VPN into ASA 5510 unable to access internet and other network

Discussion in 'Cisco' started by HRileyBSG@gmail.com, Sep 14, 2006.

  1. Guest

    All,

    We have two locations (office and hosting), each with a 5510, connected
    via VPN connection. There are no issues accessing the hosting
    environment or the internet from within the office. However, when users
    VPN into the office using the Cisco client, they can not access
    internet hosts and anything in the hosting environment. Accessing
    systems in the office network is not an issue.

    I've attached most of the running-config (obviously unimportant parts
    stripped out) below. Any help would be greatly appreciated.

    Hugh


    names
    name 192.168.242.1 INT-primary
    name 1.2.3.34 EXT-34
    name 1.2.3.35 EXT-35
    name 1.2.3.36 EXT-36
    name 1.2.3.49 EXT-49
    name 1.2.3.50 EXT-50
    name 1.2.3.51 EXT-51
    name 1.2.3.52 EXT-52
    name 4.5.6.250 Hosting-250
    dns-guard
    !
    interface Ethernet0/0
     nameif outside
     security-level 0
     ip address EXT-36 255.255.255.240
    !
    interface Ethernet0/1
     duplex full
     nameif inside
     security-level 100
     ip address INT-primary 255.255.255.0
    !
    interface Ethernet0/2
     nameif phone
     security-level 75
     ip address 10.10.10.1 255.255.255.0
    !
    interface Ethernet0/3
     nameif dmz
     security-level 25
     ip address 10.20.30.1 255.255.255.0
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    object-group network Hosting-45
     network-object 192.168.245.0 255.255.255.0
    object-group network Office-42
     description Internal office IPs
     network-object 192.168.242.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_20_cryptomap extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.242.240 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 192.168.242.248 255.255.255.248
    access-list outside_cryptomap_3 extended permit ip any 192.168.242.240 255.255.255.240
    access-list outside_cryptomap extended permit ip any 192.168.242.248 255.255.255.248
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu phone 1500
    mtu dmz 1500
    mtu management 1500
    ip local pool Employees 192.168.242.250-192.168.242.252 mask 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip verify reverse-path interface phone
    ip verify reverse-path interface dmz
    no failover
    monitor-interface outside
    monitor-interface inside
    monitor-interface phone
    monitor-interface dmz
    monitor-interface management
    arp timeout 14400
    nat-control
    global (outside) 10 EXT-49 netmask 255.255.255.240
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 10 192.168.242.0 255.255.255.0
    nat (phone) 10 10.10.10.0 255.255.255.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 1.2.3.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server AD protocol radius
    aaa-server NT protocol nt
    aaa-server NT host INT-AD
     nt-auth-domain-controller AD
    group-policy OffVPN internal
    group-policy OffVPN attributes
     wins-server value 192.168.242.2
     dns-server value 192.168.242.2 192.168.242.27
     vpn-tunnel-protocol IPSec
     default-domain value domain.local
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
    crypto map outside_map 20 match address outside_20_cryptomap
    crypto map outside_map 20 set peer Hosting-250
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption aes
     hash sha
     group 5
     lifetime 86400
    tunnel-group OffVPN type ipsec-ra
    tunnel-group OffVPN general-attributes
     address-pool Employees
     authentication-server-group NT
     default-group-policy OffVPN
    tunnel-group OffVPN ipsec-attributes
     pre-shared-key *
    tunnel-group 4.5.6.250 type ipsec-l2l
    tunnel-group 4.5.6.250 ipsec-attributes
     pre-shared-key *
    console timeout 0
    !
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
     parameters
      message-length maximum 512
    !
     
    , Sep 14, 2006
    #1

  2. Guest

    I'm more proficient with ASDM, but just a guess: are there routes set
    up for the users connecting via office VPN to the hosting IPs? Do all
    the intermediate network devices have a route to get to the NATted
    addresses of the office VPN users (the ip local Employees pool)? Could
    there be a firewall or access list on one of the intermediate devices
    that blocks access from the 192.168.242.250-192.168.242.252 IP range?


    HTH,
    Z

    wrote:
    > All,
    >
    > We have two locations (office and hosting), each with a 5510, connected
    > via VPN connection. There are no issues accessing the hosting
    > environment or the internet from within the office. However, when users
    > VPN into the office using the Cisco client, they can not access
    > internet hosts and anything in the hosting environment. Accessing
    > systems in the office network is not an issue.
    >
    > I've attached most of the running-config (obviously unimportant parts
    > stripped out) below. Any help would be greatly appreciated.
    >
    > Hugh
    >
    >
    > names
    > name 192.168.242.1 INT-primary
    > name 1.2.3.34 EXT-34
    > name 1.2.3.35 EXT-35
    > name 1.2.3.36 EXT-36
    > name 1.2.3.49 EXT-49
    > name 1.2.3.50 EXT-50
    > name 1.2.3.51 EXT-51
    > name 1.2.3.52 EXT-52
    > name 4.5.6.250 Hosting-250
    > dns-guard
    > !
    > interface Ethernet0/0
    > nameif outside
    > security-level 0
    > ip address EXT-36 255.255.255.240
    > !
    > interface Ethernet0/1
    > duplex full
    > nameif inside
    > security-level 100
    > ip address INT-primary 255.255.255.0
    > !
    > interface Ethernet0/2
    > nameif phone
    > security-level 75
    > ip address 10.10.10.1 255.255.255.0
    > !
    > interface Ethernet0/3
    > nameif dmz
    > security-level 25
    > ip address 10.20.30.1 255.255.255.0
    > !
    > interface Management0/0
    > nameif management
    > security-level 100
    > ip address 192.168.1.1 255.255.255.0
    > management-only
    > !
    > object-group network Hosting-45
    > network-object 192.168.245.0 255.255.255.0
    > object-group network Office-42
    > description Internal office IPs
    > network-object 192.168.242.0 255.255.255.0
    > access-list outside_access_in extended permit icmp any any echo-reply
    > access-list outside_access_in extended permit icmp any any
    > time-exceeded
    > access-list outside_20_cryptomap extended permit ip 192.168.242.0
    > 255.255.255.0 192.168.245.0 255.255.255.0
    > access-list inside_nat0_outbound extended permit ip 192.168.242.0
    > 255.255.255.0 192.168.245.0 255.255.255.0
    > access-list inside_nat0_outbound extended permit ip any 192.168.242.240
    > 255.255.255.240
    > access-list inside_nat0_outbound extended permit ip any 192.168.242.248
    > 255.255.255.248
    > access-list outside_cryptomap_3 extended permit ip any 192.168.242.240
    > 255.255.255.240
    > access-list outside_cryptomap extended permit ip any 192.168.242.248
    > 255.255.255.248
    > pager lines 24
    > logging enable
    > logging asdm informational
    > mtu outside 1500
    > mtu inside 1500
    > mtu phone 1500
    > mtu dmz 1500
    > mtu management 1500
    > ip local pool Employees 192.168.242.250-192.168.242.252 mask
    > 255.255.255.0
    > ip verify reverse-path interface outside
    > ip verify reverse-path interface inside
    > ip verify reverse-path interface phone
    > ip verify reverse-path interface dmz
    > no failover
    > monitor-interface outside
    > monitor-interface inside
    > monitor-interface phone
    > monitor-interface dmz
    > monitor-interface management
    > arp timeout 14400
    > nat-control
    > global (outside) 10 EXT-49 netmask 255.255.255.240
    > nat (inside) 0 access-list inside_nat0_outbound
    > nat (inside) 10 192.168.242.0 255.255.255.0
    > nat (phone) 10 10.10.10.0 255.255.255.0
    > access-group outside_access_in in interface outside
    > route outside 0.0.0.0 0.0.0.0 1.2.3.33 1
    > timeout xlate 3:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
    > 0:05:00
    > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
    > 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server AD protocol radius
    > aaa-server NT protocol nt
    > aaa-server NT host INT-AD
    > nt-auth-domain-controller AD
    > group-policy OffVPN internal
    > group-policy OffVPN attributes
    > wins-server value 192.168.242.2
    > dns-server value 192.168.242.2 192.168.242.27
    > vpn-tunnel-protocol IPSec
    > default-domain value domain.local
    > crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    > crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    > crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    > crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
    > crypto map outside_map 20 match address outside_20_cryptomap
    > crypto map outside_map 20 set peer Hosting-250
    > crypto map outside_map 20 set transform-set ESP-3DES-SHA
    > crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
    > crypto map outside_map interface outside
    > crypto isakmp enable outside
    > crypto isakmp policy 10
    > authentication pre-share
    > encryption 3des
    > hash sha
    > group 2
    > lifetime 86400
    > crypto isakmp policy 30
    > authentication pre-share
    > encryption aes
    > hash sha
    > group 5
    > lifetime 86400
    > tunnel-group OffVPN type ipsec-ra
    > tunnel-group OffVPN general-attributes
    > address-pool Employees
    > authentication-server-group NT
    > default-group-policy OffVPN
    > tunnel-group OffVPN ipsec-attributes
    > pre-shared-key *
    > tunnel-group 4.5.6.250 type ipsec-l2l
    > tunnel-group 4.5.6.250 ipsec-attributes
    > pre-shared-key *
    > console timeout 0
    > !
    > !
    > class-map inspection_default
    > match default-inspection-traffic
    > !
    > !
    > policy-map type inspect dns migrated_dns_map_1
    > parameters
    > message-length maximum 512
    > !
     
    , Sep 15, 2006
    #2
  4. Guest

    wrote:
    > I'm more proficient with ASDM but just a guess: Are there routes set
    > up for the users connecting via office VPN to the hosting ips? Do all
    > the intermediate network devices have a route to get to the natted
    > addresses of the office vpn users (the ip local employees pool)? Could
    > there be a firewall or access list on one of the intermediate devices
    > that block access from the 192.168.242.250-192.168.242.252 ip range?


    There are no routes specifically set up for the VPN users. They're
    given an IP address in the same network as those that are sitting in
    the office, so I would think that they wouldn't need a special route.
    There aren't any intermediate devices that would have an impact on
    access and there's definitely not any rule blocking the VPN IP
    addresses.

    My suspicion is that the VPN users aren't being regarded as truly in
    the inside network, therefore the rules for that network aren't
    applied. Would I be even remotely close on that?

    Thanks,

    Hugh
     
    , Sep 15, 2006
    #4
  5. Z Guest

    On 14 Sep 2006 23:21:46 -0700, wrote:

    >
    > wrote:
    >> I'm more proficient with ASDM but just a guess: Are there routes set
    >> up for the users connecting via office VPN to the hosting ips? Do all
    >> the intermediate network devices have a route to get to the natted
    >> addresses of the office vpn users (the ip local employees pool)? Could
    >> there be a firewall or access list on one of the intermediate devices
    >> that block access from the 192.168.242.250-192.168.242.252 ip range?

    >
    >There are no routes specifically set up for the VPN users. They're
    >given an IP address in the same network as those that are sitting in
    >the office, so I would think that they wouldn't need a special route.
    >There aren't any intermediate devices that would have an impact on
    >access and there's definitely not any rule blocking the VPN IP
    >addresses.
    >
    >My suspicion is that the VPN users aren't being regarded as truly in
    >the inside network, therefore the rules for that network aren't
    >applied. Would I be even remotely close on that?
    >
    >Thanks,
    >
    >Hugh



    Are non-VPN users inside the office using a gateway other than the ASA? If so, they
    probably have a route to the hosting IPs (192.168.245.0/24). I didn't see a 'route inside
    192.168.245.0 255.255.255.0 <next-hop-ip address> 1' type statement in your config.

    Z
     
    Z, Sep 15, 2006
    #5
  6. Guest

    Z wrote:
    > Are non-vpn users inside the office using a gateway other than the ASA? If so, they
    > probably have a route to the hosting ips (192.168.245.0/24). I didn't see a 'route inside
    > 192.168.245.0 255.255.255.0 <next-hop-ip address> 1' type statement in your config.


    Nope. There's only the ASA and everyone should be using that for access
    to the hosting site. Not sure how I could get it to work otherwise
    since they get to the hosting network via an ASA VPN connection, but
    that's neither here nor there.
     
    , Sep 15, 2006
    #6
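The thread ends without a resolution, so the following is an added example (not code from the thread or from Cisco) that works through how an ASA of this generation treats the traffic in question. A packet from an IPsec client is decrypted and then processed as if it had just arrived on the outside interface; the `nat (inside)` statements never see it, which is the behaviour Hugh suspected in post #4. Anything the client sends toward the hosting network or the Internet must therefore leave through the same outside interface it came in on, and the ASA drops such hairpinned traffic unless `same-security-traffic permit intra-interface` is configured. Internet-bound client traffic additionally needs a translation on the outside interface (a `nat (outside)` statement whose id matches a `global (outside)`), because the OffVPN group policy has no split-tunnel list and so tunnels everything. The script parses the relevant statements from the posted config (embedded as a constructed excerpt with wrapped lines rejoined), evaluates both paths for the Employees pool, and can be re-run with two assumed remedy lines (`HAIRPIN_FIX`, pre-8.3 NAT syntax; the /29 is chosen to match the thread's nat0 ACL) to show the findings clear. The hosting-side mirror crypto ACL is not on the page and is not checked.

```python
"""Lint an ASA 7.x remote-access VPN config for the two hairpin paths in this thread
(VPN client -> site-to-site tunnel, VPN client -> Internet). Added example, not code from
the thread or from Cisco; SAMPLE_CONFIG is a constructed excerpt of the posted config."""
import ipaddress

SAMPLE_CONFIG = """
access-list outside_20_cryptomap extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.242.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.242.248 255.255.255.248
ip local pool Employees 192.168.242.250-192.168.242.252 mask 255.255.255.0
global (outside) 10 EXT-49 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.242.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
"""
# Assumed remedy lines (pre-8.3 NAT syntax, not from the thread); the /29 mirrors the nat0 ACL.
HAIRPIN_FIX = """
same-security-traffic permit intra-interface
nat (outside) 10 192.168.242.248 255.255.255.248
"""


def _net(t, i):
    """Parse an ACE address at t[i] ('any', 'host A' or 'A MASK'); return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect only the statements the hairpin checks need."""
    cfg = {"acls": {}, "pools": {}, "nat": [], "globals": set(),
           "crypto_acls": set(), "intra_interface": False, "split_tunnel": None}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and "permit" in t:
            src, j = _net(t, t.index("permit") + 2)       # +2 skips the protocol keyword
            dst, _ = _net(t, j)
            cfg["acls"].setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[0] == "nat":   # stored as (iface, id, ACL name or network)
            ref = t[4] if t[3] == "access-list" else ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            cfg["nat"].append((t[1].strip("()"), int(t[2]), ref))
        elif t[0] == "global":
            cfg["globals"].add((t[1].strip("()"), int(t[2])))
        elif t[:2] == ["crypto", "map"] and "match" in t:
            cfg["crypto_acls"].add(t[-1])
        elif t[:3] == ["same-security-traffic", "permit", "intra-interface"]:
            cfg["intra_interface"] = True
        elif t[0] == "split-tunnel-policy":
            cfg["split_tunnel"] = t[1]
    return cfg


def _covers(entries, pool, dest):
    """True if one ACE matches the whole pool as source and all of dest as destination."""
    return any(pool[0] in s and pool[1] in s and dest.subnet_of(d) for s, d in entries)


def check_remote_access(cfg, pool_name, l2l_dest, vpn_iface="outside"):
    """What a decrypted client packet meets when it has to leave through vpn_iface again."""
    pool, dest = cfg["pools"][pool_name], ipaddress.ip_network(l2l_dest)
    nat0 = [n[2] for n in cfg["nat"] if n[1] == 0 and isinstance(n[2], str)]
    return {
        # client -> hosting: must be NAT-exempt and selected by the site-to-site crypto ACL
        "pool_in_nat0": any(_covers(cfg["acls"].get(a, []), pool, dest) for a in nat0),
        "pool_in_crypto_acl": any(_covers(cfg["acls"].get(a, []), pool, dest)
                                  for a in cfg["crypto_acls"]),
        # both paths enter and leave the same interface
        "intra_interface": cfg["intra_interface"],
        # client -> Internet under tunnelall: nat (outside) N covering the pool plus global (outside) N
        "outside_nat_for_pool": any(
            n[0] == vpn_iface and n[1] != 0 and not isinstance(n[2], str)
            and pool[0] in n[2] and pool[1] in n[2] and (vpn_iface, n[1]) in cfg["globals"]
            for n in cfg["nat"]),
        "split_tunnel": cfg["split_tunnel"] or "tunnelall",   # ASA default when unset
    }


def explain(result):
    """Turn the flags into the findings an operator acts on."""
    notes = []
    if not result["pool_in_crypto_acl"]:
        notes.append("pool not in the site-to-site crypto ACL: hosting traffic is not selected for the tunnel")
    if not result["pool_in_nat0"]:
        notes.append("pool not NAT-exempt toward the hosting network")
    if not result["intra_interface"]:
        notes.append("no 'same-security-traffic permit intra-interface': hairpinned client traffic is dropped")
    if result["split_tunnel"] == "tunnelall" and not result["outside_nat_for_pool"]:
        notes.append("tunnelall with no nat (outside)/global pair for the pool: no translation for "
                     "Internet-bound client traffic (alternative: a split-tunnel list)")
    return notes
```

Running `explain(check_remote_access(parse_config(SAMPLE_CONFIG), "Employees", "192.168.245.0/24"))` on the posted excerpt reports two findings, the missing intra-interface permit and the missing outside translation for the pool, while the pool is already covered by both the nat0 and the crypto ACL; the same call on `SAMPLE_CONFIG + HAIRPIN_FIX` reports nothing. The parser is deliberately narrow (pre-8.3 `nat`/`global` syntax, `permit` ACEs with plain network or `any` addresses) and is meant as a template for the check, not a general ASA config reader.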