
 ip address aaa.bbb.176.34 
interface Ethernet0/1
 nameif lan
 security-level 100
 ip address 
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address 
passwd 2KFXXXXXXXX.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup lan
dns server-group DefaultDNS
 domain-name nabc.domain
access-list wan_access_in extended permit icmp any any echo-reply 
access-list NABC_ASA_splitTunnelAcl standard permit 
access-list lan_nat0_outbound extended permit ip 
access-list nonat extended permit ip any 
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu lan 1500
mtu wan 1500
ip local pool VPN_POOL mask
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any lan
icmp permit any wan
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (wan) 101 interface
nat (lan) 0 access-list nonat
nat (lan) 101
access-group wan_access_in in interface wan
route wan aaa.bbb.176.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server NABC_KERB protocol kerberos
aaa-server NABC_KERB (lan) host
 timeout 5
 kerberos-realm NABC.domain
http server enable
http lan
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wan_map interface wan
crypto isakmp enable wan
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet management
telnet lan
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd enable management
vpn load-balancing 
 interface lbpublic lan
 interface lbprivate lan
threat-detection basic-threat
threat-detection statistics access-list
group-policy NABCASA internal
group-policy NABCASA attributes
 dns-server value
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NABCASA_splitTunnelAcl
 default-domain value nabc.domain
tunnel-group NABCASA type remote-access
tunnel-group NABCASA general-attributes
 address-pool VPN_POOL
 authentication-server-group NABC_KERB
 default-group-policy NABCASA
tunnel-group NABCASA ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
service-policy global_policy global
prompt hostname context 
: end

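The asker also invites comments on other mistakes in the config. As an added example (not from the thread or its participants), this Python script cross-checks the named objects in an ASA running-config the way a reviewer would: on the excerpt as posted it reports that the group policy's split-tunnel-network-list points at NABCASA_splitTunnelAcl while the access-list actually defined is NABC_ASA_splitTunnelAcl, and that lan_nat0_outbound is defined but never used. The upper-case address placeholders are constructed, since the post had already blanked the real addresses.

```python
import re
from collections import defaultdict

# Constructed excerpt of the config posted above; addresses were already blanked there, so placeholders stand in.
SAMPLE_CONFIG = """\
access-list wan_access_in extended permit icmp any any echo-reply
access-list NABC_ASA_splitTunnelAcl standard permit LAN_NET LAN_MASK
access-list lan_nat0_outbound extended permit ip LAN_NET LAN_MASK POOL_NET POOL_MASK
access-list nonat extended permit ip any POOL_NET POOL_MASK
ip local pool VPN_POOL POOL_FIRST-POOL_LAST mask POOL_MASK
nat (lan) 0 access-list nonat
access-group wan_access_in in interface wan
group-policy NABCASA internal
group-policy NABCASA attributes
 split-tunnel-network-list value NABCASA_splitTunnelAcl
tunnel-group NABCASA general-attributes
 address-pool VPN_POOL
 default-group-policy NABCASA
"""

# Lines that DEFINE a named object (name in group 1), keyed by object kind.
DEFS = {
    "access-list": re.compile(r"^access-list (\S+) "),
    "pool": re.compile(r"^ip local pool (\S+) "),
    "group-policy": re.compile(r"^group-policy (\S+) internal$"),
}
# Lines that REFERENCE a named object of that kind (name in group 1).
REFS = {
    "access-list": re.compile(r"^(?:\s*split-tunnel-network-list value"
                              r"|nat \(\S+\) 0 access-list|access-group) (\S+)"),
    "pool": re.compile(r"^\s*address-pool (\S+)"),
    "group-policy": re.compile(r"^\s*default-group-policy (\S+)"),
}

def audit(config):
    """Return {'dangling': refs to undefined names, 'unused': unreferenced ACLs}."""
    defined, refs = defaultdict(set), []
    for n, line in enumerate(config.splitlines(), 1):
        for kind, pat in DEFS.items():
            if (m := pat.match(line)):
                defined[kind].add(m.group(1))   # record what this line defines
        for kind, pat in REFS.items():
            if (m := pat.match(line)):
                refs.append((kind, m.group(1), n))  # record what it points at
    referenced = {(k, name) for k, name, _ in refs}
    dangling = [f"line {n}: {kind} '{name}' referenced but never defined"
                for kind, name, n in refs if name not in defined[kind]]
    unused = sorted(a for a in defined["access-list"]
                    if ("access-list", a) not in referenced)  # typo's other half
    return {"dangling": dangling, "unused": unused}
```

A dangling name next to an unused one with a near-identical spelling is the signature of a typo between the wizard-generated ACL and the group policy; run the same check on the full running-config, not just this excerpt.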

ck459 (Belgium) answered:
[This solution is only available to Experts Exchange members.]
nebb-alx replied:

I see. We are trying to move from one gateway (Symantec SGS 360) to the ASA 5510 as our requirements have changed. But as we are trying a smooth transition we have kept all the existing equipment configured as it always has been.

Right, so I changed the gateway address on one of the inside PCs to the ASA and then I could ping it and browse it just fine. Thank you for that!

The problem now is how to smoothly transfer the systems. I don't think it is possible to create the routing you suggested in the SGS 360.

I managed to create the routing in the SGS just fine.

I just want to point out to any future readers of this thread: do note that the netmask must be (I misread your post.)

ip route

Thanks again ck459!
Cheers mate!

ck459 replied:
Well, if you cannot create a static route in the Symantec, the only way to do this is adding a static route to the hosts.
This is the command:

This route will be persistent, which means it stays in the host when it reboots. You could make a script for this, and push it to the clients so that it gets installed in their PCs automatically.
Or if the remote VPN users only need access to the servers, add this route only to your servers.
You're welcome :-)