Solved

Can't access local network while connecting via remote IPsec VPN

Posted on 2013-01-08
4
808 Views
Last Modified: 2013-01-10
Hi Experts,

I'm testing out an ASA5505 (ver. 7.2) for my lab and can't get to the local network 192.168.1.x while connected via IPsec VPN. I also can't connect via ASDM. Any help would be much appreciated.

Here is my config:

ASA Version 7.2(2)
!
hostname cisco
domain-name cisco.local
enable password XXXXXXXXXXXXXXXXXXXX
names
!
interface Vlan1
 description to outside interface (DHCP Cablemodem)
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan10
 description to inside VLAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 description physical connection to Cablemodem
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Ethernet0/7
 switchport access vlan 10
!
banner motd
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name cisco.local
object-group icmp-type DefaultICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
access-list acl_outside extended permit icmp any any object-group DefaultICMP

access-list test_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.1.1.0 255.255.255.0
access-list test1_splitTunnelAcl standard permit host 192.168.1.100
access-list test1_splitTunnelAcl standard permit host 192.168.1.1
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpn1 10.1.1.1-10.1.1.30 mask 255.255.255.252
ip local pool vpn2 209.165.201.1-209.165.201.20
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group acl_outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy test1 internal

group-policy test1 attributes
 dns-server value 4.2.2.2 2.2.2.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test1_splitTunnelAcl
 default-domain value vpn2
username XXXXXXX password XXXXXXXX encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group test1 type ipsec-ra
tunnel-group test1 general-attributes
 address-pool vpn2
 default-group-policy test1
tunnel-group test1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 5
management-access inside
dhcpd dns 4.2.2.2 2.2.2.2
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain cisco.local
!
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd enable inside
!

!
!
prompt hostname context
Cryptochecksum:b36a1dd076f80d17908e38f7d5c5527a
!
!
0
Comment
Question by:iplexent
4 Comments
 
LVL 20

Expert Comment

by:rauenpc
ID: 38757624
nat (inside) 0 access-list inside_nat0_outbound
0
 
LVL 1

Expert Comment

by:thpipfh
ID: 38757630
Yes, you would either need to configure split tunnel so the internet traffic goes out via your local ISP, or, as per your current configuration, you are tunneling all traffic (incl. internet traffic) towards the ASA, so you would need to create NAT for the internet traffic.
 
To configure split tunnel:
 
access-list split-acl standard permit 192.168.1.0 255.255.255.0
group-policy test1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
 
Hope this helps.
0
 
LVL 18

Accepted Solution

by:
fgasimzade earned 500 total points
ID: 38757870
You are giving public IP addresses to remote clients; this is not a good idea:

ip local pool vpn2 209.165.201.1-209.165.201.20

Change it to something private, for example ip local pool vpn1 10.1.1.1-10.1.1.30 mask 255.255.255.252, which you already have.

Place to change it is here:

tunnel-group test1 general-attributes
 address-pool vpn2

You would also need a NAT Exempt:

nat (inside) 0 access-list inside_nat0_outbound

Also, add this to permit ipsec traffic inside:

sysopt connection permit-vpn
0
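As an added example (not part of this thread, and not a Cisco tool), the following Python script reads an ASA 7.x running-config and flags the points raised in thpipfh's and fgasimzade's comments above: a tunnel-group address pool outside RFC 1918 space, no nat (inside) 0 exemption whose ACL covers that pool, a split-tunnel ACL that does not include the whole inside subnet, and sysopt connection permit-vpn explicitly disabled. SAMPLE_CONFIG is a constructed excerpt of the configuration posted in the question; the function names and the finding codes are my own.

```python
"""Lint an ASA 7.x running-config for the remote-access IPsec pitfalls discussed
in this thread. Added example, not the thread's or Cisco's code."""
import ipaddress
import re

# Constructed excerpt of the configuration posted in the question above.
SAMPLE_CONFIG = """\
interface Vlan10
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list test1_splitTunnelAcl standard permit host 192.168.1.100
access-list test1_splitTunnelAcl standard permit host 192.168.1.1
access-list inside_nat0_outbound extended permit ip any 10.1.1.0 255.255.255.0
ip local pool vpn1 10.1.1.1-10.1.1.30 mask 255.255.255.252
ip local pool vpn2 209.165.201.1-209.165.201.20
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
group-policy test1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test1_splitTunnelAcl
tunnel-group test1 general-attributes
 address-pool vpn2
 default-group-policy test1
"""


def _blocks(text):
    """Group config lines into (header, [indented children]) pairs; drop '!' and blanks."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def _acl_network(words):
    """Convert the tail of an ACL entry ('any', 'host X', or 'NET MASK') to a network."""
    if words[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if words[0] == "host":
        return ipaddress.ip_network(words[1] + "/32")
    return ipaddress.ip_network(f"{words[0]}/{words[1]}", strict=False)


def lint(config):
    """Return 'CODE: detail' findings for the remote-access VPN parts of the config."""
    blocks = _blocks(config)
    headers = [h for h, _ in blocks]
    pools, std_acls, ext_acl_dsts, gp_split = {}, {}, {}, {}
    inside_net = tg_pool = tg_gp = None

    for header, children in blocks:
        w = header.split()
        if w[:3] == ["ip", "local", "pool"]:
            lo, hi = w[4].split("-")
            pools[w[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif w[0] == "access-list" and w[2:4] == ["standard", "permit"]:
            std_acls.setdefault(w[1], []).append(_acl_network(w[4:]))
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            src_len = 1 if w[5] == "any" else 2  # 'any' is one word; 'host X' / 'NET MASK' are two
            ext_acl_dsts.setdefault(w[1], []).append(_acl_network(w[5 + src_len:]))
        elif w[0] == "interface" and "nameif inside" in children:
            for c in children:
                if c.startswith("ip address ") and len(c.split()) >= 4:
                    ip, mask = c.split()[2:4]
                    inside_net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif w[0] == "group-policy" and w[-1] == "attributes":
            for c in children:
                if c.startswith("split-tunnel-network-list value "):
                    gp_split[w[1]] = c.split()[2]
        elif w[0] == "tunnel-group" and w[-1] == "general-attributes":
            for c in children:
                if c.startswith("address-pool "):
                    tg_pool = c.split()[1]
                elif c.startswith("default-group-policy "):
                    tg_gp = c.split()[1]

    findings = []
    if tg_pool in pools:
        lo, hi = pools[tg_pool]
        if not (lo.is_private and hi.is_private):
            findings.append(f"PUBLIC_POOL: tunnel-group hands out {tg_pool} ({lo}-{hi}), not RFC 1918 space")
        # NAT exemption: a 'nat (inside) 0 access-list X' whose ACL destination covers the pool.
        nat0_acls = [m.group(1) for h in headers
                     for m in [re.match(r"nat \(inside\) 0 access-list (\S+)$", h)] if m]
        if not any(lo in net and hi in net
                   for acl in nat0_acls for net in ext_acl_dsts.get(acl, [])):
            findings.append(f"NO_NAT_EXEMPT: no 'nat (inside) 0 access-list' entry covers pool {tg_pool}")
    else:
        findings.append("NO_POOL: tunnel-group does not reference a defined ip local pool")

    split_acl = gp_split.get(tg_gp)
    if inside_net is not None and split_acl in std_acls:
        if not any(inside_net.subnet_of(n) for n in std_acls[split_acl]):
            findings.append(f"SPLIT_ACL_PARTIAL: {split_acl} does not include the whole inside subnet {inside_net}")

    # ASA 7.x enables 'sysopt connection permit-vpn' by default and the running config
    # only shows the 'no' form, so an explicit 'no' is what to flag.
    if "no sysopt connection permit-vpn" in headers:
        findings.append("PERMIT_VPN_DISABLED: decrypted VPN traffic is subject to the interface ACL")
    return findings


def lint_codes(config):
    """Just the finding codes, in the order lint() reports them."""
    return [f.split(":", 1)[0] for f in lint(config)]


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the posted excerpt it reports PUBLIC_POOL, NO_NAT_EXEMPT and SPLIT_ACL_PARTIAL; switching the tunnel-group to pool vpn1, adding the nat (inside) 0 line and a split-tunnel entry for 192.168.1.0/24 clears all three. The checker only understands the standard/extended ACL forms and the single-interface NAT exemption used on this page, so it should be read as a starting point rather than a full ASA parser.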
 

Author Comment

by:iplexent
ID: 38758659
Ok thanks everyone I will try this today
0
