Solved

VPN Users cannot access lan resources

Posted on 2010-01-08
25
Medium Priority
392 Views
Last Modified: 2012-06-22
This is the network setup:  Internet => cisco asa => hp switch => lan hosts.

Local machines can get to the internet and can access one another.

Clients are on 10.40.4.x /16, servers on 10.40.1.x. The asa is not the gateway; the gateway is 10.40.1.1, which is an HP Procurve 2610 (J9088A).

When connecting with the cisco ipsec client, addresses in 10.40.101.x / 16 are given. The vpn clients cannot get to lan machines or servers. The vpn clients can ping the asa and ping the switch at 10.40.1.1. The switch can ping a 10.40.101.x address (vpn client) and the asa; however, the asa cannot ping the vpn clients.

0
Question by:dmwynne
25 Comments
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26214815
Hi

Are you defining split tunnel in your ASA configuration?

It looks like the following example:

access-list cisco_splitTunnelAcl standard permit any

group-policy NAME internal
group-policy NAME attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN


0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 26214825
Your switch needs to be able to route if it is the DGW. It needs a route to 10.40.101.x/16 via the IP of the cisco asa.
0
 
LVL 14

Author Comment

by:dmwynne
ID: 26228074
I do have split tunneling defined.

I added that route to the switch but still do not have access.  
0
 

Expert Comment

by:DRbob
ID: 26272379
Hi there!  I would suggest that you do a traceroute from your lan client to the vpn and from your vpn client to the lan clients to see how the packets are getting routed.  That should tell you where you're losing your packets.   I have set up a remote VPN connection on my 5505 and can see the backside network systems using ping and tracert; however I cannot ping, telnet, or manage the backside gateway, which is the inside gateway IP.   That has me baffled a bit.
Hope this helps you.
Drbobf
0
 
LVL 14

Author Comment

by:dmwynne
ID: 26273068
Yes, I've done the traces, and the trace from the inside machine 10.40.1.11 fails immediately, yet I can ping the switch and the asa from that machine.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 26273828
On the ASA issue the following command
crypto isakmp nat-traversal  20
Any difference?
0
 
LVL 14

Author Comment

by:dmwynne
ID: 26277526
I added crypto isakmp nat-traversal  20 but still do not have access.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 26278123
does the client connect without error but no traffic passes?
0
 
LVL 14

Author Comment

by:dmwynne
ID: 26278151
Yes the client connects fine and it can ping the asa interface and switch ip address.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 26282130
If you plug a PC into the inside interface of the firewall directly, can a remote client ping that?
Also show me the results of a "show run nat" command.
0
 

Expert Comment

by:DRbob
ID: 26283054
Just thought of this when I was working with my setup.  If you are using the Cisco VPN client, make sure that you have the checkbox on the VPN client on the transport tab set to "allow local LAN Access".  If this is the case, I have found that I had to close the client and restart the VPN client for this setting to take effect!
0
 
LVL 14

Author Comment

by:dmwynne
ID: 26283300
PeteLong - Unfortunately I don't have physical access to the asa.  One thing I can add is there is another switch connected to the 1st HP switch and when I add a static route to its network I can get to hosts on that switch from vpn clients.  Not sure if that may shed some light on things.

DRbob:  I had already verified this box was checked but thanks for the suggestion.
0
 
LVL 14

Author Comment

by:dmwynne
ID: 26283360
Here is show run nat

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 26283502
does
sho run access-list inside_nat0_outbound
list ACL entries for the remote VPN client subnet?
0
 
LVL 14

Author Comment

by:dmwynne
ID: 26283683
Show run access list does have entries for the remote clients.
0
 
LVL 14

Author Comment

by:dmwynne
ID: 26364433
So I am still fighting with this.  I've spoken with both HP and Cisco and they blame the other device.  If I enter a route on a host that is on 10.40.1.x to 10.40.101.x then all is well.  Does that stir up any possible reasons why I need this route on the host for it to work?
0
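The observation in the comment above (a static route added on a LAN host makes the VPN client reachable) follows from how a host with a /16 mask chooses a next hop: 10.40.101.x lies inside the host's own connected 10.40.0.0/16, so without a more specific route the host treats the VPN client as on-link and ARPs for it on the LAN segment instead of handing the packet to any router. The script below is an added example, not code from the thread; it reproduces that longest-prefix-match decision with and without the host route. The ASA inside address 10.40.1.2 and the client address 10.40.101.5 are constructed placeholders, since the thread redacts the real values.

```python
"""
Added example (not code from the thread): the next-hop decision a LAN host
makes for a VPN-pool address, with and without a host route to the pool.
Hosts in the thread sit in 10.40.0.0/16 behind gateway 10.40.1.1 and the
pool is 10.40.101.x; 10.40.1.2 stands in for the redacted ASA inside address.
"""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]  # None = directly connected


def longest_prefix_match(table, dst):
    """Pick the most specific route containing dst (host stacks do the same)."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def next_hop(table, dst):
    """Return ('on-link', None), ('gateway', '<ip>') or ('unreachable', None)."""
    r = longest_prefix_match(table, dst)
    if r is None:
        return ("unreachable", None)
    if r.next_hop is None:
        # Destination falls inside a connected prefix: the host ARPs for it
        # directly on the segment instead of sending the frame to a router.
        return ("on-link", None)
    return ("gateway", str(r.next_hop))


def host_routing_table(host_ip, prefixlen, gateway, extra=()):
    """Connected route plus default route, as a typical host installs them."""
    connected = ipaddress.ip_interface(f"{host_ip}/{prefixlen}").network
    table = [
        Route(connected, None),
        Route(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(gateway)),
    ]
    table.extend(extra)
    return table


LAN_HOST, LAN_PREFIXLEN, LAN_GATEWAY = "10.40.1.11", 16, "10.40.1.1"
VPN_CLIENT = "10.40.101.5"   # constructed address from the thread's pool range
ASA_INSIDE = "10.40.1.2"     # constructed placeholder; redacted in the thread
POOL_ROUTE = Route(ipaddress.ip_network("10.40.101.0/24"),
                   ipaddress.ip_address(ASA_INSIDE))


def decision_without_host_route():
    """Host has only its connected /16 and a default route."""
    return next_hop(host_routing_table(LAN_HOST, LAN_PREFIXLEN, LAN_GATEWAY), VPN_CLIENT)


def decision_with_host_route():
    """Host additionally has a /24 route for the pool pointing at the ASA."""
    table = host_routing_table(LAN_HOST, LAN_PREFIXLEN, LAN_GATEWAY, [POOL_ROUTE])
    return next_hop(table, VPN_CLIENT)


def decision_for_internet():
    """Sanity check: an off-net destination still uses the default gateway."""
    table = host_routing_table(LAN_HOST, LAN_PREFIXLEN, LAN_GATEWAY, [POOL_ROUTE])
    return next_hop(table, "8.8.8.8")


if __name__ == "__main__":
    print("without host route:", decision_without_host_route())
    print("with /24 host route:", decision_with_host_route())
    print("internet destination:", decision_for_internet())
```

When the pool is carved out of the connected subnet, the on-link case only works if something on the LAN answers ARP for pool addresses on the clients' behalf; the ASA does that with proxy ARP on its inside interface, and the running config posted later in this thread contains `sysopt noproxyarp inside`, which disables proxy ARP on that interface. A pool outside the LAN subnet avoids the question entirely, because the switch's route then carries the traffic to the ASA without any host-side configuration.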
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26364584
add the following

access-list inside_nat0_outbound extended permit ip any 10.40.101.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
0
 
LVL 14

Author Comment

by:dmwynne
ID: 26364620
I can't see how it's an access list problem if it works with the route manually added but does not if the route is there.  If it was access list based I would expect it would fail regardless of whether I had the route or not.
0
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26364668
The above is NAT configuration, not ACL alone...

Did you try it?

Also, if it doesn't work, then post the whole configuration!
0
 
LVL 14

Author Comment

by:dmwynne
ID: 26364935
Did not work.

Here is the running config.
: Saved
:
ASA Version 8.0(3)
!
hostname Montreal
domain-name 
enable password 
no names
name 10.30.0.0 D
name 10.50.0.0 S
name 10.20.0.0 W
name 10.10.0.0 W
name 172.16.1.0 W
name 192.168.129.0 M
name 10.40.xxx.x M
name 192.168.128.0 W
name 10.10.101.0 W
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.40.x.x 255.255.0.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.110.xxx.xxx 255.255.255.128
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd  encrypted
boot system disk0:/
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name .com
same-security-traffic permit intra-interface
object-group service RDP tcp
 description Remote Desktop
 port-object eq 3389
object-group network DM_INLINE_NETWORK_1
 network-object 10.40.0.x 255.255.0.0
 network-object 192.168.129.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 10.10.0.0 255.255.0.0
 network-object 192.168.128.0 255.255.255.0
 network-object 10.10.101.0 255.255.255.0
 network-object 10.20.0.0 255.255.0.0
 network-object 10.30.0.0 255.255.0.0
 network-object 10.50.0.0 255.255.0.0
 network-object 172.16.xxx.xxx 255.255.255.192
object-group network DM_INLINE_NETWORK_3
 network-object 10.20.0.0 255.255.0.0
 network-object 172.16.xxx.xxx 255.255.255.192
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list outside_1_cryptomap extended permit ip 10.40.0.0 255.255.0.0 10.10.101.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.40.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.40.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip any 192.168.37.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.40.1.x 255.255.255.0 10.40.101.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.129.0 255.255.255.0 10.40.101.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.xxx/xxx 255.255.255.192 10.40.101.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.20.0.0 255.255.0.0 10.40.101.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.0.0 255.255.255.0 10.40.101.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.50.0 255.255.255.0 10.40.101.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.40.101.x 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.40.0.x 255.255.0.0 object-group DM_INLINE_NETWORK_3
access-list captest extended permit ip host 10.40.101.x host 10.40.1.xx
access-list captest extended permit ip host 10.40.1.xx host 10.40.101.x
access-list _splitTunnelAcl standard permit 192.168.129.0 255.255.255.0
access-list _splitTunnelAcl standard permit 172.16.xxx/xxx 255.255.255.192
access-list _splitTunnelAcl standard permit 10.20.0.0 255.255.0.0
access-list _splitTunnelAcl standard permit 10.30.0.0 255.255.255.0
access-list _splitTunnelAcl standard permit 10.30.50.0 255.255.255.0
access-list _splitTunnelAcl standard permit 10.40.1.x 255.255.255.0
access-list _splitTunnelAcl_1 standard permit any
pager lines 24
logging enable
logging buffered debugging
logging asdm errors
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.37.1-192.168.37.254 mask 255.255.255.0
ip local pool  10.40.101.x-10.40.101.xxx mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 66.110.xxx.xxx 1
route inside 192.168.129.0 255.255.255.0 10.40.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server protocol nt
aaa-server  host 
 timeout 5
 nt-auth-domain-controller 
http server enable
http 10.0.0.0 255.0.0.0 inside
http  outside
http  outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1260
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 21
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 60
ssh timeout 15
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
ntp server 
group-policy DfltGrpPolicy attributes
group-policy  internal
group-policy  attributes
 dns-server value 10.40.1.xx 10.10.1.11
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value _splitTunnelAcl
 default-domain value .com
tunnel-group 
tunnel-group 
 pre-shared-key *
tunnel-group 
tunnel-group 
 pre-shared-key *
tunnel-group  type remote-access
tunnel-group  general-attributes
 address-pool 
 authentication-server-group 
 default-group-policy 
tunnel-group  ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ce48dd517a99ddd420d12862c1c06ffc
: end


0
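The replies in this thread keep circling the same three questions about the posted config: whether LAN-to-pool traffic is exempted from the `nat (inside) 1` rule by the nat 0 access list, whether the split-tunnel ACL sends the server subnet through the tunnel, and whether the pool overlaps the inside interface's own subnet. The checker below is an added example, not code from the thread or from Cisco, that reads an ASA 8.0-style running config and answers those questions mechanically. `SAMPLE_CONFIG` is constructed from the redacted config above with made-up values (10.40.1.2 for the inside address, 10.40.101.1-254 for the pool, `RA_POLICY` for the group-policy name) in place of the `x` placeholders; object-group ACL entries are skipped rather than resolved.

```python
"""
Added example (not from the thread or from Cisco): check an ASA 8.0-style
running config for the remote-access IPsec settings debated in the thread.
SAMPLE_CONFIG is a constructed excerpt; every 'x' in the posted config has
been replaced by a made-up value.
"""
import ipaddress

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.40.1.2 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.40.1.0 255.255.255.0 10.40.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.40.101.0 255.255.255.0
access-list _splitTunnelAcl standard permit 192.168.129.0 255.255.255.0
access-list _splitTunnelAcl standard permit 10.40.1.0 255.255.255.0
ip local pool vpnpool 10.40.101.1-10.40.101.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
sysopt noproxyarp inside
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value _splitTunnelAcl
"""


def _take_net(tok, i):
    """Read 'any', 'host A' or 'A MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(f"{tok[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull interfaces, ACLs, pools, the nat 0 ACL and split-tunnel list out of the text."""
    cfg = {"interfaces": [], "acls": {}, "pools": {}, "nat0_acl": None,
           "split_acl": None, "noproxyarp": set()}
    cur = None  # interface currently being parsed, if any
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        sub = line.startswith(" ")  # indented = inside a config sub-mode
        if tok[0] == "interface":
            cur = {"name": tok[1], "nameif": None, "net": None}
            cfg["interfaces"].append(cur)
        elif sub and cur is not None and tok[0] == "nameif":
            cur["nameif"] = tok[1]
        elif sub and cur is not None and tok[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[0] == "access-list":
            name, kind = tok[1], tok[2]
            entries = cfg["acls"].setdefault(name, [])
            if kind == "extended" and tok[3:5] == ["permit", "ip"] and "object-group" not in tok:
                src, i = _take_net(tok, 5)
                dst, _ = _take_net(tok, i)
                entries.append((src, dst))
            elif kind == "standard" and tok[3] == "permit":
                net, _ = _take_net(tok, 4)
                entries.append((net, None))
        elif tok[:3] == ["ip", "local", "pool"]:
            first = tok[4].split("-")[0]
            mask = tok[6] if len(tok) > 6 and tok[5] == "mask" else "255.255.255.255"
            cfg["pools"][tok[3]] = ipaddress.ip_network(f"{first}/{mask}", strict=False)
        elif tok[:3] == ["nat", "(inside)", "0"] and tok[3] == "access-list":
            cfg["nat0_acl"] = tok[4]
        elif tok[:2] == ["split-tunnel-network-list", "value"]:
            cfg["split_acl"] = tok[2]
        elif tok[:2] == ["sysopt", "noproxyarp"]:
            cfg["noproxyarp"].add(tok[2])
        if not sub and tok[0] != "interface":
            cur = None  # any top-level command leaves interface sub-mode
    return cfg


def check_remote_access(text, server_subnet):
    """Findings per VPN pool for the given LAN subnet that clients must reach."""
    cfg = parse_config(text)
    server = ipaddress.ip_network(server_subnet)
    inside = next((i["net"] for i in cfg["interfaces"] if i["nameif"] == "inside"), None)
    nat0 = cfg["acls"].get(cfg["nat0_acl"], [])
    split = cfg["acls"].get(cfg["split_acl"], [])
    findings = {}
    for name, pool in cfg["pools"].items():
        findings[name] = {
            # 1. LAN -> pool traffic must be exempted from the nat (inside) 1 rule
            "nat_exempt": any(server.subnet_of(s) and pool.subnet_of(d) for s, d in nat0),
            # 2. the split-tunnel list must include the server subnet
            "split_includes_servers": any(server.subnet_of(n) for n, _ in split),
            # 3. a pool carved out of the inside subnet depends on proxy ARP there
            "pool_inside_lan": inside is not None and pool.subnet_of(inside),
            "proxyarp_disabled_inside": "inside" in cfg["noproxyarp"],
        }
    return findings


if __name__ == "__main__":
    for pool, result in check_remote_access(SAMPLE_CONFIG, "10.40.1.0/24").items():
        print(pool, result)
```

Run it against a saved `show run` (with the same placeholder replacement the thread's author used) by passing the file's text to `check_remote_access`. All four flags come back true for the constructed sample: the NAT exemption and split-tunnel entries are present, and the pool lies inside the /16 on the inside interface while proxy ARP is disabled there, which is the combination worth looking at alongside the host-route observation earlier in the thread.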
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26367454
hi

What exactly is your address pool used for VPN?

Of all the following split-tunnel ACL entries, only the underlined ACL are needed according to your configuration, is it not?

access-list _splitTunnelAcl standard permit 192.168.129.0 255.255.255.0
access-list _splitTunnelAcl standard permit 172.16.1.0 255.255.255.192
access-list _splitTunnelAcl standard permit 10.20.0.0 255.255.0.0
access-list _splitTunnelAcl standard permit 10.30.0.0 255.255.255.0
access-list _splitTunnelAcl standard permit 10.30.50.0 255.255.255.0
access-list _splitTunnelAcl standard permit 10.40.1.0 255.255.255.0
access-list _splitTunnelAcl_1 standard permit any

Plus remove this one; explain what it's for?
route inside 192.168.129.0 255.255.255.0 10.40.1.1 1

and you aren't specifying which pool you are using here

tunnel-group  type remote-access
tunnel-group  general-attributes
 address-pool  ???


0
 
LVL 14

Author Comment

by:dmwynne
ID: 26370556
Split tunnel entries are needed for access to other internal networks.  


The route inside 192.168.129.0 255.255.255.0 10.40.1.1 1 is needed as there is another switch with vlan 192.168.129.x connected to the 1st switch.

I removed some info from the file for security reasons, but I've tried using two different pools, 10.40.101.x /16 and 10.40.101.x /24, neither of which work.


0
 
LVL 16

Expert Comment

by:memo_tnt
ID: 26559441
hi
 
 Any update regarding this issue?
 Is it solved?
0
 
LVL 14

Accepted Solution

by:
dmwynne earned 0 total points
ID: 26561483
I matched the configs line for line with another working device and it is working.
0
 

Expert Comment

by:DRbob
ID: 26570710
I do not know if you are having the same issues as myself.  I had remote access vpn and site to site vpn where I could not ping all the hosts on the destination subnet.  I could ping .1, .2, 5 however could not ping any others.  The issue could be that the ACL check is doing something strange.   I found this command which seems to have fixed my problem.

sysopt connection permit-ipsec  

This command is a global command it bypasses the ACL check for all of the IPsec tunnels.

The other thing you could try if that does not fix your problem is  to set reverse-route in your crypto map  such as this
asa(config)#crypto map your_mapname 20 set reverse-route
DR B
0