Solved

Need LAN access through Cisco VPN Remote client connected to Cisco ASA 5505

Posted on 2009-03-30
4
1,691 Views
Last Modified: 2012-06-22
I inherited a customer who has a Cisco ASA 5505 as their sole firewall.  I did not change the basic configuration of it.  Using ADSM 6.0 and version 5 of the Cisco VPN client, I'm trying to establish full network connectivity from a remote computer to network resources inside the LAN.  I have used the wizard and followed these directions (http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/rem_acc.html) completely.  The VPN policy connects without issue, but I cannot ping any resources within my LAN, including the inside of the 5505 itself.  Ping does work inside on these resources.  I'm using a Sprint Mobile Broadband card for Internet access, so there shouldn't be any "ipsec passthrough" issues on the client side.

I've copied my running config and changed any private information, such as domain names and IP addresses.  What is missing that is blocking connectivity?

I know only the basics when it comes to Cisco IOS configuration...I'm much more familiar with NetScreen, SonicWall, Linksys, etc.  So go easy on me please.  I can certainly enter commands via command line if instructed.  

I also haven't posted a question on EE in several years, so let me know if I'm doing something wrong.  Thanks in advance.

Michael
: Saved
:
ASA Version 8.0(2) 
!
hostname ASA5505
domain-name corp.domain.com
enable password --------------- encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.0.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ------------ encrypted
banner login This is a Private network and is intended only for authorized use.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 1.2.3.10
 name-server 1.2.3.11
 domain-name corp.domain.com
object-group network outside_block_ads_01
 description doubleclick akamai etc bandwidth wasters
 network-object 205.234.225.0 255.255.255.0
access-list outside_access_in remark Stop ADS sites
access-list outside_access_in extended deny ip 205.234.225.0 255.255.255.0 10.10.0.0 255.255.0.0 inactive 
access-list outside_access_in extended permit tcp any interface outside eq smtp 
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list outside_access_in extended permit tcp any interface outside eq https 
access-list CustomVPN-tunnel_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0 
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 209.165.201.0 255.255.255.224 
pager lines 24
logging enable
logging asdm informational
logging from-address asa5505@domain.com
logging recipient-address tech@domain.com level errors
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.10.10.31 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface www 10.10.10.31 www netmask 255.255.255.255 
static (inside,outside) tcp interface https 10.10.10.31 https netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou allow none
http server enable
http 10.10.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 outside
http 172.16.0.0 255.255.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Login AAA LOCAL on ASA5505 
auth-prompt accept Welcome VPN user 
auth-prompt reject Password rejected 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-DES-SHA ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 15
management-access inside
dhcpd lease 86400
dhcpd domain corp.domain.com
dhcpd update dns 
dhcpd option 4 ip 10.10.10.10
!
dhcpd address 10.10.10.101-10.10.10.199 inside
dhcpd dns 10.10.10.30 interface inside
dhcpd lease 86400 interface inside
dhcpd domain corp.domain.com interface inside
dhcpd update dns interface inside
dhcpd option 4 ip 10.10.10.1 interface inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
tftp-server inside 10.10.10.30 /ciscoasa5505.cfg
webvpn
 port 444
 dtls port 444
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 internal-password enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec 
group-policy CustomVPN-tunnel internal
group-policy CustomVPN-tunnel attributes
 dns-server value 10.10.10.30
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain value corp.domain.com
username michael password ------------- encrypted privilege 0
username michael attributes
 vpn-group-policy CustomVPN-tunnel
tunnel-group CustomVPN-tunnel type remote-access
tunnel-group CustomVPN-tunnel general-attributes
 address-pool RemoteClientPool
 default-group-policy CustomVPN-tunnel
tunnel-group CustomVPN-tunnel ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group OldVpnGroup
smtp-server 1.2.3.20
prompt hostname context 
Cryptochecksum:ce1dcffe9cc09b35dfd61c01bb0ed3ce
: end
asdm image disk0:/asdm-602.bin
no asdm history enable

Open in new window

0
Comment
Question by:brown705
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 2

Expert Comment

by:faster4233
ID: 24027095
Hi,

We had a similar problem connecting the Cisco VPN Client to an ASA 5505.

After alot of messing about we worked out that it was neither the client or the ASA with the problem, but the Netgear DG834 we had providing the ADSL connection.

Version 1, 2 and 3 of the DG834 had similar results, but when we tried V4 it worked absolutly fine.  All DG834s where updated to the latest firmware.

Just throwing it out there.
0
 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24027118
You do not have split tunneling configured so all your local traffic is routed through the vpn tunnel. you can enable split tunneling by defining specific subnets for which you want to allow access through the tunnel or if your policy is not to allow split tunneling you can enable local access. I am attaching a doc explaining local access.
local-lan-pix-asa.pdf
0
 
LVL 7

Accepted Solution

by:
Ilir Mitrushi earned 250 total points
ID: 24027196
By the way you have an acl defining split tunneling no your config but it is not applied.
access-list CustomVPN-tunnel_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
If you want to enable split tunneling you can aply this list

group-policy CustomVPN-tunnel attributes
  split-tunnel-network-list value CustomVPN-tunnel_splitTunnelAcl


0
 

Author Closing Comment

by:brown705
ID: 31564687
@mitrushi:

Thanks for your help.  I think I activated the split tunneling within the ADSM after I copied the running config.  Enabling that policy did indeed allow local LAN and Internet access with the tunnel connected.  As far as accessing remote resources over the VPN, it works now...and I didn't really change anything other than restarting the client computer again.  I awarded the points to you because of the helpful comments you made about activating the split tunneling.  Thanks.
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Suggested Courses

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question