One router on ASA 5505 Site to Site VPN can't ping other router
I have two Cisco ASA routers and I have a site to site vpn set up between the two. The VPN link works but Site A can't ping anything on Site B. Site B can ping Site A. Site B can ping other pcs on it's own network. Site A has been in place for a while and has other site to site VPNs that work fine, so I think the problem is with Site B. Here is the config for Site B:
Result of the command: "show running-config"
: Saved
ASA Version 8.4(4)1
hostname SaskASA
enable password POgOWyKyb0jgJ1Hm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.16.1 255.255.254.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.16.0_23
subnet 192.168.16.0 255.255.254.0
object network NETWORK_OBJ_192.168.2.0_23
subnet 192.168.2.0 255.255.254.0
access-list outside_cryptomap extended permit ip 192.168.16.0 255.255.254.0 192.168.2.0 255.255.254.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.16.0_23 NETWORK_OBJ_192.168.16.0_23 destination static NETWORK_OBJ_192.168.2.0_23 NETWORK_OBJ_192.168.2.0_23 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 444
http 192.168.16.0 255.255.254.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 207.228.xx.xx
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.16.100-192.168.16.200 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_207.228.xx.xxinternal
group-policy GroupPolicy_207.228.xx.xx attributes
vpn-tunnel-protocol ikev1 ikev2
username User password shbn5zbLkuHP/mJX encrypted privilege 15
tunnel-group 207.228.xx.xxtype ipsec-l2l
tunnel-group 207.228.xx.xxgeneral-attributes
default-group-policy GroupPolicy_207.228.xx.xx
tunnel-group 207.228.xx.xxipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f06bd1d6d063318339d98417b171175e
: end
Any ideas? Thanks.
I looked over the config for Site A, but couldn't find anything unusual. Perhaps I'm overlooking something. Here is the config for site A:
Result of the command: "show running-config"
: Saved
ASA Version 8.2(1)
hostname SiteA
domain-name domain
enable password POgOWyKyb0jgJ1Hm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.254.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.6
domain-name domain
object-group network DM_INLINE_NETWORK_1
network-object 192.168.14.0 255.255.254.0
network-object 192.168.4.0 255.255.254.0
network-object 192.168.6.0 255.255.254.0
network-object 192.168.8.0 255.255.254.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.12.0 255.255.254.0
network-object 192.168.14.0 255.255.254.0
network-object 192.168.4.0 255.255.254.0
network-object 192.168.6.0 255.255.254.0
network-object 192.168.8.0 255.255.254.0
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.254.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip any 192.168.15.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 192.168.16.0 255.255.254.0
access-list VPNGeo_splitTunnelAcl standard permit any
access-list outside_2_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.6.0 255.255.254.0
access-list outside_3_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.4.0 255.255.254.0
access-list outside_4_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.8.0 255.255.254.0
access-list outside_5_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.16.0 255.255.254.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool GeoVPNPool 192.168.15.200-192.168.15.254 mask 255.255.254.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
http 192.168.2.0 255.255.254.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 207.228.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 208.119.xx.xx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer 208.119.xx.xx
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 208.119.xx.xx
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs group1
crypto map outside_map 5 set peer 70.64.xx.xx
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.2.100-192.168.2.254 inside
dhcpd auto_config outside interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNGeo internal
group-policy VPNGeo attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNGeo_splitTunnelAcl
username user password shbn5zbLkuHP/mJX encrypted privilege 15
username namepassword vP98Lj8Vm5SLs9PW encrypted
username nameattributes
vpn-group-policy VPNGeo
tunnel-group 207.228.xx.xxtype ipsec-l2l
tunnel-group 207.228.xx.xxipsec-attributes
pre-shared-key *
tunnel-group VPNGeo type remote-access
tunnel-group VPNGeo general-attributes
address-pool GeoVPNPool
default-group-policy VPNGeo
tunnel-group VPNGeo ipsec-attributes
pre-shared-key *
tunnel-group 208.119.xx.xxtype ipsec-l2l
tunnel-group 208.119.xx.xxipsec-attributes
pre-shared-key *
tunnel-group 208.119.xx.xx type ipsec-l2l
tunnel-group 208.119.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group 208.119.xx.xxtype ipsec-l2l
tunnel-group 208.119.xx.xxipsec-attributes
pre-shared-key *
tunnel-group 70.64.xx.xxtype ipsec-l2l
tunnel-group 70.64.xx.xxipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:e3adf4e597198f58cd21e508aabdbab9
: end
Similar Messages
-
Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host
Hi:
Need your great help for my new ASA 5505 (8.4)
I just set a new ASA 5505 with 8.4. However, I cannot ping any host after VPN in with Cisco VPN client. Please see below posted configuration file, thanks for any suggestion.
