Cisco ASA 5505 L2TP VPN cannot access internal network
Hi,
I'm trying to configure Cisco L2TP VPN to my office. After successful connection I cannot access to internal network.
Can you jhelp me to find out the issue?
I have Cisco ASA:
inside network - 192.168.1.0
VPN network - 192.168.168.0
I have router 192.168.1.2 and I cannot ping or get access to this router.
Here is my config:
ASA Version 8.4(3)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 198.X.X.A 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network net-all
subnet 0.0.0.0 0.0.0.0
object network vpn_local
subnet 192.168.168.0 255.255.255.0
object network inside_nw
subnet 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool sales_addresses 192.168.168.1-192.168.168.254
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic net-all interface
nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
object network vpn_local
nat (outside,outside) dynamic interface
object network inside_nw
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
management-access inside
dhcpd address 192.168.1.5-192.168.1.132 inside
dhcpd dns 75.75.75.75 76.76.76.76 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy sales_policy internal
group-policy sales_policy attributes
dns-server value 75.75.75.75 76.76.76.76
vpn-tunnel-protocol l2tp-ipsec
username ----------
username ----------
tunnel-group DefaultRAGroup general-attributes
address-pool sales_addresses
default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
: end
Thanks for your help.
You have to test it with "real" traffic to 192.168.1.2 and if you use ping, you have to add icmp-inspection:
policy-map global_policy
class inspection_default
inspect icmp
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
Similar Messages
-
Cisco ASA 5505 Ipsec VPN and random connection dropping issues.
Hello,
We are currently having issues with a ASA 5505 Ipsec VPN. It was configured about 7-8 months ago and has been running very well..up until the last few weeks. For some reason, the VPN tends to randomly disconnect any user clients connected a lot. Furthermore, sometimes it actually connects; however does not put us on the local network for some reason and unable to browse file server. We have tried rebooting the ASA a few times and our ISP Time Warner informed us there are no signs of packet loss but still unable to pinpoint the problem. Sometimes users close out of VPN client completely, reopen several times and then it works. However it's never really consistent enough and hasn't been the last few weeks. No configuration changes have been made to ASA at all. Furthermore, the Cisco Ipsec VPN client version is: 5.0.70
Directly below is our current running config (modded for public). Any help or ideas would be greatly appreciated. Otherwise, if everything looks good...then I will defer back to our ISP Time Warner:
: Saved
ASA Version 8.4(2)
hostname domainasa
domain-name adomain.local
enable password cTfsR84pqF5Xohw. encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 205.101.1.240 255.255.255.248
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.2.60
domain-name adomain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network SBS_2011
host 192.168.2.60
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.192_
27
subnet 192.168.5.192 255.255.255.224
object network Https_Access
host 192.168.2.90
description Spam Hero
object-group network DM_INLINE_NETWORK_1
network-object object SPAM1
network-object object SPAM2
network-object object SPAM3
network-object object SPAM4
network-object object SPAM5
network-object object SPAM6
network-object object SPAM7
network-object object SPAM8
object-group service RDP tcp
description Microsoft RDP
port-object eq 3389
access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object SBS_2011 eq smtp
access-list outside_access_in extended permit tcp any object SBS_2011 eq https
access-list outside_access_in extended permit icmp any interface outside
access-list outside_access_in remark External RDP Access
access-list outside_access_in extended permit tcp any object SBS_2011 object-group RDP
access-list domain_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool test 192.168.10.1-192.168.10.5 mask 255.255.255.0
ip local pool VPN_Users 192.168.5.194-192.168.5.22
0 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.2.0_24
NETWORK_OBJ_192.168.2.0_24
destination static NETWORK_OBJ_192.168.5.192_
27 NETWORK_OBJ_192.168.5.192_
27 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
object network SBS_2011
nat (inside,outside) static interface service tcp smtp smtp
object network Https_Access
nat (inside,outside) static interface service tcp https https
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 205.101.1.239 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
rd DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.160-192.168.2.19
9 inside
dhcpd dns 192.168.2.60 24.29.99.36 interface inside
dhcpd wins 192.168.2.60 24.29.99.36 interface inside
dhcpd domain adomain interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy domain internal
group-policy domain attributes
wins-server value 192.168.2.60
dns-server value 192.168.2.60
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domain_splitTunnelAcl
default-domain value adomain.local
username ben password zWCAaitV3CB.GA87 encrypted privilege 0
username ben attributes
vpn-group-policy domain
username sdomain password FATqd4I1ZoqyQ/MN encrypted
username sdomain attributes
vpn-group-policy domain
username adomain password V5.hvhZU4S8NwGg/ encrypted
username adomain attributes
vpn-group-policy domain
service-type admin
username jdomain password uODal3Mlensb8d.t encrypted privilege 0
username jdomain attributes
vpn-group-policy domain
service-type admin
tunnel-group domain type remote-access
tunnel-group domain general-attributes
address-pool VPN_Users
default-group-policy domain
tunnel-group domain ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:e2466a5b754
eebcdb0cef
f051bef91d
9
: end
no asdm history enable
Thanks againHello Belnet,
What do the logs show from the ASA.
Can you post them ??
Any other question..Sure..Just remember to rate all of the community answers.
Julio -
Hi Everyone,
In my study home lab, I wanted to configure a cisco ASA 5505 ( Base license) to allow SSL VPN. I follow carefully the configuration procedure as instructed on a short videos I downloaded on youtube.
I configured my outside e0/0 with a valid static IP address, unfortunately the vpn connection is timeout on a remote ( different) internet connection. But if I connect to my own internet line using a WIFI the VPN ( AnyConnect SSL VPN client ) connection is established.
I need help to solve this mystery. Please find attached the ASA config: #show run
I hope my explaination does make sense, if not accept my apology I am just new in cisco technology.
Best regards,
BENIf you can connect with your own internet line, then most probably it's not an issue with the ASA configuration.
I would check how you are routing the ASA to the internet, and if there is any ACL that might be blocking inbound access to the ASA on the device in front of the ASA. -
Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN
Hi Guys,
I've been stuck with this for the last 2 days, and I thought to try and use Cisco's forum, I setup my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet,) I was no longer able to ping some devices, then as soon as I introduce a collapsed core/distribution switch, I'm also no longer able to ping the devices behind the Cisco 3750, I've attached a network diagram and the ASA running-config.
Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
For some odd reason, I am able to ping the following, with no issues.
Cisco 3750 SVI (192.168.1.3)
CentOS web server (connected directly to the Cisco ASA 5505)
I have checked and enable the following:
Nat Exemption
Sysopt connection permit-vpn
ACL's
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Added ICMP in the inspection policy
Packet-capture - Only getting echo requests.
