
Cisco ASA 5505 - VPN users connect but cannot reach internal network


briancox86

IS-IT--Management
Jun 21, 2008
So here is my issue. I have an ASA 5505 that is used for remote access by a few employees for access to file servers. The VPN is configured for split tunneling. I am able to connect, auth, and establish an IPsec tunnel. I however cannot get to anything on the internal network. The network is simple... plugged in to the ASA is a switch and into that are servers. I want someone to VPN in and be able to access them. Currently they can't.

If you need more info please ask.

---------------CONFIG PROVIDED BELOW---------------
: Saved
:
ASA Version 7.2(2)
!
terminal width 150
hostname ciscoasa
domain-name default.domain.invalid
enable password CENSORED encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.29 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd CENSORED encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list VPNRA extended permit ip 10.1.0.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list VPNRA extended permit ip 10.10.0.0 255.255.255.0 10.1.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN-POOL 10.10.0.1-10.10.0.255 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list VPNRA
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 67.100.156.25 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPNSPLITTUNNEL internal
group-policy VPNSPLITTUNNEL attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNRA
username user password CENSORED encrypted
aaa authentication ssh console LOCAL
http server enable
http 10.1.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server enable
crypto ipsec transform-set 3DESMD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 10 set transform-set 3DESMD5
crypto map VPNPEER 20 ipsec-isakmp dynamic DYNOMAP
crypto map VPNPEER interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group EMPLOYEES type ipsec-ra
tunnel-group EMPLOYEES general-attributes
address-pool VPN-POOL
default-group-policy VPNSPLITTUNNEL
tunnel-group EMPLOYEES ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 10
dhcpd address 10.1.0.100-10.1.0.129 inside
dhcpd dns 10.1.0.50 10.1.0.51 interface inside
dhcpd wins 10.1.0.50 interface inside
dhcpd domain CENSORED.local interface inside
dhcpd enable inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect tftp
!
service-policy global_policy global
prompt hostname context
: end
 
Try this:

no access-list VPNRA extended permit ip 10.10.0.0 255.255.255.0 10.1.0.0 255.255.255.0

access-list split_tunnel standard permit 10.1.0.0 255.255.255.0


group-policy VPNSPLITTUNNEL attributes
no split-tunnel-network-list value VPNRA
split-tunnel-network-list value split_tunnel

You should never use your NAT 0 access-list for anything other than NAT 0. Always create a new one. Also for split tunneling you need a standard ACL not extended.



 
Ok... thanks for the tips. I tried what you suggested and still no luck. I thought that it might be that interesting traffic was not properly defined, but this clearly states that traffic headed to 10.1.0.0/24 is interesting traffic:


access-list split_tunnel standard permit 10.1.0.0 255.255.255.0
group-policy VPNSPLITTUNNEL attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel

Hmmm... Any other ideas?

 
Once connected check the status of the connection by right clicking on the lock icon. One of the tabs that you can select will show you routes. Check the route and confirm 10.1.0.0 exists in the table.


Also place this in the ASA:

sysopt connection permit-vpn

How are you trying to connect? By name or IP?

Now connect from the client and start a PING to a host on the 10.1.0.0 network.

Do a debug icmp trace on the ASA. Make sure you do this before the ping. Post the results here.





 
Attached is a screenshot of Cisco VPN client routing table.
Here is the output from a 'route print' on XP Pro SP3 box trying to connect to the VPN:

===============================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 172.20.69.1 172.20.69.144 10
10.1.0.0 255.255.255.0 10.10.0.2 10.10.0.2 1
10.10.0.0 255.255.255.0 10.10.0.2 10.10.0.2 10
10.10.0.2 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.10.0.2 10.10.0.2 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.20.69.0 255.255.255.0 172.20.69.144 172.20.69.144 10
172.20.255.255 255.255.255.255 172.20.69.144 172.20.69.144 10
224.0.0.0 240.0.0.0 10.10.0.2 10.10.0.2 10
224.0.0.0 240.0.0.0 172.20.69.144 172.20.69.144 10
255.255.255.255 255.255.255.255 10.10.0.2 10.10.0.2 1
255.255.255.255 255.255.255.255 172.20.69.144 172.20.69.144 1
Default Gateway: 172.20.69.1
===============================================

The following is the output of the icmp debug.

ciscoasa(config)# debug icmp trace 255
debug icmp trace enabled at level 255

Nothing showed up from the ping to the internal IP from the VPN remote user.

I did see this from pinging from inside network to VPN remote client.

ICMP echo request from inside:10.1.0.50 to outside:10.10.0.2 ID=1280 seq=2816 len=32
ICMP echo request from inside:10.1.0.50 to outside:10.10.0.2 ID=1280 seq=3072 len=32

This is from pinging the outside interface of the ASA.

ICMP echo request from <my IP> to <outside interface IP> ID=59176 seq=1533 len=56
ICMP echo reply from <outside interface IP> to <my IP> ID=59176 seq=1533 len=56
ICMP echo request from <my IP> to <outside interface IP> ID=59176 seq=28429 len=56
ICMP echo reply from <outside interface IP> to <my IP> ID=59176 seq=28429 len=56
 
Try enabling NAT-T.


Seems like your encrypted traffic is not making it through but everything else is negotiating as it should:

crypto isakmp nat-traversal
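As an added example that is not part of the thread, the following Python lint applies the checks the replies above recommend (standard split-tunnel ACL, a split-tunnel list separate from the nat 0 ACL, sysopt connection permit-vpn not disabled, NAT-T enabled) to an ASA 7.2 config excerpt. The two config strings are constructed from lines in this thread; the function names are my own.

```python
import re

# Constructed excerpt of the originally posted config (relevant lines only).
ORIGINAL_CONFIG = """\
access-list VPNRA extended permit ip 10.1.0.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list VPNRA extended permit ip 10.10.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list VPNRA
group-policy VPNSPLITTUNNEL attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNRA
crypto isakmp enable outside
"""

# Constructed excerpt after applying the replies' suggestions.
FIXED_CONFIG = """\
access-list VPNRA extended permit ip 10.1.0.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list split_tunnel standard permit 10.1.0.0 255.255.255.0
nat (inside) 0 access-list VPNRA
sysopt connection permit-vpn
group-policy VPNSPLITTUNNEL attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
crypto isakmp enable outside
crypto isakmp nat-traversal
"""

def audit_ra_vpn(config: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    acl_types: dict[str, set[str]] = {}   # ACL name -> {"standard", "extended"}
    nat0_acls, split_acls = set(), set()
    for ln in lines:
        if m := re.match(r"access-list (\S+) (standard|extended) ", ln):
            acl_types.setdefault(m.group(1), set()).add(m.group(2))
        if m := re.match(r"nat \(\S+\) 0 access-list (\S+)", ln):
            nat0_acls.add(m.group(1))
        if m := re.match(r"split-tunnel-network-list value (\S+)", ln):
            split_acls.add(m.group(1))
    findings = []
    for name in sorted(split_acls):
        if "extended" in acl_types.get(name, set()):
            findings.append(f"split-tunnel list {name} is an extended ACL; use a standard ACL")
        if name in nat0_acls:
            findings.append(f"split-tunnel list {name} doubles as the nat 0 ACL; use a separate ACL")
    # permit-vpn is on by default and only shows in the running config when disabled,
    # so the meaningful signal is the explicit "no" form.
    if "no sysopt connection permit-vpn" in lines:
        findings.append("sysopt connection permit-vpn is disabled")
    # Without NAT-T, ESP from a client behind a NAT device (172.20.69.x here) is not
    # encapsulated in UDP and is dropped, while ISAKMP over UDP/500 still completes.
    if not any(ln.startswith("crypto isakmp nat-traversal") for ln in lines):
        findings.append("crypto isakmp nat-traversal is absent")
    return findings
```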

 
Well... Look at that...

It worked!

You rock dude. You just made my day! I knew it had to be something easy like that... I just overlooked it. Thanks a lot!

Regards,

Brian