ThePhreakshow
asked on
Cisco ASA VPN Routing Issue
I have a Cisco ASA firewall and I am having some very slight issues with my VPN clients.
I have several internal networks, all connected by point-to-point private T1's... They are the networks located at:
192.168.0.x
192.168.1.x
192.168.3.x
192.168.5.x
192.168.6.x
192.168.7.x
The ASA is located at 192.168.1.1.... The VPN clients are given addresses from a pool at 192.168.4.x
Here is the problem... When a client is connected via VPN they can reach ANY of the internal networks (p.s. all the routers are at 192.168.x.254)... EXCEPT the devices on the 192.168.0.x network.....
Here is the (pertinant) portion of the running config:
: Saved
:
ASA Version 8.2(2)
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
shutdown
nameif vacant
security-level 75
no ip address
!
interface Ethernet0/2
nameif dmz
security-level 25
ip address 10.1.1.177 255.255.255.240
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 203.66.100.178 255.255.255.240
!
ftp mode passive
dns server-group DefaultDNS
access-list outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.192
access-list to-dmz extended permit icmp any any
access-list dmz-in extended permit ip DMZ-Net 255.255.255.0 any
access-list dmz-in extended permit icmp any any
access-list inside extended deny udp any any eq 135
access-list inside extended permit udp any any eq tftp
access-list inside extended deny udp any any eq netbios-ns
access-list inside extended deny udp any any eq netbios-dgm
access-list inside extended deny udp any any eq 139
access-list inside extended deny tcp any any eq 135
access-list inside extended deny tcp any any eq 137
access-list inside extended deny tcp any any eq 138
access-list inside extended deny tcp any any eq netbios-ssn
access-list inside extended deny tcp any any eq 445
access-list inside extended deny tcp any any eq 593
access-list inside extended deny tcp any any eq 4444
access-list inside extended permit ip any any
ip local pool VPN-Pool 192.168.4.25-192.168.4.50 mask 255.255.255.0
global (dmz) 10 interface
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.0.0 255.255.240.0
access-group inside in interface inside
access-group dmz-in in interface dmz
access-group to-dmz in interface outside
route outside 0.0.0.0 0.0.0.0 203.66.100.177 1
route inside 192.168.0.0 255.255.255.0 192.168.1.254 1
route inside 192.168.3.0 255.255.255.0 192.168.1.254 1
route inside 192.168.5.0 255.255.255.0 192.168.1.254 1
route inside 192.168.5.0 255.255.255.0 192.168.1.254 1
route inside 192.168.7.0 255.255.255.0 192.168.1.254 1
group-policy unity internal
group-policy unity attributes
wins-server value 192.168.1.2 192.168.3.2
dns-server value 192.168.1.2 192.168.3.2
vpn-tunnel-protocol IPSec
default-domain value mydomain.com
username unity password txOP8663574s9f6 encrypted privilege 0
username unity attributes
vpn-group-policy unity
tunnel-group unity type remote-access
tunnel-group unity general-attributes
address-pool VPN-Pool
default-group-policy unity
tunnel-group unity ipsec-attributes
pre-shared-key *****
I have several internal networks, all connected by point-to-point private T1's... They are the networks located at:
192.168.0.x
192.168.1.x
192.168.3.x
192.168.5.x
192.168.6.x
192.168.7.x
The ASA is located at 192.168.1.1.... The VPN clients are given addresses from a pool at 192.168.4.x
Here is the problem... When a client is connected via VPN they can reach ANY of the internal networks (p.s. all the routers are at 192.168.x.254)... EXCEPT the devices on the 192.168.0.x network.....