ASA Version 8.4(3)
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.29.8.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 177.164.222.140 255.255.255.248
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name ABCtech.com
same-security-traffic permit inter-interface
object network obj_any
subnet 172.29.8.0 255.255.255.0
object service RDP
service tcp source eq 3389
object network orange
host 172.29.8.151
object network WAN_173_164_222_138
host 177.164.222.138
object service SMTP
service tcp source eq smtp
object service PPTP
service tcp source eq pptp
object service JT_WWW
service tcp source eq www
object service JT_HTTPS
service tcp source eq https
object network obj_lex
subnet 172.29.88.0 255.255.255.0
description Lexington office network
object network obj_HQ
subnet 172.29.8.0 255.255.255.0
object network guava
host 172.29.8.3
object service L2TP
service udp source eq 1701
access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq 135
access-list inside_access_in extended deny tcp any eq 135 any
access-list inside_access_in extended deny udp any eq 135 any
access-list inside_access_in extended deny udp any any eq 135
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 33
89
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq sm
tp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pp
tp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ww
w
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ht
tps
access-list outside_access_in extended permit gre any host 177.164.222.138
access-list outside_access_in extended permit udp any host 177.164.222.138 eq 17
01
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29
.88.0 255.255.255.0
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list inside_in extended permit udp any any eq isakmp
access-list inside_in extended permit udp any eq isakmp any
access-list inside_in extended permit udp any any
access-list inside_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static orange interface service RDP RDP
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_
lex route-lookup
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_W
WW
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT
_HTTPS
nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Guava protocol nt
aaa-server Guava (inside) host 172.29.8.3
timeout 15
nt-auth-domain-controller guava
user-identity default-domain LOCAL
http server enable
http 172.29.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 173.190.123.138
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5
ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ES
P-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 172.29.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
dhcprelay server 172.29.8.3 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy ABCtech_VPN internal
group-policy ABCtech_VPN attributes
dns-server value 172.29.8.3
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Tunnel_User
default-domain value ABCtech.local
group-policy GroupPolicy_10.8.8.1 internal
group-policy GroupPolicy_10.8.8.1 attributes
vpn-tunnel-protocol ikev1 ikev2
username who password eicyrfJBrqOaxQvS encrypted
tunnel-group 10.8.8.1 type ipsec-l2l
tunnel-group 10.8.8.1 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 10.8.8.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
tunnel-group ABCtech type remote-access
tunnel-group ABCtech general-attributes
address-pool ABC_HQVPN_DHCP
authentication-server-group Guava
default-group-policy ABCtech_VPN
tunnel-group ABCtech ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 173.190.123.138 type ipsec-l2l
tunnel-group 173.190.123.138 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 173.190.123.138 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
inspect netbios
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6a26676668b742900360f924b4bc80de
: endHello Wayne,
Can you use a different subnet range than the internal interface, this could cause you a LOT of issues and hours on troubleshooting, so use a dedicated different Ip address range...
I can see that the local Pool range is included into the inside interface Ip address subnet range, change that and the related config ( NAT,etc, ) and let us know what happens,
Regards,
Julio
Security Trainer -
ASA 5505 as a SSL VPN Server and Easy VPN Client at the same time?
Is it possible to configure and operate the ASA 5505 as a SSL VPN server and Easy VPN Client at the same time? We would like to configure a few of these without having to purchase additional ASA 5505 and use a 2 device method (1 SSL VPN Server and 1 Easy VPN Client). Thanks in advance.
I don't think it is possible. Following links may help you
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008068dabe.html
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008071c428.shtml -
Site to Site VPN Problems With 2801 Router and ASA 5505
Hello,
I am having some issue setting up a site to site ipsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a vpn previously setup with an old hosting provider, but those connections have been servered. Right now I am trying to get the sites to talk to the 2801. Here ere are my current configs, please let me know if you need anything else. Im stumped on this one. Thanks.
