Solved

Cisco VPN gets connected but internal network\machines or LAN is not accessible.

Posted on 2012-03-21
10
715 Views
Last Modified: 2012-05-26
Hi Experts,

My vpn was working fine. We changed ISP and now VPN gets connected from home but cannot access any machines inside the network for all the users.

 I can ping only internal ip (192.168.3.1) of firewall. Basically i am not from network domain. Please guide me in detail to resove this issue.



My firewall config is as below:
***************
blr-ciscoasa# sh config
: Saved
: Written by enable_15 at 08:26:22.911 UTC Fri Jan 10 2003
!
ASA Version 8.0(5)
!
hostname blr-ciscoasa
domain-name mcubeit.com
enable password vBQ/WDouSOJsNuQs encrypted
passwd .PbFocrmUvjjuNio encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 182.72.251.50 255.255.255.240
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa805-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name mcubeit.com
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object tcp eq ftp
 service-object tcp eq ftp-data
 service-object tcp eq www
object-group service DM_INLINE_SERVICE_3
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_4
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_5
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_6
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_7
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service rdp tcp
 description Remote desktop protocol
 port-object eq 3389
object-group service DM_INLINE_SERVICE_8
 service-object icmp
 service-object tcp eq www
object-group service DM_INLINE_SERVICE_9
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_10
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_11
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_12
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_15
 service-object tcp eq https
 service-object tcp eq www
 service-object icmp
object-group service DM_INLINE_SERVICE_16
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_17
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_18
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_19
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_20
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_21
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
object-group service DM_INLINE_SERVICE_22
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_15
any host 182.72.251.51
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_16
any host 182.72.251.52
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_17
any host 182.72.251.155
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_18
any host 182.72.251.54
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_19
any host 182.72.251.56
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_20
any host 182.72.251.59
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_21
any host 182.72.251.57
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_22
any host 182.72.251.53
access-list outside_acess_in extended permit object-group DM_INLINE_SERVICE_17 a
ny host 182.72.251.53
access-list SplitTunnelACL standard permit 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
no logging message 710005
no logging message 302015
no logging message 302016
mtu Outside 1500
mtu Inside 1500
ip local pool vpnpool1 192.168.10.1-192.168.10.32 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (Inside) 101 0.0.0.0 0.0.0.0
static (Inside,Outside) 182.72.251.51 192.168.3.36 netmask 255.255.255.255 dns
static (Inside,Outside) 182.72.251.52 192.168.3.53 netmask 255.255.255.255 dns
static (Inside,Outside) 182.72.251.53 192.168.3.33 netmask 255.255.255.255 dns
static (Inside,Outside) 182.72.251.59 192.168.3.22 netmask 255.255.255.255 dns
static (Inside,Outside) 182.72.251.57 192.168.3.38 netmask 255.255.255.255 dns
static (Inside,Outside) 182.72.251.54 192.168.3.4 netmask 255.255.255.255 dns
static (Inside,Outside) 182.72.251.56 192.168.3.3 netmask 255.255.255.255 dns
access-group outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 182.72.251.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
http 192.168.3.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128
-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256
-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set peer 206.123.70.36
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 3 set peer 96.226.59.137
crypto map Outside_map 3 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.3.0 255.255.255.0 Inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 60
ssh version 2
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 averag
e-rate 200
ntp server 66.250.45.2 source Outside
tftp-server Outside 206.123.71.48 /blr-ciscoasa
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.3.8 192.168.3.32
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnelACL
 default-domain value mcubeit.com
group-policy gns-noc internal
group-policy gns-noc attributes
 dns-server value 192.168.3.3
 vpn-tunnel-protocol IPSec
 default-domain value mcubeit.com
group-policy mcube-india internal
group-policy mcube-india attributes
 dns-server value 192.168.3.3
 vpn-tunnel-protocol IPSec
 default-domain value mcubeit.com
**NOTE: Admin Edit - NM
{ section removed due to risk }

tunnel-group 206.123.70.36 type ipsec-l2l
tunnel-group 206.123.70.36 ipsec-attributes
 pre-shared-key *
tunnel-group 96.226.59.137 type ipsec-l2l
tunnel-group 96.226.59.137 ipsec-attributes
 pre-shared-key *
tunnel-group gns-noc type remote-access
tunnel-group gns-noc general-attributes
 address-pool vpnpool1
 default-group-policy gns-noc
tunnel-group gns-noc ipsec-attributes
 pre-shared-key *
tunnel-group mcube-india type remote-access
tunnel-group mcube-india general-attributes
 address-pool vpnpool1
 default-group-policy mcube-india
tunnel-group mcube-india ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e61264ae645c07bef67b0759d95b79cd
*************
0
Comment
Question by:anuboggaram
10 Comments
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
I see this:

interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 182.72.251.50 255.255.255.240


Then down farther, your route is not right:

route Outside 0.0.0.0 0.0.0.0 182.72.251.49 1
0
 

Author Comment

by:anuboggaram
Comment Utility
Local user name entries are for authenticating VPN users.

What is the correct route path to be mentioned.
0
 
LVL 57

Expert Comment

by:Pete Long
Comment Utility
Check fire Men :)

The default route has to be different to the outside interface its the IP of your router - so it would not be unusual for it to be .49?

route Outside 0.0.0.0 0.0.0.0 182.72.251.49 1

is OK if that's your router IP :)

Your Problem is probably NAT related - VPN connects but only the inside Interface is pingable - smacks of NAT to me?


Cisco VPN Client Connects but no traffic will Pass


Pete
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
Comment Utility
I agree with that Pete.  We are using an ASA in place of a router - thus why I neglected to consider there may be a router in between.

NAT is the only logical issue in this case.
0
 
LVL 17

Expert Comment

by:MAG03
Comment Utility
NAT as mentioned above is your problem.  you need to create an exemption from the 192.168.3.0 network to the 192.168.10.0 network

so something like this:
access-list NONAT extended permit 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0

NAT (inside) 0 access-list NONAT
0
 
LVL 9

Expert Comment

by:neilpage99
Comment Utility
Is this question abandoned?  Does the author still need help?
0
 
LVL 17

Expert Comment

by:MAG03
Comment Utility
Oops wrong post
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Overview Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now