Can't ping Outside or DMZ using ASA 8.4
Hello all,
Thanks for all of your help.
Ok, I have a ASA 8.4 firewall that I have been working on so long.
It was a hassle to configure the object group and nat for 8.4.
So, I put two host in both side of ASA to test pinging but I can not ping the outside or the DMZ.
I attached my nat config.
Thanks.
Shefat
Looks like I can ping from the firewall to outside interface and the outside host.
But I can not ping this two places from the inside host. But I pin ping the firewall from the inside host.
It is not going through the firewall ..... very confusing.
Same with DMZ.
Shefat.
Similar Messages
-
How Can i Use two Different Public IP Addresses no my DMZ with ASA Firewall.
How To Using Two Different Public IP Address on My DMZ with ASA 5520
Postado por jorge decimo decimo em 28/Jan/2013 5:51:28
Hi everyone out there.
can any one please help me regarding this situation that im looking for a solution
My old range of public ip address are finished, i mean (the 41.x.x.0 range)
So now i still need to have in my DMZ another two servers that will bring some new services.
Remember that those two server, will need to be accessable both from inside and from outside users (Internet users) as well.
So as i said, my old range of public ip address is finished and we asked the ISP to gives some additional public
ip address to address the need of the two new servers on DMZ. and the ISP gave us the range of 197.216.1.24/29
So my quation is, on reall time world (on the equipment) how can i Use two different public ip address on the same DMZ
on Cisco ASA 5520 v8??
How my configuration should look like?
I was told about implementing static nat with Sub Interfaces on both Router and ASA interface
Can someone please do give me a help with a practical config sample please. i can as well be reached at [email protected]
attached is my network diagram for a better understanding
I thank every body in advance
JorgeHi,
So looking at your picture you have the original public IP address range configured on the OUTSIDE and its used for NAT for different servers behind the ASA firewall.
Now you have gotten a new public IP address range from the ISP and want to get it into use.
How do you want to use this IP address range? You want to configure the public IP addresses directly on the servers or NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current server)?
To get the routing working naturally the only thing needed between your Router and Firewall would be to have a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your Router and the ISP core could either be handled with Static Routing or Dynamic Routing.
So you dont really need to change the interface configuration between the Router and ASA at all. You just need a Static route pointing the new public IP address towards the ASA outside IP address.
Now when the routing is handled between the ISP - ISP/Your Router - Your Firewall, you can then consider how to use those IP addresses.
Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall?This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP addresses range AND then configure the LAN devices correspondingly to the chosen method on the firewall
Do you want to use the public IP addresses DIRECLTY on the ASA OUTSIDE as NAT IP addresses?This would require for you to only start configuring Static NAT for the new servers between the inside/dmz and outside interface of the ASA. The format would be no different from the previous NAT configuration other than for the different IP addresses ofcourse
Of the above ways
The first way is good because the actual hosts will have the public IP addresses. Therefore you wont run into problems with DNS when the LAN users are trying to access the server.
The second way is the one requiring the least amount of configurations/changes on the ASA. In this case though you might run into problem with DNS (to which I refer above) as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address and therefore connections from LAN could fail. This is because LAN users cant connect to the servers OUTSIDE NAT IP address (unless you NAT the server to public IP address towards LAN also)
Hopefully the above was helpfull. Naturally ask more specific questions and I'll answer them. Hopefully I didnt miss something. But please ask more
I'm currently at Cisco Live! 2013 London so in the "worst case" I might be able to answer on the weekend at earliest.
- Jouni -
ASA 5505 VPN clients can't ping router or other clients on network
I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
Result of the command: "show running-config"
: Saved
ASA Version 7.2(4)
hostname ASA
domain-name default.domain.invalid
enable password kdnFT44SJ1UFX5Us encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.4 Server
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list vpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www Server www netmask 255.255.255.255
static (inside,outside) tcp interface https Server https netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable 480
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy vpn internal
group-policy vpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_splitTunnelAcl
username admin password wwYXKJulWcFrrhXN encrypted privilege 15
username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
username VPNuser attributes
vpn-group-policy vpn
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool VPNpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:df7d1e4f34ee0e155cebe86465f367f5
: end
Any ideas what I need to add to get the vpn client to be able to ping the router and clients?
