Solved

Cisco ASA VPN connectivity problem.

Posted on 2011-02-15
1,167 Views
Last Modified: 2012-05-11
Hi,

When my VPN clients are connected, they cannot reach anything on the internal LAN. 10.15.25.0 cannot talk to 10.10.25.0. I've used the VPN wizard, but it is not working. What have I forgotten?

TIA

Lasse

: Saved
:
ASA Version 7.2(4)
!
hostname xxx-asa
domain-name xxx.xx
enable password 2ODpSdIp.eAP3ZQS encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.25.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.237.234 255.255.255.248
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name sis-as.dk
access-list outside_1_cryptomap extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.15.25.0 255.255.255.128
access-list Ciscovpn_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 10.15.25.1-10.15.25.100 mask 255.255.255.128
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xx.xx.237.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.10.25.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer xx.xx.45.39
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy Ciscovpn internal
group-policy Ciscovpn attributes
 wins-server value 10.10.25.50
 dns-server value 10.10.25.50 8.8.8.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Ciscovpn_splitTunnelAcl
 default-domain value mhstaal
username xxxx password ANCZiCN68aFz2EKz encrypted privilege 0
username xxxx attributes
 vpn-group-policy Ciscovpn
username xxxxx password wtBuTBS2.ecgULKw encrypted
tunnel-group xx.xx.45.39 type ipsec-l2l
tunnel-group xx.xx.45.39 ipsec-attributes
 pre-shared-key *
tunnel-group Ciscovpn type ipsec-ra
tunnel-group Ciscovpn general-attributes
 address-pool vpnpool
 default-group-policy Ciscovpn
tunnel-group Ciscovpn ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:2703b66c4c546e34de49bad3c3d8846e
: end

Question by: melfarit
8 Comments

Expert Comment by: Istvan Kalmar (LVL 34)
Hi,

You need to create another ACL pool:

no access-list inside_nat0_outbound extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.25.0 255.255.255.0 10.15.25.0 255.255.255.0
no access-list Ciscovpn_splitTunnelAcl standard permit any
access-list Ciscovpn_splitTunnelAcl standard permit 10.10.25.0 255.255.255.0
clear xlate

Author Comment by: melfarit
Hi Ikalmar.

On the same ASA 5505 I have a gateway-to-gateway VPN tunnel (172.16.100.0); it has nothing to do with my client VPN (10.15.25.0).

If I use your suggestion, do I destroy that?

Best regards

Lasse

Accepted Solution by: FWeston (LVL 3, earned 500 total points)
The problem I see is that you are telling the VPN clients to use split tunneling, but you aren't supplying the list of networks to tunnel in your ACL.

Try this:

no access-list Ciscovpn_splitTunnelAcl standard permit any
access-list Ciscovpn_splitTunnelAcl standard permit 10.10.25.0 255.255.255.0

If the software VPN clients also need to be able to access the remote network, also add this line:
access-list Ciscovpn_splitTunnelAcl standard permit 172.16.100.0 255.255.255.0
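An added check, not code from this thread, that reads an ASA 7.x running-config excerpt and flags the two conditions discussed here: a tunnelspecified split-tunnel policy whose network list is "permit any" (what the accepted answer corrected) and a nat 0 ACL that does not exempt traffic towards the client address pool (which the question's inside_nat0_outbound already does). The sample excerpt is constructed from the question's config; `parse`, `covers` and `lint` are names of this example only.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the ASA 7.2 config from the question (only the lines the checks read).
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 10.15.25.0 255.255.255.128
access-list Ciscovpn_splitTunnelAcl standard permit any
ip local pool vpnpool 10.15.25.1-10.15.25.100 mask 255.255.255.128
nat (inside) 0 access-list inside_nat0_outbound
group-policy Ciscovpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Ciscovpn_splitTunnelAcl
"""

def parse(text):
    """Collect permit ACL entries, address pools, the nat 0 ACL name and group-policy attributes."""
    acls, gp, pools, nat0, cur = defaultdict(list), defaultdict(dict), [], None, None
    for line in text.splitlines():
        if m := re.match(r"access-list (\S+) (?:standard|extended) permit (.*)", line):
            acls[m[1]].append(m[2].split())
        elif m := re.match(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", line):
            pools.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0 = m[1]
        elif m := re.match(r"group-policy (\S+) attributes", line):
            cur = m[1]
        elif cur and line.startswith(" "):
            gp[cur][line.split()[0]] = line.split()[-1]  # keeps the last token of each attribute
        else:
            cur = None
    return acls, gp, pools, nat0

def covers(addr, mask, net):
    # True when the ACL destination addr/mask contains the whole network net
    return addr == "any" or net.subnet_of(ipaddress.ip_network(f"{addr}/{mask}", strict=False))

def lint(text, policy):
    """Return findings for the remote-access mistakes discussed in this thread."""
    acls, gp, pools, nat0 = parse(text)
    out, attrs = [], gp.get(policy, {})
    # tunnelspecified needs a list of real networks; 'permit any' is what the accepted answer replaced
    if attrs.get("split-tunnel-policy") == "tunnelspecified":
        entries = acls.get(attrs.get("split-tunnel-network-list"), [])
        if not entries or any(e[0] == "any" for e in entries):
            out.append(f"{policy}: split-tunnel ACL must list the internal networks, not 'permit any'")
    # the nat 0 ACL must exempt traffic towards the client pool, as inside_nat0_outbound does here
    for pool in pools:
        if not any(e[0] == "ip" and covers(e[-2], e[-1], pool) for e in acls.get(nat0, [])):
            out.append(f"nat 0 ACL does not exempt traffic to VPN pool {pool}")
    return out
```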

Expert Comment by: mwblsz (LVL 2)
Can you do a packet tracer like this:

packet-tracer input inside icmp 10.10.25.x 8 0 10.15.25.x

and paste the results?

Also, use ASDM to check the VPN sessions to see if there is some additional error message.

Sincerely
Author Comment by: melfarit
Hi FWeston!

Thank you SO MUCH. It worked! I now have access to the 10.10.25.0 network. However, the line:
 access-list Ciscovpn_splitTunnelAcl standard permit 172.16.100.0  255.255.255.0
did not give me access to the 172.16.100.0 network?

Best Regards

Lasse

Expert Comment by: FWeston (LVL 3)
Try adding this line to your config:

same-security-traffic permit intra-interface

Expert Comment by: FWeston (LVL 3)
Also, keep in mind that the firewall on the other end has to know that it should send traffic destined for 10.15.25.0/24 over the tunnel.

You'll need to add that subnet to the applicable cryptomap, and ensure that it's also in the nat 0 acl on the other side to tell that firewall not to nat that traffic, and to send it over the tunnel to you.

Author Comment by: melfarit
Hi again,

Thank you so much. It really meant a lot; you saved me a lot of time!

Best regards

Lasse