ASA 5505 rookie - can't ping remote site or vice versa

Hi, I'm trying to set up an IPsec tunnel from an ASA 5505 (8.4) to a Sophos UTM (9.2).
Internet etc. is up and accessible. The IPsec tunnel is up as well, but I can't pass traffic through it.
I get this message in the logs:
Severity 3, Aug 05 2014 22:38:52, source 81.111.111.156, destination 82.222.222.38:
Deny inbound protocol 50 src outside:81.111.111.156 dst outside:82.222.222.38
SITE A (ASA 5505) = 82.222.222.38
SITE B (UTM 9) = 81.111.111.156
Any pointers would be good, as this is the first time I've tried this. Thank you.
Running config below:
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 description Zen Internet
 nameif outside
 security-level 0
 pppoe client vpdn group Zen
 ip address 82.222.222.38 255.255.255.255 pppoe setroute
boot system disk0:/asa922-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network MY-LAN
 subnet 192.168.1.0 255.255.255.0
object network THIER-LAN
 subnet 192.168.30.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.30.0_24
 subnet 192.168.30.0 255.255.255.0
object network THIER_VPN
 host 81.111.111.156
 description THIER VPN 
object service Sophos_Admin
 service tcp destination eq 4444
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
 protocol-object esp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
 protocol-object esp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
 protocol-object esp
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object udp destination eq domain
 service-object object Sophos_Admin
 service-object tcp destination eq www
 service-object tcp destination eq https
 service-object esp
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object object Sophos_Admin
 service-object esp
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_3
 service-object ip
 service-object esp
 service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_4
 service-object object Sophos_Admin
 service-object icmp echo
 service-object icmp echo-reply
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 object MY-LAN object THIER-LAN
access-list outside_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_2 object MY-LAN object THIER-LAN
access-list inside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_1 object THIER-LAN object MY-LAN
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_3 object THIER_VPN host 82.222.222.38
access-list outside_access_out extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 object THIER_VPN host 82.222.222.38
access-list inside_access_out extended permit object-group DM_INLINE_SERVICE_4 object MY-LAN object THIER-LAN
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-722.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 81.111.111.156
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 81.111.111.156
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 7800
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 7800
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group Zen request dialout pppoe
vpdn group Zen localname MYISP@zen
vpdn group Zen ppp authentication chap
vpdn username MYISP@zen password ***** store-local
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.36 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside
webvpn
 anyconnect-essentials
group-policy GroupPolicy_81.111.111.156 internal
group-policy GroupPolicy_81.111.111.156 attributes
 vpn-tunnel-protocol ikev1
username admin password JsE9Hv42G/zRUcG4 encrypted privilege 15
username bob password lTKS32e90Yo5l2L/ encrypted
tunnel-group 81.111.111.156 type ipsec-l2l
tunnel-group 81.111.111.156 general-attributes
 default-group-policy GroupPolicy_81.111.111.156
tunnel-group 81.111.111.156 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:9430c8a44d330d2b55f981274599a67e
: end
ciscoasa#
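As an added example (not code from the thread), a small Python lint that reads an ASA 8.3+ running-config in the form pasted above and flags two things a defender checks first when a site-to-site tunnel is up but passes no traffic: a crypto ACL whose local-to-remote selectors have no twice-NAT identity (NAT exemption) rule while object NAT `dynamic interface` is in force, and duplicate crypto map entries to the same peer. The function names, the `SAMPLE_CONFIG` excerpt built from the posted config, and the `NAT_EXEMPT_LINE` it is compared against are this example's own assumptions; it only understands ACEs written with `object` operands.

```python
import re
from collections import defaultdict

# Constructed excerpt of the config posted in the thread: only the lines the
# checks below read, with the addresses exactly as posted.
SAMPLE_CONFIG = """\
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network MY-LAN
 subnet 192.168.1.0 255.255.255.0
object network THIER-LAN
 subnet 192.168.30.0 255.255.255.0
access-list outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_3 object MY-LAN object THIER-LAN
access-list outside_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_2 object MY-LAN object THIER-LAN
object network obj_any
 nat (inside,outside) dynamic interface
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 81.111.111.156
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 81.111.111.156
"""

# The twice-NAT identity rule (ASA 8.3+ form of the old "nat 0 access-list")
# that the posted config lacks; appended in the test to show the finding clearing.
NAT_EXEMPT_LINE = ("nat (inside,outside) source static MY-LAN MY-LAN "
                   "destination static THIER-LAN THIER-LAN no-proxy-arp route-lookup\n")


def parse_asa_config(text):
    """Collect network objects, crypto ACL entries, crypto-map entries and NAT rules."""
    cfg = {"objects": {}, "acls": defaultdict(list),
           "crypto": defaultdict(dict), "nat": []}
    current_obj = None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if m := re.match(r"object network (\S+)", line):
            current_obj = m.group(1)
        elif m := re.match(r" subnet (\S+) (\S+)", line):
            cfg["objects"][current_obj] = (m.group(1), m.group(2))
        elif m := re.match(r" nat \((\S+)\) (.+)", line):           # object NAT
            cfg["nat"].append(f"object {current_obj} nat ({m.group(1)}) {m.group(2)}")
        elif re.match(r"nat \(\S+\) .+", line):                     # twice NAT
            cfg["nat"].append(line)
        elif m := re.match(r"access-list (\S+) extended permit (.+)", line):
            cfg["acls"][m.group(1)].append(m.group(2))
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            cfg["crypto"][(m.group(1), int(m.group(2)))]["acl"] = m.group(3)
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            cfg["crypto"][(m.group(1), int(m.group(2)))]["peer"] = m.group(3)
    return cfg


def acl_endpoints(ace, objects):
    """(local, remote) subnets of an ACE written with 'object X' operands, else None."""
    subnets = [objects[n] for n in re.findall(r"\bobject (\S+)", ace) if n in objects]
    return (subnets[0], subnets[1]) if len(subnets) == 2 else None


def nat_exempt_exists(cfg, local, remote):
    """True if a twice-NAT identity rule (real == mapped both ways) covers local -> remote."""
    pat = r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)"
    for rule in cfg["nat"]:
        if m := re.match(pat, rule):
            s_real, s_map, d_real, d_map = m.groups()
            if (s_real == s_map and d_real == d_map
                    and cfg["objects"].get(s_real) == local
                    and cfg["objects"].get(d_real) == remote):
                return True
    return False


def lint_l2l(text):
    """Findings for the 'tunnel up, no traffic' pitfalls this example checks."""
    cfg = parse_asa_config(text)
    findings, seen, nat_reported = [], {}, set()
    # Object NAT 'dynamic interface' PATs everything leaving inside, VPN traffic included.
    dynamic_pat = any(r.endswith("dynamic interface") for r in cfg["nat"])
    for key, entry in sorted(cfg["crypto"].items()):
        acl = entry.get("acl")
        if acl not in cfg["acls"]:
            findings.append(f"{key}: match-address ACL {acl!r} is missing or empty")
            continue
        for ace in cfg["acls"][acl]:
            ends = acl_endpoints(ace, cfg["objects"])
            if ends is None:
                continue
            local, remote = ends
            sig = (entry.get("peer"), ends)
            if sig in seen:
                findings.append(f"{key}: duplicates crypto map entry {seen[sig]} "
                                f"(same peer, same {local[0]} -> {remote[0]} selectors)")
            seen.setdefault(sig, key)
            if dynamic_pat and ends not in nat_reported and not nat_exempt_exists(cfg, local, remote):
                nat_reported.add(ends)
                findings.append(f"{key}: no NAT exemption for {local[0]} {local[1]} -> "
                                f"{remote[0]} {remote[1]}; dynamic PAT rewrites the source "
                                "before the crypto ACL is evaluated, so nothing matches the tunnel")
    return findings
```

Run `lint_l2l(SAMPLE_CONFIG)` to see both findings, and `lint_l2l(SAMPLE_CONFIG + NAT_EXEMPT_LINE)` to see only the duplicate-entry finding remain.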

Hi,
I started again and used various combinations of encryption etc., but they all come back the same, so I'm at a loss.
Output of debug crypto ipsec 128:
IPSEC: New embryonic SA created @ 0xcdbaeff8,
    SCB: 0xCDC33C70,
    Direction: inbound
    SPI      : 0x6699A5F8
    Session ID: 0x00006000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xcdc76048,
    SCB: 0xCDB97B98,
    Direction: outbound
    SPI      : 0xB4E5EBD5
    Session ID: 0x00006000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xB4E5EBD5
IPSEC: Creating outbound VPN context, SPI 0xB4E5EBD5
    Flags: 0x00000005
    SA   : 0xcdc76048
    SPI  : 0xB4E5EBD5
    MTU  : 1492 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x3653C7F5
    Channel: 0xc8c234e0
IPSEC: Completed outbound VPN context, SPI 0xB4E5EBD5
    VPN handle: 0x0003820c
IPSEC: New outbound encrypt rule, SPI 0xB4E5EBD5
    Src addr: 192.168.1.0
    Src mask: 255.255.255.0
    Dst addr: 192.168.30.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xB4E5EBD5
    Rule ID: 0xca9505d8
IPSEC: New outbound permit rule, SPI 0xB4E5EBD5
    Src addr: 88.222.222.38
    Src mask: 255.255.255.255
    Dst addr: 80.111.111.156
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xB4E5EBD5
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0xB4E5EBD5
    Rule ID: 0xcdc482c8
IPSEC: New embryonic SA created @ 0xcdbaeff8,
    SCB: 0xCDC33C70,
    Direction: inbound
    SPI      : 0x6699A5F8
    Session ID: 0x00006000
    VPIF num  : 0x00000003
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host IBSA update, SPI 0x6699A5F8
IPSEC: Creating inbound VPN context, SPI 0x6699A5F8
    Flags: 0x00000006
    SA   : 0xcdbaeff8
    SPI  : 0x6699A5F8
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0003820C
    SCB  : 0x363F2BE7
    Channel: 0xc8c234e0
IPSEC: Completed inbound VPN context, SPI 0x6699A5F8
    VPN handle: 0x00040e4c
IPSEC: Updating outbound VPN context 0x0003820C, SPI 0xB4E5EBD5
    Flags: 0x00000005
    SA   : 0xcdc76048
    SPI  : 0xB4E5EBD5
    MTU  : 1492 bytes
    VCID : 0x00000000
    Peer : 0x00040E4C
    SCB  : 0x3653C7F5
    Channel: 0xc8c234e0
IPSEC: Completed outbound VPN context, SPI 0xB4E5EBD5
    VPN handle: 0x0003820c
IPSEC: Completed outbound inner rule, SPI 0xB4E5EBD5
    Rule ID: 0xca9505d8
IPSEC: Completed outbound outer SPD rule, SPI 0xB4E5EBD5
    Rule ID: 0xcdc482c8
IPSEC: New inbound tunnel flow rule, SPI 0x6699A5F8
    Src addr: 192.168.30.0
    Src mask: 255.255.255.0
    Dst addr: 192.168.1.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x6699A5F8
    Rule ID: 0xcdc35348
IPSEC: New inbound decrypt rule, SPI 0x6699A5F8
    Src addr: 80.111.111.156
    Src mask: 255.255.255.255
    Dst addr: 88.222.222.38
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x6699A5F8
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x6699A5F8
    Rule ID: 0xc96f7cc8
IPSEC: New inbound permit rule, SPI 0x6699A5F8
    Src addr: 80.111.111.156
    Src mask: 255.255.255.255
    Dst addr: 88.222.222.38
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x6699A5F8
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x6699A5F8
    Rule ID: 0xc96f6388

Similar Messages

  • ASA 5505 VPN can't access connected network

    I have an ASA 5505 with IPsec VPN configured on it. I am able to connect to the ASA but I can't ping a connected network. I get a DHCP-assigned address in the network I am trying to reach but can't access that network on Vlan5. Please help.
    I attached the config.

    I think a final question: can you have two nat statements that point to the same acl, i.e.
    access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.9.0 255.255.255.0 172.31.1.0 255.255.255.0
    access-list no_nat extended permit ip 192.168.5.0 255.255.255.0 192.168.5.0 255.255.255.0
    nat (inside) 0 access-list no_nat
    nat (inside) 1 192.168.9.0 255.255.255.0
    nat (fw-civic) 0 access-list no_nat
    nat (fw-civic) 1 192.168.5.0 255.255.255.0
    Or do I need to create a new acl for the fw-civic interface?
    Thanks

  • Bonjour - Mac A can see Mac B but not vice versa

    Hi
    Very odd behaviour with Bonjour. Up until yesterday, my MacBook Pro (call it A) would see my Mac Pro (B) - it would appear automatically in A's sidebar, I could listen to B's iTunes library on A and so on. No problem, and there hasn't been for a couple of years. B could not see A - but I didn't really need it to and this wasn't an issue.
    Suddenly, this morning, the situation is completely reversed. A can no longer see B at all, but B can see A.
    I can connect both ways by using 'Connect', I can ping both ways, but I can't get A to discover B using Bonjour.
    The only thing I've done that I can think could have caused the change is to use OmniFocus sync (with B holding the sync server) - it worked fine all day, but overnight Bonjour seems to have reversed itself as described above.
    Bonjour Browser shows me that B can see A, but A can't see B. I have identical settings on both machines for sharing, network, firewall (all everything).
    Bizarrely, for one two minute period a couple of hours ago, the situation reversed itself (A could see B but not vice versa), but then immediately went back to B can see A, but not vice versa.
    Both computers are running the same version of Leopard (10.5.7). I've reinstalled the OS on B, just to see, but this hasn't improved matters.
    I can find nothing on Google or this discussions forum to explain this bizarre behaviour - most support threads seem to peter out without being resolved. Has anyone any idea what's going on, please? I'm quite happy getting stuck into the command line, if that's needed.
    Many thanks
    David

    The Macbook Pro is connected wirelessly to the router, the Mac Pro connects to the same router by ethernet.
    As far as I'm aware, I'd made no changes to any of the setups (computers or router) before the problem occurred: Bonjour worked fine, but in one direction only (the MBP could see the Mac Pro, but not vice versa). Now, the Mac Pro can see the MBP, but not vice versa - and this is a problem because my printer and iTunes server both sit on the Mac Pro.
    I've set all the firewall and security settings I could find to transparent access - and (except for the obvious difference between the wired and wireless links), the setups are identical on both computers.
    By the way, I can connect to the Mac Pro easily enough and transfer files; I just can't see it via Bonjour or use Screen Sharing (again, the settings haven't changed since they were working!).
    Many thanks
    David

  • ASA firewall wont ping remote site

    We have a remote office which I can ping while at the main office, but when I am connected to the VPN from the office or home, I can't ping the remote office.
    The VPN gives me an IP of 10.21.18.x
    The remote site's IP is: 172.29.x.x
    I have the access-list information for the ASA firewall and router below.
    Below is the multilayer:
    OFFICE-CORE-01#show ip access-lists
    Extended IP access list verizon-INTERNET-TRAFFIC
        10 deny ip 10.21.0.0 0.0.255.255 10.0.0.0 0.255.255.255
        20 deny ip 10.21.0.0 0.0.255.255 172.16.0.0 0.15.255.255
        30 deny ip 10.21.0.0 0.0.255.255 192.168.0.0 0.0.255.255
        40 permit ip 10.23.20.0 0.0.0.255 any
        50 permit ip 10.23.21.0 0.0.0.255 any
        60 permit ip 10.23.22.0 0.0.0.255 any
        70 permit ip 10.23.23.0 0.0.0.255 any
        80 permit ip 10.23.24.0 0.0.0.255 any
        90 permit ip 10.23.25.0 0.0.0.255 any
        100 permit ip 10.23.26.0 0.0.0.255 any
    Extended IP access list PAETEC-INTERNET-TRAFFIC
        10 deny ip 10.21.0.0 0.0.255.255 10.0.0.0 0.255.255.255
        20 deny ip 10.21.0.0 0.0.255.255 172.16.0.0 0.15.255.255
        30 deny ip 10.21.0.0 0.0.255.255 192.168.0.0 0.0.255.255
        40 permit ip 10.23.20.0 0.0.0.255 any
        50 permit ip 10.23.21.0 0.0.0.255 any
        60 permit ip 10.23.22.0 0.0.0.255 any
        70 permit ip 10.23.23.0 0.0.0.255 any
        80 permit ip 10.23.24.0 0.0.0.255 any
        90 permit ip 10.23.25.0 0.0.0.255 any
        100 permit ip 10.23.26.0 0.0.0.255 any
    Extended IP access list system-cpp-all-routers-on-subnet
        10 permit ip any host 224.0.0.2
    Extended IP access list system-cpp-all-systems-on-subnet
        10 permit ip any host 224.0.0.1
    Extended IP access list system-cpp-dhcp-cs
        10 permit udp any eq bootpc any eq bootps
    Extended IP access list system-cpp-dhcp-sc
        10 permit udp any eq bootps any eq bootpc
    Extended IP access list system-cpp-dhcp-ss
        10 permit udp any eq bootps any eq bootps
    Extended IP access list system-cpp-energywise-disc
        10 permit udp any eq any eq 0
    Extended IP access list system-cpp-hsrpv2
        10 permit udp any host 224.0.0.102
    Extended IP access list system-cpp-igmp
        10 permit igmp any 224.0.0.0 31.255.255.255
    Extended IP access list system-cpp-ip-mcast-linklocal
        10 permit ip any 224.0.0.0 0.0.0.255
    Extended IP access list system-cpp-ospf
        10 permit ospf any 224.0.0.0 0.0.0.255
    Extended IP access list system-cpp-pim
        10 permit pim any 224.0.0.0 0.0.0.255
    Extended IP access list system-cpp-ripv2
        10 permit ip any host 224.0.0.9
    ----------------------------------ASA ACCESS-LIST is below the brief version-------
    access-list CompanyName-vpn-maint_splitTunnelAcl line 10 standard permit 172.29.0.0 255.255.0.0 (hitcnt=0) 0x52bc4d4c
    -----------------------below is the ASA routes-----------------------
    Gateway of last resort is 53.138.58.129 to network 0.0.0.0
    S    192.168.10.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    C    172.17.21.0 255.255.255.0 is directly connected, dmz_tier2
    S    172.16.142.0 255.255.254.0 [1/0] via 53.138.58.129, outside
    C    172.16.21.0 255.255.255.0 is directly connected, dmz_tier1
    C    172.19.21.0 255.255.255.0 is directly connected, dmz_tier4
    S    172.23.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
    S    172.25.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.25.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.24.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    172.26.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.26.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.29.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
    S    172.29.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.28.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.28.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    192.168.20.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S    10.11.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    10.13.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    10.10.21.1 255.255.255.255 [1/0] via 10.21.0.1, inside
    S    10.10.21.2 255.255.255.255 [1/0] via 10.21.0.1, inside
    S    10.22.0.0 255.255.0.0 [1/0] via 53.138.58.129, outside
    S    10.23.3.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S    10.23.2.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S    10.21.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    10.10.21.10 255.255.255.255 [1/0] via 10.21.0.1, inside
    C    10.21.0.0 255.255.255.0 is directly connected, inside
    S    10.22.3.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    10.10.41.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    C    53.138.58.128 255.255.255.128 is directly connected, outside
    S    192.168.2.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S*   0.0.0.0 0.0.0.0 [1/0] via 53.138.58.129, outside
    S    0.0.0.0 0.0.0.0 [255/0] via 10.21.0.1, inside tunneled
    ------------------------------------below is the router's routes----------
    Gateway of last resort is 10.21.0.11 to network 0.0.0.0
         205.232.16.0/32 is subnetted, 1 subnets
    S       205.232.16.25 [1/0] via 10.21.0.11
         62.0.0.0/32 is subnetted, 1 subnets
    S       62.100.0.146 [1/0] via 10.21.0.12
         178.78.0.0/32 is subnetted, 1 subnets
    S       178.78.147.193 [1/0] via 10.21.0.12
    C    192.168.10.0/24 is directly connected, Vlan29
         172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
    S       172.16.141.0/24 [1/0] via 10.21.0.11
    S       172.16.142.0/23 [1/0] via 10.21.0.11
    S       172.16.40.1/32 [1/0] via 10.21.2.12
    S       172.16.40.10/32 [1/0] via 10.21.2.12
    S       172.16.21.0/24 [1/0] via 10.21.0.11
         172.19.0.0/24 is subnetted, 1 subnets
    S       172.19.21.0 [1/0] via 10.21.0.11
         172.18.0.0/24 is subnetted, 1 subnets
    S       172.18.21.0 [1/0] via 10.21.0.12
         172.23.0.0/24 is subnetted, 3 subnets
    S       172.23.186.0 [1/0] via 10.21.0.6
    S       172.23.184.0 [1/0] via 10.21.0.6
    S       172.23.181.0 [1/0] via 10.21.0.6
    S    172.25.0.0/16 [1/0] via 10.21.0.11
         172.24.0.0/24 is subnetted, 3 subnets
    C       172.24.181.0 is directly connected, Vlan31
    C       172.24.186.0 is directly connected, Vlan32
    C       172.24.187.0 is directly connected, Vlan33
    S    172.26.0.0/16 [1/0] via 10.21.0.11
         172.29.0.0/24 is subnetted, 3 subnets
    S       172.29.181.0 [1/0] via 10.21.0.6
    S       172.29.184.0 [1/0] via 10.21.0.6
    S       172.29.190.0 [1/0] via 10.21.0.6
    S    172.28.0.0/16 [1/0] via 10.21.0.11
    C    192.168.20.0/24 is directly connected, Vlan30
         10.0.0.0/8 is variably subnetted, 35 subnets, 4 masks
    S       10.11.0.0/16 [1/0] via 10.21.0.6
    C       10.21.28.0/24 is directly connected, Vlan28
    C       10.21.26.0/24 is directly connected, Vlan26
    C       10.21.25.0/24 is directly connected, Vlan25
    S       10.12.0.0/16 [1/0] via 10.21.0.6
    C       10.21.24.0/24 is directly connected, Vlan24
    S       10.13.0.0/16 [1/0] via 10.21.0.6
    C       10.21.23.0/24 is directly connected, Vlan23
    C       10.21.22.0/24 is directly connected, Vlan22
    C       10.21.21.0/24 is directly connected, Vlan21
    C       10.21.20.0/24 is directly connected, Vlan20
    C       10.21.19.0/24 is directly connected, Vlan19
    S       10.21.18.0/24 [1/0] via 10.21.0.12
    S       10.21.17.0/24 [1/0] via 10.21.0.11
    C       10.21.16.0/24 is directly connected, Vlan16
    C       10.21.15.0/24 is directly connected, Vlan15
    C       10.21.14.0/24 is directly connected, Vlan14
    C       10.21.13.0/24 is directly connected, Vlan13
    C       10.21.12.0/24 is directly connected, Vlan12
    C       10.21.11.0/24 is directly connected, Vlan11
    C       10.10.21.1/32 is directly connected, Loopback0
    S       10.31.0.0/16 [1/0] via 10.21.0.6
    D       10.10.21.2/32 [90/130816] via 10.21.252.10, 7w0d, Vlan999
    C       10.21.5.0/24 is directly connected, Vlan5
    C       10.21.4.0/24 is directly connected, Vlan4
    S       10.22.0.0/16 [1/0] via 10.21.0.11
    C       10.21.3.0/24 is directly connected, Vlan3
    C       10.21.2.0/24 is directly connected, Vlan2
    C       10.23.2.0/24 is directly connected, Vlan900
    S       10.22.3.0/24 [1/0] via 10.21.0.11
    C       10.21.0.0/24 is directly connected, Vlan1000
    S       10.41.0.0/16 [1/0] via 10.21.0.11
    S       10.10.41.0/24 [1/0] via 10.21.0.11
    S       10.51.0.0/16 [1/0] via 10.21.0.6
    C       10.21.252.8/30 is directly connected, Vlan999
         62.0.0.0/32 is subnetted, 1 subnets
    S       62.138.58.129 [1/0] via 10.21.0.11
    S    192.168.2.0/24 [1/0] via 10.21.0.12
    S*   0.0.0.0/0 [1/0] via 10.21.0.11

    S       172.29.190.0 [1/0] via 10.21.0.6
    S    172.28.0.0/16 [1/0] via 10.21.0.11
    C    192.168.20.0/24 is directly connected, Vlan30
         10.0.0.0/8 is variably subnetted, 35 subnets, 4 masks
    S       10.11.0.0/16 [1/0] via 10.21.0.6
    C       10.21.28.0/24 is directly connected, Vlan28
    C       10.21.26.0/24 is directly connected, Vlan26
    C       10.21.25.0/24 is directly connected, Vlan25
    S       10.12.0.0/16 [1/0] via 10.21.0.6
    C       10.21.24.0/24 is directly connected, Vlan24
    S       10.13.0.0/16 [1/0] via 10.21.0.6
    C       10.21.23.0/24 is directly connected, Vlan23
    C       10.21.22.0/24 is directly connected, Vlan22
    C       10.21.21.0/24 is directly connected, Vlan21
    C       10.21.20.0/24 is directly connected, Vlan20
    C       10.21.19.0/24 is directly connected, Vlan19
    S       10.21.18.0/24 [1/0] via 10.21.0.12
    S       10.21.17.0/24 [1/0] via 10.21.0.11
    C       10.21.16.0/24 is directly connected, Vlan16
    C       10.21.15.0/24 is directly connected, Vlan15
    C       10.21.14.0/24 is directly connected, Vlan14
    C       10.21.13.0/24 is directly connected, Vlan13
    C       10.21.12.0/24 is directly connected, Vlan12
    C       10.21.11.0/24 is directly connected, Vlan11
    C       10.10.21.1/32 is directly connected, Loopback0
    S       10.31.0.0/16 [1/0] via 10.21.0.6
    D       10.10.21.2/32 [90/130816] via 10.21.252.10, 7w0d, Vlan999
    C       10.21.5.0/24 is directly connected, Vlan5
    C       10.21.4.0/24 is directly connected, Vlan4
    S       10.22.0.0/16 [1/0] via 10.21.0.11
    C       10.21.3.0/24 is directly connected, Vlan3
    C       10.21.2.0/24 is directly connected, Vlan2
    C       10.23.2.0/24 is directly connected, Vlan900
    S       10.22.3.0/24 [1/0] via 10.21.0.11
    C       10.21.0.0/24 is directly connected, Vlan1000
    S       10.41.0.0/16 [1/0] via 10.21.0.11
    S       10.10.41.0/24 [1/0] via 10.21.0.11
    S       10.51.0.0/16 [1/0] via 10.21.0.6
    C       10.21.252.8/30 is directly connected, Vlan999
         62.0.0.0/32 is subnetted, 1 subnets
    S       62.138.58.129 [1/0] via 10.21.0.11
    S    192.168.2.0/24 [1/0] via 10.21.0.12
    S*   0.0.0.0/0 [1/0] via 10.21.0.11

  • ASA 5505 VPN can't access inside host

    I have setup remote VPN access on a ASA 5505 but cannot access the host or ASA when I login using the VPN. I can connect with the Cisco VPN client and the VPN light is on on the ASA and it shows that I'm connected. I have the correct IP address but I cannot ping or connect to any of the internal addresses. I cannot find what I'm missing. I have the VPN bypassing the interface ACLs. Since I can login but not go anywhere I feel certain I missed something.
    part of config below
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    ip local pool xxxx 10.1.1.50-10.1.1.55 mask 255.255.255.0
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto dynamic-map inside_dyn_map 20 set pfs
    crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    service-policy global_policy global
    group-policy xxxxxxx internal
    group-policy xxxxxxx attributes
    banner value xxxxx Disaster Recovery Site
    wins-server none
    dns-server value 24.xxx.xxx.xx
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelall
    default-domain none
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout none
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools value xxxxxx
    smartcard-removal-disconnect enable
    client-firewall none
    webvpn
    functions url-entry
    vpn-nac-exempt none
    no vpn-addr-assign aaa
    no vpn-addr-assign dhcp
    tunnel-group xxxx type ipsec-ra
    tunnel-group xxxx general-attributes
    address-pool xxxx
    default-group-policy xxxx
    tunnel-group blountdr ipsec-attributes
    pre-shared-key *

    I get the banner and IP address info...
    This is what the client log provides...
    1 13:45:32.942 05/30/08 Sev=Warning/2 CVPND/0xE3400013
    AddRoute failed to add a route: code 87
    Destination 172.20.255.255
    Netmask 255.255.255.255
    Gateway 10.1.2.1
    Interface 10.1.2.5
    2 13:45:32.942 05/30/08 Sev=Warning/2 CM/0xA3100024
    Unable to add route. Network: ac14ffff, Netmask: ffffffff, Interface: a010205, Gateway: a010201.

  • Asa 5505 inside to outside ping ?

    Hello, for some reason I cannot ping from a host on my inside network to my outside network interface
    i.e. ping from 192.168.0.100 to 192.168.200.2
    Also vice versa, when I ping from the asa5505's outside interface to any inside network address it does not work.
    Can anyone see what this is? It has to be something simple.
    Thanks kindly for any help.
    Result of the command: "show running-config"
    ASA Version 8.0(2)
    hostname philASA5505
    domain-name phil.home
    enable password ma.B/.HgoVfoLiCL encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.254 255.255.255.0
    ospf cost 10
    interface Vlan2
    no forward interface Vlan5
    nameif outside
    security-level 100
    ip address 192.168.200.2 255.255.255.0
    ospf cost 10
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 5
    passwd ma.B/.HgoVfoLiCL encrypted
    ftp mode passive
    clock timezone NZST 12
    clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
    dns server-group DefaultDNS
    domain-name phil.home
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network lan
    description lan
    network-object host 192.168.100.0
    access-list outside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.200.0 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list outside_access_in extended permit ip any any
    pager lines 24
    logging enable
    logging asdm errors
    mtu inside 1500
    mtu outside 1500
    ip local pool philpool 192.168.0.1-192.168.0.99 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.0.0 255.255.255.0
    nat (outside) 0 access-list outside_nat0_outbound
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 192.168.200.1 1
    route outside 192.168.100.0 255.255.255.0 192.168.200.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    snmp-server enable traps ipsec start stop
    snmp-server enable traps entity config-change fru-insert fru-remove
    snmp-server enable traps remote-access session-threshold-exceeded
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 192.168.200.1
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 28800
    no crypto isakmp nat-traversal
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.0.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    dhcpd address 192.168.0.100-192.168.0.120 inside
    dhcpd dns 8.8.8.8 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    class-map global-class
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global-policy
    class global-class
      inspect icmp
    service-policy global-policy global
    webvpn
    enable outside
    svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
    svc enable
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy philtunnel internal
    group-policy philtunnel attributes
    dns-server value 4.2.2.2 8.8.8.8
    vpn-tunnel-protocol IPSec
    username phil password DfN1FSNE/PrGENWQ encrypted privilege 15
    tunnel-group 192.168.200.1 type ipsec-l2l
    tunnel-group 192.168.200.1 ipsec-attributes
    pre-shared-key *
    prompt hostname context
    Cryptochecksum:809d3cdfdada66715a76c3aa57905add
    : end

    I do not see in your config an entry for
    policy-map global-policy
    is there an entry for this that somehow did not get posted?
    and under that policy-map is there an entry for
    class global-class
    and under that is there an entry for
    inspect icmp
    If these are missing then I suggest that you add them to your config and see if the behavior changes.
    HTH
    Rick

  • ASA 5505 VPN can't access inside hosts

    I have configured VPN on the 5505 using ASDM and I'm able to connect to the 5505 and the client is also getting an IP-address from the configured pool.
    The Cisco VPN client shows an error in the log: AddRoute failed to add a route: code 87
    Cisco

    No, I can't ping anything.
    And here is the route print output after connection:
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10003 ...00 0c 29 48 d4 50 ...... VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
    0x10004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.222.101 192.168.222.100 1
    85.82.25.170 255.255.255.255 192.168.129.2 192.168.129.130 1
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    192.168.129.0 255.255.255.0 192.168.129.130 192.168.129.130 10
    192.168.129.0 255.255.255.0 192.168.222.101 192.168.222.100 10
    192.168.129.130 255.255.255.255 127.0.0.1 127.0.0.1 10
    192.168.129.254 255.255.255.255 192.168.129.130 192.168.129.130 1
    192.168.129.255 255.255.255.255 192.168.129.130 192.168.129.130 10
    192.168.222.100 255.255.255.255 127.0.0.1 127.0.0.1 10
    192.168.222.255 255.255.255.255 192.168.222.100 192.168.222.100 10
    224.0.0.0 240.0.0.0 192.168.129.130 192.168.129.130 10
    224.0.0.0 240.0.0.0 192.168.222.100 192.168.222.100 10
    255.255.255.255 255.255.255.255 192.168.129.130 192.168.129.130 1
    255.255.255.255 255.255.255.255 192.168.222.100 192.168.222.100 1
    Default Gateway: 192.168.222.101
    ===========================================================================
    Persistent Routes:
    None

  • How can I change remote site definition without breaking all of the links?

    I've created a website and put it here http://home.comcast.net/~alpsf/index.html to test it during construction.  Now when I change the remote site definition on the local site in DW, all of the links are broken.  I now suspect the problem is that I made it site root-relative, and DW inserted /~alpsf/ in all of the links.  Is there a way to fix this?
    Thanks very much.

    You can do a find and replace to change the links globally. Make sure you do a complete backup of the site prior to doing this in case you don't do it correctly. Let me stress that again: back up your entire site in case you need to restore. If you have created a "new site" and this will not be part of the /~alpsf site, then you will need to define a new site and copy all the files into that folder (I am guessing this is the case). I would copy the files outside of Dreamweaver. You could do this without touching the files in the ~alpsf directory. There are a lot of variables here as I don't know exactly what you are doing.
    On the file menu select window/results-select search. (this is done if the search window is not open).
    Find in: Entire Current Local Site
    Search: Source Code
    Find: "/~alpsf/
    Replace:"/
    That should do it, but this is a very tricky thing. I wouldn't have a problem doing this as long as I have everything backed up.
    Jim
    Edited: You might have to go into your css, spry files and any others that have links to do the same (this time only select Find in: Current document once the document is open). Once that is done, delete the whole remote site and upload the changes once you check that everything is completed.

  • ASA 5505-VPN- Can't use AD services

    New install:5505 VPN with MS Active Directory services on LAN.
    I can VPN into the network but cannot e.g. join my laptop to the Domain. Message says "cannot find domain". I can ping the PDC, RDP onto the PDC or any system on the LAN. Also, applications that are on the remote laptop and rely on LAN resources fail.
    Any help would be welcome

    Sorry, just realized I did not attach config!

  • Cisco VPN client can't ping remote network.

    I have recently installed a Cisco 5505 and have problems with some of the Cisco VPN Hosts I connect to using the Cisco VPN dialer. The Cisco Dialer connects fine but I am unable to connect to any computers on the remote network.
    I have tracked the issue down to the ones that work & the ones that don't. If the remote Cisco is on the same sub-net as the computers I am connecting to, it works fine. If the remote Cisco is on a different sub-net than the computer I am trying to connect to, it won't work unless I set up a static NAT for a given PC on my network.
    When I run through the dynamic Nat for my network I get the following error on the 5505.
    regular translation creation failed for protocol 50 src inside:192.168.97.215 dst outside:xx.xxx.xx.xxx
    I have been trying to find a solution to this issue ever since I installed the router and have not had any luck with any of the suggestions I have found on the Web. I have attached my config.
    Any help would be appreciated.
    Mike

    Thanks for your response.
    Yes, that's exactly the setup we are trying to get to work.
    I have a call into them now and will check on their setup, but I have no control over how they configure their routers; I can only make requests.
    I was hoping there was something causing it on my side as I deal with Hospitals and they can get very picky about their security.
    I guess what is confusing me is it works if it goes through a Static Nat but not if it runs through our dynamic Nat.
    Mike

  • ASA 5505 VPN Can not connect clients

    Hi,
    I tried to search for an answer to this question but I couldn't find the answer.
    I configured the VPN on the ASA, but I cannot get a client to connect to the ASA. I've tried and searched for an answer and I really need some help!
    Any help is greatly appreciated.
    : Saved
    ASA Version 7.2(2)
    hostname
    domain-name
    enable password
    names
    ddns update method
    ddns both
    interface Vlan1
    nameif inside
    security-level 100
    ddns update hostname
    ddns update
    dhcp client update dns
    ip address 192.168.1.1 255.255.255.0
    ospf cost 10
    interface Vlan2
    nameif outside
    security-level 0
    ip address x.x.x.x 255.255.255.0
    ospf cost 10
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server
    name-server
    domain-name
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list EasyVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    access-list OUTSIDE_IN_ACL extended permit ip any any
    access-list OUTSIDE_IN_ACL extended permit icmp any interface outside
    access-list Remote-VPN_splitTunnelAcl standard permit any
    access-list DefaultRAGroup_splitTunnelAcl standard permit any
    access-list Bild_splitTunnelAcl standard permit any
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool TKK 192.168.1.200-192.168.1.220 mask 255.255.255.224
    ip local pool VPN-Pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
    no failover
    monitor-interface inside
    monitor-interface outside
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any outside
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 0 access-list outside_nat0_outbound
    static (inside,inside) tcp interface 3389 access-list inside_nat_static
    static (inside,inside) tcp interface ftp access-list inside_nat_static_2
    static (outside,inside) x.x.x.x 192.168.1.0 netmask 255.255.255.255 dns
    access-group inside_access_in in interface inside
    access-group inside_access_out out interface inside
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    vpn-tunnel-protocol l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server value 192.168.1.253
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission
    to use any of the VPN features. Contact your IT administrator for more information
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy EasyVPN internal
    group-policy EasyVPN attributes
    dns-server value 192.168.1.253
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value EasyVPN_splitTunnelAcl
    default-domain value xxx.se
    group-policy Remote-VPN internal
    group-policy Remote-VPN attributes
    dns-server value 192.168.1.253
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Remote-VPN_splitTunnelAcl
    default-domain value xxx.se
    group-policy CiscoASA internal
    group-policy CiscoASA attributes
    dns-server value 192.168.1.253 x.x.x.x
    vpn-tunnel-protocol IPSec webvpn
    group-policy Bild internal
    group-policy Bild attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Bild_splitTunnelAcl
    username User attributes
    vpn-group-policy DfltGrpPolicy
    username Bild password encrypted privilege 0
    username Bild attributes
    vpn-group-policy Bild
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 40 set pfs
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 60 set pfs
    crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 80 set pfs
    crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 100 set pfs
    crypto dynamic-map outside_dyn_map 100 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 120 set pfs
    crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 140 set pfs
    crypto dynamic-map outside_dyn_map 140 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 160 set pfs
    crypto dynamic-map outside_dyn_map 160 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 180 set pfs
    crypto dynamic-map outside_dyn_map 180 set transform-set TRANS_ESP_DES_SHA
    crypto dynamic-map outside_dyn_map 200 set pfs
    crypto dynamic-map outside_dyn_map 200 set transform-set ESP-DES-SHA
    crypto dynamic-map outside_dyn_map 220 set pfs
    crypto dynamic-map outside_dyn_map 220 set transform-set ESP-DES-SHA
    crypto dynamic-map inside_dyn_map 20 set pfs
    crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    crypto isakmp ipsec-over-tcp port 10000
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpn
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group Bild type ipsec-ra
    tunnel-group Bild general-attributes
    address-pool TKK
    default-group-policy Bild
    tunnel-group Bild ipsec-attributes
    pre-shared-key *
    tunnel-group CiscoASA type ipsec-ra
    tunnel-group CiscoASA general-attributes
    address-pool vpn
    default-group-policy CiscoASA
    tunnel-group CiscoASA ipsec-attributes
    pre-shared-key *
    tunnel-group EasyVPN type ipsec-ra
    tunnel-group EasyVPN general-attributes
    address-pool vpn
    default-group-policy EasyVPN
    tunnel-group EasyVPN ipsec-attributes
    pre-shared-key *
    tunnel-group Remote-VPN type ipsec-ra
    tunnel-group Remote-VPN general-attributes
    address-pool VPN-Pool
    default-group-policy Remote-VPN
    tunnel-group Remote-VPN ipsec-attributes
    pre-shared-key *
    class-map global-class
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global-policy
    class global-class
      inspect ftp
      inspect icmp
      inspect pptp
    service-policy global-policy global
    prompt hostname context
    Cryptochecksum:8cdda33b1993ba7bb33db88d996e939c
    : end

    Hi Fredrik,
    I see your ACL "outside_nat0_outbound" set on the inside interface for no-NAT, but I do not see the ACL being defined anywhere in your config.
    I also strongly recommend creating your VPN pool in a different subnet rather than the same one as the inside IP of your ASA.
    So, let's assume your VPN pool is 192.168.255.1-254/24.
    Your no-NAT for inside will then look like this:
    access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.255.0 255.255.255.0
    Let me know, if this helps.
    thanks

  • Cisco ASA 5505 - outside can't DHCP as router uses same range

    Hi
    I'm new to the ASA and am trying to set up a test net. The ASA is connected to my router on port zero using DHCP.
    (Or I guess it's not, as the router uses the same IP range as the ASA does inside).
    I tried to set a static IP in the same range (eg. 192.168.1.20) but then get the message "cannot overlap with the subnet of interface inside".
    So I believe that is why it doesn't get an IP from my router - it does show up in the router DHCP table as 192.168.1.5 but ASDM home says outside "no IP address".
    I tried to change the inside range of the ASA but if I change the inside IP I lose connection.
    (Had to restore factory-default using the console).
    I guess I could set up another range using the console, but how?
    How can I set up this test net?

    If I need to save, I did not. (I have not used the console before).
    Found the "write memory" and reload commands.
    I can't connect to the ASA using the ASDM-IDM Launcher (from a PC connected to the inside LAN).
    It seems that the ASA DHCP server does not work.
    And: show running-config
    ciscoasa# show running-config
    : Saved
    ASA Version 8.2(5)
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    no ip address
    ftp mode passive
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:5085ad55b43198c7490b2edfee450906
    : end

  • ASA 5510 and VPN access to remote site over Ext WAN

    ASA 5510
    int client IP 172.0.1.XXX /24
    VPN Client IP 172.0.1.248 /29
    Static routes in the ASA
    1) 0.0.0.0 --- points to router1
    2) 172.29.1.1 --- Points to router2
    3) 172.29.1.2 --- Points to router2
    Router1 Internet connection // VPN access in path
    Router2 Dedicated line to offsite hosting // Dedicated routes in ASA
    ................../---- ROUTER 1
    ..Inside -- ASA --- outside (switch 2 rtrs)
    ..................\---- ROUTER 2
    If a PC from inside the network wants to talk with 172.29.1.2 it will work fine. If I VPN into the router, I can connect to anything onsite. I cannot talk to 172.29.1.1 or .2.
    At first I thought it was the same-security-traffic issue and applied same-security-traffic permit inter-interface, then I tried same-security-traffic permit intra-interface.
    Both commands failed. Looking at the diagram I think it's something to do with the fact that I VPN into this ASA. Now router2 sees our ASA as its external, so it sees our 208.12.*.* as the outgoing address and the dest is 172.29.1.1 or .2.
    I did a capture on the outside interface and I see the following. These captures are from the inside PCs accessing the website.
    3000 packets captured
    1: 15:03:38.176733 208.12.*.*.60404 > 172.29.1.2.443: P 2697372408:2697372444(36) ack 2813073572 win 64360
    2: 15:03:38.179815 208.12.*.*.63637 > 172.29.1.2.443: P 3373326671:3373326705(34) ack 3255654279 win 64512
    3: 15:03:38.179876 208.12.*.*.60404 > 172.29.1.2.443: P 2697372444:2697372480(36) ack 2813073572 win 64360
    4: 15:03:38.180181 172.29.1.2.443 > 208.12.*.*.27133: . ack 838693750 win 65456
    5: 15:03:38.180212 172.29.1.2.443 > 208.12.*.*.26920: P 1652457319:1652457373(54) ack 2226176804 win 65482
    Can someone point me in the right direction on how I would get the VPN working so it too can connect to those websites?

    Hi,
    Did you try to do NONAT for the traffic from 172.0.1.0 going to 172.29.1.0?
    Something like this:
    access-list NONAT permit ip 172.0.1.0 255.255.255.0 172.29.1.0 255.255.255.0
    nat (Inside) 0 access-list NONAT

  • Air drop problem: My macbook can see the imac but not vice versa.

    That's about it. When I open AirDrop on my iMac I can't see my MacBook, but when I open AirDrop on my MacBook I can see my iMac. Help?

    I had the same problem on my Mac mini.
    Make sure your computer is on the following list.
    Only the following Apple computers are able to take advantage of the Air Drop feature:
    MacBook Pro (Late 2008 or newer)
    MacBook Air (Late 2010 or newer)
    MacBook (Late 2008 or newer)
    iMac (Early 2009 or newer)
    Mac mini (Mid 2010 or newer)
    Mac Pro (Early 2009 with AirPort Extreme card, or Mid 2010)

  • ASA 5505 VPN clients can't ping router or other clients on network

    I have an ASA5505 and it has a VPN set up. The VPN user connects using the Cisco VPN client. They can connect fine (they get an IP address from the ASA), but they can't ping the ASA or any clients on the network. Here is the running config:
    Result of the command: "show running-config"
    : Saved
    ASA Version 7.2(4)
    hostname ASA
    domain-name default.domain.invalid
    enable password kdnFT44SJ1UFX5Us encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.4 Server
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list vpn_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface www Server www netmask 255.255.255.255
    static (inside,outside) tcp interface https Server https netmask 255.255.255.255
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable 480
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    group-policy vpn internal
    group-policy vpn attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_splitTunnelAcl
    username admin password wwYXKJulWcFrrhXN encrypted privilege 15
    username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
    username VPNuser attributes
    vpn-group-policy vpn
    tunnel-group vpn type ipsec-ra
    tunnel-group vpn general-attributes
    address-pool VPNpool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:df7d1e4f34ee0e155cebe86465f367f5
    : end
    Any ideas what I need to add to get the vpn client to be able to ping the router and clients?
    Thanks.

    I tried that and it didn't work. As for upgrading the ASA version, I'd like to, but this is an old router and I don't have a support contract with Cisco anymore, so I can't access the latest firmware.
    Here is the running config again:
    Result of the command: "show startup-config"
    : Saved
    : Written by enable_15 at 01:48:37.789 MDT Wed Jun 20 2012
    ASA Version 7.2(4)
    hostname ASA
    domain-name default.domain.invalid
    enable password kdnFT44SJ1UFX5Us encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 10.0.0.4 Server
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list vpn_splitTunnelAcl standard permit any
    access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    asdm location Server 255.255.255.255 inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
    static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
    static (inside,outside) tcp interface www Server www netmask 255.255.255.255
    static (inside,outside) tcp interface https Server https netmask 255.255.255.255
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    http server enable 480
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    group-policy vpn internal
    group-policy vpn attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpn_splitTunnelAcl
    username admin password wwYXKJulWcFrrhXN encrypted privilege 15
    username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
    username VPNuser attributes
    vpn-group-policy vpn
    tunnel-group vpn type ipsec-ra
    tunnel-group vpn general-attributes
    address-pool VPNpool
    default-group-policy vpn
    tunnel-group vpn ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:78864f4099f215f4ebdd710051bdb493
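The threads above keep tripping over the same three things in the pre-8.3 NAT syntax: a `nat (inside) 0 access-list NAME` that names an ACL the config never defines (the first reply), a VPN address pool carved out of the inside interface's own subnet (the first reply advises against it; the 7.2(4) config in the last thread does exactly that with VPNpool 10.0.0.220-240 inside 10.0.0.0/24), and a NAT-exemption ACL that does not actually cover the pool (the NONAT suggestion in the 5510 thread). The following is an added example, not Cisco code and not from any of the posters: a small linter that reads a pasted running-config and reports those conditions. It assumes the `nat 0 access-list` syntax of ASA 7.x/8.2, evaluates only `permit ip` ACEs, and uses constructed excerpts of the posted configs as input; the pool name RA-pool and the "before" excerpt are made up to mirror what the first reply describes.

```python
"""Added example (not Cisco's code): lint a pasted ASA running-config (pre-8.3
NAT syntax) for the NAT-exemption and VPN-pool mistakes discussed above. It only
reads the config text; `packet-tracer` on the box remains the authority."""
import ipaddress
import re

NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (.+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)")
NAMEIF_RE = re.compile(r"^nameif (\S+)")
IPADDR_RE = re.compile(r"^ip address ([\d.]+) ([\d.]+)")


def _addr(toks):
    """Consume one ACE address spec from the token list: any | NET MASK."""
    t = toks.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{t}/{toks.pop(0)}", strict=False)


def parse_interfaces(lines):
    """nameif -> IPv4Interface for each interface with a static address.
    Works on a paste that lost its indentation: `nameif` and `ip address A.B.C.D
    MASK` only occur inside interface blocks, so no indentation is needed."""
    ifaces, name, addr = {}, None, None
    for line in lines + ["interface END"]:  # sentinel flushes the last block
        if line.startswith("interface "):
            if name and addr:
                ifaces[name] = addr
            name, addr = None, None
        elif m := NAMEIF_RE.match(line):
            name = m.group(1)
        elif m := IPADDR_RE.match(line):  # "ip address dhcp" does not match
            addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces


def parse_ip_aces(lines):
    """ACL name -> [(src_net, dst_net)] for its `permit ip` entries."""
    aces = {}
    for line in lines:
        if m := ACE_RE.match(line):
            toks = m.group(2).split()
            aces.setdefault(m.group(1), []).append((_addr(toks), _addr(toks)))
    return aces


def lint(cfg):
    """Return 'rule: detail' strings.  nat0-acl-undefined: nat 0 names an ACL the
    config never defines.  pool-overlaps-iface: a VPN pool lies inside an
    interface's own subnet.  pool-not-exempted: no nat 0 ACE has the pool as its
    destination, so inside-to-client traffic is not exempt from NAT."""
    lines = [l.strip() for l in cfg.splitlines()]
    ifaces, aces = parse_interfaces(lines), parse_ip_aces(lines)
    defined = {l.split()[1] for l in lines if l.startswith("access-list ")}
    nat0, findings = [], []
    for line in lines:
        if m := NAT0_RE.match(line):
            if m.group(2) not in defined:
                findings.append(f"nat0-acl-undefined: nat ({m.group(1)}) 0 references "
                                f"access-list {m.group(2)}, which is never defined")
            nat0 += aces.get(m.group(2), [])
    for line in lines:
        if m := POOL_RE.match(line):
            lo, hi = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
            for ifname, iface in ifaces.items():
                if lo in iface.network or hi in iface.network:
                    findings.append(f"pool-overlaps-iface: pool {m.group(1)} {lo}-{hi} "
                                    f"lies inside {ifname} subnet {iface.network}")
            if not any(lo in dst and hi in dst for _, dst in nat0):
                findings.append(f"pool-not-exempted: no nat 0 ACE has pool "
                                f"{m.group(1)} {lo}-{hi} as its destination")
    return findings


# Constructed excerpts, not full configs. REPLY_BEFORE mirrors what the first
# reply describes (undefined nat 0 ACL, pool in the inside subnet); REPLY_AFTER
# applies that reply's suggested ACL and pool. Pool name RA-pool is made up.
REPLY_BEFORE = """\
interface Vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
ip local pool RA-pool 192.168.1.200-192.168.1.210 mask 255.255.255.0
nat (inside) 0 access-list outside_nat0_outbound
"""
REPLY_AFTER = """\
interface Vlan1
nameif inside
ip address 192.168.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.255.0 255.255.255.0
ip local pool RA-pool 192.168.255.1-192.168.255.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
# Trimmed from the 7.2(4) config posted above: the pool is exempted by the /26
# ACE but overlaps the inside subnet, which the first reply advises against.
ASA_7_2 = """\
interface Vlan1
nameif inside
ip address 10.0.0.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
```

Run it with `print(lint(open("running-config.txt").read()))` against a saved `show running-config`. On the excerpts above it reports all three rules for REPLY_BEFORE, nothing for REPLY_AFTER, and only the pool/inside-subnet overlap for the 7.2(4) config, whose `any -> 10.0.0.192/26` ACE does cover the pool. Requires Python 3.8 or newer for the `:=` operator.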
