Solved

Cisco VPN gets connected but internal network\machines or LAN is not accessible.

Posted on 2012-03-21
10
733 Views
Last Modified: 2012-05-26
Hi Experts,

My vpn was working fine. We changed ISP and now VPN gets connected from home but cannot access any machines inside the network for all the users.

 I can ping only internal ip (192.168.3.1) of firewall. Basically i am not from network domain. Please guide me in detail to resove this issue.



My firewall config is as below:
***************
blr-ciscoasa# sh config
: Saved
: Written by enable_15 at 08:26:22.911 UTC Fri Jan 10 2003
!
ASA Version 8.0(5)
!
hostname blr-ciscoasa
domain-name mcubeit.com
enable password vBQ/WDouSOJsNuQs encrypted
passwd .PbFocrmUvjjuNio encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 182.72.251.50 255.255.255.240
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name mcubeit.com
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object tcp eq ftp
 service-object tcp eq ftp-data
 service-object tcp eq www
object-group service DM_INLINE_SERVICE_3
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_4
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_5
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_6
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_7
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service rdp tcp
 description Remote desktop protocol
 port-object eq 3389
object-group service DM_INLINE_SERVICE_8
 service-object icmp
 service-object tcp eq www
object-group service DM_INLINE_SERVICE_9
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_10
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_11
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_12
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_15
 service-object tcp eq https
 service-object tcp eq www
 service-object icmp
object-group service DM_INLINE_SERVICE_16
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_17
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_18
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_19
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_20
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_21
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_22
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_15
any host 182.72.251.51
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_16
any host 182.72.251.52
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_17
any host 182.72.251.155
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_18
any host 182.72.251.54
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_19
any host 182.72.251.56
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_20
any host 182.72.251.59
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_21
any host 182.72.251.57
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_22
any host 182.72.251.53
access-list outside_acess_in extended permit object-group DM_INLINE_SERVICE_17 a
ny host 182.72.251.53
access-list SplitTunnelACL standard permit 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
no logging message 710005
no logging message 302015
no logging message 302016
mtu Outside 1500
mtu Inside 1500
ip local pool vpnpool1 192.168.10.1-192.168.10.32 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) 182.72.251.51 192.168.3.36 netmask 255.255.255.255 dns
static (Inside,Outside) 182.72.251.52 192.168.3.53 netmask 255.255.255.255 dns
static (Inside,Outside) 182.72.251.53 192.168.3.33 netmask 255.255.255.255 dns
static (Inside,Outside) 182.72.251.59 192.168.3.22 netmask 255.255.255.255 dns
static (Inside,Outside) 182.72.251.57 192.168.3.38 netmask 255.255.255.255 dns
static (Inside,Outside) 182.72.251.54 192.168.3.4 netmask 255.255.255.255 dns
static (Inside,Outside) 182.72.251.56 192.168.3.3 netmask 255.255.255.255 dns
access-group outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 182.72.251.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
http 192.168.3.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128
-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256
-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set peer 206.123.70.36
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 3 set peer 96.226.59.137
crypto map Outside_map 3 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.3.0 255.255.255.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
ssh version 2
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 averag
e-rate 200
ntp server 66.250.45.2 source Outside
tftp-server Outside 206.123.71.48 /blr-ciscoasa
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.3.8 192.168.3.32
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnelACL
 default-domain value mcubeit.com
group-policy gns-noc internal
group-policy gns-noc attributes
 dns-server value 192.168.3.3
 vpn-tunnel-protocol IPSec
 default-domain value mcubeit.com
group-policy mcube-india internal
group-policy mcube-india attributes
 dns-server value 192.168.3.3
 vpn-tunnel-protocol IPSec
 default-domain value mcubeit.com
**NOTE: Admin Edit - NM
{ section removed due to risk }

tunnel-group 206.123.70.36 type ipsec-l2l
tunnel-group 206.123.70.36 ipsec-attributes
 pre-shared-key *
tunnel-group 96.226.59.137 type ipsec-l2l
tunnel-group 96.226.59.137 ipsec-attributes
 pre-shared-key *
tunnel-group gns-noc type remote-access
tunnel-group gns-noc general-attributes
 address-pool vpnpool1
 default-group-policy gns-noc
tunnel-group gns-noc ipsec-attributes
 pre-shared-key *
tunnel-group mcube-india type remote-access
tunnel-group mcube-india general-attributes
 address-pool vpnpool1
 default-group-policy mcube-india
tunnel-group mcube-india ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e61264ae645c07bef67b0759d95b79cd
*************
0
Comment
Question by:anuboggaram
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 37750710
I see this:

interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 182.72.251.50 255.255.255.240


Then down farther, your route is not right:

route Outside 0.0.0.0 0.0.0.0 182.72.251.49 1
0
 

Author Comment

by:anuboggaram
ID: 37752358
Local user name entries are for authenticating VPN users.

What is the correct route path to be mentioned.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 37753970
Check fire Men :)

The default route has to be different to the outside interface its the IP of your router - so it would not be unusual for it to be .49?

route Outside 0.0.0.0 0.0.0.0 182.72.251.49 1

is OK if that's your router IP :)

Your Problem is probably NAT related - VPN connects but only the inside Interface is pingable - smacks of NAT to me?


Cisco VPN Client Connects but no traffic will Pass


Pete
0
Are You Headed to Black Hat USA 2017?

Getting ready for Black Hat next week? Kick things off with the WatchGuard Badge Challenge and test your puzzle and cipher skills. Do you have what it takes to earn our limited edition Firebox Badge? Get started today - https://crimsonthorn.net

 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 37754140
I agree with that Pete.  We are using an ASA in place of a router - thus why I neglected to consider there may be a router in between.

NAT is the only logical issue in this case.
0
 
LVL 17

Expert Comment

by:MAG03
ID: 37758626
NAT as mentioned above is your problem.  you need to create an exemption from the 192.168.3.0 network to the 192.168.10.0 network

so something like this:
access-list NONAT extended permit 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0

NAT (inside) 0 access-list NONAT
0
 
LVL 9

Expert Comment

by:neilpage99
ID: 37955352
Is this question abandoned?  Does the author still need help?
0
 
LVL 17

Expert Comment

by:MAG03
ID: 37955643
Oops wrong post
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let’s list some of the technologies that enable smooth teleworking. 
Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses
Course of the Month10 days, 21 hours left to enroll

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question