Cisco ASA - VPN users not able to access remote network

Posted on 2008-10-19
Last Modified: 2012-05-05
Experts!
I could really use your help right now. I have configured remote access VPN on my Cisco ASA 5505 but I'm not able to reach the internal network (the internal network of the ASA). I connect just fine through ISAKMP and IPSec but I just have no connectivity to the internal network (10.2.2.0 /24). I'm not able to reach the internet through the VPN connection either.

Can someone tell me where the problem is?
ASA Version 8.0(4)
!
hostname ASA
domain-name *****.com
enable password ***** encrypted
passwd **** encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.2.2.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
!
interface Ethernet0/0
 description - WAN Connection
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server **
 domain-name ****.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.2.2.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.2.2.96 255.255.255.240
access-list ICMP_IN extended permit icmp any any echo-reply
access-list ICMP_IN extended permit icmp any any time-exceeded
access-list ICMP_IN remark Allows ping replies and traceroute
access-list inside_access_out extended permit ip any any
access-list VPN_Internal_Access remark Full access for all VPN users.
access-list VPN_Internal_Access extended permit ip any 10.2.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm-buffer-size 150
logging console critical
logging monitor critical
logging trap critical
logging asdm informational
logging mail critical
logging host inside **
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool VPN_DMZ 10.5.5.1-10.5.5.10 mask 255.255.255.0
ip audit name Protect attack action alarm drop reset
ip audit name Alert info action alarm
ip audit interface inside Alert
ip audit interface inside Protect
ip audit interface outside Alert
ip audit interface outside Protect
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any time-exceeded outside
icmp permit any unreachable outside
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group ICMP_IN in interface outside
route outside 0.0.0.0 0.0.0.0 71.229.168.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server AD_Accts protocol ldap
aaa-server AD_Accts (inside) host **
 ldap-base-dn dc=**, dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *
 ldap-login-dn CN=**,OU=**,DC=**,DC=com
 server-type microsoft
aaa authentication telnet console AD_Accts LOCAL
aaa authentication http console AD_Accts LOCAL
http server enable
http 10.2.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs group5
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set pfs group5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map Outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes-192
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.2.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 68.87.85.98
dhcpd auto_config outside
!
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server ** source inside prefer
webvpn
 port 62505
 enable outside
group-policy DfltGrpPolicy attributes
group-policy WEBVPN internal
group-policy WEBVPN attributes
 vpn-tunnel-protocol webvpn
 webvpn
group-policy HomeVPN internal
group-policy HomeVPN attributes
 wins-server value 10.2.2.1
 dns-server value 10.2.2.1
 vpn-filter value VPN_Internal_Access
 vpn-tunnel-protocol IPSec
 default-domain value **.com
username ** password ** encrypted privilege 15
username ** password ** encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy WEBVPN
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server ** master timeout 2 retry 2
tunnel-group HomeVPN type remote-access
tunnel-group HomeVPN general-attributes
 address-pool VPN_DMZ
 authentication-server-group AD_Accts LOCAL
 default-group-policy HomeVPN
tunnel-group HomeVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 10.2.2.1
prompt hostname context
Cryptochecksum:**
: end

Question by:COE-IT
15 Comments
 
LVL 4

Expert Comment

by:yurisk
ID: 22757916
Unclear what the design goal is here:
Do you want split tunnel, so that you reach the LAN through the VPN tunnel and the Internet through your local ISP connection, or
Do you want all traffic to pass through the ASA (to the LAN behind the ASA and to the Internet)?
For the 1st case your config lacks a split tunnel policy under group-policy HomeVPN:
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_NAME
where the ACL is:
access-list VPNencrypt permit ip 10.2.2.0 255.255.255.0 10.5.5.0 255.255.255.0
and NAT exemption, adding the following:
(config)# access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.5.5.0 255.255.255.0
0
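The NAT-exemption point above (the VPN pool 10.5.5.0/24 must appear as a destination in the nat (inside) 0 ACL, or decrypted client traffic gets PAT'd and never reaches the inside hosts correctly) is easy to check mechanically. The following script is an added example, not code from this thread or from Cisco: it parses an ASA 8.0-style config excerpt, reports any "ip local pool" that the nat 0 ACL does not exempt from the inside network, and also lists crypto maps that have entries but are bound to no interface (ASA names are case-sensitive, so "outside_map" and "Outside_map" are two different maps). SAMPLE_CONFIG is a constructed excerpt modelled on the configuration posted in the question; the inside network 10.2.2.0/24 is passed in as a parameter.

```python
"""Constructed ASA config sanity checks (added example; not an ASA or Cisco tool)."""
import ipaddress
import re

# Constructed excerpt modelled on the configuration posted in the question.
SAMPLE_CONFIG = """\
ip local pool VPN_DMZ 10.5.5.1-10.5.5.10 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0 10.2.2.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.2.2.96 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0 dns
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map Outside_map 10 ipsec-isakmp dynamic outside_dyn_map
group-policy HomeVPN attributes
 vpn-filter value VPN_Internal_Access
 vpn-tunnel-protocol IPSec
"""


def _addr(tokens, i):
    """Consume one ACE address spec ('any', 'host A', or 'A MASK') starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ip_aces(cfg, acl_name):
    """Return (src, dst) network pairs for the 'permit ip' ACEs of the named ACL."""
    aces = []
    for line in cfg.splitlines():
        tokens = line.split()
        if tokens[:5] == ["access-list", acl_name, "extended", "permit", "ip"]:
            src, i = _addr(tokens, 5)
            dst, _ = _addr(tokens, i)
            aces.append((src, dst))
    return aces


def parse_pools(cfg):
    """Map each 'ip local pool' name to the network implied by its first address and mask."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", cfg, re.M):
        name, start, _end, mask = m.groups()
        pools[name] = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    return pools


def check_nat_exemption(cfg, inside_net="10.2.2.0/24"):
    """Report VPN pools that the 'nat (inside) 0' ACL does not exempt from translation."""
    inside = ipaddress.ip_network(inside_net)
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if not m:
        return ["no 'nat (inside) 0 access-list' configured: all inside traffic is translated"]
    aces = parse_ip_aces(cfg, m.group(1))
    findings = []
    for name, pool in parse_pools(cfg).items():
        # Exempt only if some ACE covers inside -> pool (an 'any' source also counts).
        if not any(inside.subnet_of(src) and pool.subnet_of(dst) for src, dst in aces):
            findings.append(
                f"pool {name} ({pool}) is not exempted from NAT for {inside} in ACL {m.group(1)}"
            )
    return findings


def unbound_crypto_maps(cfg):
    """Names of crypto maps that have entries but are applied to no interface."""
    with_entries = set(re.findall(r"^crypto map (\S+) \d+ ", cfg, re.M))
    bound = set(re.findall(r"^crypto map (\S+) interface ", cfg, re.M))
    return sorted(with_entries - bound)


if __name__ == "__main__":
    for finding in check_nat_exemption(SAMPLE_CONFIG):
        print("NAT:", finding)
    for name in unbound_crypto_maps(SAMPLE_CONFIG):
        print("crypto map with entries but no interface binding:", name)
```

Running it against the constructed excerpt reports the missing exemption for VPN_DMZ and the unbound map "Outside_map"; appending the ACE suggested in the comment above clears the NAT finding.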
 
LVL 1

Author Comment

by:COE-IT
ID: 22757981
I'd like all traffic to pass through the VPN tunnel (no split tunneling).

Ah ha! I think you might be right on the NAT statement. Is that the only thing I need to add to allow VPN users access to the 10.2.2.x network?
0
 
LVL 1

Author Comment

by:COE-IT
ID: 22789239
I've added the NAT statement, still no luck. I can establish the VPN tunnel with no problem, just can't reach the 10.2.2.x network.
0
 
LVL 15

Expert Comment

by:bignewf
ID: 22918737
For a start, (and to test) get rid of the nat0 outbound statements:

access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0  10.5.5.0 255.255.255.0

try this command:
sysopt connection permit-ipsec

this will permit all decrypted IPSec packets to pass thru the asa to the lan without inspection against the ACL's (bypasses traffic filtering)


you can do this also in the asdm by going to configuration>vpn>general>vpn system options and checking the box  "enable inbound IPSec sessions to bypass interface access lists, these access lists still apply to the traffic"
I have found that just by checking this, you can reach internal lan hosts

this is same as the above command

if this works,
then you can go back and try to fix the nat exempt rules using  the "nonat"  access-list scenario:

access-list nonat extended permit ip 10.2.2.0 255.255.255.0 10.5.5.0 255.255.255.0
this allows hosts from ip range 10.5.5.0 to bypass nat translation to the inside lan hosts on 10.2.2.0/24

then add:  nat (inside) 0 access-list nonat




to allow vpn clients to reach the internet while connecting to the ASA via the IPSec tunnel, you need to enable a split tunnel policy. You can do this via the CLI or the asdm:

Split tunnelling, if not required, is considered a security risk for the vpnclient.

If you want to enable split tunneling on the vpn client network 10.5.5.0/24 then:

access-list standard split_tunnel permit 10.5.5.0 255.255.255.0
group-policy [name of group policy] attributes
split-tunnel-policy tunnelspecified

then link the above access list to the group-policy:

split-tunnel-network-list value split_tunnel



0
 
LVL 15

Expert Comment

by:bignewf
ID: 22918760
correction to above comment: to delete the nat0 statement(s)

no access-list inside_nat0_outbound extended permit ip 10.2.2.0 255.255.255.0  10.5.5.0 255.255.255.0

0
 
LVL 1

Author Comment

by:COE-IT
ID: 22925371
bignewf,

I've made some progress since my last post and I'm now able to VPN into my network and access the internal network. The only problem I have now is that I can't browse files on my Windows 2003 file server. I can ping the file server and RDP into it, but I can't browse the server files from my VPN client. Any idea how I can fix this?
0
 
LVL 15

Expert Comment

by:bignewf
ID: 22925410
Please clarify:  are you able to map a share to this file server via ip:
Can you see the share(s) by typing the unc path of the file server shares from the run line or windows explorer?
0
 
LVL 1

Author Comment

by:COE-IT
ID: 22925497
From my VPN client (which has a 10.5.5.x IP) I cannot:
-access my file server from the run line using the IP (\\10.2.2.x\c$)
-access my file server from the run line using the DNS name (\\server\c$)
-map any network drive from the server through windows explorer

However, I am able to ping the server with no problem.
0
 
LVL 15

Expert Comment

by:bignewf
ID: 22925578
Have you tried the following command:

net view  \\servername
do you get these results?
error "there are currently no logon  servers available to service the logon request"
 
"System error 53 has occurred"

Are the remote users using a cached domain logon, or logged on locally to their remote machines?

Try placing a hosts file on a test machine with the domain controller, dns server and fileserver host names and let me know if this works
0
 
LVL 15

Expert Comment

by:bignewf
ID: 22925696
my apologies, I forgot this test in the last comment:

"net use * \\servername /user:domainname\username"

 That should force it to authenticate correctly - should come back and
 ask for a password.

I get "System error 67 has occurred" which basically means it can't find the
network name.

You will see these errors if the remote vpn client does not have a domain logon profile
0
 
LVL 15

Expert Comment

by:bignewf
ID: 22925973
Also, make sure netbios over tcp/ip is enabled on the network adapter as well.
Also, check your firewall to make sure TCP ports 135, 137, and 138, as well as UDP port 139 are not blocked.

NetBIOS broadcasts do not travel over IPSec tunnels, so try all the steps mentioned above

If all of the above steps still fail, then use an LMHosts file. Info on how to do this:

You might try adding a LMHOSTS file to the Client PC following this Microsoft KB Article
http://support.microsoft.com/kb/180094/EN-US/


0
 
LVL 1

Author Comment

by:COE-IT
ID: 22926016
Do I need to unblock those ports (135, 137, 138) on the outside interface coming in? Also, here's some info from my earlier tests..........

Just tried several things.........keep in mind that I can ping the file server by name and IP address.......

For simplicity, let's assume the domain is "testdomain", the server name is "DC1", and the user is "Bob"

"Net view \\DC1" AND "Net view \\10.2.2.x" gives me.....
System error 53 has occurred.
The network path was not found.

"Net use \\DC1 /user:testdomain\Bob"  gives me........
System error 53 has occurred
The network path was not found.

The good thing is that I've configured the ASA to give me the correct domain, DNS, and WINS information.





0
 
LVL 15

Expert Comment

by:bignewf
ID: 22926459
you don't want ports 135, 137 and 139 open as it is a security risk. In my previous comments, how are the remote clients logged on? locally, or a cached domain logon? Did you try the hosts/lmhosts file with the correct dns, wins (if needed) and domain servers?

Is netbios over tcp/ip enabled?
file and print sharing enabled?
client for microsoft networks running?
no firewalls blocking the above ports?
workstation service running on the remote computer? -restart
restart the server service on the vpnclient trying to connect
trying restarting the "server" service on the file server - this allows shares to be enumerated on the network

also, you  can temporarily add the following access list statement:
access-list acl_in extended permit ip any any
this should be used for troubleshooting only


0
 
LVL 1

Author Comment

by:COE-IT
ID: 22926592
The remote client I'm using is a member of a different domain than the domain I'm trying to access through the VPN session. I'm currently logging in locally under the Windows XP "administrator" account in my testing of this VPN connection.

-I did enable netbios over TCP/IP on the interface I'm using to VPN
-File/Print sharing is enabled on that same interface
-Client for MS networks is running

Back to my earlier question, what interface and direction do I need to use to unblock those ports? Aren't VPN clients considered by the ASA to be coming from the "outside" interface? If that was the case, I would need to open those ports on the outside interface, direction = incoming. I didn't think that would be a security risk given that I would specify the VPN address pool as the source addresses in the access list.

I had a bit of trouble with the LMHOSTS file. Do I need to delete all the standard stuff in that file and then paste in my information? For instance, all that I had in my LMHOSTS file was this:

10.2.2.1   SERVERNAME   #PRE #DOM:TESTDOMAIN
10.2.2.1   "TESTDOMAIN     \0x1b"   #PRE

With this, running "nbtstat -R" worked just fine (i.e. "Successful purge of NBT remote cache"). But then I get this when I run "nbtstat -c":

Wireless Network Connection 2:
Node IpAddress: [192.168.192.35] Scope Id: []

    No names in cache

I will try the service restarts.......

0
 
LVL 15

Accepted Solution

by:
bignewf earned 500 total points
ID: 22926714
the only reason I had you try the access-list acl_in extended permit ip any any would be to temporarily check to see if any ports/services can reach the vpn clients. (just in case some traffic was being blocked from the inside>outside)

for the lmhosts file, you replace the ip address with the ip address of your primary domain controller
replace the pdcname with the netbios name of your pdc (fsmo role holder)
replace domain with your windows domain name.
Your error could be due to syntax errors in the file, and it is not seeing any netbios names in the cache

As for your logon on a different domain, do your internal dns servers have a zone for the domain you are trying to logon to? Do the dns server entries in the vpnclient dhcp pool point at the dns server that the fileserver is a member of? Is the domain your vpnclient logged on to a child domain of the domain your fileserver is on, or is it in a different forest?

Again, the best way to troubleshoot is first have a remote vpnclient with a domain logon profile that is in the same domain as the fileserver. Then you can eliminate the netbios filesharing issue. If that is resolved, then you can configure the remote clients with the correct dns server information if they have other domain logons

T
0
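The accepted answer suggests that the empty NetBIOS cache after "nbtstat -R" may come from syntax errors in the LMHOSTS file. The script below is an added example, not a Microsoft tool or code from this thread: it parses LMHOSTS text, applies the format rules from the Microsoft article linked above (a NetBIOS name is at most 15 characters; a quoted name carrying a \0xNN suffix must be padded to exactly 15 characters before the \0x; #PRE preloads the entry, #DOM: marks a domain controller, and any other text after # is a comment), and reports which names "nbtstat -R" would actually load into the cache. SAMPLE_LMHOSTS is constructed: it reuses the two lines the author posted and adds three deliberately malformed lines.

```python
"""Constructed LMHOSTS syntax checker (added example; not a Windows or Microsoft tool)."""
import ipaddress
import re

NETBIOS_NAME_LEN = 15  # a NetBIOS name is 15 characters plus a one-byte suffix

# Constructed sample: the author's two lines plus three malformed lines (5, 6, 7).
SAMPLE_LMHOSTS = r"""
# comment line
10.2.2.1   SERVERNAME   #PRE #DOM:TESTDOMAIN
10.2.2.1   "TESTDOMAIN     \0x1b"   #PRE
10.2.2.1   "TESTDOMAIN \0x1b"   #PRE
10.2.2.999 BADADDRESS
10.2.2.2   AVERYLONGSERVERNAME
"""


def parse_lmhosts(text):
    """Return (entries, findings); each entry has ip, name, suffix, pre and dom fields."""
    entries, findings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = re.match(r'^(\S+)\s+("[^"]*"|\S+)\s*(.*)$', line)
        if not m:
            findings.append(f"line {lineno}: cannot parse")
            continue
        ip_text, name_tok, rest = m.groups()
        try:
            ip = str(ipaddress.IPv4Address(ip_text))
        except ValueError:
            findings.append(f"line {lineno}: invalid IPv4 address {ip_text!r}")
            continue
        suffix = None
        if name_tok.startswith('"'):
            inner = name_tok[1:-1]
            base, sep, hexpart = inner.partition(r"\0x")
            if sep:
                # The 0x1B-style entry must be padded to exactly 15 characters before \0x.
                if len(base) != NETBIOS_NAME_LEN:
                    findings.append(
                        f"line {lineno}: quoted name must be padded to exactly "
                        f"{NETBIOS_NAME_LEN} characters before the suffix (got {len(base)})"
                    )
                try:
                    suffix = int(hexpart, 16)
                except ValueError:
                    findings.append(f"line {lineno}: bad suffix {hexpart!r}")
            else:
                base = inner
            name = base.rstrip()
        else:
            name = name_tok
        if len(name) > NETBIOS_NAME_LEN:
            findings.append(f"line {lineno}: name {name!r} longer than {NETBIOS_NAME_LEN} characters")
        pre, dom = False, None
        for tok in rest.split():
            up = tok.upper()
            if up == "#PRE":
                pre = True
            elif up.startswith("#DOM:"):
                dom = tok[5:]
            elif tok.startswith("#"):
                break  # any other '#' text is a trailing comment
            else:
                findings.append(f"line {lineno}: unexpected token {tok!r}")
        entries.append({"ip": ip, "name": name.upper(), "suffix": suffix, "pre": pre, "dom": dom})
    return entries, findings


def preloaded_names(entries):
    """Names that 'nbtstat -R' would load into the NetBIOS cache: only #PRE entries."""
    return [e["name"] for e in entries if e["pre"]]


if __name__ == "__main__":
    parsed, problems = parse_lmhosts(SAMPLE_LMHOSTS)
    for problem in problems:
        print("problem:", problem)
    print("preloaded by nbtstat -R:", preloaded_names(parsed))
```

Against the constructed sample the author's two lines parse cleanly (the second yields the 0x1B domain suffix), while the under-padded copy, the invalid address and the 19-character name each produce a finding. An entry without #PRE never shows up in "nbtstat -c" output, which is why that check is reported separately.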