Thanks in advance!Hi,
I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
object network acvpnpool
subnet <anyconnect VPN Subnet>
object network insidelan
subnet <inside lan subnet>
nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
Regards
Karthik -
Cisco ASA 5505 not able to access flash
Hi All:
I have searched and searched all over the net for an answer to this question and have decided to just post it. I have a 5505 that was given to me by my job to use for working on my CCNA Sec. cert and did the following:
I plugged it in and booted it up just fine. Made config changes as I followed along with the examples in my CCNA Security book. Got to the point in chapter 14 where the initial setup happens to configure it for working with ASDM. I never did a write mem on it and decided to take it back to square one by unplugging it to allow it to lose the changes that I made. This is where things got ugly.
When it booted back up it got stuck in a bootup loop and couldn't find an IOS. After following all kinds of steps to boot to rommon and tftp another IOS and such (several times) I decided to follow another posting that said that the flash could be corrupted and to just delete it and start anew. Did that and through rommon as it would not boot up normally any more. After trying this over and over for the last couple hours I realized that it would boot from tftp so I did that in hopes of fixing the flash issue.
I've tried deleting it, and re-initializing it and formating it. But the thing is that it no longer SEES the disk0: mount point. I've used two different flash cards...the one that came with it and the one that I already had. With the cover off I can see that there is no activity light next to the flash drive when I issue a delete or initialize or format command.
Here is a copy of some of the output file. Any help or suggestions are greatly appreciated.
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May 1 14:50:05 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Ethernet0/0
MAC Address: 0023.339e.2a91
Link is UP
Please set ADDRESS Variable.
Please set SERVER Variable.
Please set IMAGE Variable.
Launching BootLoader...
Default configuration file contains 1 entry.
Boot mode is 1. Default entry is 1.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Failsafe booting engaged.
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May 1 14:50:05 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Ethernet0/0
MAC Address: 0023.339e.2a91
Link is UP
Please set ADDRESS Variable.
Please set SERVER Variable.
Please set IMAGE Variable.
Launching BootLoader...
Default configuration file contains 1 entry.
Boot mode is 1. Default entry is 1.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Failsafe booting engaged.
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May 1 14:50:05 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Ethernet0/0
MAC Address: 0023.339e.2a91
Link is UP
Please set ADDRESS Variable.
Please set SERVER Variable.
Please set IMAGE Variable.
Launching BootLoader...
Default configuration file contains 1 entry.
Boot mode is 1. Default entry is 1.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Failsafe booting engaged.
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May 1 14:50:05 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Ethernet0/0
MAC Address: 0023.339e.2a91
Link is UP
Please set ADDRESS Variable.
Please set SERVER Variable.
Please set IMAGE Variable.
Launching BootLoader...
Default configuration file contains 1 entry.
Boot mode is 1. Default entry is 1.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Failsafe booting engaged.
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May 1 14:50:05 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Ethernet0/0
MAC Address: 0023.339e.2a91
Link is UP
Please set ADDRESS Variable.
Please set SERVER Variable.
Please set IMAGE Variable.
Launching BootLoader...
Default configuration file contains 1 entry.
Boot mode is 1. Default entry is 1.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Failsafe booting engaged.
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May 1 14:50:05 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Ethernet0/0
MAC Address: 0023.339e.2a91
Link is UP
Please set ADDRESS Variable.
Please set SERVER Variable.
Please set IMAGE Variable.
Launching BootLoader...
Default configuration file contains 1 entry.
Boot mode is 1. Default entry is 1.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
Failsafe booting engaged.
Default configuration file contains 1 entry.
Searching / for images to boot.
No images in /
Error 15: File not found
unable to boot an image
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)11 04/30/08 15:45:41.19
Low Memory: 632 KB
High Memory: 507 MB
PCI Device Table.
Bus Dev Func VendID DevID Class Irq
00 01 00 1022 2080 Host Bridge
00 01 02 1022 2082 Chipset En/Decrypt 11
00 0C 00 1148 4320 Ethernet 11
00 0D 00 177D 0003 Network En/Decrypt 10
00 0F 00 1022 2090 ISA Bridge
00 0F 02 1022 2092 IDE Controller
00 0F 03 1022 2093 Audio 10
00 0F 04 1022 2094 Serial Bus 9
00 0F 05 1022 2095 Serial Bus 9
Evaluating BIOS Options ...
Launch BIOS Extension to setup ROMMON
Cisco Systems ROMMON Version (1.0(12)11) #4: Thu May 1 14:50:05 PDT 2008
Platform ASA5505
Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.
Ethernet0/0
MAC Address: 0023.339e.2a91
Link is UP
Use ? for help.
rommon #0> format disk0:
Invalid or incorrect command. Use 'help' for help.
rommon #0> ADDRESS=10.10.10.110
rommon #1> GATEWAY=10.10.10.1
rommon #2> SERVER=10.10.10.98
rommon #3> IMAGE=asa914-k8.bin
rommon #4> tftp
ROMMON Variable Settings:
ADDRESS=10.10.10.110
SERVER=10.10.10.98
GATEWAY=10.10.10.1
PORT=Ethernet0/0
VLAN=untagged
IMAGE=asa914-k8.bin
CONFIG=
LINKTIMEOUT=20
PKTTIMEOUT=4
RETRY=20
tftp [email protected] via 10.10.10.1
Received 27076608 bytes
Launching TFTP Image...
Cisco Security Appliance admin loader (3.0) #0: Thu Dec 5 19:38:43 PST 2013
Platform ASA5505
Loading...
IO memory blocks requested from bigphys 32bit: 9956
Àdosfsck 2.11, 12 Mar 2005, FAT32, LFN
Currently, only 1 or 2 FATs are supported, not 42.
dosfsck(/dev/hda1) returned 1
mount: mounting /dev/hda1 on /mnt/disk0 failed: Invalid argument
mount: mounting /dev/hda1 on /mnt/disk0 failed: Invalid argument
Processor memory 343932928, Reserved memory: 62914560
Total SSMs found: 0
Total NICs found: 10
88E6095 rev 2 Gigabit Ethernet @ index 09 MAC: 0000.0003.0002
88E6095 rev 2 Ethernet @ index 08 MAC: 0023.339e.2a90
88E6095 rev 2 Ethernet @ index 07 MAC: 0023.339e.2a8f
88E6095 rev 2 Ethernet @ index 06 MAC: 0023.339e.2a8e
88E6095 rev 2 Ethernet @ index 05 MAC: 0023.339e.2a8d
88E6095 rev 2 Ethernet @ index 04 MAC: 0023.339e.2a8c
88E6095 rev 2 Ethernet @ index 03 MAC: 0023.339e.2a8b
88E6095 rev 2 Ethernet @ index 02 MAC: 0023.339e.2a8a
88E6095 rev 2 Ethernet @ index 01 MAC: 0023.339e.2a89
y88acs06 rev16 Gigabit Ethernet @ index 00 MAC: 0023.339e.2a91
INFO: Unable to read firewall mode from flash
Writing default firewall mode (single) to flash
INFO: Unable to read cluster interface-mode from flash
Writing default mode "None" to flash
Verify the activation-key, it might take a while...
