Velocity Reviews - Computer Hardware Reviews

VPN into ASA 5510 unable to access internet and other network

 
 
HRileyBSG@gmail.com
 
      09-14-2006
All,

We have two locations (office and hosting), each with a 5510, connected
via VPN connection. There are no issues accessing the hosting
environment or the internet from within the office. However, when users
VPN into the office using the Cisco client, they can not access
internet hosts and anything in the hosting environment. Accessing
systems in the office network is not an issue.

I've attached most of the running-config (obviously unimportant parts
stripped out) below. Any help would be greatly appreciated.

Hugh


names
name 192.168.242.1 INT-primary
name 1.2.3.34 EXT-34
name 1.2.3.35 EXT-35
name 1.2.3.36 EXT-36
name 1.2.3.49 EXT-49
name 1.2.3.50 EXT-50
name 1.2.3.51 EXT-51
name 1.2.3.52 EXT-52
name 4.5.6.250 Hosting-250
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address EXT-36 255.255.255.240
!
interface Ethernet0/1
duplex full
nameif inside
security-level 100
ip address INT-primary 255.255.255.0
!
interface Ethernet0/2
nameif phone
security-level 75
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
nameif dmz
security-level 25
ip address 10.20.30.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
object-group network Hosting-45
network-object 192.168.245.0 255.255.255.0
object-group network Office-42
description Internal office IPs
network-object 192.168.242.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_20_cryptomap extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.242.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.242.248 255.255.255.248
access-list outside_cryptomap_3 extended permit ip any 192.168.242.240 255.255.255.240
access-list outside_cryptomap extended permit ip any 192.168.242.248 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu phone 1500
mtu dmz 1500
mtu management 1500
ip local pool Employees 192.168.242.250-192.168.242.252 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface phone
ip verify reverse-path interface dmz
no failover
monitor-interface outside
monitor-interface inside
monitor-interface phone
monitor-interface dmz
monitor-interface management
arp timeout 14400
nat-control
global (outside) 10 EXT-49 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.242.0 255.255.255.0
nat (phone) 10 10.10.10.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server AD protocol radius
aaa-server NT protocol nt
aaa-server NT host INT-AD
nt-auth-domain-controller AD
group-policy OffVPN internal
group-policy OffVPN attributes
wins-server value 192.168.242.2
dns-server value 192.168.242.2 192.168.242.27
vpn-tunnel-protocol IPSec
default-domain value domain.local
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer Hosting-250
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
tunnel-group OffVPN type ipsec-ra
tunnel-group OffVPN general-attributes
address-pool Employees
authentication-server-group NT
default-group-policy OffVPN
tunnel-group OffVPN ipsec-attributes
pre-shared-key *
tunnel-group 4.5.6.250 type ipsec-l2l
tunnel-group 4.5.6.250 ipsec-attributes
pre-shared-key *
console timeout 0
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!

 
zarmice@gmail.com
 
      09-15-2006
I'm more proficient with ASDM but just a guess: Are there routes set
up for the users connecting via office VPN to the hosting ips? Do all
the intermediate network devices have a route to get to the natted
addresses of the office vpn users (the ip local employees pool)? Could
there be a firewall or access list on one of the intermediate devices
that block access from the 192.168.242.250-192.168.242.252 ip range?


HTH,
Z

(E-Mail Removed) wrote:
> All,
>
> We have two locations (office and hosting), each with a 5510, connected
> via VPN connection. There are no issues accessing the hosting
> environment or the internet from within the office. However, when users
> VPN into the office using the Cisco client, they can not access
> internet hosts and anything in the hosting environment. Accessing
> systems in the office network is not an issue.
>
> I've attached most of the running-config (obviously unimportant parts
> stripped out) below. Any help would be greatly appreciated.
>
> Hugh
>
>
> names
> name 192.168.242.1 INT-primary
> name 1.2.3.34 EXT-34
> name 1.2.3.35 EXT-35
> name 1.2.3.36 EXT-36
> name 1.2.3.49 EXT-49
> name 1.2.3.50 EXT-50
> name 1.2.3.51 EXT-51
> name 1.2.3.52 EXT-52
> name 4.5.6.250 Hosting-250
> dns-guard
> !
> interface Ethernet0/0
> nameif outside
> security-level 0
> ip address EXT-36 255.255.255.240
> !
> interface Ethernet0/1
> duplex full
> nameif inside
> security-level 100
> ip address INT-primary 255.255.255.0
> !
> interface Ethernet0/2
> nameif phone
> security-level 75
> ip address 10.10.10.1 255.255.255.0
> !
> interface Ethernet0/3
> nameif dmz
> security-level 25
> ip address 10.20.30.1 255.255.255.0
> !
> interface Management0/0
> nameif management
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> management-only
> !
> object-group network Hosting-45
> network-object 192.168.245.0 255.255.255.0
> object-group network Office-42
> description Internal office IPs
> network-object 192.168.242.0 255.255.255.0
> access-list outside_access_in extended permit icmp any any echo-reply
> access-list outside_access_in extended permit icmp any any time-exceeded
> access-list outside_20_cryptomap extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
> access-list inside_nat0_outbound extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
> access-list inside_nat0_outbound extended permit ip any 192.168.242.240 255.255.255.240
> access-list inside_nat0_outbound extended permit ip any 192.168.242.248 255.255.255.248
> access-list outside_cryptomap_3 extended permit ip any 192.168.242.240 255.255.255.240
> access-list outside_cryptomap extended permit ip any 192.168.242.248 255.255.255.248
> pager lines 24
> logging enable
> logging asdm informational
> mtu outside 1500
> mtu inside 1500
> mtu phone 1500
> mtu dmz 1500
> mtu management 1500
> ip local pool Employees 192.168.242.250-192.168.242.252 mask 255.255.255.0
> ip verify reverse-path interface outside
> ip verify reverse-path interface inside
> ip verify reverse-path interface phone
> ip verify reverse-path interface dmz
> no failover
> monitor-interface outside
> monitor-interface inside
> monitor-interface phone
> monitor-interface dmz
> monitor-interface management
> arp timeout 14400
> nat-control
> global (outside) 10 EXT-49 netmask 255.255.255.240
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 10 192.168.242.0 255.255.255.0
> nat (phone) 10 10.10.10.0 255.255.255.0
> access-group outside_access_in in interface outside
> route outside 0.0.0.0 0.0.0.0 1.2.3.33 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server AD protocol radius
> aaa-server NT protocol nt
> aaa-server NT host INT-AD
> nt-auth-domain-controller AD
> group-policy OffVPN internal
> group-policy OffVPN attributes
> wins-server value 192.168.242.2
> dns-server value 192.168.242.2 192.168.242.27
> vpn-tunnel-protocol IPSec
> default-domain value domain.local
> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
> crypto map outside_map 20 match address outside_20_cryptomap
> crypto map outside_map 20 set peer Hosting-250
> crypto map outside_map 20 set transform-set ESP-3DES-SHA
> crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp policy 30
> authentication pre-share
> encryption aes
> hash sha
> group 5
> lifetime 86400
> tunnel-group OffVPN type ipsec-ra
> tunnel-group OffVPN general-attributes
> address-pool Employees
> authentication-server-group NT
> default-group-policy OffVPN
> tunnel-group OffVPN ipsec-attributes
> pre-shared-key *
> tunnel-group 4.5.6.250 type ipsec-l2l
> tunnel-group 4.5.6.250 ipsec-attributes
> pre-shared-key *
> console timeout 0
> !
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map type inspect dns migrated_dns_map_1
> parameters
> message-length maximum 512
> !


 
HRileyBSG@gmail.com
 
      09-15-2006

(E-Mail Removed) wrote:
> I'm more proficient with ASDM but just a guess: Are there routes set
> up for the users connecting via office VPN to the hosting ips? Do all
> the intermediate network devices have a route to get to the natted
> addresses of the office vpn users (the ip local employees pool)? Could
> there be a firewall or access list on one of the intermediate devices
> that block access from the 192.168.242.250-192.168.242.252 ip range?


There are no routes specifically set up for the VPN users. They're
given an IP address in the same network as those that are sitting in
the office, so I would think that they wouldn't need a special route.
There aren't any intermediate devices that would have an impact on
access and there's definitely not any rule blocking the VPN IP
addresses.

My suspicion is that the VPN users aren't being regarded as truly in
the inside network, therefore the rules for that network aren't
applied. Would I be even remotely close on that?

Thanks,

Hugh

 
 
Z
 
      09-15-2006
On 14 Sep 2006 23:21:46 -0700, (E-Mail Removed) wrote:

>
>(E-Mail Removed) wrote:
>> I'm more proficient with ASDM but just a guess: Are there routes set
>> up for the users connecting via office VPN to the hosting ips? Do all
>> the intermediate network devices have a route to get to the natted
>> addresses of the office vpn users (the ip local employees pool)? Could
>> there be a firewall or access list on one of the intermediate devices
>> that block access from the 192.168.242.250-192.168.242.252 ip range?

>
>There are no routes specifically set up for the VPN users. They're
>given an IP address in the same network as those that are sitting in
>the office, so I would think that they wouldn't need a special route.
>There aren't any intermediate devices that would have an impact on
>access and there's definitely not any rule blocking the VPN IP
>addresses.
>
>My suspicion is that the VPN users aren't being regarded as truly in
>the inside network, therefore the rules for that network aren't
>applied. Would I be even remotely close on that?
>
>Thanks,
>
>Hugh



Are non-vpn users inside the office using a gateway other than the ASA? If so, they
probably have a route to the hosting ips (192.168.245.0/24). I didn't see a 'route inside
192.168.245.0 255.255.255.0 <next-hop-ip address> 1' type statement in your config.

Z

 
 
HRileyBSG@gmail.com
 
      09-15-2006
Z wrote:
> Are non-vpn users inside the office using a gateway other than the ASA? If so, they
> probably have a route to the hosting ips (192.168.245.0/24). I didn't see a 'route inside
> 192.168.245.0 255.255.255.0 <next-hop-ip address> 1' type statement in your config.


Nope. There's only the ASA and everyone should be using that for access
to the hosting site. Not sure how I could get it to work otherwise
since they get to the hosting network via an ASA VPN connection, but
that's neither here nor there.
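The thread leaves the question open, so here is an added configuration check (written for this page, not code from any of the posters or from Cisco) that reads the relevant lines of Hugh's posted config and reports how remote-access client traffic relates to the site-to-site crypto ACL, the NAT exemption, split tunnelling and hairpinning. It parses only the subset of ASA syntax that appears in the post; the excerpt is constructed from the posted config with the sub-mode indentation that "show run" prints restored, because the group-policy parser depends on it. The two settings it looks for that the posted config does not contain, `same-security-traffic permit intra-interface` (needed for a packet that arrives on the outside interface from a client to be sent back out the same interface, whether toward the internet or toward the L2L peer) and a dynamic `nat (outside)` rule covering the pool (needed under `nat-control` for client traffic that leaves toward the internet), are standard ASA commands; the function names and the reading of the findings are mine, not a conclusion reached in the thread.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted in this thread. ASA "show run"
# indents sub-mode lines with one space; the post lost that indentation, so it is
# restored here because split_tunnel_policy() relies on it.
ASA_CONFIG = """\
access-list outside_20_cryptomap extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.242.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.242.248 255.255.255.248
ip local pool Employees 192.168.242.250-192.168.242.252 mask 255.255.255.0
nat-control
global (outside) 10 EXT-49 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.242.0 255.255.255.0
group-policy OffVPN attributes
 vpn-tunnel-protocol IPSec
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
tunnel-group OffVPN general-attributes
 address-pool Employees
 default-group-policy OffVPN
"""


def _take_addr(tokens):
    """Consume one ACL address spec ('any' | 'host A' | 'A MASK') and return a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_acl(cfg, name):
    """(protocol, src_net, dst_net) for each 'extended permit' entry of the named ACL."""
    pat = re.compile(rf"^access-list {re.escape(name)} extended permit (\S+) (.+)$")
    entries = []
    for m in filter(None, map(pat.match, cfg.splitlines())):
        tokens = m.group(2).split()
        src = _take_addr(tokens)          # source comes first in the entry
        dst = _take_addr(tokens)          # then destination
        entries.append((m.group(1), src, dst))
    return entries


def parse_pools(cfg):
    """Map each 'ip local pool' name to (first_address, last_address)."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}


def nat_networks(cfg, iface):
    """Networks given a dynamic 'nat (iface) <id> A MASK' rule; id 0 (exemption) is skipped."""
    pat = rf"^nat \({re.escape(iface)}\) (\d+) (\d+\.\S+) (\S+)"
    return [ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            for m in re.finditer(pat, cfg, re.M) if m.group(1) != "0"]


def pool_covered_by(pool, nets):
    """True when every address of the pool range lies inside at least one of nets."""
    addr, last = pool
    while addr <= last:
        if not any(addr in n for n in nets):
            return False
        addr += 1
    return True


def split_tunnel_policy(cfg, group):
    """split-tunnel-policy under 'group-policy <group> attributes', or None when unset."""
    in_block = False
    for line in cfg.splitlines():
        if line == f"group-policy {group} attributes":
            in_block = True
        elif in_block:
            if not line.startswith(" "):  # first unindented line ends the sub-mode
                break
            m = re.match(r"\s+split-tunnel-policy (\S+)", line)
            if m:
                return m.group(1)
    return None


def audit(cfg, group="OffVPN", pool_name="Employees",
          l2l_acl="outside_20_cryptomap", nat0_acl="inside_nat0_outbound"):
    """Findings on how client traffic relates to the L2L tunnel, NAT and hairpinning."""
    pool = parse_pools(cfg)[pool_name]
    f = []
    if pool_covered_by(pool, [s for _, s, _ in parse_acl(cfg, l2l_acl)]):
        f.append(f"pool {pool_name} lies within the source of crypto ACL {l2l_acl}")
    if pool_covered_by(pool, [d for _, _, d in parse_acl(cfg, nat0_acl)]):
        f.append(f"inside-to-pool traffic is NAT-exempt via {nat0_acl}")
    if split_tunnel_policy(cfg, group) is None:
        f.append(f"group-policy {group} sets no split-tunnel-policy: clients send all traffic into the tunnel")
    if "same-security-traffic permit intra-interface" not in cfg:
        f.append("'same-security-traffic permit intra-interface' is absent: traffic entering outside cannot leave via outside")
    if "nat-control" in cfg and not pool_covered_by(pool, nat_networks(cfg, "outside")):
        f.append("nat-control is on but no dynamic 'nat (outside)' rule covers the pool for internet-bound traffic")
    return f


if __name__ == "__main__":
    for finding in audit(ASA_CONFIG):
        print("-", finding)
```

Run stand-alone it prints five findings for the posted excerpt: the pool does fall inside the L2L selector and the NAT exemption (which is why the office subnet itself works and why Z's route question is not the issue here), but with no split-tunnel policy every client packet comes in on outside, and the config shows neither the intra-interface permit nor an outside NAT rule that would let such a packet leave again. What the check cannot see is the hosting-side ASA: its crypto ACL has to mirror this one for the pool addresses, and that config is not in the thread.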

 