Unable to access internal networks over Remote acces VPN
Hi,
I have set up a Remote access VPN from Home to Cisco ASA 5512-X.
I am able to connect successfully and even getting a valid IP address from VPN pool 172.21.3.1-. However I am unable to access any of the internal resources.
Internal Network: 172.20.0.0 255.255.0.0
Please if someone can help identifying the issue.
Below is the running config:-
Result of the command: "sh run"
: Saved
ASA Version 9.1(1)
hostname ASA
domain-name M8fl.com
enable password Aoz9GlxLLvkWrTUy encrypted
passwd Gc1jA6zbgOsj63RW encrypted
names
ip local pool vpnclients 172.21.3.1-172.21.3.20 mask 255.255.0.0
ip local pool test 172.21.3.21-172.21.3.40 mask 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.20.254.250 255.255.0.0
interface GigabitEthernet0/2
description vodafone 100mb internet 195.11.180.40_29
speed 100
duplex full
nameif outside1
security-level 1
ip address 195.11.180.42 255.255.255.248
interface GigabitEthernet0/3
description Voice
nameif Voice
security-level 80
ip address 192.168.2.1 255.255.255.252
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside1
dns domain-lookup management
dns server-group DefaultDNS
name-server 10.0.0.4
name-server 172.20.0.100
domain-name M8fl.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VLAN1
subnet 172.20.0.0 255.255.0.0
object network NETWORK_OBJ_172.20.3.0_27
subnet 172.21.3.0 255.255.255.224
object network Voice_Net
subnet 172.21.20.0 255.255.255.0
object network PBX_Internal
host 192.168.2.2
description PBX Internal
object network Voice_External
host 195.11.180.43
description For PBX
object network Raith_Remote_Network
subnet 192.168.20.0 255.255.255.0
description Raith Remote Network
object network NETWORK_OBJ_172.21.3.0_27
subnet 172.21.3.0 255.255.255.224
object network NETWORK_OBJ_172.21.3.0_26
subnet 172.21.3.0 255.255.255.192
object-group network azure-networks
network-object 10.0.0.0 255.0.0.0
object-group network onprem-networks
network-object 172.20.0.0 255.255.0.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service test_PPTP
service-object ip
service-object tcp destination eq pptp
access-list azure-vpn-acl extended permit ip object-group onprem-networks object-group azure-networks
access-list outside_access_in extended permit ip object-group azure-networks object-group onprem-networks
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in_1 extended permit ip object-group onprem-networks object-group azure-networks
access-list inside_access_in_1 extended permit ip any object Voice_Net log debugging
access-list inside_access_in_1 extended permit ip any any
access-list outside_access_in_1 extended permit ip object-group azure-networks object-group onprem-networks
access-list outside_access_in_1 extended permit icmp any any
access-list outside_access_in_1 extended permit ip any any inactive
access-list Voice_access_in extended permit ip any any log debugging
access-list outside_cryptomap extended permit ip object-group onprem-networks object Raith_Remote_Network
pager lines 24
logging enable
logging buffer-size 40000
logging buffered notifications
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu outside1 1500
mtu Voice 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside1) source static onprem-networks onprem-networks destination static azure-networks azure-networks
nat (inside,outside1) source dynamic VLAN1 interface
nat (inside,Voice) source static VLAN1 VLAN1 destination static Voice_Net Voice_Net no-proxy-arp route-lookup
nat (Voice,outside1) source static PBX_Internal Voice_External
nat (inside,outside) source static onprem-networks onprem-networks destination static Raith_Remote_Network Raith_Remote_Network no-proxy-arp route-lookup
nat (inside,outside1) source static any any destination static NETWORK_OBJ_172.21.3.0_27 NETWORK_OBJ_172.21.3.0_27 no-proxy-arp route-lookup
nat (inside,outside1) source static any any destination static NETWORK_OBJ_172.21.3.0_26 NETWORK_OBJ_172.21.3.0_26 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
access-group outside_access_in_1 in interface outside1
access-group Voice_access_in in interface Voice
route outside1 0.0.0.0 0.0.0.0 195.11.180.41 10
route inside 172.21.20.0 255.255.255.0 172.20.20.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 444
http 192.168.1.0 255.255.255.0 management
http 172.20.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1350
sysopt noproxyarp outside
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ASA
crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 28800
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 enable outside1
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 172.20.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.20.0.0 255.255.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd address 172.20.2.1-172.20.2.254 inside
dhcpd dns 10.0.0.4 172.20.0.100 interface inside
dhcpd enable inside
dhcpd dns 172.21.20.254 interface Voice
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 172.20.2.34 /tftp
webvpn
enable outside1
