VPN that cannot reach local resources

Virtual private networks and related topics

Moderator: Federico.Lagni

Pino6504
n00b
Posts: 5
Joined: Thu 13 Jun 2013, 7:32 pm

Hi everyone,
I have a problem that has been holding me up for a while with an ASA 5505; I should say up front that I don't know it very well.
I created an IPsec VPN following Cisco's guidelines, creating a dedicated address pool for the VPN, 192.168.20.1, while the internal network is 192.168.1.1; I created the NAT rule (NAT exempt) from 192.168.1.1 to 192.168.20.1, and split tunneling with the corresponding standard ACL that permits the internal network.
Everything seems fine: I connect from outside to the public IP of the outside interface and the connection succeeds, but I can't reach the internal network's resources... Am I missing something, or is something wrong? Can you help me?
I also created an SSL VPN, but it gives exactly the same problem....
Thanks.
The configuration follows.
Result of the command: "show running-config"

ASA Version 8.2(5)
!
hostname asa
domain-name XXXXXXXXX
enable password XXXXXXXXXXXXX encrypted
passwd XXXXXXXXXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.10.10 255.255.255.248
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.35
name-server 151.99.125.2
name-server 151.99.125.3
name-server 62.211.69.150
domain-name XXXXXXXX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network obj_any
access-list vpn-ssl extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 inactive
access-list vpn-ssl extended permit ip any 192.168.10.0 255.255.255.0 inactive
access-list vpn-ssl extended permit ip any 192.168.1.0 255.255.255.0 inactive
access-list vpn-ssl extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0 inactive
access-list VPN_cisco_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list vpn_SSL standard permit 192.168.1.0 255.255.255.0
access-list VPN_IPSEC_MARCONI_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool pool_ssl 192.168.10.1-192.168.10.100 mask 255.255.255.0
ip local pool pool_IPSEC 192.168.20.1-192.168.20.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.10.10.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
network-acl vpn-ssl
aaa-server marconi protocol nt
aaa-server marconi (inside) host 192.168.1.35
nt-auth-domain-controller marconi
aaa-server marconi_IPSEC protocol nt
aaa-server marconi_IPSEC (inside) host 192.168.1.35
timeout 5
nt-auth-domain-controller marconi
aaa authentication enable console marconi LOCAL
aaa authentication ssh console marconi LOCAL
http server enable
http 192.168.1.1 255.255.255.255 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=vpn.marconi
keypair vpn
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate f037c151
308201db 30820144 a0030201 020204f0 37c15130 0d06092a 864886f7 0d010105
05003032 31143012 06035504 03130b76 706e2e6d 6172636f 6e69311a 30180609
2a864886 f70d0109 02160b61 73612e6d 6172636f 6e69301e 170d3133 30363139
30353532 32315a17 0d323330 36313730 35353232 315a3032 31143012 06035504
03130b76 706e2e6d 6172636f 6e69311a 30180609 2a864886 f70d0109 02160b61
73612e6d 6172636f 6e693081 9f300d06 092a8648 86f70d01 01010500 03818d00
30818902 81810090 51652ad4 f68cebc3 9c19f646 b79ab111 9aef8ad7 b44c723c
d66de793 6e93e4ed e1596f07 3ef1c2d9 92efa003 ed8d7461 10d8b2d1 4db8a1c1
fc39af7a 3629333d a4535b4b 58e669a7 543898e5 8c28c869 63874d3e 000cc635
3b3d64a9 2fb42880 b9457121 070f0ff3 5f66a426 b7d639cd e02fb983 a7e0c28b
d0cf6484 13ad5102 03010001 300d0609 2a864886 f70d0101 05050003 81810030
cdd69551 6979350b dc44822d ef672157 202df0ae d80d6ac9 796f3874 638152f0
0be75349 2b669844 ad996d97 9990197a 42a2bc9e d9310832 184b1c39 5080dd31
e3924d11 d9269ce6 59187cf3 1d509895 55737dba f4ec02e0 a700cb17 610e3d85
38b24020 4853a32c f7d14c23 fbb35695 4b8c57f0 3b0e5292 78e9f023 377a13
quit
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.1.35 151.99.125.2
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SSL
default-domain value marconi
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value 151.99.125.2 151.99.125.3
vpn-tunnel-protocol svc
default-domain value marconi
group-policy VPN_IPSEC_MARCONI internal
group-policy VPN_IPSEC_MARCONI attributes
wins-server value 192.168.1.35
dns-server value 192.168.1.35
vpn-access-hours none
vpn-filter none
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_IPSEC_MARCONI_splitTunnelAcl
default-domain value marconi
split-dns value 192.168.1.35 151.99.125.2
vlan none
group-policy any_connect_marconi internal
group-policy any_connect_marconi attributes
wins-server value 192.168.1.35
dns-server value 192.168.1.35 151.99.125.2
vpn-tunnel-protocol svc webvpn
group-lock value vpn_ssl
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SSL
default-domain value marconi
address-pools value pool_ssl
webvpn
svc rekey time 30
svc rekey method ssl
svc ask none default svc
username admin password ujJAU1zjv3fWSa66 encrypted privilege 15
username pinotti password kAk1c.A/0zpq0Inh encrypted privilege 0
username pinotti attributes
vpn-group-policy any_connect_marconi
tunnel-group vpn_ssl type remote-access
tunnel-group vpn_ssl general-attributes
address-pool pool_ssl
authentication-server-group marconi LOCAL
authentication-server-group (inside) marconi LOCAL
default-group-policy any_connect_marconi
tunnel-group vpn_ssl webvpn-attributes
group-alias vpn enable
group-url https://10.10.10.10/vpn enable
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
address-pool (inside) pool_ssl
address-pool pool_ssl
authentication-server-group marconi
tunnel-group VPN_IPSEC_MARCONI type remote-access
tunnel-group VPN_IPSEC_MARCONI general-attributes
address-pool pool_IPSEC
authentication-server-group marconi_IPSEC
authentication-server-group (inside) marconi_IPSEC
default-group-policy VPN_IPSEC_MARCONI
tunnel-group VPN_IPSEC_MARCONI ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect dns
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/odd ... DCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:71fc0a49f69dab885a0ce2e7c9138c35
: end
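Added example, not from the original post and not a Cisco tool: a small Python checker for the three prerequisites a remote-access client needs in order to reach the LAN on a pre-8.3 ASA, run over an excerpt of the config posted above (only the IPsec tunnel group and the lines the checks read; the parser ignores indentation, so the whitespace the forum stripped does not matter). The function names and the wording of the findings are my own. It verifies that the pool is a subnet separate from the inside network, that the `nat (inside) 0` ACL exempts inside-to-pool traffic, and that with `split-tunnel-policy tunnelspecified` the split ACL includes the inside network.

```python
import ipaddress

# Constructed excerpt of the ASA 8.2(5) running-config posted above, cut down to
# the lines these checks need (indentation is not required by the parser).
ASA_CONFIG = """\
interface Vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
access-list VPN_IPSEC_MARCONI_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
ip local pool pool_IPSEC 192.168.20.1-192.168.20.100 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy VPN_IPSEC_MARCONI attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_IPSEC_MARCONI_splitTunnelAcl
tunnel-group VPN_IPSEC_MARCONI general-attributes
address-pool pool_IPSEC
default-group-policy VPN_IPSEC_MARCONI
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_net(w, i):
    """ACL address spec at w[i] ('any' or 'ADDR MASK') -> (network, next index)."""
    if w[i] == "any":
        return ANY, i + 1
    return ipaddress.ip_network(f"{w[i]}/{w[i + 1]}", strict=False), i + 2


def parse_asa(config):
    """Interfaces, pools, active ACL entries, nat0 bindings, group-policy and
    tunnel-group attributes from a pre-8.3 ASA config (hypothetical helper)."""
    ifaces, pools, acls, nat0, gp, tg = {}, {}, {}, {}, {}, {}
    ctx = None  # ('iface' | 'gp' | 'tg', name): the block the current line belongs to
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            ctx, ifaces[w[1]] = ("iface", w[1]), {}
        elif w[0] == "group-policy" and w[-1] == "attributes":
            ctx = ("gp", w[1]); gp.setdefault(w[1], {})
        elif w[0] == "tunnel-group" and w[-1] == "general-attributes":
            ctx = ("tg", w[1]); tg.setdefault(w[1], {})
        elif w[0] == "access-list" and "inactive" not in w:
            if w[2] == "standard" and w[3] == "permit":
                acls.setdefault(w[1], []).append((_take_net(w, 4)[0], ANY))
            elif w[2] == "extended" and w[3:5] == ["permit", "ip"]:
                src, i = _take_net(w, 5)
                acls.setdefault(w[1], []).append((src, _take_net(w, i)[0]))
        elif w[:3] == ["ip", "local", "pool"]:
            first, last = w[4].split("-")
            pools[w[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif w[0] == "nat" and w[2] == "0" and w[3] == "access-list":
            nat0[w[1].strip("()")] = w[4]  # nat (inside) 0 access-list NAME
        elif ctx and ctx[0] == "iface":
            if w[0] == "nameif":
                ifaces[ctx[1]]["nameif"] = w[1]
            elif w[:2] == ["ip", "address"]:
                ifaces[ctx[1]]["net"] = _take_net(w, 2)[0]
        elif ctx and ctx[0] == "gp":
            if w[0] in ("split-tunnel-policy", "split-tunnel-network-list"):
                gp[ctx[1]][w[0]] = w[-1]
        elif ctx and ctx[0] == "tg":
            if w[0] in ("address-pool", "default-group-policy"):
                tg[ctx[1]][w[0]] = w[-1]  # w[-1] also covers 'address-pool (inside) NAME'
    return ifaces, pools, acls, nat0, gp, tg


def check_remote_access(config, inside="inside"):
    """{tunnel_group: [findings]}; an empty list means the pool, the NAT exemption
    and the split-tunnel list all allow a client to reach the LAN behind `inside`."""
    ifaces, pools, acls, nat0, gp, tg = parse_asa(config)
    lan = next(i["net"] for i in ifaces.values() if i.get("nameif") == inside)
    nat0_rules = acls.get(nat0.get(inside, ""), [])
    report = {}
    for name, attrs in tg.items():
        policy = gp.get(attrs.get("default-group-policy"), {})
        if attrs.get("address-pool") not in pools:
            report[name] = ["no address pool assigned"]
            continue
        first, last = pools[attrs["address-pool"]]
        findings = []
        # 1. The pool should be a subnet of its own, not carved out of the LAN (as in the post).
        if first in lan or last in lan:
            findings.append(f"pool {attrs['address-pool']} overlaps {inside} subnet {lan}")
        # 2. Without NAT exemption (nat 0) for LAN -> pool, replies to clients get PATed like internet traffic.
        if not any(lan.subnet_of(s) and first in d and last in d for s, d in nat0_rules):
            findings.append(f"no NAT exemption from {lan} to pool {attrs['address-pool']}")
        # 3. With 'tunnelspecified' only the networks listed in the split ACL enter the tunnel.
        if policy.get("split-tunnel-policy") == "tunnelspecified":
            split = acls.get(policy.get("split-tunnel-network-list", ""), [])
            if not any(lan.subnet_of(n) for n, _ in split):
                findings.append(f"split-tunnel ACL {policy.get('split-tunnel-network-list')} does not include {lan}")
        report[name] = findings
    return report
```

Paste the whole running-config into ASA_CONFIG to check every tunnel group at once; `check_remote_access(ASA_CONFIG)` returns an empty finding list for VPN_IPSEC_MARCONI on the posted config, so NAT exemption and split tunneling are not the problem there. The checker says nothing about whether the LAN hosts route replies for 192.168.20.0/24 back to the ASA, which is the question the later replies raise.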
antomi
Cisco fan
Posts: 48
Joined: Wed 20 May 2009, 11:24 am

Hi, sorry, I didn't quite understand: do you want to create a site-to-site VPN or a remote-access one?
Pino6504
n00b
Posts: 5
Joined: Thu 13 Jun 2013, 7:32 pm

I'm trying to create a remote-access VPN; the client connects, authenticating with the Active Directory user, and gets a network address from the pool assigned in the VPN configuration, which is different from the LAN's.
Once connected from outside, I can't access the resources of the company LAN.
paolomat75
Messianic Network master
Posts: 2965
Joined: Fri 29 Jan 2010, 10:25 am
Location: Province of GE

Are you using the VPN as the gateway?

Paolo
No leaf falls that the unconscious does not want (S.B.)
Rizio
Messianic Network master
Posts: 1158
Joined: Fri 12 Oct 2007, 2:48 pm

On my ASA, which I use for VPN access, I declared all the routes for the internal networks toward my LAN's core switch; in your config I didn't seem to see the same, so check that it isn't just that.

Rizio
Si vis pacem para bellum
antomi
Cisco fan
Posts: 48
Joined: Wed 20 May 2009, 11:24 am

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0

You have these 2 access lists; try removing the first one and leave only
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0

Let me know
Pino6504
n00b
Posts: 5
Joined: Thu 13 Jun 2013, 7:32 pm

I removed the second ACL; it was left over from another configuration attempt.
The VPN gateway... what exactly do you mean?
If I run ipconfig on the PC with the VPN active, the gateway field shows up empty. Is a static route perhaps needed, from the VPN pool to the local network's gateway address? Which is in turn the address of the inside interface that the LAN points to in order to get out?

On the ASA, in the Routing section, there is only this route:
outside 0.0.0.0 0.0.0.0 31.xx.xx.xx. 1
31.xx.xx.xx is the router's public address; the ASA has another one on the outside, 31.yy.yy.yy.

I hope I've explained myself.