Cisco ASA 5505 VPN help for local lan access.
Hi all,
I am very new to Cisco systems. Recently I was tasked to enable local LAN access for one of my servers. The problem is this: I have a server with two interfaces, one to my FTP server (192.168.2.3) and the other to the Cisco ASA (192.168.1.1). Whenever I connect the server to the Cisco AnyConnect VPN, I am unable to access the FTP server anymore.
I googled and found out that the problem is that the metric is 1 for the Cisco AnyConnect network interface, which causes all traffic to go through the Cisco VPN interface. Another problem is that I can't change the metric of the Cisco VPN interface: whenever I reconnect to the VPN, the metric resets back to 1 again. I tried to follow some guides to configure split tunneling, but my traffic is still going through the VPN connection.
Can anyone tell me what I am missing here? Sorry, I am very new to Cisco systems. I have spent about 5 days troubleshooting and I feel I am getting close. Can anyone guide me on what else I am supposed to do?
What I did: Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Advanced > Split Tunneling > uncheck Inherit and select "Exclude Network List Below" > uncheck Network List and select Manage, then add 192.168.2.0/24 as permit.
I would really appreciate it if anyone can tell me what else I can do to ensure my server has access to my FTP server after connecting to the VPN.
Thanks all!
Wen Qi
Hi,
Try adding the following configuration
policy-map global_policy
class inspection_default
inspect pptp
And then try again.
I'm not 100% sure whether you would also need to allow GRE (protocol 47) through the firewall even after that.
- Jouni
Similar Messages
-
Cisco ASA 5505 VPN Help Needed
Hi all.
I am trying to connect to a VPN set up at a remote customer site. However it seems that connections cannot be established from inside my office network. I have tried from other sites and connections can be established. For obvious reasons, this is not a practical solution.
I have run network monitoring within the ASDM at the time of various connection attempts and keep getting the following message:
194.75.53.148
regular translation creation failed for protocol 47 src inside:192.168.0.81 dst outside:194.75.53.148
My configuration is below:
ciscoasa# show run
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name xxx.local
enable password SpSqlpxlX4bU60eP encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group XXXX
ip address xxx.xxx.xxx.xxx 255.255.255.255 pppoe setroute
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address xxx.xxx.xxx.xxx 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name xxx.local
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq smtp
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp any host abc.abc.com object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any host abc.abc.com eq https
access-list outside_access_in extended permit tcp any host abc.abc.com object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host abc.abc.com eq https
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp abc https abc https netmask 255.255.255.255
static (inside,outside) tcp abc https abc https netmask 255.255.255.255
static (inside,outside) tcp abc smtp abc smtp netmask 255.255.255.255
static (inside,outside) tcp abc https abc https netmask 255.255.255.255
static (inside,outside) tcp abc https abc https netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.85 255.255.255.255 inside
ssh timeout 5
console timeout 0
vpdn group abc request dialout pppoe
vpdn group abc localname 02024658215@abc
vpdn group abc ppp authentication pap
vpdn username 02024658215@abc password ********* store-local
dhcpd auto_config outside
username manager password KDNz8d1FwKy7dzg2 encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:27b2bfc3a2fa63ce614199070bd1195f
: end
If I drill down into the error further it says that the ASA is not permitted to let traffic destined for a network or broadcast address through. The traffic is coming back to 192.168.0.81 which is neither of these.
Maybe I am overlooking something simple but any help or guidance would be much appreciated.
Thanks in advance.
Ben Peacock.
-
Port Forwarding for Cisco ASA 5505 VPN
This is the Network
Linksys E2500 ---> Cisco ASA 5505 ---> Server
I believe I need to forward some ports to the ASA to use the IPsec VPN I just set up. I had the SSL VPN working but only needed to forward 443 for that... I assume that the IPsec tunnel uses a specific port.
Thank You
For IPsec VPN, you need to port forward UDP/500 and UDP/4500, and remember to enable NAT-T on the ASA.
Command to enable NAT-T on the ASA:
crypto isakmp nat-traversal 30
-
Cisco ASA 5505 VPN Routing/Networking Question
I have a very basic question about Cisco ASA 5505 IPsec Site to Site VPNs. I want to install a Cisco ASA 5505 at a Data Center, in a LAN subnet that utilizes publicly routable IP addresses. I would like to install a second Cisco ASA 5505 in a remote branch office as its peer.
Regardless of whether I use publicly routable IPs at the branch office in the "inside" network or non-routable IPs, how would the devices and servers at the Data Center know to route IP packets destined for the branch office back through the Cisco ASA instead of through the default gateway at the Data Center? I can see accomplishing this if every single device at the Data Center is configured with routing table entries, but that isn't feasible. It also isn't feasible to use the Cisco ASA 5505 as the default gateway for all of the devices at the Data Center, allowing it to decide where the traffic should go.
What am I missing? Is the solution to try to map branch office IPs to IP addresses within the Data Center's LAN subnet so that all of the traffic is on the same subnet?
You can do it in several different ways.
One way is to tell the server that if it has traffic to network X it needs to go to the ASA, and all other traffic is to head for the default gateway.
In Windows this is done via the route command.
Do not forget to make it "persistent", otherwise the route will disappear when you reboot the server.
In Unix/Linux it is also the route command.
Or you can tell your "default gateway" to route that network to the ASA.
Good luck
HTH
-
CISCO ASA 5505 VPN problem in Windows 7
I am using CISCO ASA 5505. Client PC with Windows XP can use IE to make the VPN connection normally.
However, client PC with Windows 7 cannot use IE to make the VPN connection.
It just shows the error "Internet Explorer cannot display the webpage".
Would you please help?
Thank you very much!
Hi Timothy,
Could you please try disabling UAC in Win 7. Also try to connect from a machine where you have admin privileges (in case you are trying the connection from a restricted machine).
Also, add the site under trusted sites in IE, i.e. if you are connecting to https://1.1.1.1 or https://vpn.abc.com then please add it under the trusted sites.
Let me know if this helps.
Thanks,
Vishnu Sharma
-
I have a Cisco ASA 5505 that I am setting up VPN access to. I have multiple subnets, all routed through a layer 3 switch connected to my ASA. My problem is I can ping everything on VLAN1 (192.168.100.0/24) but no other VLANs (10.141.152.0/23 etc.).
Post the config of your ASA and someone will be able to assist.
-
ASA 5505 VPN HELP!!!
I have two ASA 5505's. One is currently set up as my firewall connected to the Cox Cable modem and wireless AP. I have another ASA that I would like to use; I have an idea that I could set that one up as a VPN unit, but I am not sure how I could do that. If that is not an option, can you provide the command line instructions on how to set up the VPN via the console cable? I am kinda new and I am slowly trying to become more knowledgeable about this. Any help would be greatly appreciated.
Thanks,
Jon
My current Config:
ASA Version 8.2(3)
hostname Wood-ASA1-if
domain-name lv.cox.net
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Etherne
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
boot system disk0:/asa823-k8.bin
boot config disk0:/asa823.bin
ftp mode passive
dns server-group DefaultDNS
domain-name lv.cox.net
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object t
logging buffered warnings
logging asdm notifications
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group INBOUND in interface outside
timeout xlate 3:
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics acce
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c3a35118ab34143a5e73e414ead343c1
For sure you can do this with the ASA, see the following configuration example:
http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a0080950890.shtml
cheers.
-
Cisco ASA 5505 VPN Anyconnect no address assignment
I have a problem with IP assignment via AnyConnect. I always get the message "no assigned address" via AnyConnect. I assigned an address pool to my VPN profile, but it's still not working. Here is my config:
hostname firewall
domain-name ITTRIPP.local
enable password 8K8UeTZ9KV5Lvofo encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool 192.168.178.0 192.168.178.151-192.168.178.171 mask 255.255.255.255
ip local pool net-10 10.0.0.1-10.0.0.10 mask 255.255.255.0
ip local pool SSL-POOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
description Private Interface
nameif inside
security-level 100
ip address 192.168.178.10 255.255.255.0
ospf cost 10
interface Vlan2
description Public Interface
nameif outside
security-level 0
ip address 192.168.177.2 255.255.255.0
ospf cost 10
interface Vlan3
description DMZ-Interface
nameif dmz
security-level 0
ip address 10.10.10.2 255.255.255.0
boot system disk0:/asa914-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
dns server-group DefaultDNS
name-server 192.168.178.3
name-server 192.168.177.1
domain-name ITTRIPP.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 192.168.178.x
subnet 192.168.178.0 255.255.255.0
object network NETWORK_OBJ_192.168.178.0_26
subnet 192.168.178.0 255.255.255.192
object service teamviewer
service tcp source eq 5938
object service smtp_tls
service tcp source eq 587
object service all_tcp
service tcp source range 1 65535
object service udp_all
service udp source range 1 65535
object network NETWORK_OBJ_192.168.178.128_26
subnet 192.168.178.128 255.255.255.192
object network NETWORK_OBJ_10.0.0.0_28
subnet 10.0.0.0 255.255.255.240
object-group service Internet-udp udp
description UDP Standard Internet Services
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 4500
object-group service Internet-tcp tcp
description TCP Standard Internet Services
port-object eq www
port-object eq https
port-object eq smtp
port-object eq 465
port-object eq pop3
port-object eq 995
port-object eq ftp
port-object eq ftp-data
port-object eq domain
port-object eq ssh
port-object eq telnet
object-group user DM_INLINE_USER_1
user LOCAL\admin
user LOCAL\lukas
user LOCAL\sarah
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group service 192.168.178.network tcp
port-object eq 5000
port-object eq 5001
object-group service DM_INLINE_SERVICE_1
service-object object smtp_tls
service-object tcp destination eq imap4
service-object object teamviewer
object-group service DM_INLINE_SERVICE_2
service-object object all_tcp
service-object object udp_all
object-group service DM_INLINE_SERVICE_3
service-object object all_tcp
service-object object smtp_tls
service-object object teamviewer
service-object object udp_all
service-object tcp destination eq imap4
object-group service vpn udp
port-object eq 1701
port-object eq 4500
port-object eq isakmp
object-group service openvpn udp
port-object eq 1194
access-list NAT-ACLs extended permit ip 192.168.178.0 255.255.255.0 any
access-list inside-in remark -=[Access Lists For Outgoing Packets from Inside interface]=-
access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any object-group Internet-udp
access-list inside-in extended permit tcp 192.168.178.0 255.255.255.0 any object-group Internet-tcp
access-list inside-in extended permit icmp 192.168.178.0 255.255.255.0 any
access-list inside-in extended permit udp 192.168.178.0 255.255.255.0 any eq sip
access-list inside-in extended permit object-group DM_INLINE_SERVICE_1 192.168.178.0 255.255.255.0 any
access-list inside-in extended permit object-group DM_INLINE_SERVICE_2 192.168.178.0 255.255.255.0 any
access-list outside-in remark -=[Access Lists For Incoming Packets on OUTSIDE interface]=-
access-list outside-in extended permit icmp any 192.168.178.0 255.255.255.0 echo-reply
access-list outside-in extended permit tcp object-group-user DM_INLINE_USER_1 any host 192.168.178.95 object-group DM_INLINE_TCP_1
access-list outside-in extended permit tcp any host 192.168.178.95 object-group 192.168.178.network
access-list outside-in extended permit tcp any 192.168.178.0 255.255.255.0 eq sip
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list dmz_access_in remark -=[Access Lists For Outgoing Packets from DMZ interface]=-
access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_3 10.10.10.0 255.255.255.0 any
access-list dmz_access_in extended permit icmp 10.10.10.0 255.255.255.0 any
access-list dmz_access_in extended permit tcp 10.10.10.0 255.255.255.0 any object-group Internet-tcp
access-list dmz_access_in extended permit udp 10.10.10.0 255.255.255.0 any object-group Internet-udp
pager lines 24
logging enable
logging buffer-size 30000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.178.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
nat (dmz,outside) source static any any destination static NETWORK_OBJ_192.168.178.0_26 NETWORK_OBJ_192.168.178.0_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.178.128_26 NETWORK_OBJ_192.168.178.128_26 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.0.0_28 NETWORK_OBJ_10.0.0.0_28 no-proxy-arp route-lookup
object network 192.168.178.x
nat (inside,outside) dynamic interface
nat (dmz,outside) after-auto source dynamic 192.168.178.x interface
access-group inside-in in interface inside
access-group outside-in in interface outside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.177.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ITTRIPP protocol ldap
aaa-server ITTRIPP (inside) host 192.168.178.3
ldap-base-dn CN=Users,DC=ITTRIPP,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Administrator,DC=ITTRIPP,DC=local
server-type microsoft
user-identity default-domain LOCAL
eou allow none
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 5
http server enable
http 192.168.178.0 255.255.255.0 inside
http redirect outside 80
http redirect inside 80
http redirect dmz 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map dmz_map interface dmz
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=firewall
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
fqdn l1u.dyndns.org
email [email protected]
subject-name CN=l1u.dyndns.org,OU=VPN Services,O=ITTRIPP,C=DE,St=NRW,L=PLBG,EA=[email protected]
serial-number
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate 6a871953
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate 580c1e53
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable inside client-services port 443
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable dmz client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.178.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.178.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign local
no ipv6-vpn-addr-assign aaa
dhcp-client update dns server both
dhcpd update dns both
dhcpd address 192.168.178.100-192.168.178.150 inside
dhcpd dns 192.168.178.3 192.168.177.1 interface inside
dhcpd wins 192.168.178.3 interface inside
dhcpd domain ITTRIPP.local interface inside
dhcpd update dns both interface inside
dhcpd option 3 ip 192.168.178.10 interface inside
dhcpd option 4 ip 192.168.178.3 interface inside
dhcpd option 6 ip 192.168.178.3 192.168.177.1 interface inside
dhcpd option 66 ip 192.168.178.95 interface inside
dhcpd enable inside
dhcpd address 192.168.177.100-192.168.177.150 outside
dhcpd dns 192.168.178.3 192.168.177.1 interface outside
dhcpd wins 192.168.178.3 interface outside
dhcpd domain ITTRIPP.local interface outside
dhcpd update dns both interface outside
dhcpd option 3 ip 192.168.177.2 interface outside
dhcpd option 4 ip 192.168.178.3 interface outside
dhcpd option 6 ip 192.168.178.3 interface outside
dhcpd enable outside
dhcpd address 10.10.10.100-10.10.10.150 dmz
dhcpd dns 192.168.178.3 192.168.177.1 interface dmz
dhcpd wins 192.168.178.3 interface dmz
dhcpd domain ITTRIPP.local interface dmz
dhcpd update dns both interface dmz
dhcpd option 3 ip 10.10.10.2 interface dmz
dhcpd option 4 ip 192.168.178.3 interface dmz
dhcpd option 6 ip 192.168.178.3 interface dmz
dhcpd enable dmz
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
tftp-server inside 192.168.178.105 /volume1/data/tftp
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint1 dmz
ssl trust-point ASDM_TrustPoint0 dmz vpnlb-ip
ssl trust-point ASDM_TrustPoint1 inside
ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
webvpn
enable inside
enable outside
enable dmz
file-encoding 192.168.178.105 big5
csd image disk0:/csd_3.5.2008-k9.pkg
anyconnect image disk0:/anyconnect-linux-3.1.03103-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-3.1.03103-k9.pkg 2
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 3
anyconnect profiles SSL-Profile_client_profile disk0:/SSL-Profile_client_profile.xml
anyconnect enable
tunnel-group-list enable
mus password *****
group-policy DfltGrpPolicy attributes
wins-server value 192.168.178.3
dns-server value 192.168.178.3 192.168.177.1
dhcp-network-scope 192.168.178.0
vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
default-domain value ITTRIPP.local
split-dns value ITTRIPP.local
webvpn
anyconnect firewall-rule client-interface public value outside-in
anyconnect firewall-rule client-interface private value inside-in
group-policy GroupPolicy_SSL-Profile internal
group-policy GroupPolicy_SSL-Profile attributes
wins-server value 192.168.178.3
dns-server value 192.168.178.3 192.168.177.1
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value ITTRIPP.local
webvpn
anyconnect profiles value SSL-Profile_client_profile type user
username sarah password PRgJuqNTubRwqXtd encrypted
username admin password QkbxX5Qv0P59Hhrx encrypted privilege 15
username lukas password KGLLoTxH9mCvWzVI encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool SSL-POOL
secondary-authentication-server-group LOCAL
authorization-server-group LOCAL
tunnel-group DefaultWEBVPNGroup ipsec-attributes
ikev1 trust-point ASDM_TrustPoint0
ikev1 radius-sdi-xauth
tunnel-group SSL-Profile type remote-access
tunnel-group SSL-Profile general-attributes
address-pool SSL-POOL
default-group-policy GroupPolicy_SSL-Profile
tunnel-group SSL-Profile webvpn-attributes
group-alias SSL-Profile enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class-default
user-statistics accounting
service-policy global_policy global
mount FTP type ftp
server 192.168.178.105
path /volume1/data/install/microsoft/Cisco
username lukas
password ********
mode passive
status enable
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:998674b777e5fd1d3a131d93704ea0e1
Any idea why it's not working?
You've got a lot going on there but I'd focus on the line "no vpn-addr-assign local". Per the command reference that tells the ASA NOT to use the local pool.
By the way, DHCP on the outside interface looks very counter-intuitive, as does enabling VPN on all interfaces over every protocol. -
Cisco ASA 5505 VPN Remote Access Problem
Hello guys, I have a Cisco 5505 ASA (Adaptive Security Appliance), and I have two local networks, 192.168.1.0/24 and 192.168.2.0/24, and I have my ISP public connection. What I want to do is connect a remote VPN connection and access my private network of 192. My public IP is like 155.155.155.0/24 ...
I put my ISP connection in E0/0 and my private networks into E0/1 and E0/2.
So I created a remote VPN connection, and then I connected to the VPN.
My problem is I can't reach or access my private networks. This problem frustrated me a lot, so Cisco guys please help me,
and I am using the ASDM Cisco graphical interface.
Hi Timothy,
Could you please try disabling UAC in Win 7. Also try to connect from a machine where you have admin privileges (in case you are trying the connection from a restricted machine).
Also, add the site under trusted sites in IE. i.e if you are connecting to https://1.1.1.1 or https://vpn.abc.com then please add it under the trusted sites:
Let me know if this helps.
Thanks,
Vishnu Sharma -
I've got a new 5505, and I've run through two wizards: one to start up, one to add client VPN. As a result, I can now connect from a client, the client gets the right info (ip adress, dns, gateway), but it cannot connect to any of the servers on the 'inside' network. The config is here:
http://www.dubbele.com/asaconfig.txt.
I've tried a lot of different things, but I cannot seem to get what's going wrong. Any clues would be very welcome!
John,
I strongly suggest always using a different IP scheme for each of the VPN RA tunnels, and that they not be the same as any of the ASA inside interfaces.
interface Vlan1
ip address 192.168.6.25 255.255.255.0
ip local pool vpnhaarlem 192.168.6.150-192.168.6.175 mask 255.255.255.0
For vpnhaarlem do the following.
Use a unique private IP scheme for it as you have done with rotterdam; as an example let's use 10.20.20.0/24
remove
no ip local pool vpnhaarlem 192.168.6.150-192.168.6.175 mask 255.255.255.0
add
ip local pool vpnhaarlem 10.20.20.1-10.20.20.254 mask 255.255.255.0
This first-line ACL is OK but personally I suggest being more granular, allowing the specific RA tunnel group networks and not just permit ip any; again, example for the 10.20.20.0/24 network.
Stick with one no-NAT ACL for RA tunnels like inside_nat0_outbound; remove the _1 and _2, otherwise you will have to create more nat (inside) access-list statements for RA networks.
remove
no access-list inside_nat0_outbound_1 extended permit ip any 192.168.6.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.6.0 255.255.255.0
add
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 10.20.20.0 255.255.255.0
For the rotterdam tunnel group it is fine with a unique IP scheme; I would apply my suggestion above
no access-list inside_nat0_outbound_2 extended permit ip 192.168.6.0 255.255.255.0 192.168.6.128 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0
Re-adjust the no-NAT ACL statement below
no nat (inside) 0 access-list inside_nat0_outbound_2
nat (inside) 0 access-list inside_nat0_outbound
Let us know how it works out
Rgds
Jorge -
Cisco ASA 5505 VPN with iPhone
Hello Everyone. I am a newbie to the Cisco appliances, so please bear with me. I am trying to configure this unit to allow iPhone VPN access to our network to sync LOTUS DOMINO (Not Exchange) user's Email, Contacts, and Calendar. We have a Sonicwall NSA 2400 that is our main router, so the ASA will only be used for VPN access, not routing. It will be in the DMZ providing VPN access for the iPhones. With the VPN connected, we need to limit access to only those services required by the iphone to sync information. The Software version on the Cisco is 7.2(4). If there is anyone that could help me out, I would greatly appreciate it. Please remember I am new to this, so please be patient. Where do I begin? I hope to hear from anyone soon.
Hi,
I cannot help you with the Cisco side of the equation, but do you know about Lotus Traveler? It's free from IBM and essentially adds ActiveSync support to your Domino email environment. The iPhone is configured with an Exchange ActiveSync account and pointed to the Lotus Traveler server (which sits in your DMZ and only needs port 80/443 access). It gives you full push email/contacts/calendar (Blackberry-like) functionality.
Like I said, it's a free add-on from IBM Lotus for all licensed Domino users. -
Cisco ASA 5505 VPN connection issue ("Unable to add route")
I'm trying to get IPSec VPN working on a new Cisco ASA5505. Pretty standard configuration.
Setup:
* Cisco VPN client on Windows 7 (v5.0.07.0290 x64 on Laptop1 and v5.0.07.0440 x64 on Laptop2)
* PPPoE/NAT and internal DHCP on the ASA were configured with the Startup Wizard in ASDM
NATting is working fine - internal PCs get an IP address in the 192.168.2.0/24 range and can all access the Internet.
I wanted to be able to connect from anywhere to the ASA in order to reach one of the internal servers. Should be pretty basic.
First I tried with the built-in ASDM IPSec Wizard, instructions found here.
VPN clients can connect to the ASA and stay connected (until they're manually disconnected), but cannot reach the internal network or the Internet. Note the VPN client can connect fine to a different VPN site (not administered by myself).
Client logs show following error messages:
1 15:53:09.363 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
2 15:53:13.593 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.101
3 15:53:13.593 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100165, Gateway: ac100101.
4 15:54:30.425 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
5 15:54:31.433 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CheckUpVASettings: Found IPADDR entry addr=172.16.1.101, error 0
6 15:54:32.445 02/11/12 Sev=Warning/2 CVPND/0xA3400015
Error with call to IpHlpApi.DLL: CleanUpVASettings: Was able to delete all VA settings after all, error 0
7 20:50:45.355 02/11/12 Sev=Warning/3 IKE/0xA300005F
Firewall, Cisco Intrusion Prevention Security Agent, is not running, the client will not send firewall information to concentrator.
8 20:50:50.262 02/11/12 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.1.255
Netmask 255.255.255.255
Gateway 172.16.1.1
Interface 172.16.1.100
9 20:50:50.262 02/11/12 Sev=Warning/2 CM/0xA3100024
Unable to add route. Network: c0a801ff, Netmask: ffffffff, Interface: ac100164, Gateway: ac100101.
I've already tried the suggestions from this link, although the problem is different there (as the user can still access the internet, even without split tunneling, which I cannot).
A show run shows the following output (note that in the below I have tried a different VPN network: 192.168.3.0/24 instead of the 172.16.1.0/24 seen in the client log)
Result of the command: "sh run"
: Saved
ASA Version 8.2(5)
hostname AsaDWD
enable password kLu0SYBETXUJHVHX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DW-VPDN
ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool DWD-VPN-Pool 192.168.3.5-192.168.3.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group DW-VPDN request dialout pppoe
vpdn group DW-VPDN localname fa******@SKYNET
vpdn group DW-VPDN ppp authentication pap
vpdn username fa******@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.5-192.168.2.36 inside
dhcpd domain DOMAIN interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DWD internal
group-policy DWD attributes
vpn-tunnel-protocol IPSec
username test password ******* encrypted privilege 0
username test attributes
vpn-group-policy DWD
tunnel-group DWD type remote-access
tunnel-group DWD general-attributes
address-pool DWD-VPN-Pool
default-group-policy DWD
tunnel-group DWD ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3e6c9478a1ee04ab2e1e1cabbeddc7f4
: end
I've installed everything using the CLI as well (after a factory reset). This however yielded exactly the same issue.
Following commands have been entered:
ip local pool vpnpool 172.16.1.100-172.16.1.199 mask 255.255.255.0
username *** password ****
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp nat-traversal
sysopt connection permit-ipsec
sysopt connection permit-vpn
group-policy dwdvpn internal
group-policy dwdvpn attributes
vpn-tunnel-protocol IPSec
default-domain value DWD
tunnel-group dwdvpn type ipsec-ra
tunnel-group dwdvpn ipsec-attributes
pre-shared-key ****
tunnel-group dwdvpn general-attributes
authentication-server-group LOCAL
default-group-policy dwdvpn
Unfortunately I'm getting the same "AddRoute failed to add a route with metric of 0: code 160" error message.
I'm very confused as this should be a pretty standard setup. I tried to follow the instructions on the Cisco site to the letter...
The only "differences" in my setup are an internal network of 192.168.2.0 (with ASA IP address 192.168.2.254) and PPPoE with DHCP instead of no PPPoE at all.
Does anyone know what's going on?
Yes, I have tried from a different laptop - same results. Using that laptop I can connect to a different IPSec site without issues.
Please find my renewed config below:
DWD-ASA(config)# sh run
: Saved
ASA Version 8.2(5)
hostname DWD-ASA
enable password ******* encrypted
passwd ****** encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group DWD
ip address pppoe setroute
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.50.10-192.168.50.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
vpdn group DWD request dialout pppoe
vpdn group DWD localname *****@SKYNET
vpdn group DWD ppp authentication pap
vpdn username *****@SKYNET password *****
dhcpd auto_config outside
dhcpd address 192.168.2.10-192.168.2.40 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy dwdipsec internal
group-policy dwdipsec attributes
vpn-tunnel-protocol IPSec
default-domain value DWDDOM
username user1 password ***** encrypted privilege 0
username user1 attributes
vpn-group-policy dwdipsec
tunnel-group dwdipsec type remote-access
tunnel-group dwdipsec general-attributes
address-pool vpnpool
default-group-policy dwdipsec
tunnel-group dwdipsec ipsec-attributes
pre-shared-key *****
tunnel-group dwdssl type remote-access
tunnel-group dwdssl general-attributes
address-pool vpnpool
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f5c8dd644aa2a27374a923671da1c834
: end
DWD-ASA(config)# -
How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR
I'm trying to test my Cisco VPN client from my workplace to my home where I have a Cisco ASA 5505 (VPN server) behind the Actiontec MI424WR. I'm able to Ping the Actiontec external IP. I also have Port Forwarding for IKE and IPSec configured on the Actiontec, but I cannot establish the VPN connection.
What do I need to configure on the Actiontec to make this work?
Also, when I test this at home, the MI424WR acts as the DHCP server for my laptop and the Cisco outside interface. At home, I'm able to establish the VPN connection from my laptop to the ASA, allowing me to see a shared drive behind the ASA. However, at home, I cannot go to the Internet while using the VPN client.
Thanks for any help.
Steve
http://www.dslreports.com/faq/verizonfios/3.0_Networking
Those are the best sample configs and resources on how to set up the FiOS network.
Bridging is possible but difficult. That link will give you great info on it.
Are you a FiOS customer that has phone/internet/TV, or no TV? Or no phone? You have to be careful with your configuration or you might lose some TV features and functionality, like the Interactive Program Guide, the VOD or the Widgets.
Sorry the port forwarding wasn't enough to resolve your issue. I am not sure that it's an Actiontec config you are looking for; from my understanding of Cisco and FiOS it may be something behind the Cisco that is causing the issue. You may want to reach out to the Cisco admin that manages that, and find out if there are additional ports that are required, and then you can come back and configure those ports too. -
Cisco ASA 5505 bandwidth control and split
Dear All,
Below I am giving the infrastructure which I would like to set up; please help me.
I am using a Cisco ASA 5505 VPN firewall and a 6Mbps 1:1 dedicated internet connection.
On the LAN side we have 3 networks: one for Internet users, one for VPN users, one for CCTV.
I would like to split the 6Mbps bandwidth between these 3 networks, 3x2, so that each network uses 2Mbps of bandwidth. The VPN and CCTV users use it up to 6:00 pm; after that the bandwidth will be free,
and after 6:00 pm we need to give the VPN and CCTV line bandwidth to the Internet users.
Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)
Compiled on Sun 06-Apr-08 13:39 by builders
System image file is "disk0:/asa724-k8.bin"
So please help me with a suitable configuration for my purpose / please tell me which device will support this / what I have to do for this.
Thanks
Lalu R.S
There's not much of that sort of functionality built into the ASA 5505 entry level firewall. To do that sort of thing in the firewall, you would have to move up to one of the newer 5500-X series with next generation firewall features and build a policy using Application Visibility and Control (AVC).
You can do some crude controls with QoS - the configuration guide chapter on doing that is here. -
Hi,
I have configured a Cisco ASA 5505 but I can't get access to the internet using my laptop connected to the ASA. I did not use the console but the graphical interface for the configuration. I changed the inside address of the ASA and it is 192.168.2.1. From the inside I can't ping the equipment on the outside, and from outside I can't ping the laptop connected to the ASA.
Here is my configuration:
Result of the command: "show running-config"
: Saved
ASA Version 8.2(5)
hostname xxxxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.48 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name processia.com
access-list outside_access_in extended permit ip any any
access-list icmp_out_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ipv6 access-list outside_access_ipv6_in permit ip any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group icmp_out_in in interface outside
access-group outside_access_ipv6_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.2.2-192.168.2.129 inside
dhcpd dns 80.10.246.2 80.10.246.129 interface inside
dhcpd ping_timeout 5000 interface inside
dhcpd domain xxxxxxxxxxxxxxxxx interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
policy-map global_policy
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7e6f35db321b722ca60009b0c0dc706e
: end
Thank you for your help
Hi Sylla,
The static route you have configured for Internet access needs to be corrected:
route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
The next hop address should be your ISP's gateway IP address and not the ASA's outside interface IP. Currently, both are configured for 192.168.1.48.
-Mike
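Added example (my own code, not from any post above or from Cisco): a small Python linter that applies the checks the replies make by hand, namely the first reply's point about "no vpn-addr-assign local", Jorge's advice that a VPN pool must not overlap an inside interface and needs a matching nat 0 exemption entry, and Mike's point that the default route's next hop must not be the ASA's own interface address. The sample configs are constructed from fragments of the posted configs; 192.168.1.1 as the corrected ISP gateway is a placeholder.

```python
"""Lint an ASA 8.x-style running-config for the remote-access VPN mistakes the replies
above find by hand.  Added example; not from any of the posts or from Cisco."""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample built from fragments of the posted configs so that every check fires:
# the vpnhaarlem pool overlaps the inside subnet, rotterdam has no nat 0 entry, the default
# route's next hop is the ASA's own outside address, and local pool assignment is disabled.
BAD_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.6.25 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.168.1.48 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.6.0 255.255.255.0
ip local pool vpnhaarlem 192.168.6.150-192.168.6.175 mask 255.255.255.0
ip local pool rotterdam 192.168.5.10-192.168.5.20 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 192.168.1.48 1
no vpn-addr-assign local
"""

# The same sample after Jorge's and Mike's corrections (192.168.1.1 is a placeholder ISP gateway).
FIXED_CONFIG = (
    BAD_CONFIG
    .replace("192.168.6.150-192.168.6.175", "10.20.20.1-10.20.20.254")
    .replace("255.255.255.0 192.168.6.0 255.255.255.0\n",
             "255.255.255.0 10.20.20.0 255.255.255.0\n"
             "access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.5.0 255.255.255.0\n")
    .replace("192.168.1.48 1", "192.168.1.1 1")
    .replace("no vpn-addr-assign local\n", "")
)

Finding = Tuple[str, str]


def parse_interfaces(config: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map each nameif to its configured IPv4 address/mask (PPPoE interfaces are skipped)."""
    result: Dict[str, ipaddress.IPv4Interface] = {}
    nameif = None
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["interface"]:
            nameif = None
        elif t[:1] == ["nameif"] and len(t) == 2:
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and len(t) >= 4 and nameif and t[2] != "pppoe":
            result[nameif] = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}")
    return result


def parse_pools(config: str) -> Dict[str, Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Map each 'ip local pool' name to its first and last address."""
    pool_re = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)
    return {m[1]: (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3])) for m in pool_re.finditer(config)}


def _take_network(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ACE address operand (any | host A | A MASK); return the network and next index."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_nat0_destinations(config: str) -> List[ipaddress.IPv4Network]:
    """Destination networks of every ACL bound with 'nat (<ifc>) 0 access-list <name>'."""
    exempt_acls = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M))
    dests = []
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 7 and t[0] == "access-list" and t[1] in exempt_acls and t[2:5] == ["extended", "permit", "ip"]:
            _, i = _take_network(t, 5)            # source operand: the inside hosts
            dests.append(_take_network(t, i)[0])  # destination operand: the VPN pool
    return dests


def lint(config: str) -> List[Finding]:
    """Return (code, detail) findings; an empty list means none of the checks fired."""
    findings: List[Finding] = []
    ifaces = parse_interfaces(config)
    nat0 = parse_nat0_destinations(config)
    for name, (first, last) in parse_pools(config).items():
        for ifname, iface in ifaces.items():
            if first in iface.network or last in iface.network:
                findings.append(("POOL_OVERLAPS_INTERFACE", f"pool {name} {first}-{last} overlaps {ifname} {iface.network}"))
        if not any(first in net and last in net for net in nat0):
            findings.append(("POOL_NOT_NAT_EXEMPT", f"pool {name} {first}-{last} matches no nat 0 access-list entry"))
    m = re.search(r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    if m and m[1] in ifaces and ipaddress.IPv4Address(m[2]) == ifaces[m[1]].ip:
        findings.append(("ROUTE_NEXTHOP_IS_SELF", f"default route next hop {m[2]} is the ASA's own {m[1]} address"))
    if re.search(r"^no vpn-addr-assign local\s*$", config, re.M):
        findings.append(("LOCAL_POOL_ASSIGN_DISABLED", "no vpn-addr-assign local: configured address pools are never handed out"))
    return findings
```

Feed lint() the saved output of show running-config; the parser only understands the flat 8.2-style NAT syntax shown in the configs on this page, not 8.3+ object NAT.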