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect enable
tunnel-group-list enable
internal-password enable
group-policy DefaultRAGroup_2 internal
group-policy DefaultRAGroup_2 attributes
dns-server value 10.0.0.4 172.20.0.100
vpn-tunnel-protocol l2tp-ipsec
default-domain value
group-policy DefaultRAGroup_3 internal
group-policy DefaultRAGroup_3 attributes
dns-server value 10.0.0.4 172.20.0.100
vpn-tunnel-protocol ikev1 l2tp-ipsec
default-domain value
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.0.0.4 172.20.0.100
vpn-tunnel-protocol l2tp-ipsec
default-domain value
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
dns-server value 10.0.0.4 172.20.0.100
vpn-tunnel-protocol l2tp-ipsec
default-domain value
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
group-policy RA_VPN internal
group-policy RA_VPN attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol ikev1
default-domain value
group-policy "GroupPolicy_Anyconnect _profile" internal
group-policy "GroupPolicy_Anyconnect _profile" attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client ssl-clientless
default-domain none
webvpn
file-browsing enable
group-policy GroupPolicy_89.241.208.14 internal
group-policy GroupPolicy_89.241.208.14 attributes
vpn-tunnel-protocol ikev1
username test2 password encrypted privilege 15
username test1 password nt-encrypted privilege 0
username test1 attributes
vpn-group-policy DefaultRAGroup_2
username test password encrypted privilege 15
username test attributes
vpn-group-policy DefaultRAGroup_1
username EdwardM password encrypted privilege 15
username vpntest password encrypted privilege 0
username vpntest attributes
vpn-group-policy RA_VPN
username vpntest3 password nt-encrypted privilege 15
username vpntest3 attributes
service-type remote-access
username rhunton password encrypted privilege 15
username rhunton attributes
service-type admin
username e.melaugh password encrypted privilege 15
username netx password encrypted privilege 15
username netx attributes
service-type remote-access
username colin password encrypted privilege 15
username colin attributes
service-type remote-access
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup general-attributes
address-pool vpnclients
default-group-policy DefaultRAGroup_3
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group "Anyconnect _profile" type remote-access
tunnel-group "Anyconnect _profile" general-attributes
address-pool vpnclients
default-group-policy "GroupPolicy_Anyconnect _profile"
tunnel-group "Anyconnect _profile" webvpn-attributes
group-alias "Anyconnect _profile" enable
tunnel-group 137.117.215.177 type ipsec-l2l
tunnel-group 137.117.215.177 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive disable
tunnel-group 89.241.208.14 type ipsec-l2l
tunnel-group 89.241.208.14 general-attributes
default-group-policy GroupPolicy_89.241.208.14
tunnel-group 89.241.208.14 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
policy-map type inspect ipsec-pass-thru Fairhurst
description to allow vpn to fairhurst network
parameters
esp
ah
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f4185106b309478da7804dc22d2c1a85
: end
Hi,
You seem to have this nat (inside,outside1) source dynamic VLAN1 interface at line 2 which is causing the identity Nat/ Nat exempt to fail.
It is always good to use the packet tracer feature on the ASA to see what exactly is happening.
Try this
nat (inside,outside1) 1 source static VLAN1 VLAN1 destination static NETWORK_OBJ_172.21.3.0_27 NETWORK_OBJ_172.21.3.0_27 no-pr route-lo
Let me know how it goes for you.
Regards,
Nitish Emmanuel
Similar Messages
-
VPN users unable to access internal network - ASA 8.3.1
Hello,
I have a base config of AnyConnect VPN below, however the ASA 8.3.1 code has deprecated some commands and the VPN/NAT/FW rule syntax is quite different. Can someone point out what's missing from the pertinent config below that prevents the VPN Pool from accessing the internal LAN?
The Core LAN router is 1.2.3.1.
ASA Version 8.3(1)
interface Ethernet0/0
nameif inside
security-level 100
ip address 1.2.3.2 255.255.255.0
ip local pool anyconnect-vpn-pool 1.2.9.10-1.2.9.20 mask 255.255.255.0
object network DataVLAN
subnet 1.2.3.0 255.255.255.0
object-group network Internal-Data
network-object object DataVLAN
nat (any,any) after-auto source dynamic Internal-Data Outside_INT
route inside 1.2.0.0 255.255.0.0 1.2.3.1 1
dynamic-access-policy-record DfltAccessPolicy
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
address-pools value anyconnect-vpn-pool
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
address-pools value anyconnect-vpn-pool
group-policy vpn-anyconnecct-policy internal
group-policy vpn-anyconnecct-policy attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list none
svc ask enable
tunnel-group vpn-users type remote-access
tunnel-group vpn-users general-attributes
address-pool anyconnect-vpn-pool
default-group-policy vpn-anyconnecct-policy
tunnel-group anyconnect2 type remote-access
tunnel-group anyconnect2 general-attributes
address-pool anyconnect-vpn-pool
TIA.
