asa 5510 not allowing traffic inside

[IT412]

Hello,

Just configured this asa and it is not allowing traffic through the VPN and not alloing traffic to any natt'd ports. If anyone could assist it would be greatly appreciated.

Config:
interface Ethernet0/0
nameif outside
security-level 0
ip address 166.x.x.157 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
object network obj_192.168.1
subnet 192.168.1.0 255.255.255.0
object network obj-sharepoint
host 192.168.1.2
object network obj-nagios
host 192.168.1.11
object network obj-crm
host 192.168.1.13
object network obj-remote
host 192.168.1.9
object network obj-apple
host 192.168.1.8
object network obj-ftp
host 192.168.1.223
object network sharepointHTTP
host 192.168.1.2
object network nagiosHTTPS
host 192.168.1.11
object network crmHTTP
host 192.168.1.13
object network remoteHTTPS
host 192.168.1.9
object network remoteHTTP
host 192.168.1.9
object network remoteRDP
host 192.168.1.9
object network appleTCP84
host 192.168.1.8
object network centosFTP
host 192.168.1.223
object network besFTP
host 192.168.1.4
object network barracudaspamSMTP
host 192.168.1.153
object network mailman01HTTP
host 192.168.1.14
object network mailman01HTTPS
host 192.168.1.14
object network crmCWRMOBILITY
host 192.168.1.13
object network phonesystem
host 192.168.1.157
object network ipphones
host 192.168.1.167
object network ipphonesSIP
host 192.168.1.167
object network exportLocal
subnet 192.168.1.0 255.255.255.0
object network borlandlocal
subnet 192.168.3.0 255.255.255.0
object network vegaslocal
subnet 192.168.2.0 255.255.255.0
access-list outside_access_in extended permit tcp any object sharepointHTTP eq www
access-list outside_access_in extended permit tcp any object besFTP eq ftp
access-list outside_access_in extended permit tcp any object appleTCP84 eq 84
access-list outside_access_in extended permit tcp any object remoteHTTP eq www
access-list outside_access_in extended permit tcp any object nagiosHTTPS eq https
access-list outside_access_in extended permit tcp any object crmCWRMOBILITY eq 5556
access-list outside_access_in extended permit tcp any object crmHTTP eq www
access-list outside_access_in extended permit tcp any object mailman01HTTP eq www
access-list outside_access_in extended permit tcp any object mailman01HTTPS eq https
access-list outside_access_in extended permit udp any object ipphones eq 59104
access-list outside_access_in extended permit udp any object ipphonesSIP eq sip
access-list outside_access_in extended permit tcp any object centosFTP eq ftp
access-list outside_access_in extended permit tcp any object remoteHTTPS eq https
access-list outside_access_in extended permit tcp any object remoteRDP eq 3389
access-list outside_access_in extended permit tcp any object barracudaspamSMTP eq smtp
access-list outside_access_in extended permit tcp any object phonesystem eq 59002
access-list outside_site2site extended permit ip object exportLocal object vegaslocal
access-list outside_cryptomap_2 extended permit ip object exportLocal object borlandlocal
pager lines 24
mtu management 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static exportLocal exportLocal destination static borlandlocal borlandlocal
nat (inside,outside) source static exportLocal exportLocal destination static vegaslocal vegaslocal
!
object network obj_192.168.1
nat (inside,outside) dynamic interface
object network sharepointHTTP
nat (inside,outside) static 98.x.x.33 service tcp

http://www www

object network nagiosHTTPS
nat (inside,outside) static 98.x.x.34 service tcp https https
object network crmHTTP
nat (inside,outside) static 98.x.x.35 service tcp

http://www www

object network remoteHTTPS
nat (inside,outside) static 98.x.x.36 service tcp https https
object network remoteHTTP
nat (inside,outside) static 98.x.x.36 service tcp

http://www www

object network remoteRDP
nat (inside,outside) static 98.x.x.36 service tcp 3389 3389
object network appleTCP84
nat (inside,outside) static 98.x.x.37 service tcp 84 84
object network centosFTP
nat (inside,outside) static 98.x.x.38 service tcp ftp ftp
object network besFTP
nat (inside,outside) static interface service tcp ftp ftp
object network barracudaspamSMTP
nat (inside,outside) static interface service tcp smtp smtp
object network mailman01HTTP
nat (inside,outside) static interface service tcp

