brown705
asked on
Need LAN access through Cisco VPN Remote client connected to Cisco ASA 5505
I inherited a customer who has a Cisco ASA 5505 as their sole firewall. I did not change the basic configuration of it. Using ADSM 6.0 and version 5 of the Cisco VPN client, I'm trying to establish full network connectivity from a remote computer to network resources inside the LAN. I have used the wizard and followed these directions (http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/rem_acc.html) completely. The VPN policy connects without issue, but I cannot ping any resources within my LAN, including the inside of the 5505 itself. Ping does work inside on these resources. I'm using a Sprint Mobile Broadband card for Internet access, so there shouldn't be any "ipsec passthrough" issues on the client side.
I've copied my running config and changed any private information, such as domain names and IP addresses. What is missing that is blocking connectivity?
I know only the basics when it comes to Cisco IOS configuration...I'm much more familiar with NetScreen, SonicWall, Linksys, etc. So go easy on me please. I can certainly enter commands via command line if instructed.
I also haven't posted a question on EE in several years, so let me know if I'm doing something wrong. Thanks in advance.
Michael
I've copied my running config and changed any private information, such as domain names and IP addresses. What is missing that is blocking connectivity?
I know only the basics when it comes to Cisco IOS configuration...I'm much more familiar with NetScreen, SonicWall, Linksys, etc. So go easy on me please. I can certainly enter commands via command line if instructed.
I also haven't posted a question on EE in several years, so let me know if I'm doing something wrong. Thanks in advance.
Michael
: Saved
:
ASA Version 8.0(2)
!
hostname ASA5505
domain-name corp.domain.com
enable password --------------- encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.2.3.4 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd ------------ encrypted
banner login This is a Private network and is intended only for authorized use.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 1.2.3.10
name-server 1.2.3.11
domain-name corp.domain.com
object-group network outside_block_ads_01
description doubleclick akamai etc bandwidth wasters
network-object 205.234.225.0 255.255.255.0
access-list outside_access_in remark Stop ADS sites
access-list outside_access_in extended deny ip 205.234.225.0 255.255.255.0 10.10.0.0 255.255.0.0 inactive
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq https
access-list CustomVPN-tunnel_splitTunnelAcl standard permit 10.10.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 209.165.201.0 255.255.255.224
pager lines 24
logging enable
logging asdm informational
logging from-address asa5505@domain.com
logging recipient-address tech@domain.com level errors
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 209.165.201.1-209.165.201.20
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.10.10.31 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.10.10.31 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.10.10.31 https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou allow none
http server enable
http 10.10.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 outside
http 172.16.0.0 255.255.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Login AAA LOCAL on ASA5505
auth-prompt accept Welcome VPN user
auth-prompt reject Password rejected
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-DES-SHA ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
client-update enable
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.10.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 15
management-access inside
dhcpd lease 86400
dhcpd domain corp.domain.com
dhcpd update dns
dhcpd option 4 ip 10.10.10.10
!
dhcpd address 10.10.10.101-10.10.10.199 inside
dhcpd dns 10.10.10.30 interface inside
dhcpd lease 86400 interface inside
dhcpd domain corp.domain.com interface inside
dhcpd update dns interface inside
dhcpd option 4 ip 10.10.10.1 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tftp-server inside 10.10.10.30 /ciscoasa5505.cfg
webvpn
port 444
dtls port 444
svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
internal-password enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy CustomVPN-tunnel internal
group-policy CustomVPN-tunnel attributes
dns-server value 10.10.10.30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value corp.domain.com
username michael password ------------- encrypted privilege 0
username michael attributes
vpn-group-policy CustomVPN-tunnel
tunnel-group CustomVPN-tunnel type remote-access
tunnel-group CustomVPN-tunnel general-attributes
address-pool RemoteClientPool
default-group-policy CustomVPN-tunnel
tunnel-group CustomVPN-tunnel ipsec-attributes
pre-shared-key *
tunnel-group-map default-group OldVpnGroup
smtp-server 1.2.3.20
prompt hostname context
Cryptochecksum:ce1dcffe9cc09b35dfd61c01bb0ed3ce
: end
asdm image disk0:/asdm-602.bin
no asdm history enable
You do not have split tunneling configured so all your local traffic is routed through the vpn tunnel. you can enable split tunneling by defining specific subnets for which you want to allow access through the tunnel or if your policy is not to allow split tunneling you can enable local access. I am attaching a doc explaining local access.
local-lan-pix-asa.pdf
local-lan-pix-asa.pdf
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
@mitrushi:
Thanks for your help. I think I activated the split tunneling within the ADSM after I copied the running config. Enabling that policy did indeed allow local LAN and Internet access with the tunnel connected. As far as accessing remote resources over the VPN, it works now...and I didn't really change anything other than restarting the client computer again. I awarded the points to you because of the helpful comments you made about activating the split tunneling. Thanks.
Thanks for your help. I think I activated the split tunneling within the ADSM after I copied the running config. Enabling that policy did indeed allow local LAN and Internet access with the tunnel connected. As far as accessing remote resources over the VPN, it works now...and I didn't really change anything other than restarting the client computer again. I awarded the points to you because of the helpful comments you made about activating the split tunneling. Thanks.
We had a similar problem connecting the Cisco VPN Client to an ASA 5505.
After alot of messing about we worked out that it was neither the client or the ASA with the problem, but the Netgear DG834 we had providing the ADSL connection.
Version 1, 2 and 3 of the DG834 had similar results, but when we tried V4 it worked absolutly fine. All DG834s where updated to the latest firmware.
Just throwing it out there.