ASA ACL Issue?

[joshglover72]

I have an issue with an ASA5505 vpn. I can connect to the vpn just fine. I can ping both interfaces of the asa from a vpn client. I can ping the default gateway of the asa network also. From the ASA interface I can ping everything. I cannot however ping or browse to network devices other that the ASA interfaces and gateway from the vpn client. I think it is an ACL issue but I cannot figure out what is the problem. This device sits behind a different firewall and is going to be used just for vpn client connection. Below is the running config, please help. Thanks

hostname ASA
domain-name .com
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
no shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name .com
same-security-traffic permit intra-interface
access-list acl_in extended permit icmp any any
access-list fass_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list f_splitTunnelAcl standard permit any
access-list 139 extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list abc extended permit esp any any
access-list split extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor critical
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool abc 192.168.10.3-192.168.10.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 192.168.10.0 255.255.255.0
nat (outside) 0 access-list nonat
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server e5group protocol radius
aaa-server e5group (outside) host 10.10.10.10
timeout 5
key *
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.0.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.255.0 outside
telnet 192.168.10.0 255.255.255.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
group-policy e5group internal
group-policy e5group attributes
dns-server value 10.10.10.5
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value .com
tunnel-group e5group type ipsec-ra
tunnel-group e5group general-attributes
address-pool abc
authentication-server-group e5group
default-group-policy e5group
tunnel-group e5group ipsec-attributes
pre-shared-key *
prompt hostname context

 

[North323]

access-group acl_in in interface outside you are only allowing ping 'in' on outside interface

and i am not sure these are needed:
nat (inside) 0 192.168.10.0 255.255.255.0
nat (outside) 0 access-list nonat


nat (inside) 0 access-list inside_nat0_outbound should be the only nat you need

 

[joshglover72]

Think maybe i'm lost here Is this what you mean?

same-security-traffic permit intra-interface
access-list acl_in extended permit icmp any any
access-list fass_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound permit icmp any any
access-list f_splitTunnelAcl standard permit any
access-list 139 extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list abc extended permit esp any any
access-list split extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor critical
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool abc 192.168.10.3-192.168.10.254 mask 255.255.255.0
ip local pool VPN 172.16.2.2-172.16.2.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
access-group acl_in in interface outside
access-group inside_nat0_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

 

[North323]

no...the access-list acl_in is the only list you have on the outside interface and it only allows pings so may need to add more to that list to allow other services.

and this should be all you need:
nat (inside) 0 access-list inside_nat0_outbound

 

[joshglover72]

This is what I have:
BTW, not an ACL expert

same-security-traffic permit intra-interface
access-list acl_in extended permit icmp any any
access-list acl_in extended permit ip any any
access-list fass_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list f_splitTunnelAcl standard permit any
access-list 139 extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list abc extended permit esp any any
access-list split extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list split extended permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool abc 192.168.10.3-192.168.10.254 mask 255.255.255.0
ip local pool VPN 172.16.2.2-172.16.2.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
access-group acl_in in interface outside

 

[North323]

ok and you are trying to ping from what source IP to what destionation IP?

 

[joshglover72]

I am trying to ping, folder browse, RDP, SIP communications from the vpn client: 192.168.10.0 network to the 10.10.10.0 network.

Right now I can ping 10.10.10.1 (Gateway), 10.10.10.254 (asa Outside interface), 192.168.10.2 (asa inside interface) from the vpn client. I cannot ping 10.10.10.5 or 10.10.10.10 (servers), I cannot browse to those servers or RDP into them either.

From the ASA console I can ping all of the above addresses.

Hope this helps clarify.

Thanks again.

 

[North323]

is there a tunnel up? i dont see a peer address?

create an access list like
access-list crypto10 extended permit ip 192.168.10.0 any

then add that to your crpto policy so traffic goes through the tunnel
like
crypto map outside_map match crypto10

make sure you take a back up of your config too

 

[joshglover72]

There is no tunnel, it's not hardware to hardware. Just cisco vpn client software on a remote pc to asa.

 

[North323]

gotcha...so you can connect ok? and get a valid IP address? how does traffic get back to the remote pc with this route:

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

is that a non-routable IP?

 

[joshglover72]

Connect fine, get a valid address.

10.10.10.1 is the DSL Modem / Firewall. When connected to the vpn I can get to the web interface of it. It is the gateway for all devices on that network. I would assume that it's a routeable IP. I have added static routes in that device and that seems to be working properly. I'm lost here LOL.

 

[North323]

now it makes sense to me how things are set up....which IP address are you getting?
ip local pool abc 192.168.10.3-192.168.10.254 mask 255.255.255.0
ip local pool VPN 172.16.2.2-172.16.2.254 mask 255.255.255.0

 

[joshglover72]

192.168.10.0 IP's for the clients

 

[North323]

ok we need to look at the other firewall. something might be blocking it from accessing those machines. if you can ping the gateway, you are good on the ASA

 

[joshglover72]

I don't think it would be the other firewall. I think that you wouldn't be able to connect to device's internal web page if that were the case? Or even establish a vpn connection.

Ports that are open from that firewall to the ASA are:
10000
4500
1723
500

 

[North323]

it could be the other firewall...if its not allowing traffic both directions. once logged in, the vpn client can ping the gateway but nothing beyond

 

[joshglover72]

I disabled the firewall portion to see if it made a difference and it did not. It can ping the interfaces of the asa and that is beyond the fireall.

 

[unclerico]

1) You should ALWAYS have your RA VPN pools on a different subnet than your internal network(s)
2) Since this is behind another Firewall why do you even need to NAT??

I'll bet you any amount of money if you do #1 above and either alter your nat0 statement or remove NAT all together and you'll have connectivity. Granted I just skimmed the config, but that's what I see.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[joshglover72]

I tried removing nat and putting the VPN pools on different subnets and it still didn't work.

 

[unclerico]

post your new config.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)