ASA 5505 connects but no local share access

We have an ASA 5505 and the VPN connects without issue; however, the only thing that works when connected is Outlook, which works as if connected locally. Can't access the local servers or network shares. The config and VPN were put in place by the previous network person, but I don't see a reason why there's no local access. Config attached:


ASA Version 7.2(4)
!
hostname ciscoasa
domain-name ALPHAOMEGA3
enable password (omitted)
passwd (omitted) encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.134.80.157 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name ALPHAOMEGA3
object-group service mainserver tcp
 port-object eq 1433
access-list out_access_in extended permit tcp any host 172.134.80.126 object-group DM_INLINE_TCP_1
access-list out_access_in remark Split tunnel
access-list out_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list out_access_in extended permit tcp any host 172.134.80.128 object-group mainserver
access-list inside_nat0_outbound extended permit ip any 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list ALPHAOMEGA3CS_splitTunnelACL extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list remoteusers_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list internal-out extended permit icmp any any echo-reply
access-list internal-out extended permit icmp any any time-exceeded
access-list internal-out extended permit icmp any any unreachable
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ALPHAOMEGA33 192.168.4.1-192.168.4.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 172.134.80.126 192.168.1.12 netmask 255.255.255.255
static (inside,outside) 172.134.80.128 192.168.1.13 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group out_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 172.134.80.123 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 192.168.1.13 community public
snmp-server location (omitted)
snmp-server contact (omitted)
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-AES-192-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-192
 hash sha
 group 5
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.14 255.255.255.255 inside
telnet 192.168.1.16 255.255.255.255 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

group-policy remoteusers internal
group-policy remoteusers attributes
 dns-server value 192.168.1.12 192.168.1.12
 vpn-tunnel-protocol IPSec
 ip-comp disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remoteusers_splitTunnelAcl
 default-domain value ALPHAOMEGA3.local
username admin password (omitted) encrypted privilege 15
tunnel-group remoteusers type ipsec-ra
tunnel-group remoteusers general-attributes
 address-pool ALPHAOMEGA3
 default-group-policy remoteusers
 authorization-dn-attributes use-entire-name
tunnel-group remoteusers ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum: (omitted)
: end
Asked by: OmegaKzoo

3 Solutions

RPPreacher commented:
Add the VPN address range to the Windows firewall on the servers that you are attempting to connect to.

Control Panel > Windows Firewall > Advanced Settings (in the left side panel). This opens an MMC window for advanced firewall configuration.
In the left panel, choose Inbound or Outbound Rules.
In the right panel, click New Rule.
In the dialog, choose "Custom".
In the left pane again, go to "Scope". When you add an IP, you can add a range.
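The same rule as a script, added here as an example rather than something posted in the thread. It scopes an inbound allow for SMB (TCP 445) and ICMP echo to the ASA's VPN pool, which the posted config defines as 192.168.4.1-192.168.4.254; the rule name and the example server address 192.168.1.12 (the mail server from the thread) are assumptions. It uses the NetSecurity cmdlets, so it needs Windows 8 / Server 2012 or later and an elevated prompt; the netsh line in the comments is the equivalent for 2008 R2.

```powershell
# Added example (not from the original thread): scope an inbound allow rule for
# file sharing to the ASA's VPN address pool instead of opening the port to "any".
# Pool taken from the posted config (ip local pool ... 192.168.4.1-192.168.4.254).
# Requires the NetSecurity module (Windows 8 / Server 2012+); run from an elevated prompt.

$VpnPool  = '192.168.4.0/24'               # ASA VPN client pool
$RuleName = 'SMB from ASA VPN pool'        # assumed rule name

# Remove a stale copy first so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# SMB only (TCP 445) and only from the VPN pool.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Enabled True `
    -Protocol TCP -LocalPort 445 `
    -RemoteAddress $VpnPool `
    -Profile Domain,Private | Out-Null

# ICMPv4 echo request (type 8) from the pool, so ping tests from VPN clients answer.
New-NetFirewallRule -DisplayName "$RuleName (ICMPv4 echo)" `
    -Direction Inbound -Action Allow -Enabled True `
    -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $VpnPool `
    -Profile Domain,Private | Out-Null

# Verify the scope really took: RemoteAddress should list the 192.168.4.0 pool, not "Any".
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Server 2008 / 2008 R2 equivalent (no NetSecurity module):
# netsh advfirewall firewall add rule name="SMB from ASA VPN pool" dir=in action=allow protocol=TCP localport=445 remoteip=192.168.4.0/24

# From the VPN client, test the port rather than relying on ping alone:
# Test-NetConnection -ComputerName 192.168.1.12 -Port 445
```

One caveat that matches how this thread ends: if a third-party suite (Trend, Kaspersky) has registered itself as the host firewall, Windows Firewall rules are not what is filtering the traffic, and the pool has to be whitelisted in that product instead. Checking which product is active in Security Center is worth doing before touching any rules.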
 
Sepist commented:
Does Outlook work when not connected to VPN? If so, then it may just be an ACL issue. This ACL looks backwards, since it's permitting 1.0 INBOUND to 4.0, which is just wrong.

access-list out_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

should be

access-list out_access_in extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
 
OmegaKzoo (author) commented:
Outlook does not work without a VPN connection. The firewall is turned off on that server and opened up through Trend.
 
Sepist commented:
If you are sure it's not a local machine firewall, I would commit the ACL change I mentioned earlier and test it. Part of the config is truncated, such as the object group DM_INLINE_TCP_1, so I don't really know what is allowed in from the internet to that server (assuming 172.134.80.126 is the mail server), so this is an educated guess as to the problem; everything else looks OK from a FW standpoint.
 
OmegaKzoo (author) commented:
Made the adjustment and nothing changed. I actually removed the entry and have the same result. Do I need to reset the ASA after a change here to see results, or is this an on-the-fly setting?
 
Sepist commented:
It would be an instantaneous change. When you try to connect to the file shares, are you trying to connect via hostname or by IP?
 
OmegaKzoo (author) commented:
Either way, no dice.
 
Sepist commented:
Hmm, the only other thing I can think of is that the local LAN you're testing the VPN from is also 192.168.1.x, which would cause issues traversing a VPN to the same range.
 
OmegaKzoo (author) commented:
If I use packet tracer in the ASDM, it fails at the any,any implicit rule on inside or outside, depending on whether I put the source as 192.168.1.1 or 192.168.4.1. I think I may just blow out the whole config and start over, unless there is something else that I am overlooking?
 
RPPreacher commented:
>192.168.1.x which would cause issues traversing a VPN to same range.

If that were the case, the Exchange wouldn't work either.

It's a firewall issue, he's just missing it.
 
Sepist commented:
Well, before blowing it out, try exempting VPN from ACL checks using the command sysopt connection permit-vpn.
 
OmegaKzoo (author) commented:
Added the command "sysopt connection permit-vpn"; no change. Verified the firewall is wide open for testing.
 
OmegaKzoo (author) commented:
Update: when connected to the VPN at 192.168.4.2, I am able to get a ping response from the ASA (192.168.1.10), two network printers (192.168.1.25 & .27) and 4 IP phones (192.168.1.101-104). There is no response from any other computers or servers on the network, and a ping from the mail server internally (192.168.1.12) gets a request timeout when attempting to ping 192.168.4.2.
 
RPPreacher commented:
Printers and IP phones don't have firewalls.
 
Ernie Beek (Expert) commented:
Perhaps asking the obvious, but do these machines (the unreachables) have the ASA as their default gateway?
Also, does anything show in the ASA log when you're trying to connect to a server/share?
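An ASA-side check sequence, added here as an example and not something posted in the thread, that covers the two points raised above: Sepist's ACL/sysopt suggestion and Ernie Beek's gateway and log questions. It uses the interface names, ACL names and addresses from the posted config (client 192.168.4.2 and mail server 192.168.1.12 as reported in the thread); the capture name and the placeholder <client-public-ip> are assumptions. The aim is to show whether the ASA delivers the packet to the server and the server stays silent (host firewall, or a default gateway that is not the ASA), or whether the ASA never forwards it at all.

```cisco
! Added example (not from the original thread): isolate where VPN-to-LAN traffic dies.
! Interface, ACL and pool names come from the posted config.

! 0. Make the log answer Ernie's question: buffer it and filter on the client.
logging buffered informational
show logging | include 192.168.4.2

! 1. Is the tunnel up, and is traffic flowing in both directions?
show vpn-sessiondb remote
show crypto isakmp sa
show crypto ipsec sa peer <client-public-ip>
!   #pkts encaps climbing while #pkts decaps stays flat (or the reverse) means one
!   direction is lost before it reaches the ASA.

! 2. Does the ASA itself pass LAN -> client? This is the return path the thread
!    found broken (server cannot ping 192.168.4.2). Expect NAT exemption via
!    inside_nat0_outbound, a VPN/encrypt phase, and result ALLOW.
packet-tracer input inside tcp 192.168.1.12 445 192.168.4.2 1025

! 3. sysopt connection permit-vpn is the default; adding it again changes nothing.
!    Only a "no sysopt connection permit-vpn" line turns interface ACLs back on for
!    decrypted traffic. If it is off, the outside ACL must permit the decrypted
!    client -> LAN flow, so the source is the pool, not the LAN:
show running-config sysopt
! access-list out_access_in extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0

! 4. Watch what leaves the inside interface and whether the server answers.
!    Requests seen with no replies: the ASA delivered the packet and the host (its
!    firewall, or a default gateway that is not the ASA) dropped or misrouted the
!    reply. No requests at all: the problem is still on the ASA side.
capture vpn_in interface inside match ip host 192.168.4.2 host 192.168.1.12
! ...open the share or ping from the VPN client, then:
show capture vpn_in
no capture vpn_in
```

Reading the capture in step 4 is what separates the two theories in the thread: the printers and phones answering while the servers and the Windows hosts do not is exactly the pattern a host firewall produces, because the ASA has already done its part by the time the packet is on the inside wire.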
 
OmegaKzoo (author) commented:
Turns out I overlooked the Kaspersky firewall; my apologies to RPPreacher. All tested and working great. Thanks for all the help!