Thanks.I tried that and it didn't work. As for upgrading the ASA version, I'd like to but this is an old router and I don't have a support contract with Cisco anymore, so I can't access the latest firmware.
here is the runnign config again:
Result of the command: "show startup-config"
: Saved
: Written by enable_15 at 01:48:37.789 MDT Wed Jun 20 2012
ASA Version 7.2(4)
hostname ASA
domain-name default.domain.invalid
enable password kdnFT44SJ1UFX5Us encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.4 Server
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list vpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm location Server 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www Server www netmask 255.255.255.255
static (inside,outside) tcp interface https Server https netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable 480
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy vpn internal
group-policy vpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_splitTunnelAcl
username admin password wwYXKJulWcFrrhXN encrypted privilege 15
username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
username VPNuser attributes
vpn-group-policy vpn
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool VPNpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:78864f4099f215f4ebdd710051bdb493 -
Cisco ASA 5510 - Cisco Client Can Connect To VPN But Can't Ping!
Hi,
I have an ASA 5510 with the configuration below. I have configure the ASA as remote access vpn server with cisco vpn client, my problem now is I can connect but I can't ping.
Config
ciscoasa# sh run
: Saved
ASA Version 8.0(3)
hostname ciscoasa
enable password 5QB4svsHoIHxXpF/ encrypted
names
name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
name xxx.xxx.xxx.xxx Mail_Server
name xxx.xxx.xxx.xxx IncomingIP
name xxx.xxx.xxx.xxx SAP
name xxx.xxx.xxx.xxx WebServer
name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
name 192.168.2.2 isa_server_outside
interface Ethernet0/0
nameif outside
security-level 0
ip address IncomingIP 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.253 255.255.255.0
management-only
passwd 123
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object-group service TCP_8081 tcp
port-object eq 8081
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3389
port-object eq ftp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq pop3
port-object eq 3200
port-object eq 3300
port-object eq 3600
port-object eq 3299
port-object eq 3390
port-object eq 50000
port-object eq 3396
port-object eq 3397
port-object eq 3398
port-object eq imap4
port-object eq 587
port-object eq 993
port-object eq 8000
port-object eq 8443
port-object eq telnet
port-object eq 3901
group-object TCP_8081
port-object eq 1433
port-object eq 3391
port-object eq 3399
port-object eq 8080
port-object eq 3128
port-object eq 3900
port-object eq 3902
port-object eq 7777
port-object eq 3392
port-object eq 3393
port-object eq 3394
port-object eq 3395
port-object eq 92
port-object eq 91
port-object eq 3206
port-object eq 8001
port-object eq 8181
port-object eq 7778
port-object eq 8180
port-object eq 22222
port-object eq 11001
port-object eq 11002
port-object eq 1555
port-object eq 2223
port-object eq 2224
object-group service RDP tcp
port-object eq 3389
object-group service 3901 tcp
description 3901
port-object eq 3901
object-group service 50000 tcp
description 50000
port-object eq 50000
object-group service Enable_Transparent_Tunneling_UDP udp
port-object eq 4500
access-list inside_access_in remark connection to SAP
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
access-list inside_access_in remark VPN Outgoing - PPTP
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
access-list inside_access_in remark VPN Outgoing - GRE
access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
access-list inside_access_in remark VPN - GRE
access-list inside_access_in extended permit gre any any
access-list inside_access_in remark VPN Outgoing - IKE Client
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
access-list inside_access_in remark VPN Outgoing - IPSecNAT - T
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
access-list inside_access_in remark DNS Outgoing
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in remark DNS Outgoing
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in remark Outoing Ports
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit gre any host Mail_Server
access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit ah any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
access-list VPN standard permit 192.168.2.0 255.255.255.0
access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 2 Mail_Server netmask 255.0.0.0
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list corp_vpn
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255
static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255
static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255
static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255
static (inside,outside) 192.168.2.0 access-list corp_vpn
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set transet ESP-3DES-SHA
crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
crypto map cryptomap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
dhcpd domain domain.local interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
tftp-server management 192.168.1.123 /
group-policy mypolicy internal
group-policy mypolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
username vpdn password 123
username vpdn attributes
vpn-group-policy mypolicy
service-type remote-access
tunnel-group mypolicy type remote-access
tunnel-group mypolicy general-attributes
address-pool POOL
default-group-policy mypolicy
tunnel-group mypolicy ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
service-policy global_policy global
prompt hostname context
Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
: end
Thank you very much.Here is the output:
ciscoasa# packet-tracer input outside icmp 172.16.1.10 8 0 192.168.2.1
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 192.168.2.0 access-list corp_vpn
nat-control
match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
static translation to 192.168.2.0
translate_hits = 0, untranslate_hits = 139
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.2.0/0 to 192.168.2.0/0 using netmask 255.255.255.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) 192.168.2.0 access-list corp_vpn
nat-control
match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
static translation to 192.168.2.0
translate_hits = 0, untranslate_hits = 140
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule -
ASA 5505 AnyConnect VPN Can RDP to clients but can't ping/icmp
Hello all,
I've been searching all day for a solution to this problem. I setup and SSL anyconnect VPN on my Cisco ASA 5505. It works well and connects with out a problem. However, I can't ping any internal clients, but I can RDP to them. It may be something simple and I would appreciate any help. Most of the time people end up posting their config so I will as well.