IP scheme at SIte A:
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Site A Ciscso 2801 Router
Current configuration : 11858 bytes
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname router-2801
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
aaa new-model
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp ping timeout 900
ip dhcp pool DHCP
network 172.19.3.128 255.255.255.128
default-router 172.19.3.129
domain-name domain.local
netbios-name-server 172.19.3.7
option 66 ascii 172.19.3.225
dns-server 172.19.3.140 208.67.220.220 208.67.222.222
ip dhcp pool VoiceDHCP
network 172.19.10.0 255.255.255.0
default-router 172.19.10.1
dns-server 208.67.220.220 8.8.8.8
option 66 ascii 172.19.10.2
lease 2
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
multilink bundle-name authenticated
key chain key1
key 1
key-string 7 06040033484B1B484557
crypto pki trustpoint TP-self-signed-3448656681
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
revocation-check none
rsakeypair TP-self-signed-344bbb56681
crypto pki certificate chain TP-self-signed-3448656681
certificate self-signed 01
3082024F
quit
username admin privilege 15 password 7 F55
archive
log config
hidekeys
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 209.118.0.1
crypto isakmp key xxxxx address SITE B Public IP
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group IISVPN
key 1nsur3m3
dns 172.19.3.140
wins 172.19.3.140
domain domain.local
pool VPN_Pool
acl 198
crypto isakmp profile IISVPNClient
description VPN clients profile
match identity group IISVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map Dynamic 5
set transform-set myset
set isakmp-profile IISVPNClient
qos pre-classify
crypto map VPN 10 ipsec-isakmp
set peer 209.118.0.1
set peer SITE B Public IP
set transform-set myset
match address 101
qos pre-classify
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
track 123 ip sla 1 reachability
delay down 15 up 10
class-map match-any VoiceTraffic
match protocol rtp audio
match protocol h323
match protocol rtcp
match access-group name VOIP
match protocol sip
class-map match-any RDP
match access-group 199
policy-map QOS
class VoiceTraffic
bandwidth 512
class RDP
bandwidth 768
policy-map MainQOS
class class-default
shape average 1500000
service-policy QOS
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
ip address 172.19.3.129 255.255.255.128
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0.10
description $ETH-VoiceVLAN$$
encapsulation dot1Q 10
ip address 172.19.10.1 255.255.255.0
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description "Comcast"
ip address PUB IP 255.255.255.248
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
interface Serial0/1/0
description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
bandwidth 1536
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
interface Serial0/1/0.1 point-to-point
bandwidth 1536
ip address 152.000.000.18 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 500 IETF
crypto map VPN
service-policy output MainQOS
interface Serial0/2/0
description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
ip address 123.252.123.102 255.255.255.252
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map VPN
service-policy output MainQOS
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
ip route 122.112.197.20 255.255.255.255 209.252.237.101
ip route 208.67.220.220 255.255.255.255 50.78.233.110
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAETEC interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
ip access-list extended VOIP
permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
ip radius source-interface FastEthernet0/0
ip sla 1
icmp-echo 000.67.220.220 source-interface FastEthernet0/1
timeout 10000
frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 deny ip 67.128.87.156 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit ip any any
access-list 100 permit tcp any any eq ftp
access-list 101 remark "Interesting VPN Traffic"
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
access-list 102 permit udp any host 152.179.53.18 eq isakmp
access-list 102 permit esp any host 152.179.53.18
access-list 102 permit ahp any host 152.179.53.18
access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
access-list 102 permit udp any host 209.000.000.102 eq isakmp
access-list 102 permit esp any host 209.000.000.102
access-list 102 permit ahp any host 209.000.000.102
access-list 102 permit udp any host PUB IP eq non500-isakmp
access-list 102 permit udp any host PUB IP eq isakmp
access-list 102 permit esp any host PUB IP
access-list 102 permit ahp any host PUB IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
access-list 102 permit udp any host SITE B Public IP eq non500-isakmp
access-list 102 permit udp any host SITE B Public IP eq isakmp
access-list 102 permit esp any host SITE B Public IP
access-list 102 permit ahp any host SITE B Public IP
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
