Having some trouble with this RA VPN on ASA
millworx
Member Posts: 290
So I'm having a bit of trouble with this VPN remote access setup. I've got connectivity to the ASA, I can VPN to it and get the address. Split tunnel is working; I can get internet at the same time. But I cannot access any resources over the VPN. I can't ping, I can't telnet, I can't access any internal web resources.
This is my config, am I missing something?
ASA Version 8.2(1)
!
hostname ciscoasa
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.3 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.52 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
access-list 101 extended permit ip 192.168.100.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list split-tunnel standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.220.100-192.168.220.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.54 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp nat-traversal 30
telnet 192.168.100.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy ccvpn internal
group-policy ccvpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
username testaccount password xxxxxxxxxxx encrypted privilege 15
tunnel-group ccvpn type remote-access
tunnel-group ccvpn general-attributes
address-pool vpnpool
default-group-policy ccvpn
tunnel-group ccvpn ipsec-attributes
pre-shared-key *
!
!
**********************************
If I issue a show route this is what I get, so it is seeing the client. Some route issue maybe? I can't ping to and from either.
C 99.99.158.48 255.255.255.248 is directly connected, outside
S 192.168.220.100 255.255.255.255 [1/0] via xx.xx.xx.54, outside
C 192.168.100.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via xx.xx.xx.54, outside
Currently Reading:
CCIE: Network Security Principals and Practices
CCIE: Routing and Switching Exam Certification Guide
Comments
millworx Member Posts: 290
I think I know what the issue is. See, the network guy that works there, who originally set up the network, did not want me to remove the router from the network, which is assigned 192.168.100.1 and has an outside address of 99.99.158.51.
Instead, for the VPN access he wanted me to add the ASA to the network with internal address 192.168.100.3 and outside int of 99.99.158.52.
Now I'm pretty sure I got the config right, hell, I even used the config wizard to make sure I wasn't wrong, still couldn't get internal connectivity. I can get an IPSec connection up no problem.
So correct me if I'm wrong. But the RA client connects to the network and sends traffic, but since all the internal hosts have the gateway set to 192.168.100.1 they will never respond to the 192.168.100.3 (ASA) to reach the 192.168.220.0 network that is assigned to the RA clients?
Currently Reading:
CCIE: Network Security Principals and Practices
CCIE: Routing and Switching Exam Certification Guide
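Added example, not part of the original thread: a small Python model of the return path described in the comment above. It does a longest-prefix-match lookup on a host's routing table and then on the legacy router's table, so you can see why a reply from an internal host to a VPN client never reaches the ASA, and that adding a static route for the pool (on the router, or on each host) via the ASA inside address fixes it. The addresses are the thread's; the routing tables and the "upstream" next-hop label are constructed for the example.

```python
import ipaddress

# Addresses from the thread
VPN_POOL = ipaddress.ip_network("192.168.220.0/24")   # ip local pool vpnpool
INSIDE = ipaddress.ip_network("192.168.100.0/24")     # internal LAN
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ROUTER = "192.168.100.1"   # legacy router, default gateway of the internal hosts
ASA = "192.168.100.3"      # ASA inside interface, terminates the RA VPN
UPSTREAM = "upstream"      # constructed label for the router's own default route


def next_hop(table, dst):
    """Longest-prefix-match lookup.

    table: list of (network, next_hop) where next_hop is an address string or
    the marker "on-link" for a directly connected network.
    Returns the next hop, or None when nothing matches.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace_reply(host_table, router_table, client):
    """Follow a reply from an internal host toward a VPN client.

    Returns the list of hops the packet takes. The reply can only be
    encrypted back to the client if the final hop is the ASA; anything
    else means the packet is forwarded somewhere that has no tunnel.
    """
    hops = [next_hop(host_table, client)]
    if hops[-1] == ROUTER:
        # The host handed the packet to the legacy router; the router now
        # makes its own routing decision for the same destination.
        hops.append(next_hop(router_table, client))
    return hops


def reply_reaches_asa(host_table, router_table, client):
    return trace_reply(host_table, router_table, client)[-1] == ASA


# Constructed routing tables (labelled hypothetical)
HOST_TABLE = [(INSIDE, "on-link"), (DEFAULT, ROUTER)]          # typical PC
ROUTER_BROKEN = [(INSIDE, "on-link"), (DEFAULT, UPSTREAM)]     # knows nothing of the pool
ROUTER_FIXED = ROUTER_BROKEN + [(VPN_POOL, ASA)]               # static route added
HOST_FIXED = HOST_TABLE + [(VPN_POOL, ASA)]                    # alternative: per-host route

if __name__ == "__main__":
    client = "192.168.220.100"   # the address the show route output lists
    print("broken  :", trace_reply(HOST_TABLE, ROUTER_BROKEN, client))
    print("router  :", trace_reply(HOST_TABLE, ROUTER_FIXED, client))
    print("per-host:", trace_reply(HOST_FIXED, ROUTER_BROKEN, client))
```

Running it shows the broken case ending at the router's upstream link (the reply leaves through the old router's internet connection and is dropped, so pings from the client time out), while either a static route `192.168.220.0/24 via 192.168.100.3` on the router or the same route on the hosts ends at the ASA. Adding the route on the router is the usual remedy, since the hosts' gateway does not have to change; the ASA config in the thread needs no change for this.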
millworx Member Posts: 290
Yup, my suspicions were correct. I had everything set up just perfect. It was the routing issues that I thought. I guess their IT guy is an idiot, and thus why they hired a contractor like me.
Currently Reading:
CCIE: Network Security Principals and Practices
CCIE: Routing and Switching Exam Certification Guide