Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN though ASA5505 can not see other computers within the network or w

Status
Not open for further replies.
mletendre

mletendre

Technical User
Dec 30, 2008
158
0
0
US

Any ideas why I can not view any other computers or workgroups?


as requested here is my show run for the ASA5505. I am using the remoteaccess tunneling group


ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
no names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 75.150.xx.xx 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 68.87.71.226
name-server 68.87.73.242
domain-name default.domain.invalid
dns server-group Primary
name-server 68.87.71.226
name-server 68.67.73.242
access-list http-list extended permit ip any any
access-list inbound extended permit tcp any host 75.150.xx.xx eq 3389
access-list inbound extended permit ip any host 75.150.xx.xx
access-list inbound extended permit tcp any host 75.150.xx.xx
access-list inbound extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any host 192.168.1.52
access-list capture1 extended permit ip any host 75.150.97.18
access-list capture1 extended permit ip host 75.150.xx.xx any
access-list inside_nat0_outbound_1 extended permit ip any 192.168.1.0 255.255.255.0
!
tcp-map tmap
exceed-mss allow
!
pager lines 12
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool nsaremote 192.168.1.120-192.168.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 75.150.xx.xx 192.168.1.52 netmask 255.255.255.255
static (inside,outside) 75.150.xx.xx 192.168.1.141 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 75.150.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto ca trustpoint remote
enrollment terminal
password *
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
client-update enable
telnet 192.168.1.131 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd wins 192.168.1.141
!
dhcprelay server 192.168.1.31 inside

!
class-map http
match access-list http-list
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 2000
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class http
set connection advanced-options tmap
!
service-policy global_policy global
group-policy remoteaccess internal
group-policy remoteaccess attributes
wins-server value 192.168.1.141
dns-server value 68.87.71.226 68.87.73.242
vpn-tunnel-protocol IPSec
group-policy nsaremote internal
group-policy nsaremote attributes
vpn-tunnel-protocol IPSec
username rsteele password Q.vPSpFXcdY4Itmb encrypted privilege 0
username rsteele attributes
vpn-group-policy remoteaccess
vpn-framed-ip-address 192.168.1.23 255.255.255.0
tunnel-group nsaremote type ipsec-ra
tunnel-group nsaremote general-attributes
address-pool nsaremote
default-group-policy nsaremote
tunnel-group nsaremote ipsec-attributes
pre-shared-key *
tunnel-group remoteaccess type ipsec-ra
tunnel-group remoteaccess general-attributes
address-pool nsaremote
default-group-policy remoteaccess
tunnel-group remoteaccess ipsec-attributes
pre-shared-key *
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context

 
Sort by date Sort by votes
I've had issues when my local ip pool subnet overlaps with the inside subnet. Try using 192.168.2.xxx instead.
 
Upvote 0 Downvote
I would change your domain name to something that is valid to your internal network (domain-name default.domain.invalid) and use DNS servers inside your network. those look like public DNS or external DNS. Your ASA does not know what your host names are on the inside. can you ping any internal hostss by IP? Can you rdp into any servers by IP?

your remote access pool looks fine its from 192.168.1.120 - 254
 
Upvote 0 Downvote
The remote user is running Windows XP Home,

We are mostly using Workgroups here within the building, There is one Domain but it is not really being utilized (not my call on that)



: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
no names
ddns update method Update
ddns both
interval maximum 0 3 0 0
!
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 75.150.xx.xx 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 68.87.71.226
name-server 68.87.73.242
domain-name default.domain.invalid
dns server-group Local
name-server 192.168.1.141
domain-name nsa.local
dns server-group Primary
name-server 68.87.71.226
name-server 68.67.73.242
access-list http-list extended permit ip any any
access-list inbound extended permit tcp any host 75.150.xx.xx eq 3389
access-list inbound extended permit ip any host 75.150.xx.xx
access-list inbound extended permit tcp any host 75.150.xx.xx
access-list inbound extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any host 192.168.1.52
access-list capture1 extended permit ip any host 75.150.xx.xx
access-list capture1 extended permit ip host 75.150.97.18 any
access-list inside_nat0_outbound_1 extended permit ip any 192.168.1.0 255.255.255.0
!
tcp-map tmap
exceed-mss allow
!
pager lines 12
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool nsaremote 192.168.1.120-192.168.1.254 mask 255.255.255.0
ip local pool remoteaccess 192.168.2.1-192.168.2.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 75.150.xx.xx 192.168.1.52 netmask 255.255.255.255
static (inside,outside) 75.150.xx.xx 192.168.1.141 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 75.150.xx.xx 1
!
router rip
network 192.168.1.0
network 192.168.2.0
version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto ca trustpoint remote
enrollment terminal
password *
crl configure
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
client-update enable
telnet 192.168.1.131 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd wins 192.168.1.141
!
dhcprelay server 192.168.1.31 inside

