Solved

Cisco 5505 vpn client connects, but no access.

Posted on 2010-08-19
25
487 Views
Last Modified: 2012-08-14
The 5505 works fine as an internet router from the inside. I ran the VPN Wizard. Now I can connect using the Cisco VPN client, version 4.7. The problem is that I cannot ping anything on the inside. I tried the inside interface on the router and other machines on the inside LAN. Config as below, outside IP masked as *.*.*.*. Please help.


: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password e6IG26r0yJuKiPvk encrypted
passwd 2KFQneNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.1.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.115.0 255.255.255.0 192.168.1.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.5.48 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool tietopool 192.168.5.50-192.168.5.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 192.168.115.0 255.255.255.0 192.168.1.2 1
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.115.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs group1
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  30
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.50 inside
dhcpd dns 195.159.0.100 195.159.0.200 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!

group-policy tietogroup internal
group-policy tietogroup attributes
 dns-server value 192.168.115.40
 vpn-tunnel-protocol IPSec
username tieto password LPk9P32ZCXmyVNxz encrypted privilege 0
username tieto attributes
 vpn-group-policy tietogroup
tunnel-group tietogroup type ipsec-ra
tunnel-group tietogroup general-attributes
 address-pool tietopool
 default-group-policy tietogroup
tunnel-group tietogroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0eeccd37b0216e3f5498a978a912eb22
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

Question by:MrWhy
25 Comments
 
LVL 16

Expert Comment

by:memo_tnt
Hi

You need to add a split tunnel that allows the remote client to access your LAN.

Check the following post of mine from a previous, similar scenario and try to do the same:

http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_25123268.html?cid=1131#a26513128


0
 

Author Comment

by:MrWhy
I thought split tunneling was to enable the client to browse the internet outside of the tunnel while accessing the LAN through the tunnel? Isn't it safer not to permit connections outside of the tunnel to coexist?
0
 
LVL 16

Expert Comment

by:memo_tnt
Aha, you didn't mention that!
Why are you using this route?
route inside 192.168.115.0 255.255.255.0 192.168.1.2 1

You don't need it?
0
 

Author Comment

by:MrWhy
That route is for accessing a LAN beyond another firewall further inside. It should also be accessible through the VPN. It's reachable by ping from the 5505 via the ASDM as is, but not through the VPN, like the other range.
0
 
LVL 16

Expert Comment

by:memo_tnt
Try the split tunnel first and check whether you can access them.
0
 

Author Comment

by:MrWhy
Tried split tunnel by rerunning the wizard. No difference. Noticed that after connecting the client, the internet would not work either (on the client machine, that is).

Here is the new config.

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password e6IG26r0yJuKiPvk encrypted
passwd 2KFQneNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address *.*.*.* 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.1.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.115.0 255.255.255.0 192.168.1.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.5.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.115.0 255.255.255.0 192.168.5.48 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool tietopool 192.168.5.50-192.168.5.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route inside 192.168.115.0 255.255.255.0 192.168.1.2 1
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
!
router rip
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.115.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs group1
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs group1
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  30
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.20-192.168.1.50 inside
dhcpd dns 195.159.0.100 195.159.0.200 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!

group-policy tietogroup_1 internal
group-policy tietogroup_1 attributes
 dns-server value 192.168.115.40
 vpn-tunnel-protocol IPSec
group-policy tietogroup internal
group-policy tietogroup attributes
 dns-server value 192.168.115.40
 vpn-tunnel-protocol IPSec
username tieto password LPk9P32ZCXmyVNxz encrypted privilege 0
username tieto attributes
 vpn-group-policy tietogroup
tunnel-group tietogroup type ipsec-ra
tunnel-group tietogroup general-attributes
 address-pool tietopool
 default-group-policy tietogroup_1
tunnel-group tietogroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0eeccd37b0216e3f5498a978a912eb22
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 500 total points
Try the following on the ASA (copy and paste):

access-list Split extended permit ip 192.168.1.0 255.255.255.0 any
access-list Split extended permit ip 192.168.115.0 255.255.255.0 any

sysopt connection permit-vpn
crypto isakmp nat-traversal 60

group-policy tietogroup_1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split

policy-map global_policy
class inspection_default
inspect icmp


If you are not using the crypto maps below, then it is better to delete them; copy and paste the lines below:

no crypto dynamic-map outside_dyn_map 20 set pfs group1
no crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 40 set pfs group1
no crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 60 set pfs group1
no crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 80 set pfs group1
no crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 100 set pfs group1
no crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
no crypto dynamic-map outside_dyn_map 120 set pfs group1
no crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
0
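The three pieces of config that anoopkmr is adding or asking about (the nat 0 exemption ACL, the split-tunnel ACL bound to the group policy, and sysopt connection permit-vpn) can be checked mechanically against the posted running-config. The script below is an added example, not code from the thread or from Cisco: it tokenizes the relevant ASA 7.x statements and reports any inside network that the VPN pool could not reach. The sample config is constructed from the values in this thread (pool 192.168.5.50-60, inside LANs 192.168.1.0/24 and 192.168.115.0/24); the `Split` ACL in the sample deliberately omits 192.168.115.0/24 so that the check has something to report.

```python
"""Static sanity check of an ASA 7.x remote-access VPN configuration.

Added example (not from the thread or Cisco). It parses the config lines that
matter for a working IPsec remote-access tunnel and reports gaps:
  1. nat 0 exemption: inside LAN -> VPN pool must not be PATed out the outside interface
  2. split tunnel: every inside LAN must be in the split-tunnel ACL (tunnelspecified)
  3. sysopt connection permit-vpn must be present
"""
import ipaddress
from collections import defaultdict

# Constructed excerpt in the same format as the config posted in the thread.
SAMPLE_CONFIG = """
access-list inside_nat0_outbound extended permit ip any 192.168.5.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.115.0 255.255.255.0 192.168.5.48 255.255.255.240
access-list Split extended permit ip 192.168.1.0 255.255.255.0 any
ip local pool tietopool 192.168.5.50-192.168.5.60 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
sysopt connection permit-vpn
group-policy tietogroup_1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split
"""


def _operand(tokens, i):
    """Parse one ACL address operand (any | host A | A MASK) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA writes "address netmask"; ipaddress accepts the dotted netmask form.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Extract the VPN-relevant statements from running-config text."""
    cfg = {"acls": defaultdict(list), "pools": {}, "nat0_acl": None,
           "split_acl": None, "split_policy": None, "permit_vpn": False}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _operand(t, 5)
            dst, _ = _operand(t, i)
            cfg["acls"][t[1]].append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:3] == ["nat", "(inside)", "0"] and len(t) > 4 and t[3] == "access-list":
            cfg["nat0_acl"] = t[4]
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            cfg["split_acl"] = t[2]
        elif t[0] == "split-tunnel-policy":
            cfg["split_policy"] = t[1]
        elif t == ["sysopt", "connection", "permit-vpn"]:
            cfg["permit_vpn"] = True
    return cfg


def audit(text, inside_lans):
    """Return a list of findings; an empty list means all three checks pass."""
    cfg = parse_config(text)
    lans = [ipaddress.ip_network(n) for n in inside_lans]
    findings = []
    nat0 = cfg["acls"].get(cfg["nat0_acl"], [])
    for name, (lo, hi) in cfg["pools"].items():
        for lan in lans:
            # The pool range is contiguous, so both ends inside dst means the whole pool is.
            if not any(lan.subnet_of(src) and lo in dst and hi in dst for src, dst in nat0):
                findings.append(f"nat0: {lan} -> pool {name} ({lo}-{hi}) is not exempt; "
                                "replies would hit the PAT rule instead of the tunnel")
    if cfg["split_policy"] == "tunnelspecified":
        split = cfg["acls"].get(cfg["split_acl"], [])
        for lan in lans:
            if not any(lan.subnet_of(src) for src, _ in split):
                findings.append(f"split: {lan} not in ACL {cfg['split_acl']}; "
                                "the client will send it outside the tunnel")
    if not cfg["permit_vpn"]:
        findings.append("sysopt connection permit-vpn missing; decrypted traffic is "
                        "subject to the outside interface ACL")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ["192.168.1.0/24", "192.168.115.0/24"]):
        print(finding)
```

Run against the sample it reports only the missing 192.168.115.0/24 entry in the split-tunnel ACL; adding the second `access-list Split` line from anoopkmr's post brings the findings to zero. The check is deliberately conservative: it only understands the `extended permit ip` form used in this thread, not object groups.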
 

Author Comment

by:MrWhy
Still no ping on the inside. I can now ping internet addresses from the client.
0
 

Author Comment

by:MrWhy
In addition, from the ASDM I can ping addresses on the 192.168.115.0 network and the ASA's own address at 192.168.1.1, but I can't reach any other machines on the 192.168.1.0 network anymore. That was OK with the first config.
0
 
LVL 14

Expert Comment

by:anoopkmr
Did you enable NAT transparency tunneling? See the image.

From the ASA, can you give the output of the command below while testing:

show crypto ipsec sa

Untitled.gif
0
 
LVL 14

Expert Comment

by:anoopkmr
OK, now we need to check why the ASA is not able to reach its own LAN.

From the ASA, can you ping 192.168.1.2?

What is 192.168.1.2? Is it a router?

Did you add the proper routing for 192.168.5.48 255.255.255.240 on that router via the ASA?
0
 

Author Comment

by:MrWhy
Result of the command: "show crypto ipsec sa"

There are no ipsec sas

Transparent tunneling is enabled on client.

Oops. My fault. 192.168.1.2 is a DMZ leg on an ISA firewall. It doesn't answer pings, by firewall rule. I can ping 192.168.1.20 on the same segment, so I guess this is in order.
0
 

Author Comment

by:MrWhy
Btw. 192.168.115.40 is behind the ISA through the 192.168.1.2 leg
0
 
LVL 14

Expert Comment

by:anoopkmr
What is the GW configured on 192.168.1.20?

If the GW of 192.168.1.20 is not 192.168.1.1, then you have to add a route for the VPN client network.

OK, now for testing, can you try to ping 192.168.1.20 from the VPN client?
0
 
LVL 14

Expert Comment

by:anoopkmr
Did you add the proper routing on the ISA server for the VPN client address pool?
0
 

Author Comment

by:MrWhy
GW on 192.168.1.20 is 192.168.1.1, i.e. the Cisco 5505.
Cannot ping 192.168.1.20, 192.168.1.2 or 192.168.1.1 from the client
Routing should be good as it worked with a previous PIX on the same segment.
0
 
LVL 14

Expert Comment

by:anoopkmr
Please give me the show crypto ipsec sa output while pinging.
0
 

Author Comment

by:MrWhy
Tried Packet tracer from 192.168.5.50 to 192.168.1.2

Result:
Type - NAT     Action - DROP
Config
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 150, untranslate hits = 0
0
 

Author Comment

by:MrWhy
Result of the command: "show crypto ipsec sa"

interface: outside
    Crypto map tag: outside_dyn_map, seq num: 140, local addr: *.*.*.*

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.50/255.255.255.255/0/0)
      current_peer: *.*.*.*, username: tieto
      dynamic allocated peer ip: 192.168.5.50

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 148, #pkts decrypt: 148, #pkts verify: 148
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.:*.*.*.*/4500, remote crypto endpt.: *.*.*.*/1031
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 135962D8

    inbound esp sas:
      spi: 0x1EC5C33E (516277054)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 15, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 27550
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x135962D8 (324625112)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 15, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 27550
         IV size: 8 bytes
         replay detection support: Y
0
 

Author Comment

by:MrWhy
Btw, shouldn't RIP take care of the routing?
0
 
LVL 14

Accepted Solution

by:anoopkmr
anoopkmr earned 500 total points
No need to enable RIP for the routing; a static route is enough.

From the show crypto ipsec sa I can see that packets are coming from the client and our ASA is decapsulating them, but there is no reply.

Disable any firewall on 192.168.1.20 and try a ping.

Did you apply the configs below on the ASA? (Just for my knowledge.)

access-list Split extended permit ip 192.168.1.0 255.255.255.0 any
access-list Split extended permit ip 192.168.115.0 255.255.255.0 any
group-policy tietogroup_1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split



0
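The diagnosis anoopkmr draws from MrWhy's output (decaps climbing to 148 while encaps stays at 0, so the ASA decrypts the client's pings but never encrypts a reply) is the standard way to read `show crypto ipsec sa` counters, and it is most reliable when done as a delta between two snapshots taken around a test ping. The script below is an added example, not code from the thread or from Cisco: it parses the per-SA `#pkts encaps` / `#pkts decaps` counters from two captures and classifies each SA. The two snapshots are constructed in the same layout as the output posted above; the outside address is a placeholder from the 203.0.113.0/24 documentation range because the post masks it.

```python
"""Classify IPsec SAs from two `show crypto ipsec sa` snapshots.

Added example (not from the thread or Cisco). Take one snapshot, run the test
ping from the VPN client, take a second one, and compare the counters:
  decaps grows, encaps does not  -> packets arrive and are decrypted, no reply
                                    (inside routing to the pool, nat 0, host firewall)
  neither grows                  -> client is not sending into the tunnel
  both grow                      -> the tunnel forwards in both directions
"""
import re

# Constructed snapshots mirroring the thread's output; 203.0.113.10 is a placeholder.
SAMPLE_BEFORE = """\
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 140, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.50/255.255.255.255/0/0)
      current_peer: 203.0.113.20, username: tieto
      dynamic allocated peer ip: 192.168.5.50

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 140, #pkts decrypt: 140, #pkts verify: 140
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("decaps: 140, #pkts decrypt: 140, #pkts verify: 140",
                                     "decaps: 148, #pkts decrypt: 148, #pkts verify: 148")

SA_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")
ENC_RE = re.compile(r"#pkts encaps: (\d+)")
DEC_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_sa(text):
    """Return {remote_ident: {'encaps': n, 'decaps': n}} for every SA block in the output.

    "There are no ipsec sas" (as in MrWhy's first attempt) yields an empty dict.
    """
    sas = {}
    current = None
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            current = f"{m.group(1)}/{m.group(2)}"
            sas[current] = {"encaps": 0, "decaps": 0}
            continue
        if current is None:
            continue
        m = ENC_RE.search(line)
        if m:
            sas[current]["encaps"] = int(m.group(1))
        m = DEC_RE.search(line)
        if m:
            sas[current]["decaps"] = int(m.group(1))
    return sas


def diagnose(before, after):
    """Compare two parse_sa() results taken around a test ping; one verdict per SA."""
    if not before:
        return {"*": "no IPsec SA: the client is not connected or phase 2 never completed"}
    verdicts = {}
    for ident, b in before.items():
        a = after.get(ident)
        if a is None:
            verdicts[ident] = "SA gone: the tunnel was torn down during the test"
            continue
        d_in = a["decaps"] - b["decaps"]
        d_out = a["encaps"] - b["encaps"]
        if d_in == 0 and d_out == 0:
            verdicts[ident] = ("no traffic: the client is not sending into the tunnel "
                               "(check the split-tunnel list and client routes)")
        elif d_in > 0 and d_out == 0:
            verdicts[ident] = ("one-way: packets decrypted but no reply encrypted "
                               "(check inside routing to the pool, nat 0 exemption, host firewall)")
        elif d_in == 0 and d_out > 0:
            verdicts[ident] = "reverse one-way: the ASA sends but receives nothing"
        else:
            verdicts[ident] = "bidirectional: the tunnel forwards in both directions"
    return verdicts


if __name__ == "__main__":
    for ident, verdict in diagnose(parse_sa(SAMPLE_BEFORE), parse_sa(SAMPLE_AFTER)).items():
        print(ident, "->", verdict)
```

On the constructed snapshots the single SA for 192.168.5.50 comes out as "one-way", which is exactly the state the thread ends up in before the ISA's network definition is corrected. Encaps that stay at zero rule out the IPsec layer itself and point at the return path, which is why the remaining questions are about routing on 192.168.1.2 and the inside hosts rather than about the crypto settings.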
 

Author Comment

by:MrWhy
I have no access to 192.168.1.20, but I introduced a machine with 192.168.1.21. I could actually ping that one. Now all that's left is getting access to the 115.0-network.
0
 
LVL 14

Assisted Solution

by:anoopkmr
anoopkmr earned 500 total points
So 192.168.1.21 is reachable via the tunnel.

OK, for 192.168.115.0:
1) You need to check the routing on 192.168.1.2 (ISA).
2) You need to check whether the ISA firewall rule is allowing the necessary traffic or not.
0
 

Author Comment

by:MrWhy
YESS, got it now. You put me on the right track. The solution was to add the VPN IP range to the network definition for that perimeter network on the ISA.

Thank you for the outstanding help.
0
 

Author Closing Comment

by:MrWhy
Quick answers and good communication.
0
