BrotherJones
Technical User
I thought I had it down pat, but I still seem to be missing something when using a different subnet of addresses for my RAS clients.
Useful info - - - - - - - - - - - - - - - - - - - - - - - - -
Internal network is 10.9.2.0/23 - the custom mask allows addresses 10.9.2.1 - 10.9.3.255 to be on the same subnet.
I want users connecting via the Remote Access VPNs to be handed an address from the pool of 10.9.5.101 through 10.9.5.200 using a mask of 255.255.255.0.
I am currently using the local ASA database for user authentication.
I connect (with the Cisco VPN client) using the tunnel group "wevpnusers" and am able to authenticate against the local database. I seem to be connecting fine and am handed an address from the 10.9.5.101 address range. The problem is that I can't access anything on the 10.9.2.0/23 subnet (where all the resources reside). I am pretty certain I messed up on my config somewhere.
Any assistance is greatly appreciated.
Here is a copy of my config - - - - -
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password wgeln50ki3DIV7ZM encrypted
names
dns-guard
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/1
nameif cable-isp
security-level 0
ip address x.x.237.146 255.255.255.240
!
interface Ethernet0/2
speed 100
duplex full
nameif iap
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
speed 100
duplex full
nameif elser
security-level 100
ip address 10.9.2.6 255.255.254.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd wgeln50ki3DIV7ZM encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 10.10.63.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 10.10.64.0 255.255.255.0
access-list nonat extended permit ip 10.9.2.0 255.255.254.0 10.9.5.0 255.255.255.0
access-list nonat extended permit ip 10.9.5.0 255.255.255.0 10.9.2.0 255.255.254.0
access-list L2L-ExecSuites extended permit ip 192.168.2.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list Outside_Access_In extended permit tcp any host x.x.237.148 eq domain
access-list Outside_Access_In extended permit udp any host x.x.237.148 eq domain
access-list Outside_Access_In extended permit tcp any host x.x.237.152 eq www
access-list Outside_Access_In extended permit tcp any host x.x.237.152 eq https
access-list L2L-SunGuard extended permit ip 192.168.2.0 255.255.255.0 10.10.63.0 255.255.255.0
access-list L2L-SunGuard extended permit ip 192.168.2.0 255.255.255.0 10.10.64.0 255.255.255.0
access-list SplitTunnel standard permit 10.9.2.0 255.255.254.0
pager lines 24
logging enable
logging timestamp
logging trap debugging
logging asdm warnings
logging host iap 192.168.2.199
logging host elser 10.9.3.119
mtu cable-isp 1500
mtu iap 1500
mtu management 1500
mtu elser 1500
ip local pool RasVPNPool 10.9.5.101-10.9.5.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (cable-isp) 1 interface
nat (iap) 0 access-list nonat
nat (iap) 1 192.168.2.0 255.255.255.0
nat (elser) 1 10.9.2.0 255.255.254.0
static (iap,cable-isp) x.x.237.148 192.168.2.11 netmask 255.255.255.255
static (elser,cable-isp) x.x.237.152 10.9.2.45 netmask 255.255.255.255
access-group Outside_Access_In in interface cable-isp
route cable-isp 0.0.0.0 0.0.0.0 x.x.237.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy RemoteAccessUsersPolicy internal
group-policy RemoteAccessUsersPolicy attributes
dns-server value 10.9.2.200 204.60.0.2
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnel
default-domain value xxx.local
username wilsonelser password /lc5VQmQzye56dwv encrypted
http server enable
http 10.9.2.0 255.255.254.0 elser
http 192.168.0.0 255.255.255.0 iap
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TripleDesMd5 esp-3des esp-md5-hmac
crypto ipsec transform-set TripleDesSha esp-3des esp-sha-hmac
crypto dynamic-map dynamicvpnmap 10 set transform-set TripleDesSha
crypto dynamic-map dynamicvpnmap 10 set reverse-route
crypto map VPNTUNNELS 10 match address L2L-ExecSuites
crypto map VPNTUNNELS 10 set peer x.x.178.110
crypto map VPNTUNNELS 10 set transform-set TripleDesMd5
crypto map VPNTUNNELS 10 set security-association lifetime seconds 86400
crypto map VPNTUNNELS 20 match address L2L-SunGuard
crypto map VPNTUNNELS 20 set peer x.x.69.196
crypto map VPNTUNNELS 20 set transform-set TripleDesMd5
crypto map VPNTUNNELS 20 set security-association lifetime seconds 86400
crypto map VPNTUNNELS 999 ipsec-isakmp dynamic dynamicvpnmap
crypto map VPNTUNNELS interface cable-isp
crypto isakmp enable cable-isp
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group x.x.178.110 type ipsec-l2l
tunnel-group x.x.178.110 ipsec-attributes
pre-shared-key *
tunnel-group x.x.69.196 type ipsec-l2l
tunnel-group x.x.69.196 ipsec-attributes
pre-shared-key *
tunnel-group wevpnusers type ipsec-ra
tunnel-group wevpnusers general-attributes
address-pool RasVPNPool
default-group-policy RemoteAccessUsersPolicy
tunnel-group wevpnusers ipsec-attributes
pre-shared-key *
tunnel-group xxxvpnusers type ipsec-ra
tunnel-group xxxvpnusers general-attributes
address-pool RasVPNPool
default-group-policy RemoteAccessUsersPolicy
tunnel-group xxxvpnusers ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 cable-isp
ssh 0.0.0.0 0.0.0.0 iap
ssh 0.0.0.0 0.0.0.0 elser
ssh timeout 60
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect http
inspect pptp
inspect dns
inspect h323 h225
inspect h323 ras
inspect icmp
inspect icmp error
inspect ils
inspect ipsec-pass-thru
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
!
prompt hostname context
Cryptochecksum:3a6dc862b6f5de7ad65823e04d8ec110
: end
ciscoasa#
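An added audit check, not part of the post and not Cisco's tooling: on ASA 7.2 a remote-access pool that is not exempted from NAT on the inside interface gets its reply traffic translated by the interface's "nat (iface) 1" rule, so the check below parses an excerpt of the posted config (the page's own interface, ACL and pool names) and reports every "nat (iface) 0 access-list X" line that the nonat ACL implies but the config does not contain. The assumption is that the pasted text is the running config and that the nonat ACL is the intended exemption list.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 7.2 config in the post (the page's own names and subnets).
CONFIG = """\
interface Ethernet0/3
nameif elser
ip address 10.9.2.6 255.255.254.0
access-list nonat extended permit ip 10.9.2.0 255.255.254.0 10.9.5.0 255.255.255.0
access-list nonat extended permit ip 10.9.5.0 255.255.255.0 10.9.2.0 255.255.254.0
ip local pool RasVPNPool 10.9.5.101-10.9.5.200 mask 255.255.255.0
nat (iap) 0 access-list nonat
nat (elser) 1 10.9.2.0 255.255.254.0
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)$")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Collect interface subnets (keyed by nameif), ACL entries, 'nat 0' bindings and pools."""
    ifaces, entries, nat0, pools, name = {}, [], set(), [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            ifaces[name] = net(*line.split()[2:4])
        elif m := ACL_RE.match(line):
            entries.append((m[1], net(m[2], m[3]), net(m[4], m[5])))
        elif m := NAT0_RE.match(line):
            nat0.add(m.groups())
        elif m := POOL_RE.match(line):
            pools.append(net(*m.groups()))
    return ifaces, entries, nat0, pools

def missing_nat_exemptions(config):
    """Return the 'nat (iface) 0 access-list X' lines an inside interface still needs;
    without one, its 'nat (iface) N' rule translates replies to VPN clients."""
    ifaces, entries, nat0, pools = parse(config)
    fixes = []
    for acl, src, dst in entries:
        if any(dst.overlaps(p) for p in pools):  # entry pairs inside hosts with VPN clients
            for name, subnet in ifaces.items():
                fix = f"nat ({name}) 0 access-list {acl}"
                if src.subnet_of(subnet) and (name, acl) not in nat0 and fix not in fixes:
                    fixes.append(fix)
    return fixes
```

For the posted config the check reports the one missing binding on the elser interface; hosts on 10.9.2.0/23 must additionally have a route for 10.9.5.0/24 pointing at the ASA (10.9.2.6) if the ASA is not their default gateway.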