Failed to retrieve permanent activation key.
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
The Running Activation Key is not valid, using default settings:
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2_05
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.09
Cisco Adaptive Security Appliance Software Version 9.1(4)
****************************** Warning *******************************
This product contains cryptographic features and is
subject to United States and local country laws
governing, import, export, transfer, and use.
Delivery of Cisco cryptographic products does not
imply third-party authority to import, export,
distribute, or use encryption. Importers, exporters,
distributors and users are responsible for compliance
with U.S. and local country laws. By using this
product you agree to comply with applicable laws and
regulations. If you are unable to comply with U.S.
and local laws, return the enclosed items immediately.
A summary of U.S. laws governing Cisco cryptographic
products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by
sending email to [email protected].
******************************* Warning *******************************
This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/)
Copyright (C) 1995-1998 Eric Young ([email protected])
All rights reserved.
Copyright (c) 1998-2011 The OpenSSL Project.
All rights reserved.
This product includes software developed at the University of
California, Irvine for use in the DAV Explorer project
(http://www.ics.uci.edu/~webdav/)
Copyright (c) 1999-2005 Regents of the University of California.
All rights reserved.
Busybox, version 1.16.1, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Busybox comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
DOSFSTOOLS, version 2.11, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307
675 Mass Ave, Cambridge, MA 02139
DOSFSTOOLS comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
grub, version 0.94, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307
grub comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
libgcc, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
libgcc comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenseSee User Manual (''Licensing'') for details.
libstdc++, version 4.3, Copyright (C) 2007 Free Software Foundation, Inc.
libstdc++ comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
Linux kernel, version 2.6.29.6, Copyright (C) 1989, 1991 Free Software
Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
Linux kernel comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
module-init-tools, version 3.10, Copyright (C) 1989, 1991 Free Software
Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
module-init-tools comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
numactl, version 2.0.3, Copyright (C) 2008 SGI.
Author: Andi Kleen, SUSE Labs
Version 2.0.0 by Cliff Wickman, Chritopher Lameter and Lee Schermerhorn
numactl comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
pciutils, version 3.1.4, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
pciutils comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
readline, version 5.2, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111 USA
readline comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
udev, version 146, Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
udev comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it under the General
Public License v.2 (http://www.gnu.org/licenses/gpl-2.0.html)
See User Manual (''Licensing'') for details.
Cisco Adapative Security Appliance Software, version 9.1,
Copyright (c) 1996-2013 by Cisco Systems, Inc.
Certain components of Cisco ASA Software, Version 9.1 are licensed under the GNU
Lesser Public License (LGPL) Version 2.1. The software code licensed under LGPL
Version 2.1 is free software that comes with ABSOLUTELY NO WARRANTY. You can
redistribute and/or modify such LGPL code under the terms of LGPL Version 2.1
(http://www.gnu.org/licenses/lgpl-2.1.html). See User Manual for licensing
details.
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Insufficient flash space available for this request:
Size info: request:32 free:0 delta:32
Could not initialize system files in flash.
config_fetcher: channel open failed
ERROR: MIGRATION - Could not get the startup configuration.
INFO: Power-On Self-Test in process.
INFO: Power-On Self-Test complete.
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_200804300128.log'
Pre-configure Firewall now through interactive prompts [yes]? n
Type help or '?' for a list of available commands.
ciscoasa> en
Password:
ciscoasa# format disk0:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "disk0:". Continue? [confirm]
Initializing partition - done!
Creating FAT16 filesystem
mkdosfs 2.11 (12 Mar 2005)
System tables written to disk
Format of disk0 complete
ciscoasa# format disk:
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa# format flash:
Format operation may take a while. Continue? [confirm]
Format operation will destroy all data in "flash:". Continue? [confirm]
Initializing partition - done!Yeah...I think I found that one out the hard way already. I'll cross that bridge when I get to it. I want to get this issue fixed before I start thinking about the license issue.
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# sh flash
--#-- --length-- -----date/time------ path
2403 0 Apr 30 2008 02:00:56 test
2285 196 Apr 30 2008 01:28:20 upgrade_startup_errors_200804300128.log
2283 0 Apr 30 2008 01:28:20 coredumpinfo
2284 59 Apr 30 2008 01:28:20 coredumpinfo/coredump.cfg
2280 0 Apr 30 2008 01:27:56 crypto_archive
2267 0 Apr 30 2008 01:27:38 log
0 bytes total (0 bytes free)
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# sh disk0
--#-- --length-- -----date/time------ path
2403 0 Apr 30 2008 02:00:56 test
2285 196 Apr 30 2008 01:28:20 upgrade_startup_errors_200804300128.log
2283 0 Apr 30 2008 01:28:20 coredumpinfo
2284 59 Apr 30 2008 01:28:20 coredumpinfo/coredump.cfg
2280 0 Apr 30 2008 01:27:56 crypto_archive
2267 0 Apr 30 2008 01:27:38 log
0 bytes total (0 bytes free)
ciscoasa# -
Hello all thanks for looking,
I need to know how to setup my cisco asa 5505 as a vpn client to services like HMA or privateinternet and other paid VPN services. If someone else has already written a guide to this then that would be great. What I want to do is route all my secure traffice through the asa and have it go across the internet as encrypted VPN stuff and have my other stuff that does not need to be encrypted just go through to my other router.
Thanks in advance,If your remote end of the services in question support IPsec IKEv1 as the VPN type then, yes - the 5505 can be a client for that service. At that point it looks like a regular LAN-LAN VPN which is documented in many Cisco and 3rd party how-to documents.
-
CIsco ASA 5505 and VPN licenses
Hi,
Cisco ASA 5505 comes with 10 VPN licenses in a standard configuration.
How those licenses are counted? Will I need a license per one IPSec SA?
If I have two site connected with LAN-to-LAN VPN with 10 subnets at one site, how many licenses will be taken? 10 - one per IPSec SA or just 1 - one per point-to-point VPN?
Thank you.
Regards,
AlexAlex,
In an ASA 5505, it should say something like this...when you do sh ver.
VPN Peers : 25
It means that you can have so many peers connecting to the ASA. Its not per IPSec SA.
Its a per tunnel license.
