Solved

Problems w/ Cisco VPN Client configuration:  Cannot access anything

Posted on 2008-10-06
8
1,786 Views
Last Modified: 2012-05-05
I can connect my Cisco VPN client (v 5.0.03) to the ASA 5510 firewall and see the tunnel come up on the ASDM interface.  However, I cannot access anything on the internal network from my client.  No email, no pinging, no browsing, nothing.  I have split tunneling enabled, but I cannot access the internet after I establish the tunnel.

asdm image disk0:/asdm-507.bin
asdm location 10.0.0.0 255.255.255.0 Outside
no asdm history enable
: Saved
:
ASA Version 7.0(7)
!
hostname xxxxxx
domain-name xxxxxx.com
enable password ZxbzN033lVser1Gv encrypted
names
dns-guard
!
interface Ethernet0/0
 description Outside Interface
 duplex full
 nameif Outside
 security-level 0
 ip address 208.139.xxx.66 255.255.255.192
!
interface Ethernet0/1
 description Inside Interface
 duplex full
 nameif Inside
 security-level 99
 ip address 192.168.20.7 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns name-server 192.168.20.44
dns name-server 206.168.216.6
same-security-traffic permit intra-interface
object-group service Paraexchange_Service_Group tcp
 description Services allowed to Paraexchange
 port-object eq www
 port-object eq pop3
 port-object eq smtp
 port-object eq imap4
object-group service Paraccess_Service_Group tcp
 description Services allowed to Paraccess
 port-object eq ftp-data
 port-object eq pptp
 port-object eq ftp
access-list Outside_access_in extended permit tcp any host 208.139.xxx.69 object-group Paraccess_Service_Group
access-list Outside_access_in extended permit gre any host 208.139.xxx.69
access-list Outside_access_in extended permit tcp any host 208.139.xxx.70 eq www
access-list Outside_access_in extended permit tcp any host 208.139.xxx.100 object-group Paraexchange_Service_Group
access-list Inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list Outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 208.139.xxx.71-208.139.205.98
global (Outside) 10 208.139.xxx.99
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 192.168.20.0 255.255.255.0
static (Inside,Outside) 208.139.xxx.70 192.168.20.6 netmask 255.255.255.255
static (Inside,Outside) 208.139.xxx.69 192.168.20.48 netmask 255.255.255.255
static (Inside,Outside) 208.139.xxx.100 192.168.20.43 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group inside_access_out in interface Inside
route Outside 0.0.0.0 0.0.0.0 208.139.xxx.65 1
route Inside 10.10.10.0 255.255.255.0 192.168.20.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Para_RAS_VPN protocol nt
aaa-server Para_RAS_VPN host 192.168.20.46
 nt-auth-domain-controller laniwot00
group-policy Para_RAS_VPN internal
group-policy Para_RAS_VPN attributes
 vpn-filter none
 webvpn
http server enable
http 192.168.20.208 255.255.255.255 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Please wait. Your identity is being authenticated.
auth-prompt accept Congratulations! You have been authenticated!
auth-prompt reject I'm sorry. You have not been authenticated. Only authorized personnel may use this service.
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-MD5
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer 195.239.41.254
crypto map Outside_map 20 set transform-set ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp identity address
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 1000
tunnel-group 195.239.xxx.254 type ipsec-l2l
tunnel-group 195.239.xxx.254 ipsec-attributes
 pre-shared-key *
tunnel-group Para_RAS_VPN type ipsec-ra
tunnel-group Para_RAS_VPN general-attributes
 authentication-server-group Para_RAS_VPN
 authentication-server-group (Outside) Para_RAS_VPN
 default-group-policy Para_RAS_VPN
 dhcp-server 192.168.20.44
tunnel-group Para_RAS_VPN ipsec-attributes
 pre-shared-key *
vpn-sessiondb max-session-limit 100
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
client-update enable
Cryptochecksum:3fa8498d5572d49ec73e2c8b1093b7ab
: end
0
Comment
Question by:jamjamiss
  • 4
  • 4
8 Comments
 
LVL 8

Expert Comment

by:Jay_Gridley
Comment Utility
I'm actually missing a couple of things in your config. Did you use the wizard to create your mobile VPN?

