Cisco 5505 vpn client connects, but no access.

5505 works fine as an internet router from inside. Ran the VPN Wizard. Now I can connect using the Cisco VPN client; I use version 4.7. Problem is I cannot ping anything on the inside. Tried the inside interface on the router, and other machines on the inside LAN. Config as below, outside IP masked as *.*.*.*. Please help.


: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password e6IG26r0yJuKiPvk encrypted
passwd 2KFQneNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.1.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.115.0 255.255.255.0 192.168.1.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.5.48 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool tietopool 192.168.5.50-192.168.5.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 192.168.115.0 255.255.255.0 192.168.1.2 1
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.115.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs group1
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  30
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.50 inside
dhcpd dns 195.159.0.100 195.159.0.200 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!

group-policy tietogroup internal
group-policy tietogroup attributes
 dns-server value 192.168.115.40
 vpn-tunnel-protocol IPSec
username tieto password LPk9P32ZCXmyVNxz encrypted privilege 0
username tieto attributes
 vpn-group-policy tietogroup
tunnel-group tietogroup type ipsec-ra
tunnel-group tietogroup general-attributes
 address-pool tietopool
 default-group-policy tietogroup
tunnel-group tietogroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0eeccd37b0216e3f5498a978a912eb22
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

MrWhyAsked:
memo_tntCommented:
Hi

You need to add a split tunnel that allows the remote client to access your LAN.

Check the following post of mine on a previous, similar scenario and try to do the same:

http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_25123268.html?cid=1131#a26513128


0
MrWhyAuthor Commented:
I thought split tunneling was to enable the client to browse the internet outside of the tunnel while accessing the LAN through the tunnel? Isn't it safer not to permit connections outside of the tunnel to coexist?
0
memo_tntCommented:
Aha, you didn't mention that!
Why are you using this route?
route inside 192.168.115.0 255.255.255.0 192.168.1.2 1

You don't need it?
0
MrWhyAuthor Commented:
That route is for accessing a LAN beyond another firewall further inside. It should also be accessible through the VPN. It's reachable by ping from the 5505 via the ASDM as is, but not through the VPN, like the other range.
0
memo_tntCommented:
Try the split tunnel first and check whether you can access them.
0
MrWhyAuthor Commented:
Tried split tunnel by rerunning the wizard. No difference. Noticed that after connecting the client, the internet would not work either (on the client machine, that is).

Here is the new config.

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password e6IG26r0yJuKiPvk encrypted
passwd 2KFQneNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.1.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.115.0 255.255.255.0 192.168.1.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.5.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.115.0 255.255.255.0 192.168.5.48 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool tietopool 192.168.5.50-192.168.5.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 192.168.115.0 255.255.255.0 192.168.1.2 1
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.115.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs group1
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs group1
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  30
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.50 inside
dhcpd dns 195.159.0.100 195.159.0.200 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!

group-policy tietogroup_1 internal
group-policy tietogroup_1 attributes
 dns-server value 192.168.115.40
 vpn-tunnel-protocol IPSec
group-policy tietogroup internal
group-policy tietogroup attributes
 dns-server value 192.168.115.40
 vpn-tunnel-protocol IPSec
username tieto password LPk9P32ZCXmyVNxz encrypted privilege 0
username tieto attributes
 vpn-group-policy tietogroup
tunnel-group tietogroup type ipsec-ra
tunnel-group tietogroup general-attributes
 address-pool tietopool
 default-group-policy tietogroup_1
tunnel-group tietogroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0eeccd37b0216e3f5498a978a912eb22
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

0
anoopkmrCommented:
Try the following on the ASA (copy and paste):

access-list Split extended permit ip 192.168.1.0 255.255.255.0 any
access-list Split extended permit ip 192.168.115.0 255.255.255.0 any

sysopt connection permit-vpn
crypto isakmp nat-traversal 60

group-policy tietogroup_1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split

policy-map global_policy
class inspection_default
inspect icmp


If you are not using the crypto maps below, then it's better to delete them; copy and paste the lines below.

no crypto dynamic-map outside_dyn_map 20 set pfs group1
no crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 40 set pfs group1
no crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 60 set pfs group1
no crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 80 set pfs group1
no crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 100 set pfs group1
no crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 120 set pfs group1
no crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
0
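As an added example (not from the thread and not Cisco's code), the following Python script checks an ASA 7.2-style running-config for the two settings anoopkmr's snippet addresses: that return traffic from the inside networks to the VPN address pool is exempted from NAT through the nat 0 ACL, and that the group policy the tunnel-group applies carries a tunnelspecified split-tunnel ACL listing the inside networks. The sample config is constructed from the thread's second config plus the split-tunnel lines above; the inside networks are passed in as an assumption because the config does not name them, and the helper names (parse_acls, parse_sections, audit, broken_config) are hypothetical.

```python
"""Added example (not from the thread): audit an ASA 7.2-style running-config for the NAT
exemption and split-tunnel settings a remote-access VPN client needs to reach the inside LAN."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the thread's second config plus anoopkmr's split-tunnel lines.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.115.0 255.255.255.0 192.168.5.48 255.255.255.240
access-list Split extended permit ip 192.168.1.0 255.255.255.0 any
access-list Split extended permit ip 192.168.115.0 255.255.255.0 any
ip local pool tietopool 192.168.5.50-192.168.5.60 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy tietogroup_1 internal
group-policy tietogroup_1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split
tunnel-group tietogroup type ipsec-ra
tunnel-group tietogroup general-attributes
 address-pool tietopool
 default-group-policy tietogroup_1
"""
# Assumption: the operator supplies the inside networks; the config itself does not name them.
INSIDE_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("192.168.115.0/24")]
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)")
Net = ipaddress.IPv4Network

def _take_addr(tokens: List[str]) -> Net:
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acls(config: str) -> Dict[str, List[Tuple[Net, Net]]]:
    """ACL name -> list of (src, dst) networks taken from 'permit ip' entries."""
    acls: Dict[str, List[Tuple[Net, Net]]] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            tokens = m.group(2).split()
            acls.setdefault(m.group(1), []).append((_take_addr(tokens), _take_addr(tokens)))
    return acls

def parse_sections(config: str, header: str) -> Dict[str, Dict[str, str]]:
    """Indented ' key value' lines under each header matching `header` (regex group 1 = name)."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(header, line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None
    return sections

def audit(config: str, inside_nets: List[Net]) -> List[str]:
    """Return findings; an empty list means both checks pass for every tunnel-group."""
    acls = parse_acls(config)
    pools = {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
             for m in map(POOL_RE.match, config.splitlines()) if m}
    policies = parse_sections(config, r"^group-policy (\S+) attributes")
    tunnels = parse_sections(config, r"^tunnel-group (\S+) general-attributes")
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    nat0_aces = acls.get(nat0.group(1), []) if nat0 else []
    findings = []
    for tg, attrs in tunnels.items():
        pool = pools.get(attrs.get("address-pool", ""))
        if pool is None:
            findings.append(f"{tg}: no address pool")
            continue
        # 1. Replies from the LAN to the pool must bypass dynamic NAT (nat 0), or packet-tracer
        #    shows the 'NAT ... DROP' seen later in the thread: src must cover the LAN, dst the pool.
        for net in inside_nets:
            if not any(net.subnet_of(s) and pool[0] in d and pool[1] in d for s, d in nat0_aces):
                findings.append(f"{tg}: {net} -> VPN pool is not exempt from NAT")
        # 2. With 'tunnelspecified' only the listed networks enter the tunnel; without it the
        #    client's internet traffic is tunnelled too (the symptom MrWhy saw).
        gp = policies.get(attrs.get("default-group-policy", ""), {})
        if gp.get("split-tunnel-policy") != "tunnelspecified":
            findings.append(f"{tg}: no split tunnel (all client traffic enters the tunnel)")
            continue
        parts = gp.get("split-tunnel-network-list", "").split()
        split_aces = acls.get(parts[-1], []) if parts else []
        for net in inside_nets:
            if not any(net.subnet_of(src) for src, _ in split_aces):
                findings.append(f"{tg}: {net} missing from split-tunnel ACL")
    return findings

def broken_config() -> str:
    """Constructed variant with the 192.168.115.0 lines removed, as if the far LAN were forgotten."""
    return "\n".join(l for l in SAMPLE_CONFIG.splitlines() if "192.168.115.0" not in l) + "\n"
```

Run `audit(open("running-config.txt").read(), INSIDE_NETS)` against a saved `show running-config`; the constructed sample returns no findings, while `broken_config()` reports the 192.168.115.0/24 network as both not NAT-exempt and missing from the Split ACL, which is exactly the pair of conditions the thread's first config failed for the VPN pool.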
MrWhyAuthor Commented:
Still no ping on the inside. I can now ping internet addresses from the client.
0
MrWhyAuthor Commented:
In addition, from the ASDM I can ping addresses on the 192.168.115.0 network, and the ASA's own address at 192.168.1.1, but I can't reach any other machines on the 192.168.1.0 network anymore. That was OK with the first config.
0
anoopkmrCommented:
Did you enable NAT transparency tunneling? See the image.

From the ASA, can you give the output of the command below while testing:

show crypto ipsec sa

Untitled.gif
0
anoopkmrCommented:
OK, now we need to check why the ASA is not able to reach its own LAN.

From the ASA, can you ping 192.168.1.2?

What is 192.168.1.2? Is it a router?

Did you add the proper routing for 192.168.5.48 255.255.255.240 on that router via
the ASA?
0
MrWhyAuthor Commented:
Result of the command: "show crypto ipsec sa"

There are no ipsec sas

Transparent tunneling is enabled on client.

Oops, my fault. 192.168.1.2 is a DMZ leg on an ISA firewall. That doesn't answer ping, by firewall rule. I can ping 192.168.1.20 on the same segment, so I guess this is in order.
0
MrWhyAuthor Commented:
Btw, 192.168.115.40 is behind the ISA, through the 192.168.1.2 leg.
0
anoopkmrCommented:
What is the GW configured on 192.168.1.20?

If the GW of 192.168.1.20 is not 192.168.1.1, then you have to add a route for the VPN client network.

OK, now for testing, can you try to ping 192.168.1.20 from the VPN client?
0
anoopkmrCommented:
Did you add the proper routing on the ISA server for the VPN client address pool?
0
MrWhyAuthor Commented:
GW on 192.168.1.20 is 192.168.1.1, i.e. the Cisco 5505.
Cannot ping 192.168.1.20, 192.168.1.2 or 192.168.1.1 from the client.
Routing should be good, as it worked with a previous PIX on the same segment.
0
anoopkmrCommented:
Please give me the show crypto ipsec sa output while pinging.
0
MrWhyAuthor Commented:
Tried Packet tracer from 192.168.5.50 to 192.168.1.2

Result:
Type - NAT     Action - DROP
Config
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 150, untranslate hits = 0
0
MrWhyAuthor Commented:
Result of the command: "show crypto ipsec sa"

interface: outside
    Crypto map tag: outside_dyn_map, seq num: 140, local addr: *.*.*.*

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.50/255.255.255.255/0/0)
      current_peer: *.*.*.*, username: tieto
      dynamic allocated peer ip: 192.168.5.50

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 148, #pkts decrypt: 148, #pkts verify: 148
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.:*.*.*.*/4500, remote crypto endpt.: *.*.*.*/1031
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 135962D8

    inbound esp sas:
      spi: 0x1EC5C33E (516277054)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 15, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 27550
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x135962D8 (324625112)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 15, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 27550
         IV size: 8 bytes
         replay detection support: Y
0
MrWhyAuthor Commented:
Btw, shouldn't RIP take care of the routing?
0
anoopkmrCommented:
No need to enable RIP for the routing;
a static route is enough.

From the show crypto ipsec sa I can see that packets are coming from the client and our ASA is decapsulating them, but there is no reply.

Disable any firewall on 192.168.1.20 and try ping.

Did you apply the configs below on the ASA (just for my knowledge)?

access-list Split extended permit ip 192.168.1.0 255.255.255.0 any
access-list Split extended permit ip 192.168.115.0 255.255.255.0 any
group-policy tietogroup_1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split



0
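As an added example (not part of the thread), this Python snippet parses the packet counters from the `show crypto ipsec sa` output MrWhy posted and turns anoopkmr's reading of it (packets decapsulated, none encapsulated, so the ASA decrypts the client's traffic but never sends a reply) into a check that can be run against saved output. The sample output is constructed, modelled on the thread's, with documentation-range addresses standing in for the masked public IPs; the function names parse_sa and diagnose are hypothetical.

```python
"""Added example (not from the thread): read the packet counters from 'show crypto ipsec sa'
and classify the SA as idle, one-way or two-way, with the next thing to check for each case."""
import re
from typing import Dict, Tuple

# Constructed sample, modelled on the thread's output; 203.0.113.10 and 198.51.100.7 are
# documentation-range placeholders for the poster's masked public addresses.
SAMPLE_SA = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 140, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.50/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: tieto
      dynamic allocated peer ip: 192.168.5.50

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 148, #pkts decrypt: 148, #pkts verify: 148
      #send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|verify): (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
PEER_RE = re.compile(r"dynamic allocated peer ip: ([\d.]+)")


def parse_sa(text: str) -> Dict[str, object]:
    """Extract the packet counters, the protected identities and the address handed to the client."""
    info: Dict[str, object] = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    for side, addr, mask in IDENT_RE.findall(text):
        info[f"{side}_ident"] = f"{addr}/{mask}"
    m = PEER_RE.search(text)
    info["peer_ip"] = m.group(1) if m else None
    return info


def diagnose(info: Dict[str, object]) -> Tuple[str, str]:
    """Classify by encaps (packets the ASA encrypted towards the client) vs decaps (received)."""
    sent, received = int(info.get("encaps", 0)), int(info.get("decaps", 0))
    if sent == 0 and received == 0:
        return "idle", "SA is up but carries no traffic: generate some (a ping) and re-check."
    if received > 0 and sent == 0:
        return ("one-way-inbound",
                "the ASA decrypts the client's packets but never encrypts a reply: the inside host "
                "is not answering, or replies to the pool are NATed or routed away from the tunnel; "
                "check the nat 0 exemption for the pool and the inside hosts' route back to it.")
    if sent > 0 and received == 0:
        return "one-way-outbound", "the ASA sends but receives nothing: check the client side and NAT-T."
    return "two-way", "traffic flows both ways through the tunnel; look at host firewalls and routing beyond it."


if __name__ == "__main__":
    status, hint = diagnose(parse_sa(SAMPLE_SA))
    print(f"{status}: {hint}")
```

On the thread's output this reports one-way-inbound, which matches anoopkmr's diagnosis and points at the same two suspects the thread then worked through: the NAT exemption on the ASA and the return route (here, the ISA's network definition) for the 192.168.5.48/28 pool.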

MrWhyAuthor Commented:
I have no access to 192.168.1.20, but I introduced a machine with 192.168.1.21. I could actually ping that one. Now all that's left is getting access to the 115.0 network.
0
anoopkmrCommented:
So 192.168.1.21 is reachable via the tunnel.

OK, for the 192.168.115.0 network:
1) You need to check the routing on 192.168.1.2 (ISA).
2) You need to check whether the ISA firewall rule is allowing the necessary traffic or not.
0
MrWhyAuthor Commented:
YESS, got it now. You put me on the right track. The solution was to add the VPN IP range to the network definition for that perimeter network on the ISA.

Thank you for the outstanding help.
0
MrWhyAuthor Commented:
Quick answers and good communication.
0