Rate this, if it helps!
Gilbert -
Cisco ASA 5505 L2TP Pass through
I am having trouble with L2TP pass through on an ASA 5505 device.
L2TP server: OSX 10.6
I can connect with any OSX system and it works fine straight away.
When connecting with a windows computer I get a 789 error. "Error 789: The L2TP connection attempt failed because the security layer encountere a processing error during the initial negotiations with the remote computer."
I did not setup or configure the device to start with and apart from this issue its working fine so I am hessitant at trying to just mess around too much to try and find the problem.
I am using the ASDM 6.4 to manage the device.
Ports look to be forwarded correctly; 1701, 4500 & 500 UDP.
Im just looking for other common issues?
RobBelow is the commands you wanted.
Where you see: IPNOTWHATIWASEXPECTING
This is an IP I dont know. possible and old IP address.
and
default-domain value domain-notcorrect.local
This is an old domain from years ago.
Result of the command: "show run crypto"
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set aes-192-sha esp-aes-192 esp-sha-hmac
crypto ipsec transform-set aes-256-sha esp-aes-256 esp-sha-hmac
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map map-dynamic 1 set pfs group5
crypto dynamic-map map-dynamic 1 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
crypto dynamic-map map-dynamic 2 set pfs
crypto dynamic-map map-dynamic 2 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
crypto dynamic-map map-dynamic 3 set pfs
crypto dynamic-map map-dynamic 3 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
crypto dynamic-map map-dynamic 4 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer IPNOTWHATIWASEXPECTING3
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 2 match address acl-amzn
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer IPNOTWHATIWASEXPECTING IPNOTWHATIWASEXPECTING
crypto map outside_map 2 set transform-set transform-amzn
crypto map outside_map 255 ipsec-isakmp dynamic map-dynamic
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption aes-192
hash sha
group 5
lifetime 86400
crypto isakmp policy 12
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 13
authentication pre-share
encryption aes-192
hash sha
group 1
lifetime 86400
crypto isakmp policy 21
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 22
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 23
authentication pre-share
encryption aes
hash sha
group 1
lifetime 86400
crypto isakmp policy 31
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 32
authentication rsa-sig
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 33
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 34
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Result of the command: "show run group-policy"
group-policy evertest internal
group-policy evertest attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
vpn-tunnel-protocol IPSec l2tp-ipsec
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy petero internal
group-policy petero attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy awsfilter internal
group-policy awsfilter attributes
vpn-filter value amzn-filter
group-policy vpnpptp internal
group-policy vpnpptp attributes
dns-server value 10.100.25.252
vpn-tunnel-protocol l2tp-ipsec
group-policy vanheelm internal
group-policy vanheelm attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
vpn-tunnel-protocol IPSec l2tp-ipsec
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy ciscoVPNuser internal
group-policy ciscoVPNuser attributes
dns-server value 10.100.25.10
vpn-idle-timeout 720
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy chauhanv2 internal
group-policy chauhanv2 attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy oterop internal
group-policy oterop attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
vpn-tunnel-protocol IPSec l2tp-ipsec
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
group-policy Oterop internal
group-policy Oterop attributes
dns-server value 10.100.25.252
vpn-idle-timeout 30
group-policy chauhanv internal
group-policy chauhanv attributes
dns-server value 10.100.25.252
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy bnixon2 internal
group-policy bnixon2 attributes
dns-server value 10.100.25.252
vpn-idle-timeout 720
vpn-tunnel-protocol IPSec l2tp-ipsec
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpnsplittunnel
default-domain value domain-notcorrect.local
Result of the command: "show run tunnel-group"
tunnel-group ciscoVPNuser type remote-access
tunnel-group ciscoVPNuser general-attributes
address-pool vpnippool
default-group-policy ciscoVPNuser
tunnel-group ciscoVPNuser ipsec-attributes
pre-shared-key *****
tunnel-group petero type remote-access
tunnel-group petero general-attributes
address-pool vpnippool
default-group-policy petero
tunnel-group petero ipsec-attributes
pre-shared-key *****
tunnel-group oterop type remote-access
tunnel-group oterop general-attributes
address-pool vpnippool
default-group-policy oterop
tunnel-group oterop ipsec-attributes
pre-shared-key *****
tunnel-group vanheelm type remote-access
tunnel-group vanheelm general-attributes
address-pool vpnippool
default-group-policy vanheelm
tunnel-group vanheelm ipsec-attributes
pre-shared-key *****
tunnel-group chauhanv type remote-access
tunnel-group chauhanv general-attributes
default-group-policy chauhanv
tunnel-group Oterop type remote-access
tunnel-group Oterop general-attributes
default-group-policy Oterop
tunnel-group chauhanv2 type remote-access
tunnel-group chauhanv2 general-attributes
address-pool vpnippool
default-group-policy chauhanv2
tunnel-group chauhanv2 ipsec-attributes
pre-shared-key *****
tunnel-group bnixon2 type remote-access
tunnel-group bnixon2 general-attributes
address-pool vpnippool
default-group-policy bnixon2
tunnel-group bnixon2 ipsec-attributes
pre-shared-key *****
tunnel-group vpnpptp type remote-access
tunnel-group vpnpptp general-attributes
address-pool vpnippool
default-group-policy vpnpptp
tunnel-group IPNOTWHATIWASEXPECTING4 type ipsec-l2l
tunnel-group IPNOTWHATIWASEXPECTING4 ipsec-attributes
pre-shared-key *****
tunnel-group evertest type remote-access
tunnel-group evertest general-attributes
address-pool vpnippool
default-group-policy evertest
tunnel-group evertest ipsec-attributes
pre-shared-key *****
tunnel-group evertest ppp-attributes
authentication ms-chap-v2
tunnel-group IPNOTWHATIWASEXPECTING3 type ipsec-l2l
tunnel-group IPNOTWHATIWASEXPECTING3 ipsec-attributes
pre-shared-key *****
tunnel-group IPNOTWHATIWASEXPECTING2 type ipsec-l2l
tunnel-group IPNOTWHATIWASEXPECTING2 general-attributes
default-group-policy awsfilter
tunnel-group IPNOTWHATIWASEXPECTING2 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 3
tunnel-group IPNOTWHATIWASEXPECTING type ipsec-l2l
tunnel-group IPNOTWHATIWASEXPECTING general-attributes
default-group-policy awsfilter
tunnel-group IPNOTWHATIWASEXPECTING ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 3
Result of the command: "show vpn-sessiondb detail remote filter protocol L2TPOverIPsec"
INFO: There are presently no active sessions of the type specified
Result of the command: "show vpn-sessiondb detail remote filter protocol L2TPOverIPsecOverNAT"
INFO: There are presently no active sessions of the type specified -
Vpn client can access internet but cannot access internal network
I am using PIX 501 to setup a VPN. At first the VPN client cannot access the internet once they logged in via the Cisco system vpn client, so i enable split tunneling. Now the VPN client can access the internet but they can't access the internal network.Due to the limited characters can be posted here, only necessary IOS coding is posted on the next message. Who knows how to solve this problem? Pls Help.....