First the reason I think you can get the tunnel up but no traffic through is I would think you don't have your NAT0 setup correctly.
There is a site to site tunnel configured to a 10.0.0.0/24 network. NAT0 is configured for this tunnel. I don't see it for the RA VPN. (I reckon you use your inside DHCP server to provide an address to the VPN Clients because I don't see a IP pool at first glance)
Try adding:
access-list Inside_nat0_outbound extended permit ip <ip range VPN Clients> 255.255.255.0 192.168.20.0 255.255.255.0

Furthermore you say you have split tunnelling enabled, but I don't see an access-list that tells the ASA which networks to tunnel. Try adding:
access-list SPLITTUNNEL standard permit 192.168.20.0 255.255.255.0

Hope this helps.

JG
0
 
LVL 8

Expert Comment

by:Jay_Gridley
Comment Utility
I was just thinking... I made a mistake on the NAT0 access-list.
It should be the other way around:
access-list Inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 <VPNClients> 255.255.255.0

sorry.
0
 

Author Comment

by:jamjamiss
Comment Utility
Thanks for your help Jay.

The access-list SPLITTUNNEL standard permit 192.168.20.0 255.255.255.0
didn't do anything.  I still cannot access the internet while connected to the VPN.  You were correct in that I am using DHCP for the VPN clients.  With that said, what IP range for the VPN clients should I use?  If the VPN clients are using the same IP range as the rest of the network, then how does that access-list make sense?  I'm sorry, I just don't quite understand what that specific access list is trying to accomplish.
0
 
LVL 8

Expert Comment

by:Jay_Gridley
Comment Utility
Starting off with your last question.
When you create a VPN tunnel and don't specify anything ALL traffic will be routed through the VPN tunnel. Using an access-list you can specify which traffic will be sent through the tunnel. With the access-list I told you to use you specify that you only want to have traffic sent to 192.168.20.0 (your LAN) through the tunnel, which means traffic destined to the internet won't be sent to the tunnel but to the default gateway of the pc. This way it allows you to access the internet.

To be honest, I've been told that it is possible to use the same IP segment for your VPN clients as well as your local LAN, but I'm unsure how this works for split tunneling. I suggest keeping it this way and first trying something else.

First go into the VPN group policy:
group-policy Para_RAS_VPN attributes

From there add the following lines to your config:
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUNNEL

This final piece actually adds the split tunnel access-list to VPN tunnel, comparable to applying an access-list to an interface with the access-group command. I forgot to add that this afternoon. I must be having an off day ;-)

Anyway, if this also doens't work you might try using an IP range not yet present in your network for the VPN clients. But try this first.

Btw, can you already ping across the tunnel to your local LAN?
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:jamjamiss
Comment Utility
Will try this solution when I get in.  Thanks.

Jason
0
 

Author Comment

by:jamjamiss
Comment Utility
Jay,

We're getting closer!  I can now browse the internet while connected to the VPN.  I can also ping the internal network by IP address, but not by name.  I am trying to open email, and it keeps telling me that I need to connect to the exchange server.  It sounds like a DNS problem somewhere.  When I do an ipconfig /all, the Cisco VPN adapter says the following:

DHCP Enabled........... : No
IP Address................ : 192.168.20.122
Subnet Mask............. : 255.255.255.0
Default Gateway...... : {blank}
0
 
LVL 8

Accepted Solution

by:
Jay_Gridley earned 250 total points
Comment Utility
Sounds like your tunnel is up and running, split tunneling and all. Good!

Add the following lines to use your internal DNS server when connecting to the VPN:
group-policy Para_RAS_VPN attributes
 dns-server value 192.168.20.44

This way you'll use your internal DNS server (who know's about the names / IP's of your corporate LAN machines) in stead of your local one. That should enable you to ping on hostname and consequentely also to use your email.

your ipconfig is fine the way it is, btw. No default gateway needed. (it acutally uses your local default gateway and only routes through the tunnel the traffic destined for your local network.

JG
0
 

Author Closing Comment

by:jamjamiss
Comment Utility
Thanks for all your help Jay!  It is working perfectly!!

Jason
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

For a while, I have wanted to connect my HTC Incredible to my corporate network to take advantage of the phone's powerful capabilities. I searched online and came up with varied answers from "it won't work" to super complicated statements that I did…
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now