MikeHi Rohan,
Are you saying to replace "nat (any,any)" with "nat (inside,outside)"? I was wondering about this because I'd always done "nat (inside,outside)" but a colleague had performed the initial configuration which already contained "nat (any,any)" statement and I was not sure if this was just something new in 8.3.1. I also noticed the "global" command is no longer available.
I will give this a try. Thanks.
-Mike -
Ok, I've had this problem for quite a while now
There's this 1 site that I cannot access on my computer it says "Unable to access the network Google Chrome is having trouble accessing the network." However I can access the site on my laptop, I don't see how I can fix the problem!?Bradley750 wrote:
Ok, I've had this problem for quite a while now
There's this 1 site that I cannot access on my computer it says "Unable to access the network Google Chrome is having trouble accessing the network." However I can access the site on my laptop, I don't see how I can fix the problem!?
Hi. Welcome to the forums.
Can you give a little more information, mainly the site you're havging problems with.
Have you tried a different browser ? What OS ?
There are a wide variety of reasons, security products interferring, hosts file problems, browser issues etc.
http://www.andyweb.co.uk/shortcuts
http://www.andyweb.co.uk/pictures -
Unable to access Verizon network!
Unable to access Verizon network! Got pop up window that "you've reached your mobile data usage limit. Mobile data turned off. " I have option to click re-enable button but doing so may result in additional charges. I've check settings, my mobile data box is checked. When I try to open a web page it tells me I'm off line with message "Wi-Fi and mobile data are turned off. The page can be loaded once you connect to a network. Error code: ERR_INTERNET_DISCONNECTED" My wi-fi DOES work, it's the Verizon network that I cannot access. Someone PLEASE HELP.
Check the graph in your Data Usage section; it sounds like you've enabled the Alert About Data Usage feature, have reached that limit, and the phone is now restricting your data usage accordingly. For more info., see:
How do I monitor online data usage on my Samsung Galaxy S5? | Support | SAMSUNG UK -
Unable to access shared files over network after period of time.
First off, I don't think that this issue is related to our router, but I have been searching for a fix and can not find one. We have a WRT54GS. Now, on to our issue:
At my work, we have a small network with computers sharing files between the others. I have attached a network diagram to help explain this better.
Our Win7 machine is our main computer that shares an external hard drive with much information that the other computers need to access. What we have noticed is either after a sleep, or even a period of time of say, 2 hours, those files are no longer able to be accessed. The Win7 machine is still sharing them, but the WinXP machines are unable to access them anymore and my Mac can see the computer is unable to connect to the folders. I have gone and attempted to get some help over at Microsofts site but that was a fail. Here is the link to the forum post there. http://social.answers.microsoft.com/Forums/en-US/w7network/thread/f0a2e8d6-f75a-41d7-a280-c6f3adbffa...
A member there gave me this:
The Network connection is probably not resuming after sleep.
First try this, http://www.ezlan.net/Win7/power_save_win7.jpg
It is in the Network Connection Properties under the Network card configuration.
If it already checked this way, or does not work after checking, the Network card has to be taken out of the computer's Power Saving loop, and stay on all the time.
Otherwise, Updating the Card with the latest OEM drivers (downloaded from the computer's support site) might help too.
On a rare occasions, some cards might be "Quirky" in this regards and need to be replaced.
--I would like to add that this DOESN'T ONLY happen after sleep, it also happens after a time of being used.
I attempted those and no luck. This problem is still occurring and the only way we can fix it is by restarting the Win7 machine. But even if it is being used, we have no idea when those files are unable to be accessed.
*I will add that the Win7 machine is still able to access the other computers when this problem occurs if that helps.
**The Win7 machine is a Dell T3500 running Windows 7 64bit. I can provide specific hardware if needed. The drivers are all up to date as of yesterday.
***So upon looking in the Windows XP machine, both of the folders from the Win7 machine disappear once this problem occurs in the My Network Places folder. And one folder is on the internal drive, one is on external. The computers are in this situation now where I am unable to access them. The Win7 machine can read and write from the other computers, but the other computers can even see the Win7 Machine.
****All the connections are wired and are not using the wireless.
Thanks for any help that anyone may have for me!
