Solved

Cisco ASA 5505 VPN Can't Talk to Internal VLANs

Posted on 2009-05-11
1,384 Views
Last Modified: 2012-06-27
I have a Cisco ASA 5505 that I'm trying to set up VPN on.  I got VPN to work fine, I get the VPN subnet (10.10.30.0) etc., but I can't talk to the internal or the DMZ VLANs.  I tried running nat traversal but this didn't help.  Any help would be greatly appreciated!  I have attached my config below.
: Saved
:
ASA Version 7.2(4)
!
hostname spike
domain-name censored.tld
enable password KF8NWWqsdpDicsd encrypted
passwd 2KFQnbNdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address public.ip.address.censored.2 255.255.255.240
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name censored.tld
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.0 any
access-list spike_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list spike_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.10.20.0 255.255.255.0 10.10.30.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 10.10.30.0 255.255.255.0
access-list dmz_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool1 10.10.30.1-10.10.30.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.10.10.0 255.255.255.0
static (dmz,outside)  10.10.20.3 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.4 10.10.20.4 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.5 10.10.20.5 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.6 10.10.20.6 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.7 10.10.20.7 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.8 10.10.20.8 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.9 10.10.20.9 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.10 10.10.20.10 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.11 10.10.20.11 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.12 10.10.20.12 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.13 10.10.20.13 netmask 255.255.255.255 dns
static (dmz,outside) public.ip.address.censored.14 10.10.20.14 netmask 255.255.255.255 dns
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 public.ip.address.censored.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.10.10.2-10.10.10.3 inside
!

group-policy spike_ internal
group-policy spike_ attributes
 banner value Welcome to Cyberdog Internet Services VPN!
 banner value
 banner value All activity is monitored.
 dns-server value 4.2.2.2 4.2.2.1
 vpn-idle-timeout 300
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value spike_splitTunnelAcl
 default-domain value censored.tld
 address-pools value vpnpool1
username cyberdog password liPXBcAk6V90DRO encrypted privilege 15
username cyberdog attributes
 vpn-group-policy spike_
tunnel-group spike_ type ipsec-ra
tunnel-group spike_ general-attributes
 address-pool vpnpool1
 default-group-policy spike_
tunnel-group spike_ ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:af43760deca807ca49136374c2971cfd
: end
asdm image disk0:/asdm-524.bin
no asdm history enable


Question by: Robert Davis
17 Comments
 
LVL 43 - Assisted Solution by JFrederick29 (earned 100 total points)
The config looks fine.  The inside hosts have a default gateway of 10.10.10.1, right?  And the DMZ hosts have a default gateway of 10.10.20.1, right?

Add this:

conf t
management-access inside

Can you ping 10.10.10.1 when connected via VPN?
0
 
LVL 1 - Author Comment by Robert Davis
I ran your command, no dice.  I cannot ping 10.10.10.1.  I do not have a gateway on the VPN Windows XP interface either, but this is pretty standard as our Cisco 1811 and ASA 5510 at other locations work the same way...  I can't tell if this is an ACL issue, a NAT issue or a route issue, but I suspect one of these areas to be the cause of the internal subnets being unreachable.

Any ideas anyone?  Thanks!

Regards,
Robert
0
 
LVL 43 - Expert Comment by JFrederick29
For the default gateway, not on the VPN client but rather the inside and DMZ hosts, is the ASA their default gateway or something else?  Just making sure return routing is there...
0
 
LVL 1 - Author Comment by Robert Davis
The only route is the router above the ASA.  Traffic gets out by hitting the ASA and then seeing route 1 which is the next hop, the router.  The route is on interface outside so traffic knows to go out that way.

route outside 0.0.0.0 0.0.0.0 router.ip.is.1 1

ASA outside int ip is .2
0
 
LVL 43 - Expert Comment by JFrederick29
You aren't using 10.10.30.0/24 as the local network where you are connecting from remotely, right?  You have a router on the outside of the ASA?  Is it filtering traffic?
0
 
LVL 1 - Author Comment by Robert Davis
VPN subnet is 10.10.30.0, internal is .10, dmz is .20.  No filtering.  Only route is listed above.
0
 
LVL 43 - Expert Comment by JFrederick29
I am referring to where you are attempting to VPN from.  What is the local LAN subnet in use where you are testing from?  Make sure it doesn't conflict since you are split tunneling.  So the router on the outside isn't doing NAT or any filtering?  I would take your test VPN PC and plug directly into the outside interface of the ASA and give yourself the router IP then try to VPN again.
0
 
LVL 1 - Author Comment by Robert Davis
Ah, sorry, I set the subnets so they would not conflict with any others.  My local subnet is 10.20.30.0 so I will not conflict.  I'm not anywhere near the DC this ASA is in, hence the need for VPN, so I can't connect directly.  When I was in the DC I did try it on the same network but it would still have gone through the router.  The router is not doing any filtering and no NAT is required as it is a global IP.  Hope this helps!

Regards,
Robert
0
 
LVL 43 - Expert Comment by JFrederick29
In the Cisco VPN client, under the Transport tab, you have UDP encapsulation selected, right?  Is there anything on the network you are connecting from that could be filtering UDP 4500?  Have you tried from home by chance?
0
 
LVL 1 - Author Comment by Robert Davis
Tried from work and home :-\.  Work is also not on the same subnet.  Outbound everything is allowed.  For that matter I've already tried it via my iPhone over ATT 3G, the VPN connected fine but I couldn't navigate to the https://10.10.10.1 address.  I don't think firewalls are at play here...

Traffic just can't get from the VPN 10.10.30.0 to .10 or something.  I really wish these ASAs would come with Easy VPN Server like the 1800 routers.
0
 
LVL 1 - Author Comment by Robert Davis
Client default setting UDP is a yes.
0
 
LVL 43 - Expert Comment by JFrederick29
Okay, well, I took your config and loaded it on an ASA I had laying around and can connect successfully and ping 10.10.10.1.  You can enable logging on the ASA and we can look at the logs...

conf t
logging enable
logging buffered debug
logging buffer-size 16384

Then do a "show log" after trying to connect via VPN.
0
 
LVL 1 - Accepted Solution by Robert Davis (earned 0 total points)
I already have logging enabled, which never really helped me with this.  I did use the packet tracer though and tried a packet from inside .30.2 to inside .10.1; I hit an ACL drop, which turned out to be my implicit deny on the inside ACLs.  I noticed that my inside ACLs only allow inside (10.0/24) traffic out to any destination.  I added an ACL for 10.10.30.0/26 traffic out to any dest as well and this fixed my issue.  I can now ping 10.1 from the 30.0 subnet (vpn).

I'm not sure why your setup with my old config worked but this did the trick for me.  It also occurred to me that not being able to ping 10.10.20.1 from the vpn subnet makes sense since nothing on the dmz vlan is allowed to talk to the inside vlan for security purposes (which covers .10.0 ->20.0 as well as .30.0 -> 20.0).

My new ACLs are attached.

I hope this helps someone out.  I obviously just didn't notice this ACL issue but was able to track it down with the packet tracer (man I love that thing).  I guess I figured the inside-vlan statement would cover the vpn statement but I was wrong.  Thanks for your help JFred, keep up the support!

Regards,
Robert
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.0 any
--->access-list inside_access_in extended permit ip 10.10.30.0 255.255.255.192 any <---
access-list spike_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list spike_splitTunnelAcl standard permit 10.10.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.10.20.0 255.255.255.0 10.10.30.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 10.10.30.0 255.255.255.0
access-list dmz_access_in extended permit ip any any


0
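As an added illustration (not code from this thread or from Cisco), here is a small Python model of ASA first-match ACL evaluation with the implicit deny, run over the original and the corrected inside_access_in entries for the packet-tracer case in the accepted solution (10.10.30.2 to 10.10.10.1 on the inside interface); it also checks that the vpnpool1 range fits the 10.10.30.0/26 prefix used by the nat0 ACL and the added ACE. Function names and the `constructed` inputs are my own.

```python
import ipaddress

# Constructed from the ACL lines posted in this thread (only the inside ACL is modelled).
ORIGINAL_INSIDE_ACL = [
    "access-list inside_access_in extended permit ip 10.10.10.0 255.255.255.0 any",
]
FIXED_INSIDE_ACL = ORIGINAL_INSIDE_ACL + [
    # the ACE the author added for the VPN pool (10.10.30.0/26)
    "access-list inside_access_in extended permit ip 10.10.30.0 255.255.255.192 any",
]


def _network(tokens):
    """Consume one ASA address spec: 'any' or 'ADDR NETMASK'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ASA extended ACLs use real netmasks (not wildcard masks); ipaddress accepts them.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny ip SRC DST' (the only form used here)."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _network(t[5:])
    dst, _ = _network(rest)
    return {"name": t[1], "action": t[3], "src": src, "dst": dst}


def evaluate(acl_lines, src_ip, dst_ip):
    """ASA semantics: the first matching ACE wins; no match falls to the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if src in ace["src"] and dst in ace["dst"]:
            return ace["action"]
    return "deny (implicit)"


def pool_within(first, last, network):
    """True if an 'ip local pool' range fits the prefix the nat0 ACL and new ACE refer to."""
    net = ipaddress.ip_network(network)
    return ipaddress.ip_address(first) in net and ipaddress.ip_address(last) in net


if __name__ == "__main__":
    # The packet-tracer case from the accepted solution: 10.10.30.2 -> 10.10.10.1
    for label, acl in (("original", ORIGINAL_INSIDE_ACL), ("fixed", FIXED_INSIDE_ACL)):
        print(f"{label:8s} inside_access_in: {evaluate(acl, '10.10.30.2', '10.10.10.1')}")
    print("vpnpool1 within 10.10.30.0/26:", pool_within("10.10.30.1", "10.10.30.50", "10.10.30.0/26"))
```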
 
LVL 43 - Expert Comment by JFrederick29
Really?  That makes no sense at all.   That shouldn't make any difference and didn't affect the config on my ASA.  Weird (bug?).  Anyway, nice job using the packet tracer.
0
 
LVL 1 - Author Comment by Robert Davis
Just retested it by disabling and enabling the ACL, did the trick :-S.  I'm going to update to 8.0 one of these days anyway, I don't currently have a smartnet for this box.
0
 
LVL 43 - Expert Comment by JFrederick29
Very odd.  I would remove the access-list from the inside interface and see if it works also.
0
 
LVL 1 - Author Comment by Robert Davis
Inside int has the inside vlan mapped, perhaps I misunderstood your request.  Regardless, this did the trick :-).

Regards,
Robert
0
