VPN users cannot access LAN resources

This is the network setup: Internet => Cisco ASA => HP switch => LAN hosts.

Local machines can get to the internet and can access one another.

Clients are on 10.40.4.x/16, servers on 10.40.1.x. The ASA is not the gateway; the gateway is 10.40.1.1, which is an HP ProCurve 2610 (J9088A).

When connecting with the Cisco IPsec client, addresses in 10.40.101.x/16 are given. The VPN clients cannot get to LAN machines or servers. The VPN clients can ping the ASA and ping the switch at 10.40.1.1. The switch can ping a 10.40.101.x address (VPN client) and the ASA; however, the ASA cannot ping the VPN clients.

Asked by dmwynne
dmwynne (Author, accepted solution) commented:
I matched the configs line for line with another working device and it is working.
memo_tnt commented:
Hi

Are you defining a split tunnel in your ASA configuration?

It looks like the following example:

access-list cisco_splitTunnelAcl standard permit any

group-policy NAME internal
group-policy NAME attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN


Neil Russell (Technical Development Lead) commented:
Your switch needs to be able to route if it is the DGW. It needs a route to 10.40.101.x/16 via the IP of the Cisco ASA.
dmwynne (Author) commented:
I do have split tunneling defined.

I added that route to the switch but still do not have access.  
DRbob commented:
Hi there! I would suggest that you do a traceroute from your LAN client to the VPN and from your VPN client to the LAN clients to see how the packets are getting routed. That should tell you where you're losing your packets. I have set up a remote VPN connection on my 5505 and can see the backside network systems using ping and tracert; however, I cannot ping, telnet, or manage the backside gateway, which is the inside gateway IP. That has me baffled a bit.
Hope this helps you.
Drbobf
dmwynne (Author) commented:
Yes, I've done the traces, and the trace from the inside machine 10.40.1.11 fails immediately, yet I can ping the switch and the ASA from that machine.
Pete Long (Technical Consultant) commented:
On the ASA issue the following command:
crypto isakmp nat-traversal 20
Any difference?
dmwynne (Author) commented:
I added crypto isakmp nat-traversal 20 but still do not have access.
Pete Long (Technical Consultant) commented:
Does the client connect without error but no traffic passes?
dmwynne (Author) commented:
Yes, the client connects fine and it can ping the ASA interface and the switch IP address.
Pete Long (Technical Consultant) commented:
If you plug a PC into the inside interface of the firewall directly, can a remote client ping that?
Also show me the results of a "show run nat" command.
DRbob commented:
Just thought of this when I was working with my setup. If you are using the Cisco VPN client, make sure that the checkbox on the VPN client's Transport tab to "Allow Local LAN Access" is checked. If this is the case, I have found that I had to close the client and restart the VPN client for this setting to take effect!
dmwynne (Author) commented:
PeteLong - Unfortunately I don't have physical access to the ASA. One thing I can add is that there is another switch connected to the 1st HP switch, and when I add a static route to its network I can get to hosts on that switch from VPN clients. Not sure if that may shed some light on things.

DRbob: I had already verified this box was checked, but thanks for the suggestion.
dmwynne (Author) commented:
Here is show run nat:

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
Pete Long (Technical Consultant) commented:
Does
sho run access-list inside_nat0_outbound
list ACL entries for the remote VPN client subnet?
dmwynne (Author) commented:
Show run access list does have entries for the remote clients.
dmwynne (Author) commented:
So I am still fighting with this. I've spoken with both HP and Cisco and they blame the other device. If I enter a route on a host that is on 10.40.1.x to 10.40.101.x, then all is well. Does that stir up any possible reasons why I need this route on the host for it to work?
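As an added example (not code from the thread or any participant): a small Python check that encodes the facts posted above (inside interface 10.40.0.0/16, VPN pool 10.40.101.0/24, the nat0 exemption entries) and shows what a server on 10.40.1.x does with a packet for a VPN client, with and without the host route the author found necessary. The ASA's inside address is redacted in the post, so 10.40.0.254 is a placeholder, and the redacted octets in the nat0 entries are assumed to be 0.

```python
import ipaddress

# Facts taken from the thread and the posted config.
INSIDE_NET = ipaddress.ip_network("10.40.0.0/16")   # inside: ip address 10.40.x.x 255.255.0.0
VPN_POOL = ipaddress.ip_network("10.40.101.0/24")   # ip local pool ... mask 255.255.255.0
# Placeholder (assumption) for the redacted ASA inside interface address.
ASA_INSIDE = ipaddress.ip_address("10.40.0.254")

# nat0 (identity NAT) entries from "access-list inside_nat0_outbound";
# the redacted fourth octets are assumed to be 0.
NAT0_EXEMPT = [("10.40.1.0/24", "10.40.101.0/24"), ("0.0.0.0/0", "10.40.101.0/24")]

def nat0_exempts(src, dst):
    """True when src->dst matches a nat0 entry, i.e. the ASA leaves it untranslated."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b)
               for a, b in NAT0_EXEMPT)

def pool_overlaps_inside():
    """The pool is carved out of the inside /16, so LAN hosts treat VPN clients as on-link."""
    return VPN_POOL.subnet_of(INSIDE_NET)

def lan_host_next_hop(dst, host_net=INSIDE_NET, static_routes=None):
    """Forwarding decision of a LAN host for dst: most specific static route first,
    then on-link ARP for its own subnet, otherwise the default gateway."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, via in (static_routes or {}).items():
        n = ipaddress.ip_network(net)
        if d in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, via)
    if best:
        return f"via {best[1]}"
    if d in host_net:
        return "arp"          # host ARPs for dst itself; no router sees the packet
    return "gateway"

def diagnose(client="10.40.101.5", server="10.40.1.11"):
    """Summarise both checks for one server/VPN-client pair (constructed addresses)."""
    return {
        "nat0_exempt": nat0_exempts(server, client),
        "pool_inside_lan": pool_overlaps_inside(),
        "server_without_route": lan_host_next_hop(client),
        "server_with_route": lan_host_next_hop(
            client, static_routes={str(VPN_POOL): ASA_INSIDE}),
    }

if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Without the host route the server resolves the VPN client by ARP on its own /16 and never hands the packet to any router; whether the ASA answers that ARP depends on its proxy-ARP setting, and the posted config carries `sysopt noproxyarp inside`.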
memo_tnt commented:
Add the following:

access-list inside_nat0_outbound extended permit ip any 10.40.101.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
dmwynne (Author) commented:
I can't see how it's an access list problem if it works with the route manually added but does not if the route is not there. If it was access list based, I would expect it would fail regardless of whether I had the route or not.
memo_tnt commented:
The above is NAT configuration, not ACL alone...

Did you try it?

Also, if it doesn't work, then post the whole configuration!
dmwynne (Author) commented:
Did not work.

Here is the running config.
: Saved
:
ASA Version 8.0(3)
!
hostname Montreal
domain-name 
enable password 
no names
name 10.30.0.0 D
name 10.50.0.0 S
name 10.20.0.0 W
name 10.10.0.0 W
name 172.16.1.0 W
name 192.168.129.0 M
name 10.40.xxx.x M
name 192.168.128.0 W
name 10.10.101.0 W
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.40.x.x 255.255.0.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.110.xxx.xxx 255.255.255.128
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd  encrypted
boot system disk0:/
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name .com
same-security-traffic permit intra-interface
object-group service RDP tcp
 description Remote Desktop
 port-object eq 3389
object-group network DM_INLINE_NETWORK_1
 network-object 10.40.0.x 255.255.0.0
 network-object 192.168.129.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object 10.10.0.0 255.255.0.0
 network-object 192.168.128.0 255.255.255.0
 network-object 10.10.101.0 255.255.255.0
 network-object 10.20.0.0 255.255.0.0
 network-object 10.30.0.0 255.255.0.0
 network-object 10.50.0.0 255.255.0.0
 network-object 172.16.xxx.xxx 255.255.255.192
object-group network DM_INLINE_NETWORK_3
 network-object 10.20.0.0 255.255.0.0
 network-object 172.16.xxx.xxx 255.255.255.192
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list outside_1_cryptomap extended permit ip 10.40.0.0 255.255.0.0 10.10.101.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.40.0.0 255.255.0.0 10.30.0.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip 10.40.0.0 255.255.0.0 10.50.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip any 192.168.37.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.40.1.x 255.255.255.0 10.40.101.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.129.0 255.255.255.0 10.40.101.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.xxx/xxx 255.255.255.192 10.40.101.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.20.0.0 255.255.0.0 10.40.101.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.0.0 255.255.255.0 10.40.101.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.50.0 255.255.255.0 10.40.101.x 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.40.101.x 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.40.0.x 255.255.0.0 object-group DM_INLINE_NETWORK_3
access-list captest extended permit ip host 10.40.101.x host 10.40.1.xx
access-list captest extended permit ip host 10.40.1.xx host 10.40.101.x
access-list _splitTunnelAcl standard permit 192.168.129.0 255.255.255.0
access-list _splitTunnelAcl standard permit 172.16.xxx/xxx 255.255.255.192
access-list _splitTunnelAcl standard permit 10.20.0.0 255.255.0.0
access-list _splitTunnelAcl standard permit 10.30.0.0 255.255.255.0
access-list _splitTunnelAcl standard permit 10.30.50.0 255.255.255.0
access-list _splitTunnelAcl standard permit 10.40.1.x 255.255.255.0
access-list _splitTunnelAcl_1 standard permit any
pager lines 24
logging enable
logging buffered debugging
logging asdm errors
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.37.1-192.168.37.254 mask 255.255.255.0
ip local pool  10.40.101.x-10.40.101.xxx mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 66.110.xxx.xxx 1
route inside 192.168.129.0 255.255.255.0 10.40.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server protocol nt
aaa-server  host 
 timeout 5
 nt-auth-domain-controller 
http server enable
http 10.0.0.0 255.0.0.0 inside
http  outside
http  outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1260
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 21
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 60
ssh timeout 15
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
ntp server 
group-policy DfltGrpPolicy attributes
group-policy  internal
group-policy  attributes
 dns-server value 10.40.1.xx 10.10.1.11
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value _splitTunnelAcl
 default-domain value .com
tunnel-group 
tunnel-group 
 pre-shared-key *
tunnel-group 
tunnel-group 
 pre-shared-key *
tunnel-group  type remote-access
tunnel-group  general-attributes
 address-pool 
 authentication-server-group 
 default-group-policy 
tunnel-group  ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ce48dd517a99ddd420d12862c1c06ffc
: end

memo_tnt commented:
Hi

What exactly is your address pool used for VPN?

Of all the following split ACL entries, only the underlined ACL is needed according to your configuration, is it not?

access-list _splitTunnelAcl standard permit 192.168.129.0 255.255.255.0
access-list _splitTunnelAcl standard permit 172.16.1.0 255.255.255.192
access-list _splitTunnelAcl standard permit 10.20.0.0 255.255.0.0
access-list _splitTunnelAcl standard permit 10.30.0.0 255.255.255.0
access-list _splitTunnelAcl standard permit 10.30.50.0 255.255.255.0
access-list _splitTunnelAcl standard permit 10.40.1.0 255.255.255.0
access-list _splitTunnelAcl_1 standard permit any

Plus remove this one, and explain what it's for:
route inside 192.168.129.0 255.255.255.0 10.40.1.1 1

And you aren't specifying which pool you are using here:

tunnel-group  type remote-access
tunnel-group  general-attributes
 address-pool  ???


dmwynne (Author) commented:
Split tunnel entries are needed for access to other internal networks.  


The route inside 192.168.129.0 255.255.255.0 10.40.1.1 1 is needed, as there is another switch with VLAN 192.168.129.x connected to the 1st switch.

I removed some info from the file for security reasons, but I've tried using two different pools, 10.40.101.x/16 and 10.40.101.x/24, neither of which work.


memo_tnt commented:
Hi

Any update regarding this issue? Is it solved?
DRbob commented:
I do not know if you are having the same issues as myself. I had remote access VPN and site-to-site VPN where I could not ping all the hosts on the destination subnet. I could ping .1, .2, .5; however, I could not ping any others. The issue could be that the ACL check is doing something strange. I found this command which seems to have fixed my problem.

sysopt connection permit-ipsec  

This command is a global command; it bypasses the ACL check for all of the IPsec tunnels.

The other thing you could try, if that does not fix your problem, is to set reverse-route in your crypto map, such as this:
asa(config)#crypto map your_mapname 20 set reverse-route
DR B