Steve
Network Map > http://scubasblog.com/network.jpg
Dell Support Forum with same issue I posted >> http://en.community.dell.com/support-forums/network-internet-wireless/f/3324/p/19337620/19716797.asp...It sounds like there is incompatibility issue with XP and Win7. To isolate this, do you have another Win7 machine? Try to add it to the network and check if the shared drives are accessible after sleep. If you don't have another computer, try virtual machine and create a Win7 system.
Update your LAN card driver from the manufacturer's site. Don't use the driver from windows update.
Lastly, does this happen to your XP machines? Like, one of the XP machine sharing a folder and falls asleep. When it wakes up, does Win7 machine can still access the shared folder? -
Unable to access the Internet over 3G Network, Wi-Fi fine.
Hi there,
I'm unable to access the internet on the iPhone 3G over the 3G network. Wi-Fi is fine, no problems there, but every time I try to bring up a website in Safari over 3G I get the message "Safari can't open the page because it is not connected to the Internet".
I have Enable 3G 'ON' under Settings > General > Network, and I have full strength on the signal meter in the top left of the Home screen. I'm in a city (Melbourne, Australia) on the Optus network, so the network itself shouldn't be the issue.
I've tried resetting the Network Settings under Settings > Reset > Reset Network Settings, but it didn't change anything. Any other ideas?
Cheers.Well, there you go, fixed! Called Optus Customer Service and they were actually helpful! Apparently there were "some components in their back-end that needed to be installed manually." The man wasn't sure why they weren't there, "glitches, blah, blah..." but at least they're there now and I have 3G access.
-
Vpn client can access internet but cannot access internal network
I am using PIX 501 to setup a VPN. At first the VPN client cannot access the internet once they logged in via the Cisco system vpn client, so i enable split tunneling. Now the VPN client can access the internet but they can't access the internal network.Due to the limited characters can be posted here, only necessary IOS coding is posted on the next message. Who knows how to solve this problem? Pls Help.....
enable password ********** encrypted
passwd ********** encrypted
hostname Firewall
domain-name aqswdefrgt.com.sg
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nat permit tcp any host 65.165.123.142 eq smtp
access-list nat permit tcp any host 65.165.123.142 eq pop3
access-list nat permit tcp any host 65.165.123.143 eq smtp
access-list nat permit tcp any host 65.165.123.143 eq pop3
access-list nat permit tcp any host 65.165.123.143 eq www
access-list nat permit tcp any host 65.165.123.152 eq smtp
access-list nat permit tcp any host 65.165.123.152 eq pop3
access-list nat permit tcp any host 65.165.123.152 eq www
access-list nat permit tcp any host 65.165.123.143 eq https
access-list nat permit icmp any any
ip address outside 65.165.123.4 255.255.255.240
ip address inside 192.168.1.2 255.255.255.0
ip verify reverse-path interface outside
ip local pool clientpool 192.168.50.1-192.168.50.50
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255
.255 0 0
static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.
255.255 0 0
static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.
255.255 0 0
static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.25
5.255 0 0
static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255
.255.255 0 0
access-group nat in interface outside
route outside 0.0.0.0 0.0.0.0 65.165.123.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server plexus protocol radius
aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map client authentication plexus
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup vpn3000 address-pool clientpool
vpngroup vpn3000 dns-server 192.168.1.55
vpngroup vpn3000 wins-server 192.168.1.55
vpngroup vpn3000 default-domain aqswdefrgt.com.sg
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80 -
Cisco ASA 5505 L2TP VPN cannot access internal network
Hi,
I'm trying to configure Cisco L2TP VPN to my office. After successful connection I cannot access to internal network.
Can you jhelp me to find out the issue?
I have Cisco ASA:
inside network - 192.168.1.0
VPN network - 192.168.168.0
I have router 192.168.1.2 and I cannot ping or get access to this router.
Here is my config:
ASA Version 8.4(3)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 198.X.X.A 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network net-all
subnet 0.0.0.0 0.0.0.0
object network vpn_local
subnet 192.168.168.0 255.255.255.0
object network inside_nw
subnet 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool sales_addresses 192.168.168.1-192.168.168.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic net-all interface
nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
object network vpn_local
nat (outside,outside) dynamic interface
object network inside_nw
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd dns 75.75.75.75 76.76.76.76 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy sales_policy internal
group-policy sales_policy attributes
dns-server value 75.75.75.75 76.76.76.76
vpn-tunnel-protocol l2tp-ipsec
username ----------
username ----------
tunnel-group DefaultRAGroup general-attributes
address-pool sales_addresses
default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
: end
Thanks for your help.You have to test it with "real" traffic to 192.168.1.2 and if you use ping, you have to add icmp-inspection:
policy-map global_policy
class inspection_default
inspect icmp
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni -
Can't access internal network from VPN using PIX 506E
Hello,
I seem to be having an issue with my PIX configuration. I can ping the VPN client from the the internal network, but can cannot access any resources from the vpn client. My running configuration is as follows:
Building configuration...
