Solved

I am able to authenticate Remote Access VPN but not able to access inside LAN

Posted on 2011-09-08
382 Views
Last Modified: 2012-05-12
I configured Remote Access VPN on an ASA firewall and am able to authenticate, but I am not able to access the inside network. I am using one more firewall, a Cisco ASA, to protect the inside network. These two firewalls are in the same network. The ASA is the remote access VPN endpoint, and the PIX is a regular firewall; the LAN is behind the PIX.
ASA Version 8.2(1) 
!
hostname FHFW02
domain-name abc.net
enable password TuoG03LNtol5cyid encrypted
passwd vhSJ2Gjl22YiIWoj encrypted
name 12.175.185.19 ATT-gateway
name 12.175.185.91 fhfw02-ext
name 10.17.33.5 verizonrtr-new
name 10.17.33.74 marketplace-staging
dns-guard
!
interface Ethernet0/0
 description Out to AT&T ISP
 nameif outside
 security-level 0
 ip address fhfw02-ext 255.255.255.128 
!
interface Ethernet0/1
 description inside FHR 10.17.33.x network
 nameif inside
 security-level 100
 ip address 10.17.33.17 255.255.255.0 
!
interface Ethernet0/2
 description inside FHR 10.17.34.x network for users
 nameif inside1
 security-level 100
 ip address 10.17.34.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone PST -8
dns server-group DefaultDNS
 domain-name abc.net
object-group network FHR-inside-33-network
 description FHR network 10.17.33.x
 network-object 10.17.33.0 255.255.255.0
object-group network FHR-inside-34-network
 network-object 10.17.34.0 255.255.255.0
object-group network abc-mex-network
 network-object 10.17.35.0 255.255.255.0
object-group network PAN-network
 network-object 10.17.46.0 255.255.255.0
object-group network CAT-network
 description CAT Servers 
 network-object 172.70.0.0 255.255.252.0
 network-object 172.30.0.0 255.255.252.0
 network-object 172.40.0.0 255.255.252.0
object-group network BXB-network
 description BXB Internal Network
 network-object host 100.0.20.1
 network-object host 100.0.20.2
 network-object host 100.0.20.3
 network-object host 100.0.20.4
access-list acl-out extended permit icmp any any 
access-list acl-in extended permit icmp any any 
access-list acl-in extended permit ip any any 
access-list acl-in extended permit udp any any eq snmp 
access-list acl-in1 extended permit icmp any any 
access-list acl-voip-out extended permit ip host 10.17.33.187 host 10.17.35.10 
access-list acl-voip-out extended permit ip host 10.17.33.191 host 10.17.35.10 
no pager
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside1 1500
mtu management 1500
ip local pool vpnpool 10.17.254.10-10.17.254.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 10.17.33.0 255.255.255.0
nat (inside) 1 10.17.254.0 255.255.255.0
nat (inside1) 0 access-list no-nat
nat (inside1) 1 10.17.34.0 255.255.255.0
access-group acl-out in interface outside
access-group acl-in in interface inside
access-group acl-in1 in interface inside1
route outside 0.0.0.0 0.0.0.0 ATT-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http 10.17.33.0 255.255.255.0 inside
snmp-server host inside 10.17.33.250 community Abc
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
sysopt connection tcpmss 1200
crypto ipsec transform-set set2 esp-des esp-md5-hmac 
crypto ipsec transform-set set1 esp-des esp-sha-hmac 
crypto ipsec transform-set set3 esp-aes esp-md5-hmac 
crypto ipsec transform-set set4 esp-3des esp-md5-hmac 
crypto ipsec transform-set set5 esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set transform-set set4
crypto dynamic-map outside_dyn_map 60 set reverse-route
crypto map FHR2 60 ipsec-isakmp dynamic outside_dyn_map
crypto map FHR2 interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslabcfw.abc.net
 subject-name CN=sslabcfw. abc.net
 keypair m0rd0r
 crl configure
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 10.17.33.250 255.255.255.255 inside
telnet 0.0.0.0 0.0.0.0 inside1
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside1
ssh timeout 30
ssh version 2
console timeout 0
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 enable outside
 svc enable
group-policy testvpn internal
group-policy testvpn attributes
 dns-server value 10.17.33.56
 vpn-tunnel-protocol IPSec 
 default-domain value abc.net
username avb password QZTdpUt6Lq39fY7h encrypted privilege 0
username avb attributes
 vpn-group-policy remotevpn
 service-type remote-access
username abc password NYpqubgKNxc6U0bb encrypted privilege 15
pre-shared-key *

tunnel-group testvpn type remote-access
tunnel-group testvpn general-attributes
 address-pool vpnpool
 default-group-policy testvpn
tunnel-group testvpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
class-map Voice-OUT
 match access-list acl-voip-out
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
policy-map VoicePolicy
 class Voice-OUT
  priority
!
service-policy global_policy global
service-policy VoicePolicy interface outside
prompt hostname context 
Cryptochecksum:9e6754e20eff7a5db91dc538406b4c58
: end

0
Question by:sohoniprachi
14 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36505021
So are the firewalls behind each other, or are they both on the inside connected to the network and have their own public IP on the outside?
0
 

Author Comment

by:sohoniprachi
ID: 36505106
They are both on the inside connected to the network and have their own public IP.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 250 total points
ID: 36505427
Ok, first thing: you have a NAT exempt using access-list nonat. I don't see that defined.
Second, do the machines on your LAN have a route to the VPN range through the ASA?
0
 
LVL 2

Expert Comment

by:genie4all
ID: 36505837
Create an ACL for nonat:

access-list nonat extended permit ip any 10.17.254.0 255.255.255.0

0
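The accepted solution and the ACL suggestion above point at two things worth checking mechanically on an ASA 8.2 config: whether the access-list named on the `nat (inside) 0` line is defined at all, and whether that ACL's destination actually covers the VPN pool. This is an added example, not code from the thread: a small Python checker run over a constructed excerpt of the posted config, with an assumed repaired excerpt beside it (note that the ACL name must match the `nat 0` reference exactly, so `no-nat` as in the config, not `nonat` as in the comment).

```python
import re
from ipaddress import ip_network

# Constructed excerpt modelled on the posted ASA 8.2 config: "nat (inside) 0" names an
# access-list (no-nat) that is never defined, so the VPN pool is never exempted from PAT.
BROKEN_CFG = """\
ip local pool vpnpool 10.17.254.10-10.17.254.25 mask 255.255.255.0
nat (inside) 0 access-list no-nat
nat (inside) 1 10.17.33.0 255.255.255.0
"""

# Assumed repaired excerpt: the ACL name must match the nat 0 reference character for
# character, and its destination must cover the whole VPN pool.
FIXED_CFG = BROKEN_CFG + """\
access-list no-nat extended permit ip 10.17.33.0 255.255.255.0 10.17.254.0 255.255.255.0
"""

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)\s*$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)")


def _net(tokens):
    """Consume one ASA address spec from tokens: 'any', 'host A.B.C.D' or 'addr mask'."""
    t = tokens.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    if t == "host":
        return ip_network(tokens.pop(0) + "/32")
    return ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def check_nat_exempt(cfg):
    """Return a list of findings; empty means every nat 0 ACL exists and exempts the pool."""
    acls, nat0, pool = {}, [], None
    for line in cfg.splitlines():
        parts = line.split()
        if parts[:1] == ["access-list"] and parts[2:5] == ["extended", "permit", "ip"]:
            toks = parts[5:]
            acls.setdefault(parts[1], []).append((_net(toks), _net(toks)))  # (src, dst)
        elif m := NAT0_RE.match(line):
            nat0.append((m[1], m[2]))
        elif m := POOL_RE.match(line):
            pool = ip_network(f"{m[1]}/{m[2]}", strict=False)  # pool start + mask -> /24
    findings = []
    for iface, name in nat0:
        if name not in acls:
            findings.append(f"nat ({iface}) 0 references ACL '{name}' that is not defined")
        elif pool and not any(pool.subnet_of(dst) for _, dst in acls[name]):
            findings.append(f"ACL '{name}' does not exempt the VPN pool {pool}")
    return findings
```

Running it over the real `show running-config` output is the same call; only `permit ip` entries are inspected, since those are the ones a NAT-exempt ACL is built from.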
 

Author Comment

by:sohoniprachi
ID: 36505957
I used the following command: sysopt connection permit-ipsec
PIX IP 10.17.33.2 (firewall)
ASA 10.17.33.17 (VPN gateway)

How should I direct traffic from the ASA to the PIX to get access to the inside network, which is the same 10.17.33.0 network?
I have to go through the PIX as tunnel traffic will have IP address 10.17.254.0.
0
 
LVL 2

Assisted Solution

by:genie4all
genie4all earned 250 total points
ID: 36506191
1) You need a nonat ACL on your ASA

2) The command sysopt connection permit-ipsec is for version 7.0 and earlier. sysopt connection permit-vpn is for 7.1 and later versions. These commands allow packets from an IPsec tunnel and their payloads to bypass interface ACLs on the security appliance. IPsec tunnels that are terminated on the security appliance are likely to fail if one of these commands is not enabled.

3) The PIX should permit VPN traffic to your inside LAN

0
 

Author Comment

by:sohoniprachi
ID: 36506707
Thank you all.
It's working now. I added the NAT rule on the ASA,
so now VPN IP 10.17.254.0 is NATed to 10.17.33.0 and I am able to access the inside LAN now.
0
 

Author Comment

by:sohoniprachi
ID: 36508648
I've requested that this question be closed as follows:

Accepted answer: 0 points for sohoniprachi's comment http:/Q_27298185.html#36506707

for the following reason:

It's working now
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36508649
Hi sohoniprachi,

As far as I can see you solved this using a solution which several of us posted here. So are you sure you closed this and assigned the points correctly?
Just curious.
0
 
LVL 2

Expert Comment

by:genie4all
ID: 36509139
I agree with erniebeek
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 36512656
I would propose a split between ID: 36505427 and ID: 36506191
0
 
LVL 2

Expert Comment

by:genie4all
ID: 36512727
Thanks Erniebeek.

Moderator, I accept with Erniebeek
0
