Solved

Can't access local network while connecting via remote IPsec VPN

Posted on 2013-01-08
Last Modified: 2013-01-10
Hi Experts,

I'm testing out an ASA5505 (ver. 7.2) for my lab and can't get to the local network 192.168.1.x while connected via IPsec VPN. I also can't connect via ASDM. Any help would be much appreciated.

Here is my config:

ASA Version 7.2(2)
!
hostname cisco
domain-name cisco.local
enable password XXXXXXXXXXXXXXXXXXXX
names
!
interface Vlan1
 description to outside interface (DHCP Cablemodem)
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan10
 description to inside VLAN
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 description physical connection to Cablemodem
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Ethernet0/7
 switchport access vlan 10
!
banner motd
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name cisco.local
object-group icmp-type DefaultICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
access-list acl_outside extended permit icmp any any object-group DefaultICMP

access-list test_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.1.1.0 255.255.255.0
access-list test1_splitTunnelAcl standard permit host 192.168.1.100
access-list test1_splitTunnelAcl standard permit host 192.168.1.1
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpn1 10.1.1.1-10.1.1.30 mask 255.255.255.252
ip local pool vpn2 209.165.201.1-209.165.201.20
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group acl_outside in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy test1 internal

group-policy test1 attributes
 dns-server value 4.2.2.2 2.2.2.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test1_splitTunnelAcl
 default-domain value vpn2
username XXXXXXX password XXXXXXXX encrypted privilege 15
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group test1 type ipsec-ra
tunnel-group test1 general-attributes
 address-pool vpn2
 default-group-policy test1
tunnel-group test1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 5
management-access inside
dhcpd dns 4.2.2.2 2.2.2.2
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain cisco.local
!
dhcpd address 192.168.1.100-192.168.1.131 inside
dhcpd enable inside
!

!
!
prompt hostname context
Cryptochecksum:b36a1dd076f80d17908e38f7d5c5527a
!
!
Question by: iplexent
Expert Comment by: rauenpc
ID: 38757624
nat (inside) 0 access-list inside_nat0_outbound
Expert Comment by: thpipfh
ID: 38757630
Yes, you would either need to configure split tunneling so that internet traffic goes out via your local ISP, or, as per the current configuration, you are tunneling all traffic (including internet traffic) towards the ASA, so you would need to create NAT for the internet traffic.

To configure split tunnel:

access-list split-acl standard permit 192.168.1.0 255.255.255.0
group-policy test1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl

Hope this helps.
Accepted Solution by: fgasimzade (earned 500 total points)
ID: 38757870
You are giving public IP addresses to remote clients; this is not a good idea:

ip local pool vpn2 209.165.201.1-209.165.201.20

Change it to something private, for example the pool you already have:

ip local pool vpn1 10.1.1.1-10.1.1.30 mask 255.255.255.252

Place to change it is here:

tunnel-group test1 general-attributes
 address-pool vpn2

You would also need a NAT Exempt:

nat (inside) 0 access-list inside_nat0_outbound

Also, add this to permit IPsec traffic inside:

sysopt connection permit-vpn
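As an added example (not from the thread), a small Python audit that applies the accepted answer's three checks to the posted configuration: which pool the tunnel-group actually assigns and whether it is private, whether a nat (inside) 0 access-list exempts that pool from NAT, and whether sysopt connection permit-vpn is set. The config excerpt is a constructed sample taken from the question's lines, and audit_ra_vpn, POSTED and FIXED are names chosen here.

```python
import ipaddress
import re

# Constructed sample: the lines of the posted ASA 7.2 config that decide
# whether remote-access clients can reach 192.168.1.0/24 through the tunnel.
POSTED = """\
access-list inside_nat0_outbound extended permit ip any 10.1.1.0 255.255.255.0
ip local pool vpn1 10.1.1.1-10.1.1.30 mask 255.255.255.252
ip local pool vpn2 209.165.201.1-209.165.201.20
nat (inside) 1 192.168.1.0 255.255.255.0
tunnel-group test1 general-attributes
 address-pool vpn2
"""

# The same excerpt with the accepted answer applied: private pool vpn1,
# NAT exemption for that pool, and sysopt connection permit-vpn.
FIXED = (POSTED.replace(" address-pool vpn2", " address-pool vpn1")
         + "nat (inside) 0 access-list inside_nat0_outbound\n"
         + "sysopt connection permit-vpn\n")


def audit_ra_vpn(cfg):
    """Return findings that explain why VPN clients cannot reach the inside LAN."""
    findings = []
    pools = {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
             for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}
    # Which pool does the tunnel-group really hand out to clients?
    tg = re.search(r"^tunnel-group (\S+) general-attributes\n(?: .*\n)*? address-pool (\S+)",
                   cfg, re.M)
    if not tg or tg[2] not in pools:
        return ["no address-pool bound to a tunnel-group"]
    first, last = pools[tg[2]]
    if not (first.is_private and last.is_private):
        findings.append(f"pool {tg[2]} hands out public addresses {first}-{last}")
    # Is that pool exempted from NAT on the inside interface (nat 0 + ACL)?
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if not nat0:
        findings.append("no 'nat (inside) 0 access-list' exemption for VPN clients")
    else:
        nets = [ipaddress.ip_network(f"{a[1]}/{a[2]}") for a in re.finditer(
            rf"^access-list {re.escape(nat0[1])} extended permit ip any (\S+) (\S+)", cfg, re.M)]
        if not any(first in n and last in n for n in nets):
            findings.append(f"NAT-exempt ACL {nat0[1]} does not cover {first}-{last}")
    # The accepted answer also sets sysopt connection permit-vpn so decrypted
    # traffic is not filtered by the outside access-group (acl_outside).
    if not re.search(r"^sysopt connection permit-vpn$", cfg, re.M):
        findings.append("sysopt connection permit-vpn not set")
    return findings
```

Running audit_ra_vpn over the full posted running-config works the same way, since every pattern is anchored to the start of a line.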
Author Comment by: iplexent
ID: 38758659
OK, thanks everyone, I will try this today.