Sign in to follow this  
Followers 0
Vuong Huu Dung

VPN Client cannot access to LOCAL LAN

4 posts in this topic

I have configured a lab VPN Client to Site using Ipsec. When i connected to ASA Firewall via Cisco VPN Client, i can't access to Local Network. (192.168.2.x can't ping to 192.168.1.x)

My topology : ASA Firewall - Cisco Router - Internet - Remote Users

 

Sorry for my English.

 

Cisco Router configuration :

 

interface FastEthernet0/0

ip address 1.1.1.2 255.255.255.0
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface FastEthernet0/1
ip address 192.168.255.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list internet interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.255.2 443 interface FastEthernet0/0 443
ip nat inside source static udp 192.168.255.2 500 1.1.1.2 500 extendable
ip nat inside source static udp 192.168.255.2 4500 1.1.1.2 4500 extendable
ip nat inside source static tcp 192.168.255.2 10000 1.1.1.2 10000 extendable
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 192.168.1.0 255.255.255.0 192.168.255.2
!
ip access-list extended internet
permit ip 192.168.255.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
deny ip any any

 

ASA configuration below :

 

interface GigabitEthernet0

nameif outside
security-level 0
ip address 192.168.255.2 255.255.255.0
!
interface GigabitEthernet1
nameif inseide
security-level 0
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
access-list LAN standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list inseide_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inseide 1500
ip local pool VPN-POOL 192.168.2.10-192.168.2.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-661.bin
no asdm history enable
arp timeout 14400
nat (any,any) source static any any destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24
access-group outside_access_in in interface outside
access-group inseide_access_in in interface inseide
route outside 0.0.0.0 0.0.0.0 192.168.255.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 1.1.2.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RA_VPN internal
group-policy RA_VPN attributes
wins-server value 192.168.1.5
dns-server value 192.168.1.5
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value LAN
default-domain value dungvh.com
username vpnclient password UXU1JqgAdj2zRJuP encrypted privilege 0
username vpnclient attributes
vpn-group-policy RA_VPN
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool VPN-POOL
default-group-policy RA_VPN
tunnel-group RA_VPN ipsec-attributes
ikev1 pre-shared-key 123456
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:11f33a3aec383c8a166b05a1eb87b07b
: end

running-config asa.txt

Edited by Vuong Huu Dung
0

Share this post


Link to post
Share on other sites

try supportforums . cisco . com guys over there are more technical

Edited by martinlo
0

Share this post


Link to post
Share on other sites

Hi,

 

I am not sure if the rule about same security levels on interface apply to the VPN traffic as well. But for testing purposes try to enable

"same-security-traffic inter-interface".

 

Cromac

0

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0