MafSecASA# show run
: Saved
ASA Version 8.2(1)
hostname MafSecASA
domain-name mafsec.com
names
interface Vlan1
nameif inside
security-level 100
ip address 10.4.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 7.3.3.2 255.255.255.248
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.20.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name mafsec.com
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
protocol-object udp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list inside_split_tunnel standard permit 10.4.0.0 255.255.255.0
access-list inside_split_tunnel standard permit 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SSLVPNPool2 10.5.0.1-10.5.0.254 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 7.3.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.4.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.4.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd option 6 ip 8.8.8.8 8.8.4.4
dhcpd address 10.4.0.15-10.4.0.245 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd option 3 ip 10.4.0.1 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol svc
group-lock none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value inside_split_tunnel
vlan none
address-pools value SSLVPNPool2
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username user1 password
username user1 attributes
service-type remote-access
username user2 password
tunnel-group SSLVPNGROUP type remote-access
tunnel-group SSLVPNGROUP general-attributes
address-pool SSLVPNPool2
default-group-policy SSLVPN
tunnel-group SSLVPNGROUP webvpn-attributes
group-alias SSLVPN enable
prompt hostname context
Cryptochecksum:3b16cbc9bbdfa20e6987857c1916a396
: end
Thank in advance for any help!Your config actually looks good (you have the ACL that would allow the echo-reply back since you don't have inspection turned on) - are you sure this isn't a windows firewall issue on the PCs? I'd try pinging a router or switch just to make sure.
--Jason -
Cisco ASA 5505 can ping gateway but can't ping internet
Good day to all!
Sorry if I post this on the wrong group, I am having a bit of a problem on configuring an ASA 5505 firewall. And I scoured google but can't seem to find a specific link to my issues.
It is on a routed mode, have successfully configured inside and outside vlans. Hosts inside vlan can ping each other. Hosts on outside vlan can also ping each other. Problem is, when I am pinging 8.8.8.8, I received ????? Please see config below.
Any help greatly appreciated.
TIA!
: Saved
ASA Version 8.4(3)
hostname ciscoasan
enable password bD3fGYMFeJJTATOJ encrypted
passwd 2KF1w9ErdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description INSIDE
nameif inside
security-level 100
ip address 10.10.10.2 255.255.255.0
interface Vlan2
description OUTSIDE
nameif outside
security-level 0
ip address 203.127.68.2 255.255.255.240
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network obj_any
nat (inside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.127.68.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.10.10.0 255.255.255.0 inside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6b3e0ce99eda3d2563cf9f392f8001b7
: endHi badingdong,
Remove these lines:
no nat (inside,outside) after-auto source dynamic any interface
no access-group outside_access_in in interface outside
If you have more inside subnets need access to internet, please make sure that you have a static route in place as shown below.
route inside 10.0.0.0 255.0.0.0 10.10.10.1
Also make sure that you have a correct DNS server is assigned on your internal hosts.
