Solved

Cisco ASA 5505 VPN Can't Talk to Internal VLANs

Posted on 2009-05-11
1,410 Views
Last Modified: 2012-06-27
I have a Cisco ASA 5505 that I'm trying to set up VPN on. I got VPN to work fine; I get the VPN subnet (10.10.30.0) etc., but I can't talk to either the internal or the DMZ VLANs. I tried running NAT traversal but this didn't help. Any help would be greatly appreciated! I have attached my config below.
: Saved
:
ASA Version 7.2(4) 
!
hostname spike
domain-name censored.tld
enable password KF8NWWqsdpDicsd encrypted
passwd 2KFQnbNdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address public.ip.address.censored.2 255.255.255.240 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name censored.tld
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any any 
access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.0 any 
access-list spike_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0 
access-list spike_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.192 
access-list inside_nat0_outbound extended permit ip 10.10.20.0 255.255.255.0 10.10.30.0 255.255.255.192 
access-list inside_nat0_outbound extended permit ip any 10.10.30.0 255.255.255.0 
access-list dmz_access_in extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool1 10.10.30.1-10.10.30.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.10.10.0 255.255.255.0
static (dmz,outside)  10.10.20.3 netmask 255.255.255.255 dns 
static (dmz,outside) public.ip.address.censored.4 10.10.20.4 netmask 255.255.255.255 dns 
static (dmz,outside) public.ip.address.censored.5 10.10.20.5 netmask 255.255.255.255 dns 
static (dmz,outside) public.ip.address.censored.6 10.10.20.6 netmask 255.255.255.255 dns 
static (dmz,outside) public.ip.address.censored.7 10.10.20.7 netmask 255.255.255.255 dns 
static (dmz,outside) public.ip.address.censored.8 10.10.20.8 netmask 255.255.255.255 dns 
static (dmz,outside) public.ip.address.censored.9 10.10.20.9 netmask 255.255.255.255 dns 
static (dmz,outside) public.ip.address.censored.10 10.10.20.10 netmask 255.255.255.255 dns 
static (dmz,outside) public.ip.address.censored.11 10.10.20.11 netmask 255.255.255.255 dns 
static (dmz,outside) public.ip.address.censored.12 10.10.20.12 netmask 255.255.255.255 dns 
static (dmz,outside) public.ip.address.censored.13 10.10.20.13 netmask 255.255.255.255 dns 
static (dmz,outside) public.ip.address.censored.14 10.10.20.14 netmask 255.255.255.255 dns 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 public.ip.address.censored.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.10.10.2-10.10.10.3 inside
!
 
group-policy spike_ internal
group-policy spike_attributes
 banner value Welcome to Cyberdog Internet Services VPN!
 banner value 
 banner value All activity is monitored.
 dns-server value 4.2.2.2 4.2.2.1
 vpn-idle-timeout 300
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value spike_splitTunnelAcl
 default-domain value censored.tld
 address-pools value vpnpool1
username cyberdog password liPXBcAk6V90DRO encrypted privilege 15
username cyberdog attributes
 vpn-group-policy spike_
tunnel-group spike_ type ipsec-ra
tunnel-group spike_ general-attributes
 address-pool vpnpool1
 default-group-policy spike_
tunnel-group spike_ ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:af43760deca807ca49136374c2971cfd
: end

0
Comment
Question by:Robert Davis
17 Comments
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 400 total points
ID: 24357694
The config looks fine.  The inside hosts have a default gateway of 10.10.10.1, right? and the DMZ hosts have a default gateway of 10.10.20.1, right?

Add this:

conf t
management-access inside

Can you ping 10.10.10.1 when connected via VPN?
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 24358186
I ran your command, no dice. I cannot ping 10.10.10.1. I do not have a gateway on the VPN Windows XP interface either, but this is pretty standard as our Cisco 1811 and ASA 5510 at other locations work the same way... I can't tell if this is an ACL issue, a NAT issue or a route issue, but I suspect one of these areas to be the cause of the internal subnets being unreachable.

Any ideas anyone?  Thanks!

Regards,
Robert
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24358195
For the default gateway, not on the VPN client but rather the inside and DMZ hosts, is the ASA their default gateway or something else?  Just making sure return routing is there...
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 24358258
The only route is the router above the ASA.  Traffic gets out by hitting the ASA and then seeing route 1 which is the next hop, the router.  The route is on interface outside so traffic knows to go out that way.

route outside 0.0.0.0 0.0.0.0 router.ip.is.1 1

ASA outside int ip is .2
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24364042
You aren't using 10.10.30.0/24 as the local network where you are connecting from remotely, right?  You have a router on the outside of the ASA?  Is it filtering traffic?
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 24364194
VPN subnet is 10.10.30.0, internal is .10, dmz is .20.  No filtering.  Only route is listed above.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24364248
I am referring to where you are attempting to VPN from.  What is the local LAN subnet in use where you are testing from?  Make sure it doesn't conflict since you are split tunneling.  So the router on the outside isn't doing NAT or any filtering?  I would take your test VPN PC and plug directly into the outside interface of the ASA and give yourself the router IP then try to VPN again.
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 24364334
Ah, sorry, I set the subnets so they would not conflict with any others. My local subnet is 10.20.30.0 so I will not conflict. I'm not anywhere near the DC this ASA is in, hence the need for VPN, so I can't connect directly. When I was in the DC I did try it on the same network but it would still have gone through the router. The router is not doing any filtering and no NAT is required as it is a global IP. Hope this helps!

Regards,
Robert
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24364374
In the Cisco VPN client, under the Transport tab, you have UDP encapsulation selected, right?  Is there anything on the network you are connecting from that could be filtering UDP 4500?  Have you tried from home by chance?
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 24364457
Tried from work and home :-\.  Work is also not on the same subnet.  Outbound everything is allowed.  For that matter I've already tried it via my iPhone over ATT 3G, the VPN connected fine but I couldn't navigate to the https://10.10.10.1 address.  I don't think firewalls are at play here...

Traffic just can't get from the VPN 10.10.30.0 to .10 or something. I really wish these ASAs would come with Easy VPN Server like the 1800 routers.
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 24364466
Client default setting UDP is a yes.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24365844
Okay, well, I took your config and loaded it on an ASA I had laying around and can connect successfully and ping 10.10.10.1.  You can enable logging on the ASA and we can look at the logs...

conf t
logging enable
logging buffered debug
logging buffer-size 16384

Then do a "show log" after trying to connect via VPN.
0
 
LVL 1

Accepted Solution

by:
Robert Davis earned 0 total points
ID: 24369292
I already have logging enabled, which never really helped me with this. I did use the packet tracer though and tried a packet from inside .30.2 to inside .10.1; I hit an ACL drop, which turned out to be my implicit deny on the inside ACLs. I noticed that my inside ACLs only allow inside (10.0/24) traffic out to any destination. I added an ACL for 10.10.30.0/26 traffic out to any destination as well and this fixed my issue. I can now ping 10.1 from the 30.0 subnet (VPN).

I'm not sure why your setup with my old config worked, but this did the trick for me. It also occurred to me that not being able to ping 10.10.20.1 from the VPN subnet makes sense, since nothing on the DMZ VLAN is allowed to talk to the inside VLAN for security purposes (which covers .10.0 -> 20.0 as well as .30.0 -> 20.0).

My new ACLs are attached.

I hope this helps someone out. I obviously just didn't notice this ACL issue but was able to track it down with the packet tracer (man I love that thing). I guess I figured the inside-VLAN statement would cover the VPN statement but I was wrong. Thanks for your help JFred, keep up the support!

Regards,
Robert
access-list outside_access_in extended permit ip any any 
access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.0 any 
--->access-list inside_access_in extended permit ip 10.10.30.0 255.255.255.192 any <---
access-list spike_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0 
access-list spike_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.192 
access-list inside_nat0_outbound extended permit ip 10.10.20.0 255.255.255.0 10.10.30.0 255.255.255.192 
access-list inside_nat0_outbound extended permit ip any 10.10.30.0 255.255.255.0 
access-list dmz_access_in extended permit ip any any 

0
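The following Python is an added example, not code from this thread or from Cisco, that models the interface-ACL check the author exercised with packet-tracer. It parses the `access-list ... extended permit ip` and `ip local pool` lines quoted above, walks a named ACL top-down with the ASA's implicit deny at the end, and shows why the original inside_access_in entry (source 10.10.10.0/24) never matches a 10.10.30.x source while the added /26 entry does. It also checks that every address in vpnpool1 is covered by the nat0 exemption list for traffic from the inside network. The parser assumes ASA semantics (real subnet masks, not IOS wildcard masks) and handles only the `ip` protocol and the `any`, `host` and network/mask address forms that appear in the posted config; the `ORIGINAL_CONFIG` and `FIX_LINE` strings are copied from the thread, and all function names are the example's own.

```python
"""Model of the ASA interface-ACL check discussed in the thread (added example)."""
import ipaddress
import re

# Lines copied from the posted config (the "before" state) plus the one line
# the accepted solution added (marked with ---> in the thread).
ORIGINAL_CONFIG = """
access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.10.20.0 255.255.255.0 10.10.30.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 10.10.30.0 255.255.255.0
ip local pool vpnpool1 10.10.30.1-10.10.30.50 mask 255.255.255.0
"""
FIX_LINE = "access-list inside_access_in extended permit ip 10.10.30.0 255.255.255.192 any\n"

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ip (.+?)\s*$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")


def _take_network(tokens):
    """Consume one ASA address spec: any | host A.B.C.D | NET MASK."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA access-lists use subnet masks (255.255.255.0), not wildcard masks.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return ({acl_name: [(action, src_net, dst_net), ...]}, {pool_name: [addresses]})."""
    acls, pools = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, rest = m.groups()
            src, remaining = _take_network(rest.split())
            dst, _ = _take_network(remaining)
            acls.setdefault(name, []).append((action, src, dst))
            continue
        m = POOL_RE.match(line)
        if m:
            name, first, last, _mask = m.groups()
            lo = int(ipaddress.ip_address(first))
            hi = int(ipaddress.ip_address(last))
            pools[name] = [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
    return acls, pools


def evaluate(acls, acl_name, src, dst):
    """Walk the ACL top-down as the ASA does; first match wins, no match is a deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acls.get(acl_name, []):
        if src in src_net and dst in dst_net:
            return action
    return "deny"  # the implicit deny at the end of every ASA access-list


def pool_is_exempted(acls, pools, nat0_name, pool_name, inside_net):
    """True if traffic from inside_net to every pool address matches the
    NAT-exemption list (the check behind `nat (inside) 0 access-list ...`)."""
    inside_host = str(next(ipaddress.ip_network(inside_net).hosts()))
    return all(
        evaluate(acls, nat0_name, inside_host, str(ip)) == "permit"
        for ip in pools[pool_name]
    )


if __name__ == "__main__":
    before, pools = parse_config(ORIGINAL_CONFIG)
    after, _ = parse_config(ORIGINAL_CONFIG + FIX_LINE)
    flow = ("10.10.30.2", "10.10.10.1")  # the flow the author ran through packet-tracer
    print("before fix:", evaluate(before, "inside_access_in", *flow))
    print("after fix: ", evaluate(after, "inside_access_in", *flow))
    print("pool exempt:", pool_is_exempted(before, pools, "inside_nat0_outbound",
                                            "vpnpool1", "10.10.10.0/24"))
```

One thing the check makes visible: the pool is defined with a /24 mask but both the nat0 exemption entries and the fix line use 10.10.30.0/26, which only covers 10.10.30.0-63. The configured range 10.10.30.1-50 fits, but a pool later extended past .63 would silently fall outside both lists. Note also that the posted config binds the exemption list only with `nat (inside) 0 ...`; there is no `nat (dmz) 0` line, so the 10.10.20.0/24 entry in that list is never applied on the DMZ interface.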
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24370860
Really? That makes no sense at all. That shouldn't make any difference and didn't affect the config on my ASA. Weird (bug?). Anyway, nice job using the packet tracer.
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 24370881
Just retested it by disabling and enabling the ACL, did the trick :-S.  I'm going to update to 8.0 one of these days anyway, I don't currently have a smartnet for this box.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24370896
Very odd.  I would remove the access-list from the inside interface and see if it works also.
0
 
LVL 1

Author Comment

by:Robert Davis
ID: 24379753
Inside int has the inside VLAN mapped; perhaps I misunderstood your request. Regardless, this did the trick :-).

Regards,
Robert
0
