Solved

Cisco ASA Remote VPN LAN Access Isuse

Posted on 2014-01-06
4
2,077 Views
Last Modified: 2014-01-06
I have an issue where I have setup Remote client VPN and successfully connect, but cannot access any of the LAN endpoints, and particularly cannot RDP to any of the machines that are set to receive RDP. I think that it has something to do with NONAT. I have pasted the config here for you guys "eyeball" and give me a fresh perspective.  Here's the config:


 
ASA Version 9.1(2)
!
hostname Company
domain-name Company.com
enable password thepassword encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd /thepassword encrypted
names
ip local pool ag-pool 10.10.11.1-10.10.11.254
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 shutdown
 nameif management
 security-level 0
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.248
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name Company.com
object network inside-subnet
 subnet 10.10.10.0 255.255.255.0
object network LOCAL_LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-VPN-NET
 subnet 10.10.11.0 255.255.255.0
object network NONAT
access-list LAN standard permit 10.10.10.0 255.255.255.0
access-list split standard permit 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
no pager
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static REMOTE-VPN-NET REMOTE-VPN-NET destination static LOCAL_LAN LOCAL_LAN
!
object network inside-subnet
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 5.6.7.8 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy ag-group-policy internal
group-policy ag-group-policy attributes
 dns-server value 10.10.10.2
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 split-dns value Company.local
username myusername password mypassword encrypted
tunnel-group ag-remote type remote-access
tunnel-group ag-remote general-attributes
 address-pool ag-pool
 default-group-policy ag-group-policy
tunnel-group ag-remote ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
 
: end

Company# login as: me
me@1.2.3.4's password:
Type help or '?' for a list of available commands.

Company>
0
Comment
Question by:cyberchrisrock
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 6

Accepted Solution

by:
Jordan Medlen earned 500 total points
ID: 39759155
Maybe a problem with your manual "NONAT" statement. Other than that, I'm not seeing it right now.

Try putting your nonat in the object-group...

object network REMOTE-VPN-NET
 nat (inside,outside) 1 source static LOCAL_LAN LOCAL_LAN destination static REMOTE-VPN-NET REMOTE-VPN-NET
!
no nat (inside,outside) source static REMOTE-VPN-NET REMOTE-VPN-NET destination static LOCAL_LAN LOCAL_LAN

Open in new window

0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39760319
nat (inside,outside) source static REMOTE-VPN-NET REMOTE-VPN-NET destination static LOCAL_LAN LOCAL_LAN

Should the above line be the other way around?

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE-VPN-NET REMOTE-VPN-NET
0
 
LVL 6

Expert Comment

by:Jordan Medlen
ID: 39760549
That's what I thought as well, henkva. That's why I was having the config changed as stated above. Also changing it to be within the object-group instead of the manual nat statement.
0
 

Author Closing Comment

by:cyberchrisrock
ID: 39761205
This fixed the issue completely. Thanks very much  Jordan Medlen
0

Featured Post

Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question