enable password ********** encrypted
passwd ********** encrypted
hostname Firewall
domain-name aqswdefrgt.com.sg
access-list 100 permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list nat permit tcp any host 65.165.123.142 eq smtp
access-list nat permit tcp any host 65.165.123.142 eq pop3
access-list nat permit tcp any host 65.165.123.143 eq smtp
access-list nat permit tcp any host 65.165.123.143 eq pop3
access-list nat permit tcp any host 65.165.123.143 eq www
access-list nat permit tcp any host 65.165.123.152 eq smtp
access-list nat permit tcp any host 65.165.123.152 eq pop3
access-list nat permit tcp any host 65.165.123.152 eq www
access-list nat permit tcp any host 65.165.123.143 eq https
access-list nat permit icmp any any
ip address outside 65.165.123.4 255.255.255.240
ip address inside 192.168.1.2 255.255.255.0
ip verify reverse-path interface outside
ip local pool clientpool 192.168.50.1-192.168.50.50
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 65.165.123.142 smtp 192.168.1.56 smtp netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.142 pop3 192.168.1.56 pop3 netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.143 smtp 192.168.1.55 smtp netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.143 pop3 192.168.1.55 pop3 netmask 255.255.2
55.255 0 0
static (inside,outside) tcp 65.165.123.143 www 192.168.1.55 www netmask 255.255.255
.255 0 0
static (inside,outside) tcp 65.165.123.152 smtp 192.168.1.76 smtp netmask 255.255.
255.255 0 0
static (inside,outside) tcp 65.165.123.152 pop3 192.168.1.76 pop3 netmask 255.255.
255.255 0 0
static (inside,outside) tcp 65.165.123.152 www 192.168.1.76 www netmask 255.255.25
5.255 0 0
static (inside,outside) tcp 65.165.123.143 https 192.168.1.55 https netmask 255.255
.255.255 0 0
access-group nat in interface outside
route outside 0.0.0.0 0.0.0.0 65.165.123.1 1
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server plexus protocol radius
aaa-server plexus (inside) host 192.168.1.55 ******** timeout 5
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map client authentication plexus
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
vpngroup vpn3000 address-pool clientpool
vpngroup vpn3000 dns-server 192.168.1.55
vpngroup vpn3000 wins-server 192.168.1.55
vpngroup vpn3000 default-domain aqswdefrgt.com.sg
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80 -
ASA 5505 Static hosts cannot access outside
I'm replacing an old PIX with a second hand ASA firewall.
I have configured the ASA in a very similar manner to how the PIX was set up but I'm having trouble with some hosts on the inside accessing the Internet. Any inside hosts which use DHCP work fine. Any inside hosts with a static IP (and configured on the ASA with a "static" rule) cannot access the Internet. For example, in the config below the server daviker-dialler cannot access the Internet.
I've spent a few days working on this now and have started from scratch several times but I'm not getting anywhere.
Apologies for all the X's everywhere, didn't like to post anything sensitive on the Internet. If I've obscured something pertinent let me know.
Any advice would be greatly appreciated! Thanks.
: Saved
ASA Version 7.2(3)
hostname fw-1
domain-name XXXX
enable password XXXX encrypted
names
name 92.X.X.61 bb-office
name 92.X.X.128 gl-office
name 10.0.0.117 daviker-dialler_in
name 77.X.X.117 daviker-dialler_out
name 10.0.0.112 data-2_in
name 77.X.X.112 data-2_out
name 10.0.0.81 corp-1_in
name 77.X.X.81 corp-1_out
name 10.0.0.111 data-1_in
name 77.X.X.210 user_75
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 77.X.X.66 255.255.255.192
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
passwd XXXX encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name XXXX
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 5900
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 4040
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 9876
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq sip
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq www
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq https
access-list inbound extended permit udp host bb-office host daviker-dialler_out eq sip
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 1433
access-list inbound extended permit udp host bb-office host daviker-dialler_out eq netbios-ns
access-list inbound extended permit udp host bb-office host daviker-dialler_out eq netbios-dgm
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq netbios-ssn
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 445
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 4040
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 9876
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq sip
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq www
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq https
access-list inbound extended permit udp host gl-office host daviker-dialler_out eq sip
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 1433
access-list inbound extended permit udp host gl-office host daviker-dialler_out eq netbios-ns
access-list inbound extended permit udp host gl-office host daviker-dialler_out eq netbios-dgm
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq netbios-ssn
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 445
access-list inbound extended permit tcp host gl-office host daviker-dialler_out eq 5900
access-list inbound extended permit tcp any host data-2_out eq ssh
access-list inbound extended permit tcp any host corp-1_out eq ssh
access-list inbound extended permit tcp any host corp-1_out eq www
access-list inbound extended permit tcp any host corp-1_out eq pop3
access-list inbound extended permit tcp any host corp-1_out eq imap4
access-list inbound extended permit tcp any host corp-1_out eq smtp
access-list inbound extended permit tcp any host corp-1_out eq 995
access-list inbound extended permit tcp any host corp-1_out eq 465
access-list inbound extended permit tcp any host corp-1_out eq 993
access-list inbound extended permit tcp any host corp-1_out eq 8008
access-list inbound extended permit udp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq netbios-ns
access-list inbound extended permit udp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq netbios-dgm
access-list inbound extended permit tcp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq netbios-ssn
access-list inbound extended permit tcp 77.X.X.64 255.255.255.192 host 77.X.X.113 eq 445
access-list inbound extended permit udp any host 77.X.X.113 eq netbios-ns
access-list inbound extended permit udp any host 77.X.X.113 eq netbios-dgm
access-list inbound extended permit tcp any host 77.X.X.113 eq netbios-ssn
access-list inbound extended permit tcp any host 77.X.X.113 eq 445
access-list inbound extended permit tcp host bb-office host data-2_out eq 5901
access-list inbound extended permit tcp host bb-office host data-2_out eq 3690
access-list inbound extended permit tcp host bb-office host data-2_out eq www
access-list inbound extended permit tcp host bb-office host daviker-dialler_out eq 3389
access-list inbound extended permit tcp host 2.X.X.18 host data-2_out eq 3306
access-list inbound extended permit tcp any host data-2_out eq 3306
access-list inbound extended permit tcp host 212.X.X.7 host daviker-dialler_out eq 5900
access-list inbound extended permit tcp host bb-office host data-2_out eq 3306
access-list inbound extended permit tcp host user_75 host daviker-dialler_out eq 1433
access-list inbound extended permit tcp host user_75 host daviker-dialler_out eq 5900
access-list inbound extended permit tcp host user_75 host data-2_out eq 3690
access-list inbound extended permit tcp host user_75 host data-2_out eq www
access-list inbound extended permit tcp host user_75 host data-2_out eq 3306
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) daviker-dialler_out daviker-dialler_in netmask 255.255.255.255
static (inside,outside) corp-1_out corp-1_in netmask 255.255.255.255
static (inside,outside) data-2_out data-2_in netmask 255.255.255.255
static (inside,outside) 77.X.X.113 data-1_in netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 77.X.X.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 77.X.X.91 8.8.8.8
dhcpd domain cagltd.net
dhcpd auto_config outside
dhcpd address 10.0.0.20-10.0.0.40 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
username matt password XXXX encrypted
prompt hostname context
Cryptochecksum:00af76f23831b8c828fc6677c9069072
: endHi Jouni,
Thanks for the info.
