Solved

Cisco 5505 vpn client connects, but no access.

Posted on 2010-08-19
Last Modified: 2012-08-14
The 5505 works fine as an internet router from the inside. I ran the VPN Wizard and can now connect using the Cisco VPN client, version 4.7. The problem is that I cannot ping anything on the inside. I tried the inside interface on the router and other machines on the inside LAN. Config below, with the outside IP masked as *.*.*.*. Please help.


: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password e6IG26r0yJuKiPvk encrypted
passwd 2KFQneNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.1.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.115.0 255.255.255.0 192.168.1.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.5.48 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool tietopool 192.168.5.50-192.168.5.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 192.168.115.0 255.255.255.0 192.168.1.2 1
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.115.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs group1
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  30
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.50 inside
dhcpd dns 195.159.0.100 195.159.0.200 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!

group-policy tietogroup internal
group-policy tietogroup attributes
 dns-server value 192.168.115.40
 vpn-tunnel-protocol IPSec
username tieto password LPk9P32ZCXmyVNxz encrypted privilege 0
username tieto attributes
 vpn-group-policy tietogroup
tunnel-group tietogroup type ipsec-ra
tunnel-group tietogroup general-attributes
 address-pool tietopool
 default-group-policy tietogroup
tunnel-group tietogroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0eeccd37b0216e3f5498a978a912eb22
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

Question by: MrWhy
25 Comments
 
LVL 16

Expert Comment

by:memo_tnt
ID: 33473043
Hi,

You need to add a split tunnel that allows the remote client to access your LAN.

Check the following post of mine on the same scenario and try to do the same:

http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_25123268.html?cid=1131#a26513128


 

Author Comment

by:MrWhy
ID: 33473068
I thought split tunneling was to enable the client to browse the internet outside of the tunnel while accessing the LAN through the tunnel? Isn't it safer not to permit connections outside of the tunnel to coexist?
 
LVL 16

Expert Comment

by:memo_tnt
ID: 33473089
Aha, you didn't mention that!
Why are you using this route?
route inside 192.168.115.0 255.255.255.0 192.168.1.2 1

You don't need it?
 

Author Comment

by:MrWhy
ID: 33473111
That route is for accessing a LAN beyond another firewall further inside. It should also be accessible through the VPN. It's reachable by ping from the 5505 via the ASDM as is, but not through the VPN, like the other range.
 
LVL 16

Expert Comment

by:memo_tnt
ID: 33473138
Try the split tunnel first and check if you can access them.
 

Author Comment

by:MrWhy
ID: 33473436
Tried split tunnel by rerunning the wizard. No difference. Noticed that after connecting the client, the internet would not work either (on the client machine, that is).

Here is the new config.

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password e6IG26r0yJuKiPvk encrypted
passwd 2KFQneNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.1.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.115.0 255.255.255.0 192.168.1.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.5.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.115.0 255.255.255.0 192.168.5.48 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool tietopool 192.168.5.50-192.168.5.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 192.168.115.0 255.255.255.0 192.168.1.2 1
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.115.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs group1
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs group1
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  30
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.50 inside
dhcpd dns 195.159.0.100 195.159.0.200 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!

group-policy tietogroup_1 internal
group-policy tietogroup_1 attributes
 dns-server value 192.168.115.40
 vpn-tunnel-protocol IPSec
group-policy tietogroup internal
group-policy tietogroup attributes
 dns-server value 192.168.115.40
 vpn-tunnel-protocol IPSec
username tieto password LPk9P32ZCXmyVNxz encrypted privilege 0
username tieto attributes
 vpn-group-policy tietogroup
tunnel-group tietogroup type ipsec-ra
tunnel-group tietogroup general-attributes
 address-pool tietopool
 default-group-policy tietogroup_1
tunnel-group tietogroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0eeccd37b0216e3f5498a978a912eb22
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 500 total points
ID: 33473775
Try the following on the ASA (copy and paste):

access-list Split extended permit ip 192.168.1.0 255.255.255.0 any
access-list Split extended permit ip 192.168.115.0 255.255.255.0 any

sysopt connection permit-vpn
crypto isakmp nat-traversal 60

group-policy tietogroup_1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split

policy-map global_policy
class inspection_default
inspect icmp


If you are not using the crypto maps below, then better delete them; copy and paste the lines below:

no crypto dynamic-map outside_dyn_map 20 set pfs group1
no crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 40 set pfs group1
no crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 60 set pfs group1
no crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 80 set pfs group1
no crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 100 set pfs group1
no crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 120 set pfs group1
no crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
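For the split-tunnel and NAT-exemption changes above, here is an added consistency check (my own example, not code from the thread or from Cisco): it parses the pre-8.3 ASA syntax the thread uses and reports the three mismatches that leave a client connected but unable to reach anything. SAMPLE_CONFIG is constructed from lines posted in the thread, with the 192.168.115.0 entry deliberately left out of the Split list so the check has something to report; the LAN networks, the ACL names inside_nat0_outbound and Split, and the pool name tietopool come from the page.

```python
"""Consistency checks for a pre-8.3 ASA remote-access VPN config (added example)."""
import ipaddress
import re

# Constructed from lines posted in the thread.  The 192.168.115.0 entry is
# deliberately missing from the Split list so that split_gaps() reports it.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 192.168.1.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.115.0 255.255.255.0 192.168.5.48 255.255.255.240
access-list Split extended permit ip 192.168.1.0 255.255.255.0 any
ip local pool tietopool 192.168.5.50-192.168.5.60 mask 255.255.255.0
route inside 192.168.115.0 255.255.255.0 192.168.1.2 1
"""

# The two LANs the thread wants reachable through the tunnel.
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
                ipaddress.ip_network("192.168.115.0/24")]

# 'permit ip <src> <dst>' where each side is 'any' or 'addr mask'
# ('host x.x.x.x' objects do not occur on the page and are not handled).
ACE_RE = re.compile(r"^access-list (?P<name>\S+) extended permit ip "
                    r"(?P<src>any|\S+ \S+) (?P<dst>any|\S+ \S+)\s*$", re.M)
POOL_RE = re.compile(r"^ip local pool \S+ (?P<first>\S+)-(?P<last>\S+)", re.M)


def _net(field):
    if field == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = field.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(config, name):
    """(source, destination) network pairs of the named extended ACL."""
    return [(_net(m["src"]), _net(m["dst"]))
            for m in ACE_RE.finditer(config) if m["name"] == name]


def parse_pool(config):
    """First and last address of the 'ip local pool'."""
    m = POOL_RE.search(config)
    if m is None:
        raise ValueError("no 'ip local pool' line found")
    return ipaddress.ip_address(m["first"]), ipaddress.ip_address(m["last"])


def _covers_pool(net, pool):
    first, last = pool
    return first in net and last in net


def nat0_gaps(config, lan_nets, acl="inside_nat0_outbound"):
    """LANs with no 'nat (inside) 0' ACE exempting LAN -> pool traffic from NAT.

    Without the exemption, LAN-to-pool traffic is subject to the dynamic
    NAT rule instead of being passed untranslated into the tunnel."""
    pool = parse_pool(config)
    aces = parse_acl(config, acl)
    return [str(lan) for lan in lan_nets
            if not any(lan.subnet_of(src) and _covers_pool(dst, pool)
                       for src, dst in aces)]


def split_gaps(config, lan_nets, acl="Split"):
    """LANs missing from the split-tunnel ACL (the client never tunnels them)."""
    sources = [src for src, _ in parse_acl(config, acl)]
    return [str(lan) for lan in lan_nets
            if not any(lan.subnet_of(src) for src in sources)]


def pool_overlaps(config, lan_nets):
    """LANs that overlap the client pool; the pool must be a distinct range."""
    first, last = parse_pool(config)
    pool_nets = list(ipaddress.summarize_address_range(first, last))
    return [str(lan) for lan in lan_nets
            if any(p.overlaps(lan) for p in pool_nets)]


def report(config=SAMPLE_CONFIG, lan_nets=LAN_NETWORKS):
    return {"nat0_gaps": nat0_gaps(config, lan_nets),
            "split_gaps": split_gaps(config, lan_nets),
            "pool_overlaps": pool_overlaps(config, lan_nets)}


if __name__ == "__main__":
    for check, missing in report().items():
        print(f"{check}: {missing or 'ok'}")
```

Run as is, it reports 192.168.115.0/24 under split_gaps and nothing else; feed it a pasted running-config and your own LAN list to check a real box.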
 

Author Comment

by:MrWhy
ID: 33473994
Still no ping on the inside. I can now ping internet addresses from the client.
 

Author Comment

by:MrWhy
ID: 33474042
In addition, from the ASDM I can ping addresses on the 192.168.115.0 network and the ASA's own address at 192.168.1.1, but I can't reach any other machines on the 192.168.1.0 network anymore. That was OK with the first config.
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33474060
Did you enable NAT transparency tunneling? See the image.

From the ASA, can you give the output of the command below while testing:

show crypto ipsec sa

(attached image: Untitled.gif)
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33474075
OK, now we need to check why the ASA is not able to reach its own LAN.

From the ASA, can you ping 192.168.1.2?

What is this 192.168.1.2? Is it a router?

Did you add the proper routing for 192.168.5.48 255.255.255.240 on that router via the ASA?
 

Author Comment

by:MrWhy
ID: 33474140
Result of the command: "show crypto ipsec sa"

There are no ipsec sas

Transparent tunneling is enabled on client.

Oops. My fault. 192.168.1.2 is a DMZ leg on an ISA firewall. It doesn't answer ping, by firewall rule. I can ping 192.168.1.20 on the same segment, so I guess this is in order.
 

Author Comment

by:MrWhy
ID: 33474149
Btw, 192.168.115.40 is behind the ISA through the 192.168.1.2 leg.
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33474196
What is the GW configured on 192.168.1.20?

If the GW of 192.168.1.20 is not 192.168.1.1, then you have to add a route for the VPN client network.

OK, now for testing, can you try to ping 192.168.1.20 from the VPN client?
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33474265
Did you add the proper routing on the ISA server for the VPN client address pool?
 

Author Comment

by:MrWhy
ID: 33474433
The GW on 192.168.1.20 is 192.168.1.1, i.e. the Cisco 5505.
Cannot ping 192.168.1.20, 192.168.1.2 or 192.168.1.1 from the client.
Routing should be good, as it worked with a previous PIX on the same segment.
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33474571
Please give me the show crypto ipsec sa output while pinging.
 

Author Comment

by:MrWhy
ID: 33474588
Tried Packet Tracer from 192.168.5.50 to 192.168.1.2.

Result:
Type - NAT     Action - DROP
Config
nat(inside) 1.0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 150, untranslate hits = 0
 

Author Comment

by:MrWhy
ID: 33474625
Result of the command: "show crypto ipsec sa"

interface: outside
    Crypto map tag: outside_dyn_map, seq num: 140, local addr: *.*.*.*

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.50/255.255.255.255/0/0)
      current_peer: *.*.*.*, username: tieto
      dynamic allocated peer ip: 192.168.5.50

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 148, #pkts decrypt: 148, #pkts verify: 148
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.:*.*.*.*/4500, remote crypto endpt.: *.*.*.*/1031
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 135962D8

    inbound esp sas:
      spi: 0x1EC5C33E (516277054)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 15, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 27550
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x135962D8 (324625112)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 15, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 27550
         IV size: 8 bytes
         replay detection support: Y
 

Author Comment

by:MrWhy
ID: 33474672
Btw, shouldn't RIP take care of the routing?
 
LVL 14

Accepted Solution

by:anoopkmr
anoopkmr earned 500 total points
ID: 33474963
No need to enable RIP for the routing; a static route is enough.

From the show crypto ipsec sa output I can see that packets are coming from the client and our ASA is decapsulating them, but there is no reply.

Disable any firewall on 192.168.1.20 and try to ping.

Did you apply the configs below in the ASA (just for my knowledge)?

access-list Split extended permit ip 192.168.1.0 255.255.255.0 any
access-list Split extended permit ip 192.168.115.0 255.255.255.0 any
group-policy tietogroup_1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split
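The reading of the counters above (decaps climbing while encaps stays at zero, so client packets arrive but no reply ever goes back through the tunnel) can be automated. This is an added example, not code from the thread or from Cisco. SAMPLE_OUTPUT is constructed from the show crypto ipsec sa output posted earlier, with the documentation addresses 203.0.113.1 and 198.51.100.7 standing in for the masked peer addresses.

```python
"""Flag one-way traffic in 'show crypto ipsec sa' output (added example)."""
import re

# Constructed from the output posted in the thread; 203.0.113.1 and
# 198.51.100.7 replace the masked (*.*.*.*) addresses.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 140, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.50/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: tieto
      dynamic allocated peer ip: 192.168.5.50

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 148, #pkts decrypt: 148, #pkts verify: 148
      #pkts compressed: 0, #pkts decompressed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #send errors: 0, #recv errors: 0
"""

# One "#name: value" counter; several sit on a line separated by ", ".
COUNTER_RE = re.compile(r"#(?P<name>[\w -]+?): (?P<value>\d+)")


def parse_sas(text):
    """Return one dict per SA: crypto-map header, assigned client IP, counters."""
    sas, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Crypto map tag:"):
            current = {"header": s, "peer_ip": None, "counters": {}}
            sas.append(current)
        elif current is None:
            continue
        elif s.startswith("dynamic allocated peer ip:"):
            current["peer_ip"] = s.split(":", 1)[1].strip()
        elif s.startswith("#"):
            for m in COUNTER_RE.finditer(s):
                current["counters"][m["name"].strip()] = int(m["value"])
    return sas


def diagnose(sa):
    """Classify the direction of traffic seen on one SA."""
    c = sa["counters"]
    decaps, encaps = c.get("pkts decaps", 0), c.get("pkts encaps", 0)
    if decaps == 0 and encaps == 0:
        return "idle"
    if decaps > 0 and encaps == 0:
        # Client packets are decrypted, but nothing is ever sent back: the
        # inside host or the return path to the pool is the place to look.
        return "one-way-inbound"
    if encaps > 0 and decaps == 0:
        return "one-way-outbound"
    return "bidirectional"


def one_way_clients(text):
    """Client IPs whose SA shows traffic in only one direction."""
    return [sa["peer_ip"] for sa in parse_sas(text)
            if diagnose(sa).startswith("one-way")]


if __name__ == "__main__":
    for sa in parse_sas(SAMPLE_OUTPUT):
        print(sa["peer_ip"], diagnose(sa), sa["counters"])
```

On the sample it classifies the SA for 192.168.5.50 as one-way-inbound, which is exactly the conclusion drawn above; run it against the full command output to check several clients at once.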
 

Author Comment

by:MrWhy
ID: 33475175
I have no access to 192.168.1.20, but I introduced a machine with 192.168.1.21. I could actually ping that one. Now all that's left is getting access to the 115.0 network.
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 500 total points
ID: 33475208
So 192.168.1.21 is reachable via the tunnel.

OK, for 192.168.115.0:
1) you need to check the routing on 192.168.1.2 (ISA),
2) you need to check whether the ISA firewall rule is allowing the necessary traffic or not.
 

Author Comment

by:MrWhy
ID: 33475657
YESS! Got it now. You put me on the right track. The solution was to add the VPN IP range to the network definition for that perimeter network on the ISA.

Thank you for the outstanding help.
 

Author Closing Comment

by:MrWhy
ID: 33475688
Quick answers and good communication.