!
class-map http
match access-list http-list
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 2000
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class http
set connection advanced-options tmap
!
service-policy global_policy global
group-policy remoteaccess internal
group-policy remoteaccess attributes
wins-server value 192.168.1.141
dns-server value 192.168.1.141 68.87.73.242
vpn-tunnel-protocol IPSec
username rsteele password Q.vPSpFXcdY4Itmb encrypted privilege 0
username rsteele attributes
vpn-group-policy remoteaccess
vpn-framed-ip-address 192.168.2.23 255.255.255.0
tunnel-group remoteaccess type ipsec-ra
tunnel-group remoteaccess general-attributes
address-pool remoteaccess
default-group-policy remoteaccess
tunnel-group remoteaccess ipsec-attributes
pre-shared-key *
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:244611b24155da4d588a3de54b062b08
: end
 
Upvote 0 Downvote
so you have one remote user that logs in and is unable to see other workgroups?
 
Upvote 0 Downvote
Yes, this is just one user who comes in to do some work with our quickbooks file.

The other users also have desktops here and use Go To My PC or remote Desktop.

Maybe I am mistaken and she shouldnt see other work groups. At one time when she logged into the VPN, her local laptop was set to a 3D workgroup and she was able to see another computer on that 3D workgroup, so I changed her workgroup on that laptop to WORKGROUP thinking she could see computers on that work group, but she could not.

On Cisco's VPN Client 5 that she is running to connect I did check the "allow local Lan access
 
Upvote 0 Downvote
Oh, I just had the remote user try pinging the server and she just gets a time out...
 
Upvote 0 Downvote
where does the user authenticate? AD? Do they have proper rights?
 
Upvote 0 Downvote
They are authenticated through the local database on the ASA 5505, as I set them up when I first srarted the VPN config on the firewall
 
Upvote 0 Downvote
so if they authentice on the ASA, why would they be able to see other computers? i do not know the destination of the other pc but are there acl's that allow traffic?
 
Upvote 0 Downvote
Ok... maybe I am going about this the wrong way.

We have a small office network here. We don't really have a DNS server or a DHCP server, so I have tried making one, before we were just using the router to do that.

We want to have 1 user who needs access to our QuickBooks file to have the ability to use the VPN and then while connected they can connect to that file (they have the QuickBooks program running on their local machine, just need to access our company file here).

What do I have to do in order to allow them to use the VPN client and then have access to the file as if they were plugged in locally....
 
Upvote 0 Downvote
Oh and we are not using domains here either. We have one domain but that is not being used for the majority of the users.
 
Upvote 0 Downvote
now you are talking about 'split tunnelling' the ability to connect to the vpn while keeping your local files...local. this could be a huge security issue. i would not recommend this at all. give them RDP access on your network that has quick books installed

google split tunnels and use your best judgement
 
Upvote 0 Downvote
well yes and no, I want them to be able to use the program that they have installed on thier local laptop, and then just connect to the file on our network here.
 
Upvote 0 Downvote
right now the remote user can connect with the VPN but can not even Ping anything using Run ->cmd
 
Upvote 0 Downvote
I GOT IT! All this time it was one stupid check box on the client VPN program for "local Lan Access" I unchecked that and it worked.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
140
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
138
Johnkite
Johnkite
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
145
intel233
intel233
ciscokid1984
  • Locked
  • Question
Watchguard RDP from external network
Replies
1
Views
97
hairlessupportmonkey
hairlessupportmonkey
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
167
Shmid
Shmid

Part and Inventory Search

Sponsor

Back
Top