http://www www

object network mailman01HTTPS
nat (inside,outside) static interface service tcp https https
object network crmCWRMOBILITY
nat (inside,outside) static 98.x.x.35 service tcp 5556 5556
object network phonesystem
nat (inside,outside) static interface service tcp 59002 59002
object network ipphones
nat (inside,outside) static interface service udp 59104 59104
object network ipphonesSIP
nat (inside,outside) static interface service udp sip sip
route outside 0.0.0.0 0.0.0.0 166.x.x.158 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.255 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_site2site 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_site2site
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 75.x.x.14
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 24.x.x.82
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group point2point type ipsec-l2l
tunnel-group 24.x.x.82 type ipsec-l2l
tunnel-group 24.x.x.82 ipsec-attributes
tunnel-group 75.x.x.14 type ipsec-l2l
tunnel-group 75.x.x.14 ipsec-attributes
!
class-map inspection_default
match default-inspection-traffic

 

[tpulley]

You need a nat exceptions rule and allowance for the same. Also I didn't see a local ip pool to give users an IP address.

For example.

access-list 100 permit ip 10.1.100.0 255.255.255.0 172.16.252.0 255.255.255.0
ip local pool Remote_Users 172.16.252.1-172.16.252.25 mask 255.255.255.0
nat (inside) 0 access-list 100

 

[davy2k]

Hi All,
I have an almost similar issue, however I have been able to configure a vpn client user to be able to access inside but my challenge is to allow the same user to be able to access the DMZ as well.

Requirements:
1) create a connection profile for a developers who can only access the dmz network but denied access to inside network
2) another connection profile that can access both inside and dmz network...

Please help...

Thank you.

Here is my config...
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name domain.com
enable password sn0N6UkVSh7tHZw7 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan2
description CONNECTION TO OUTSIDE INTERNET
nameif outside
security-level 0
ip address 10.10.1.254 255.255.255.0
!
interface Vlan3
description CONNECTION TO INSIDE 1
nameif inside
security-level 100
ip address 192.168.70.254 255.255.255.0
!
interface Vlan4
description CONNECTION TO DMZ
nameif dmz
security-level 50
ip address 192.168.101.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 4
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner motd ** W A R N I N G **
banner motd Unauthorized access prohibited. All access is
banner motd monitored, and trespassers shall be prosecuted
banner motd to the fullest extent of the law.
ftp mode passive
dns server-group DefaultDNS
domain-name domain.com
access-list OUTSIDE_IN extended permit tcp any host 10.10.1.202 eq 3389
access-list OUTSIDE_IN extended permit tcp any host 10.10.1.202 eq 69
access-list splittunnel standard permit 192.168.70.0 255.255.255.0
access-list splittunnel2 standard permit 192.168.101.0 255.255.255.0
access-list dmz_in extended deny ip 192.168.101.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.70.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list dmz_in extended permit ip 192.168.101.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool VPN_POOL 192.168.20.1-192.168.20.254
ip local pool DMZ_VPN 192.168.30.1-192.168.30.254
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.70.0 255.255.255.0
static (dmz,outside) 10.10.1.202 192.168.101.222 netmask 255.255.255.255
static (inside,dmz) 192.168.70.0 192.168.70.0 netmask 255.255.255.0
access-group OUTSIDE_IN in interface outside
access-group dmz_in in interface dmz
route outside 0.0.0.0 0.0.0.0 10.10.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.70.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy internal_access internal
group-policy internal_access attributes
dns-server value 4.2.2.2
vpn-idle-timeout 120
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel
group-policy dmz_access internal
group-policy dmz_access attributes
dns-server value 4.2.2.2
vpn-idle-timeout 120
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel2
username testuser password k83iXWPan0Gg1s04 encrypted
username testuser2 password k83iXWPan0Gg1s04 encrypted
username ciscoadmin password 9V/YrnChylN8IPx8 encrypted
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool VPN_POOL
default-group-policy internal_access
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
tunnel-group dmz_vpnclient type remote-access
tunnel-group dmz_vpnclient general-attributes
address-pool DMZ_VPN
default-group-policy dmz_access
tunnel-group dmz_vpnclient ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:65e879c01d09339d988868e856d2f53e
: end