Thanks
Rizwan Rafeek -
One router on ASA 5505 Site to Site VPN can't ping other router
I have two Cisco ASA routers and I have a site to site vpn set up between the two. The VPN link works but Site A can't ping anything on Site B. Site B can ping Site A. Site B can ping other pcs on it's own network. Site A has been in place for a while and has other site to site VPNs that work fine, so I think the problem is with Site B. Here is the config for Site B:
Result of the command: "show running-config"
: Saved
ASA Version 8.4(4)1
hostname SaskASA
enable password POgOWyKyb0jgJ1Hm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.16.1 255.255.254.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.16.0_23
subnet 192.168.16.0 255.255.254.0
object network NETWORK_OBJ_192.168.2.0_23
subnet 192.168.2.0 255.255.254.0
access-list outside_cryptomap extended permit ip 192.168.16.0 255.255.254.0 192.168.2.0 255.255.254.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.16.0_23 NETWORK_OBJ_192.168.16.0_23 destination static NETWORK_OBJ_192.168.2.0_23 NETWORK_OBJ_192.168.2.0_23 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 444
http 192.168.16.0 255.255.254.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 207.228.xx.xx
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.16.100-192.168.16.200 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_207.228.xx.xxinternal
group-policy GroupPolicy_207.228.xx.xx attributes
vpn-tunnel-protocol ikev1 ikev2
username User password shbn5zbLkuHP/mJX encrypted privilege 15
tunnel-group 207.228.xx.xxtype ipsec-l2l
tunnel-group 207.228.xx.xxgeneral-attributes
default-group-policy GroupPolicy_207.228.xx.xx
tunnel-group 207.228.xx.xxipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f06bd1d6d063318339d98417b171175e
: end
Any ideas? Thanks.I looked over the config for Site A, but couldn't find anything unusual. Perhaps I'm overlooking something. Here is the config for site A:
Result of the command: "show running-config"
: Saved
ASA Version 8.2(1)
hostname SiteA
domain-name domain
enable password POgOWyKyb0jgJ1Hm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.254.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.6
domain-name domain
object-group network DM_INLINE_NETWORK_1
network-object 192.168.14.0 255.255.254.0
network-object 192.168.4.0 255.255.254.0
network-object 192.168.6.0 255.255.254.0
network-object 192.168.8.0 255.255.254.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.12.0 255.255.254.0
network-object 192.168.14.0 255.255.254.0
network-object 192.168.4.0 255.255.254.0
network-object 192.168.6.0 255.255.254.0
network-object 192.168.8.0 255.255.254.0
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.254.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip any 192.168.15.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 192.168.16.0 255.255.254.0
access-list VPNGeo_splitTunnelAcl standard permit any
access-list outside_2_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.6.0 255.255.254.0
access-list outside_3_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.4.0 255.255.254.0
access-list outside_4_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.8.0 255.255.254.0
access-list outside_5_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.16.0 255.255.254.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool GeoVPNPool 192.168.15.200-192.168.15.254 mask 255.255.254.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
http 192.168.2.0 255.255.254.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 207.228.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 208.119.xx.xx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer 208.119.xx.xx
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 208.119.xx.xx
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs group1
crypto map outside_map 5 set peer 70.64.xx.xx
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.2.100-192.168.2.254 inside
dhcpd auto_config outside interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNGeo internal
group-policy VPNGeo attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNGeo_splitTunnelAcl
username user password shbn5zbLkuHP/mJX encrypted privilege 15
username namepassword vP98Lj8Vm5SLs9PW encrypted
username nameattributes
vpn-group-policy VPNGeo
tunnel-group 207.228.xx.xxtype ipsec-l2l
tunnel-group 207.228.xx.xxipsec-attributes
pre-shared-key *
tunnel-group VPNGeo type remote-access
tunnel-group VPNGeo general-attributes
address-pool GeoVPNPool
default-group-policy VPNGeo
tunnel-group VPNGeo ipsec-attributes
pre-shared-key *
tunnel-group 208.119.xx.xxtype ipsec-l2l
tunnel-group 208.119.xx.xxipsec-attributes
pre-shared-key *
tunnel-group 208.119.xx.xx type ipsec-l2l
tunnel-group 208.119.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group 208.119.xx.xxtype ipsec-l2l
tunnel-group 208.119.xx.xxipsec-attributes
pre-shared-key *
tunnel-group 70.64.xx.xxtype ipsec-l2l
tunnel-group 70.64.xx.xxipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:e3adf4e597198f58cd21e508aabdbab9
: end -
Can not ping internal network from ASA
I can not ping internal computer from ASA. Comp IP address 192.168.187.15, gateway is 192.168.187.14 which is ASA internal interface. I've got an IP Phone connected to the same ASA with Ip address 192.168.185.15 and internal ASA interface 192.168.185.14 and everything works fine. We are doing testing, do not be surprised of configuration.