I didn't have icmp traffic allowed, so I knew ping wouldn't be working. I was testing using http.
I have enabled icmp and dhcp clients can ping outside. Static nat clients can't ping outside. Static clients also cannot use outbound http.
As suggested, I have run some packet traces.
From a static nat client on the ASA:
fw-1# packet-tracer input inside tcp 10.0.0.81 80 173.203.209.67 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) corp-1_out corp-1_in netmask 255.255.255.255
match ip inside host corp-1_in outside any
static translation to corp-1_out
translate_hits = 668, untranslate_hits = 2
Additional Information:
Static translate corp-1_in/0 to corp-1_out/0 using netmask 255.255.255.255
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) corp-1_out corp-1_in netmask 255.255.255.255
match ip inside host corp-1_in outside any
static translation to corp-1_out
translate_hits = 668, untranslate_hits = 2
Additional Information:
Phase: 7
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1759, packet dispatched to next module
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 77.X.X.65 using egress ifc outside
adjacency Active
next-hop mac address 0017.0f13.5000 hits 1
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
This looks fine to me, but as I say, an outbound tcp port 80 connection from the actual machine on 10.0.0.81 fails.
Here is a similar trace from a dhcp client to the same destination:
fw-1# packet-tracer input inside tcp 10.0.0.20 80 173.203.209.67 80
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (77.74.111.66 [Interface PAT])
translate_hits = 990, untranslate_hits = 226
Additional Information:
Dynamic translate 10.0.0.20/80 to 77.74.111.66/1 using netmask 255.255.255.255
Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1771, packet dispatched to next module
Phase: 9
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 77.X.X.65 using egress ifc outside
adjacency Active
next-hop mac address 0017.0f13.5000 hits 5
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
I can see the difference in the NAT translation section. A real outbound tcp port 80 connection from the actual machine on 10.0.0.20 works fine.
Finally, for the sake of comparison, I ran a similar packet trace using a static nat IP on the old PIX firewall:
old-fw-1# packet-tracer input inside tcp 10.0.0.117 80 173.203.209.67 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) daviker-dialler_out daviker-dialler_in netmask 255.255.255.255
nat-control
match ip inside host daviker-dialler_in outside any
static translation to daviker-dialler_out
translate_hits = 17132, untranslate_hits = 1277850
Additional Information:
Static translate daviker-dialler_in/0 to daviker-dialler_out/0 using netmask 255.255.255.255
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) daviker-dialler_out daviker-dialler_in netmask 255.255.255.255
nat-control
match ip inside host daviker-dialler_in outside any
static translation to daviker-dialler_out
translate_hits = 17132, untranslate_hits = 1277850
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1006075, packet dispatched to next module
Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 78.X.X.69 using egress ifc outside
adjacency Active
next-hop mac address 0017.0f13.5000 hits 572133
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Outbound traffic from static nat hosts on the old PIX firewall works fine. One glaring difference is that the PIX is inspecting http traffic, but surely this is a red herring. Another difference is that the old and new firewalls have different gateways / default routes & different outside IP addresses. As the new ASA firewall (and its dhcp hosts) can talk to the outside world quite happily I don't think this is relevant.
I wondered whether it might be down to the difference in the inside (255.255.255.0) and outside (255.255.255.192) subnets. The set up is the same on the PIX, but I wondered whether some other line of config might be required on the ASA to handle it. I adjusted the subnet of the inside interface on the ASA to match the outside one (both 255.255.255.192) but it didn't make any difference.
So I'm puzzled! -
Cannot access internal network after Tiger upgrade
I've just upgraded an eMac (1.25GHz, 768MB) from 10.3.9 to 10.4.6. Although I can get online, access Mail and all applications, I cannot access the internal network at all.
I've updated to 10.4.9, but still no luck. I've restarted, logged in as a different user, logged out and in again, removed the 'com.apple.networkconfig.plist' file from the 'Library/Preferences' folder, but still doesn't work.
I can see all the aliases to the other machines on the network in the sidebar, but clicking on them brings up a message "The alias xxxx could not be opened, because the original alias could not be found.".
Other machines can see this on on the network. File Sharing is turned on.
Any thoughts, I'm tearing my hair out a bit!
Powerbook G4 Mac OS X (10.4.8)no good, is an afpmounter error, i solved it with an
Archive and Install
http://docs.info.apple.com/article.html?artnum=107120-en
maybe someone have a solution..
i think is an error during the update (i had the same from panther to tiger)
with A&I and half-hour, your machine work perfectly. -
Cisco ASA 5505 - 1st VPN works, 2nd VPN can't get traffic across
This is my first Cisco configuration ever so go easy on me. A lot of the commands that I used here I don't really understand. I got them from Googling configs. I have the need for more than one VPN on this thing, and I've been fighting with this thing for hours today without any luck.
The first VPN I setup, labeled vpn1 here works perfectly. I connect via the public IP on the DSL and I can get traffic to my 192.168.1.0/24 network without any problems.
I pretty much duplicated the configuration for the 2nd VPN, just replacing my 192.168.1.0/24 subnet w/ the network connected to a third interface on the ASA (10.4.0.0 255.255.240.0). I successfully make connection to this VPN, but I cannot get traffic to traverse the VPN. I'm using the address 10.4.0.1 to test pings. The ASA itself can ping 10.4.0.1 as that interface of the ASA has 10.4.13.10 255.255.240.0, which is the same subnet (range is 10.4.0.0 - 10.4.15.255).