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password N/JZnmeC2l5j3YTN encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SwantonFw2
domain-name *****.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list outside_access_in permit icmp any any
access-list allow_ping permit icmp any any echo-reply
access-list allow_ping permit icmp any any unreachable
access-list allow_ping permit icmp any any time-exceeded
access-list INSIDE-IN permit tcp interface inside interface outside
access-list INSIDE-IN permit udp any any eq domain
access-list INSIDE-IN permit tcp any any eq www
access-list INSIDE-IN permit tcp any any eq ftp
access-list INSIDE-IN permit icmp any any echo
access-list INSIDE-IN permit tcp any any eq https
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
access-list swanton_splitTunnelAcl permit ip any any
access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
no pager
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.150 255.255.255.0
ip address inside 192.168.0.35 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN_Pool 192.168.240.1-192.168.240.254
pdm location 0.0.0.0 255.255.255.0 outside
pdm location 192.168.1.26 255.255.255.255 outside
pdm location 192.168.240.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
access-group outside_access_in in interface outside
access-group INSIDE-IN in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup swanton address-pool VPN_Pool
vpngroup swanton dns-server 192.168.1.1
vpngroup swanton split-tunnel swanton_splitTunnelAcl
vpngroup swanton idle-time 1800
vpngroup swanton password ********
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.0.36-192.168.0.254 inside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username scott password hwDnqhIenLiwIr9B encrypted privilege 15
username norm password ET3skotcnISwb3MV encrypted privilege 2
username tarmbrecht password Zre8euXN6HxXaSdE encrypted privilege 2
username jlillevik password 9JMTvNZm3dLhQM/W encrypted privilege 2
username ruralogic password 49ikl05C8VE6k1jG encrypted privilege 15
username bzeiter password 1XjpdpkwnSENzfQ0 encrypted privilege 2
username mwalla password l5frk9obrNMGOiOD encrypted privilege 2
username heavyfab1 password 6.yy0ys7BifWsa9k encrypted privilege 2
username heavyfab3 password 6.yy0ys7BifWsa9k encrypted privilege 2
username heavyfab2 password 6.yy0ys7BifWsa9k encrypted privilege 2
username djet password wj13fSF4BPQzUzB8 encrypted privilege 2
username cmorgan password y/NeUfNKehh/Vzj6 encrypted privilege 2
username cmayfield password Pe/felGx7VQ3I7ls encrypted privilege 2
username jeffg password zQEQceRITRrO4wJa encrypted privilege 2
terminal width 80
Cryptochecksum:9005f35a85fa5fe31dab579bbb1428c8
: end
[OK]
Any help will be greatly appreciatedBj,
Are you trying to access network resources behind the inside interface?
ip address inside 192.168.0.35 255.255.255.0
If so, please make the following changes:
1- access-list SWANTON_VPN_SPLIT permit ip 192.168.0.0 255.255.255.0 192.168.240.0 255.255.255.0
2- no vpngroup swanton split-tunnel swanton_splitTunnelAcl
vpngroup swanton split-tunnel SWANTON_VPN_SPLIT
3- no access-list outside_cryptomap_dyn_20 permit ip any 192.168.240.0 255.255.255.0
4- isakmp nat-traversal 30
Let me know how it goes.
Portu.
Please rate any helpful posts -
Unable to access mapped network drive, DFS
TL;DR: Unable to map a network drive on one particular computer, except if circumventing DFS.
OK - So I have exhausted all my options in this matter, so all suggestions are welcome.
Keep in mind the file system is DFS.
1. User has been set up the same as our other users in Active Directory.
2. Most network drives are connected via GPO. They are mapped via\\company.local\common\
3. The users' home folder is connected via setting in AD -> Profile -> Home folder ->
Connect X: To \\company.local\homedir\username
4. When the user logs on, all network drives defined in GPO are mapped OK, but the X: which is defined via "Home folder" in AD, is not connected. When trying to map it manually, we get "Access denied".
5. If the user tries the complete path via Explorer: \\company.local\homedir\username - Error 0x80004005 Unspecified error occurs. We have googled this particular code but found nothing that applies to us.
6. If the user tries the complete path to the folder on the actual file server, circumventing DFS, the home folder is mapped OK.