ASA Version 8.2(1)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface GigabitEthernet0/0
nameif ouside3
security-level 0
ip address 10.254.17.25 255.255.255.248
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.254.17.9 255.255.255.248
interface GigabitEthernet0/2
nameif Lan
security-level 100
ip address 192.168.185.14 255.255.255.0
interface GigabitEthernet0/3
nameif comp
security-level 50
ip address 192.168.187.14 255.255.255.0
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit ip any any
access-list allow_ping extended permit icmp any any echo-reply
access-list allow_ping extended permit icmp any any source-quench
access-list allow_ping extended permit icmp any any unreachable
access-list allow_ping extended permit icmp any any time-exceeded
access-list allow_ping extended permit udp any any eq isakmp
access-list allow_ping extended permit esp any any
access-list allow_ping extended permit ah any any
access-list allow_ping extended permit gre any any
access-list nonat extended permit ip any any
access-list nat2 extended permit ip any any
access-list nonat2 extended permit ip any any
pager lines 24
logging asdm informational
mtu ouside3 1500
mtu outside 1500
mtu Lan 1500
mtu comp 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (Lan) 0 access-list nonat
nat (Lan) 1 access-list nat
nat (comp) 0 access-list nonat
nat (comp) 1 access-list nat
access-group allow_ping in interface outside
router eigrp 2008
neighbor 10.254.17.10 interface outside
network 10.254.17.8 255.255.255.248
network 192.168.185.0 255.255.255.0
network 192.168.187.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.254.17.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 110
crypto map mymap 10 set peer 10.254.17.10
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto map mymap2 20 match address 110
crypto map mymap2 20 set peer 10.254.17.18
crypto map mymap2 20 set transform-set myset
crypto map mymap2 interface comp
crypto map mymap3 30 match address 110
crypto map mymap3 30 set peer 10.254.17.26
crypto map mymap3 30 set transform-set myset
crypto map mymap3 interface ouside3
crypto isakmp identity address
crypto isakmp enable ouside3
crypto isakmp enable outside
crypto isakmp enable comp
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
priority-queue outside
threat-detection basic-threatThis is what I get, looks like ASA does not reply. Why?
ciscoasa# sh capture cpi
5 packets captured
1: 05:20:14.494908 192.168.187.15 > 192.168.187.14: icmp: echo request
2: 05:20:19.526935 192.168.187.15 > 192.168.187.14: icmp: echo request
3: 05:20:25.026320 192.168.187.15 > 192.168.187.14: icmp: echo request
4: 05:20:30.525699 192.168.187.15 > 192.168.187.14: icmp: echo request
5: 05:20:36.025084 192.168.187.15 > 192.168.187.14: icmp: echo request -
Can't ping ASA 5510 inside interface
Hello, everyone,
I ran into a very strange icmp ping issue that I could not seem to undersatand, hope someone can provide a troubleshooting tip on this. The network has been working fine other than the issue listed below, L2L VPN works
fine and all three data centers can access each other via L2L VPN.
I have three ASA5510:
asa10
Location: datacenter10
Inside IP: 10.10.10.254
L2LVPN: asa10TOasa20, asa10TOasa30
asa20
Location: datacenter20
Inside IP: 10.20.20.254
L2LVPN: asa10TOasa20, asa10TOasa30
asa30
Location: datacenter30
Inside IP: 10.30.30.254
L2LVPN: asa10TOasa20, asa10TOasa30
Other than, global IP addresses, subnet IP addresses, the run configs are pretty much the same.
Problems:
From network 10.10.10.0, can ping 10.10.10.254, 10.20.20.254
Can't ping 10.30.30.254
From network 10.20.20.0, can ping 10.10.10.254, 10.20.20.254
Can't ping 10.30.30.254
From network 10.30.30.0, can ping 10.20.20.254, 10.30.30.254
Can't ping 10.10.10.254,
Please help by providing your insights or troubleshooting tips. My customer would not allow me to post configs.
Thanks.Hi Bin,
I have spent hours trying to resolve it first time...
In my case the issue was with dynamic nat. When you use object definition for PAT, please use range (excluding ip of the firewall) as opposed to subnet.
Let me know if that helps.
Kind Regards,
Paul Preston
Proxar IT Ltd. Registered in England and Wales: 6744401- VAT: 942985479
Tubs Hill House, London Road, Sevenoaks, Kent, TN13 1BL
Tel: (+44) 0844 809 4335
Fax: (+44) 01732 468 574
Mob: (+44) 077 9509 3450
Web: www.proxar.co.uk
Email: [email protected] -
Can I use ASA to be a DHCP Server use in WLC wireless Client
I want to use ASA to be a DHCP Server for Wireless Client not it can't.
