Solved

Can connect to VPN but can't ping or connect to servers?

Posted on 2008-10-15
Last Modified: 2009-01-19
Hi There,

I've set up a VPN on a Cisco ASA and am using a Microsoft IAS to authenticate with a Cisco V5 VPN client.  The client connects fine and authenticates using the IAS as a radius server but I cannot connect to or ping any servers on the LAN side once connected!  I have set the VPN connection to assign an IP address from our MS DHCP server - please see the Cisco VPN client log and IPCONFIG/ALL results below:

Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      13:21:34.875  10/15/08  Sev=Warning/2      CVPND/0xE3400013
AddRoute failed to add a route: code 87
      Destination      192.168.0.255
      Netmask      255.255.255.255
      Gateway      194.129.15.1
      Interface      194.129.15.86

2      13:21:34.875  10/15/08  Sev=Warning/2      CM/0xA3100024
Unable to add route. Network: c0a800ff, Netmask: ffffffff, Interface: c2810f56, Gateway: c2810f01.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\ADMIN>ipconfig/all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : NET104
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : ADROOT.XXX.CO.UK

Ethernet adapter Local Area Connection 2:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) PRO/100 VM Network Connecti
on
        Physical Address. . . . . . . . . : 00-13-A9-3F-28-11

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Networ
k Connection
        Physical Address. . . . . . . . . : 00-13-02-CD-57-D0
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.30
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
        NetBIOS over Tcpip. . . . . . . . : Disabled
        Lease Obtained. . . . . . . . . . : 15 October 2008 13:02:37
        Lease Expires . . . . . . . . . . : 16 October 2008 13:02:37

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Bluetooth Personal Area Network from
 TOSHIBA
        Physical Address. . . . . . . . . : 00-02-C7-EC-EF-CD

Ethernet adapter Local Area Connection 3:

        Connection-specific DNS Suffix  . : ADROOT.XXX.CO.UK
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 194.129.15.86
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 194.129.15.1
        DNS Servers . . . . . . . . . . . : 194.129.15.203
                                            194.129.15.198
        Primary WINS Server . . . . . . . : 194.129.15.198

C:\Documents and Settings\ADMIN>


Does anyone know what I might be doing wrong here?

Regards

Rob




Result of the command: "sho run"
 

: Saved

:

ASA Version 7.2(2) 

!

hostname XXXciscoasa

domain-name adroot.XXX.co.uk

enable password xxx encrypted

names

!

interface Ethernet0/0

 nameif WAN

 security-level 0

 ip address xx.xx.23.62 255.255.255.0 standby xx.xx.23.63 

!

interface Ethernet0/1

 nameif LAN

 security-level 50

 ip address xx.xx.15.252 255.255.255.0 standby xx.xx.15.251 

!

interface Ethernet0/2

 description LAN Failover Interface

!

interface Ethernet0/3

 description STATE Failover Interface

!

interface Management0/0

 nameif management

 security-level 100

 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.7 

 management-only

!

passwd xxx encrypted

boot system disk0:/asa722k8.bin

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns server-group DefaultDNS

 domain-name adroot.XXX.co.uk

object-group service FilemakerPro tcp-udp

 port-object range 5003 5003

object-group service CiscoVPN tcp

 description CiscoVPN allow ports 4500, 500

 port-object range 500 500

 port-object range 4500 4500

access-list WAN_access_out extended permit ip any any inactive 

access-list WAN_access_out extended permit udp any any eq ntp 

access-list WAN_access_out extended permit tcp any any eq 123 inactive 

access-list WAN_access_out remark Allow port 445 SMB MS File Sharing access to remote NAS device at James' Home

access-list WAN_access_out extended permit tcp interface WAN host 91.84.29.97 eq 445 

access-list WAN_access_out extended permit tcp any any eq ssh inactive 

access-list WAN_access_out remark Planning - Charnwood related documents link

access-list WAN_access_out extended permit tcp interface WAN host 193.129.245.154 eq 34965 

access-list WAN_access_out remark Planning - Barnet

access-list WAN_access_out extended permit tcp interface WAN host 195.171.200.80 eq 7778 

access-list WAN_access_out remark Planning - Breckland

access-list WAN_access_out extended permit tcp interface WAN host 212.240.79.100 eq 7778 

access-list WAN_access_out remark Planning website - havering.gov.uk

access-list WAN_access_out extended permit tcp any host 62.172.223.20 eq 7783 

access-list WAN_access_out remark Planning website - access to barking and dagenham

access-list WAN_access_out extended permit tcp interface WAN host 212.85.19.44 eq 8081 

access-list WAN_access_out remark Planning website - access to northamptonboroughcouncil.com

access-list WAN_access_out extended permit tcp interface WAN host 83.100.223.135 eq 8099 

access-list WAN_access_out remark Allow port 5003 file maker pro access to bulwein server - Bulwein allow access from our gateway IP

access-list WAN_access_out extended permit tcp any host 195.30.62.92 eq 5003 

access-list WAN_access_out remark Planning Website - Castle Morpeth Borough Council

access-list WAN_access_out extended permit tcp interface WAN host 195.224.122.231 eq 5757 

access-list WAN_access_out remark Planning website - St Helens Council

access-list WAN_access_out extended permit tcp any host 212.248.225.150 eq 7777 

access-list WAN_access_out remark planning

access-list WAN_access_out remark Planning Website - Uttlesford District Council

access-list WAN_access_out extended permit tcp any host 213.121.206.247 eq 7778 

access-list WAN_access_out remark planning

access-list WAN_access_out remark Planning Website - Ellesmere Port & Neston Borough Council

access-list WAN_access_out extended permit tcp any host 193.133.69.117 eq 7778 

access-list WAN_access_out remark Planning - Hartlepool

access-list WAN_access_out extended permit tcp interface WAN host 195.172.81.205 eq 7777 

access-list WAN_access_out remark planning

access-list WAN_access_out remark Planning Website - Arun District Council

access-list WAN_access_out extended permit tcp any host 195.224.159.100 eq 7778 

access-list WAN_access_out remark Planning Website - Maidstone Council

access-list WAN_access_out extended permit tcp any host 195.188.250.22 eq 8070 

access-list WAN_access_out remark Allow port 25 SMTP access from XXX to the Internet - in reality XXXs Exchange server only sends

access-list WAN_access_out remark outbound email to Messagelabs European cluster (set under SMTP connector on Exchange server)

access-list WAN_access_out extended permit tcp host xx.xx.23.56 any eq smtp 

access-list WAN_access_out remark Allow port 25 SMTP access from XXX NET25 Monitoring machine to the Internet for sending email alerts

access-list WAN_access_out remark  to external email servers

access-list WAN_access_out extended permit tcp host xx.xx.23.25 any eq smtp 

access-list WAN_access_out remark Allow UDP Port 53 DNS access from XXX to Internet

access-list WAN_access_out extended permit udp any any eq domain 

access-list WAN_access_out remark Allow TCP Port 53 DNS access from XXX to Internet

access-list WAN_access_out extended permit tcp any any eq domain 

access-list WAN_access_out remark Allow port 21 FTP access from XXX to Internet

access-list WAN_access_out extended permit tcp any any eq ftp 

access-list WAN_access_out extended permit tcp interface WAN any eq ftp-data inactive 

access-list WAN_access_out remark Allow XXX to Ping Internet

access-list WAN_access_out extended permit icmp any any echo 

access-list WAN_access_out remark Allow XXX to Ping Internet

access-list WAN_access_out extended permit icmp any any echo-reply 

access-list WAN_access_out remark Allow UDP Port 500 IKE key exchange for secure connections from XXX to Internet

access-list WAN_access_out extended permit udp any any eq isakmp 

access-list WAN_access_out remark Allow port 443 HTTPS secure access from XXX to Internet

access-list WAN_access_out extended permit tcp any any eq https 

access-list WAN_access_out remark Allow port 8080 HTTP access from XXX to Internet

access-list WAN_access_out remark Used for access to remote XXX routers and other websites (planning sites)

access-list WAN_access_out extended permit tcp any any eq 8080 

access-list WAN_access_out remark Allow port 1755 windows media player access from XXX to internet for website video streaming

access-list WAN_access_out extended permit tcp any any eq 1755 

access-list WAN_access_out remark Allow GRE from XXX VPN server to remote VPN users

access-list WAN_access_out extended permit gre host xx.xx.23.57 any 

access-list WAN_access_out remark Internal access to RTSP-Media Streaming servers on the internet - also requires TCP on same port.

access-list WAN_access_out extended permit udp any any eq 554 

access-list WAN_access_out remark Internal access to RTSP-Media Streaming servers on the internet - also requires UDP on same port.

access-list WAN_access_out extended permit tcp any any eq rtsp 

access-list WAN_access_out remark XXX LAN Access to remote users machines via Tight VNC

access-list WAN_access_out extended permit tcp any any eq 5900 

access-list WAN_access_out remark Allow port 80 HTTP access from XXX to internet - required for access to remote websites

access-list WAN_access_out extended permit tcp any any eq www 

access-list WAN_access_out remark Test Desk RDP connection

access-list WAN_access_out extended permit tcp any host 78.32.137.8 eq 3541 inactive 

access-list WAN_access_out extended permit tcp any any inactive 

access-list WAN_access_out extended permit udp any any inactive 

access-list WAN_access_out remark Default rule to block all traffic - subsequent rules allows traffic through

access-list WAN_access_out extended deny ip any any 

access-list WAN_access_in remark External access to XXX Backup WEB server.

access-list WAN_access_in remark xx.xx.15.194 translated from 194.74.191.44 using one-to-one NAT (see NAT rules).

access-list WAN_access_in extended permit tcp any host xx.xx.23.44 eq www 

access-list WAN_access_in remark Allow Port 1723 PPTP VPN Access from Internet to XXX VPN Server xx.xx.15.207

access-list WAN_access_in remark translated on one-to-one NAT from xx.xx.23.57

access-list WAN_access_in extended permit tcp any host xx.xx.23.57 eq pptp 

access-list WAN_access_in remark Allow GRE protocol for PPTP VPN Access from Internet to XXX VPN Server xx.xx.15.207

access-list WAN_access_in remark translated on one-to-one NAT from xx.xx.23.57

access-list WAN_access_in extended permit gre any host xx.xx.23.57 

access-list WAN_access_in remark Allow Internet to Ping XXX

access-list WAN_access_in extended permit icmp any any echo 

access-list WAN_access_in remark Allow Internet to Ping XXX - Public addresses only

access-list WAN_access_in extended permit icmp any any echo-reply 

access-list WAN_access_in remark Allow port 25 SMTP access to XXX Email server xx.xx.15.206

access-list WAN_access_in remark translated from one-to-one NAT address xx.xx.23.56

access-list WAN_access_in extended permit tcp any host xx.xx.23.56 eq smtp 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 216.82.240.0 255.255.240.0 host xx.xx.23.56 eq smtp inactive 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 85.158.136.0 255.255.248.0 host xx.xx.23.56 eq smtp inactive 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 117.120.16.0 255.255.248.0 host xx.xx.23.56 eq smtp inactive 

access-list WAN_access_in remark messagelabd email in

access-list WAN_access_in extended permit tcp 193.109.254.0 255.255.254.0 host xx.xx.23.56 eq smtp inactive 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 194.106.220.0 255.255.254.0 host xx.xx.23.56 eq smtp inactive 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 195.245.230.0 255.255.254.0 host xx.xx.23.56 eq smtp inactive 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 62.231.131.0 255.255.255.0 host xx.xx.23.56 eq smtp inactive 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 212.125.75.0 255.255.255.224 host xx.xx.23.56 eq smtp inactive 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 62.173.108.16 255.255.255.240 host xx.xx.23.56 eq smtp inactive 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 62.173.108.208 255.255.255.240 host xx.xx.23.56 eq smtp inactive 

access-list WAN_access_in remark Allow port 80 HTTP access to XXX Web server at xx.xx.15.211

access-list WAN_access_in remark translated from one-to-one NAT address of xx.xx.23.11

access-list WAN_access_in extended permit tcp any host xx.xx.23.11 eq www 

access-list WAN_access_in remark Allow port 80 HTTP access to XXX Web server at xx.xx.15.199

access-list WAN_access_in remark translated from one-to-one NAT address of xx.xx.23.49

access-list WAN_access_in extended permit tcp any host xx.xx.23.49 eq www 

access-list WAN_access_in remark Allow port 443 HTTPS access to XXX Email Web server at xx.xx.15.206

access-list WAN_access_in remark translated from one-to-one NAT address of xx.xx.23.56

access-list WAN_access_in extended permit tcp any host xx.xx.23.56 eq https 

access-list WAN_access_in remark Allow port 80 HTTP access to XXX Email Web server at xx.xx.15.206

access-list WAN_access_in remark translated from one-to-one NAT address of xx.xx.23.56

access-list WAN_access_in extended permit tcp any host xx.xx.23.56 eq www 

access-list WAN_access_in remark Allow port 443 HTTPS access to XXX Web server at xx.xx.15.211

access-list WAN_access_in remark translated from one-to-one NAT address of xx.xx.23.11

access-list WAN_access_in extended permit tcp any host xx.xx.23.11 eq https 

access-list WAN_access_in remark Allow port 443 HTTPS access to XXX Web server at xx.xx.15.199

access-list WAN_access_in remark translated from one-to-one NAT address of xx.xx.23.49

access-list WAN_access_in extended permit tcp any host xx.xx.23.49 eq https 

access-list WAN_access_in extended permit udp any any eq ntp inactive 

access-list WAN_access_in extended permit tcp any host xx.xx.23.25 eq 15401 

access-list WAN_access_in extended permit tcp any host xx.xx.23.11 eq 3541 inactive 

access-list WAN_access_in extended permit tcp any any object-group CiscoVPN 

access-list management_nat0_outbound extended permit ip any xx.xx.15.128 255.255.255.224 

access-list Inside_nat0_outbound extended permit ip any xx.xx.15.128 255.255.255.224 

access-list outside_cryptomap_dyn_20 extended permit ip any xx.xx.15.0 255.255.255.0 

access-list XXX_VPN_ACL remark XXX Lan

access-list XXX_VPN_ACL standard permit xx.xx.15.0 255.255.255.0 

no pager

logging enable

logging timestamp

logging list Email_Alerts level warnings

logging asdm informational

logging mail Email_Alerts

logging from-address FirewallLogs@XXX.co.uk

logging recipient-address FirewallLogs@XXX.co.uk level errors

logging class auth mail warnings 

logging class np mail warnings 

logging class sys mail warnings 

logging class vpdn mail warnings 

mtu WAN 1500

mtu LAN 1500

mtu management 1500

ip local pool VPN_IPS xx.xx.15.140-xx.xx.15.150 mask 255.255.255.0

ip local pool VPN_XXX 192.168.0.2-192.168.0.10 mask 255.255.255.0

ip verify reverse-path interface WAN

failover

failover lan unit primary

failover lan interface LANFailover Ethernet0/2

failover key *****

failover replication http

failover link StateFailover Ethernet0/3

failover interface ip LANFailover 192.168.250.1 255.255.255.0 standby 192.168.250.2

failover interface ip StateFailover 192.168.251.1 255.255.255.0 standby 192.168.251.2

monitor-interface WAN

monitor-interface LAN

no monitor-interface management

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

global (WAN) 10 interface

nat (LAN) 0 access-list Inside_nat0_outbound

nat (LAN) 10 0.0.0.0 0.0.0.0

nat (management) 0 access-list management_nat0_outbound

nat (management) 10 0.0.0.0 0.0.0.0

static (LAN,WAN) xx.xx.23.25 xx.xx.15.25 netmask 255.255.255.255 

static (LAN,WAN) xx.xx.23.56 xx.xx.15.206 netmask 255.255.255.255 

static (LAN,WAN) xx.xx.23.57 xx.xx.15.207 netmask 255.255.255.255 

static (LAN,WAN) xx.xx.23.11 xx.xx.15.211 netmask 255.255.255.255 

static (LAN,WAN) xx.xx.23.49 xx.xx.15.199 netmask 255.255.255.255 

static (LAN,WAN) xx.xx.15.252 xx.xx.15.252 netmask 255.255.255.255 

static (LAN,WAN) xx.xx.23.44 xx.xx.15.194 netmask 255.255.255.255 

access-group WAN_access_in in interface WAN

access-group WAN_access_out out interface WAN

route WAN 0.0.0.0 0.0.0.0 xx.xx.23.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa-server ADROOT protocol nt

aaa-server ADROOT (LAN) host xx.xx.15.203

 nt-auth-domain-controller adroot.XXX.co

aaa-server XXX_Auth protocol radius

aaa-server XXX_Auth (LAN) host xx.xx.15.214

 key ctWAmYogyVect8a9pGow

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

 vpn-tunnel-protocol IPSec 

group-policy DfltGrpPolicy attributes

 banner none

 wins-server value xx.xx.15.197

 dns-server value xx.xx.15.203 xx.xx.15.198

 dhcp-network-scope none

 vpn-access-hours none

 vpn-simultaneous-logins 50

 vpn-idle-timeout 30

 vpn-session-timeout none

 vpn-filter none

 vpn-tunnel-protocol IPSec 

 password-storage disable

 ip-comp disable

 re-xauth enable

 group-lock none

 pfs enable

 ipsec-udp enable

 ipsec-udp-port 10000

 split-tunnel-policy tunnelall

 split-tunnel-network-list none

 default-domain none

 split-dns none

 intercept-dhcp 255.255.255.255 disable

 secure-unit-authentication disable

 user-authentication disable

 user-authentication-idle-timeout 30

 ip-phone-bypass disable

 leap-bypass disable

 nem disable

 backup-servers keep-client-config

 msie-proxy server none

 msie-proxy method no-modify

 msie-proxy except-list none

 msie-proxy local-bypass disable

 nac disable

 nac-sq-period 300

 nac-reval-period 36000

 nac-default-acl none

 address-pools none

 client-firewall none

 client-access-rule none

 webvpn

  functions url-entry

  html-content-filter none

  homepage none

  keep-alive-ignore 4

  http-comp gzip

  filter none

  url-list none

  customization value DfltCustomization

  port-forward none

  port-forward-name value Application Access

  sso-server none

  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information

  svc none

  svc keep-installer installed

  svc keepalive none

  svc rekey time none

  svc rekey method none

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc compression deflate

group-policy xx.xx.240.154 internal

group-policy xx.xx.240.154 attributes

 wins-server value xx.xx.15.198

 dns-server value xx.xx.15.203 xx.xx.15.198

 vpn-tunnel-protocol IPSec 

 group-lock value xx.xx.240.154

 ipsec-udp enable

 split-tunnel-policy excludespecified

 split-tunnel-network-list value XXX_VPN_ACL

 default-domain value ADROOT.XXX.CO.UK

username rob_admin password oPv83W5h./yuqWL. encrypted privilege 15

username rob_admin attributes

 vpn-group-policy xx.xx.240.154

 vpn-tunnel-protocol IPSec 

aaa authentication telnet console LOCAL 

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto dynamic-map WAN_dyn_map 10 match address outside_cryptomap_dyn_20

crypto dynamic-map WAN_dyn_map 10 set transform-set ESP-DES-SHA ESP-3DES-SHA TRANS_ESP_3DES_SHA

crypto dynamic-map WAN_dyn_map 20 set pfs 

crypto dynamic-map WAN_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA

crypto dynamic-map WAN_dyn_map 40 set pfs 

crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 60 set pfs 

crypto dynamic-map WAN_dyn_map 60 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 80 set pfs 

crypto dynamic-map WAN_dyn_map 80 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 100 set pfs 

crypto dynamic-map WAN_dyn_map 100 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 120 set pfs 

crypto dynamic-map WAN_dyn_map 120 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 140 set pfs 

crypto dynamic-map WAN_dyn_map 140 set transform-set TRANS_ESP_3DES_SHA

crypto dynamic-map management_dyn_map 20 set pfs 

crypto dynamic-map management_dyn_map 20 set transform-set ESP-DES-SHA

crypto dynamic-map management_dyn_map 40 set pfs 

crypto dynamic-map management_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map management_dyn_map 60 set pfs 

crypto dynamic-map management_dyn_map 60 set transform-set TRANS_ESP_3DES_SHA

crypto dynamic-map management_dyn_map 80 set pfs 

crypto dynamic-map management_dyn_map 80 set transform-set ESP-3DES-SHA

crypto dynamic-map management_dyn_map 100 set pfs 

crypto dynamic-map management_dyn_map 100 set transform-set ESP-3DES-SHA

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map

crypto map WAN_map interface WAN

crypto map management_map 65535 ipsec-isakmp dynamic management_dyn_map

crypto map management_map interface management

crypto isakmp enable WAN

crypto isakmp enable management

crypto isakmp policy 10

 authentication pre-share

 encryption des

 hash sha

 group 1

 lifetime 86400

crypto isakmp policy 30

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto isakmp nat-traversal  20

crypto isakmp ipsec-over-tcp port 10000 

tunnel-group DefaultRAGroup general-attributes

 address-pool VPN_IPS

 default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

 pre-shared-key *

 peer-id-validate nocheck

tunnel-group DefaultRAGroup ppp-attributes

 authentication ms-chap-v2

tunnel-group xx.xx.240.154 type ipsec-ra

tunnel-group xx.xx.240.154 general-attributes

 authentication-server-group XXX_Auth

 default-group-policy xx.xx.240.154

 dhcp-server xx.xx.15.198

tunnel-group xx.xx.240.154 ipsec-attributes

 pre-shared-key *

 peer-id-validate nocheck

tunnel-group xx.xx.240.154 ppp-attributes

 authentication pap

 authentication ms-chap-v2

vpn-sessiondb max-session-limit 250

telnet 0.0.0.0 0.0.0.0 LAN

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map global_policy

 class inspection_default

  inspect ftp 

!

service-policy global_policy global

ntp server 130.88.202.49 source WAN prefer

client-update enable

prompt hostname context 

Cryptochecksum:80c27a5234b189dada3a4d01d544722b

: end


Question by:robclarke41
19 Comments
 
LVL 57

Expert Comment

by:Pete Long
add this line first

crypto isakmp nat-traversal  20


does that resolve the problem - VPN connecting  and no traffic passing are nearly always NAT problem related?
0
 
LVL 57

Expert Comment

by:Pete Long
ah you have no NO NAT statement for your VPN Pool
0
 
LVL 57

Expert Comment

by:Pete Long
add the following line assuming your remote clients are on 192.168.1.x and your internal network is xx.xx.15.252

access-list Inside_nat0_outbound extended permit ip xx.xx.15.252 255.255.255.0 192.168.0.0 255.255.255.0

0
 
LVL 1

Author Comment

by:robclarke41
Hi Pete,

Why would my remote clients be on 192.168.1.x? I've set the ASA to assign an IP address from our DHCP(which the Cisco client is picking up) so they would be on the same range as the internal network (xx.xx.15.0).  Can you not have your remote clients on the same IP range as your LAN?

Thanks for your help

Rob
0
 
LVL 57

Expert Comment

by:Pete Long
Sorry Rob this pointed me there?
ip local pool VPN_XXX 192.168.0.2-192.168.0.10 mask 255.255.255.0

I never have my remote VPN client using the same IP addresses as my internal range - change it so they are getting allocated from the IP Pool.
0
 
LVL 1

Author Comment

by:robclarke41
Yes, sorry Pete, I did try experimenting with an IP range on a different network but couldn't get the VPN to connect unless it was assigned an address on the internal network.  I have that IP pool set up but not in use; it's currently allocated addresses from an MS DHCP server.  Can you think of a reason why I lose the connection when using this IP range?
0
 
LVL 32

Expert Comment

by:dpk_wal
When you have remote client on the IP range 192.168.0.2-10; please notice that the remote client is already on the 192.168.0.0/24 subnet:
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Networ
        IP Address. . . . . . . . . . . . : 192.168.0.30
        Subnet Mask . . . . . . . . . . . : 255.255.255.0

So what happens is the client gets connected properly, but as the directly connected route has precedence over other routes, traffic destined for the remote network is not routed over the VPN adapter; as it never goes out over the VPN tunnel, you never see any communication happening.

Hope this helps.

Thank you.
0
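As an added check (example code, not from the thread, from Cisco, or from either commenter), the following script applies the two points made so far, the pool colliding with the client's own local subnet and the missing NAT-exemption (nat 0) entry for the pool, to the pools in the "sho run" above, and also flags a pool that overlaps the LAN behind the ASA. It assumes the obfuscated xx.xx.15.0/24 LAN is 194.129.15.0/24 (the prefix shown in the ipconfig output); the nat0 ACL lines and the VPN_NEW pool are constructed samples, not from the page.

```python
import ipaddress

# Inputs taken from the thread: the LAN behind the ASA (xx.xx.15.0/24 written
# out as 194.129.15.0/24, the prefix the ipconfig output shows), the VPN
# client's own wireless subnet, and the two pools from "sho run". VPN_NEW is a
# hypothetical replacement pool. NAT0_ACL is a constructed sample in the shape
# of the Inside_nat0_outbound entries; its second line is a hypothetical fix.
LAN = ipaddress.ip_network("194.129.15.0/24")
CLIENT_LOCAL = ipaddress.ip_network("192.168.0.0/24")
POOLS = {
    "VPN_IPS": ("194.129.15.140", "194.129.15.150"),
    "VPN_XXX": ("192.168.0.2", "192.168.0.10"),
    "VPN_NEW": ("192.168.213.2", "192.168.213.10"),
}
NAT0_ACL = [
    "access-list Inside_nat0_outbound extended permit ip any 194.129.15.128 255.255.255.224",
    "access-list Inside_nat0_outbound extended permit ip 194.129.15.0 255.255.255.0 192.168.213.0 255.255.255.0",
]

# Problem codes returned by check_pool, with the reasoning from the thread.
PROBLEMS = {
    "CLIENT_OVERLAP": "pool overlaps the client's own local subnet: the directly "
                      "connected route wins, so LAN-bound traffic never enters the tunnel",
    "LAN_OVERLAP": "pool overlaps the LAN behind the ASA: use a separate range",
    "NO_NAT_EXEMPT": "no nat 0 (NAT exemption) ACL entry covers LAN -> pool traffic",
}


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs use a real netmask here, not an IOS-style wildcard.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_nat0_acl(line):
    """Return (src_net, dst_net) for an 'extended permit ip' line, else None."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2:5] != ["extended", "permit", "ip"]:
        return None
    src, i = _parse_addr(tokens, 5)
    dst, _ = _parse_addr(tokens, i)
    return src, dst


def pool_networks(first, last):
    """Express an 'ip local pool' range as the CIDR blocks it spans."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def check_pool(first, last, lan, client_local, nat0_lines):
    """Return the problem codes that apply to one pool ([] means it looks sane)."""
    blocks = pool_networks(first, last)
    found = []
    if any(b.overlaps(client_local) for b in blocks):
        found.append("CLIENT_OVERLAP")
    if any(b.overlaps(lan) for b in blocks):
        found.append("LAN_OVERLAP")
    exempt = False
    for line in nat0_lines:
        parsed = parse_nat0_acl(line)
        if parsed is None:
            continue
        src, dst = parsed
        # The entry exempts LAN -> pool only if it covers the whole LAN and every pool block.
        if lan.subnet_of(src) and all(b.subnet_of(dst) for b in blocks):
            exempt = True
            break
    if not exempt:
        found.append("NO_NAT_EXEMPT")
    return found


def check_all(pools=POOLS, lan=LAN, client_local=CLIENT_LOCAL, nat0_lines=NAT0_ACL):
    """Run check_pool over every pool; returns {pool_name: [problem codes]}."""
    return {name: check_pool(first, last, lan, client_local, nat0_lines)
            for name, (first, last) in pools.items()}


if __name__ == "__main__":
    for name, codes in check_all().items():
        print(f"{name}: {'OK' if not codes else ''}")
        for code in codes:
            print(f"  {code}: {PROBLEMS[code]}")
```

Note that VPN_IPS passes the NAT-exemption check only because the existing `permit ip any xx.xx.15.128 255.255.255.224` entry happens to cover .140-.150, while the 192.168.0.x pool has no such entry at all.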
 
LVL 1

Author Comment

by:robclarke41
Hi dpk,

I've changed the remote clients to get an address from the range 192.168.1.2-10 but the client will still not connect - it only connects if I assign it an address from the internal network?

The client log states:

AddRoute failed to add a route: code 87
0
 
LVL 1

Author Comment

by:robclarke41
Can anyone help with this? I think the problem has been narrowed down to me having my remote clients connecting in on the same IP address range as the internal LAN behind the Cisco ASA.  Can anyone tell me how to add in a new address range for the VPN clients to connect to? I have tried adding an additional address pool in a different range but the client doesn't connect - it will only connect under the internal LAN address range!
0
 
LVL 32

Expert Comment

by:dpk_wal
We don't want the clients to get IP address in different range; the clients were correctly getting the IP virtual IP from cisco device in 192.168.0.x range. So, change this back to what it was originally.

What should be done is the network IP subnet of the client network needs to be changed from the existing 192.168.0.x/24 to maybe 192.168.213.x/24 or anything you like.

Thank you.
0
 
LVL 1

Author Comment

by:robclarke41
I'm pretty sure the client has never picked up an IP address from the the 192.168.0.x range - it only connects under the 194.129.15.x range which is the same range as the internal network!  Changing the IP subnet of the client network is not really an option.
0
 
LVL 32

Expert Comment

by:dpk_wal
Here are all the settings which you have listed:

>> interface Ethernet0/1
>> nameif LAN
>> ip address xx.xx.15.252 255.255.255.0 standby xx.xx.15.251
>> access-list XXX_VPN_ACL standard permit xx.xx.15.0 255.255.255.0
>> ip local pool VPN_XXX 192.168.0.2-192.168.0.10 mask 255.255.255.0
>> split-tunnel-policy excludespecified
>> split-tunnel-network-list value XXX_VPN_ACL

If you observe above, the VPN_XXX pool is in the IP range 192.168.0.x; and the local subnet IP of the client is also 192.168.0.x. I am not sure how come the remote client is getting the IP in the same range as the internal IP.
0
 
LVL 1

Author Comment

by:robclarke41
Ah ok I see why this is causing confusion, the VPN_XXX pool exists on the configuration but is not being used.  The one being used is address-pool VPN_IPS which has the range 194.129.15.140-150 which is the internal address range.  The VPN_XXX does not allow the client to connect.
0
 
LVL 32

Expert Comment

by:dpk_wal
I do not see any ACL permitting traffic for VPN_IPS group like you have for VPN_XXX:

>> access-list XXX_VPN_ACL standard permit xx.xx.15.0 255.255.255.0
>> split-tunnel-policy excludespecified
>> split-tunnel-network-list value XXX_VPN_ACL

You need to have an ACL to permit traffic. This was the reason I thought VPN_XXX is used and not VPN_IPS.

Thank you.
0
 
LVL 1

Author Comment

by:robclarke41
So can I still use the VPN_IPS group if I just apply an ACL to it? even though it is on the same IP range as the internal network?
0
 
LVL 1

Author Comment

by:robclarke41
There must be an expert that knows why this is not working?!
0
 
LVL 32

Expert Comment

by:dpk_wal
Set these commands for VPN_IPS group:

>> access-list XXX_VPN_ACL standard permit xx.xx.15.0 255.255.255.0
>> split-tunnel-policy excludespecified
>> split-tunnel-network-list value XXX_VPN_ACL

Please note: use the correct policy; I have copied the CLIs, so the name appears as excludespecified.

Thank you.
0
 
LVL 1

Author Comment

by:robclarke41
I'm afraid you have me totally confused!

What have the VPN_IPS and VPN_XXX IP address groups got to do with the XXX_VPN_ACL group?

I'm not sure what I need to add?

The main problem I have is that I want to use the VPN_IPS address pool as it's on a separate network to the internal LAN behind the ASA.  However, whenever I try to connect using this address range it fails.  When I connect using the VPN_XXX address range, which is the same as our internal LAN, it connects but I can't connect to servers etc.  What commands do I need to enter to allow my VPN client to connect to the servers on the internal network?
0
 
LVL 1

Accepted Solution

by:robclarke41 (earned 0 total points)
can anyone help with this?
0
