Solved

Cisco ASA - VPN users not able to access remote network

Posted on 2008-10-19
Last Modified: 2012-05-05
Experts!
I could really use your help right now. I have configured remote access VPN on my Cisco ASA 5505 but I'm not able to reach the internal network (the internal network of the ASA). I connect just fine through ISAKMP and IPSec but I just have no connectivity to the internal network (10.2.2.0 /24). I'm not able to reach the internet through the VPN connection either.

Can someone tell me where the problem is?
ASA Version 8.0(4)
!
hostname ASA
domain-name *****.com
enable password ***** encrypted
passwd **** encrypted
names
 
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.2.2.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
!
interface Ethernet0/0
 description - WAN Connection
 switchport access vlan 2
!
interface Ethernet0/1
 
!
interface Ethernet0/2
 
!
interface Ethernet0/3
 
!
interface Ethernet0/4
!
 
interface Ethernet0/5
!
 
interface Ethernet0/6
!
 
interface Ethernet0/7
!
 
 
boot system disk0:/asa804-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server **
 domain-name ****.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
 
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.2.2.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.2.2.96 255.255.255.240
access-list ICMP_IN extended permit icmp any any echo-reply
access-list ICMP_IN extended permit icmp any any time-exceeded
access-list ICMP_IN remark Allows ping replies and traceroute
access-list inside_access_out extended permit ip any any
access-list VPN_Internal_Access remark Full access for all VPN users.
access-list VPN_Internal_Access extended permit ip any 10.2.2.0 255.255.255.0
 
pager lines 24
logging enable
logging asdm-buffer-size 150
logging console critical
logging monitor critical
logging trap critical
logging asdm informational
logging mail critical
logging host inside **
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool VPN_DMZ 10.5.5.1-10.5.5.10 mask 255.255.255.0
ip audit name Protect attack action alarm drop reset
ip audit name Alert info action alarm
ip audit interface inside Alert
ip audit interface inside Protect
ip audit interface outside Alert
ip audit interface outside Protect
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group ICMP_IN in interface outside
route outside 0.0.0.0 0.0.0.0 71.229.168.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD_Accts protocol ldap
aaa-server AD_Accts (inside) host **
 ldap-base-dn dc=**, dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=**,OU=**,DC=**,DC=com
 server-type microsoft
aaa authentication telnet console AD_Accts LOCAL
aaa authentication http console AD_Accts LOCAL
http server enable
http 10.2.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs group5
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set pfs group5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map Outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-192
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.2.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 68.87.85.98
dhcpd auto_config outside
!
!
 
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server ** source inside prefer
webvpn
 port 62505
 enable outside
group-policy DfltGrpPolicy attributes
group-policy WEBVPN internal
group-policy WEBVPN attributes
 vpn-tunnel-protocol webvpn
 webvpn
group-policy HomeVPN internal
group-policy HomeVPN attributes
 wins-server value 10.2.2.1
 dns-server value 10.2.2.1
 vpn-filter value VPN_Internal_Access
 vpn-tunnel-protocol IPSec
 default-domain value **.com
username ** password ** encrypted privilege 15
username ** password ** encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy WEBVPN
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server ** master timeout 2 retry 2
tunnel-group HomeVPN type remote-access
tunnel-group HomeVPN general-attributes
 address-pool VPN_DMZ
 authentication-server-group AD_Accts LOCAL
 default-group-policy HomeVPN
tunnel-group HomeVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 10.2.2.1
prompt hostname context
Cryptochecksum:**
: end

Question by:COE-IT
15 Comments
 
Expert Comment by yurisk (LVL 4), ID: 22757916
It is unclear what the design goal is here:
Do you want split tunnel, so that you reach the LAN through the VPN tunnel and the Internet through your local ISP connection, or
do you want all traffic to pass through the ASA (to the LAN behind the ASA and to the Internet)?
For the 1st case your config lacks a split tunnel policy under group-policy HomeVPN:
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_NAME
where ACL:
access-list VPNencrypt permit ip 10.2.2.0 255.255.255.0 10.5.5.0 255.255.255.0
and NAT exemption, adding the following:
(config)# access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.5.5.0 255.255.255.0

Author Comment by COE-IT (LVL 1), ID: 22757981
I'd like all traffic to pass through the VPN tunnel (no split tunneling).

Ah ha! I think you might be right on the NAT statement. Is that the only thing I need to add to allow VPN users access to the 10.2.2.x network?
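The author wants every client flow, Internet included, to go through the tunnel. The fragment below is an added example written for this thread, not configuration from the question or from any of the commenters: it shows the NAT exemption for the pool plus the hairpin and filter changes that a full-tunnel ("tunnelall") design needs on ASA 8.0(4). It reuses the names from the posted config (inside_nat0_outbound, the VPN_DMZ pool 10.5.5.0/24, the inside network 10.2.2.0/24, group-policy HomeVPN, vpn-filter VPN_Internal_Access); the decision to widen the vpn-filter rather than remove it, and the packet-tracer check at the end, are assumptions about how this deployment should look.

```text
! Added example for the config posted in the question (not from the thread).
! Names taken from the question: inside_nat0_outbound, VPN_DMZ (10.5.5.0/24),
! 10.2.2.0/24, HomeVPN, VPN_Internal_Access. Everything else is an assumption.

! 1. Exempt inside <-> VPN-pool traffic from NAT. The posted nat0 ACL only
!    covers 10.2.2.96/28 and 192.168.2.0/29, so replies to 10.5.5.x hit the
!    dynamic rule "nat (inside) 1 0.0.0.0 0.0.0.0", get PATed behind the
!    outside address and never re-enter the tunnel.
access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.5.5.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 2. No split tunnelling: the client sends everything, Internet included,
!    through the tunnel (tunnelall is the default, stated here explicitly).
group-policy HomeVPN attributes
 split-tunnel-policy tunnelall

! 3. Internet for the remote users has to hairpin: decrypted traffic arrives
!    on "outside" and leaves on "outside" again. That needs the intra-interface
!    permit (already in the posted config) and a NAT rule for the pool on the
!    outside interface so it is PATed to the outside address on the way out.
same-security-traffic permit intra-interface
nat (outside) 1 10.5.5.0 255.255.255.0
global (outside) 1 interface

! 4. The posted vpn-filter permits only pool -> 10.2.2.0/24. A vpn-filter is
!    applied to all decrypted traffic, so Internet-bound flows inside the
!    tunnel are dropped by it. Widening it (assumed choice) keeps the filter
!    in place for auditing; removing "vpn-filter value" from the group-policy
!    would also work. Source = remote client, destination = local side.
access-list VPN_Internal_Access extended permit ip 10.5.5.0 255.255.255.0 any

! 5. Verification from the ASA once a client is connected (assumed client
!    address 10.5.5.1). The NAT phase should report the exemption and the
!    VPN phase should show the packet being encrypted:
! packet-tracer input inside tcp 10.2.2.1 445 10.5.5.1 1025 detailed
! show xlate | include 10.5.5
! show crypto ipsec sa
```

Apply step 1 first and retest before touching the hairpin and filter; if inside hosts still cannot be reached after the exemption, the problem is not NAT.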

Author Comment by COE-IT (LVL 1), ID: 22789239
I've added the NAT statement, still no luck. I can establish the VPN tunnel with no problem, just can't reach the 10.2.2.x network.

Expert Comment by bignewf (LVL 15), ID: 22918737
For a start (and to test), get rid of the nat0 outbound statements:

access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.5.5.0 255.255.255.0

Try this command:
sysopt connection permit-ipsec

This will permit all decrypted IPSec packets to pass through the ASA to the LAN without inspection against the ACLs (bypasses traffic filtering).

You can also do this in the ASDM by going to Configuration > VPN > General > VPN System Options and checking the box "Enable inbound IPSec sessions to bypass interface access lists; these access lists still apply to the traffic".
I have found that just by checking this, you can reach internal LAN hosts.

This is the same as the above command.

If this works, then you can go back and try to fix the NAT exempt rules using the "nonat" access-list scenario:

access-list nonat extended permit ip 10.2.2.0 255.255.255.0 10.5.5.0 255.255.255.0

This allows hosts from the IP range 10.5.5.0 to bypass NAT translation to the inside LAN hosts on 10.2.2.0/24.

Then add:
nat (inside) 0 access-list nonat

To allow VPN clients to reach the Internet while connecting to the ASA via the IPSec tunnel, you need to enable a split tunnel policy. You can do this via the CLI or the ASDM.

Split tunnelling, if not required, is considered a security risk for the VPN client.

If you want to enable split tunneling on the VPN client network 10.5.5.0/24, then:

access-list split_tunnel standard permit 10.5.5.0 255.255.255.0
group-policy [name of group policy] attributes
 split-tunnel-policy tunnelspecified

Then link the above access list to the group-policy:

split-tunnel-network-list value split_tunnel
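The split-tunnel variant that yurisk and bignewf both describe, written out for the posted config as an added example (not configuration from the thread). The standard ACL names the networks behind the ASA that the client must reach through the tunnel, here 10.2.2.0/24 from the question; the ACL name HomeVPN_split is an assumption, the group-policy and nat0 ACL names come from the posted config.

```text
! Added example (not from the thread): split tunnelling for the posted config.
! Only traffic to the networks in the standard ACL is sent through the tunnel;
! everything else leaves via the client's own Internet connection.
! HomeVPN_split is an assumed name; HomeVPN and inside_nat0_outbound are from
! the question.

! The ACL lists the networks behind the ASA the client has to reach (what gets
! encrypted), not the client pool itself.
access-list HomeVPN_split standard permit 10.2.2.0 255.255.255.0

group-policy HomeVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HomeVPN_split

! NAT exemption is still required for the tunnelled part. A hairpin
! "nat (outside)" rule is not, because Internet traffic no longer enters
! the ASA at all.
access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.5.5.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Check on a Windows client after reconnecting: "route print" should list
! 10.2.2.0/24 via the VPN adapter while the default route stays on the
! local connection.
```

Because Internet traffic now bypasses the ASA and its vpn-filter, the client's local connection is unfiltered while the tunnel is up, which is the risk bignewf refers to.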




Expert Comment by bignewf (LVL 15), ID: 22918760
Correction to the above comment: to delete the nat0 statement(s):

no access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0  10.5.5.0 255.255.255.0


Author Comment by COE-IT (LVL 1), ID: 22925371
bignewf,

I've made some progress since my last post and I'm now able to VPN into my network and access the internal network. The only problem I have now is that I can't browse files on my Windows 2003 file server. I can ping the file server and RDP into it, but I can't browse the server files from my VPN client. Any idea how I can fix this?

Expert Comment by bignewf (LVL 15), ID: 22925410
Please clarify: are you able to map a share to this file server via IP?
Can you see the share(s) by typing the UNC path of the file server shares from the Run line or Windows Explorer?

Author Comment by COE-IT (LVL 1), ID: 22925497
From my VPN client (which has a 10.5.5.x IP) I cannot:
-access my file server from the run line using the IP (\\10.2.2.x\c$)
-access my file server from the run line using the DNS name (\\server\c$)
-map any network drive from the server through windows explorer

However, I am able to ping the server with no problem.

Expert Comment by bignewf (LVL 15), ID: 22925578
Have you tried the following command:

net view \\servername

Do you get these results?
error "There are currently no logon servers available to service the logon request"

"System error 53 has occurred"

Are the remote users using a cached domain logon, or logged on locally to their remote machines?

Try placing a hosts file on a test machine with the domain controller, DNS server and file server host names and let me know if this works.

Expert Comment by bignewf (LVL 15), ID: 22925696
My apologies, I forgot this test in the last comment:

"net use * \\servername /user:domainname\username"

That should force it to authenticate correctly; it should come back and ask for a password.

I get "System error 67 has occurred", which basically means it can't find the network name.

You will see these errors if the remote VPN client does not have a domain logon profile.

Expert Comment by bignewf (LVL 15), ID: 22925973
Also, make sure NetBIOS over TCP/IP is enabled on the network adapter as well.
Also, check your firewall to make sure TCP ports 135, 137, and 138, as well as UDP port 139, are not blocked.

NetBIOS broadcasts do not travel over IPSec tunnels, so try all the steps mentioned above.

If all of the above steps still fail, then use an LMHOSTS file. Info on how to do this:

You might try adding an LMHOSTS file to the client PC following this Microsoft KB article:
http://support.microsoft.com/kb/180094/EN-US/


Author Comment by COE-IT (LVL 1), ID: 22926016
Do I need to unblock those ports (135, 137, 138) on the outside interface coming in? Also, here's some info from my earlier tests..........

Just tried several things.........keep in mind that I can ping the file server by name and IP address.......

For simplicity, let's assume the domain is "testdomain", the server name is "DC1", and the user is "Bob"

"Net view \\DC1" AND "Net view \\10.2.2.x" gives me.....
System error 53 has occurred.
The network path was not found.

"Net use \\DC1 /user:testdomain\Bob"  gives me........
System error 53 has occurred
The network path was not found.

The good thing is that I've configured the ASA to give me the correct domain, DNS, and WINS information.





Expert Comment by bignewf (LVL 15), ID: 22926459
You don't want ports 135, 137 and 139 open, as it is a security risk. In my previous comments, how are the remote clients logged on? Locally, or a cached domain logon? Did you try the hosts/LMHOSTS file with the correct DNS, WINS (if needed) and domain servers?

Is NetBIOS over TCP/IP enabled?
File and print sharing enabled?
Client for Microsoft Networks running?
No firewalls blocking the above ports?
Workstation service running on the remote computer? Restart it.
Restart the Server service on the VPN client trying to connect.
Try restarting the "Server" service on the file server; this allows shares to be enumerated on the network.

Also, you can temporarily add the following access list statement:
access-list acl_in extended permit ip any any
This should be used for troubleshooting only.


Author Comment by COE-IT (LVL 1), ID: 22926592
The remote client I'm using is a member of a different domain than the domain I'm trying to access through the VPN session. I'm currently logging in locally under the Windows XP "administrator" account in my testing of this VPN connection.

-I did enable netbios over TCP/IP on the interface I'm using to VPN
-File/Print sharing is enabled on that same interface
-Client for MS networks is running

Back to my earlier question, what interface and direction do I need to use to unblock those ports? Aren't VPN clients considered by the ASA to be coming from the "outside" interface? If that was the case, I would need to open those ports on the outside interface, direction = incoming. I didn't think that would be a security risk given that I would specify the VPN address pool as the source addresses in the access list.

I had a bit of trouble with the LMHOSTS file. Do I need to delete all the standard stuff in that file and then paste in my information? For instance, all that I had in my LMHOSTS file was this:

10.2.2.1   SERVERNAME   #PRE #DOM:TESTDOMAIN
10.2.2.1   "TESTDOMAIN     \0x1b"   #PRE

With this, running "nbtstat -R" worked just fine (i.e. "Successful purge of NBT remote cache"). But then I get this when I run "nbtstat -c":

Wireless Network Connection 2:
Node IpAddress: [192.168.192.35] Scope Id: []

    No names in cache

I will try the service restarts.......

Accepted Solution by bignewf (LVL 15), earned 2000 total points, ID: 22926714
The only reason I had you try the access-list acl_in extended permit ip any any would be to temporarily check to see if any ports/services can reach the VPN clients (just in case some traffic was being blocked from the inside > outside).

For the LMHOSTS file, you replace the IP address with the IP address of your primary domain controller,
replace the PDC name with the NetBIOS name of your PDC (FSMO role holder),
replace the domain with your Windows domain name.
Your error could be due to syntax errors in the file, and it is not seeing any NetBIOS names in the cache.

As for your logon on a different domain, do your internal DNS servers have a zone for the domain you are trying to log on to? Do the DNS server entries in the VPN client DHCP pool have entries for the DNS server that the file server is a member of? Is the domain your VPN client is logged on to a child domain of the domain your file server is on, or is it in a different forest?

Again, the best way to troubleshoot is first to have a remote VPN client with a domain logon profile that is in the same domain as the file server. Then you can eliminate the NetBIOS file sharing issue. If that is resolved, then you can configure the remote clients with the correct DNS server information if they have other domain logons.
