VPN into ASA 5510 unable to access internet and other network

Discussion in 'Cisco' started by HRileyBSG, Sep 14, 2006.

  1. HRileyBSG

    HRileyBSG Guest

    All,

    We have two locations (office and hosting), each with a 5510, connected
    via VPN connection. There are no issues accessing the hosting
    environment or the internet from within the office. However, when users
    VPN into the office using the Cisco client, they can not access
    internet hosts and anything in the hosting environment. Accessing
    systems in the office network is not an issue.

    I've attached most of the running-config (obviously unimportant parts
    stripped out) below. Any help would be greatly appreciated.

    Hugh


    names
    name 192.168.242.1 INT-primary
    name 1.2.3.34 EXT-34
    name 1.2.3.35 EXT-35
    name 1.2.3.36 EXT-36
    name 1.2.3.49 EXT-49
    name 1.2.3.50 EXT-50
    name 1.2.3.51 EXT-51
    name 1.2.3.52 EXT-52
    name 4.5.6.250 Hosting-250
    dns-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address EXT-36 255.255.255.240
    !
    interface Ethernet0/1
    duplex full
    nameif inside
    security-level 100
    ip address INT-primary 255.255.255.0
    !
    interface Ethernet0/2
    nameif phone
    security-level 75
    ip address 10.10.10.1 255.255.255.0
    !
    interface Ethernet0/3
    nameif dmz
    security-level 25
    ip address 10.20.30.1 255.255.255.0
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    object-group network Hosting-45
    network-object 192.168.245.0 255.255.255.0
    object-group network Office-42
    description Internal office IPs
    network-object 192.168.242.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended permit icmp any any time-exceeded
    access-list outside_20_cryptomap extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.242.240 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 192.168.242.248 255.255.255.248
    access-list outside_cryptomap_3 extended permit ip any 192.168.242.240 255.255.255.240
    access-list outside_cryptomap extended permit ip any 192.168.242.248 255.255.255.248
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu phone 1500
    mtu dmz 1500
    mtu management 1500
    ip local pool Employees 192.168.242.250-192.168.242.252 mask 255.255.255.0
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ip verify reverse-path interface phone
    ip verify reverse-path interface dmz
    no failover
    monitor-interface outside
    monitor-interface inside
    monitor-interface phone
    monitor-interface dmz
    monitor-interface management
    arp timeout 14400
    nat-control
    global (outside) 10 EXT-49 netmask 255.255.255.240
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 10 192.168.242.0 255.255.255.0
    nat (phone) 10 10.10.10.0 255.255.255.0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 1.2.3.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server AD protocol radius
    aaa-server NT protocol nt
    aaa-server NT host INT-AD
    nt-auth-domain-controller AD
    group-policy OffVPN internal
    group-policy OffVPN attributes
    wins-server value 192.168.242.2
    dns-server value 192.168.242.2 192.168.242.27
    vpn-tunnel-protocol IPSec
    default-domain value domain.local
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
    crypto map outside_map 20 match address outside_20_cryptomap
    crypto map outside_map 20 set peer Hosting-250
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption aes
    hash sha
    group 5
    lifetime 86400
    tunnel-group OffVPN type ipsec-ra
    tunnel-group OffVPN general-attributes
    address-pool Employees
    authentication-server-group NT
    default-group-policy OffVPN
    tunnel-group OffVPN ipsec-attributes
    pre-shared-key *
    tunnel-group 4.5.6.250 type ipsec-l2l
    tunnel-group 4.5.6.250 ipsec-attributes
    pre-shared-key *
    console timeout 0
    !
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    !
     
    HRileyBSG, Sep 14, 2006
    #1
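    An added diagnostic, not from the thread or from Cisco, that walks the posted config the way I would when triaging this: the client pool lives inside the inside subnet but client traffic is decrypted on the outside interface, so reaching the internet or the hosting tunnel means the ASA must be allowed to U-turn traffic back out of outside (`same-security-traffic permit intra-interface`) and must have a `nat (outside)` statement for the pool, alongside the nat0 exemption and the L2L crypto ACL that the config already has. It assumes ASA 7.x syntax and reads a constructed excerpt of the config above with the `name` aliases resolved; the check names are my own.

```python
import ipaddress

# Constructed excerpt of the config posted above, with the `name` aliases resolved.
ASA_CONFIG = """\
access-list outside_20_cryptomap extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.242.248 255.255.255.248
ip local pool Employees 192.168.242.250-192.168.242.252 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 20 match address outside_20_cryptomap
"""
def _endpoint(tok, i):
    # ACL endpoint at tok[i] is either 'any' or 'addr mask'; returns (network, next index)
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2
def parse(config):
    # Collect only the statements that decide how traffic from the VPN pool is handled.
    acls, pools, nats, crypto_acls, hairpin = {}, [], [], set(), False
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = _endpoint(tok, 5)
            acls.setdefault(tok[1], []).append((src, _endpoint(tok, i)[0]))
        elif tok[:3] == ["ip", "local", "pool"]:   # first-last address of the pool
            pools.append(tuple(map(ipaddress.ip_address, tok[4].split("-"))))
        elif tok[:1] == ["nat"] and tok[3] == "access-list":   # nat (if) 0 access-list NAME
            nats.append((tok[1].strip("()"), "exempt", tok[4]))
        elif tok[:1] == ["nat"]:                                # nat (if) ID addr mask [outside]
            nats.append((tok[1].strip("()"), "translate", ipaddress.ip_network(f"{tok[3]}/{tok[4]}")))
        elif tok[:2] == ["crypto", "map"] and "address" in tok:
            crypto_acls.add(tok[tok.index("address") + 1])
        elif tok == ["same-security-traffic", "permit", "intra-interface"]:
            hairpin = True
    return acls, pools, nats, crypto_acls, hairpin
def _pool_within(pools, nets):
    # True when every pool address range sits inside at least one of the given networks
    return bool(pools) and all(any(lo in n and hi in n for n in nets) for lo, hi in pools)

def check(config):
    # Which prerequisites the remote-access pool meets for reaching the L2L peer and the internet
    acls, pools, nats, crypto_acls, hairpin = parse(config)
    exempt_dsts = [d for _, kind, name in nats if kind == "exempt" for _, d in acls.get(name, [])]
    crypto_srcs = [s for name in crypto_acls for s, _ in acls.get(name, [])]
    outside_nat = [net for iface, kind, net in nats if iface == "outside" and kind == "translate"]
    return {
        "pool_exempt_from_inside_nat": _pool_within(pools, exempt_dsts),  # inside replies are not translated
        "pool_in_l2l_crypto_acl": _pool_within(pools, crypto_srcs),       # pool traffic matches the L2L tunnel
        "pool_natted_on_outside": _pool_within(pools, outside_nat),       # pool can be PATed out to the internet
        "hairpin_enabled": hairpin,  # outside-to-outside (u-turn) traffic permitted at all
    }
```

    Run against the excerpt it reports the two existing entries as present and the hairpin and outside-NAT prerequisites as missing, which matches the symptoms described in the post.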

  2. HRileyBSG

    zarmice Guest

    I'm more proficient with ASDM but just a guess: Are there routes set
    up for the users connecting via office VPN to the hosting ips? Do all
    the intermediate network devices have a route to get to the natted
    addresses of the office vpn users (the ip local employees pool)? Could
    there be a firewall or access list on one of the intermediate devices
    that block access from the 192.168.242.250-192.168.242.252 ip range?


    HTH,
    Z
     
    zarmice, Sep 15, 2006
    #2
  4. HRileyBSG

    HRileyBSG Guest

    There are no routes specifically set up for the VPN users. They're
    given an IP address in the same network as those that are sitting in
    the office, so I would think that they wouldn't need a special route.
    There aren't any intermediate devices that would have an impact on
    access and there's definitely not any rule blocking the VPN IP
    addresses.

    My suspicion is that the VPN users aren't being regarded as truly in
    the inside network, therefore the rules for that network aren't
    applied. Would I be even remotely close on that?

    Thanks,

    Hugh
     
    HRileyBSG, Sep 15, 2006
    #4
  5. HRileyBSG

    Z Guest


    Are non-vpn users inside the office using a gateway other than the ASA? If so, they
    probably have a route to the hosting ips (192.168.245.0/24). I didn't see a 'route inside
    192.168.245.0 255.255.255.0 <next-hop-ip address> 1' type statement in your config.

    Z
     
    Z, Sep 15, 2006
    #5
  6. HRileyBSG

    HRileyBSG Guest

    Nope. There's only the ASA and everyone should be using that for access
    to the hosting site. Not sure how I could get it to work otherwise
    since they get to the hosting network via an ASA VPN connection, but
    that's neither here nor there.
     
    HRileyBSG, Sep 15, 2006
    #6