I check the debug log in WLC, I confirm the WLC have send the request to ASA.
In the ASA, it don't have any hits in the rule when the WLC send the DHCP relay request.
I have try don't use dhcp relay in WLC but don't success. Anybody have the same case with me? And Is the ASA can't support DHCP relay agent to request to get the IP Addr.
P.S. In the Network Design limitation so I can't use WLC to be DHCP Server.
Equipment:
ASA5510
WLC4402
How can I fix it.
Thank you very muchThe issue is that the ASA doesn't accept DHCP requests from a relay agent, only broadcast DHCP requests. In the 4.2 version for the controllers there is now an option so you can change the way the controller forwards DHCP requests so that it is sent as a broadcast and not from a relay agent.
-
After installing an app on iPhone 5s, I can't use it outside of wifi (using cellular or mobile data) and the app is not listed in settings to enable its use of mobile data - any clues on what is wrong here?
Steps to take to resolve this issue:
1/ Turn off Wifi
2/ Ensure Mobile (cellular) data is on
3/ Turn iPhone OFF and then ON (re-boot iPhone)
4/ Without turning Wifi on, open an app that requires mobile (cellular) data.
5/ The app will now show on the Settings list with the option to enable or disable mobile (cellular) data
6/ In time all apps that require or use mobile data will be added to the list automatically. -
Can't SSH to inside interface on ASA
Hi there
I have generated the key and can ssh to outside interface. I have allowed access on inside interface. I can telnet but not ssh. I captured packets and can see incoming only. Any ideas?
TIA
Sent from Cisco Technical Support iPhone AppHi there,
Here it is -
asa01(config)# sh cap capin
4 packets captured
1: 21:59:03.583343 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
2: 21:59:05.586990 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
3: 21:59:09.588577 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
4: 21:59:17.591659 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
4 packets shown
asa01(config)#
asa01(config)# sh cap asp
0 packet captured
0 packet shown
asa01(config)#
Can you ping the Switch interface from the ASA? - Yes
Can you ping the ASA from the switch? - Yes -
Next some advise... i've configured a VPN server -pptp on my router, create a vpn for client to site. At the moment, client computer can connect and established a connection to router. I can ping from client to router (192.168.5.1) but can't ping 192.168.5.2(switch) or 192.168.10.X (workstations)
What i'm trying to achieve is to access the internal network (192.168.10.X) which is from the layer 3 switch's end. Any help/extra eye would be good.
Here are my network design and config below:
Client Computer ---> Internet ---> (1.1.1.1) Cisco Router 881 (192.168.5.1) ---> Dell Powerconnect 6248 switch (192.168.5.2) --> Workstation(192.168.10.x)
Cisco 881 Router
aaa new-model
aaa authentication ppp default local
vpdn enable
vpdn-group PPTP-VPDN
accept-dialin
protocol pptp
virtual-template 1
interface FastEthernet0
description Link to Switch
switchport access vlan 5
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
switchport access vlan 70
no ip address
interface FastEthernet4
description INTERNET WAN PORT
ip address [EXTERNAL IP]
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
crypto map VPN1
interface Vlan1
no ip address
interface Vlan5
description $ES_LAN$
ip address 192.168.5.1 255.255.255.248
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly in
interface Vlan70
ip address [EXTERNAL IP]
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Virtual-Template1
ip unnumbered FastEthernet4
encapsulation ppp
peer default ip address pool defaultpool
ppp authentication chap ms-chap
ip local pool defaultpool 192.168.10.200 192.168.10.210
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list NO-NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 [EXTERNAL IP]
ip route 192.168.0.0 255.255.0.0 192.168.5.2
ip access-list extended NO-NAT
deny ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended VLAN70
permit ip [EXTERNAL IP] 0.0.0.15 192.168.10.0 0.0.1.255
permit tcp [EXTERNAL IP] 0.0.0.15 any eq smtp
permit tcp [EXTERNAL IP] 0.0.0.15 any eq www
permit tcp [EXTERNAL IP] 0.0.0.15 any eq 443
permit tcp [EXTERNAL IP] 0.0.0.15 any eq domain
permit udp [EXTERNAL IP] 0.0.0.15 any eq domain
ip access-list extended VPN
permit ip 192.168.10.0 0.0.1.255 10.1.0.0 0.0.1.255
permit ip [EXTERNAL IP] 0.0.0.15 10.1.0.0 0.0.1.255
ip access-list extended WAN
Layer 3 Switch - Dell Powerconnect 6224
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.5.1
interface vlan 5
name "Connect to Cisco Router"
routing
ip address 192.168.5.2 255.255.255.248
exit
interface vlan 10
name "internal network"
routing
ip address 192.168.10.1 255.255.255.0
exit
interface ethernet 1/g12
switchport mode acesss vlan 5
exit
interface ethernet 1/g29
switchport mode access vlan 10
exitHi Samuel,
I went through your configuration and picked up some problematic lines..