route-map PAETEC permit 10
match ip address 110
match interface Serial0/2/0
route-map COMCAST permit 10
match ip address 110
match interface FastEthernet0/1
route-map VERIZON permit 10
match ip address 110
match interface Serial0/1/0.1
snmp-server community 123 RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
control-plane
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
end
IP scheme at site B:
ip 172.19.5.x
sub 255.255.255.292
gw 172.19.5.65
Cisco ASA 5505 at Site B
ASA Version 8.2(5)
hostname ASA5505
domain-name domain.com
enable password b04DSH2HQqXwS8wi encrypted
passwd b04DSH2HQqXwS8wi encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.19.5.65 255.255.255.192
interface Vlan2
nameif outside
security-level 0
ip address SITE B public IP 255.255.255.224
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name iis-usa.com
same-security-traffic permit intra-interface
object-group network old hosting provider
network-object 72.55.34.64 255.255.255.192
network-object 72.55.33.0 255.255.255.0
network-object 173.189.251.192 255.255.255.192
network-object 173.163.157.32 255.255.255.240
network-object 66.11.1.64 255.255.255.192
network-object 107.0.197.0 255.255.255.192
object-group network old hosting provider
network-object host 172.19.250.10
network-object host 172.19.250.11
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any traceroute
access-list 10 extended permit icmp any any source-quench
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp object-group old hosting provider any eq 3389
access-list 10 extended permit tcp any any eq https
access-list 10 extended permit tcp any any eq www
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered warnings
logging trap debugging
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit 75.150.169.48 255.255.255.240 outside
icmp permit 72.44.134.16 255.255.255.240 outside
icmp permit 72.55.33.0 255.255.255.0 outside
icmp permit any outside
icmp permit 173.163.157.32 255.255.255.240 outside
icmp permit 107.0.197.0 255.255.255.192 outside
icmp permit 66.11.1.64 255.255.255.192 outside
icmp deny any outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http 107.0.197.0 255.255.255.192 outside
http 66.11.1.64 255.255.255.192 outside
snmp-server host outside 107.0.197.29 community *****
snmp-server host outside 107.0.197.30 community *****
snmp-server host inside 172.19.250.10 community *****
snmp-server host outside 172.19.250.10 community *****
snmp-server host inside 172.19.250.11 community *****
snmp-server host outside 172.19.250.11 community *****
snmp-server host outside 68.82.122.239 community *****
snmp-server host outside 72.55.33.37 community *****
snmp-server host outside 72.55.33.38 community *****
snmp-server host outside 75.150.169.50 community *****
snmp-server host outside 75.150.169.51 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address 110
crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto map VPNMAP 10 set security-association lifetime seconds 86400
crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 172.19.5.64 255.255.255.192 inside
telnet 172.19.3.0 255.255.255.128 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.19.3.140
dhcpd wins 172.19.3.140
dhcpd ping_timeout 750
dhcpd domain iis-usa.com
dhcpd address 172.19.5.80-172.19.5.111 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection scanning-threat shun except object-group old hosting provider
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.118.25.3 source outside
ntp server 217.150.242.8 source outside
tunnel-group 72.00.00.7 type ipsec-l2l
tunnel-group 72.00.00.7 ipsec-attributes
pre-shared-key *****
tunnel-group old vpn public ip type ipsec-l2l
tunnel-group old vpn public ip ipsec-attributes
pre-shared-key *****
tunnel-group SITE A Public IP type ipsec-l2l
tunnel-group SITE A Public IP ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect pptp
inspect sip
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: endI have removed the old "set peer" and have added:
IOS router:
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
ASA fw:
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
on the router I have also added;
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
Here is my acl :
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
Still no ping tothe other site. -
Cisco ASA 5505 Dual-ISP Backup VPN
I am trying to create a backup tunnel from an ASA 5505 to a pix 501 in the case of the Main ISP failing. The Pix external side will stay the same, but not quite sure how I can create a new crypto map and have it use the Backup ISP interface without bringing down the main tunnel.
My first thought was to add the following crypto map to the configuration below:
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer 9.3.21.13
crypto map outside_map 2 set transform-set ESP-DES-MD5
crypto map outside_map interface backupisp -->but this would break the current tunnel.
