Can connect but not access LAN
14 years 1 month ago #35560
by matoposb0y
Hi there, I am having a problem accessing my LAN through the VPN. I can connect and log in, but I have no access. Here is my config; can you see anything obviously wrong?
ASA Version 8.2(1)
!
hostname FaDasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
name-server 192.168.1.1
same-security-traffic permit intra-interface
access-list outside_access_in extended permit tcp any interface outside eq 65100
access-list FDvpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool RemoteClientPool 209.165.201.1-209.165.201.15
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 65100 192.168.1.6 65100 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy FDvpn internal
group-policy FDvpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value FDvpn_splitTunnelAcl
username bob1 password rmLvvHLUthe9ahFo encrypted privilege 0
username bob1 attributes
vpn-group-policy FDvpn
username bob2 password eKwzKURFROhs60Y8 encrypted privilege 15
username bob3 password RYnHb7kyyB4/dldm encrypted privilege 0
username bob3 attributes
vpn-group-policy FDvpn
username bob4 password NGzhly1AoazPfSSa encrypted privilege 0
username bob4 attributes
vpn-group-policy FDvpn
username bob5 password jeBozWF5W3XCnmzZ encrypted privilege 0
username bob5 attributes
vpn-group-policy FaDvpn
tunnel-group FaDvpn type remote-access
tunnel-group FaDvpn general-attributes
address-pool RemoteClientPool
default-group-policy FaDvpn
tunnel-group FaDvpn ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:eb64f5a93211bc90fdb1fe147161343a
: end
14 years 1 month ago #35617
by Chris
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
I can't seem to find anything wrong with your configuration, however, try the following:
1) Can you verify in your Cisco VPN client that you have access to your local network when connecting to the VPN? Check the Statistics/Routes and ensure the 192.168.1.0 network is there.
2) Can you try replacing:
access-list FDvpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
with
access-list FDvpn_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
Good luck!