Solved

Need LAN access through Cisco VPN Remote client connected to Cisco ASA 5505

Posted on 2009-03-30
1,682 Views
Last Modified: 2012-06-22
I inherited a customer who has a Cisco ASA 5505 as their sole firewall.  I did not change the basic configuration of it.  Using ASDM 6.0 and version 5 of the Cisco VPN client, I'm trying to establish full network connectivity from a remote computer to network resources inside the LAN.  I have used the wizard and followed these directions (http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/rem_acc.html) completely.  The VPN policy connects without issue, but I cannot ping any resources within my LAN, including the inside of the 5505 itself.  Ping does work inside on these resources.  I'm using a Sprint Mobile Broadband card for Internet access, so there shouldn't be any "ipsec passthrough" issues on the client side.

I've copied my running config and changed any private information, such as domain names and IP addresses.  What is missing that is blocking connectivity?

I know only the basics when it comes to Cisco IOS configuration...I'm much more familiar with NetScreen, SonicWall, Linksys, etc.  So go easy on me please.  I can certainly enter commands via command line if instructed.  

I also haven't posted a question on EE in several years, so let me know if I'm doing something wrong.  Thanks in advance.

Michael
: Saved
:
ASA Version 8.0(2)
!
hostname ASA5505
domain-name corp.domain.com
enable password --------------- encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ------------ encrypted
banner login This is a Private network and is intended only for authorized use.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 1.2.3.10
 name-server 1.2.3.11
 domain-name corp.domain.com
object-group network outside_block_ads_01
 description doubleclick akamai etc bandwidth wasters
 network-object 205.234.225.0 255.255.255.0
access-list outside_access_in remark Stop ADS sites
access-list outside_access_in extended deny ip 205.234.225.0 255.255.255.0 10.10.0.0 255.255.0.0 inactive
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list CustomVPN-tunnel_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 209.165.201.0 255.255.255.224
pager lines 24
logging enable
logging asdm informational
logging from-address asa5505@domain.com
logging recipient-address tech@domain.com level errors
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.10.10.31 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.10.10.31 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.10.10.31 https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou allow none
http server enable
http 10.10.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 outside
http 172.16.0.0 255.255.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Login AAA LOCAL on ASA5505
auth-prompt accept Welcome VPN user
auth-prompt reject Password rejected
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-DES-SHA ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 15
management-access inside
dhcpd lease 86400
dhcpd domain corp.domain.com
dhcpd update dns
dhcpd option 4 ip 10.10.10.10
!
dhcpd address 10.10.10.101-10.10.10.199 inside
dhcpd dns 10.10.10.30 interface inside
dhcpd lease 86400 interface inside
dhcpd domain corp.domain.com interface inside
dhcpd update dns interface inside
dhcpd option 4 ip 10.10.10.1 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
tftp-server inside 10.10.10.30 /ciscoasa5505.cfg
webvpn
 port 444
 dtls port 444
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 internal-password enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CustomVPN-tunnel internal
group-policy CustomVPN-tunnel attributes
 dns-server value 10.10.10.30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain value corp.domain.com
username michael password ------------- encrypted privilege 0
username michael attributes
 vpn-group-policy CustomVPN-tunnel
tunnel-group CustomVPN-tunnel type remote-access
tunnel-group CustomVPN-tunnel general-attributes
 address-pool RemoteClientPool
 default-group-policy CustomVPN-tunnel
tunnel-group CustomVPN-tunnel ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group OldVpnGroup
smtp-server 1.2.3.20
prompt hostname context
Cryptochecksum:ce1dcffe9cc09b35dfd61c01bb0ed3ce
: end
asdm image disk0:/asdm-602.bin
no asdm history enable


0
Question by:brown705
4 Comments
 
LVL 2

Expert Comment

by:faster4233
ID: 24027095
Hi,

We had a similar problem connecting the Cisco VPN Client to an ASA 5505.

After a lot of messing about we worked out that it was neither the client nor the ASA that had the problem, but the Netgear DG834 we had providing the ADSL connection.

Versions 1, 2 and 3 of the DG834 had similar results, but when we tried V4 it worked absolutely fine.  All DG834s were updated to the latest firmware.

Just throwing it out there.
0
 
LVL 7

Expert Comment

by:mitrushi
ID: 24027118
You do not have split tunneling configured, so all your local traffic is routed through the VPN tunnel. You can enable split tunneling by defining specific subnets for which you want to allow access through the tunnel, or, if your policy is not to allow split tunneling, you can enable local access. I am attaching a doc explaining local access.
local-lan-pix-asa.pdf
0
 
LVL 7

Accepted Solution

by:
mitrushi earned 250 total points
ID: 24027196
By the way, you have an ACL defining split tunneling in your config, but it is not applied:
access-list CustomVPN-tunnel_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
If you want to enable split tunneling you can apply this list:

group-policy CustomVPN-tunnel attributes
  split-tunnel-network-list value CustomVPN-tunnel_splitTunnelAcl


0
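The accepted answer points at the one line in the posted config that keeps the tunnel empty: the group policy says split-tunnel-policy tunnelspecified but split-tunnel-network-list none, so the client is handed no secured routes and nothing for 10.10.0.0/16 ever enters the tunnel. The same class of mistake (a split-tunnel list that is not bound, or a nat 0 exemption that does not cover the client pool) is easy to check mechanically. The script below is an added example written for this page, not code from the thread or from Cisco; the parser, the function names and the trimmed SAMPLE_CONFIG (a constructed copy of only the statements from the question that matter here) are my own, and it handles just the ASA 8.x statement forms shown in the thread.

```python
"""Audit an ASA 8.x running-config for the remote-access split-tunnel and
NAT-exemption mistakes discussed in this thread. Added example for this page;
parser and function names are the author's, not Cisco's."""
import ipaddress
import re

# Constructed sample: a trimmed copy of the relevant lines from the question.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.10.1.1 255.255.0.0
access-list CustomVPN-tunnel_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 209.165.201.0 255.255.255.224
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20
nat (inside) 0 access-list inside_nat0_outbound
group-policy CustomVPN-tunnel internal
group-policy CustomVPN-tunnel attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
tunnel-group CustomVPN-tunnel general-attributes
 address-pool RemoteClientPool
 default-group-policy CustomVPN-tunnel
"""


def _net(addr, mask):
    """'10.10.1.1', '255.255.0.0' -> IPv4Network('10.10.0.0/16')."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Minimal parser for the statements the audit needs. Indented lines are
    attributes of the most recent unindented section line (ASA convention)."""
    cfg = {"interfaces": {}, "group_policies": {}, "tunnel_groups": {},
           "pools": {}, "std_acls": {}, "ext_acls": {}, "nat0_acl": None}
    section = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        line = raw.strip()
        if raw.startswith(" "):                      # attribute line
            if section is None:
                continue
            kind, name = section
            if kind == "interface":
                if m := re.match(r"nameif (\S+)$", line):
                    cfg["interfaces"][name]["nameif"] = m.group(1)
                elif m := re.match(r"ip address (\S+) (\S+)$", line):
                    cfg["interfaces"][name]["net"] = _net(*m.groups())
            else:  # group-policy / tunnel-group: "<keyword> <rest>"; later lines override
                key, _, value = line.partition(" ")
                cfg[kind][name][key] = value
            continue
        section = None
        if m := re.match(r"interface (\S+)$", line):
            section = ("interface", m.group(1))
            cfg["interfaces"].setdefault(m.group(1), {})
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            section = ("group_policies", m.group(1))
            cfg["group_policies"].setdefault(m.group(1), {})
        elif m := re.match(r"tunnel-group (\S+) general-attributes$", line):
            section = ("tunnel_groups", m.group(1))
            cfg["tunnel_groups"].setdefault(m.group(1), {})
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
            cfg["std_acls"].setdefault(m.group(1), []).append(_net(m.group(2), m.group(3)))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["ext_acls"].setdefault(m.group(1), []).append(
                (_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            cfg["nat0_acl"] = m.group(1)
    return cfg


def audit_remote_access(cfg, tunnel_group):
    """Return a list of findings for one remote-access tunnel-group; [] = clean."""
    findings = []
    tg = cfg["tunnel_groups"].get(tunnel_group, {})
    gp_name = tg.get("default-group-policy", "DfltGrpPolicy")
    gp = cfg["group_policies"].get(gp_name, {})
    net_list = gp.get("split-tunnel-network-list", "none")
    if gp.get("split-tunnel-policy", "tunnelall") == "tunnelspecified":
        if net_list == "none":
            findings.append(f"{gp_name}: split-tunnel-policy tunnelspecified with "
                            "split-tunnel-network-list none: client gets no secured routes")
        elif net_list.split()[-1] not in cfg["std_acls"]:
            findings.append(f"{gp_name}: split-tunnel list {net_list.split()[-1]} is not defined")
    inside = next((i for i in cfg["interfaces"].values()
                   if i.get("nameif") == "inside" and "net" in i), None)
    pool = cfg["pools"].get(tg.get("address-pool", ""))
    if pool and inside:
        lo, hi = pool
        nat0 = cfg["ext_acls"].get(cfg["nat0_acl"] or "", [])
        if not any(inside["net"].subnet_of(src) and lo in dst and hi in dst for src, dst in nat0):
            findings.append("nat (inside) 0 exemption does not cover inside -> VPN pool; "
                            "replies to VPN clients would be translated and dropped")
    return findings


def split_tunnel_fix(gp_name, acl_name):
    """CLI lines that bind an existing standard ACL to the group policy (the accepted answer)."""
    return [f"group-policy {gp_name} attributes",
            f" split-tunnel-network-list value {acl_name}"]


def apply_fix(text, gp_name, acl_name):
    """Simulate entering the fix: a later statement for the same attribute replaces the earlier one."""
    return text + "\n".join(split_tunnel_fix(gp_name, acl_name)) + "\n"


if __name__ == "__main__":
    print("before:", audit_remote_access(parse_config(SAMPLE_CONFIG), "CustomVPN-tunnel"))
    fixed = apply_fix(SAMPLE_CONFIG, "CustomVPN-tunnel", "CustomVPN-tunnel_splitTunnelAcl")
    print("after: ", audit_remote_access(parse_config(fixed), "CustomVPN-tunnel"))
```

Run against the sample it reports the unbound split-tunnel list; after the two lines from the accepted answer are appended it reports nothing. Deleting the nat (inside) 0 line from the sample produces the second finding, which is the other common reason a connected client cannot reach the LAN: the ASA translates the return traffic with the interface PAT instead of sending it back into the tunnel.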
 

Author Closing Comment

by:brown705
ID: 31564687
@mitrushi:

Thanks for your help.  I think I activated the split tunneling within the ASDM after I copied the running config.  Enabling that policy did indeed allow local LAN and Internet access with the tunnel connected.  As far as accessing remote resources over the VPN, it works now...and I didn't really change anything other than restarting the client computer again.  I awarded the points to you because of the helpful comments you made about activating the split tunneling.  Thanks.
0
