• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 394

I am able to authenticate to the remote access VPN but not able to access the inside LAN

I configured remote access VPN on an ASA firewall and am able to authenticate, but I am not able to access the inside network. I am using one more firewall, a Cisco ASA, to protect the inside network. These two firewalls are in the same network. The ASA is the remote access VPN endpoint, and the PIX is a regular firewall; the LAN is behind the PIX.
ASA Version 8.2(1) 
hostname FHFW02
domain-name abc.net
enable password TuoG03LNtol5cyid encrypted
passwd vhSJ2Gjl22YiIWoj encrypted
name ATT-gateway
name fhfw02-ext
name verizonrtr-new
name marketplace-staging
interface Ethernet0/0
 description Out to AT&T ISP
 nameif outside
 security-level 0
 ip address fhfw02-ext 
interface Ethernet0/1
 description inside FHR 10.17.33.x network
 nameif inside
 security-level 100
 ip address 
interface Ethernet0/2
 description inside FHR 10.17.34.x network for users
 nameif inside1
 security-level 100
 ip address 
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address 
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone PST -8
dns server-group DefaultDNS
 domain-name abc.net
object-group network FHR-inside-33-network
 description FHR network 10.17.33.x
object-group network FHR-inside-34-network
object-group network abc-mex-network
object-group network PAN-network
object-group network CAT-network
 description CAT Servers 
object-group network BXB-network
 description BXB Internal Network
 network-object host
 network-object host
 network-object host
 network-object host
access-list acl-out extended permit icmp any any 
access-list acl-in extended permit icmp any any 
access-list acl-in extended permit ip any any 
access-list acl-in extended permit udp any any eq snmp 
access-list acl-in1 extended permit icmp any any 
access-list acl-voip-out extended permit ip host host 
access-list acl-voip-out extended permit ip host host 
no pager
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside1 1500
mtu management 1500
ip local pool vpnpool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1
nat (inside) 1
nat (inside1) 0 access-list no-nat
nat (inside1) 1
access-group acl-out in interface outside
access-group acl-in in interface inside
access-group acl-in1 in interface inside1
route outside ATT-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http inside
snmp-server host inside community Abc
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
sysopt connection tcpmss 1200
crypto ipsec transform-set set2 esp-des esp-md5-hmac 
crypto ipsec transform-set set1 esp-des esp-sha-hmac 
crypto ipsec transform-set set3 esp-aes esp-md5-hmac 
crypto ipsec transform-set set4 esp-3des esp-md5-hmac 
crypto ipsec transform-set set5 esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set transform-set set4
crypto dynamic-map outside_dyn_map 60 set reverse-route
crypto map FHR2 60 ipsec-isakmp dynamic outside_dyn_map
crypto map FHR2 interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslabcfw.abc.net
 subject-name CN=sslabcfw.abc.net
 keypair m0rd0r
 crl configure
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet inside
telnet inside
telnet inside1
telnet timeout 5
ssh outside
ssh inside
ssh inside1
ssh timeout 30
ssh version 2
console timeout 0
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 enable outside
 svc enable
group-policy testvpn internal
group-policy testvpn attributes
 dns-server value
 vpn-tunnel-protocol IPSec 
 default-domain value abc.net
username avb password QZTdpUt6Lq39fY7h encrypted privilege 0
username avb attributes
 vpn-group-policy remotevpn
 service-type remote-access
username abc password NYpqubgKNxc6U0bb encrypted privilege 15
pre-shared-key *

tunnel-group testvpn type remote-access
tunnel-group testvpn general-attributes
 address-pool vpnpool
 default-group-policy testvpn
tunnel-group testvpn ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
class-map Voice-OUT
 match access-list acl-voip-out
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
policy-map VoicePolicy
 class Voice-OUT
service-policy global_policy global
service-policy VoicePolicy interface outside
prompt hostname context 
: end

2 Solutions
Ernie BeekExpertCommented:
So are the firewalls behind each other, or are they both on the inside connected to the network, each with its own public IP on the outside?
sohoniprachiAuthor Commented:
They are both on the inside connected to the network and have their own public IPs.
Ernie BeekExpertCommented:
OK, first thing: you have a NAT exemption using access-list nonat. I don't see that defined.
Second, do the machines on your LAN have a route to the VPN range through the ASA?
Create an ACL for nonat

access-list nonat extended permit ip any

sohoniprachiAuthor Commented:
I used the following command: sysopt connection permit-ipsec
 pix ip Firewall
ASA VPN gateway

How should I direct traffic from the ASA to the PIX to get access to the inside network, which is the same network?
I have to go through the PIX as tunnel traffic will have IP address
1) You need a nonat ACL on your ASA.

2) The command sysopt connection permit-ipsec is for version 7.0 and earlier; sysopt connection permit-vpn is for 7.1 and later versions. These commands allow packets from an IPsec tunnel and their payloads to bypass interface ACLs on the security appliance. IPsec tunnels that terminate on the security appliance are likely to fail if one of these commands is not enabled.

3) The PIX should permit VPN traffic to your inside LAN.
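The first point raised in the thread (the posted config has nat (inside) 0 access-list no-nat and nat (inside1) 0 access-list no-nat, but no access-list no-nat is ever defined) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco; it reads an ASA-style config, collects every access-list and group-policy name that is defined, and reports names that are referenced but never defined. The embedded config is a constructed excerpt of the one posted above, with the redacted addresses left out.

```python
import re
from collections import defaultdict

# Constructed excerpt of the ASA config posted in the question.
SAMPLE_CONFIG = """\
access-list acl-out extended permit icmp any any
access-list acl-in extended permit ip any any
access-list acl-in1 extended permit icmp any any
nat (inside) 0 access-list no-nat
nat (inside1) 0 access-list no-nat
access-group acl-out in interface outside
access-group acl-in in interface inside
access-group acl-in1 in interface inside1
group-policy testvpn internal
username avb attributes
 vpn-group-policy remotevpn
tunnel-group testvpn general-attributes
 default-group-policy testvpn
"""

# Lines that DEFINE a name, per object kind (group 1 is the name).
DEFINITIONS = {
    "access-list": re.compile(r"^access-list (\S+) "),
    "group-policy": re.compile(r"^group-policy (\S+) (?:internal|external)"),
}
# Lines that REFERENCE a name, per object kind.
REFERENCES = {
    "access-list": [
        re.compile(r"^nat \(\S+\) \d+ access-list (\S+)"),   # NAT exemption / policy NAT
        re.compile(r"^access-group (\S+) in interface"),    # interface ACL binding
        re.compile(r"^\s*match access-list (\S+)"),         # class-map match
    ],
    "group-policy": [
        re.compile(r"^\s*(?:vpn-group-policy|default-group-policy) (\S+)"),
    ],
}

def undefined_references(config):
    """Return {kind: sorted [(name, line_no), ...]} for names used but never defined."""
    defined = defaultdict(set)
    used = defaultdict(list)
    for line_no, line in enumerate(config.splitlines(), 1):
        for kind, pattern in DEFINITIONS.items():
            m = pattern.match(line)
            if m:
                defined[kind].add(m.group(1))
        for kind, patterns in REFERENCES.items():
            for pattern in patterns:
                m = pattern.match(line)
                if m:
                    used[kind].append((m.group(1), line_no))
    # Definition order does not matter: names are resolved after the full pass.
    return {kind: sorted({ref for ref in refs if ref[0] not in defined[kind]})
            for kind, refs in used.items()}

if __name__ == "__main__":
    for kind, refs in undefined_references(SAMPLE_CONFIG).items():
        for name, line_no in refs:
            print(f"line {line_no}: {kind} '{name}' is referenced but never defined")
```

Note that the nat 0 lines use the name no-nat while the ACL suggested in the thread is named nonat, so whichever name is chosen has to match on both lines. The same pass also reports that username avb points at group-policy remotevpn, which the posted config does not define either.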

sohoniprachiAuthor Commented:
Thank you all.
It's working now. I added the NAT rule on the ASA,
so now the VPN IP is NATed to  and I am able to access the inside LAN now.
sohoniprachiAuthor Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for sohoniprachi's comment http:/Q_27298185.html#36506707

for the following reason:

It's working now
Ernie BeekExpertCommented:
Hi sohoniprachi,

As far as I can see you solved this using a solution which several of us posted here. So are you sure you closed this and assigned the points correctly?
Just curious.
I agree with erniebeek
Ernie BeekExpertCommented:
I would propose a split between ID: 36505427 and ID: 36506191
Thanks Erniebeek.

Moderator, I accept with Erniebeek