Cisco ASA & Client VPN - Inside Access Problem

I have a Cisco ASA 5505 and Cisco client 5.0.03 - I am unable to see the inside network although I can connect to and send/recv traffic.  I have tried enabling NAT Traversal but that didn't resolve my problem.  Thank you for looking at my code and the snapshot of my statistics screen.

-Dave
ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password lpW.MGeEHg0ISQZq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
 
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.250 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.XX 255.255.255.0 
!
interface Vlan3
 nameif backup
 security-level 0
 ip address XX.XX.XX.XX 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service RDP tcp
 port-object eq 3389
object-group service SBS tcp
 port-object eq 4125
object-group service TimeClock tcp
 port-object eq 2500
object-group service rww tcp
 port-object eq 444
access-list outside extended permit icmp any any 
access-list outside extended permit tcp any host hbsrvr1 eq www 
access-list outside extended permit tcp any host hbsrvr1 eq smtp 
access-list outside extended permit tcp any host hbsrvr1 object-group rww 
access-list outside extended permit tcp any host hbsrvr1 object-group SBS 
access-list outside extended permit tcp any host hbsrvr1 object-group RDP 
access-list outside extended permit tcp any host hbsrvr1 object-group TimeClock 
access-list outside extended permit tcp any host hbsrvr1 eq https 
access-list split standard permit 192.168.10.0 255.255.255.0 
pager lines 24
mtu inside 1500
mtu outside 1500
mtu backup 1500
ip local pool vpnpool 192.168.10.215-192.168.10.240 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface backup
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1 track 1
route backup 0.0.0.0 0.0.0.0 XX.XX.XX.XX 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 204.16.20.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set hunter-trans esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set hunter-trans
crypto dynamic-map dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
crypto isakmp reload-wait
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
 
group-policy huntervpn internal
group-policy huntervpn attributes
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 address-pools value vpnpool
username admin password s8Vngsgpp8NmOJP7 encrypted
username bdiop password seRFYPliWAnlt8ip encrypted
tunnel-group huntervpn type ipsec-ra
tunnel-group huntervpn general-attributes
 address-pool vpnpool
 default-group-policy huntervpn
tunnel-group huntervpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:5ed3af0ffbbb957eb8847867a906f48e

Attachment: asa-vpn---no-inside.jpg
2 Solutions
 
batry_boy commented:
Try adding these statements:

access-list nonat permit ip any 192.168.10.192 255.255.255.192
nat (inside) 0 access-list nonat

I would go ahead and put back in the nat-traversal command...you will probably need it in the future.

lrmoore commented:
Try setting up the clients on a different IP subnet instead of a sub-set of the inside network.
Are you providing the clients a DNS/WINS server IP and domain? I don't see them in the group policy.

snchelpdesk (Author) commented:
The following works:

access-list nonat permit ip any 192.168.10.192 255.255.255.192
nat (inside) 0 access-list nonat

I am curious what these statements do?

Thank you again for your time and sharing of your expertise!

Dave

lrmoore commented:
Basically, it exempts traffic from inside hosts to the vpn hosts from NAT. The architecture of the PIX/ASA generally requires nat between interfaces (inside to VPN client attached to outside interface). The nat "zero" is a special type of nat that bypasses nat for anything matching the stated acl.
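The two answers above (batry_boy's nat-exemption lines and lrmoore's explanation of why nat "zero" is needed, plus his point that the pool should not be a sub-set of the inside subnet) can be turned into a mechanical check. The script below is an added example, not code from this thread or from Cisco: it parses an ASA 7.x running-config with regexes, finds the inside subnet and the `ip local pool` range, computes the smallest CIDR block covering the pool, reports whether a `nat (inside) 0 access-list` exemption already covers that block, and emits the lines needed if not. It also flags the `http 0.0.0.0 0.0.0.0 outside` and `ssh 0.0.0.0 0.0.0.0 outside` lines visible in the posted config, since management open to every source address is a separate risk worth noticing while in this config. Assumptions: the config excerpt is constructed from the lines above (the masked outside address is left out), the parser understands only the 7.x `nat (iface) N` syntax and `any`/`host`/`addr mask` ACL address forms, and the generated ACL uses the name `nonat` from the answers but narrows the source to the inside subnet instead of `any`.

```python
"""Audit an ASA 7.x running-config for the VPN symptom in this thread.

Checks: (1) is an 'ip local pool' carved out of the inside subnet,
(2) does a 'nat (inside) 0 access-list' exemption cover that pool, and
(3) is HTTP/SSH management open to 0.0.0.0/0 on the outside interface.
Also emits the exemption lines a pool needs.  Assumes 7.x NAT syntax.
"""
import ipaddress
import re

# Constructed excerpt of the config posted above; only the lines the checks read.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.250 255.255.255.0
!
ip local pool vpnpool 192.168.10.215-192.168.10.240 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
"""


def parse_interfaces(cfg):
    """Map nameif -> IPv4Network for each interface with an 'ip address A MASK' line."""
    nets, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = None  # new interface stanza; nameif comes before ip address
        m = re.match(r"\s+nameif (\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and name:
            nets[name] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets


def parse_pools(cfg):
    """Map pool name -> (first, last) from 'ip local pool NAME FIRST-LAST mask M'."""
    return {m.group(1): (m.group(2), m.group(3))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}


def _take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A', or 'A MASK'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_nat_exempt(cfg):
    """Map iface -> [(src, dst)] for every 'nat (iface) 0 access-list NAME' exemption."""
    acls = {}
    for m in re.finditer(r"^access-list (\S+) (?:extended )?permit ip (.+)$", cfg, re.M):
        tokens = m.group(2).split()
        acls.setdefault(m.group(1), []).append((_take_addr(tokens), _take_addr(tokens)))
    return {m.group(1): acls.get(m.group(2), [])
            for m in re.finditer(r"^nat \((\S+)\) 0 access-list (\S+)", cfg, re.M)}


def covering_network(first, last):
    """Smallest CIDR block containing the whole pool range (what the exemption ACL must cover)."""
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = ipaddress.ip_network(f"{first}/32")
    while last not in net:
        net = net.supernet()
    return net


def audit(cfg):
    """Return (findings, fix_lines) for the config text."""
    inside = parse_interfaces(cfg)["inside"]
    exempt = parse_nat_exempt(cfg).get("inside", [])
    findings, fix = [], []
    for name, (first, last) in parse_pools(cfg).items():
        block = covering_network(first, last)
        if block.overlaps(inside):
            findings.append(f"pool {name} ({first}-{last}) is carved out of inside {inside}; "
                            "a dedicated client subnet avoids the overlap")
        if not any(inside.subnet_of(s) and block.subnet_of(d) for s, d in exempt):
            findings.append(f"no nat (inside) 0 exemption covers {block}: inside->client "
                            "traffic matches 'nat (inside) 1' and is PATed to the outside address")
            fix += [f"access-list nonat extended permit ip {inside.network_address} "
                    f"{inside.netmask} {block.network_address} {block.netmask}",
                    "nat (inside) 0 access-list nonat"]
    for proto in ("http", "ssh"):
        if re.search(rf"^{proto} 0\.0\.0\.0 0\.0\.0\.0 outside\s*$", cfg, re.M):
            findings.append(f"{proto} management is reachable from any source on outside; "
                            "restrict it to known management addresses")
    return findings, fix


if __name__ == "__main__":
    findings, fix = audit(SAMPLE_CONFIG)
    for f in findings:
        print("FINDING:", f)
    print("\n".join(fix))
```

Run against the excerpt it reports the pool/inside overlap, the missing exemption, and the two wide-open management lines, and prints the two config lines to add; the covering block it computes for 192.168.10.215-240 is 192.168.10.192/26, the same /26 batry_boy used. Re-running it on the config with the exemption appended clears the NAT finding, which is a quick way to confirm a change before pushing it to the firewall.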

snchelpdesk (Author) commented:
Thank you all for your time and expertise!!  
Dave