bignewf
asked on
cisco vpn client cannot access hosts over remote lan, but remote hosts can access the vpnclient host
When Cisco VPN clients connect to the ASA5510, they successfully authenticate and the tunnel is established.
However, they cannot ping or access hosts on the remote LAN subnets 192.168.3.0/24 and 192.168.4.0/24. From these remote subnets, you can establish remote sessions into the Cisco VPN client via RDP, RealVNC, DameWare, etc. The IP address pools in the ASA 5510 are:
192.168.99.0/24
192.168.100.0/24
You can ping the ip address of the connected vpnclient host from the asa, but not from any of the remote hosts in the 192.168.3.0 or 192.168.4.0/24 networks
I was able to access the remote hosts successfully a few days ago, and the configuration has not changed.
I used the packet tracer in the asdm using the ip address of the client as the source host and used addresses of the remote hosts on the subnets 192.168.3.0/24 and 192.168.4.0/24, it seems the packets are dropped due to a nat0 access list
This access list has not changed since everything was working about 2 days ago and the config has not changed
I can ping the inside interface of the asa - 192.168.1.1/24 from the vpn client.
Even though I have a default route to the inside interface of the asa, I statically added routes from the 192.168.99.0/24 and 192.168.100.0/24 networks (which are the internal ip pools) pointing to the inside interface of the asa.
The statistics on the vpnclient show very few decrypted packets, many dropped and bypassed packets.
This seems like a routing issue?
Any suggestions are appreciated.
Here is the current config:
ASA5510# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ASA5510
domain-name default.domain.invalid
enable password 0VHZzUN3Y8hDcg1h encrypted
names
name 192.168.4.0 InsideNetwork description 192.168.4.0 Network
name 192.168.3.0 InsideSubnet description 192.168.3.0 subnet
name ******* VPNOutside description VPN Public IP
!
interface Ethernet0/0
nameif outside
security-level 0
ip address **********255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
no nameif
security-level 100
no ip address
!
interface Ethernet0/3
shutdown
nameif dmz
security-level 50
ip address 192.168.5.2 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_in extended deny tcp any any eq 445
access-list acl_in extended permit ip any any
access-list acl_in extended permit udp any any eq isakmp
access-list acl_in extended permit udp any any eq 10000
access-list acl_in extended permit tcp any any eq 10000
access-list acl_in extended permit udp any any eq 1723
access-list acl_in extended permit esp any any
access-list acl_in extended permit udp any any eq 1701
access-list acl_in extended permit tcp any host 208.216.116.27 eq smtp
access-list acl_in extended permit tcp any host *** eq ssh
access-list acl_in extended permit tcp any host8 **** eq www
access-list acl_in extended permit tcp any host **** eq domain
access-list acl_in extended permit udp any host***** eq domain
access-list acl_in extended permit udp any host ***** eq ntp
access-list acl_in extended permit gre any any
access-list acl_in extended permit udp any any eq 4500
access-list acl_in extended permit icmp any any
access-list acl_out extended deny tcp any any eq 445
access-list acl_out extended permit udp any any eq isakmp
access-list acl_out extended permit udp any any eq 4500
access-list acl_out extended permit udp any any eq 10000
access-list acl_out extended permit tcp any any eq 10000
access-list acl_out extended permit udp any any eq 1723
access-list acl_out extended permit tcp any host ***eq smtp
access-list acl_out extended permit tcp any host **** eq https
access-list acl_out extended permit tcp any host **** eq www
access-list acl_out extended permit tcp any host **** eq smtp
access-list acl_out extended permit tcp any host **** eq www
access-list acl_out extended permit tcp any host **** eq https
access-list acl_out extended permit tcp any host **** eq https
access-list acl_out extended permit esp any any
access-list acl_out extended permit udp any any eq 1701
access-list acl_out extended permit esp host **** any
access-list acl_out extended permit udp host ** eq 1701 any
access-list acl_out extended permit udp host *** eq isakmp any
access-list acl_out extended permit tcp any host *** eq smtp
access-list acl_out extended permit tcp any host &**** eq www
access-list acl_out extended permit tcp any host *** eq https
access-list acl_out extended permit tcp any host *** eq 3389
access-list acl_out extended permit tcp any host **** eq 123
access-list acl_out extended permit udp any host ****eq domain
access-list acl_out extended permit udp any host**** eq ntp
access-list acl_out extended permit tcp any host**** eq www
access-list acl_out extended permit tcp any host **** eq smtp
access-list acl_out extended permit tcp any host **** eq domain
access-list acl_out extended permit tcp any host**** eq www
access-list acl_out extended permit tcp any host ***** eq ssh
access-list acl_out extended permit tcp any host***** eq www
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any host 192.168.3.3 eq smtp
access-list acl_out extended permit tcp InsideSubnet 255.255.255.0 host 192.168.1.1 eq ssh
access-list acl_out extended permit tcp InsideSubnet 255.255.255.0 host 192.168.1.1 eq telnet
access-list acl_out extended permit ip any InsideNetwork 255.255.255.0
access-list acl_out extended permit tcp InsideNetwork 255.255.255.0 host 192.168.1.1 eq telnet
access-list inside_nat0_outbound extended permit ip InsideNetwork 255.255.255.0 any
access-list inside_nat_0_outbound extended permit ip InsideSubnet 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip InsideSubnet 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip InsideNetwork 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip InsideSubnet 255.255.255.0 host 192.168.3.85
access-list inside_nat0_outbound_1 extended permit ip InsideNetwork 255.255.255.0 host 192.168.3.85
access-list outside_1_cryptomap extended permit ip InsideNetwork 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip InsideSubnet 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip any InsideSubnet 255.255.255.0
access-list nonat extended permit ip any InsideNetwork 255.255.255.0
access-list nonat extended permit ip any 192.168.5.0 255.255.255.0
access-list nonat extended permit ip any 192.168.99.0 255.255.255.0
access-list nonat extended permit ip any 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool NewinfosysPool 192.168.99.5-192.168.99.10 mask 255.255.255.0
ip local pool BackupIPPool 192.168.100.5-192.168.100.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 102 interface
nat (inside) 0 access-list nonat
nat (inside) 102 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (inside,outside) 208.216.116.19 192.168.3.20 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) 208.216.116.26 192.168.3.35 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) 208.216.116.25 192.168.3.33 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) 208.216.116.21 192.168.3.16 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) 208.216.116.20 192.168.3.3 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) 208.216.116.24 192.168.3.17 netmask 255.255.255.255 tcp 1000 100 udp 1000
route outside 0.0.0.0 0.0.0.0 208.216.116.17 255
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route inside InsideNetwork 255.255.255.0 192.168.1.1 1
route inside InsideSubnet 255.255.255.0 192.168.1.1 1
route inside 192.168.99.0 255.255.255.0 192.168.3.1 1
route inside 192.168.99.0 255.255.255.0 192.168.4.1 1
route inside 192.168.100.0 255.255.255.0 192.168.1.1 1
route inside 192.168.99.0 255.255.255.0 192.168.1.1 1
route inside 192.168.100.0 255.255.255.0 192.168.3.1 1
route inside 192.168.100.0 255.255.255.0 192.168.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner value You are connected to the Newfoundland Information Systems Private Network. Unauthorized use is prohibited.
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value BackupIPPool NewinfosysPool
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy ipsecgroup internal
group-policy ipsecgroup attributes
vpn-access-hours none
vpn-tunnel-protocol IPSec l2tp-ipsec
ipsec-udp enable
ipsec-udp-port 10000
default-domain value Newinfosys.com
address-pools value BackupIPPool NewinfosysPool
username stassijoseph password /qBIjej5vwKt0K13 encrypted
username stassijoseph attributes
vpn-group-policy ipsecgroup
username bignewf password zF/jxLVcSJJYs2oW encrypted
username bignewf attributes
vpn-group-policy ipsecgroup
username maddog password rH928mPh3aV8PqyI encrypted privilege 0
username maddog attributes
vpn-group-policy ipsecgroup
http server enable
http InsideNetwork 255.255.255.0 management
http InsideSubnet 255.255.255.0 management
http 192.168.2.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 management
http InsideSubnet 255.255.255.0 inside
http InsideNetwork 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) BackupIPPool
address-pool (inside) NewinfosysPool
dhcp-server 192.168.5.2
strip-realm
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group ipsecgroup type ipsec-ra
tunnel-group ipsecgroup general-attributes
address-pool (inside) BackupIPPool
address-pool (inside) NewinfosysPool
address-pool BackupIPPool
address-pool NewinfosysPool
default-group-policy ipsecgroup
strip-group
tunnel-group ipsecgroup ipsec-attributes
pre-shared-key *
tunnel-group ipsecgroup ppp-attributes
authentication ms-chap-v2
tunnel-group newinfosys type ipsec-ra
tunnel-group newinfosys general-attributes
address-pool (inside) BackupIPPool
address-pool (inside) NewinfosysPool
address-pool BackupIPPool
address-pool NewinfosysPool
default-group-policy ipsecgroup
tunnel-group newinfosys ipsec-attributes
pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet InsideSubnet 255.255.255.0 inside
telnet InsideNetwork 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet 208.216.116.0 255.255.255.240 inside
telnet 192.168.1.0 255.255.255.0 management
telnet InsideSubnet 255.255.255.0 management
telnet InsideNetwork 255.255.255.0 management
telnet 208.216.116.0 255.255.255.240 management
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh InsideSubnet 255.255.255.0 inside
ssh InsideNetwork 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh InsideSubnet 255.255.255.0 management
ssh InsideNetwork 255.255.255.0 management
ssh timeout 5
console timeout 20
dhcpd option 3 ip 192.168.1.1 interface inside
dhcpd option 6 ip 199.171.27.85 199.171.27.2 interface inside
!
dhcpd option 3 ip 192.168.5.1 interface dmz
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0524806cd8f58c1d5a5bad10598948db
: end
I even tried the sysopt connection permit-ipsec command to permit all decrypted IPSec packets to pass without being inspected against the ACLs.
Here is the config, any help would be appreciated
thanks
SOLUTION
ASKER
sorry, the config is confusing: These routes do exist in the config as:
route inside InsideNetwork 255.255.255.0 192.168.1.1 1
route inside InsideSubnet 255.255.255.0 192.168.1.1 1
The InsideNetwork route is 192.168.3.0
The InsideSubnet route is 192.168.4.0
This is because I started the config with the GUI and finished it with the command line. The ASA labeled 192.168.3.0 and 192.168.4.0 as "InsideNetwork" and "InsideSubnet" respectively.
Again, the config has remained the same, 2 days ago everything worked
thanks
ASKER
All the above routes are the inside networks, which point to 192.168.1.1, the inside interface of the ASA. If I remove those, then the hosts on those networks cannot access the internet. You stated that the internal address pools should be routed to the internet. There is a static route statement that points to the internet router. Do you mean that the 192.168.99.0 and 192.168.100.0 address pools should point to the internet router?
Please clarify, since these static routes have worked previously and the vpn clients could reach hosts on these subnets
thanks
ASKER CERTIFIED SOLUTION
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route inside InsideNetwork 255.255.255.0 192.168.1.1 1
route inside InsideSubnet 255.255.255.0 192.168.1.1 1
route inside 192.168.99.0 255.255.255.0 192.168.3.1 1
route inside 192.168.99.0 255.255.255.0 192.168.4.1 1
route inside 192.168.100.0 255.255.255.0 192.168.1.1 1
route inside 192.168.99.0 255.255.255.0 192.168.1.1 1
route inside 192.168.100.0 255.255.255.0 192.168.3.1 1
route inside 192.168.100.0 255.255.255.0 192.168.4.1 1
First of all, your VPN pools should be routed to the internet, so take out:-
route inside 192.168.99.0 255.255.255.0 192.168.3.1 1
route inside 192.168.99.0 255.255.255.0 192.168.4.1 1
route inside 192.168.100.0 255.255.255.0 192.168.1.1 1
route inside 192.168.99.0 255.255.255.0 192.168.1.1 1
route inside 192.168.100.0 255.255.255.0 192.168.3.1 1
route inside 192.168.100.0 255.255.255.0 192.168.4.1 1
And these static routes don't make sense as they are all pointing to the ASA itself:-
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route inside InsideNetwork 255.255.255.0 192.168.1.1 1
route inside InsideSubnet 255.255.255.0 192.168.1.1 1
You will need a route to the 192.168.3.0 and 4.0 networks e.g.:-
route inside 192.168.3.0 255.255.255.0 192.168.1.10
where 192.168.1.10 is your next hop.
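The two things this thread turns on, whether the nat (inside) 0 exemption ACL actually covers LAN-to-VPN-pool traffic (the packet-tracer question in the original post) and which static routes are pointing at the ASA itself or at the VPN pools (the certified answer above), can both be checked mechanically. The following is an added example, not code from the thread and not a Cisco tool: a small Python linter that parses the relevant lines of an ASA 7.x running-config. The config excerpt it runs on is constructed from the lines the asker posted; the function names (analyze, lint_routes, acl_lookup, and so on) are my own, and it assumes the usual ASA convention that a nat 0 ACL on the inside interface lists the inside host as source and the remote address as destination.

```python
"""Lint an ASA 7.x running-config: does the nat (inside) 0 ACL exempt
LAN <-> VPN-pool traffic, and which static routes point at the ASA's own
interface address or at a VPN address pool?  Added example for the thread;
the excerpt below is constructed from lines the asker posted."""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the posted config: names, inside interface,
# nonat ACL, one address pool and the route table.
SAMPLE_CONFIG = """\
name 192.168.4.0 InsideNetwork description 192.168.4.0 Network
name 192.168.3.0 InsideSubnet description 192.168.3.0 subnet
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list nonat extended permit ip any InsideSubnet 255.255.255.0
access-list nonat extended permit ip any InsideNetwork 255.255.255.0
access-list nonat extended permit ip any 192.168.5.0 255.255.255.0
access-list nonat extended permit ip any 192.168.99.0 255.255.255.0
access-list nonat extended permit ip any 192.168.100.0 255.255.255.0
ip local pool NewinfosysPool 192.168.99.5-192.168.99.10 mask 255.255.255.0
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 208.216.116.17 255
route inside InsideNetwork 255.255.255.0 192.168.1.1 1
route inside InsideSubnet 255.255.255.0 192.168.1.1 1
route inside 192.168.99.0 255.255.255.0 192.168.3.1 1
route inside 192.168.99.0 255.255.255.0 192.168.4.1 1
route inside 192.168.99.0 255.255.255.0 192.168.1.1 1
"""


def parse_names(cfg):
    """'name <ip> <label>' lines: label -> ip, so ACLs and routes can be resolved."""
    return {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}


def resolve(token, names):
    return names.get(token, token)


def parse_interface_ips(cfg):
    """nameif -> interface address, used to spot routes pointing at the ASA itself."""
    ips, current = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("ip address ") and current:
            ips[current] = line.split()[2]
    return ips


def parse_pools(cfg):
    """'ip local pool NAME START-END mask MASK' -> the pool's network."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", cfg, re.M):
        name, start, _end, mask = m.groups()
        pools[name] = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    return pools


def _parse_addr(tokens, i, names):
    """Parse one ACL address operand: 'any', 'host X', or 'X MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(resolve(tokens[i + 1], names) + "/32"), i + 2
    return ipaddress.ip_network(f"{resolve(tok, names)}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(cfg, acl_name, names):
    """Extended ACL entries as (action, protocol, src_net, dst_net), in order."""
    entries = []
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 6 or t[:3] != ["access-list", acl_name, "extended"]:
            continue
        src, i = _parse_addr(t, 5, names)
        dst, _ = _parse_addr(t, i, names)
        entries.append((t[3], t[4], src, dst))
    return entries


def acl_lookup(entries, src_ip, dst_ip, proto="ip"):
    """First-match evaluation; an unmatched flow hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst in entries:
        if p in ("ip", proto) and s in src and d in dst:
            return action
    return "implicit-deny"


def nat0_acl_name(cfg, iface="inside"):
    m = re.search(rf"^nat \({iface}\) 0 access-list (\S+)", cfg, re.M)
    return m.group(1) if m else None


def parse_routes(cfg, names):
    """'route IFACE NET MASK NEXTHOP [METRIC]' -> (iface, prefix, nexthop, metric)."""
    routes = []
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?\s*$", cfg, re.M):
        iface, net, mask, nh, metric = m.groups()
        prefix = ipaddress.ip_network(f"{resolve(net, names)}/{mask}", strict=False)
        routes.append((iface, prefix, nh, int(metric or 1)))
    return routes


def lint_routes(routes, iface_ips, pools):
    """Flag next hops equal to the ASA's own interface address, routes that cover
    a VPN pool (pool addresses belong to the tunnel, not the LAN), and prefixes
    with several competing next hops."""
    findings, hops_by_prefix = [], defaultdict(list)
    for iface, prefix, nh, _metric in routes:
        if iface_ips.get(iface) == nh:
            findings.append(("self-pointing", f"route {iface} {prefix} via {nh}: next hop is the ASA's own {iface} address"))
        for pool_name, pool in pools.items():
            if prefix.subnet_of(pool):
                findings.append(("vpn-pool", f"route {iface} {prefix} via {nh} covers VPN pool {pool_name}"))
        hops_by_prefix[prefix].append(nh)
    for prefix, hops in hops_by_prefix.items():
        if len(hops) > 1:
            findings.append(("ambiguous", f"{prefix} has {len(hops)} next hops: {', '.join(hops)}"))
    return findings


def analyze(cfg, inside_host, vpn_client):
    """Name map, whether the nat 0 ACL exempts inside_host <-> vpn_client, route findings."""
    names = parse_names(cfg)
    entries = parse_acl(cfg, nat0_acl_name(cfg), names)
    # nat (inside) 0 entries are written inside-host -> remote; the ASA matches the
    # reverse direction for packets arriving from the VPN client (assumption noted in lead-in).
    exempt = acl_lookup(entries, inside_host, vpn_client) == "permit"
    findings = lint_routes(parse_routes(cfg, names), parse_interface_ips(cfg), parse_pools(cfg))
    return {"names": names, "nat0_exempt": exempt, "findings": findings}


if __name__ == "__main__":
    report = analyze(SAMPLE_CONFIG, "192.168.3.20", "192.168.99.5")
    print("name map:", report["names"])
    print("nat 0 exempts 192.168.3.20 <-> 192.168.99.5:", report["nat0_exempt"])
    for kind, detail in report["findings"]:
        print(f"[{kind}] {detail}")
```

Run against the excerpt it reports that the nonat ACL does exempt a 192.168.3.0/24 host talking to a pool address (so the exemption itself is not what is missing), and it lists three self-pointing routes, three routes covering the 192.168.99.0/24 pool and one prefix with three competing next hops, which is the same set of lines the answer says to remove. To lint a real box, replace SAMPLE_CONFIG with the output of show running-config.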