
VPN connects but wont route between LAN and client


gurner
Technical User
Feb 13, 2002
We have an ASA5510 configured OK to access the internet etc.; users can access the portal OK and download the AnyConnect SSL client and get LAN access etc., but it only has the default 2 licenses.

They bought 250 IPSec licenses, so we set up IPSec VPN access, and have eventually got the client to connect to the VPN, but for the life of us we can't narrow down what is stopping access.

It looks like an ACL doing it, but we can't see which one could.

You can telnet to the firewall and ping the LAN, and ping the VPN client, etc., but they can't access one another.

It continually logs

10.10.11.3 47070 UKDC01 53 Authorization denied (acl=DAP-ip-user-B0BF360E) for user 'administrator' from 10.10.11.3/47070 to UKDC01/53 on interface PublicINT using UDP

for all protocols from the VPN client.

If required I can paste the config here?

Cheers

Gurner
 
Here's the config. I think I know what you were referring to: someone suggested I remove authorization-required from the tunnels, so I did from the ones I saw it on,

but I still get the same symptoms and error, so I wonder if I've not turned it off right?

---------------------------------------
ASA Version 8.0(4)
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
!
interface Ethernet0/0
nameif PublicINT
security-level 0
ip address PublicIP 255.255.255.240
!
interface Ethernet0/1
nameif DMZ
security-level 0
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/2
nameif LAN
security-level 100
ip address 172.27.1.201 255.255.0.0
!
interface Ethernet0/3
nameif WLAN
security-level 10
ip address 10.0.0.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

access-list PublicINT_access_in remark VPN
access-list PublicINT_access_in extended permit udp any any eq isakmp
access-list PublicINT_access_in remark any NTL provided IP can ping another for testing
access-list PublicINT_access_in extended permit icmp xxx.xxx.xxx.xxx 255.255.255.240 any log disable
access-list PublicINT_access_in remark Allow LAN pinging
access-list PublicINT_access_in extended permit icmp 172.27.0.0 255.255.0.0 any log disable
access-list PublicINT_access_in remark Allow PPTP Tunnel back in to LAN after initialisation
access-list PublicINT_access_in extended permit gre any 172.27.0.0 255.255.0.0 log disable
access-list PublicINT_access_in remark Allow PPTP creation outbound
access-list PublicINT_access_in extended permit tcp any any eq pptp log disable
access-list PublicINT_access_in remark any ping will dooo
access-list PublicINT_access_in extended permit icmp any any log disable
access-list PublicINT_access_in remark for email inbound
access-list PublicINT_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 any eq smtp log disable
access-list PublicINT_access_in remark for OWA inbound to .91, includes this firewall too but that has a separate ACL
access-list PublicINT_access_in extended permit tcp any any eq https log disable
access-list PublicINT_access_in remark support can RDP like a goodun
access-list PublicINT_access_in extended permit tcp supportFurlong 255.255.255.0 any object-group RDP log disable
access-list PublicINT_access_in extended permit tcp 172.27.0.0 255.255.0.0 10.10.11.0 255.255.255.0
access-list LAN_to_VPN_outbound remark Allow LAN route back to VPN users
access-list LAN_to_VPN_outbound extended permit ip 172.27.0.0 255.255.0.0 10.10.11.0 255.255.255.0 log disable
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 172.27.0.0 255.255.0.0
access-list LAN_access_in remark Allow LAN access other interfaces
access-list LAN_access_in extended permit ip 172.27.0.0 255.255.0.0 any log disable
access-list DMZ_access_in remark DMZ allowed out
access-list DMZ_access_in extended permit ip any any log disable
access-list DMZ_access_in remark Blocked from LAN
access-list DMZ_access_in extended deny ip any 172.27.0.0 255.255.0.0 log disable
access-list DefaultRAGroup_splitTunnelAcl standard permit 172.27.0.0 255.255.0.0
access-list DefaultRAGroup_splitTunnelAcl remark Access to LAN
access-list VPN-Pool_tun remark Access to VPN Pool
access-list VPN-Pool_tun standard permit 10.10.11.0 255.255.255.0
access-list VPN-Pool_tun remark Access to LAN
access-list VPN-Pool_tun standard permit 172.27.0.0 255.255.0.0
access-list VPN_to_LAN_Inbound remark Access for VPN Users to LAN
access-list VPN_to_LAN_Inbound extended permit ip 10.10.11.0 255.255.255.0 172.27.0.0 255.255.0.0 log disable
access-list management_nat_outbound remark for testing anywhere on management DHCP interface
access-list management_nat_outbound extended permit ip any any
access-list LAN_nat_outbound remark allow LAN/NAT access
access-list LAN_nat_outbound extended permit ip any any
access-list PublicINT_cryptomap extended permit ip 172.27.0.0 255.255.0.0 10.10.11.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_2 standard permit 172.27.0.0 255.255.0.0
access-list CompanyVPN-Group_splitTunnelAcl standard permit 172.27.0.0 255.255.0.0
access-list PublicINT_dyn_map extended permit ip any 10.10.11.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging list VPN-Log level debugging class vpn
logging buffer-size 50000
logging console informational
logging buffered informational
logging history informational
logging asdm informational
mtu PublicINT 1500
mtu DMZ 1500
mtu LAN 1500
mtu WLAN 1500
mtu management 1500
ip local pool AnyConnectPool 10.10.11.0-10.10.11.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (PublicINT) 1 interface
nat (LAN) 0 access-list LAN_to_VPN_outbound
nat (LAN) 1 access-list LAN_nat_outbound
nat (management) 1 access-list management_nat_outbound
static (LAN,PublicINT) xxx.xxx.xxx.xxx ExchangeUK netmask 255.255.255.255
access-group PublicINT_access_in in interface PublicINT
access-group DMZ_access_in in interface DMZ
access-group LAN_access_in in interface LAN
route PublicINT 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
network-acl PublicINT_dyn_map
webvpn
url-list value CompanyBookmarks
file-browsing enable
file-entry enable
url-entry enable
svc ask enable default webvpn
aaa-server AD_RADIUS protocol radius
max-failed-attempts 5
aaa-server AD_RADIUS (LAN) host UKDC01
key c1sc0
radius-common-pw c1sc0
acl-netmask-convert auto-detect
aaa-server AD_RADIUS (LAN) host UKDC03
key c1sc0
radius-common-pw c1sc0
aaa authentication serial console AD_RADIUS LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
http server enable
http supportFurlong 255.255.255.0 PublicINT
http xxx.xxx.xxx.xxx 255.255.255.240 PublicINT
http 172.27.0.0 255.255.0.0 LAN
http 192.168.1.0 255.255.255.0 management
http xxx.xxx.xxx.xxx 255.255.252.0 PublicINT
http redirect management 81
http redirect LAN 81
http redirect PublicINT 81
snmp-server host PublicINT xx.xxx.167.6 community snmp version 2c udp-port 161
snmp-server location Abingdon
no snmp-server contact
snmp-server community snmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt accept *** Welcome to Company Abingdon ***
auth-prompt reject *** Please contact Support at support@wibble.net in the event of logon problems ***
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map PublicINT_dyn_map 20 match address PublicINT_dyn_map
crypto dynamic-map PublicINT_dyn_map 20 set pfs
crypto dynamic-map PublicINT_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map PublicINT_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map PublicINT_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map PublicINT_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map PublicINT_map 65535 ipsec-isakmp dynamic PublicINT_dyn_map
crypto map PublicINT_map interface PublicINT
crypto ca trustpoint CompanyASA
enrollment self
subject-name CN=Head Office FW,O=Company,C=UK,L=Abingdon
crl configure
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca server
crypto ca certificate chain CompanyASA
certificate 31
xxxxxxxxxxxxxxx
quit
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
xxxxxxxxxxxxxxx
quit
crypto isakmp identity address
crypto isakmp enable PublicINT
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-sessiondb max-webvpn-session-limit 2
~~~~~~~~~~~~~~~~~~~~~~~~~~
webvpn
enable PublicINT
enable LAN
enable management
csd image disk0:/images/securedesktop-asa-3.3.0.129-k9.pkg
svc image disk0:/images/anyconnect-win-2.2.0140-k9.pkg 1 regex "Windows NT"
svc image disk0:/images/anyconnect-linux-2.2.0140-k9.pkg 3 regex "Linux"
svc image disk0:/images/anyconnect-macosx-i386-2.2.0140-k9.pkg 4 regex "PPC Mac OS X"
svc enable
port-forward test smtp 172.27.1.80 smtp
tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 172.27.1.11 172.27.1.33
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_2
default-domain value Company.com
group-policy DfltGrpPolicy attributes
dns-server value 172.27.1.11 172.27.1.33
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN-Pool_tun
default-domain value Company.com
secure-unit-authentication enable
address-pools value AnyConnectPool
webvpn
url-list value CompanyBookmarks
svc ask enable default webvpn timeout 5
group-policy CompanyVPN-Group internal
group-policy CompanyVPN-Group attributes
dns-server value 172.27.1.11 172.27.1.33
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PublicINT_cryptomap
default-domain value Company.com
username supporttemp password xxxxxxxxxxxxxxxxx encrypted
username admin password xxxxxxxxxxxxxxxxxxx encrypted privilege 15
username admin attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
password-storage disable
webvpn
customization value DfltCustomization
svc keep-installer none
username administrator password xxxxxxxxxxxxxxxxxx encrypted privilege 15
username Company password xxxxxxxxxxxxxxxxxxx encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool AnyConnectPool
authentication-server-group AD_RADIUS
authentication-server-group (PublicINT) AD_RADIUS LOCAL
authorization-server-group LOCAL
authorization-server-group (PublicINT) AD_RADIUS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup webvpn-attributes
group-alias VPNClientWin32 disable
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group AD_RADIUS LOCAL
authentication-server-group (LAN) AD_RADIUS LOCAL
authorization-server-group AD_RADIUS
authorization-server-group (LAN) AD_RADIUS
tunnel-group DefaultWEBVPNGroup webvpn-attributes
group-alias DefaultWEBVPNGroup disable
tunnel-group CompanyWebSSL type remote-access
tunnel-group CompanyWebSSL general-attributes
address-pool AnyConnectPool
authentication-server-group AD_RADIUS LOCAL
tunnel-group CompanyWebSSL webvpn-attributes
group-alias Company enable
dns-group InternalDNS
tunnel-group CompanyVPN-Group type remote-access
tunnel-group CompanyVPN-Group general-attributes
address-pool AnyConnectPool
authentication-server-group AD_RADIUS LOCAL
default-group-policy CompanyVPN-Group
tunnel-group CompanyVPN-Group ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
smtp-server xx.xxx.161.4
prompt hostname context

Gurner
 
I figured it out at last this morning. It is connected to the VPN and I have a continuous ping running and am able to RDP to internal servers OK.

I changed this set of lines, from

dynamic-access-policy-record DfltAccessPolicy
network-acl PublicINT_dyn_map

to

dynamic-access-policy-record DfltAccessPolicy
network-acl LAN_nat_outbound

The old ACL ‘PublicINT_dyn_map’ is defined as ‘access-list PublicINT_dyn_map extended permit ip any 10.10.11.0 255.255.255.0’

The one now currently being used, ‘LAN_nat_outbound’ was created for the outbound ‘dynamic’ NAT rule, and is just ‘access-list LAN_nat_outbound extended permit ip any any’ and when applied it just started working!

I changed the Split Tunnel used from VPN-Pool_tun to CompanyVPN-Group_splitTunnelAcl, but I think this was a coincidence, as they are the same except no ‘permit 10.10.11.0…’

access-list VPN-Pool_tun standard permit 10.10.11.0 255.255.255.0
access-list VPN-Pool_tun standard permit 172.27.0.0 255.255.0.0

access-list CompanyVPN-Group_splitTunnelAcl standard permit 172.27.0.0 255.255.0.0


However, I swear I've tried this before, so I think some condition on the firewall is different this time around, and it has a better impact. What it is I can't really be sure.

So I've made multiple copies of the config and locked it all down so no one can change it (without the main account).

Cheers

Gurner
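The thread ends with a "permit ip any any" DAP network-acl that made things work but without pinning down why the old one did not. The following is an added illustration, not code from the thread or from Cisco: a small first-match ACL evaluator run over the two DAP ACLs quoted above (plus the config's own VPN_to_LAN_Inbound as a narrower alternative) against the flow from the logged denial, 10.10.11.3 to UKDC01 on UDP/53. UKDC01's address is not in the thread, so 172.27.1.11 is used as a constructed stand-in for a LAN host.

```python
import ipaddress

# Constructed sample: ACL lines copied from the posted config. The first two are
# the DAP network-acl values before and after the fix; the third is the config's
# existing VPN-to-LAN ACL, included to show a tighter option than "permit ip any any".
ACL_TEXT = """
access-list PublicINT_dyn_map extended permit ip any 10.10.11.0 255.255.255.0
access-list LAN_nat_outbound extended permit ip any any
access-list VPN_to_LAN_Inbound extended permit ip 10.10.11.0 255.255.255.0 172.27.0.0 255.255.0.0 log disable
"""

def _net(tokens, i):
    """Consume one ASA address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acls(text):
    """Return {acl_name: [(action, proto, src_net, dst_net), ...]} in config order.
    Remarks, standard ACLs and object-group entries are skipped (not needed here)."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or "object-group" in t:
            continue
        action, proto = t[3], t[4]
        src, i = _net(t, 5)
        dst, _ = _net(t, i)          # trailing "eq ..." / "log disable" tokens are ignored
        acls.setdefault(t[1], []).append((action, proto, src, dst))
    return acls

def evaluate(acl, src_ip, dst_ip, proto):
    """First-match evaluation; an ASA ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst in acl:
        if p in ("ip", proto) and s in src and d in dst:
            return action
    return "deny (implicit)"

ACLS = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    # The flow from the logged "Authorization denied" message: VPN client -> LAN DNS.
    for name, acl in ACLS.items():
        print(f"{name:24s} 10.10.11.3 -> 172.27.1.11 udp/53: {evaluate(acl, '10.10.11.3', '172.27.1.11', 'udp')}")
```

Run as a script it shows that PublicINT_dyn_map only permits traffic *to* the pool, so client-originated traffic to the LAN falls through to the implicit deny, while both "permit ip any any" and the narrower VPN_to_LAN_Inbound pass it.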
 