

I am able to authenticate Remote Access VPN but not able to access inside LAN

Posted on 2011-09-08
Medium Priority
Last Modified: 2012-05-12
I configured Remote Access VPN on an ASA firewall and am able to authenticate, but I am not able to access the inside network. I am using one more firewall, a Cisco ASA, to protect the inside network. These two firewalls are in the same network. The ASA is the remote access VPN endpoint, and the PIX is a regular firewall; the LAN is behind the PIX.
ASA Version 8.2(1) 
hostname FHFW02
domain-name abc.net
enable password TuoG03LNtol5cyid encrypted
passwd vhSJ2Gjl22YiIWoj encrypted
name ATT-gateway
name fhfw02-ext
name verizonrtr-new
name marketplace-staging
interface Ethernet0/0
 description Out to AT&T ISP
 nameif outside
 security-level 0
 ip address fhfw02-ext 
interface Ethernet0/1
 description inside FHR 10.17.33.x network
 nameif inside
 security-level 100
 ip address 
interface Ethernet0/2
 description inside FHR 10.17.34.x network for users
 nameif inside1
 security-level 100
 ip address 
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address 
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone PST -8
dns server-group DefaultDNS
 domain-name abc.net
object-group network FHR-inside-33-network
 description FHR network 10.17.33.x
object-group network FHR-inside-34-network
object-group network abc-mex-network
object-group network PAN-network
object-group network CAT-network
 description CAT Servers 
object-group network BXB-network
 description BXB Internal Network
 network-object host
 network-object host
 network-object host
 network-object host
access-list acl-out extended permit icmp any any 
access-list acl-in extended permit icmp any any 
access-list acl-in extended permit ip any any 
access-list acl-in extended permit udp any any eq snmp 
access-list acl-in1 extended permit icmp any any 
access-list acl-voip-out extended permit ip host host 
access-list acl-voip-out extended permit ip host host 
no pager
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside1 1500
mtu management 1500
ip local pool vpnpool mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1
nat (inside) 1
nat (inside1) 0 access-list no-nat
nat (inside1) 1
access-group acl-out in interface outside
access-group acl-in in interface inside
access-group acl-in1 in interface inside1
route outside ATT-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL 
http server enable
http inside
snmp-server host inside community Abc
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
sysopt connection tcpmss 1200
crypto ipsec transform-set set2 esp-des esp-md5-hmac 
crypto ipsec transform-set set1 esp-des esp-sha-hmac 
crypto ipsec transform-set set3 esp-aes esp-md5-hmac 
crypto ipsec transform-set set4 esp-3des esp-md5-hmac 
crypto ipsec transform-set set5 esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set transform-set set4
crypto dynamic-map outside_dyn_map 60 set reverse-route
crypto map FHR2 60 ipsec-isakmp dynamic outside_dyn_map
crypto map FHR2 interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslabcfw.abc.net
 subject-name CN=sslabcfw. abc.net
 keypair m0rd0r
 crl configure
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet inside
telnet inside
telnet inside1
telnet timeout 5
ssh outside
ssh inside
ssh inside1
ssh timeout 30
ssh version 2
console timeout 0
priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
 enable outside
 svc enable
group-policy testvpn internal
group-policy testvpn attributes
 dns-server value
 vpn-tunnel-protocol IPSec 
 default-domain value abc.net
username avb password QZTdpUt6Lq39fY7h encrypted privilege 0
username avb attributes
 vpn-group-policy remotevpn
 service-type remote-access
username abc password NYpqubgKNxc6U0bb encrypted privilege 15
pre-shared-key *

tunnel-group testvpn type remote-access
tunnel-group testvpn general-attributes
 address-pool vpnpool
 default-group-policy testvpn
tunnel-group testvpn ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
class-map Voice-OUT
 match access-list acl-voip-out
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
policy-map VoicePolicy
 class Voice-OUT
service-policy global_policy global
service-policy VoicePolicy interface outside
prompt hostname context 
: end


Question by:sohoniprachi

Expert Comment

by:Ernie Beek
ID: 36505021
So, are the firewalls behind each other, or are they both on the inside connected to the network and have their own public IP on the outside?

Author Comment

ID: 36505106
They are both on the inside connected to the network and have their own public IP.

Accepted Solution

Ernie Beek earned 1000 total points
ID: 36505427
OK, first thing: you have a NAT exempt using access list nonat. I don't see that defined.
Second, do the machines on your LAN have a route to the VPN range through the ASA?


Expert Comment

ID: 36505837
Create an ACL for nonat

access-list nonat extended permit ip any


Author Comment

ID: 36505957
I used the following command: sysopt connection permit-ipsec
 pix ip Firewall
ASA VPN gateway

How should I direct traffic from the ASA to the PIX to get access to the inside network, which is the same network?
I have to go through the PIX as the tunnel traffic will have IP address

Assisted Solution

genie4all earned 1000 total points
ID: 36506191
1) You need a nonat ACL on your ASA.

2) The command sysopt connection permit-ipsec is for version 7.0 and earlier; sysopt connection permit-vpn is for 7.1 and later versions. These commands allow packets from an IPsec tunnel and their payloads to bypass interface ACLs on the security appliance. IPsec tunnels that are terminated on the security appliance are likely to fail if one of these commands is not enabled.

3) The PIX should permit VPN traffic to your inside LAN.
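As an added example (not from the thread or any of its participants), a small Python check over an ASA 8.2-style configuration that implements the two points raised above: it reports any nat (interface) 0 access-list reference whose ACL is never defined, and a missing or pre-7.1 sysopt keyword. The config excerpt is constructed from the names in the posted config; the 192.168.200.0/24 pool is an assumed placeholder.

```python
import re

# Constructed excerpt modelled on the config posted in the question (not the asker's
# own config): nat-exempt points at access-list "no-nat", which is never defined, and
# the pre-7.1 "permit-ipsec" keyword is used instead of "permit-vpn".
SAMPLE_CONFIG = """\
access-list acl-out extended permit icmp any any
access-list acl-in extended permit ip any any
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 10.17.33.0 255.255.255.0
nat (inside1) 0 access-list no-nat
sysopt connection permit-ipsec
"""

# Same excerpt with the two fixes from the thread; 192.168.200.0/24 is an assumed VPN pool.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "sysopt connection permit-ipsec",
    "access-list no-nat extended permit ip 10.17.33.0 255.255.255.0 "
    "192.168.200.0 255.255.255.0\nsysopt connection permit-vpn",
)

ACL_DEF = re.compile(r"^access-list\s+(\S+)\s")                       # any ACE defines the name
NAT_EXEMPT = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)")  # NAT exemption (nat 0)


def check_vpn_nat(config: str) -> list[str]:
    """Return findings for the NAT-exempt and sysopt items discussed in the thread."""
    defined, exempt_refs = set(), []          # ACL names seen; (interface, acl) pairs
    permit_vpn = permit_ipsec = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_DEF.match(line):
            defined.add(m.group(1))
        elif m := NAT_EXEMPT.match(line):
            exempt_refs.append((m.group(1), m.group(2)))
        elif line == "sysopt connection permit-vpn":
            permit_vpn = True
        elif line == "sysopt connection permit-ipsec":
            permit_ipsec = True
    findings = [f"nat ({iface}) 0 references undefined access-list {acl}"
                for iface, acl in exempt_refs if acl not in defined]
    if not exempt_refs:
        findings.append("no NAT exemption (nat <if> 0 access-list <acl>) configured")
    if not permit_vpn:
        findings.append("sysopt connection permit-ipsec is pre-7.1 syntax; use permit-vpn"
                        if permit_ipsec else
                        "sysopt connection permit-vpn missing; VPN traffic hits interface ACLs")
    return findings
```

Running check_vpn_nat on SAMPLE_CONFIG reports both undefined no-nat references and the legacy sysopt keyword; on FIXED_CONFIG it returns no findings.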


Author Comment

ID: 36506707
Thank you all.
It's working now. I added the NAT rule on the ASA,
so now the VPN IP is NATed to and I am able to access the inside LAN now.

Author Comment

ID: 36508648
I've requested that this question be closed as follows:

Accepted answer: 0 points for sohoniprachi's comment http:/Q_27298185.html#36506707

for the following reason:

It's working now

Expert Comment

by:Ernie Beek
ID: 36508649
Hi sohoniprachi,

As far as I can see, you solved this using a solution which several of us posted here. So, are you sure you closed this and assigned the points correctly?
Just curious.

Expert Comment

ID: 36509139
I agree with erniebeek.

Expert Comment

by:Ernie Beek
ID: 36512656
I would propose a split between ID: 36505427 and ID: 36506191

Expert Comment

ID: 36512727
Thanks Erniebeek.

Moderator, I agree with Erniebeek.