First of all you can't have your vpn-pool to be in the 192.168.10.x/24 range because you already have that subnet used behind the switch ( this would only be possible if you had 192.168.10.x range directly connected to the router ). Also, you can't bind your Virtual Template to the WAN ip, it should bind to a interface with a subnet that includes your vpn-pool IP range.
The cleanest way to do this is,
Create a new loop back interface with a new subnet
interface loopback 0
ip address 192.168.99.1 255.255.255.0
Have new vpn pool defined,
ip local pool defaultpool 192.168.99.200 192.168.99.210
Change your Template to point the new loopback interface,
interface Virtual-Template1
ip unnumbered loopback0
encapsulation ppp
peer default ip address pool defaultpool
ppp authentication chap ms-chap
All the vpn clients will get an IP from 192.168.99.200 192.168.99.210 range. And they will be able to get in to the router and up to the desired 192.168.10.x/24 range behind the router. Packets will get in to the switch and then in to the host. Host will reply through the gateway( switch ) -> router -> Client.
PS: Earlier, even if your packets get to the host, the host will never try to send the reply packets back through the gateway ( switch ) because from its(hosts) point of view, the packet came from the same Lan, so the host will just try to "arp" for the senders MAC and will eventually time out)
Hope this helps.
Please don't forget to rate/mark helpful posts
Shamal -
Subnet mask 255.255.255.255 assigned to VPN client - can't ping LAN
Hi,
I configured PIX 501 with PPTP VPN to connect to the small office (PIX FW, Win 2000 Server, several Win clients, LAN IP 10.0.0.X/24):
ip local pool mypool 10.0.0.101-10.0.0.105
vpdn group mygroup accept dialin pptp
vpdn group mygroup ppp authentication mschap
vpdn group mygroup ppp encryption mppe 128 required
vpdn group mygroup client configuration address local mypool
vpdn group mygroup client configuration dns 10.0.0.15
vpdn group mygroup pptp echo 60
vpdn group mygroup client authentication local
vpdn username xxxx password *********
vpdn enable outside
I can connect to the office using Win VPN client, but I can't ping any hosts in the office network. I suspect that the reason for that is subnet mask assigned to the VPN client: 255.255.255.255. ipconfig of the VPN client:
PPP adapter Office:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.0.0.101
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
Default GW is missing too, but I think this is not the main problem.
Any way, what is wrong with my config? How to fix subnet mask assigned to clients? Or may be my assumption is wrong and this mask is ok? What is wrong then?
Any input will be greatly appreciated!
GeorgeThanks for the prompt reply.
Here it does:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
hostname OSTBERG-PIX
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 80 permit ip 10.0.0.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list inbound permit icmp any any
access-list inbound permit tcp any any eq pptp
access-list inbound permit gre any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 66.189.xxx.xxx 255.255.252.0
ip address inside 10.0.0.23 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool 10.0.0.101-10.0.0.105
pdm location 10.0.0.0 255.255.255.0 inside
pdm location 10.0.0.15 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 66.189.yyy.yyy 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
telnet 10.0.0.23 255.255.255.255 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group mygroup accept dialin pptp
vpdn group mygroup ppp authentication mschap
vpdn group mygroup ppp encryption mppe 128 required
vpdn group mygroup client configuration address local mypool
vpdn group mygroup client configuration dns 10.0.0.15
vpdn group mygroup pptp echo 60
vpdn group mygroup client authentication local
vpdn username ********* password *********
vpdn enable outside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:xxx
: end
There are remnants of old config, I just recently took over this network, some lines look odd to me, but I did not touch what works. VPN config is all mine.
PIX internal 10.0.0.23 - is a gateway for the network. DNS server in LAN - 10.0.0.15.
I've been reading about the problem and came across several posts that this subnet mask is normal, but it puzzles me - how can this host communicate with anyone else if there is no room for other hosts in this network (according to the mask)?!
