troubleshooting Question

Cisco ASA Remote VPN LAN Access Isuse

Avatar of cyberchrisrock
cyberchrisrockFlag for United States of America asked on
Hardware FirewallsInternet Protocol SecurityNetwork Operations
4 Comments1 Solution2170 ViewsLast Modified:
I have an issue where I have setup Remote client VPN and successfully connect, but cannot access any of the LAN endpoints, and particularly cannot RDP to any of the machines that are set to receive RDP. I think that it has something to do with NONAT. I have pasted the config here for you guys "eyeball" and give me a fresh perspective.  Here's the config:


 
ASA Version 9.1(2)
!
hostname Company
domain-name Company.com
enable password thepassword encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd /thepassword encrypted
names
ip local pool ag-pool 10.10.11.1-10.10.11.254
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 shutdown
 nameif management
 security-level 0
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.248
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name Company.com
object network inside-subnet
 subnet 10.10.10.0 255.255.255.0
object network LOCAL_LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-VPN-NET
 subnet 10.10.11.0 255.255.255.0
object network NONAT
access-list LAN standard permit 10.10.10.0 255.255.255.0
access-list split standard permit 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
no pager
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static REMOTE-VPN-NET REMOTE-VPN-NET destination static LOCAL_LAN LOCAL_LAN
!
object network inside-subnet
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 5.6.7.8 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy ag-group-policy internal
group-policy ag-group-policy attributes
 dns-server value 10.10.10.2
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 split-dns value Company.local
username myusername password mypassword encrypted
tunnel-group ag-remote type remote-access
tunnel-group ag-remote general-attributes
 address-pool ag-pool
 default-group-policy ag-group-policy
tunnel-group ag-remote ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
 
: end

Company# login as: me
me@1.2.3.4's password:
Type help or '?' for a list of available commands.

Company>
ASKER CERTIFIED SOLUTION
Jordan Medlen

Our community of experts have been thoroughly vetted for their expertise and industry experience.

Join our community to see this answer!
Unlock 1 Answer and 4 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 4 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros