Solved

Cisco ASA 5505 VPN won't allow access to inside network

Posted on 2009-04-12
5
709 Views
Last Modified: 2012-05-06
We have a small business server that we are using a Cisco ASA 5505 with. We have the ASA authenticating with the SBS 2003 server. The problem we are running into is that we can't talk to the inside network after the VPN authenticates. It will prompt for username and password, authenticate, and then won't allow internal access. We thought the isakmp nat traversal part would fix it, but that didn't seem to help.

Thanks in advance. Show run is below.

ASA Version 7.2(3)
!
hostname ciscoasa
domain-name asa.******.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name asa.*****.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.240
access-list RemoteVPN_splitTunnelAcl standard permit any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNdhcp 192.168.10.2-192.168.10.11 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server WindowsAuth protocol nt
aaa-server WindowsAuth host 192.168.1.10
 timeout 5
 nt-auth-domain-controller server
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.1.10 X.X.X.X interface inside
dhcpd domain ******.local interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
 dns-server value 192.168.1.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteVPN_splitTunnelAcl
username user1 password KjQCkgbGUCMRig8J encrypted privilege 15
tunnel-group RemoteVPN type ipsec-ra
tunnel-group RemoteVPN general-attributes
 address-pool VPNdhcp
 authentication-server-group WindowsAuth
 default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:ca84e97182a892c5fc1d67be92abede3
: end
ciscoasa#

0
Question by:K6465
5 Comments
 
LVL 13

Expert Comment

by:Quori
If you ping some part of your inside address range, how far can you get? At least to the inside interface of the ASA?

I am not as experienced with ASAs as some of the guys here, but am going to take a stab at it being one (if not both) of the following:
1) Security level traffic flow. Traffic cannot flow upwards in security level unless permitted to do so. You'll need to set up ACLs for this.
2) There is no default gateway specified for 'tunneled' users, i.e.: ip route 0.0.0.0 0.0.0.0 <next hop> tunneled
0
 
LVL 7

Expert Comment

by:mitrushi
Remove "nat (inside) 0 access-list inside_nat0_outbound" and try. NAT exempt is not needed for remote VPN; the ASA takes care of it automatically. You can use the packet tracer to identify where the traffic flow is broken and why.
0
 
LVL 79

Expert Comment

by:lrmoore
>remove "nat (inside) 0 access-list inside_nat0_outbound" and try. nat exempt is not needed for remote vpn, asa takes care of it automatically.
This is not true. You need to keep the nat (inside) 0 command.

Since your internal network is 192.168.1.x, you could have an IP address overlap. What is the LAN IP address of the client? 90% chance it is also 192.168.1.0. I highly suggest changing the inside network on the ASA if you are going to be supporting many VPN clients.
0
 
LVL 2

Expert Comment

by:e3user
Hey there,

According to your config, here's what you have to do:

Add these access-lists:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 192.168.10.0 255.255.255.0
access-list RemoteVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

Remove these access-lists after making sure the new ones were created:

no access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.240
no access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.240
no access-list RemoteVPN_splitTunnelAcl standard permit any
0
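The thread above turns on three things a reviewer can check offline from the posted show run: whether the remote-access pool is actually covered by the nat (inside) 0 exemption ACL (e3user's point), whether the split-tunnel ACL lists the inside network or is just "permit any", and whether the VPN pool collides with the inside subnet (the ASA-side half of lrmoore's overlap warning; the client's own LAN is not visible from the config). The script below is an added example written for this page, not the poster's config or any Cisco tool. It parses only the ASA 7.x line forms that appear in the question (network/mask and any; no host or object-group entries), and the sample config embedded in it is a constructed trim of the posted one, plus a second, constructed variant in which the pool has been grown past the /28 the exemption ACL covers.

```python
"""Offline sanity checks for an ASA 7.x remote-access VPN configuration.

Added example for this thread; assumes the classic pre-8.3 syntax seen in
the question (nat (inside) 0 access-list ..., ip local pool ...).
"""
import ipaddress
import re

# Constructed sample: the relevant lines of the posted show run, trimmed.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.240
access-list RemoteVPN_splitTunnelAcl standard permit any
ip local pool VPNdhcp 192.168.10.2-192.168.10.11 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

# Constructed failure case: pool widened to .2-.30, but the exemption ACL still
# only covers 192.168.10.0/28 (.0-.15), so some VPN clients get NATed/dropped.
BAD_CONFIG = SAMPLE_CONFIG.replace("192.168.10.2-192.168.10.11",
                                   "192.168.10.2-192.168.10.30")


def _net(addr, mask):
    """Turn an ASA 'address mask' pair (or the keyword any) into a network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _consume(tokens):
    """Pull one ACL address operand ('any' or 'addr mask') off the token list."""
    if tokens[0] == "any":
        return _net("any", None), tokens[1:]
    return _net(tokens[0], tokens[1]), tokens[2:]


def inside_subnet(cfg):
    """Subnet of the interface whose nameif is 'inside'."""
    m = re.search(r"nameif inside\n(?:.*\n)*? ip address (\S+) (\S+)", cfg)
    if not m:
        raise ValueError("no inside interface with an ip address")
    return _net(m.group(1), m.group(2))


def local_pool(cfg, name):
    """Address blocks making up the named 'ip local pool' range."""
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+)-(\S+) mask", cfg, re.M)
    if not m:
        raise ValueError(f"pool {name} not found")
    start, end = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    return list(ipaddress.summarize_address_range(start, end))


def nat_exempt_entries(cfg):
    """(src, dst) networks of the ACL bound by 'nat (inside) 0 access-list'."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if not m:
        return []
    entries = []
    for line in cfg.splitlines():
        t = line.split()
        if t[:5] == ["access-list", m.group(1), "extended", "permit", "ip"]:
            src, rest = _consume(t[5:])
            dst, _ = _consume(rest)
            entries.append((src, dst))
    return entries


def split_tunnel_networks(cfg, acl_name):
    """Networks listed by a standard split-tunnel ACL."""
    nets = []
    for line in cfg.splitlines():
        t = line.split()
        if t[:4] == ["access-list", acl_name, "standard", "permit"]:
            nets.append(_net(t[4], t[5] if len(t) > 5 else None))
    return nets


def audit(cfg, pool_name, split_acl):
    """Run the three checks discussed in the thread and return the findings."""
    inside = inside_subnet(cfg)
    pool = local_pool(cfg, pool_name)
    exempt = nat_exempt_entries(cfg)
    split = split_tunnel_networks(cfg, split_acl)
    return {
        # VPN pool must not sit inside the LAN the clients are trying to reach.
        "pool_overlaps_inside": any(p.overlaps(inside) for p in pool),
        # Every pool block needs an inside->pool entry so traffic is not NATed.
        "pool_nat_exempt": all(
            any(p.subnet_of(dst) and inside.subnet_of(src) for src, dst in exempt)
            for p in pool),
        # 'tunnelspecified' with only 'permit any' means nothing is split.
        "split_tunnel_covers_inside": any(inside.subnet_of(n) for n in split),
        "split_tunnel_is_any": any(n.prefixlen == 0 for n in split),
    }


if __name__ == "__main__":
    for label, cfg in (("posted config", SAMPLE_CONFIG), ("pool past /28", BAD_CONFIG)):
        print(label, audit(cfg, "VPNdhcp", "RemoteVPN_splitTunnelAcl"))
```

On the posted config the pool is exempt from NAT and does not overlap the inside subnet, which is consistent with the thread's eventual conclusion that the ACLs were not the cause; the split-tunnel ACL is flagged as "permit any". The constructed second config shows the failure mode e3user's wider ACL guards against: once the pool extends beyond .15, part of it falls outside the /28 exemption and the check fails.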
 

Accepted Solution

by:K6465 earned 0 total points
Adding this line ended up fixing the issue.

crypto isakmp nat-traversal  20
0
