VPN into ASA 5510 unable to access internet and other network

All,

We have two locations (office and hosting), each with a 5510, connected via VPN connection. There are no issues accessing the hosting environment or the internet from within the office. However, when users VPN into the office using the Cisco client, they cannot access internet hosts or anything in the hosting environment. Accessing systems in the office network is not an issue.

I've attached most of the running-config (obviously unimportant parts stripped out) below. Any help would be greatly appreciated.

Hugh

names
name 192.168.242.1 INT-primary
name 1.2.3.34 EXT-34
name 1.2.3.35 EXT-35
name 1.2.3.36 EXT-36
name 1.2.3.49 EXT-49
name 1.2.3.50 EXT-50
name 1.2.3.51 EXT-51
name 1.2.3.52 EXT-52
name 4.5.6.250 Hosting-250
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address EXT-36 255.255.255.240
!
interface Ethernet0/1
 duplex full
 nameif inside
 security-level 100
 ip address INT-primary 255.255.255.0
!
interface Ethernet0/2
 nameif phone
 security-level 75
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
 nameif dmz
 security-level 25
 ip address 10.20.30.1 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
object-group network Hosting-45
 network-object 192.168.245.0 255.255.255.0
object-group network Office-42
 description Internal office IPs
 network-object 192.168.242.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_20_cryptomap extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.242.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.242.248 255.255.255.248
access-list outside_cryptomap_3 extended permit ip any 192.168.242.240 255.255.255.240
access-list outside_cryptomap extended permit ip any 192.168.242.248 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu phone 1500
mtu dmz 1500
mtu management 1500
ip local pool Employees 192.168.242.250-192.168.242.252 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip verify reverse-path interface phone
ip verify reverse-path interface dmz
no failover
monitor-interface outside
monitor-interface inside
monitor-interface phone
monitor-interface dmz
monitor-interface management
arp timeout 14400
nat-control
global (outside) 10 EXT-49 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.242.0 255.255.255.0
nat (phone) 10 10.10.10.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.2.3.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server AD protocol radius
aaa-server NT protocol nt
aaa-server NT host INT-AD
 nt-auth-domain-controller AD
group-policy OffVPN internal
group-policy OffVPN attributes
 wins-server value 192.168.242.2
 dns-server value 192.168.242.2 192.168.242.27
 vpn-tunnel-protocol IPSec
 default-domain value domain.local
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer Hosting-250
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
tunnel-group OffVPN type ipsec-ra
tunnel-group OffVPN general-attributes
 address-pool Employees
 authentication-server-group NT
 default-group-policy OffVPN
tunnel-group OffVPN ipsec-attributes
 pre-shared-key *
tunnel-group 4.5.6.250 type ipsec-l2l
tunnel-group 4.5.6.250 ipsec-attributes
 pre-shared-key *
console timeout 0
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
!
Reply to
HRileyBSG

I'm more proficient with ASDM but just a guess: Are there routes set up for the users connecting via office VPN to the hosting ips? Do all the intermediate network devices have a route to get to the natted addresses of the office vpn users (the ip local employees pool)? Could there be a firewall or access list on one of the intermediate devices that block access from the 192.168.242.250-192.168.242.252 ip range?

HTH, Z

snipped-for-privacy@gmail.com wrote:

Reply to
zarmice

There are no routes specifically set up for the VPN users. They're given an IP address in the same network as those that are sitting in the office, so I would think that they wouldn't need a special route. There aren't any intermediate devices that would have an impact on access and there's definitely not any rule blocking the VPN IP addresses.

My suspicion is that the VPN users aren't being regarded as truly in the inside network, therefore the rules for that network aren't applied. Would I be even remotely close on that?

Thanks,

Hugh

Reply to
HRileyBSG
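To test Hugh's suspicion against the posted config rather than by eye, here is an added example (not from this thread or from Cisco) in Python. It parses the 8.2-style lines Hugh posted, works out where the Employees pool sits relative to the inside subnet, the NAT-exemption ACL and the L2L crypto ACL, and then checks for the two things an ASA needs before traffic that arrived on the outside interface (the VPN clients) may be sent back out of the same interface (to the hosting tunnel or the internet): the "same-security-traffic permit intra-interface" command and a NAT rule on the outside interface covering the pool, which "nat-control" makes mandatory. The CONFIG string is an excerpt of the config in the first post; the parser only understands the handful of command forms used there.

```python
"""Audit an ASA 8.2-style config excerpt for remote-access VPN reachability.

Added example, not from the original thread. Checks whether the VPN pool is
NAT-exempt and inside the L2L crypto ACL, and whether the config contains the
pieces an ASA needs to hairpin VPN-client traffic back out of 'outside'.
"""
import ipaddress

# Excerpt of the running-config posted in the thread (only the lines this audit reads).
CONFIG = """\
name 192.168.242.1 INT-primary
name 1.2.3.49 EXT-49
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address INT-primary 255.255.255.0
access-list outside_20_cryptomap extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.242.0 255.255.255.0 192.168.245.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.242.240 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.242.248 255.255.255.248
ip local pool Employees 192.168.242.250-192.168.242.252 mask 255.255.255.0
nat-control
global (outside) 10 EXT-49 netmask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 192.168.242.0 255.255.255.0
crypto map outside_map 20 match address outside_20_cryptomap
"""


def _resolve(token, names):
    """Replace an ASA 'name' alias with its IP; literal IPs pass through."""
    return names.get(token, token)


def _parse_addr(tokens, names):
    """Parse one ACL address term (any | host A | A MASK) -> (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(_resolve(tokens[1], names) + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{_resolve(tokens[0], names)}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_config(text):
    """Extract names, 'permit ip' ACL entries, pools, nat rules and the two hairpin flags."""
    cfg = {"names": {}, "acls": {}, "pools": {}, "nats": [], "crypto_acls": [],
           "inside_subnet": None, "intra_interface": False, "nat_control": False}
    current_if = None
    for raw in text.splitlines():
        p = raw.split()
        if not p:
            continue
        if p[0] == "name" and len(p) >= 3:
            cfg["names"][p[2]] = p[1]
        elif p[0] == "interface":
            current_if = None
        elif p[0] == "nameif":
            current_if = p[1]
        elif p[:2] == ["ip", "address"] and current_if == "inside":
            cfg["inside_subnet"] = ipaddress.ip_network(
                f"{_resolve(p[2], cfg['names'])}/{p[3]}", strict=False)
        elif p[0] == "access-list" and p[2:5] == ["extended", "permit", "ip"]:
            src, rest = _parse_addr(p[5:], cfg["names"])
            dst, _ = _parse_addr(rest, cfg["names"])
            cfg["acls"].setdefault(p[1], []).append((src, dst))
        elif p[:3] == ["ip", "local", "pool"]:
            first, last = (ipaddress.ip_address(a) for a in p[4].split("-"))
            cfg["pools"][p[3]] = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
        elif p[0] == "nat" and p[1].startswith("("):
            iface = p[1].strip("()")
            if p[2] == "0" and p[3] == "access-list":
                cfg["nats"].append((iface, 0, p[4]))          # NAT exemption via ACL
            else:
                net = ipaddress.ip_network(f"{_resolve(p[3], cfg['names'])}/{p[4]}", strict=False)
                cfg["nats"].append((iface, int(p[2]), net))   # dynamic NAT/PAT pool
        elif p[:2] == ["crypto", "map"] and "match" in p:
            cfg["crypto_acls"].append(p[p.index("address") + 1])
        elif raw.strip() == "same-security-traffic permit intra-interface":
            cfg["intra_interface"] = True
        elif raw.strip() == "nat-control":
            cfg["nat_control"] = True
    return cfg


def audit(text):
    """Per pool: where it sits in the config, plus the hairpin prerequisites."""
    cfg = parse_config(text)
    exempt_acls = [n[2] for n in cfg["nats"] if n[1] == 0 and n[0] == "inside"]
    exempt_dsts = [dst for acl in exempt_acls for (_, dst) in cfg["acls"].get(acl, [])]
    crypto_srcs = [src for acl in cfg["crypto_acls"] for (src, _) in cfg["acls"].get(acl, [])]
    has_outside_nat = any(iface == "outside" for (iface, _, _) in cfg["nats"])

    def covered(addrs, nets):
        return all(any(a in n for n in nets) for a in addrs)

    report = {}
    for pool, addrs in cfg["pools"].items():
        report[pool] = {
            "in_inside_subnet": cfg["inside_subnet"] is not None and covered(addrs, [cfg["inside_subnet"]]),
            "nat_exempt_as_destination": covered(addrs, exempt_dsts),  # inside hosts reach clients un-NATed
            "in_l2l_crypto_source": covered(addrs, crypto_srcs),       # client->hosting matches the L2L ACL
            "intra_interface_enabled": cfg["intra_interface"],
            "has_outside_nat_rule": has_outside_nat,
            "nat_control": cfg["nat_control"],
        }
    return report


def hairpin_blockers(result):
    """Conditions that stop VPN-client traffic from re-exiting the outside interface."""
    issues = []
    if not result["intra_interface_enabled"]:
        issues.append("same-security-traffic permit intra-interface is missing: traffic may not enter "
                      "and leave the outside interface, so clients cannot reach hosting or the internet")
    if result["nat_control"] and not result["has_outside_nat_rule"]:
        issues.append("nat-control is on but there is no nat (outside) rule or exemption for the pool: "
                      "client traffic entering on outside has no translation to leave by")
    return issues


if __name__ == "__main__":
    for pool, res in audit(CONFIG).items():
        print(pool, res)
        for msg in hairpin_blockers(res):
            print("  -", msg)
```

Run against the posted excerpt it reports that the pool is in the inside subnet, is covered by the inside_nat0_outbound exemption (the .248/29 entry) and by the L2L crypto ACL, so the plain-ACL explanations the replies raise do not apply; what is absent is both hairpin prerequisites. Both conditions are checks, not a fix; the exact commands to add depend on the ASA version in use.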

Are non-vpn users inside the office using a gateway other than the ASA? If so, they probably have a route to the hosting ips (192.168.245.0/24). I didn't see a 'route inside 192.168.245.0 255.255.255.0 1' type statement in your config. Z
Reply to
Z

Nope. There's only the ASA and everyone should be using that for access to the hosting site. Not sure how I could get it to work otherwise since they get to the hosting network via an ASA VPN connection, but that's neither here nor there.

Reply to
HRileyBSG

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.