Solved

Cisco ASA Remote VPN LAN Access Issue

Posted on 2014-01-06
2,051 Views
Last Modified: 2014-01-06
I have an issue where I have set up a remote client VPN and can successfully connect, but cannot access any of the LAN endpoints, and in particular cannot RDP to any of the machines that are set up to receive RDP. I think it has something to do with NONAT. I have pasted the config here for you guys to "eyeball" and give me a fresh perspective. Here's the config:


 
ASA Version 9.1(2)
!
hostname Company
domain-name Company.com
enable password thepassword encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd /thepassword encrypted
names
ip local pool ag-pool 10.10.11.1-10.10.11.254
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 shutdown
 nameif management
 security-level 0
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.248
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name Company.com
object network inside-subnet
 subnet 10.10.10.0 255.255.255.0
object network LOCAL_LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-VPN-NET
 subnet 10.10.11.0 255.255.255.0
object network NONAT
access-list LAN standard permit 10.10.10.0 255.255.255.0
access-list split standard permit 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.10.0.0 255.255.0.0
no pager
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static REMOTE-VPN-NET REMOTE-VPN-NET destination static LOCAL_LAN LOCAL_LAN
!
object network inside-subnet
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 5.6.7.8 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 anyconnect-essentials
group-policy ag-group-policy internal
group-policy ag-group-policy attributes
 dns-server value 10.10.10.2
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 split-dns value Company.local
username myusername password mypassword encrypted
tunnel-group ag-remote type remote-access
tunnel-group ag-remote general-attributes
 address-pool ag-pool
 default-group-policy ag-group-policy
tunnel-group ag-remote ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
password encryption aes
 
: end

Company# login as: me
me@1.2.3.4's password:
Type help or '?' for a list of available commands.

Company>
Question by:cyberchrisrock
4 Comments
 
LVL 6

Accepted Solution

by:
Jordan Medlen earned 500 total points
ID: 39759155
Maybe a problem with your manual "NONAT" statement. Other than that, I'm not seeing it right now.

Try putting your nonat in the object-group...

object network REMOTE-VPN-NET
 nat (inside,outside) 1 source static LOCAL_LAN LOCAL_LAN destination static REMOTE-VPN-NET REMOTE-VPN-NET
!
no nat (inside,outside) source static REMOTE-VPN-NET REMOTE-VPN-NET destination static LOCAL_LAN LOCAL_LAN


0
 
LVL 12

Expert Comment

by:Henk van Achterberg
ID: 39760319
nat (inside,outside) source static REMOTE-VPN-NET REMOTE-VPN-NET destination static LOCAL_LAN LOCAL_LAN

Should the above line be the other way around?

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE-VPN-NET REMOTE-VPN-NET
0
 
LVL 6

Expert Comment

by:Jordan Medlen
ID: 39760549
That's what I thought as well, henkva. That's why I was having the config changed as stated above. Also changing it to be within the object-group instead of the manual nat statement.
0
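A small lint for the point raised in the two comments above, added here as an example and not code from the thread: it parses the network objects and the manual (twice) NAT exemption from a constructed excerpt of the posted config and checks whether LAN-to-VPN-pool traffic on the inside interface is covered, which it is not for the original line and is once the source and destination objects are swapped. The 10.10.11.0/24 network standing in for the ag-pool range is an assumption.

```python
import ipaddress
import re

# Constructed excerpt of the config in the question; FIXED swaps the two objects.
ORIGINAL_CONFIG = """\
object network LOCAL_LAN
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-VPN-NET
 subnet 10.10.11.0 255.255.255.0
nat (inside,outside) source static REMOTE-VPN-NET REMOTE-VPN-NET destination static LOCAL_LAN LOCAL_LAN
"""
FIXED_CONFIG = ORIGINAL_CONFIG.replace(
    "source static REMOTE-VPN-NET REMOTE-VPN-NET destination static LOCAL_LAN LOCAL_LAN",
    "source static LOCAL_LAN LOCAL_LAN destination static REMOTE-VPN-NET REMOTE-VPN-NET")

OBJECT_RE = re.compile(r"^object network (\S+)\n subnet (\S+) (\S+)", re.M)
NAT_RE = re.compile(r"^\s*nat \((\S+),(\S+)\)(?: \d+)? source static (\S+) (\S+)"
                    r" destination static (\S+) (\S+)", re.M)

def parse_objects(config):
    """Map each 'object network' name to its subnet."""
    return {name: ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for name, addr, mask in OBJECT_RE.findall(config)}

def identity_nat_rules(config):
    """Twice-NAT rules whose real and mapped objects are identical (NAT exemptions)."""
    return [(real_if, mapped_if, src, dst)
            for real_if, mapped_if, src, src_m, dst, dst_m in NAT_RE.findall(config)
            if src == src_m and dst == dst_m]

def vpn_exemption_ok(config, inside_if, lan, pool):
    """True if an exemption on the inside interface has the LAN as *source* and the
    VPN pool as *destination*; manual NAT is evaluated before the object NAT that
    would otherwise PAT LAN replies to the outside interface address."""
    objects = parse_objects(config)
    for real_if, _mapped_if, src, dst in identity_nat_rules(config):
        if real_if != inside_if or src not in objects or dst not in objects:
            continue
        if lan.subnet_of(objects[src]) and pool.subnet_of(objects[dst]):
            return True
    return False

LAN = ipaddress.ip_network("10.10.10.0/24")   # Vlan3 'inside' subnet from the config
POOL = ipaddress.ip_network("10.10.11.0/24")  # assumed: covers 'ip local pool ag-pool'

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: LAN->VPN exemption present = {vpn_exemption_ok(cfg, 'inside', LAN, POOL)}")
```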
 

Author Closing Comment

by:cyberchrisrock
ID: 39761205
This fixed the issue completely. Thanks very much, Jordan Medlen.
0