Strange thing is: This only happens on this particular computer. If users logs on to another computer, in the same domain, receiving the same GPO etc. The X: is mapped fine via \\company.local\homedir\username
Also if another user logs on to the problematic computer they also cannot access their X: on \\company.local\homedir\username
So we tried updating the WLAN/LAN drivers to no avail. Might there be any settings on the network adapters that might cause this?
KthxbaiIf other computer has the same policy ("Send NTLMv2 response only. Refuse LM"), it should not be the cause.
I agree that all clients should have the same Group Policy but sometimes the group policy may not be applied correctly on a client which causes issues. Thus you can try a "gpupdate /force" and see if issue persists.
Also you can test to access \\company.local to see if it will success. Try \\rootserver as well if it is different as DFS folder target.
As the issue only occurs on a specific client, maybe we can have a try with re-join domain.
If you have any feedback on our support, please send to [email protected] -
Cannot access internal network after Tiger upgrade
I've just upgraded an eMac (1.25GHz, 768MB) from 10.3.9 to 10.4.6. Although I can get online, access Mail and all applications, I cannot access the internal network at all.
I've updated to 10.4.9, but still no luck. I've restarted, logged in as a different user, logged out and in again, removed the 'com.apple.networkconfig.plist' file from the 'Library/Preferences' folder, but still doesn't work.
I can see all the aliases to the other machines on the network in the sidebar, but clicking on them brings up a message "The alias xxxx could not be opened, because the original alias could not be found.".
Other machines can see this on on the network. File Sharing is turned on.
Any thoughts, I'm tearing my hair out a bit!
Powerbook G4 Mac OS X (10.4.8)no good, is an afpmounter error, i solved it with an
Archive and Install
http://docs.info.apple.com/article.html?artnum=107120-en
maybe someone have a solution..
i think is an error during the update (i had the same from panther to tiger)
with A&I and half-hour, your machine work perfectly. -
Unable to access LAN behind RV042 from QUICK VPN Client once it connects
Hi,
Very recently, we had implemented Site-to-Site VPN tunnel between two Linksys RV042 4-port VPN routers. Everybody in our remote site is accessing and sharing the data through this tunnel and it is working fine.
Now, we have a plan to implement the same for our mobile clients also. For this, we had followed all the basic configuration procedures and user got connected to Quick VPN tunnel. Here is a problem we had observed. The mobile client user is connected to the tunnel, but unable to access the office LAN from the PC.
What's the problem in configuration? What i have to do?
Thanks
VC GundapaneniHi There.
have a look over here.
http://www.linksysinfo.org/index.php?threads/netbios-issues-with-vpn.16170/ -
Routing and Remote access - internal network not accessing internet through public network!
Hello,
Good Evening to all.
I got an issue in routing and remote access on windows 2003 server. This server is already configured as File server, domain server and Application server. Also configured as router (through routing & remote access) for connecting three different
network to each other. So This server has three NIC card installed and each NIC card represent separate network.
three different network are - 192.42.160.0/24 , 192.42.161.0/24, 192.42.162.0/24
Three NIC card installed on server as with following IP address -
NIC -1 = 192.42.160.220 , Sub- 255.255.255.0 , Gateway - NO
NIC -2 = 192.42.161.220 , Sub- 255.255.255.0 , Gateway - 192.161.220.112 (This ip for internet access so 4g router IP)
NIC -3 = 192.42.162.220, , Sub- 255.255.255.0 , Gateway - NO
Now the issue is I can reach to internet & (also pinging to router ip 192.42.161.112) from only one network that is - 192.42.161.0/24 , BUT when I trying to access internet from another two network (192.42.160.0/24 & 192.42.162.0/24) I cant access
it and moreover can't ping to internet router ip - 192.42.161.112...
So how I can access to internet from other two network also?
I was already configured static routing for all three network but still I was not success. really I don't know what exactly static routing it should be done in routing & remote access so that all three network can reach to internet?
Sorry if I am not able to explain properly. Please let me know if you need more explain on this...
Thanks to all.Dear Milos,
I am happy to hear from you....
1.- Actually the setup was done long before by another guy and right now I don't want to change it.
Nice to hear from you! Thank you so much. Actually this is first time I am using technet forum upon the suggestion from one of the my friend. So any your help from you will help me a great in this issue...
I ran the route print command and given follow are the results.
I have only added the default route as per the below routes. Please guide me know how to add other static routes for three network.
