Robert Davis
asked on
Cisco ASA 5505 VPN Can't Talk to Internal VLANs
I have a Cisco ASA 5505 that I'm trying to set up VPN on. I got VPN to work fine, I get the VPN subnet (10.10.30.0) etc., but I can't talk to the internal or the DMZ VLANs. I tried running NAT traversal but this didn't help. Any help would be greatly appreciated! I have attached my config below.
: Saved
:
ASA Version 7.2(4)
!
hostname spike
domain-name censored.tld
enable password KF8NWWqsdpDicsd encrypted
passwd 2KFQnbNdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address public.ip.address.censored.2 255.255.255.240
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 10.10.20.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name censored.tld
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.0 any
access-list spike_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list spike_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.10.20.0 255.255.255.0 10.10.30.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 10.10.30.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool1 10.10.30.1-10.10.30.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.10.10.0 255.255.255.0
static (dmz,outside) 10.10.20.3 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.4 10.10.20.4 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.5 10.10.20.5 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.6 10.10.20.6 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.7 10.10.20.7 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.8 10.10.20.8 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.9 10.10.20.9 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.10 10.10.20.10 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.11 10.10.20.11 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.12 10.10.20.12 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.13 10.10.20.13 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.14 10.10.20.14 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 public.ip.address.censored.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.10.10.2-10.10.10.3 inside
!
group-policy spike_ internal
group-policy spike_ attributes
banner value Welcome to Cyberdog Internet Services VPN!
banner value
banner value All activity is monitored.
dns-server value 4.2.2.2 4.2.2.1
vpn-idle-timeout 300
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value spike_splitTunnelAcl
default-domain value censored.tld
address-pools value vpnpool1
username cyberdog password liPXBcAk6V90DRO encrypted privilege 15
username cyberdog attributes
vpn-group-policy spike_
tunnel-group spike_ type ipsec-ra
tunnel-group spike_ general-attributes
address-pool vpnpool1
default-group-policy spike_
tunnel-group spike_ ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:af43760deca807ca49136374c2971cfd
: end
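As an added example (not from the original post or from Cisco), a small Python check over a trimmed copy of the config above: for each network in the split-tunnel ACL it finds the interface that owns that subnet and verifies the interface has a `nat (<if>) 0 access-list` exemption covering traffic from that network to the whole VPN pool. Interface names, ACL names and addresses are the posted ones; the outside interface, static translations and crypto lines are left out because they do not affect this check. Run against the posted config it reports the inside network as exempted and the dmz network as having no nat 0 binding on the dmz interface.

```python
import ipaddress
# Trimmed copy of the ASA 7.2 config posted above (constructed test input).
CFG = """interface Vlan1
 nameif inside
 ip address 10.10.10.1 255.255.255.0
interface Vlan3
 nameif dmz
 ip address 10.10.20.1 255.255.255.0
access-list spike_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list spike_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.30.0 255.255.255.0
ip local pool vpnpool1 10.10.30.1-10.10.30.50 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
 split-tunnel-network-list value spike_splitTunnelAcl"""

def addr(t, i):
    """ACL address at t[i] ('any' or 'NET MASK') -> (network, index after it)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse(cfg):
    """Interface subnets, ACL entries, nat-0 bindings, VPN pool, split ACL name."""
    ifaces, acls, nat0, pool, split, nameif = {}, {}, {}, None, None, None
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["ip", "address"]:
            ifaces[nameif] = addr(t, 2)[0]
        elif t[:3] == ["ip", "local", "pool"]:
            pool = tuple(ipaddress.ip_address(a) for a in t[4].split("-"))
        elif t[0] == "access-list" and "permit" in t:
            acls.setdefault(t[1], []).append(t)
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0[t[1].strip("()")] = t[4]          # interface -> exempt ACL
        elif t[0] == "split-tunnel-network-list":
            split = t[2]
    return ifaces, acls, nat0, pool, split

def check(cfg):
    """Map each split-tunnel network -> (owning interface, nat-0 exempt to pool?)."""
    ifaces, acls, nat0, pool, split = parse(cfg)
    results = {}
    for t in acls.get(split, []):
        net, _ = addr(t, 4)             # standard ACL: permit NET MASK
        owner = next((n for n, s in ifaces.items() if net.subnet_of(s)), None)
        ok = False
        for e in acls.get(nat0.get(owner), []):   # extended ACL: permit ip SRC DST
            src, i = addr(e, 5)         # both pool ends inside DST => whole pool is
            ok = ok or (net.subnet_of(src) and all(a in addr(e, i)[0] for a in pool))
        results[str(net)] = (owner, ok)
    return results
```

`check(CFG)` returns `{'10.10.10.0/24': ('inside', True), '10.10.20.0/24': ('dmz', False)}`; the same parser runs on a full `show running-config` dump.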
For the default gateway, not on the VPN client but rather the inside and DMZ hosts, is the ASA their default gateway or something else? Just making sure return routing is there...
ASKER
The only route is the router above the ASA. Traffic gets out by hitting the ASA and then seeing route 1 which is the next hop, the router. The route is on interface outside so traffic knows to go out that way.
route outside 0.0.0.0 0.0.0.0 router.ip.is.1 1
ASA outside int ip is .2
You aren't using 10.10.30.0/24 as the local network where you are connecting from remotely, right? You have a router on the outside of the ASA? Is it filtering traffic?
ASKER
VPN subnet is 10.10.30.0, internal is .10, dmz is .20. No filtering. Only route is listed above.
I am referring to where you are attempting to VPN from. What is the local LAN subnet in use where you are testing from? Make sure it doesn't conflict since you are split tunneling. So the router on the outside isn't doing NAT or any filtering? I would take your test VPN PC and plug directly into the outside interface of the ASA and give yourself the router IP then try to VPN again.
ASKER
Ah, sorry, I set the subnets so they would not conflict with any others. My local subnet is 10.20.30.0 so I will not conflict. I'm not anywhere near the DC this ASA is in, hence the need for VPN, so I can't connect directly. When I was in the DC I did try it on the same network but it would still have gone through the router. The router is not doing any filtering and no NAT is required as it is a global IP. Hope this helps!
Regards,
Robert
In the Cisco VPN client, under the Transport tab, you have UDP encapsulation selected, right? Is there anything on the network you are connecting from that could be filtering UDP 4500? Have you tried from home by chance?
ASKER
Tried from work and home :-\. Work is also not on the same subnet. Outbound everything is allowed. For that matter I've already tried it via my iPhone over ATT 3G, the VPN connected fine but I couldn't navigate to the https://10.10.10.1 address. I don't think firewalls are at play here...
Traffic just can't get from the VPN 10.10.30.0 to .10 or something. I really wish these ASAs would come with Easy VPN Server like the 1800 routers.
ASKER
Client default setting UDP is a yes.
Okay, well, I took your config and loaded it on an ASA I had lying around and can connect successfully and ping 10.10.10.1. You can enable logging on the ASA and we can look at the logs...
conf t
logging enable
logging buffered debug
logging buffer-size 16384
Then do a "show log" after trying to connect via VPN.
Really? That makes no sense at all. That shouldn't make any difference and didn't affect the config on my ASA. Weird (bug?). Anyway, nice job using the packet tracer.
ASKER
Just retested it by disabling and enabling the ACL, did the trick :-S. I'm going to update to 8.0 one of these days anyway, I don't currently have a smartnet for this box.
Very odd. I would remove the access-list from the inside interface and see if it works also.
ASKER
Inside int has the inside VLAN mapped; perhaps I misunderstood your request. Regardless, this did the trick :-).
Regards,
Robert
ASKER
Any ideas anyone? Thanks!
Regards,
Robert