Cisco ASA VPN connectivity problem

Hi,

When my vpn clients are connected, they cannot reach anything on the internal lan. 10.15.25.0 cannot talk to 10.10.25.0. I've used the vpn wizard, but it is not working. What have I forgotten?

TIA

Lasse

: Saved
:
ASA Version 7.2(4)
!
hostname xxx-asa
domain-name xxx.xx
enable password 2ODpSdIp.eAP3ZQS encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.25.3 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.237.234 255.255.255.248
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name sis-as.dk
access-list outside_1_cryptomap extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.15.25.0 255.255.255.128
access-list Ciscovpn_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 10.15.25.1-10.15.25.100 mask 255.255.255.128
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xx.xx.237.233 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.10.25.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer xx.xx.45.39
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy Ciscovpn internal
group-policy Ciscovpn attributes
 wins-server value 10.10.25.50
 dns-server value 10.10.25.50 8.8.8.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Ciscovpn_splitTunnelAcl
 default-domain value mhstaal
username xxxx password ANCZiCN68aFz2EKz encrypted privilege 0
username xxxx attributes
 vpn-group-policy Ciscovpn
username xxxxx password wtBuTBS2.ecgULKw encrypted
tunnel-group xx.xx.45.39 type ipsec-l2l
tunnel-group xx.xx.45.39 ipsec-attributes
 pre-shared-key *
tunnel-group Ciscovpn type ipsec-ra
tunnel-group Ciscovpn general-attributes
 address-pool vpnpool
 default-group-policy Ciscovpn
tunnel-group Ciscovpn ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:2703b66c4c546e34de49bad3c3d8846e
: end
asdm image disk0:/asdm-524.bin
no asdm history enable

melfarit Asked:

FWeston Commented:
The problem I see is that you are telling the VPN clients to use split tunneling, but you aren't supplying the list of networks to tunnel in your ACL.

Try this:

no access-list Ciscovpn_splitTunnelAcl standard permit any
access-list Ciscovpn_splitTunnelAcl standard permit 10.10.25.0 255.255.255.0

If the software VPN clients also need to be able to access the remote network, also add this line:
access-list Ciscovpn_splitTunnelAcl standard permit 172.16.100.0 255.255.255.0
0
 
Istvan Kalmar (Head of IT Security Division) Commented:
Hi,

You need to create another acl pool:

no access-list inside_nat0_outbound extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.25.0 255.255.255.0 10.15.25.0 255.255.255.0
no access-list Ciscovpn_splitTunnelAcl standard permit any
access-list Ciscovpn_splitTunnelAcl standard permit 10.10.25.0 255.255.255.0
clear xlate

0
 
melfarit (Author) Commented:
Hi Ikalmar.

On the same ASA 5505 I have a gateway-to-gateway VPN tunnel (172.16.100.0); it has nothing to do with my client VPN (10.15.25.0).

If I use your suggestion, do I destroy that?

Best regards

Lasse
0
 
mwblsz Commented:
can you do a packet tracer like this:

packet-tracer input inside icmp 10.10.25.x 8 0 10.15.25.x

and paste the results

also use ASDM to check the VPN sessions to see if there is some additional error message.

sincerely
0
 
melfarit (Author) Commented:
Hi FWeston!

Thank you SO MUCH. It worked! I now have access to the 10.10.25.0 network. However, the line:
 access-list Ciscovpn_splitTunnelAcl standard permit 172.16.100.0 255.255.255.0
did not give me access to the 172.16.100.0 network?

Best Regards

Lasse
0
 
FWeston Commented:
Try adding this line to your config:

same-security-traffic permit intra-interface
0
 
FWeston Commented:
Also, keep in mind that the firewall on the other end has to know that it should send traffic destined for 10.15.25.0/24 over the tunnel.

You'll need to add that subnet to the applicable cryptomap, and ensure that it's also in the nat 0 acl on the other side to tell that firewall not to nat that traffic, and to send it over the tunnel to you.
0
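The checks FWeston walks through in this thread (the split-tunnel network list must name real networks instead of `permit any`, the VPN pool must be NAT-exempted, hairpinned client-to-site traffic needs `same-security-traffic permit intra-interface`, and the pool must appear in the L2L crypto ACL so it is encrypted towards the remote peer) can be audited mechanically from a saved ASA configuration. The script below is an added example, not code from this thread or from Cisco; it embeds a constructed config excerpt that reproduces the relevant lines from the question, and then the same excerpt with FWeston's corrections applied. The `remote_net` argument is an assumption supplied by the caller, since the ASA config does not label which crypto ACL belongs to which peer.

```python
"""Audit an ASA remote-access VPN config for the issues discussed in the thread.

Constructed example: the config excerpts below are reduced copies of the
question's configuration, not a real device dump.
"""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Excerpt of the original (broken) configuration from the question.
ORIGINAL_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.10.25.3 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.25.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.15.25.0 255.255.255.128
access-list Ciscovpn_splitTunnelAcl standard permit any
ip local pool vpnpool 10.15.25.1-10.15.25.100 mask 255.255.255.128
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 1 match address outside_1_cryptomap
group-policy Ciscovpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Ciscovpn_splitTunnelAcl
"""

# The same excerpt after applying FWeston's suggested changes.
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "access-list Ciscovpn_splitTunnelAcl standard permit any\n",
    "access-list Ciscovpn_splitTunnelAcl standard permit 10.10.25.0 255.255.255.0\n"
    "access-list Ciscovpn_splitTunnelAcl standard permit 172.16.100.0 255.255.255.0\n"
    "same-security-traffic permit intra-interface\n",
)


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit' entries.

    Standard ACL entries carry dst_net = None; 'any' becomes 0.0.0.0/0.
    Deny entries and port qualifiers are ignored (enough for this audit).
    """
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (extended|standard) permit (.*)", line.strip())
        if not m:
            continue
        name, kind, rest = m.groups()
        toks = rest.split()
        if kind == "extended":
            toks = toks[1:]  # drop the protocol keyword (ip, tcp, ...)
        nets, i = [], 0
        while i < len(toks) and len(nets) < 2:
            if toks[i] == "any":
                nets.append(ANY); i += 1
            elif toks[i] == "host":
                nets.append(_net(toks[i + 1], "255.255.255.255")); i += 2
            else:
                nets.append(_net(toks[i], toks[i + 1])); i += 2
        acls.setdefault(name, []).append((nets[0], nets[1] if len(nets) > 1 else None))
    return acls


def parse_interface_network(config, nameif):
    """Return the subnet configured on the interface whose nameif matches."""
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = {}
        elif current is not None and line.startswith(" nameif "):
            current["nameif"] = line.split()[1]
        elif current is not None and line.startswith(" ip address "):
            _, _, addr, mask = line.split()
            current["net"] = _net(addr, mask)
        if current and current.get("nameif") == nameif and "net" in current:
            return current["net"]
    return None


def parse_pool(config):
    """Derive the VPN pool subnet from the first 'ip local pool' line."""
    m = re.search(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", config)
    return _net(m.group(1), m.group(2))


def covers(entries, src, dst):
    """True if some ACL entry matches all traffic from src to dst."""
    return any(src.subnet_of(s) and (dst is None or (d is not None and dst.subnet_of(d)))
               for s, d in entries)


def audit(config, remote_net):
    """Run the thread's checks; remote_net is the L2L peer's LAN (caller-supplied assumption)."""
    remote = ipaddress.ip_network(remote_net)
    acls = parse_acls(config)
    inside = parse_interface_network(config, "inside")
    pool = parse_pool(config)
    split = acls.get(re.search(r"split-tunnel-network-list value (\S+)", config).group(1), [])
    nat0 = acls.get(re.search(r"nat \(inside\) 0 access-list (\S+)", config).group(1), [])
    crypto = acls.get(re.search(r"crypto map \S+ \d+ match address (\S+)", config).group(1), [])
    return {
        "split_tunnel_uses_any": any(s == ANY for s, _ in split),
        "split_tunnel_names_inside": any(s != ANY and inside.subnet_of(s) for s, _ in split),
        "nat0_exempts_inside_to_pool": covers(nat0, inside, pool),
        "crypto_acl_covers_pool_to_remote": covers(crypto, pool, remote),
        "intra_interface_permitted": "same-security-traffic permit intra-interface" in config,
    }


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg, "172.16.100.0/24"))
```

On the original excerpt the audit flags the `permit any` split-tunnel list and the missing intra-interface permit; on the fixed excerpt both clear, while `crypto_acl_covers_pool_to_remote` stays false because the local crypto ACL still only lists 10.10.25.0/24 towards 172.16.100.0/24, which is the local counterpart of the change FWeston says the far-end firewall also needs.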
 
melfarit (Author) Commented:
Hi again,

Thank you so much, it really meant a lot, you saved me a lot of time!

Best regards

Lasse
0