D:\Documents and Settings\Administrator>route print
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 30 05 ad 8f 5c ...... Broadcom NetXtreme Gigabit Ethernet - Teefer2 Mi
niport
0x3 ...00 0e 0c a7 c4 f8 ...... Intel(R) PRO/1000 GT Desktop Adapter - Teefer2 M
iniport
0x4 ...00 0e 0c a7 c5 85 ...... Intel(R) PRO/1000 GT Desktop Adapter #2 - Teefer
2 Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.42.161.112 192.42.161.220 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.42.160.0 255.255.255.0 192.42.160.220 192.42.160.220 20
192.42.160.220 255.255.255.255 127.0.0.1 127.0.0.1 20
192.42.160.255 255.255.255.255 192.42.160.220 192.42.160.220 20
192.42.161.0 255.255.255.0 192.42.161.220 192.42.161.220 20
192.42.161.220 255.255.255.255 127.0.0.1 127.0.0.1 20
192.42.161.255 255.255.255.255 192.42.161.220 192.42.161.220 20
192.42.162.0 255.255.255.0 192.42.162.220 192.42.162.220 20
192.42.162.220 255.255.255.255 127.0.0.1 127.0.0.1 20
192.42.162.255 255.255.255.255 192.42.162.220 192.42.162.220 20
224.0.0.0 240.0.0.0 192.42.160.220 192.42.160.220 20
224.0.0.0 240.0.0.0 192.42.161.220 192.42.161.220 20
224.0.0.0 240.0.0.0 192.42.162.220 192.42.162.220 20
255.255.255.255 255.255.255.255 192.42.160.220 192.42.160.220 1
255.255.255.255 255.255.255.255 192.42.161.220 192.42.161.220 1
255.255.255.255 255.255.255.255 192.42.162.220 192.42.162.220 1
Default Gateway: 192.42.161.112
===========================================================================
Persistent Routes:
None
Regards & Thanks
Mahesh -
Unable to access Internal HTTPS through VPN conn
Anytime I have internal websites with HTTPS connections that do not have valid certificates, our VPN users are unable to make a connection. The wireshark trace shows acknowlegement number = broken TCP. I have run Packet Tracer and it shows a problem on my DMZ???? not sure why as the traffic flow is inside to inside interface. I am at a total lost as to why...
+++++++++++++++++++++++++++++++
ASA 5520 with 8.4(1) code
VPN Addressing = 172.25.17.0/24
HTTP Server = 172.18.2.13 (port 8443)
Can ping by IP Address or by server name
Can access site internally after responding to the Certificate Warning
++++++++++++++++++++++++++++
Any help is greatly appreciated!
DaveHi,
The NAT configuration mentioned in your screencapture is the configuration that causes all traffic from the VPN users to be diverted to the "HomeOffice" interface because "any any" is configured
You would either have to make the above rule more specific by removing the "any any" and adding the actual networks
OR
You could add a new rule BEFORE the above mentioned NAT configurations
I am not sure what the real local interface "nameif" is (the one where the server IP is actually located) but you would need this kind of configurations
object network SERVER
host 172.18.2.13
object network VPN-POOL
subnet 172.25.17.0 255.255.255.0
nat (serverint,outside2) 1 source static SERVER SERVER destination static VPN-POOL VPN-POOL
The above rule should match the traffic from the VPN-POOL to the SERVER. The number "1" seen in the CLI format configurations means that it would be added to the top of the rules. The "serverint" is meant to mean the actual name of the interface where the server is located as I presume that its not located behind the "HomeOffice"
- Jouni -
VPN Connects but unable to access internal devices
Thank you in advance for any assistance that can be provided.
I am using AnyConnect to create a VPN with an ASA 5505. Once connected, the client needs to access a device behind a 1941 router.
Internally, (not using VPN), all my routing is working correctly. My VPN client can connect and when I put a route on my 1941 router, I am able to ping that particular device. But my VPN client cannot appear to ping anything else, either the devices on the same internal range as the ASA 5505 or anything past the 1941.
VPN Client ASA 5505 Workstation 1941 Router Far Device
192.168.201.20 -----> Outside IP x.x.x.x // Internal 192.168.101.1 192.168.101.56 192.168.101.2 // 192.168.8.1 192.168.8.150
Client connects and get IP from ASA
Cannot ping this Cannot ping this
Can ping internal IP of 1941
*(after creating a static route)
I have been playing around with my configuration extensively to try and make this work. Split-tunneling is enabled and is required.
