Solved

Can't access internet from workstation when connected via VPN on Cisco ASA 5505

Posted on 2008-10-15
Last Modified: 2012-05-05
Hello, all is okay (well, it seems so!) with my config apart from the internet not working from the client computer when the VPN is connected. I have this working on my PIX 506e firewalls no problem. I have contacted Cisco support, who can't see anything wrong with the config and want to do some live troubleshooting. I'm not at the site for a good few days yet and was hoping someone could point out where I might be going wrong. Config attached and is also below. Many thanks.


Asa 5505 config:
hostname FW
domain-name office.company.com
enable password ******
names
!
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 no shutdown
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ******
ftp mode passive
dns server-group DefaultDNS
domain-name office.company.com
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 172.16.20.0 255.255.255.128
access-list 130 standard permit 192.168.1.0 255.255.255.0
access-list 130 standard permit any
access-list 150 extended permit esp any any
access-list 150 extended permit tcp any host xxx.xxx.xxx.xxx eq smtp
access-list 150 extended permit tcp any host xxx.xxx.xxx.xxx eq pop3
access-list 150 extended permit tcp any host xxx.xxx.xxx.xxx eq imap
access-list 201 extended permit tcp any any eq smtp
access-list 201 extended permit tcp any any eq pop3
access-list 201 extended permit tcp any any eq ftp
access-list 201 extended permit tcp any any eq www
access-list 201 extended permit tcp any any eq https
access-list 201 extended permit udp any any eq domain
access-list 201 extended permit udp any any eq 407
access-list 201 extended permit tcp any any eq 407
access-list 201 extended permit tcp any any eq 71
access-list 201 extended permit tcp any any eq 1417
access-list 201 extended permit tcp any any eq 1418
access-list 201 extended permit tcp any any eq 1419
access-list 201 extended permit tcp any any eq 1420
access-list 201 extended permit udp any any eq isakmp
access-list 201 extended permit udp any any eq 4500
access-list 201 extended permit udp any any eq 10000
access-list 201 extended permit tcp any any eq 50
access-list 201 extended permit tcp any any eq nntp
access-list 201 deny tcp any any eq 4444
access-list 201 deny tcp any any eq 135
access-list 201 deny udp any any eq tftp
access-list 201 deny tcp any any eq 5554
access-list 201 deny tcp any any eq 9996
access-list 201 deny tcp any any eq 445
access-list 201 extended permit udp any eq 9000 any
access-list 201 extended permit tcp any any eq 6001
access-list 201 extended permit tcp any any eq 6002
access-list 201 extended permit tcp any any eq 6004
access-list 201 extended permit tcp any any eq 135
access-list 201 extended permit tcp any any eq imap4
access-list 201 extended permit tcp any any eq 1755
access-list 201 extended permit tcp any any eq 1948
access-list 201 extended permit tcp any any eq 1947
access-list 201 extended permit tcp any any eq 4000
access-list 201 extended permit tcp any any eq 5000
access-list 201 extended permit tcp any any eq 8888
access-list 201 extended permit tcp any any eq 3389
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN 172.16.20.1-172.16.20.128
icmp unreachable rate-limit 1 burst-size 1  
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp xxx.xxx.xxx.xxx smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 xxx.xxx.xxx.xxx pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface imap4 xxx.xxx.xxx.xxx imap4 netmask 255.255.255.255 0 0
access-group 150 in interface outside
access-group 201 in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy testinternal
group-policy testattributes
dns-server value 192.168.1.2 195.12.4.247
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 130
username vpnclient password testprivilege 0
username vpnclient attributes
vpn-group-policy test
tunnel-group testtype ipsec-ra
tunnel-group testgeneral-attributes
address-pool VPN
default-group-policy test
tunnel-group testipsec-attributes
pre-shared-key ******
prompt hostname context
END
Question by:ianritchiearchitects
Expert Comment

by:norcalty
I had this problem once and it was caused by having the "Use remote gateway" option clicked on the workstation.  

I later figured out that another problem was that both the remote and local network were using 192.168.1.x
Expert Comment

by:Alan Huseyin Kayahan
Hi ianritchiearchitects,

access-list 130 standard permit 192.168.1.0 255.255.255.0 172.16.20.0 255.255.255.128
no access-list 130 standard permit 192.168.1.0 255.255.255.0 any
no access-list 130 standard permit any

Regards
Expert Comment

by:Alan Huseyin Kayahan
group-policy testinternal
group-policy testattributes

Did you type the above lines yourself? There should be a space between test and internal, attributes.
Author Comment

by:ianritchiearchitects
re: group-policy testinternal & group-policy testattributes

Sorry this was a typo when I was cleaning the config to put on the EE. Please ignore - the actual config has a space where it should do. Thanks for pointing out.
Expert Comment

by:Alan Huseyin Kayahan
Please apply my suggestions in http:#22722350, then tell me about the results. What you have to see on the client side is: right-click the VPN lock at bottom-right > Statistics > Route Details; in the right pane (Secured Routes) you should see only 192.168.1.0.
In addition, norcalty's suggestion does count if you are using the Microsoft VPN client, but I am assuming you are using the Cisco VPN client. Second thing, if the client side has a network of 192.168.1.0 this will certainly be the cause of the issue.
Author Comment

by:ianritchiearchitects
MrHusy,
Thanks, I will be trying your suggestion in http:#22722350 tomorrow when I can do some further testing - I will let you know the results. I'm using the Cisco VPN client. I can confirm that the clientside network is not 192.168.1.0.
Author Comment

by:ianritchiearchitects
Have tried the suggestion in http:#22722350 and the ASA gives the following error. The line of code below works on the pix but doesn't seem to be accepted on the ASA OS.

access-list 130 standard permit 192.168.55.0 255.255.255.0 172.16.20.0 255.255.255.128
                                                           ^
ERROR: % Invalid input detected at '^' marker.
Author Comment

by:ianritchiearchitects
Sorry, just noticed the marker moved when I pasted the code above. The marker should point to the 1 at  the start of 172.16.20.0 255.255.255.128.
Expert Comment

by:Alan Huseyin Kayahan
ah.. sorry
access-list 130 standard permit ip 192.168.1.0 255.255.255.0 172.16.20.0 255.255.255.128
no access-list 130 standard permit ip 192.168.1.0 255.255.255.0 any
no access-list 130 standard permit ip any
Author Comment

by:ianritchiearchitects
This seems to have resolved it:

access-list 130 extended permit ip 192.168.55.0 255.255.255.0 any
no access-list 130 standard permit 192.168.55.0 255.255.255.0
no access-list 130 standard permit any

Thanks for all your suggestions.
Expert Comment

by:Alan Huseyin Kayahan
You are welcome :)
Accepted Solution

by:Alan Huseyin Kayahan (earned 500 total points)
"Solved after a pointer in the right direction from MrHusy plus figuring the final bit of code out myself."
Can you please explain this? The cause of your problem was including a "permit any" statement in the split-tunnel ACL. I removed that, then modified the rest according to best practises (best practises say do not include an any statement in network configuration ACLs like split tunneling or NAT, as far as possible). Since this is not a must, permit ip 192.168.55.0 255.255.255.0 any also works. This seems to be your only modification, which has no relation to the actual resolution I stated above.
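The cause identified above, a "permit any" entry in the split-tunnel ACL, can be checked against a saved config before anyone connects. This added Python example (not from the thread, the poster, or Cisco) parses ACL lines, builds the list of networks a tunnelspecified client would show under Secured Routes, and flags a 0.0.0.0/0 entry as full-tunnel; it assumes, as the fix that worked in the thread suggests, that an extended entry contributes its source network.

```python
"""Split-tunnel ACL checker: added example, not from the thread or from Cisco.
With split-tunnel-policy tunnelspecified, each permit entry of the ACL named
in split-tunnel-network-list becomes a client "secured route", so 'permit any'
secures 0.0.0.0/0 and internet traffic goes down the tunnel (the symptom in
the question). Assumption, matching the fix that worked in the thread: an
extended entry contributes its source network."""
import ipaddress
import re

_NET = r"(any|\S+\s+\S+)"
STD = re.compile(r"^access-list\s+(\S+)\s+standard\s+permit\s+" + _NET + "$")
EXT = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?permit\s+ip\s+"
                 + _NET + r"\s+" + _NET + "$")

def _to_network(token):
    """'any' -> 0.0.0.0/0; 'addr mask' -> IPv4Network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def secured_routes(config_lines, acl_name):
    """Networks a tunnelspecified client would secure for the named ACL."""
    routes = []
    for line in config_lines:
        m = STD.match(line.strip()) or EXT.match(line.strip())
        if m and m.group(1) == acl_name:
            routes.append(_to_network(m.group(2)))  # network/source field
    return routes

def is_full_tunnel(routes):
    """True if a secured route is 0.0.0.0/0, i.e. a 'permit any' entry."""
    return any(r.prefixlen == 0 for r in routes)

def via_tunnel(routes, dst):
    """Would traffic to dst be sent through the VPN instead of locally?"""
    return any(ipaddress.ip_address(dst) in r for r in routes)

# Constructed samples: ACL 130 as posted in the question vs. the corrected one.
BROKEN = ["access-list 130 standard permit 192.168.1.0 255.255.255.0",
          "access-list 130 standard permit any"]
FIXED = ["access-list 130 standard permit 192.168.1.0 255.255.255.0"]

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        r = secured_routes(cfg, "130")
        print(label, [str(n) for n in r],
              "full-tunnel" if is_full_tunnel(r) else "split",
              "internet via tunnel:", via_tunnel(r, "198.51.100.10"))
```

Run it against the ACL lines of a `show running-config` dump to see what the client's Route Details pane will list before the next change window.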


Author Comment

by:ianritchiearchitects
This bit of code could not be entered into the config:
access-list 130 standard permit ip 192.168.1.0 255.255.255.0 172.16.20.0 255.255.255.128
It came up with an error. I trawled through loads of other posts, the Cisco site and the internet and found the following which worked: access-list 130 extended permit ip 192.168.55.0 255.255.255.0 any
I didn't accept your solution because it didn't completely work for me. I'm a novice at Cisco IOS and what might look very simple to you might take me hours to figure out! I didn't mean to cause any offence, I just did what I thought was right in this case. It sounds like my inexperience has caused me to underestimate your input, so I will accept your final post as the solution and award full points.
Ta.
Expert Comment

by:Alan Huseyin Kayahan
I see, but as you did in http:#22728618, you could have told me that code didn't work, and I would again correct it; you didn't have to dig through forums etc., this is what we are here for :) The bit of code that couldn't be entered has a typo that I copy & paste too much :) It should be as follows:

access-list 130 permit ip 192.168.1.0 255.255.255.0 172.16.20.0 255.255.255.128

Regards
Author Comment

by:ianritchiearchitects
Thanks, I will use your code line above as it sounds like better practise than the one I've currently got. Thanks again for your help.