VPN Client cannot access LOCAL LAN



#1 Vuong Huu Dung

Posted 12 September 2013 - 07:05 PM

I have configured a lab VPN client-to-site setup using IPsec. When I connect to the ASA firewall via the Cisco VPN Client, I can't access the local network (192.168.2.x can't ping 192.168.1.x).

My topology: ASA Firewall - Cisco Router - Internet - Remote Users

Sorry for my English.

Cisco Router configuration:

interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
interface FastEthernet0/1
 ip address 192.168.255.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 !
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list internet interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.255.2 443 interface FastEthernet0/0 443
ip nat inside source static udp 192.168.255.2 500 1.1.1.2 500 extendable
ip nat inside source static udp 192.168.255.2 4500 1.1.1.2 4500 extendable
ip nat inside source static tcp 192.168.255.2 10000 1.1.1.2 10000 extendable
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 192.168.1.0 255.255.255.0 192.168.255.2
!
ip access-list extended internet
 permit ip 192.168.255.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any

ASA configuration below:

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.255.2 255.255.255.0 
!
interface GigabitEthernet1
 nameif inseide
 security-level 0
 ip address 192.168.1.1 255.255.255.0 
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
access-list LAN standard permit 192.168.1.0 255.255.255.0 
access-list outside_access_in extended permit ip any any 
access-list inseide_access_in extended permit ip any any 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inseide 1500
ip local pool VPN-POOL 192.168.2.10-192.168.2.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-661.bin
no asdm history enable
arp timeout 14400
nat (any,any) source static any any destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24
access-group outside_access_in in interface outside
access-group inseide_access_in in interface inseide
route outside 0.0.0.0 0.0.0.0 192.168.255.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 1.1.2.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RA_VPN internal
group-policy RA_VPN attributes
 wins-server value 192.168.1.5
 dns-server value 192.168.1.5
 vpn-tunnel-protocol ikev1 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LAN
 default-domain value dungvh.com
username vpnclient password UXU1JqgAdj2zRJuP encrypted privilege 0
username vpnclient attributes
 vpn-group-policy RA_VPN
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool VPN-POOL
 default-group-policy RA_VPN
tunnel-group RA_VPN ipsec-attributes
 ikev1 pre-shared-key 123456
!
!
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco....ces/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:11f33a3aec383c8a166b05a1eb87b07b
: end

Edited by Vuong Huu Dung, 12 September 2013 - 07:07 PM.


#2 Vuong Huu Dung

Posted 13 September 2013 - 05:45 PM

Anybody help, please.



#3 martinlo

Posted 20 September 2013 - 08:19 AM

Try supportforums.cisco.com; the guys over there are more technical.


Edited by martinlo, 20 September 2013 - 08:20 AM.


#4 Cromac

Posted 20 September 2013 - 07:50 PM

Hi,

I am not sure if the rule about same security levels on interfaces applies to the VPN traffic as well. But for testing purposes try to enable "same-security-traffic inter-interface".

Cromac


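Cromac's suggestion points at a property of the posted ASA config that is easy to check mechanically: both named interfaces (outside and inseide) sit at security-level 0, and an ASA only forwards between equal-level interfaces when `same-security-traffic permit inter-interface` is configured, which the posted config lacks. The Python lint below is an added example, not code from the thread; it parses a constructed excerpt of the posted interface blocks and reports every pair of interfaces that share a level while that line is absent.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed excerpt modelled on the ASA configuration posted in the thread
# (interface blocks only, trailing whitespace removed). Note that no
# "same-security-traffic permit inter-interface" line is present.
ASA_CONFIG = """\
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.255.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inseide
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
"""

def parse_interfaces(config):
    """Map each named interface (nameif) to its security level."""
    interfaces = {}
    nameif = level = None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = level = None            # start of a new interface block
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" security-level "):
            level = int(line.split()[1])
        if nameif is not None and level is not None:
            interfaces[nameif] = level
    return interfaces

def same_security_conflicts(config):
    """Return interface pairs that share a security level while the ASA is
    still configured to drop traffic between equal-level interfaces, i.e.
    'same-security-traffic permit inter-interface' is missing."""
    if re.search(r"^same-security-traffic permit inter-interface\s*$", config, re.M):
        return []
    by_level = defaultdict(list)
    for name, level in parse_interfaces(config).items():
        by_level[level].append(name)
    return [pair for names in by_level.values() for pair in combinations(names, 2)]
```

Run against the full posted config the check reports ("outside", "inseide"); appending the permit line, or raising the inside interface to a higher security level than outside, clears it.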
