iplexent asked:
Can't access local network while connecting via remote IPsec VPN

Hi Experts,

I'm testing out an ASA5505 (ver. 7.2) for my lab and can't get to the local network 192.168.1.x while connected via IPsec VPN. I also can't connect via ASDM. Any help would be much appreciated.

Here is my config:

ASA Version 7.2(2)
!
hostname cisco
domain-name cisco.local
enable password XXXXXXXXXXXXXXXXXXXX
names
!
interface Vlan1
 description to outside interface (DHCP Cablemodem)
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan10
 description to inside VLAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 description physical connection to Cablemodem
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Ethernet0/7
 switchport access vlan 10
!
banner motd
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name cisco.local
object-group icmp-type DefaultICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
access-list acl_outside extended permit icmp any any object-group DefaultICMP

access-list test_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.1.1.0 255.255.255.0
access-list test1_splitTunnelAcl standard permit host 192.168.1.100
access-list test1_splitTunnelAcl standard permit host 192.168.1.1
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpn1 10.1.1.1-10.1.1.30 mask 255.255.255.252
ip local pool vpn2 209.165.201.1-209.165.201.20
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group acl_outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy test1 internal

group-policy test1 attributes
 dns-server value 4.2.2.2 2.2.2.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test1_splitTunnelAcl
 default-domain value vpn2
username XXXXXXX password XXXXXXXX encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group test1 type ipsec-ra
tunnel-group test1 general-attributes
 address-pool vpn2
 default-group-policy test1
tunnel-group test1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 5
management-access inside
dhcpd dns 4.2.2.2 2.2.2.2
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain cisco.local
!
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd enable inside
!

!
!
prompt hostname context
Cryptochecksum:b36a1dd076f80d17908e38f7d5c5527a
!
!
rauenpc answered:
nat (inside) 0 access-list inside_nat0_outbound
thpipfh answered:
Yes, you would either need to configure split tunnel so the internet traffic goes out via your local ISP, or, as per the current configuration, you are tunneling all traffic (including internet traffic) towards the ASA, so you would need to create NAT for the internet traffic.
 
To configure split tunnel:
 
access-list split-acl standard permit 192.168.1.0 255.255.255.0
group-policy test1 attributes
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-acl
 
Hope this helps.
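Putting the two replies above together against the posted config, as an added example that is not part of any post in this thread. The config already has the exemption ACL (`access-list inside_nat0_outbound extended permit ip any 10.1.1.0 255.255.255.0`) but never binds it with `nat (inside) 0`, so LAN-to-client traffic is PATed through the outside interface and never reaches the tunnel. Two further details are visible in the config: the tunnel-group hands out addresses from pool `vpn2` (209.165.201.x), while the exemption ACL and the `http`/`ssh` lines all refer to 10.1.1.0, and `http 10.1.1.0 255.255.255.255 inside` carries a host mask, so ASDM from a client address would not match. The example assumes the lab intends clients to use pool `vpn1` (10.1.1.0/27) and switches the tunnel-group to it; the pool choice and the /27 mask are assumptions, and the syntax is the pre-8.3 `nat 0 access-list` form that matches the 7.2 image shown.

```cisco
! Added example (ASA 7.2 syntax), not from the original thread.
! Assumes remote-access clients should come from pool vpn1 (10.1.1.0/27).
!
! 1. NAT exemption: traffic between the inside LAN and VPN clients must not be
!    translated, otherwise replies leave via the global PAT instead of the tunnel.
!    The ACL below already exists in the posted config; only the binding is missing.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
!
! 2. Split tunnel: only the LAN is sent through the tunnel; internet traffic stays
!    on the client's own ISP, so no NAT for client internet traffic is needed on the ASA.
access-list split-acl standard permit 192.168.1.0 255.255.255.0
group-policy test1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
!
! 3. Hand out addresses from the pool that the exemption ACL and the management
!    lines actually reference (the posted tunnel-group uses vpn2 / 209.165.201.x).
tunnel-group test1 general-attributes
 address-pool vpn1
!
! 4. ASDM and SSH from VPN clients: management-access inside is already set in the
!    posted config; the http/ssh entries must cover the pool with a network mask,
!    not the /32 mask the posted http line carries.
http 10.1.1.0 255.255.255.224 inside
ssh 10.1.1.0 255.255.255.224 inside
```

After a client connects, `show crypto ipsec sa` should show both encaps and decaps counters increasing while pinging 192.168.1.1 from the client; encaps only on the client side with no decaps is the usual signature of the missing `nat (inside) 0` binding, and `show xlate` will then show the LAN host being translated through the outside interface instead of hitting the exemption.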
iplexent (asker) replied:
OK, thanks everyone, I will try this today.