Solved

Cisco ASA-5505 - VPN Connects, but cannot access or ping internal hosts

Posted on 2008-11-14
Last Modified: 2012-05-05
I have inherited an ASA 5505 at my job and I am having problems with getting it working.  Users can connect to the device, but are unable to access anything on the inside.
: Saved
:
ASA Version 7.2(2) 
!
!
interface Vlan1
 description internal CR interface
 nameif inside
 security-level 100
 ip address 10.1.156.4 255.255.254.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 201.199.241.130 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd KnSfSehchp8Y0c/t encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name fdbl-int.com
same-security-traffic permit intra-interface
access-list outside_20_cryptomap extended permit ip host 192.168.201.5 host 192.168.201.6 
access-list inside_nat0_outbound extended permit ip 10.1.156.0 255.255.254.0 10.1.156.0 255.255.254.0 
access-list outside_access_in extended permit ip 65.126.56.0 255.255.255.0 any 
access-list inside_access_in extended permit ip 10.1.156.0 255.255.254.0 any 
access-list inside_access_in extended permit icmp 10.1.156.0 255.255.254.0 any 
access-list split standard permit 10.1.156.0 255.255.254.0 
access-list split standard permit 10.1.12.0 255.255.252.0 
access-list DefaultRAGroup_splitTunnelAcl standard permit any 
access-list split_extACL extended permit ip 10.1.12.0 255.255.252.0 10.1.160.0 255.255.252.0 
access-list split_extACL extended permit ip 10.1.156.0 255.255.254.0 10.1.160.0 255.255.252.0 
access-list RWC_cryptomap_1 extended permit ip 10.1.156.0 255.255.254.0 10.1.76.0 255.255.252.0 
access-list CR_VPN_splitTunnelAcl standard permit any 
access-list CR-VPN3_splitTunnelAcl standard permit any 
access-list inside_cryptomap extended permit ip any any 
access-list Local_LAN_Access extended permit ip 10.1.156.0 255.255.254.0 10.1.156.0 255.255.254.0 
pager lines 24
logging enable
logging asdm informational
logging from-address glands@fragomen.com
logging recipient-address fdblgarrod@yahoo.com level emergencies
logging host inside 10.1.12.125
mtu inside 1500
mtu outside 1500
ip local pool CR_IP_POOL 10.1.156.200-10.1.156.225 mask 255.255.254.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 10.0.0.0 255.0.0.0 10.1.156.1 1
route outside 0.0.0.0 0.0.0.0 201.199.241.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server FDBL-INT protocol nt
aaa-server FDBL-INT (outside) host 10.1.156.2
 timeout 25
 nt-auth-domain-controller toomucho
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 10.1.12.36 10.1.12.35
 dns-server value 10.1.12.36 10.1.12.35
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value 10.1.156.2 10.1.12.36
 dns-server value 10.1.156.2 10.1.12.35
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 50
 vpn-idle-timeout 10
 vpn-session-timeout 360
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value inside_cryptomap
 default-domain none
 split-dns none
 intercept-dhcp enable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value CR_IP_POOL
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc required
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
username fdbl password /dGFesCQ.xJa/jBi encrypted privilege 15
username fragomen password Ar1DLY+NBHiUEpQ4uriAxQ== nt-encrypted privilege 15
username fragomen attributes
 vpn-group-policy DfltGrpPolicy
 vpn-access-hours none
 vpn-simultaneous-logins 50
 vpn-idle-timeout 10
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 group-lock none
aaa authentication ssh console LOCAL 
aaa authentication telnet console FDBL-INT LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 171.69.89.187 255.255.255.255 outside
http 65.126.56.0 255.255.255.0 outside
snmp-server host inside 10.1.12.125 community frag0m3n
snmp-server location Costa Rica
no snmp-server contact
snmp-server community frag0m3n
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs 
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs 
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs 
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs 
crypto map outside_map 20 set peer 65.119.108.70 
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map RWC_map 1 match address RWC_cryptomap_1
crypto map RWC_map 1 set peer 216.148.234.212 
crypto map RWC_map 1 set transform-set ESP-3DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp identity address 
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000 
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool CR_IP_POOL
 authentication-server-group FDBL-INT LOCAL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool CR_IP_POOL
 authentication-server-group FDBL-INT LOCAL
 default-group-policy DefaultRAGroup
telnet 10.1.0.0 255.255.0.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcprelay server 10.1.12.35 inside
dhcprelay server 10.1.12.43 outside
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
webvpn
 port 444
 enable outside
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc enable

Question by:Jaime Larsen
3 Comments
 
Expert Comment

by:decoleur
ID: 22964788
One issue that you might have is that the DHCP addresses handed out to the VPN users are the same as the network on the inside. I would use a different subnet altogether for the VPN users. This will do two things for you: you can be granular as far as what the remote users can have access to (like go for servers, no for workstations), and you can tell when a user on your network is originating locally or remotely by their IP address.

hope this helps,

-t
Accepted Solution

by:batry_boy (earned 2000 total points)
ID: 22965544
Try this:

group-policy DfltGrpPolicy attributes
no address-pools value CR_IP_POOL
tunnel-group DefaultRAGroup general-attributes
no address-pool CR_IP_POOL
tunnel-group DefaultWEBVPNGroup general-attributes
no address-pool CR_IP_POOL
no ip local pool CR_IP_POOL 10.1.156.200-10.1.156.225 mask 255.255.254.0
ip local pool CR_IP_POOL 192.168.70.1-192.168.70.254 mask 255.255.255.0
group-policy DfltGrpPolicy attributes
address-pools value CR_IP_POOL
tunnel-group DefaultRAGroup general-attributes
address-pool CR_IP_POOL
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool CR_IP_POOL
no crypto isakmp enable inside
access-list Local_LAN_Access extended permit ip 10.1.156.0 255.255.254.0 any
no access-list Local_LAN_Access extended permit ip 10.1.156.0 255.255.254.0 10.1.156.0 255.255.254.0

See if that helps...
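As an added example that is not part of the thread (and not Cisco's code), the Python script below checks the two things the comments above hinge on: whether the `ip local pool` overlaps the inside interface subnet, as decoleur describes, and whether the `nat (inside) 0` exemption ACL covers inside-to-client traffic. It then emits the same detach / recreate / reattach sequence as the accepted answer, using the 192.168.70.0/24 pool that answer proposes. The sample input is a constructed extract of the configuration posted in the question. The function names (`audit`, `fix_commands`, `pool_overlaps`, `nat0_covers`) and the extra `access-list inside_nat0_outbound` entry for the new pool are my additions: the accepted answer does not add that ACE, and it only matters if a translation rule would otherwise catch inside-to-client traffic (the posted config has `global (outside) 1 interface` but no matching `nat (inside) 1`, so it is a precaution against one being added later). The script does not reproduce the answer's `no crypto isakmp enable inside` or the Local_LAN_Access change.

```python
"""Audit an ASA remote-access pool against the inside subnet and the nat 0 ACL.
Added example, not code from the thread or from Cisco."""
import ipaddress
import re

# Constructed sample: the relevant lines of the configuration posted in the question.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.1.156.4 255.255.254.0
access-list inside_nat0_outbound extended permit ip 10.1.156.0 255.255.254.0 10.1.156.0 255.255.254.0
ip local pool CR_IP_POOL 10.1.156.200-10.1.156.225 mask 255.255.254.0
group-policy DfltGrpPolicy attributes
 address-pools value CR_IP_POOL
tunnel-group DefaultRAGroup general-attributes
 address-pool CR_IP_POOL
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool CR_IP_POOL
"""
ACCEPTED_ANSWER_POOL = ipaddress.IPv4Network("192.168.70.0/24")  # pool proposed in the accepted answer

def parse_interfaces(config):
    """Map nameif -> IPv4Interface for each interface block that has an address."""
    result, nameif = {}, None
    for line in config.splitlines():
        m_name = re.match(r"\s+nameif (\S+)", line)
        m_addr = re.match(r"\s+ip address (\S+) (\S+)", line)
        if line.startswith("interface "):
            nameif = None
        elif m_name:
            nameif = m_name.group(1)
        elif m_addr and nameif:
            result[nameif] = ipaddress.IPv4Interface(f"{m_addr.group(1)}/{m_addr.group(2)}")
    return result

def parse_pool(config, name):
    """Return (first, last) addresses of the named 'ip local pool'."""
    m = re.search(rf"^ip local pool {re.escape(name)} ([^-\s]+)-(\S+) mask", config, re.M)
    return ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))

def _address_object(tokens):
    """Consume one ACE address object: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_ip_aces(config, acl_name):
    """Return (src, dst) network pairs for the 'permit ip' entries of an ACL."""
    pat = re.compile(rf"^access-list {re.escape(acl_name)} extended permit ip (.+)$", re.M)
    aces = []
    for m in pat.finditer(config):
        src, rest = _address_object(m.group(1).split())
        aces.append((src, _address_object(rest)[0]))
    return aces

def pool_overlaps(first, last, network):
    """True if any address of the inclusive range first..last lies inside network."""
    return first <= network.broadcast_address and last >= network.network_address

def nat0_covers(aces, inside_net, first, last):
    """True if one ACE exempts inside_net -> the whole pool range from translation."""
    pool_nets = list(ipaddress.summarize_address_range(first, last))
    return any(inside_net.subnet_of(src) and all(n.subnet_of(dst) for n in pool_nets)
               for src, dst in aces)

def pool_references(config, pool_name):
    """Headers of the group-policy / tunnel-group blocks that attach the pool."""
    refs, header = [], None
    for line in config.splitlines():
        if not line.startswith(" "):
            header = line
        elif re.match(rf"\s+address-pools? (value )?{re.escape(pool_name)}\b", line):
            refs.append(header)
    return refs

def fix_commands(config, pool_name, new_pool, inside_net, nat0_acl):
    """Detach the pool, recreate it on new_pool, reattach it, and exempt it from NAT."""
    refs = pool_references(config, pool_name)
    def keyword(hdr):  # group-policy and tunnel-group use different attach syntax
        return "address-pools value" if hdr.startswith("group-policy") else "address-pool"
    cmds = [c for hdr in refs for c in (hdr, f" no {keyword(hdr)} {pool_name}")]
    cmds += [f"no ip local pool {pool_name}",
             f"ip local pool {pool_name} {new_pool[1]}-{new_pool[-2]} mask {new_pool.netmask}"]
    cmds += [c for hdr in refs for c in (hdr, f" {keyword(hdr)} {pool_name}")]
    # Assumption (not in the accepted answer): inside -> client traffic must stay untranslated.
    cmds.append(f"access-list {nat0_acl} extended permit ip {inside_net.network_address} "
                f"{inside_net.netmask} {new_pool.network_address} {new_pool.netmask}")
    return cmds

def audit(config, pool_name, inside_if="inside", nat0_acl="inside_nat0_outbound"):
    """Run both checks against the named pool."""
    inside = parse_interfaces(config)[inside_if].network
    first, last = parse_pool(config, pool_name)
    return {"pool_overlaps_inside": pool_overlaps(first, last, inside),
            "nat0_exempts_pool": nat0_covers(parse_ip_aces(config, nat0_acl), inside, first, last)}
```

Calling `audit(SAMPLE_CONFIG, "CR_IP_POOL")` reports both findings as true for the posted config: the pool sits inside 10.1.156.0/23, and the existing nat 0 entry only "covers" it because of that overlap. Re-running `pool_overlaps` and `nat0_covers` with the 192.168.70.0/24 pool shows the overlap gone and the exemption missing, which is what the appended ACE fixes. `fix_commands(...)` returns the CLI in paste order; the detach lines come first because the ASA refuses `no ip local pool` while a tunnel-group or group-policy still references the pool.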
Expert Comment

by:ricks_v
ID: 22966205
The best way to troubleshoot this is to use the command:
sysopt connection permit-vpn

What it does, basically, is bypass the ACL for all IPsec traffic, so now you only need to analyse your IPsec / crypto map, IKE and other VPN-related settings.

Please provide some logs from the local or remote ASA if it is still not working.