Here is my config (edited for names and passwords)
ciscoasa# show run
: Saved
ASA Version 8.2(5)
hostname ciscoasa
enable password ********** encrypted
passwd ********** encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISP_DSL
ip address pppoe setroute
interface Vlan3
no forward interface Vlan1
nameif private
security-level 100
ip address 10.4.13.10 255.255.240.0
ftp mode passive
access-list 100 extended permit icmp any any
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 10.4.0.0 255.255.240.0 192.168.3.0 255.255.255.0
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 192.168.1.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 10.4.0.0 255.255.240.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1492
mtu private 1500
ip local pool vpn1pool 192.168.2.100-192.168.2.110
ip local pool vpn2pool 192.168.3.100-192.168.3.110
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (private) 0 access-list nonat
access-group 100 in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 30 set transform-set strong-des
crypto map vpn1 65535 ipsec-isakmp dynamic dynmap
crypto map vpn1 interface outside
crypto map vpn2 65535 ipsec-isakmp dynamic dynmap
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
vpdn group ISP_DSL request dialout pppoe
vpdn group ISP_DSL localname [email protected]
vpdn group ISP_DSL ppp authentication chap
vpdn username [email protected] password **********
dhcp-client update dns
dhcpd auto_config outside
dhcpd address 192.168.1.100-192.168.1.200 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn2 internal
group-policy vpn2 attributes
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
group-policy vpn1 internal
group-policy vpn1 attributes
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
username cssadmin password ********** encrypted
username vpn2user password ********** encrypted
username vpn1user password ********** encrypted
tunnel-group vpn1-VPN type remote-access
tunnel-group vpn1-VPN general-attributes
address-pool vpn1pool
default-group-policy vpn1
tunnel-group vpn1-VPN ipsec-attributes
pre-shared-key **********
tunnel-group vpn2-VPN type remote-access
tunnel-group vpn2-VPN general-attributes
address-pool vpn2pool
default-group-policy vpn2
tunnel-group vpn2-VPN ipsec-attributes
pre-shared-key *****
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f5137c68c4b4a832c9dff8db808004ae
: end
Theories: after fighting with it for a while and having another guy in my office look at it, we decided that the problem is probably that even though the pings are probably reaching 10.4.0.1, they have no route back to my VPN subnet 192.168.3.0/24. I contacted the admins of the 10.4.0.0 network and asked if they could add a route to 192.168.3.0/24 via 10.4.13.10, but he said there is no router of default gateway on the network to even configure.
So, what do I do? Maybe NAT the VPN traffic? If that is the correct answer, what lines would I put/change in the config to NAT that traffic.
I'm assuming the reason the 1st VPN works is because the ASA is the default gateway for the inside 192.168.1.0/24 network.
Thanks in advance for any insight you can provide.Hello Belnet,
What do the logs show from the ASA.
Can you post them ??
Any other question..Sure..Just remember to rate all of the community answers.
Julio -
Cisco ASA 5505 L2L VPN Tunnel with one Dynamic IP
Hi Rizwan,
Thanks for your response. I updated the configuration per your response below... It still doesn't work. please see my new config files below. Please help. Thanks in advance for your help....
Hi Pinesh,
Please make follow changes on host: officeasa
remove this line below highlighted.
crypto dynamic-map L2LMap 1 match address Crypto_L2L
It is only because group1 is weak, so please change it to group2
crypto dynamic-map L2LMap 1 set pfs group1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117
Please make follow changes on host: homeasa
It is only because group1 is weak, so please change it to group2
crypto map L2Lmap 1 set pfs group1
route outside 10.10.5.0 255.255.255.0 xxx.xxx.xxx.xxx default gateway on homeasa.
Hope that helps, if not please open a new thread.
Thanks
Rizwan Rafeek
New config files..
Site-A: (Office):
Hostname: asaoffice
Inside: 10.10.5.0/254
Outside e0/0: Static IP 96.xxx.xxx.118/30
Site-B: (Home):
Hostname: asahome
Inside: 10.10.6.0/254
Outside e0/0: Dynamic IP (DG: 66.xxx.xxx.1)
SIte-A:
officeasa(config)# sh config
: Saved
: Written by enable_15 at 15:34:23.899 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname officeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address 96.xxx.xxx.118 255.255.255.252
interface Vlan3
nameif inside
security-level 100
ip address 10.10.5.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 192.168.100.0 255.2
access-list NONAT extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255.255.2
access-list ormtST standard permit 10.10.5.0 255.255.255.0
access-list OCrypto_L2L extended permit ip 10.10.5.0 255.255.255.0 10.10.6.0 255
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool ormtIPP 192.168.100.100-192.168.100.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 96.xxx.xxx.117 1
route outside 10.10.6.0 255.255.255.0 96.xxx.xxx.117 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set OSite2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map OL2LMap 1 set pfs
crypto dynamic-map OL2LMap 1 set transform-set OSite2Site
crypto dynamic-map OL2LMap 1 set reverse-route
crypto map out_L2lMap 65535 ipsec-isakmp dynamic OL2LMap
crypto map out_L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.5.101-10.10.5.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy ormtGP internal
group-policy ormtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ormtST
address-pools value ormtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type remote-access
tunnel-group ormtProfile type remote-access
tunnel-group ormtProfile general-attributes
default-group-policy ormtGP
tunnel-group ormtProfile webvpn-attributes
group-alias OFFICE enable
tunnel-group defaultL2LGroup type ipsec-l2l
tunnel-group defaultL2LGroup ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:46d5c2e1ac91d73293f2fb1a0045180c
officeasa(config)#
Site-B:
Home ASA Configuration:
homeasa# sh config
: Saved
: Written by enable_15 at 15:48:42.479 UTC Sat Mar 3 2012
ASA Version 8.2(5)
hostname homeasa
enable password xyz encrypted
passwd xyz encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
switchport access vlan 3
interface Ethernet0/4
switchport access vlan 3
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
switchport access vlan 3
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan3
nameif inside
security-level 100
ip address 10.10.6.254 255.255.255.0
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list NONAT extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list hrmtST standard permit 10.10.6.0 255.255.255.0
access-list Crypto_L2L extended permit ip 10.10.6.0 255.255.255.0 10.10.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool hrmtIPP 192.168.101.100-192.168.101.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 10.10.5.0 255.255.255.0 66.xxx.xxx.1 1 (IP address of the Dynamic IP from ISP)
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.6.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map L2Lmap 1 match address Crypto_L2L
crypto map L2Lmap 1 set peer 96.xxx.xxx.118
crypto map L2Lmap 1 set transform-set Site2Site
crypto map L2LMap 1 set pfs
crypto map L2LMap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.10.6.101-10.10.6.132 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy hrmtGP internal
group-policy hrmtGP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value hrmtST
address-pools value hrmtIPP
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default svc timeout 20
username user1 password abcxyz encrypted
username user1 attributes
service-type admin
tunnel-group hrmtProfile type remote-access
tunnel-group hrmtProfile general-attributes
default-group-policy hrmtGP
tunnel-group hrmtProfile webvpn-attributes
group-alias hrmtCGA enable
tunnel-group 96.xxx.xxx.118 type ipsec-l2l
tunnel-group 96.xxx.xxx.118 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d16a0d49f275612dff7e404f49bcc499
homeasa#Thanks Rizwan,
Still no luck. I can't even ping the otherside (office).. I am not sure if i'm running the debug rightway. Here are my results...
