Solved

Cisco ASA 5505 VPN won't allow access to inside network

Posted on 2009-04-12
5
718 Views
Last Modified: 2012-05-06
We have a small business server that we are using a Cisco ASA 5505 with. We have the ASA authenticating with the SBS 2003 server. The problem we are running into is that we can't talk to the inside network after the VPN authenticates. It will prompt for username and password, authenticate and then won't allow internal access. I thought the isakmp nat traversal part would fix it, but that didn't seem to help.

Thanks in advance. Show run is below.
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name asa.******.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name asa.*****.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.240
access-list RemoteVPN_splitTunnelAcl standard permit any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNdhcp 192.168.10.2-192.168.10.11 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server WindowsAuth protocol nt
aaa-server WindowsAuth host 192.168.1.10
 timeout 5
 nt-auth-domain-controller server
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.100-192.168.1.130 inside
dhcpd dns 192.168.1.10 X.X.X.X interface inside
dhcpd domain ******.local interface inside
dhcpd enable inside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy RemoteVPN internal
group-policy RemoteVPN attributes
 dns-server value 192.168.1.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteVPN_splitTunnelAcl
username user1 password KjQCkgbGUCMRig8J encrypted privilege 15
tunnel-group RemoteVPN type ipsec-ra
tunnel-group RemoteVPN general-attributes
 address-pool VPNdhcp
 authentication-server-group WindowsAuth
 default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:ca84e97182a892c5fc1d67be92abede3
: end
ciscoasa#

Question by:K6465
5 Comments
 
LVL 13

Expert Comment

by:Quori
ID: 24127960
If you ping some part of your inside address range, how far can you get? At least to the inside interface of the ASA?

I am not as experienced with ASAs as some of the guys here, but am going to take a stab at it being one (if not both) of the following:
1) Security level traffic flow. Traffic cannot flow upwards in security level unless permitted to do so. You'll need to set up ACLs for this.
2) There is no default gateway specified for 'tunneled' users, i.e.: ip route 0.0.0.0 0.0.0.0 <next hop> tunneled
 
LVL 7

Expert Comment

by:mitrushi
ID: 24128589
Remove "nat (inside) 0 access-list inside_nat0_outbound" and try. NAT exempt is not needed for remote VPN; the ASA takes care of it automatically. You can use the packet tracer to identify where the traffic flow is broken and why.
 
LVL 79

Expert Comment

by:lrmoore
ID: 24129289
>remove "nat (inside) 0 access-list inside_nat0_outbound" and try. nat exempt is not needed for remote vpn, asa takes care of it automatically.
This is not true. You need to keep the nat (inside) 0 command.

Since your internal network is 192.168.1.x, you could have an IP address overlap. What is the LAN IP address of the client? 90% chance it is also 192.168.1.0. I highly suggest changing the inside network on the ASA if you are going to be supporting many VPN clients.
 
LVL 2

Expert Comment

by:e3user
ID: 24147995
Hey there,

According to your config, here's what you have to do:

Add these access-lists:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 192.168.10.0 255.255.255.0
access-list RemoteVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

Remove these access-lists after making sure the new ones were created:

no access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.240
no access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.240
no access-list RemoteVPN_splitTunnelAcl standard permit any
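The three things the thread checks by hand (lrmoore's address-overlap point and e3user's nat0 / split-tunnel ACL changes) can be checked mechanically against the posted config. The following is an added example, not code from the question or from any of the experts; the config excerpt is a constructed subset of the posted running-config, and the client LAN passed to audit() is an assumption supplied by the caller.

```python
import ipaddress
import re

# Constructed excerpt of the ASA config posted in the question (only the lines the audit reads).
ASA_CONFIG = """\
 ip address 192.168.1.1 255.255.255.0
ip local pool VPNdhcp 192.168.10.2-192.168.10.11 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.240
access-list RemoteVPN_splitTunnelAcl standard permit any
"""

def _spec(tokens):
    """Consume one ACL address spec ('any' or 'addr mask'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def acl_entries(cfg, name):
    """Yield (src, dst) for extended entries and (net, None) for standard entries of ACL `name`."""
    for line in cfg.splitlines():
        p = line.split()
        if p[:2] != ["access-list", name] or p[3] != "permit":
            continue
        if p[2] == "extended":            # access-list N extended permit ip <src> <dst>
            src, rest = _spec(p[5:])
            yield src, _spec(rest)[0]
        else:                             # access-list N standard permit <net>
            yield _spec(p[4:])[0], None

def audit(cfg, client_lan):
    """Return a list of findings; an empty list means none of the three checks fired."""
    addr, mask = re.search(r"ip address (\S+) (\S+)", cfg).groups()
    inside = ipaddress.ip_interface(f"{addr}/{mask}").network
    first, last = map(ipaddress.ip_address, re.search(r"ip local pool \S+ (\S+)-(\S+)", cfg).groups())
    findings = []
    # 1. nat 0 must exempt inside -> pool, or replies to the client are PATed to the outside interface.
    if not any(inside.subnet_of(s) and first in d and last in d
               for s, d in acl_entries(cfg, "inside_nat0_outbound")):
        findings.append("nat0 ACL does not exempt inside -> VPN pool")
    # 2. With split-tunnel-policy tunnelspecified the list must name the inside network; 'any' tunnels everything.
    st = [n for n, _ in acl_entries(cfg, "RemoteVPN_splitTunnelAcl")]
    if any(n.prefixlen == 0 for n in st):
        findings.append("split-tunnel ACL is 'permit any': every client route goes through the tunnel")
    elif not any(inside.subnet_of(n) for n in st):
        findings.append("split-tunnel ACL does not include the inside network")
    # 3. A client whose own LAN is also 192.168.1.0/24 routes to it locally and never enters the tunnel.
    if ipaddress.ip_network(client_lan, strict=False).overlaps(inside):
        findings.append(f"client LAN {client_lan} overlaps inside network {inside}")
    return findings
```

Calling audit(ASA_CONFIG, "192.168.1.0/24") reports the 'permit any' split-tunnel list and the overlap; swapping in e3user's 192.168.1.0 255.255.255.0 line and a non-overlapping client LAN returns no findings.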
 

Accepted Solution

by:
K6465 earned 0 total points
ID: 24238627
Adding this line ended up fixing the issue.

crypto isakmp nat-traversal  20