Here is my current config:
hostnameMYHOST
enable password mUUvr2NINofYuSh2 encrypted
passwd UNDrnIuGV0tAPtz2 encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.0.0
interface Vlan7
no forward interface Vlan1
nameif DMZ
security-level 20
ip address 137.57.183.1 255.255.255.0
ftp mode passive
clock timezone MST -7
dns domain-lookup outside
object-group network obj_any_dmz
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 any
access-list nonat extended permit ip 192.168.201.0 255.255.255.0 any
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
ip local pool Internal_Range 192.168.101.125-192.168.101.130 mask 255.255.255.0
ip local pool vpn_pool 192.168.201.20-192.168.201.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 10 137.57.183.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 192.168.8.0 255.255.255.0 192.168.101.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 64000
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=MYHOST
keypair ClientX_cert
crl configure
crypto ca certificate chain ASDM_TrustPoint1
certificate 0f817951
308201e7 30820150 a0030201 0202040f 81795130 0d06092a 864886f7 0d010105
05003038 31173015 06035504 03130e41 494d452d 56504e2d 42415455 53311d30
1b06092a 864886f7 0d010902 160e4149 4d452d56 504e2d42 41545553 301e170d
31333036 32373137 32393335 5a170d32 33303632 35313732 3933355a 30383117
30150603 55040313 0e41494d 452d5650 4e2d4241 54555331 1d301b06 092a8648
86f70d01 0902160e 41494d45 2d56504e 2d424154 55533081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 818100c9 ff840bf4 cfb8d394 2c940430
1887f25a 49038aa0 1299cf10 bda2a436 227dcdbf f1c5566b c35c2f19 8b3514d3
4e24f5b1 c8840e8c 60e2b39d bdc0082f 08cce525 97ffefba d42bb087 81b9adb9
db0a8b2f b643e651 d17cd6f8 f67297f2 d785ef46 c3acbb39 615e1ef1 23db072c
783fe112 acd6dc80 dc38e94b 6e56fe94 d59d5d02 03010001 300d0609 2a864886
f70d0101 05050003 8181007e 29e90ea0 e337976e 9006bc02 402fd58a a1d30fe8
b2c1ab49 a1828ee0 488d1d2f 1dc5d150 3ed85f09 54f099b2 064cd622 dc3d3821
fca46c69 62231fd2 6e396cd1 7ef586f9 f41205af c2199174 3c5ee887 42b684c9
7f4d2045 4742adb5 d70c3805 4ad13191 8d802bbc b2bcd8c7 8eec111b 761d89f3
63ebd49d 30dd06f4 e0fa25
quit
crypto isakmp enable outside
crypto isakmp policy 40
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 DMZ
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint1 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc enable
group-policy ClientX_access internal
group-policy ClientX_access attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunneling
default-domain value access.local
address-pools value vpn_pool
ipv6-address-pools none
webvpn
svc mtu 1406
svc rekey time none
svc rekey method ssl
username ClientX password ykAxQ227nzontdIh encrypted privilege 15
username ClientX attributes
vpn-group-policy ClientX_access
service-type admin
tunnel-group ClientX type remote-access
tunnel-group ClientX general-attributes
address-pool Internal_Range
default-group-policy ClientX_access
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy ClientX_access
tunnel-group ClientX_access type remote-access
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:da38065247f7334a5408b7ada3af29ae
: endok, lets go on ... ;-)
Split-Tunneling: The ACL must include all networks you want to reach through the VPN:
access-list split-tunneling standard permit 192.168.101.0 255.255.255.0
access-list split-tunneling standard permit 192.168.8.0 255.255.255.0
NAT: Don't use "any" in the nat-exemption, but specify all traffic that should not be natted:
access-list nonat extended permit ip 192.168.101.0 255.255.255.0 192.168.201.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.201.0 255.255.255.0
Routing: The 1941 needs a route for the vpn-pool pointing to the ASA (just in case there is no default route to the ASA)
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
Maybe you are looking for
-
Dear experts. After executing cooispi t-code and selecting "CONFIRMATION" from Drop down list and entering Material or Order Number.. The report does not show me the Material number and Material description for the following order.. both the fields a
-
Transfer money from one account to another one
Hi all I am using EBS 11i, and i have the following modules: General Ledger, Account Payables and Cash Management. I have different bank accounts in the system and now we want to transfer money from one bank account to another one. How should i do th
-
Hi, i installed Mandrake Linux and clicked for it to install MySQL when installed. how do i enter records and create a mysql database? what do i click on to start it? do i use telnet or shell, what do i type in? how do i call a mysql data base from a
-
I have all my videos on an external hd, and i used to stream everything (movies would be in shared movies, not my movies), but I synced my atv and it's been a nightmare, movies don't always appear on the list, they stop to buffer, or just stop comple
-
Flashing "Running Security Scan..."
On Windows 7, 64-bit, MS Office 2010; when I try to launch an online software that integrates a fillable-form into my Adobe Acrobat 9 Standard, at the bottom of my IE9 screen, flashing nearly 2 times per second, I see messages that say: "Running Sec