homeasa(config)# ping inside 10.10.5.254............. (Office CIsco ASA5505 IP on local side. I also tried pinging the server on other side (office) whic is @10.10.5.10 and got the same result)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.5.254, timeout is 2 seconds:
Success rate is 0
homeasa(config)# debug crypto isakmp 7
homeasa(config)# debug crypto ipsec 7
homeasa(config)# sho crypto isakmp 7
^
ERROR: % Invalid input detected at '^' marker.
homeasa(config)# sho crypto isakmp
There are no isakmp sas
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Global IPSec over TCP Statistics
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
hjnavasa(config)# sh crypto ipsec sa peer 96.xxx.xxx.118
There are no ipsec sas
homeasa(config)# -
Asa 5505 Remote VPN Can't access with my local network
Hello Guys ,, i have a problem with my asa 5505 Remote VPN Connection with local network access , the VPn is working fine and connected , but the problem is i can't reach my inside network connection of 192.168.30.x , here is my configuration , please can you help me
ASA Version 8.2(1)
interface Vlan1
nameif inside
security-level 100
ip address 192.168.30.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 155.155.155.10 255.255.255.0
interface Vlan5
no nameif
no security-level
no ip address
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.240
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-Pool 192.168.100.1-192.168.100.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy mull internal
group-policy mull attributes
vpn-tunnel-protocol IPSec
username xxx password eKJj9owsQwAIk6Cw encrypted privilege 0
vpn-group-policy Mull
tunnel-group mull type remote-access
tunnel-group mull general-attributes
address-pool vpn-Pool
default-group-policy mull
tunnel-group mull ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname contextHey Jennifer i did every thing you mention it , but still i can't reach my inside network (LOCAL network) iam using Shrew Soft VPN Access Manager for my vpn connection
here is my cry ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 155.155.155.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
current_peer:155.155.155.1, username: Thomas
dynamic allocated peer ip: 192.168.100.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 155.155.155.1/4500, remote crypto endpt.: 155.155.155.20/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 73FFAB96
inbound esp sas:
spi: 0x1B5FFBF1 (459275249)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 2894
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x73FFAB96 (1946135446)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 12288, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 2873
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001 -
Unable to access/lan2lan ping from VPN Fortigate to Cisco ASA 5505
Problem : Unable to access user A to user B
User A --- router A (122, fortigate 80c) --- (Site to Site VPN between fortigate & cisco asa) --- router B (93, cisco Asa 5505{in front asa got cisco800[81] before to internet} ) --- User B
After using wizard to configure the cisco ASA site to site VPN, the site-to-site tunnel is up.
Ping is unsuccessful from user A to user B
Ping is successful from user B to user A, data is accessable
After done the packet tracer from user A to user B,
Result :
Flow-lookup
Action : allow
Info: Found no matching flow, creating a new flow
Route-lookup
Action : allow
Info : 192.168.5.203 255.255.255.255 identity
Access-list
Action : drop
Config Implicit Rule
Result - The packet is dropped
Input Interface : inside
Output Interface : NP Identify Ifc
Info: (acl-drop)flow is denied by configured rule
Below is Cisco ASA 5505's show running-config
ASA Version 8.2(1)
hostname Asite
domain-name ssms1.com
enable password ZZZZ encrypted
passwd WWWW encrypted
names
name 82 B-firewall description Singapore office firewall
name 192.168.1.0 B-inside-subnet description Singapore office internal LAN IP
name 192.168.200.0 A-inside-VLAN12 description A-inside-VLAN12 (fortinet)
name 192.168.2.0 fw-inside-subnet description A office internal LAN IP
name 122 A-forti
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.203 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 93 255.255.255.240
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name ssms1.com
object-group network obj_any
network-object 0.0.0.0 0.0.0.0
access-list inside_nat0_outbound extended permit ip any 80 255.255.255.240
access-list inside_nat0_outbound extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
access-list outside_cryptomap extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
access-list Outside_nat-inbound extended permit ip A-inside-VLAN12 255.255.255.0 192.168.5.0 255.255.255.0
access-list Outside_nat-inbound extended permit ip host A-forti 192.168.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http B-inside-subnet 255.255.255.0 inside
http fw-inside-subnet 255.255.255.0 inside
http 0.0.0.0 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer A-forti
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer B-firewall
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-192
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.5.10-192.168.5.20 inside
dhcpd dns 165 165 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username admin password XXX encrypted privilege 15
tunnel-group 122 type ipsec-l2l
tunnel-group 122 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map outside-policy
description ok
class outside-class
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect icmp error
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context
Cryptochecksum: XXX
: end
Kindly need your expertise&help to solve the problemany1 can help me ?
Maybe you are looking for
-
Cannot resolve " home directory is full" issue with mail
I've read all of the posts and tried to resolve it by doing what was instructed. I copied my mail folder, moved the envelope index file to my destop and when I start mail, it imports everything, lets me click "done" and then hangs. I had a mac accoun
-
Lync Mobile client signs out - Error- IIS reset on Front End - WAS Errors
I have a very limited understanding of Lync dependency's & how to trace the issue I'm now seeing. Would appreciate any direction or information to assist. We have Primary & Secondary Pools - both pools seem to be effected at different times. The Mobi
-
HELP! Cant view my photos on publish site...
Having created my website in iweb, I have added a photo gallery, once the site is 'published' no one can view the photos on the big wide web, have deleted page and re-designed, re-added, but no joy, can anyone help and advise? I'm at a complete blank
-
[Solved] Python: Creating AUR package, binary can't find python module
I'm building a PKGBUILD for PyLotRO for the AUR and I'm using a Debian package. I tried just copying the content of the data.tar.gz to the filesystem assuming the directory structure is the same for the packages but apparently it is not. At least I
-
Hi iHave a adobe form in which i need to place a * URL* as soon as user clicks on that url he should be navigated to that link, can u tell which *UI i should palce in adobe form so that when user click on it he should go to that site(for example tak