• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 741

Cisco ASA 5505 VPN won't allow access to inside network

We have a small business server that we are using a Cisco ASA 5505 with. We have the ASA authenticating with the SBS 2003 server. The problem we are running into is that we can't talk to the inside network after the VPN authenticates. It will prompt for username and password, authenticate, and then won't allow internal access. Thought the isakmp nat traversal part would fix it, but that didn't seem to help.

Thanks in advance. Show run is below.
ASA Version 7.2(3)
hostname ciscoasa
domain-name asa.******.local
enable password 8Ry2YjIyt7RRXU24 encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.X
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name asa.*****.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list RemoteAccess_splitTunnelAcl standard permit 255.255.255
access-list inside_nat0_outbound extended permit ip 19
access-list inside_nat0_outbound extended permit ip any 255.255.255
access-list RemoteVPN_splitTunnelAcl standard permit any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNdhcp mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
route outside X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server WindowsAuth protocol nt
aaa-server WindowsAuth host
 timeout 5
 nt-auth-domain-controller server
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address inside
dhcpd dns X.X.X.X interface inside
dhcpd domain ******.local interface inside
dhcpd enable inside
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteVPN_splitTunnelAcl
username user1 password KjQCkgbGUCMRig8J encrypted privilege 15
tunnel-group RemoteVPN type ipsec-ra
tunnel-group RemoteVPN general-attributes
 address-pool VPNdhcp
 authentication-server-group WindowsAuth
 default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key *
prompt hostname context
: end


1 Solution
If you ping some part of your inside address range, how far can you get? At least to the inside interface of the ASA?

I am not as experienced with ASAs as some of the guys here, but am going to take a stab at it being one (if not both) of the following:
1) Security level traffic flow. Traffic cannot flow upwards in security level unless permitted to do so. You'll need to set up ACLs for this.
2) There is no default gateway specified for 'tunneled' users. IE: ip route <next hop> tunneled
Ilir Mitrushi, IT Infrastructure and Security Architect, commented:
remove "nat (inside) 0 access-list inside_nat0_outbound" and try. nat exempt is not needed for remote vpn, asa takes care of it automatically. You can use the packet tracer to identify where the traffic flow is broken and why.
>remove "nat (inside) 0 access-list inside_nat0_outbound" and try. nat exempt is not needed for remote vpn, asa takes care of it automatically.
This is not true. You need to keep the nat (inside) 0 command.

Since your internal network is 192.168.1.x, you could have an IP address overlap. What is the LAN IP address of the client? 90% chance it is also. Highly suggest changing the inside network on the ASA if you are going to be supporting many VPN clients.
hey there,

according to your config here's what you have to do:

add these access-lists:

access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list RemoteVPN_splitTunnelAcl standard permit

remove these Access-lists after making sure the new ones were created:

no access-list inside_nat0_outbound extended permit ip
no access-list inside_nat0_outbound extended permit ip any
no access-list RemoteVPN_splitTunnelAcl standard permit any
K6465 (Author) commented:
Adding this line ended up fixing the issue.

crypto isakmp nat-traversal  20
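An added check, not code from the thread, that runs over a constructed ASA 7.x config fragment and tests the points the replies raise: NAT-T enabled (the fix the author found), the nat 0 exemption still present, and the VPN pool overlapping the inside subnet or the remote user's home LAN. The client_lan value and all addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample running-config fragment (illustrative addresses;
# not the configuration posted in the thread).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.192 255.255.255.224
ip local pool VPNdhcp 192.168.1.200-192.168.1.220 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto isakmp nat-traversal 20
"""


def inside_network(config):
    """Subnet configured on the interface whose nameif is 'inside', or None."""
    m = re.search(r"^ nameif inside\n(?: .*\n)*? ip address (\S+) (\S+)", config, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False) if m else None


def vpn_pool(config):
    """Networks covering the first 'ip local pool' range, or [] if none."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    if not m:
        return []
    first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    return list(ipaddress.summarize_address_range(first, last))


def audit_ra_vpn(config, client_lan="192.168.1.0/24"):
    """Return the findings the replies point at; client_lan is the assumed
    home LAN of the remote user (the overlap case raised in the thread)."""
    r = {"nat_traversal": bool(re.search(r"^crypto isakmp nat-traversal", config, re.M))}
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    acl = m.group(1) if m else None
    r["nat_exempt"] = bool(acl) and bool(
        re.search(rf"^access-list {re.escape(acl)} extended permit ip ", config, re.M))
    inside, pool, home = inside_network(config), vpn_pool(config), ipaddress.ip_network(client_lan)
    r["pool_in_inside"] = bool(inside) and any(n.overlaps(inside) for n in pool)
    r["pool_in_client_lan"] = any(n.overlaps(home) for n in pool)
    return r


if __name__ == "__main__":
    for check, flagged in audit_ra_vpn(SAMPLE_CONFIG).items():
        print(f"{check:20} {flagged}")
```

On the sample both overlap checks fire because the pool was carved out of 192.168.1.0/24; moving the pool to an unused subnet clears them.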