Solved

Cisco ASA Remote VPN LAN Access Isuse

Posted on 2014-01-06
4
2,043 Views
Last Modified: 2014-01-06
I have an issue where I have setup Remote client VPN and successfully connect, but cannot access any of the LAN endpoints, and particularly cannot RDP to any of the machines that are set to receive RDP. I think that it has something to do with NONAT. I have pasted the config here for you guys "eyeball" and give me a fresh perspective.  Here's the config:


 
ASA Version 9.1(2)
!
hostname Company
domain-name Company.com
enable password thepassword encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd /thepassword encrypted
names
ip local pool ag-pool 10.10.11.1-10.10.11.254
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 shutdown
 nameif management
 security-level 0
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.248
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name Company.com
object network inside-subnet
 subnet 10.10.10.0 255.255.255.0
object network LOCAL_LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-VPN-NET
 subnet 10.10.11.0 255.255.255.0
object network NONAT
access-list LAN standard permit 10.10.10.0 255.255.255.0
access-list split standard permit 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
no pager
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static REMOTE-VPN-NET REMOTE-VPN-NET destination static LOCAL_LAN LOCAL_LAN
!
object network inside-subnet
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 5.6.7.8 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy ag-group-policy internal
group-policy ag-group-policy attributes
 dns-server value 10.10.10.2
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 split-dns value Company.local
username myusername password mypassword encrypted
tunnel-group ag-remote type remote-access
tunnel-group ag-remote general-attributes
 address-pool ag-pool
 default-group-policy ag-group-policy
tunnel-group ag-remote ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
 
: end

Company# login as: me
me@1.2.3.4's password:
Type help or '?' for a list of available commands.

Company>
0
Comment
Question by:cyberchrisrock
  • 2
4 Comments
 
LVL 6

Accepted Solution

by:
Jordan Medlen earned 500 total points
ID: 39759155
Maybe a problem with your manual "NONAT" statement. Other than that, I'm not seeing it right now.

Try putting your nonat in the object-group...

object network REMOTE-VPN-NET
 nat (inside,outside) 1 source static LOCAL_LAN LOCAL_LAN destination static REMOTE-VPN-NET REMOTE-VPN-NET
!
no nat (inside,outside) source static REMOTE-VPN-NET REMOTE-VPN-NET destination static LOCAL_LAN LOCAL_LAN

Open in new window

0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39760319
nat (inside,outside) source static REMOTE-VPN-NET REMOTE-VPN-NET destination static LOCAL_LAN LOCAL_LAN

Should the above line be the other way around?

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE-VPN-NET REMOTE-VPN-NET
0
 
LVL 6

Expert Comment

by:Jordan Medlen
ID: 39760549
That's what I thought as well, henkva. That's why I was having the config changed as stated above. Also changing it to be within the object-group instead of the manual nat statement.
0
 

Author Closing Comment

by:cyberchrisrock
ID: 39761205
This fixed the issue completely. Thanks very much  Jordan Medlen
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now