mmercaldi asked:

Cisco ASA SSL VPN not able to reach my network

I currently have a Cisco router and a Cisco ASA. The Cisco ASA is used for SSL VPN only, nothing more. I have only 1 static IP to work with, and so far I have configured the ASA so I can log in from the outside using the SSL VPN; however, after I log in I cannot access anything on the remote network I am trying to connect to. Attached is my config, please let me know if I am missing something.

Thanks
ciscoasa# sh run
: Saved
:
ASA Version 8.2(3)
!
hostname ciscoasa

names
!
interface Ethernet0/0
 switchport access vlan 50
!
interface Ethernet0/1
 switchport access vlan 50
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan50
 nameif inside
 security-level 100
 ip address 50.0.0.100 255.255.255.0
!
ftp mode passive
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 70.0.0.0 255.255.255.0
access-list split-tunnel standard permit 50.0.0.0 255.255.255.0
pager lines 24
mtu inside 1500
ip local pool WebVPNPool 70.0.0.50-70.0.0.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route inside 0.0.0.0 0.0.0.0 50.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable inside
 svc image disk0:/anyconnect-dart-win-2.5.2017-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy WebVPNPolicy internal
group-policy WebVPNPolicy attributes
 dns-server value 50.0.0.1 4.2.2.2
 vpn-tunnel-protocol svc
 group-lock value WebVPNAccessProfile
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

 address-pools value WebVPNPool
 webvpn
  svc ask none default svc
  hidden-shares none
  file-entry disable
  file-browsing disable
  url-entry disable

username aaaaa attributes
 service-type remote-access
tunnel-group WebVPNAccessProfile type remote-access
tunnel-group WebVPNAccessProfile general-attributes
 default-group-policy WebVPNPolicy
tunnel-group WebVPNAccessProfile webvpn-attributes
 group-alias WebVPN enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:73bed0bc5d7f5219a105ea5d7034be00
: end
ciscoasa#

Ernie Beek:

Well, it looks like you defined the outside as being the inside (public address).

AND

I don't see an inside network........... (the real inside private network).

mmercaldi (asker):

What is the best way to do this? Again, do not forget this is VPN only; there is not really any NATting going on on this ASA.
Ernie Beek:

Well, you still need an outside and an inside interface. How else do you want to connect to your internal network?

Here is an example of an ASA with webvpn (also have a look at how the interfaces are set up):

ASA Version 7.2(1)
hostname ciscoasa
domain-name cisco.com
enable password 9jNfZuG3TC5tCVH0 encrypted
names
dns-guard
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.22.1.160 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
interface Ethernet0/2
 nameif DMZ1
 security-level 50
 no ip address
interface Management0/0
 description For Mgt only
 shutdown
 nameif Mgt
 security-level 0
 ip address 10.10.10.1 255.255.255.0
 management-only
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name cisco.com
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ1 1500
mtu Mgt 1500
icmp permit any outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.2.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 172.22.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
!

!--- group policy configurations
!

group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter
   http-proxy auto-download citrix
username cisco password 53QNetqK.Kqqfshe encrypted
!

!--- asdm configurations
!

http server enable
http 10.2.2.0 255.255.255.0 inside
!
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!

!--- tunnel group configurations
!

tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy GroupPolicy1
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 10.2.2.2 master timeout 2 retry 2
!
telnet timeout 5
ssh 172.22.1.0 255.255.255.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
!

!--- webvpn configurations
!

webvpn
 enable outside
 url-list ServerList "WSHAWLAP" cifs://10.2.2.2 1
 url-list ServerList "FOCUS_SRV_1" https://10.2.2.3 2
 url-list ServerList "FOCUS_SRV_2" http://10.2.2.4 3
!
prompt hostname context
 !
 end


For the complete story, go to: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
Ernie Beek:

Wait a sec.

I've been thinking (I sometimes do ;).

You have one public ip? So your router holds that ip and the ASA is behind it (and behind nat)?
mmercaldi (asker):

When I do that I get this message:
ciscoasa(config)# int e0/3
ciscoasa(config-if)# nameif outside
ERROR: This command can only be configured on VLAN interfaces
erniebeek: yes, I only have 1 static IP; the client is too cheap to buy a second for whatever reason.
Ernie Beek:

My mistake, the 5505 works with VLANs, something like this:


ASA Version 7.2(2)
!
hostname yourASA
domain-name yourdomain.com
enable password yourpassword
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 111.111.111.111 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd yourpassword
ftp mode passive
dns server-group DefaultDNS
 domain-name yourdomain.com
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 111.111.111.4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
mmercaldi (asker):

Right, but my router is controlling all VLANs, so I could get a VLAN mismatch, and if I have 2 VLAN 50s wouldn't that cause a bunch of errors?
PeteLong: I attempted to do this, however again I do not have an outside interface.
Ernie Beek:

So, how is your router set up?

Perhaps it's an idea to change the router so it bridges, that way the ASA gets the public ip and you would be able to set up everything from there.

ASKER CERTIFIED SOLUTION by alex_firewall_guy (solution text is available to members only and is not shown here)

Thanks, I will be able to try this tonight.
Here is what I have now, and I am still getting the same issue:

hostname ciscoasa                                                                              
enable password 8Ry2YjIyt7RRXU24 encrypted                                                      
passwd 2KFQnbNIdI.2KYOU encrypted                                                              
names                                                                                          
!                                                                                              
interface Ethernet0/0                                                                          
 switchport access vlan 50                                                                      
!                                                                                              
interface Ethernet0/1                                                                          
 shutdown                                                                                      
!                                                                                              
interface Ethernet0/2                                                                          
 shutdown                                                                                      
!                                                                                              
interface Ethernet0/3                                                                          
 shutdown                                                                                      
!                                                                                              
interface Ethernet0/4                                                                          
 shutdown                                                                                      
!                                                                                              
interface Ethernet0/5                                                                          
 shutdown                                                                                      
!                                                                                              
interface Ethernet0/6                                                                          
 shutdown                                                                                      
!                                                                                              
interface Ethernet0/7                                                                          
 shutdown                                                                                      
!                                                                                              
interface Vlan1                                                                                
 no nameif                                                                                      
 no security-level                                                                              
 no ip address                                                                                  
!                                                                                              
interface Vlan50                                                                                
 nameif outside                                                                                
 security-level 0                                                                              
 ip address 50.0.0.200 255.255.255.0                                                            
!                                                                                              
ftp mode passive                                                                                
access-list outsideACL extended permit icmp any any                                            
access-list outsideACL extended permit ip any any                                              
access-list http-list2 extended permit ip any any                                              
access-list Split_Tunnel_List standard permit 50.0.0.0 255.255.255.0                            
pager lines 24                                                                                  
mtu outside 1500                                                                                
ip local pool SSLClientPool 70.0.0.10-70.0.0.20 mask 255.255.255.0                              
icmp unreachable rate-limit 1 burst-size 1                                                      
no asdm history enable                                                                          
arp timeout 14400                                                                              
access-group outsideACL in interface outside                                                    
route outside 0.0.0.0 0.0.0.0 50.0.0.1 1                                                        
timeout xlate 3:00:00                                                                          
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                              
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                  
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute                                    
timeout tcp-proxy-reassembly 0:01:00                                                            
dynamic-access-policy-record DfltAccessPolicy                                                  
no snmp-server location                                                                        
no snmp-server contact                                                                          
snmp-server enable traps snmp authentication linkup linkdown coldstart                          
crypto ipsec security-association lifetime seconds 28800                                        
crypto ipsec security-association lifetime kilobytes 4608000                                    
telnet timeout 5                                                                                
ssh timeout 5                                                                                  
console timeout 0                                                                              
                                                                                               
threat-detection basic-threat                                                                  
threat-detection statistics access-list                                                        
no threat-detection statistics tcp-intercept                                                    
webvpn                                                                                          
 enable outside                                                                                
 svc image disk0:/anyconnect-dart-win-2.5.2017-k9.pkg 1                                        
 svc enable                                                                                    
 tunnel-group-list enable                                                                      
group-policy DfltGrpPolicy attributes                                                          
 dns-server value 50.0.0.1 4.2.2.2                                                              
 vpn-tunnel-protocol svc                                                                        
 split-tunnel-policy tunnelspecified                                                            
 split-tunnel-network-list value Split_Tunnel_List                                              
 address-pools value SSLClientPool                                                              
username mercxi password o0zmZzwk0jklo95r encrypted                                            
username mercxi attributes                                                                      
 service-type remote-access                                                                    
tunnel-group SSLClientProfile type remote-access                                                
tunnel-group SSLClientProfile webvpn-attributes                                                
 group-alias SSLVPNCLIENT enable                                                                
!                                                                                              
class-map inspection_default                                                                    
 match default-inspection-traffic                                                              
!                                                                                              
!                                                                                              
policy-map type inspect dns preset_dns_map                                                      
 parameters                                                                                    
  message-length maximum client auto                                                            
  message-length maximum 512                                                                    
policy-map global_policy                                                                        
 class inspection_default                                                                      
  inspect dns preset_dns_map                                                                    
  inspect ftp                                                                                  
  inspect h323 h225                                                                            
  inspect h323 ras                                                                              
  inspect ip-options                                                                            
  inspect netbios                                                                              
  inspect rsh                                                                                  
  inspect rtsp                                                                                  
  inspect skinny                                                                                
  inspect esmtp                                                                                
  inspect sqlnet                                                                                
  inspect sunrpc                                                                                
  inspect tftp                                                                                  
  inspect sip                                                                                  
  inspect xdmcp                                                                                
  inspect icmp                                                                                  
!                                                                                              
service-policy global_policy global                                                            
prompt hostname context                                                                        
call-home                                                                                      
 profile CiscoTAC-1                                                                            
  no active                                                                                    
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService       
  destination address email callhome@cisco.com                                                  
  destination transport-method http                                                            
  subscribe-to-alert-group diagnostic                                                          
  subscribe-to-alert-group environment                                                          
  subscribe-to-alert-group inventory periodic monthly                                          
  subscribe-to-alert-group configuration periodic monthly                                      
  subscribe-to-alert-group telemetry periodic daily                                            
Cryptochecksum:3ba021f51e11b7e3d2bb3267f071035f                                                
: end            

SOLUTION (available to members only and not shown here)

alex_firewall_guy:

I agree with erniebeek on this one.  These two commands should be added to your config.

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

I also agree that your network will need a route propagated through it directing traffic destined for your vpn pool address range back to your ASA.

If those two tidbits don't help any, maybe you can get us a little more info on the error you get when you attempt to connect to a device after connecting to your vpn.  Debug log info from the ASA might be helpful too.
thanks ernie and alex, I will be able to try this tonight after the client office move
Good luck. If you need any more assistance, let us know.
I'll be logged on again later this evening and through the weekend too so if you need more assistance over the weekend, post up and I'll see what I can do.
I added the 2 lines. I can ping the ASA, which is 50.0.0.200, but I cannot ping anything else on the network. Am I doing something else wrong? Below is my router config:
mercrouter#sh run
Building configuration...

Current configuration : 6444 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname mercrouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login MYVPN local
aaa authorization network myvpnnetwork local
!
!
aaa session-id common
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1180740580
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1180740580
 revocation-check none
 rsakeypair TP-self-signed-1180740580
!
!
crypto pki certificate chain TP-self-signed-1180740580
ip source-route
!
!
!
ip dhcp pool mypool
   network 50.0.0.0 255.255.255.0
   default-router 50.0.0.1
   dns-server 50.0.0.1 4.2.2.2
!
ip dhcp pool tvpool
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 10.10.10.1 4.2.2.2
!
ip dhcp pool vlan80pool
   network 80.0.0.0 255.255.255.0
   default-router 80.0.0.1
   dns-server 80.0.0.1 4.2.2.2
!
!
ip cef
ip name-server 4.2.2.1
!
no ipv6 cef
!
!
multilink bundle-name authenticated
license boot module c880-data level advipservices
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXXXXXX
 key merc84
 dns 50.0.0.1
 domain xxxxxxxxxxx
 pool myvpnpool
 acl myvpnacl
 netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto dynamic-map DYN_MAP 1
 set transform-set myset
!
!
crypto map mymap client authentication list MYVPN
crypto map mymap isakmp authorization list myvpnnetwork
crypto map mymap client configuration address respond
crypto map mymap 65535 ipsec-isakmp dynamic DYN_MAP
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 50
 switchport trunk allowed vlan 1,2,10,50,80,1002-1005
 switchport mode trunk
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 50
!
interface FastEthernet3
 switchport access vlan 80
!
interface FastEthernet4
 ip address xxx
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map mymap
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 51.0.0.1 255.255.255.0
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport access vlan 50
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan50
 ip address 50.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan80
 ip address 80.0.0.1 255.255.255.0
 ip access-group 112 in
 ip nat inside
 ip virtual-reassembly
!
ip local pool myvpnpool 65.0.0.10 65.0.0.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
ip http server
ip http authentication local
no ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 50.0.0.200 1000 interface FastEthernet4 1000
ip nat inside source static tcp 50.0.0.200 443 interface FastEthernet4 443
ip nat inside source route-map ISP1 interface FastEthernet4 overload
!
ip access-list extended aclblock1
 deny   ip 50.0.0.0 0.0.0.255 80.0.0.0 0.0.0.255
 deny   ip 80.0.0.0 0.0.0.255 50.0.0.0 0.0.0.255
 permit ip any any
ip access-list extended myvpnacl
 permit ip 50.0.0.0 0.0.0.255 65.0.0.0 0.0.0.255
!
access-list 101 deny   ip 80.0.0.0 0.0.0.255 65.0.0.0 0.0.0.255
access-list 101 deny   ip 10.10.10.0 0.0.0.255 65.0.0.0 0.0.0.255
access-list 101 deny   ip 50.0.0.0 0.0.0.255 65.0.0.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 50.0.0.0 0.0.0.255 any
access-list 101 permit ip 80.0.0.0 0.0.0.255 any
access-list 110 permit ip 80.0.0.0 0.0.0.255 host 50.0.0.1
access-list 110 deny   ip 80.0.0.0 0.0.0.255 50.0.0.0 0.0.0.255
access-list 110 permit ip any any
access-list 111 deny   ip 50.0.0.0 0.0.0.255 80.0.0.0 0.0.0.255
access-list 111 permit ip any any
access-list 112 deny   ip 80.0.0.0 0.0.0.255 50.0.0.0 0.0.0.255
access-list 112 permit ip any any
!
!
!
!
route-map ISP1 permit 10
 match ip address 101
 match interface FastEthernet4
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 privilege level 15
!
scheduler max-task-time 5000
end

It finally worked.
I had to add the 2 lines:
global (outside) 10 interface
nat (outside) 10 70.0.0.0 255.255.255.0
For anyone's knowledge, below is the working config:
ASA Version 8.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 50
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan50
 nameif outside
 security-level 0
 ip address 50.0.0.200 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outsideACL extended permit icmp any any
access-list outsideACL extended permit ip any any
access-list http-list2 extended permit ip any any
access-list Split_Tunnel_List standard permit 50.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
ip local pool SSLClientPool 70.0.0.10-70.0.0.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (outside) 10 70.0.0.0 255.255.255.0
access-group outsideACL in interface outside
route outside 0.0.0.0 0.0.0.0 50.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.5.2017-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 dns-server value 50.0.0.1 4.2.2.2
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 address-pools value SSLClientPool
username mercxi password o0zmZzwk0jklo95r encrypted
username mercxi attributes
 service-type remote-access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNCLIENT enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ac438d718f03c06d7b590baa7c0fbe52
: end
ciscoasa#
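As an added example (not code from this thread, from Cisco, or from any of the posters), the following Python script checks an ASA 8.2-style running config for the two things that made this one-armed AnyConnect setup work: the same-security intra-interface permit that alex_firewall_guy recommended, and a global/nat pair on the webvpn interface that covers the VPN pool, which is what the asker finally added. The two sample configs are constructed from the asker's interim and working configs reduced to the relevant lines; the function names are the script's own.

```python
"""Lint an ASA 8.2-style running config for one-armed AnyConnect prerequisites.

Added example, not from the thread. Why these two checks matter on a single-
interface ASA:
  * A client's decrypted traffic enters and leaves on the same nameif; the ASA
    drops that unless 'same-security-traffic permit intra-interface' is set.
  * LAN hosts default-route to the router, which knows nothing about the pool,
    so replies never reach the ASA unless the pool is PATed behind the ASA's
    own interface address (global/nat on that interface) or the LAN is given a
    route back to the ASA.
"""
import ipaddress
import re

INTRA = "same-security-traffic permit intra-interface"

# Constructed sample: the asker's interim config reduced to the relevant lines.
BROKEN_CFG = """\
interface Vlan50
 nameif outside
 security-level 0
 ip address 50.0.0.200 255.255.255.0
ip local pool SSLClientPool 70.0.0.10-70.0.0.20 mask 255.255.255.0
route outside 0.0.0.0 0.0.0.0 50.0.0.1 1
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 address-pools value SSLClientPool
"""

# Constructed sample: the same config plus the three lines from the working config.
FIXED_CFG = BROKEN_CFG + """\
same-security-traffic permit intra-interface
global (outside) 10 interface
nat (outside) 10 70.0.0.0 255.255.255.0
"""


def parse_pools(cfg):
    """Return {pool name: IPv4Network} from 'ip local pool NAME A-B mask M' lines."""
    pools = {}
    pat = r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)"
    for name, first, last, mask in re.findall(pat, cfg, re.M):
        net = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
        if ipaddress.IPv4Address(last) not in net:
            raise ValueError(f"pool {name} spans more than one subnet")
        pools[name] = net
    return pools


def webvpn_interfaces(cfg):
    """Interfaces named by 'enable <nameif>' under the top-level webvpn block."""
    m = re.search(r"^webvpn\n((?: .*\n?)+)", cfg, re.M)
    return set(re.findall(r"^ enable (\S+)", m.group(1), re.M)) if m else set()


def nat_rules(cfg):
    """Map (nameif, nat id) -> networks from 8.2-style 'nat (if) id net mask'."""
    rules = {}
    for ifname, nat_id, net, mask in re.findall(
            r"^nat \((\S+)\) (\d+) (\S+) (\S+)", cfg, re.M):
        rules.setdefault((ifname, nat_id), []).append(
            ipaddress.IPv4Network(f"{net}/{mask}", strict=False))
    return rules


def global_pats(cfg):
    """Set of (nameif, nat id) that have a matching 'global (if) id interface'."""
    return set(re.findall(r"^global \((\S+)\) (\d+) interface", cfg, re.M))


def check(cfg):
    """Return a list of findings; an empty list means both prerequisites are met."""
    findings = []
    vpn_ifs = webvpn_interfaces(cfg)
    if not vpn_ifs:
        return ["webvpn is not enabled on any interface"]
    if INTRA not in cfg.splitlines():
        findings.append(f"missing '{INTRA}': decrypted client traffic cannot "
                        "re-enter the network through the same interface")
    rules, pats = nat_rules(cfg), global_pats(cfg)
    for vpn_if in sorted(vpn_ifs):
        for name, pool in parse_pools(cfg).items():
            # Covered only if a nat on the webvpn interface contains the whole
            # pool AND a global with the same id PATs it to the interface address.
            covered = any(pool.subnet_of(net) and key in pats
                          for key, nets in rules.items() if key[0] == vpn_if
                          for net in nets)
            if not covered:
                findings.append(
                    f"pool {name} ({pool}) is not PATed behind interface {vpn_if}; "
                    "add a global/nat pair for it or give the LAN a route back to the ASA")
    return findings


if __name__ == "__main__":
    for label, cfg in (("interim", BROKEN_CFG), ("working", FIXED_CFG)):
        print(f"{label}: {check(cfg) or ['OK']}")
```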

Good job! Glad you got it working. And also great you posted the complete solution here. And last but not least: thx for the points.
Sweet.  Glad we were able to help.