Thanks again!
George -
I can connect my cisco mobile vpn but can't ping & access internal IP
Hi somebody,
i've configured mobile vpn configuration in cisco 7200 with GNS3. i can connect VPN to my cisco router with cisco vpn client software from outside. but i can't ping to internal ip and can't access internal resources.
My Internal IP is 192.168.1.x . And IP for mobile VPN client from outside is 172.60.1.x.
Your advise will be appreciate.
here is my configuration with cisco 7200 in GNS 3,
OfficeVPN_Router#sh run
Building configuration...
Current configuration : 2186 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname OfficeVPN_Router
boot-start-marker
boot-end-marker
enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
aaa new-model
aaa authentication login userlist local
aaa authorization network grouplist local
aaa session-id common
ip cef
no ip domain lookup
username asm privilege 15 password 0 pncsadmin
username user privilege 15 password 0 pncsadmin
username user1 privilege 15 password 0 pncsadmin
username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp client configuration group MWG
key cisco
dns 165.21.83.88
pool vpnpool
acl 101
netmask 255.255.0.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map mymap client authentication list userlist
crypto map mymap isakmp authorization list grouplist
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
interface FastEthernet1/1
ip address 200.200.200.200 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
ip local pool vpnpool 172.60.1.10 172.60.1.100
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.200.200.201
no ip http server
no ip http secure-server
ip nat inside source list 111 interface FastEthernet1/1 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 permit ip any any
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
password cisco123
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco123
end
OfficeVPN_Router#sh ver
Cisco IOS Software, 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 21-Apr-09 18:50 by prod_rel_team
ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
OfficeVPN_Router uptime is 30 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 7206VXR (NPE400) processor (revision A) with 245760K/16384K bytes of memory.
Processor board ID 4279256517
R7000 CPU at 150MHz, Implementation 39, Rev 2.1, 256KB L2 Cache
6 slot VXR midplane, Version 2.1
Last reset from power-on
PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb0_mb1 has a total of 600 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.
3 FastEthernet interfaces
125K bytes of NVRAM.
65536K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102
OfficeVPN_Router#Dear Javier ,
Thanks for your info. i already tested as you say. but still i can't use & ping to my internal IP which is behind cisco VPN router. i posted my config file.
OfficeVPN_Router(config)#ip access-list resequence 111 10 10
OfficeVPN_Router(config)#do sh run
Building configuration...
Current configuration : 2201 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname OfficeVPN_Router
boot-start-marker
boot-end-marker
enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
aaa new-model
aaa authentication login userlist local
aaa authorization network grouplist local
aaa session-id common
ip cef
no ip domain lookup
username asm privilege 15 password 0 pncsadmin
username user privilege 15 password 0 pncsadmin
username user1 privilege 15 password 0 pncsadmin
username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp client configuration group MWG
key cisco
dns 165.21.83.88
pool vpnpool
acl 101
netmask 255.255.0.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map mymap client authentication list userlist
crypto map mymap isakmp authorization list grouplist
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
interface FastEthernet1/1
ip address 200.200.200.200 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
ip local pool vpnpool 172.60.1.10 172.60.1.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.200.200.201
no ip http server
no ip http secure-server
ip nat inside source list 111 interface FastEthernet1/1 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
password cisco123
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco123
end
Maybe you are looking for
-
Transfer tables between 2 clients (mandants)
Hi every one. I want to transfer data i have in some tables from client (mandant) 305 to another another to create an environnement of test with real data so we can test new programs in real conditions. For the moment here's what i did : I used RFC o
-
I had some software problems on my Macbook so yesterday the Apple genius' cleared my computer and reset it. In the process though my Adobe apps were deleted as well. I bought Adobe Creative Suite 6 Design & Web Premium Student and Teacher Edition onl
-
Why can't I click on the movie clips when they are moving fast?
I am making a game where insects in an array fall down from above the screen. The user clicks on these insects to increase his/her score. When the score reaches specific points, the speed increases. When the speed increases, it gets harder to click o
-
I want to add two monitors to my laptop to use instead of the notebook's monitor. Is there a way to use the two monitors with the laptop, powered on, but the lid closed? What hardware is needed to connect the two monitors?
-
I have the 4s Iphone, the ability to add invitees to an event in my calendar has disappeared. How do I get it back? Why and when did it disppear? Did an update take it away?