We help IT Professionals succeed at work.

Problems w/ Cisco VPN Client configuration:  Cannot access anything

1,856 Views
Last Modified: 2012-05-05
I can connect my Cisco VPN client (v 5.0.03) to the ASA 5510 firewall and see the tunnel come up on the ASDM interface.  However, I cannot access anything on the internal network from my client.  No email, no pinging, no browsing, nothing.  I have split tunneling enabled, but I cannot access the internet after I establish the tunnel.

asdm image disk0:/asdm-507.bin
asdm location 10.0.0.0 255.255.255.0 Outside
no asdm history enable
: Saved
:
ASA Version 7.0(7)
!
hostname xxxxxx
domain-name xxxxxx.com
enable password ZxbzN033lVser1Gv encrypted
names
dns-guard
!
interface Ethernet0/0
 description Outside Interface
 duplex full
 nameif Outside
 security-level 0
 ip address 208.139.xxx.66 255.255.255.192
!
interface Ethernet0/1
 description Inside Interface
 duplex full
 nameif Inside
 security-level 99
 ip address 192.168.20.7 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns name-server 192.168.20.44
dns name-server 206.168.216.6
same-security-traffic permit intra-interface
object-group service Paraexchange_Service_Group tcp
 description Services allowed to Paraexchange
 port-object eq www
 port-object eq pop3
 port-object eq smtp
 port-object eq imap4
object-group service Paraccess_Service_Group tcp
 description Services allowed to Paraccess
 port-object eq ftp-data
 port-object eq pptp
 port-object eq ftp
access-list Outside_access_in extended permit tcp any host 208.139.xxx.69 object-group Paraccess_Service_Group
access-list Outside_access_in extended permit gre any host 208.139.xxx.69
access-list Outside_access_in extended permit tcp any host 208.139.xxx.70 eq www
access-list Outside_access_in extended permit tcp any host 208.139.xxx.100 object-group Paraexchange_Service_Group
access-list Inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list Outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 208.139.xxx.71-208.139.205.98
global (Outside) 10 208.139.xxx.99
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 192.168.20.0 255.255.255.0
static (Inside,Outside) 208.139.xxx.70 192.168.20.6 netmask 255.255.255.255
static (Inside,Outside) 208.139.xxx.69 192.168.20.48 netmask 255.255.255.255
static (Inside,Outside) 208.139.xxx.100 192.168.20.43 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_access_out in interface Inside
route Outside 0.0.0.0 0.0.0.0 208.139.xxx.65 1
route Inside 10.10.10.0 255.255.255.0 192.168.20.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Para_RAS_VPN protocol nt
aaa-server Para_RAS_VPN host 192.168.20.46
 nt-auth-domain-controller laniwot00
group-policy Para_RAS_VPN internal
group-policy Para_RAS_VPN attributes
 vpn-filter none
 webvpn
http server enable
http 192.168.20.208 255.255.255.255 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Please wait. Your identity is being authenticated.
auth-prompt accept Congratulations! You have been authenticated!
auth-prompt reject I'm sorry. You have not been authenticated. Only authorized personnel may use this service.
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-MD5
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer 195.239.41.254
crypto map Outside_map 20 set transform-set ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp identity address
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 1000
tunnel-group 195.239.xxx.254 type ipsec-l2l
tunnel-group 195.239.xxx.254 ipsec-attributes
 pre-shared-key *
tunnel-group Para_RAS_VPN type ipsec-ra
tunnel-group Para_RAS_VPN general-attributes
 authentication-server-group Para_RAS_VPN
 authentication-server-group (Outside) Para_RAS_VPN
 default-group-policy Para_RAS_VPN
 dhcp-server 192.168.20.44
tunnel-group Para_RAS_VPN ipsec-attributes
 pre-shared-key *
vpn-sessiondb max-session-limit 100
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
client-update enable
Cryptochecksum:3fa8498d5572d49ec73e2c8b1093b7ab
: end
Comment
Watch Question

I'm actually missing a couple of things in your config. Did you use the wizard to create your mobile VPN?

First the reason I think you can get the tunnel up but no traffic through is I would think you don't have your NAT0 setup correctly.
There is a site to site tunnel configured to a 10.0.0.0/24 network. NAT0 is configured for this tunnel. I don't see it for the RA VPN. (I reckon you use your inside DHCP server to provide an address to the VPN Clients because I don't see a IP pool at first glance)
Try adding:
access-list Inside_nat0_outbound extended permit ip <ip range VPN Clients> 255.255.255.0 192.168.20.0 255.255.255.0

Furthermore you say you have split tunnelling enabled, but I don't see an access-list that tells the ASA which networks to tunnel. Try adding:
access-list SPLITTUNNEL standard permit 192.168.20.0 255.255.255.0

Hope this helps.

JG
I was just thinking... I made a mistake on the NAT0 access-list.
It should be the other way around:
access-list Inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 <VPNClients> 255.255.255.0

sorry.
Manoj PrasadIT Manager

Author

Commented:
Thanks for your help Jay.

The access-list SPLITTUNNEL standard permit 192.168.20.0 255.255.255.0
didn't do anything.  I still cannot access the internet while connected to the VPN.  You were correct in that I am using DHCP for the VPN clients.  With that said, what IP range for the VPN clients should I use?  If the VPN clients are using the same IP range as the rest of the network, then how does that access-list make sense?  I'm sorry, I just don't quite understand what that specific access list is trying to accomplish.
Starting off with your last question.
When you create a VPN tunnel and don't specify anything ALL traffic will be routed through the VPN tunnel. Using an access-list you can specify which traffic will be sent through the tunnel. With the access-list I told you to use you specify that you only want to have traffic sent to 192.168.20.0 (your LAN) through the tunnel, which means traffic destined to the internet won't be sent to the tunnel but to the default gateway of the pc. This way it allows you to access the internet.

To be honest, I've been told that it is possible to use the same IP segment for your VPN clients as well as your local LAN, but I'm unsure how this works for split tunneling. I suggest keeping it this way and first trying something else.

First go into the VPN group policy:
group-policy Para_RAS_VPN attributes

From there add the following lines to your config:
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUNNEL

This final piece actually adds the split tunnel access-list to VPN tunnel, comparable to applying an access-list to an interface with the access-group command. I forgot to add that this afternoon. I must be having an off day ;-)

Anyway, if this also doens't work you might try using an IP range not yet present in your network for the VPN clients. But try this first.

Btw, can you already ping across the tunnel to your local LAN?
Manoj PrasadIT Manager

Author

Commented:
Will try this solution when I get in.  Thanks.

Jason
Manoj PrasadIT Manager

Author

Commented:
Jay,

We're getting closer!  I can now browse the internet while connected to the VPN.  I can also ping the internal network by IP address, but not by name.  I am trying to open email, and it keeps telling me that I need to connect to the exchange server.  It sounds like a DNS problem somewhere.  When I do an ipconfig /all, the Cisco VPN adapter says the following:

DHCP Enabled........... : No
IP Address................ : 192.168.20.122
Subnet Mask............. : 255.255.255.0
Default Gateway...... : {blank}
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Manoj PrasadIT Manager

Author

Commented:
Thanks for all your help Jay!  It is working perfectly!!

Jason

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.