Cisco ASA VPN Probs

I'm having a problem getting my little 5505 to pass VPN traffic into my internal network.  Currently I'm authenticating successfully with the ASA using a Win7 Cisco client (5.0.0.7.x) and the firewall rule shows permit for VPN-Clients in ADSM.  My network is as follows:

- 69.x (Primary Internet)
- 65.x (Backup Internet T1)

- ASA - Both Internet Interfaces above and Internal 10.x network, which tosses to Our 3750 core switch (total of three active interfaces)

- Core 3750 switch routes all traffic out the ASA through a single connection 10.10.254.25x/30

So I'm connecting in through the primary internet connection using the 5.0.0.7.x client on Win7 x64 (I've even tried on an XP client before).  The firewall rule is permitting me through the ASA, I'm getting an IP in the VPN Pool.  I can't ping my router 10.10.20.1 (which should be the 3750 switch), but I figured ICMP may be disabled by default.  I only have one nat rule in place and simple static routes on everything.  I still can't reach anything, ssh, RDP, etc.

Where do I go from here?  How do I get myself on the internal network for RDP purposes?

Thanks,
blunted1
blunted1Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

shubhanshu_jaiswalCommented:
can you post the config of Cisco ASA...
is VPN pool ip subnet routed in internal network...
blunted1Author Commented:
The config is as follows on the 5505...  I'll follow up shortly with a quick diagram of the network.  I'm very close, but close isn't good enough :-)


ASA Version 8.2(1)
!
hostname gatekeeper
domain-name XXXXXX.com
names
name 10.10.20.0 VPN-Clients
!
interface Vlan2
 backup interface Vlan3
 nameif outside-XXX
 security-level 0
 ip address 69.XXX.XXX.XXX 255.255.255.248
!
interface Vlan3
 nameif outside-XXX
 security-level 1
 ip address 65.XXX.XXX.XXX 255.255.255.248
!
interface Vlan254
 nameif inside
 security-level 100
 ip address 10.10.254.254 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 254
 speed 100
 duplex full
!
interface Ethernet0/2
 switchport access vlan 3
 speed 100
 duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside-XXX
dns domain-lookup outside-XXX
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.10.10.5
 domain-name XXXXXXX.com
access-list 10 standard permit 10.0.0.0 255.0.0.0
access-list 10 standard deny any
access-list inbound extended permit ip any any
access-list outside-XXX_access_in extended permit ip VPN-Clients 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside-XXX 1500
mtu outside-XXX 1500
mtu inside 1500
ip local pool XXX-VPN 10.10.20.2-10.10.20.20 mask 255.255.255.0
ip local pool 10.10.1.0/24 10.10.1.20-10.10.1.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside-XXX) 20 interface
global (outside-XXX) 10 interface
nat (inside) 20 0.0.0.0 0.0.0.0
access-group outside-XXX_access_in in interface outside-XXX
!
router eigrp 1
 no auto-summary
 network 10.0.0.0 255.0.0.0
 network 65.XXX.XXX.XXX 255.255.255.252
!
route outside-XXX 0.0.0.0 0.0.0.0 69.XXX.XXX.XXX 1
route outside-XXX 0.0.0.0 0.0.0.0 65.XXX.XXX.XXX 20
route inside 10.0.0.0 255.0.0.0 10.10.254.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
 network-acl outside-XXX_access_in
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 10.10.10.20 community XXXXX
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside-XXX_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-XXX_map interface outside-XXX
crypto map outside-XXX_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-XXX_map interface outside-XXX
crypto isakmp enable outside-XXX
crypto isakmp enable outside-XXX
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable outside-XXX
group-policy XXX-Remote internal
group-policy XXX-Remote attributes
 wins-server value 10.10.10.5
 dns-server value 10.10.10.5
 vpn-tunnel-protocol IPSec svc webvpn
 default-domain value XXXXXX.com
 address-pools value XXX-VPN

tunnel-group XXX-Remote type remote-access
tunnel-group XXX-Remote general-attributes
 address-pool XXX-VPN
 default-group-policy XXX-Remote
tunnel-group XXX-Remote ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:df1c32460f4235ca8a8c165641c01aa4
: end
blunted1Author Commented:
Here is a quick overview of the network in question.  The VPN clients come in on 10.10.20.x and are unable to reach clients on 10.10.1.x/24 client subnet.

Where am I going wrong here?

Thanks,
blunted1

VPN-ASA-5505.jpg
HTML5 and CSS3 Fundamentals

Build a website from the ground up by first learning the fundamentals of HTML5 and CSS3, the two popular programming languages used to present content online. HTML deals with fonts, colors, graphics, and hyperlinks, while CSS describes how HTML elements are to be displayed.

Boilermaker85Commented:
You need a NoNAT rule for the VPN subnet traffic.
access-llist nonat permit ip 10.0.0.0 255.0.0.0 10.10.20.2 255.255.255.254
access-llist nonat permit ip 10.0.0.0 255.0.0.0 10.10.20.4 255.255.255.252
access-llist nonat permit ip 10.0.0.0 255.0.0.0 10.10.20.8 255.255.255.248
access-llist nonat permit ip 10.0.0.0 255.0.0.0 10.10.20.16 255.255.255.252
access-llist nonat permit ip 10.0.0.0 255.0.0.0 10.10.20.20 255.255.255.255
nat (inside) 0 access-list NoNAT

  <ip local pool XXX-VPN 10.10.20.2-10.10.20.20 mask 255.255.255.0>
and you have the 10.10.20.x network split up. Your pool is using 10.10.20.0/24 yet you say the inside 3750 router is also 10.10.20.1 and you have the 10.10.254.252/30 network in between. So if you want to ping 10.10.20.1, you need a host route
route inside 10.10.20.1 255.255.255.255 10.10.254.253 1

THis is doing nothing since it is not applied by an access group statement.
access-list inbound extended permit ip any any

And in order to ping to/from the ASA to the router, you'll need this:
icmp permit10.0.0.0 255.0.0.0 inside

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
blunted1Author Commented:
Boilermaker85,

Ok, so let me get this straight...

1.  I need the NoNAT statement for my 10.10.20.x network

2.  I should remove the vlan for 10.10.20.x from my core switch, I can only ping the 10.10.20.1 when I have host plugged into a port that has that vlan anyway

3.  Put a route in place on the ASA route inside 10.10.20.1 255.255.255.255 10.10.254.253 1, so I can ping the host.

4.  Add the ICMP permit line to allow ping traffic.

Did I understand you correctly? The main thing I was missing was the NoNAT statement for traffic to flow properly, right?

Thanks,
blunted1
Boilermaker85Commented:
Whoops, let me retype that no nat rule:
nat (inside) 0 access-list nonat
Boilermaker85Commented:
right. and if you do your number 2, you dont need #3, cause now you'll probably be pinging 10.10.254.253 or one of the other vlan IP's
blunted1Author Commented:
I updated the config this afternoon and have been successfully connected for hours now.  Works like a charm, thanks!

peace,
blunted1
blunted1Author Commented:
Right on point
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.