Solved

Cisco ASA VPN connectivity problem.

Posted on 2011-02-15
8
1,173 Views
Last Modified: 2012-05-11
Hi,

When my VPN clients are connected, they cannot reach anything on the internal LAN. 10.15.25.0 cannot talk to 10.10.25.0. I've used the VPN wizard, but it is not working. What have I forgotten?

TIA

Lasse

: Saved
:
ASA Version 7.2(4)
!
hostname xxx-asa
domain-name xxx.xx
enable password 2ODpSdIp.eAP3ZQS encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.25.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.237.234 255.255.255.248
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name sis-as.dk
access-list outside_1_cryptomap extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.15.25.0 255.255.255.128
access-list Ciscovpn_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 10.15.25.1-10.15.25.100 mask 255.255.255.128
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xx.xx.237.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.10.25.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer xx.xx.45.39
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy Ciscovpn internal
group-policy Ciscovpn attributes
 wins-server value 10.10.25.50
 dns-server value 10.10.25.50 8.8.8.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Ciscovpn_splitTunnelAcl
 default-domain value mhstaal
username xxxx password ANCZiCN68aFz2EKz encrypted privilege 0
username xxxx attributes
 vpn-group-policy Ciscovpn
username xxxxx password wtBuTBS2.ecgULKw encrypted
tunnel-group xx.xx.45.39 type ipsec-l2l
tunnel-group xx.xx.45.39 ipsec-attributes
 pre-shared-key *
tunnel-group Ciscovpn type ipsec-ra
tunnel-group Ciscovpn general-attributes
 address-pool vpnpool
 default-group-policy Ciscovpn
tunnel-group Ciscovpn ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:2703b66c4c546e34de49bad3c3d8846e
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

Question by:melfarit

8 Comments
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34895799
Hi,

You need to create another ACL pool:

no access-list inside_nat0_outbound extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.25.0 255.255.255.0 10.15.25.0 255.255.255.0
no access-list Ciscovpn_splitTunnelAcl standard permit any
access-list Ciscovpn_splitTunnelAcl standard permit 10.10.25.0 255.255.255.0
clear xlate


 
0
 

Author Comment

by:melfarit
ID: 34895816
Hi Ikalmar.

On the same ASA 5505 I have a gateway-to-gateway VPN tunnel (172.16.100.0); it has nothing to do with my client VPN (10.15.25.0).

If I use your suggestion, will I destroy that?

Best regards

Lasse
0
 
LVL 3

Accepted Solution

by:
FWeston earned 500 total points
ID: 34896741
The problem I see is that you are telling the VPN clients to use split tunneling, but you aren't supplying the list of networks to tunnel in your ACL.

Try this:

no access-list Ciscovpn_splitTunnelAcl standard permit any
access-list Ciscovpn_splitTunnelAcl standard permit 10.10.25.0 255.255.255.0

If the software VPN clients also need to be able to access the remote network, also add this line:
access-list Ciscovpn_splitTunnelAcl standard permit 172.16.100.0 255.255.255.0
0
 
LVL 2

Expert Comment

by:mwblsz
ID: 34897771
Can you do a packet-tracer like this:

packet-tracer input inside icmp 10.10.25.x 8 0 10.15.25.x

and paste the results?

Also use ASDM to check the VPN sessions to see if there is some additional error message.

Sincerely
0
 

Author Comment

by:melfarit
ID: 34898938
Hi FWeston!

Thank you SO MUCH. It worked! I now have access to the 10.10.25.0 network. However, the line:
 access-list Ciscovpn_splitTunnelAcl standard permit 172.16.100.0 255.255.255.0
did not give me access to the 172.16.100.0 network?

Best Regards

Lasse
0
 
LVL 3

Expert Comment

by:FWeston
ID: 34899428
Try adding this line to your config:

same-security-traffic permit intra-interface
0
 
LVL 3

Expert Comment

by:FWeston
ID: 34899464
Also, keep in mind that the firewall on the other end has to know that it should send traffic destined for 10.15.25.0/24 over the tunnel.

You'll need to add that subnet to the applicable crypto map, and ensure that it's also in the nat 0 ACL on the other side to tell that firewall not to NAT that traffic, and to send it over the tunnel to you.
0
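The three points raised in this thread (the accepted answer's split-tunnel ACL contents, NAT exemption of the client pool, and FWeston's follow-up about hairpinning plus the site-to-site crypto map) can be checked mechanically against a saved config. The checker below is an added example, not code from the thread or from Cisco; it parses only the handful of ASA 7.2 statements the checks need, and the config excerpt is constructed from the posted config with the accepted split-tunnel fix applied but before the hairpin and crypto map changes. It can only inspect the local ASA: the remote peer's crypto map and nat 0 ACL, which FWeston also mentions, are not visible here.

```python
import ipaddress

# Constructed excerpt modelled on the ASA 7.2(4) config in this thread, with the
# accepted split-tunnel fix applied but before the hairpin command and the crypto
# map change from the follow-up comments. Sample input, not a verbatim copy.
SAMPLE_CONFIG = """\
ip local pool vpnpool 10.15.25.1-10.15.25.100 mask 255.255.255.128
access-list outside_1_cryptomap extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.15.25.0 255.255.255.128
access-list Ciscovpn_splitTunnelAcl standard permit 10.10.25.0 255.255.255.0
access-list Ciscovpn_splitTunnelAcl standard permit 172.16.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
group-policy Ciscovpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Ciscovpn_splitTunnelAcl
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Extract pools, ACL entries and the VPN-related statements the checks need."""
    cfg = {"pools": {}, "acls": {}, "split_policy": None, "split_acl": None,
           "nat0_acl": None, "crypto_acls": [], "hairpin": False}
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:3] == ["ip", "local", "pool"]:
            first, last = words[4].split("-")
            cfg["pools"][words[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif words[0] == "access-list":
            entries = cfg["acls"].setdefault(words[1], [])
            if words[2] == "standard" and words[3] == "permit":
                entries.append((ANY, _take(words[4:])[0]))      # standard ACL: one network
            elif words[2] == "extended" and words[3:5] == ["permit", "ip"]:
                src, rest = _take(words[5:])
                dst, _ = _take(rest)
                entries.append((src, dst))
        elif words[:2] == ["nat", "(inside)"] and words[2:4] == ["0", "access-list"]:
            cfg["nat0_acl"] = words[4]
        elif words[:2] == ["crypto", "map"] and "match" in words:
            cfg["crypto_acls"].append(words[-1])
        elif words[0] == "split-tunnel-policy":
            cfg["split_policy"] = words[1]
        elif words[0] == "split-tunnel-network-list":
            cfg["split_acl"] = words[2]
        elif words == ["same-security-traffic", "permit", "intra-interface"]:
            cfg["hairpin"] = True
    return cfg


def _covers(net, first, last):
    """A contiguous pool range is inside a network if both ends are."""
    return first in net and last in net


def audit_remote_access(cfg, pool_name, internal_nets, remote_net=None):
    """Return a list of findings; an empty list means the thread's checks all pass."""
    findings = []
    first, last = cfg["pools"][pool_name]
    split_dsts = [dst for _, dst in cfg["acls"].get(cfg["split_acl"], [])]

    # 1. Accepted answer: with 'tunnelspecified' the split ACL must name the
    #    internal networks; a bare 'permit any' is what left the poster stuck.
    if cfg["split_policy"] == "tunnelspecified":
        if ANY in split_dsts:
            findings.append("split-tunnel ACL permits any; list the internal networks instead")
        for net in internal_nets:
            n = ipaddress.ip_network(net)
            if not any(n.subnet_of(d) for d in split_dsts if d != ANY):
                findings.append(f"split-tunnel ACL does not include {n}")

    # 2. The client pool must be NAT-exempt on the inside (nat 0 ACL destination).
    nat0 = cfg["acls"].get(cfg["nat0_acl"], [])
    if not any(_covers(dst, first, last) for _, dst in nat0):
        findings.append(f"pool {pool_name} is not covered by nat 0 ACL {cfg['nat0_acl']}")

    # 3. Follow-up comments: if clients are meant to reach the site-to-site network,
    #    traffic enters and leaves the outside interface (needs intra-interface
    #    hairpinning) and the L2L crypto ACL must carry the pool as a source.
    if remote_net:
        r = ipaddress.ip_network(remote_net)
        if any(r.subnet_of(d) for d in split_dsts if d != ANY):
            if not cfg["hairpin"]:
                findings.append("missing: same-security-traffic permit intra-interface")
            crypto = [e for name in cfg["crypto_acls"] for e in cfg["acls"].get(name, [])]
            if not any(_covers(src, first, last) and r.subnet_of(dst) for src, dst in crypto):
                findings.append(f"no crypto map ACL entry from pool {pool_name} to {r} "
                                "(remote side needs the mirror)")
    return findings


if __name__ == "__main__":
    for finding in audit_remote_access(parse_config(SAMPLE_CONFIG), "vpnpool",
                                       ["10.10.25.0/24"], remote_net="172.16.100.0/24"):
        print(finding)
```

Run against the excerpt as posted, the checker reports only the two follow-up items (hairpin command and the missing pool-to-172.16.100.0 crypto ACL entry); reverting the split ACL to `permit any` reproduces the original symptom as a finding, and adding the two follow-up lines clears the list.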
 

Author Comment

by:melfarit
ID: 34904167
Hi again,

Thank you so much, it really meant a lot; you saved me a lot of time!

Best regards

Lasse
0
