Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco ASA 5505 IOS 8.4(2) VPN issues

Posted on 2011-09-02
11
Medium Priority
?
1,913 Views
Last Modified: 2012-05-12
It looks like Cisco changed the way that NAT is configured from the CLI from previous versions and I'm completely confused.  I have AnyConnect and Clientless SSL authenticating, but I'm 99% positive I have split-tunnel and NAT issues.  I even tried to use ASDM to set things up, but we won't discuss how much that hosed up the configuration.

I need the ability, from a remote location, to access the 192.168.0.0/24 network behind the 5505 without affecting any other routing.  Incoming AnyConnect clients get a 192.168.100.0/24 address.

It's a simple SOHO setup:  Cable modem - ASA - inside network with regular PC's and a Vonage device (which is why you'll see Vonage references.)  I've attached the config file, which has had the sensitive info removed.

If you can help, thanks!

Non-Working-Firewall.txt
0
Comment
Question by:gnurph
  • 5
  • 5
11 Comments
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36473803
Looks like your missing a few things:

Something like:
Object Network Vlan1
subnet 192.168.0.0 255.255.255.0         <=== Which you have in place

And add:

Object Network VPN
subnet 192.168.1.0 255.255.255.0

nat (inside,any) 1 source static VPN VPN destination static Vlan1 Vlan1

access-list DefaultWEBVPNGroup_splitTunnelAcl extended permit 192.168.1.0 255.255.255.0

Hope this helps.
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36473850
Oh, and remove the following:

access-list no_nat extended permit ip 192.168.101.0 255.255.255.0 any log disable
0
 

Author Comment

by:gnurph
ID: 36477033
The "access-list DefaultWEBVPNGroup_splitTunnelAcl" command required some modification, the ASA threw an error, so I made it:

access-list DefaultWEBVPNGroup_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any

I'll need to test it to see if that change works; Anyconnect won't let me RDP into another box to try it.
0
Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

 

Author Comment

by:gnurph
ID: 36481982
No go.

A ping to 192.168.0.4 via AnyConnect fails.

The access-list you suggest - it isn't applied anywhere, is it?  just creating the access list doesn't do anything, I believe.
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36486251
What happens on your connection? Can you establish a connection and just can't get to local hosts?
Is it giving you an error? Please post it here if so...
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36486313
And are you configuring via CLI or asdm?
0
 

Author Comment

by:gnurph
ID: 36488290
CLI.  It connects, but unable to contact internal hosts on the 192.168.0.0/24 network.
0
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 36495768
Please repost your current config so we can see what you have thus far and the changes that were made.  Thanks.
0
 

Accepted Solution

by:
gnurph earned 0 total points
ID: 36495838
I have found an alternative solution to the problem.
0
 

Author Closing Comment

by:gnurph
ID: 36521354
Found alternative solution.
0
 

Expert Comment

by:anttiva
ID: 37070848
Can you share your solution with us? I and many others are having similar problems and this could help a lot.
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question