in
Questions and answers to issues related to Software: Business, Database, Firewalls, Office, Graphics, Security, System, Server. » Firewalls » Enterprise Firewalls » Cisco PIX Firewall » Why is my Remote Access VPN and Static PAT not working?

Why is my Remote Access VPN and Static PAT not working?

I have an ASA 5505 with a public outside address and private inside address. I have a site-to-site VPN tunnel up and running properly. Recently I have tried to implement Static PAT (port forwarding) and Remote Access VPN, both of which do not work. I am able to authenticate to the Remote Access VPN but am unable to access any inside networks.
Code Snippet: 
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:

ASA Version 7.2(3) 
!
hostname localhost
domain-name domain.local
enable password XXXXXXXX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.254.26 255.255.255.252 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 24.X.X.X 255.255.255.240 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXXXXXX encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
access-list acl_out extended permit icmp any any 
access-list outside_cryptomap_10 extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0 
access-list outside_cryptomap_10 extended permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0 
access-list outside_cryptomap_10 extended permit ip 192.168.4.0 255.255.255.0 192.168.7.0 255.255.255.0 
access-list outside_cryptomap_10 extended permit ip 192.168.5.0 255.255.255.0 192.168.7.0 255.255.255.0 
access-list outside_cryptomap_10 extended permit ip 192.168.6.0 255.255.255.0 192.168.7.0 255.255.255.0 
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.7.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.4.0 255.255.255.0 192.168.7.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.7.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.7.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 192.168.250.0 255.255.255.240 
access-list acl_inbound extended permit tcp any host 24.X.X.X eq www 
access-list acl_inbound extended permit tcp any host 24.X.X.X eq https 
access-list acl_inbound extended permit tcp any host 24.X.X.X eq 4125 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RA_Local_Pool 192.168.240.1-192.168.240.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any echo-reply outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www 192.168.5.108 www netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.5.108 https netmask 255.255.255.255 
static (inside,outside) tcp interface 4125 192.168.5.108 4125 netmask 255.255.255.255 
access-group acl_inbound in interface outside
route inside 192.168.2.0 255.255.255.0 192.168.254.25 1
route inside 192.168.3.0 255.255.255.0 192.168.254.25 1
route inside 192.168.4.0 255.255.255.0 192.168.254.25 1
route inside 192.168.5.0 255.255.255.0 192.168.254.25 1
route inside 192.168.6.0 255.255.255.0 192.168.254.25 1
route inside 192.168.1.0 255.255.255.0 192.168.254.25 1
route outside 0.0.0.0 0.0.0.0 24.204.31.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set esp-aes-256 esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 198.X.X.X
crypto map outside_map 10 set transform-set esp-aes-256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
 lifetime 1000
crypto isakmp policy 2
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
group-policy Remote_Access internal
group-policy Remote_Access attributes
 dns-server value 24.X.X.4 24.X.X.5
 vpn-tunnel-protocol IPSec 
 default-domain value domain.local
username user0 password XXXXXXXX encrypted privilege 15
username user1 password XXXXXXXX encrypted privilege 15
tunnel-group 198.X.X.X type ipsec-l2l
tunnel-group 198.X.X.X ipsec-attributes
 pre-shared-key ********
tunnel-group Remote_Access type ipsec-ra
tunnel-group Remote_Access general-attributes
 address-pool RA_Local_Pool
 default-group-policy Remote_Access
tunnel-group Remote_Access ipsec-attributes
 pre-shared-key ********
prompt hostname context 
Cryptochecksum:cd66a7219a05ba73a157882a6ac90353
: end
Open in New Window
Select All

Solution: Why is my Remote Access VPN and Static PAT not working?

Your no nat acl states:

access-list inside_nat0_outbound extended permit ip any 192.168.250.0 255.255.255.240

but your vpn pool is in this range

192.168.240.1-192.168.240.10 mask 255.255.255.0

So either the 192.168.250.x in the no nat acl is for something else or you need to add a line to your no not acl so that you can access your inside network.

Regards,

3nerds

Popular Tags

Browse All Tags