cisco vpn client cannot access hosts over remote lan, but remote hosts can access the vpnclient host

Posted on 2008-10-18
Last Modified: 2012-05-05
When Cisco VPN clients connect to the ASA5510, they successfully authenticate and the tunnel is established.
However, they cannot ping or access hosts on the remote LAN subnets 192.168.3.0/24 and 192.168.4.0/24. From these remote subnets, you can establish remote sessions into the Cisco VPN client via RDP, RealVNC, DameWare, etc. The IP address pools in the ASA 5510 are:

192.168.99.0/24
192.168.100.0/24

You can ping the ip address of the connected vpnclient host from the asa, but not from any of the remote hosts in the 192.168.3.0 or 192.168.4.0/24 networks
I was able to access the remote hosts successfully a few days ago, and the configuration has not changed.
I used the packet tracer in the ASDM with the IP address of the client as the source host and the addresses of the remote hosts on the subnets 192.168.3.0/24 and 192.168.4.0/24 as the destination; it seems the packets are dropped due to a nat0 access list.
This access list has not changed since everything was working about 2 days ago and the config has not changed
I can ping the inside interface of the asa - 192.168.1.1/24 from the vpn client.
Even though I have a default route to the inside interface of the ASA, I statically added routes from the 192.168.99.0/24 and 192.168.100.0/24 networks (which are the internal IP pools) pointing to the inside interface of the ASA.
The statistics on the vpnclient show very few decrypted packets, many dropped and bypassed packets.
This seems like a routing issue?
Any suggestions are appreciated.
Here is the current config:

ASA5510# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ASA5510
domain-name default.domain.invalid
enable password 0VHZzUN3Y8hDcg1h encrypted
names
name 192.168.4.0 InsideNetwork description 192.168.4.0 Network
name 192.168.3.0 InsideSubnet description 192.168.3.0 subnet
name ******* VPNOutside description VPN Public IP
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address **********255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 no nameif
 security-level 100
 no ip address
!
interface Ethernet0/3
 shutdown
 nameif dmz
 security-level 50
 ip address 192.168.5.2 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_in extended deny tcp any any eq 445
access-list acl_in extended permit ip any any
access-list acl_in extended permit udp any any eq isakmp
access-list acl_in extended permit udp any any eq 10000
access-list acl_in extended permit tcp any any eq 10000
access-list acl_in extended permit udp any any eq 1723
access-list acl_in extended permit esp any any
access-list acl_in extended permit udp any any eq 1701
access-list acl_in extended permit tcp any host 208.216.116.27 eq smtp
access-list acl_in extended permit tcp any host *** eq ssh
access-list acl_in extended permit tcp any host8 **** eq www
access-list acl_in extended permit tcp any host **** eq domain
access-list acl_in extended permit udp any host ***** eq domain
access-list acl_in extended permit udp any host ***** eq ntp
access-list acl_in extended permit gre any any
access-list acl_in extended permit udp any any eq 4500
access-list acl_in extended permit icmp any any
access-list acl_out extended deny tcp any any eq 445
access-list acl_out extended permit udp any any eq isakmp
access-list acl_out extended permit udp any any eq 4500
access-list acl_out extended permit udp any any eq 10000
access-list acl_out extended permit tcp any any eq 10000
access-list acl_out extended permit udp any any eq 1723
access-list acl_out extended permit tcp any host *** eq smtp
access-list acl_out extended permit tcp any host **** eq https
access-list acl_out extended permit tcp any host **** eq www
access-list acl_out extended permit tcp any host **** eq smtp
access-list acl_out extended permit tcp any host **** eq www
access-list acl_out extended permit tcp any host **** eq https
access-list acl_out extended permit tcp any host **** eq https
access-list acl_out extended permit esp any any
access-list acl_out extended permit udp any any eq 1701
access-list acl_out extended permit esp host **** any
access-list acl_out extended permit udp host ** eq 1701 any
access-list acl_out extended permit udp host *** eq isakmp any
access-list acl_out extended permit tcp any host *** eq smtp
access-list acl_out extended permit tcp any host &**** eq www
access-list acl_out extended permit tcp any host *** eq https
access-list acl_out extended permit tcp any host *** eq 3389
access-list acl_out extended permit tcp any host **** eq 123
access-list acl_out extended permit udp any host **** eq domain
access-list acl_out extended permit udp any host **** eq ntp
access-list acl_out extended permit tcp any host **** eq www
access-list acl_out extended permit tcp any host **** eq smtp
access-list acl_out extended permit tcp any host **** eq domain
access-list acl_out extended permit tcp any host **** eq www
access-list acl_out extended permit tcp any host ***** eq ssh
access-list acl_out extended permit tcp any host ***** eq www
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any host 192.168.3.3 eq smtp
access-list acl_out extended permit tcp InsideSubnet 255.255.255.0 host 192.168.1.1 eq ssh
access-list acl_out extended permit tcp InsideSubnet 255.255.255.0 host 192.168.1.1 eq telnet
access-list acl_out extended permit ip any InsideNetwork 255.255.255.0
access-list acl_out extended permit tcp InsideNetwork 255.255.255.0 host 192.168.1.1 eq telnet
access-list inside_nat0_outbound extended permit ip InsideNetwork 255.255.255.0 any
access-list inside_nat_0_outbound extended permit ip InsideSubnet 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip InsideSubnet 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip InsideNetwork 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip InsideSubnet 255.255.255.0 host 192.168.3.85
access-list inside_nat0_outbound_1 extended permit ip InsideNetwork 255.255.255.0 host 192.168.3.85
access-list outside_1_cryptomap extended permit ip InsideNetwork 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip InsideSubnet 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip any InsideSubnet 255.255.255.0
access-list nonat extended permit ip any InsideNetwork 255.255.255.0
access-list nonat extended permit ip any 192.168.5.0 255.255.255.0
access-list nonat extended permit ip any 192.168.99.0 255.255.255.0
access-list nonat extended permit ip any 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool NewinfosysPool 192.168.99.5-192.168.99.10 mask 255.255.255.0
ip local pool BackupIPPool 192.168.100.5-192.168.100.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 102 interface
nat (inside) 0 access-list nonat
nat (inside) 102 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (inside,outside) 208.216.116.19 192.168.3.20 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) 208.216.116.26 192.168.3.35 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) 208.216.116.25 192.168.3.33 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) 208.216.116.21 192.168.3.16 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) 208.216.116.20 192.168.3.3 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) 208.216.116.24 192.168.3.17 netmask 255.255.255.255 tcp 1000 100 udp 1000
route outside 0.0.0.0 0.0.0.0 208.216.116.17 255
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route inside InsideNetwork 255.255.255.0 192.168.1.1 1
route inside InsideSubnet 255.255.255.0 192.168.1.1 1
route inside 192.168.99.0 255.255.255.0 192.168.3.1 1
route inside 192.168.99.0 255.255.255.0 192.168.4.1 1
route inside 192.168.100.0 255.255.255.0 192.168.1.1 1
route inside 192.168.99.0 255.255.255.0 192.168.1.1 1
route inside 192.168.100.0 255.255.255.0 192.168.3.1 1
route inside 192.168.100.0 255.255.255.0 192.168.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner value You are connected to the Newfoundland Information Systems Private Network.  Unauthorized use is prohibited.
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value BackupIPPool NewinfosysPool
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy ipsecgroup internal
group-policy ipsecgroup attributes
 vpn-access-hours none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ipsec-udp enable
 ipsec-udp-port 10000
 default-domain value Newinfosys.com
 address-pools value BackupIPPool NewinfosysPool
username stassijoseph password /qBIjej5vwKt0K13 encrypted
username stassijoseph attributes
 vpn-group-policy ipsecgroup
username bignewf password zF/jxLVcSJJYs2oW encrypted
username bignewf attributes
 vpn-group-policy ipsecgroup
username maddog password rH928mPh3aV8PqyI encrypted privilege 0
username maddog attributes
 vpn-group-policy ipsecgroup
http server enable
http InsideNetwork 255.255.255.0 management
http InsideSubnet 255.255.255.0 management
http 192.168.2.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 management
http InsideSubnet 255.255.255.0 inside
http InsideNetwork 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) BackupIPPool
 address-pool (inside) NewinfosysPool
 dhcp-server 192.168.5.2
 strip-realm
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group ipsecgroup type ipsec-ra
tunnel-group ipsecgroup general-attributes
 address-pool (inside) BackupIPPool
 address-pool (inside) NewinfosysPool
 address-pool BackupIPPool
 address-pool NewinfosysPool
 default-group-policy ipsecgroup
 strip-group
tunnel-group ipsecgroup ipsec-attributes
 pre-shared-key *
tunnel-group ipsecgroup ppp-attributes
 authentication ms-chap-v2
tunnel-group newinfosys type ipsec-ra
tunnel-group newinfosys general-attributes
 address-pool (inside) BackupIPPool
 address-pool (inside) NewinfosysPool
 address-pool BackupIPPool
 address-pool NewinfosysPool
 default-group-policy ipsecgroup
tunnel-group newinfosys ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet InsideSubnet 255.255.255.0 inside
telnet InsideNetwork 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet 208.216.116.0 255.255.255.240 inside
telnet 192.168.1.0 255.255.255.0 management
telnet InsideSubnet 255.255.255.0 management
telnet InsideNetwork 255.255.255.0 management
telnet 208.216.116.0 255.255.255.240 management
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh InsideSubnet 255.255.255.0 inside
ssh InsideNetwork 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh InsideSubnet 255.255.255.0 management
ssh InsideNetwork 255.255.255.0 management
ssh timeout 5
console timeout 20
dhcpd option 3 ip 192.168.1.1 interface inside
dhcpd option 6 ip 199.171.27.85 199.171.27.2 interface inside
!
dhcpd option 3 ip 192.168.5.1 interface dmz
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0524806cd8f58c1d5a5bad10598948db
: end

I even tried the sysopt connection permit-ipsec command to permit all decrypted IPSec packets to pass without being inspected against the access lists.
Here is the config, any help would be appreciated

thanks
Question by:bignewf

5 Comments

Expert Comment

by:cstosgale
ID: 22750122
You have a whole load of static routes that don't make sense:-

route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route inside InsideNetwork 255.255.255.0 192.168.1.1 1
route inside InsideSubnet 255.255.255.0 192.168.1.1 1
route inside 192.168.99.0 255.255.255.0 192.168.3.1 1
route inside 192.168.99.0 255.255.255.0 192.168.4.1 1
route inside 192.168.100.0 255.255.255.0 192.168.1.1 1
route inside 192.168.99.0 255.255.255.0 192.168.1.1 1
route inside 192.168.100.0 255.255.255.0 192.168.3.1 1
route inside 192.168.100.0 255.255.255.0 192.168.4.1 1

First of all, your VPN pools should be being routed to the internet, so take out:-

route inside 192.168.99.0 255.255.255.0 192.168.3.1 1
route inside 192.168.99.0 255.255.255.0 192.168.4.1 1
route inside 192.168.100.0 255.255.255.0 192.168.1.1 1
route inside 192.168.99.0 255.255.255.0 192.168.1.1 1
route inside 192.168.100.0 255.255.255.0 192.168.3.1 1
route inside 192.168.100.0 255.255.255.0 192.168.4.1 1

And these static routes don't make sense as they are all pointing to the ASA itself:-

route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route inside InsideNetwork 255.255.255.0 192.168.1.1 1
route inside InsideSubnet 255.255.255.0 192.168.1.1 1

You will need a route to the 192.168.3.0 and 4.0 networks e.g.:-

route inside 192.168.3.0 192.168.1.10

where 192.168.1.10 is your next hop.

Assisted Solution

by:cstosgale
cstosgale earned 500 total points
ID: 22750125
Sorry, that should be:-

You will need a route to the 192.168.3.0 and 4.0 networks e.g.:-

route inside 192.168.3.0 255.255.255.0 192.168.1.10

where 192.168.1.10 is your next hop.

Author Comment

by:bignewf
ID: 22750224
Sorry, the config is confusing. These routes do exist in the config as:

route inside InsideNetwork 255.255.255.0 192.168.1.1 1
route inside InsideSubnet 255.255.255.0 192.168.1.1 1
The InsideNetwork route is 192.168.3.0
The InsideSubnet route is   192.168.4.0

This is because I started the config with the GUI and finished it with the command line. The ASA labeled the 192.168.3.0 and 192.168.4.0 networks "InsideNetwork" and "InsideSubnet" respectively.

Again, the config has remained the same, 2 days ago everything worked


thanks

Author Comment

by:bignewf
ID: 22750269
All the above routes are the inside networks, which point to 192.168.1.1, the inside interface of the ASA. If I remove those, then the hosts on those networks cannot access the internet. You stated that the internal address pools should be routed to the internet. There is a static route statement that points to the internet router. Do you mean that the 192.168.99.0 and 192.168.100.0 address pools should point to the internet router?

Please clarify, since these static routes have worked previously and the vpn clients could reach hosts on these subnets


thanks

Accepted Solution

by:
bignewf earned 0 total points
ID: 22754653
I found the solution. I just enabled "allow inbound IPSec sessions to bypass inbound access-lists" in the ASDM. When I tried the command "sysopt connection permit-ipsec" in the CLI, it didn't work. All hosts on all the internal LANs are pingable and all TCP services/ports can be reached. When I did a packet trace from the ASDM, packets were dropping due to the NAT access list. I will troubleshoot the access lists later; at least now everything works.


Thanks for your help

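An added example, not from the original post and not Cisco code, that replays why the ASDM checkbox fixed this. Two things are visible in the posted running config: the line "no sysopt connection permit-vpn" (the command is enabled by default on the ASA, so somebody turned it off), and the absence of any "access-group" command binding an ACL to the outside interface. Decrypted remote-access traffic is treated as entering on the interface the tunnel terminates on, here outside at security-level 0. With permit-vpn off it has to pass the outside interface ACL like any other inbound packet, and with no ACL bound, the lower-to-higher default is deny. "sysopt connection permit-ipsec" is the 7.0 spelling of the same command; from 7.1 the keyword is permit-vpn, which is what the ASDM checkbox "allow inbound IPSec sessions to bypass inbound access-lists" sets, and the likely reason the CLI attempt did nothing on 7.2(2). The Python below models those three rules (the function names and the constructed config excerpt, copied from the relevant posted lines, are my own) and evaluates a client from the 192.168.99.0/24 pool against the config as posted, with permit-vpn re-enabled, and with acl_out bound to outside instead; it also checks the nat 0 exemption, which the posted nonat list already covers for the pool. One caveat a practitioner should keep in mind: with permit-vpn on, connected clients skip acl_out entirely, so the only thing restricting them is "vpn-filter" in the group policy, which is "none" here, alongside "split-tunnel-policy tunnelall".

```python
"""Model of how an ASA 7.x decides the fate of a decrypted remote-access
VPN packet.  Added example, not from the post or from Cisco; it encodes:
  1. decrypted client traffic enters on 'outside' (security-level 0);
  2. 'sysopt connection permit-vpn' skips the interface ACL entirely;
  3. with permit-vpn off, the packet is checked against the ACL bound by
     access-group, or denied by the lower-to-higher default if none is bound.
"""
import ipaddress

# Constructed excerpt of the posted config: name aliases, acl_out, the
# NAT-exemption ACL and the sysopt line.  No access-group line, as posted.
POSTED_CONFIG = """\
name 192.168.4.0 InsideNetwork description 192.168.4.0 Network
name 192.168.3.0 InsideSubnet description 192.168.3.0 subnet
access-list acl_out extended permit tcp any host 192.168.3.3 eq smtp
access-list acl_out extended permit ip any InsideNetwork 255.255.255.0
access-list nonat extended permit ip any InsideSubnet 255.255.255.0
access-list nonat extended permit ip any InsideNetwork 255.255.255.0
access-list nonat extended permit ip any 192.168.99.0 255.255.255.0
nat-control
nat (inside) 0 access-list nonat
no sysopt connection permit-vpn
"""

PORT_NAMES = {"smtp": 25, "ssh": 22, "telnet": 23, "www": 80, "https": 443}


def parse_ace(tokens, names):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]'; addresses are
    'any', 'host A' or 'A MASK' (ASA subnet-mask form, name aliases allowed)."""
    action, proto, rest = tokens[0], tokens[1], list(tokens[2:])

    def take_addr():
        if rest[0] == "any":
            del rest[0]
            return ipaddress.ip_network("0.0.0.0/0")
        if rest[0] == "host":
            net = ipaddress.ip_network(names.get(rest[1], rest[1]) + "/32")
            del rest[:2]
            return net
        net = ipaddress.ip_network(
            f"{names.get(rest[0], rest[0])}/{rest[1]}", strict=False)
        del rest[:2]
        return net

    src, dst = take_addr(), take_addr()
    dport = None
    if rest[:1] == ["eq"]:
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse_config(text):
    """Collect only what decides a decrypted VPN packet's fate."""
    cfg = {"names": {}, "acls": {}, "access_groups": {},
           "permit_vpn": True,      # ASA default: enabled
           "nat0_acl": None}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":
            cfg["names"][tok[2]] = tok[1]
        elif tok[0] == "access-list" and tok[2] == "extended":
            cfg["acls"].setdefault(tok[1], []).append(parse_ace(tok[3:], cfg["names"]))
        elif tok[0] == "access-group":          # access-group ACL in interface IF
            cfg["access_groups"][tok[4]] = tok[1]
        elif tok[:2] == ["nat", "(inside)"] and tok[2:4] == ["0", "access-list"]:
            cfg["nat0_acl"] = tok[4]
        elif tok[-3:] == ["sysopt", "connection", "permit-vpn"]:
            cfg["permit_vpn"] = tok[0] != "no"
    return cfg


def ace_matches(ace, proto, src, dst, dport):
    return (ace["proto"] in ("ip", proto)
            and src in ace["src"] and dst in ace["dst"]
            and (ace["dport"] is None or ace["dport"] == dport))


def acl_permits(cfg, acl_name, proto, src, dst, dport=None):
    """First matching entry wins; every ASA ACL ends in an implicit deny."""
    for ace in cfg["acls"].get(acl_name, []):
        if ace_matches(ace, proto, src, dst, dport):
            return ace["action"] == "permit"
    return False


def vpn_client_packet(cfg, proto, src, dst, dport=None):
    """Verdict for a decrypted packet from VPN client src to LAN host dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if cfg["permit_vpn"]:
        return True, "permit: sysopt connection permit-vpn bypasses the interface ACL"
    acl = cfg["access_groups"].get("outside")
    if acl is None:
        return False, "deny: no access-group on outside, lower-to-higher default deny"
    ok = acl_permits(cfg, acl, proto, src, dst, dport)
    return ok, f"{'permit' if ok else 'deny'}: evaluated against {acl}"


def nat_exempt(cfg, lan_host, vpn_client):
    """nat 0 access-list is written inside->outside and the return flow is
    matched the same way: LAN host as source, VPN client as destination."""
    if cfg["nat0_acl"] is None:
        return False
    return acl_permits(cfg, cfg["nat0_acl"], "ip",
                       ipaddress.ip_address(lan_host), ipaddress.ip_address(vpn_client))


if __name__ == "__main__":
    as_posted = parse_config(POSTED_CONFIG)
    fixed = parse_config(POSTED_CONFIG.replace("no sysopt", "sysopt"))
    for label, cfg in (("as posted", as_posted), ("permit-vpn on", fixed)):
        print(label, vpn_client_packet(cfg, "icmp", "192.168.99.5", "192.168.3.20"))
    print("nat exempt", nat_exempt(as_posted, "192.168.3.20", "192.168.99.5"))
```

The on-box equivalent of the first two calls is "packet-tracer input outside icmp 192.168.99.5 8 0 192.168.3.20" run before and after "sysopt connection permit-vpn"; the phase that changes from DROP to ALLOW is the one the model above reproduces. Binding acl_out with "access-group acl_out in interface outside" instead of enabling permit-vpn is the tighter design, because each client-to-LAN flow then has to be listed explicitly; the third scenario in the test below shows that with acl_out as posted only SMTP to 192.168.3.3 and anything to 192.168.4.0/24 would get through.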