Here is the (pertinant) portion of the running config:
: Saved
:
ASA Version 8.2(2)
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
shutdown
nameif vacant
security-level 75
no ip address
!
interface Ethernet0/2
nameif dmz
security-level 25
ip address 10.1.1.177 255.255.255.240
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 203.66.100.178 255.255.255.240
!
ftp mode passive
dns server-group DefaultDNS
access-list outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.192
access-list to-dmz extended permit icmp any any
access-list dmz-in extended permit ip DMZ-Net 255.255.255.0 any
access-list dmz-in extended permit icmp any any
access-list inside extended deny udp any any eq 135
access-list inside extended permit udp any any eq tftp
access-list inside extended deny udp any any eq netbios-ns
access-list inside extended deny udp any any eq netbios-dgm
access-list inside extended deny udp any any eq 139
access-list inside extended deny tcp any any eq 135
access-list inside extended deny tcp any any eq 137
access-list inside extended deny tcp any any eq 138
access-list inside extended deny tcp any any eq netbios-ssn
access-list inside extended deny tcp any any eq 445
access-list inside extended deny tcp any any eq 593
access-list inside extended deny tcp any any eq 4444
access-list inside extended permit ip any any
ip local pool VPN-Pool 192.168.4.25-192.168.4.50 mask 255.255.255.0
global (dmz) 10 interface
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.0.0 255.255.240.0
access-group inside in interface inside
access-group dmz-in in interface dmz
access-group to-dmz in interface outside
route outside 0.0.0.0 0.0.0.0 203.66.100.177 1
route inside 192.168.0.0 255.255.255.0 192.168.1.254 1
route inside 192.168.3.0 255.255.255.0 192.168.1.254 1
route inside 192.168.5.0 255.255.255.0 192.168.1.254 1
route inside 192.168.5.0 255.255.255.0 192.168.1.254 1
route inside 192.168.7.0 255.255.255.0 192.168.1.254 1
group-policy unity internal
group-policy unity attributes
wins-server value 192.168.1.2 192.168.3.2
dns-server value 192.168.1.2 192.168.3.2
vpn-tunnel-protocol IPSec
default-domain value mydomain.com
username unity password txOP8663574s9f6 encrypted privilege 0
username unity attributes
vpn-group-policy unity
tunnel-group unity type remote-access
tunnel-group unity general-attributes
address-pool VPN-Pool
default-group-policy unity
tunnel-group unity ipsec-attributes
pre-shared-key *****
What about the router on the 192.168.0.x end of the P2P T1?
Does it have a route to 192.168.4.0 pointing the wrong direction?
Does it have a route to 192.168.4.0 pointing the wrong direction?
Can the VPN client tracert into 192.168.0.x? Do you see the router as 192.168.1.254 as a 'hop'? If you do, then I think you can eliminate the ASA as the source of the issue.
As lrmoore mentioned, check the route on the router. I would also mention to look at any ACL on the router as well.
As lrmoore mentioned, check the route on the router. I would also mention to look at any ACL on the router as well.
ASKER
It does NOT see the 192.168.1.254 router as a hop, and times out straight away.
When I try ANY of the other networks (3.x, 5.x, 6.x, 7.x) from a VPN client, the first hop in the route is the 192.168.1.254 router which is also on the same local private segment as the inside interface of the ASA.
The router at 192.168.0.254 is "managed" (poorly) by our new AT&T PTP services, so despite many attempts to get them to give me at least a show run from that router have failed.
When I try ANY of the other networks (3.x, 5.x, 6.x, 7.x) from a VPN client, the first hop in the route is the 192.168.1.254 router which is also on the same local private segment as the inside interface of the ASA.
The router at 192.168.0.254 is "managed" (poorly) by our new AT&T PTP services, so despite many attempts to get them to give me at least a show run from that router have failed.
ASKER
what is strange, however is that the routers at 3.254, 5.254, 6.254 and 7.254 are all the same routers as the problem child at 0.254... They are all "managed" by AT&T and were all installed at the same time.
Again I will reiterate that the only problem I am having is with VPN clients that get something out of the 192.168.4.x pool. Otherwise connectivity from end to end on the PTP connections works fine.
Again I will reiterate that the only problem I am having is with VPN clients that get something out of the 192.168.4.x pool. Otherwise connectivity from end to end on the PTP connections works fine.
From the ASA CLI, can you ping into that subnet?
Can we see the entire sanitized config from the ASA also...
Can we see the entire sanitized config from the ASA also...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
That was EXACTLY the problem... The far away place that I had was using a private IP range that was in conflict with one of the networks behind my VPN.. I changed the network I was on to a far off IP range unrelated to my work network and it worked perfect.
ASKER