NYASA# sh run
: Saved
ASA Version 7.2(4)
hostname NYASA
domain-name girls.org
enable password CHwdJ2WMUcjxIIm8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 10.1.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 9.17.5.8 255.255.255.240
interface Vlan3
description Backup ISP
nameif backupisp
security-level 0
ip address 6.27.9.5 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.1.100.0 255.255.255.0
access-list 150 extended permit ip any host 10.1.2.27
access-list 150 extended permit ip host 10.1.2.27 any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backupisp 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (backupisp) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 9.17.5.7 1 track 1
route backupisp 0.0.0.0 0.0.0.0 6.27.9.1 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 10.1.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 10
type echo protocol ipIcmpEcho 4.2.2.2 interface outside
num-packets 3
timeout 1000
frequency 3
sla monitor schedule 10 life forever start-time now
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 9.3.21.13
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
track 1 rtr 10 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
username ptiadmin password BtOLil2gR0VaUjfX encrypted privilege 15
tunnel-group 9.4.21.13 type ipsec-l2l
tunnel-group 9.4.21.13 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:22bb60b07c4c1805b89eb2376683f861
: end
NYASA#
Thanks in advance.In that case is the PIX who needs two peers (to the ASA).
The ASA will requiere the crypto map to be applied to the backup interface as well (as you mentioned)
crypto map outside_map interface backupisp -->but this would break the current tunnel.
The above command should not break the current tunnel (if the route to reach the other end goes out via the primary interface).
Additionally you need IP SLA configured in the ASA to allow it to use the primary connection and fallback to the backup connection to build-up the tunnel (as well to use again the primary interface when it recovers).
Federico. -
ASA 5505 8.2 - SSL VPN - Cannot Ping inside host's
Hello All,
I'm an ASA Newb.
I feel like I have tried everything posted and still no success.
PROBLEM: When connected to the SSL VPN I cannot ping any internal host's. I cannot ping anything on this inside?
Result of the command: "show running-config"
: Saved
ASA Version 8.2(5)
hostname MCASA01
domain-name mydomain.org
enable password xxbtzv6P4Hqevn4N encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.2.0 VLAN
name 192.168.5.0 VPNPOOL
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 3
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ddns update hostname MC_DNS
dhcp client update dns server both
ip address 192.168.1.1 255.255.255.0
interface Vlan2
no forward interface Vlan1
nameif outside
security-level 0
ip address 11.11.11.202 255.255.255.252
interface Vlan3
no nameif
security-level 50
ip address 192.168.2.1 255.255.255.0
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name mydomain.org
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 192.168.5.1-192.168.5.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 74.7.217.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=vpn.mydomain.org,OU=IT,O="mydomain",C=US,St=CA,L=Chino
keypair digicert.key
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 00b63edadf5efa057ea49da56b179132e8
3082051c 30820404 a0030201 02021100 b63edadf 5efa057e a49da56b 179132e8
300d0609 2a864886 f70d0101 05050030 72310b30 09060355 04061302 4742311b
30190603 55040813 12477265 61746572 204d616e 63686573 74657231 10300e06
03550407 13075361 6c666f72 64311a30 18060355 040a1311 434f4d4f 444f2043
41204c69 6d697465 64311830 16060355 0403130f 45737365 6e746961 6c53534c
20434130 1e170d31 33313130 35303030 3030305a 170d3134 30323033 32333539
35395a30 52312130 1f060355 040b1318 446f6d61 696e2043 6f6e7472 6f6c2056
616c6964 61746564 3111300f 06035504 0b130846 72656520 53534c31 1a301806
03550403 13117670 6e2e6d65 74726f63 656c6c2e 6f726730 82012230 0d06092a
864886f7 0d010101 05000382 010f0030 82010a02 82010100 a0d97d51 fcd18293
eaf8e9b2 d632b2e3 e4d92eb1 5b639766 52677a26 2aa7d09d 437be3b6 dfb8649c
4d715278 e1745955 27e8aab2 9c9da997 694a73e8 c1c426f3 a519adba acc2ad94
aa0e09af 6db7bfc6 bad90bf2 b057dc56 c69a4276 1b826c83 6cd7ae09 af39bd7d
4abe60b4 9b04613a 287a1ae6 9d117d05 c7cdc15f 09d588b0 fcc05c47 c1cb6d67
c3701389 d3b7691d b05ff82c b0be475d 746a4916 0bbf11a6 7ee1b7ec bd05e1d2
dda305a6 918bfd35 17447b04 bca1e6d9 10955649 d8211878 168c4c21 279a6584
4b560a9f 414aea15 91e21581 a71d6b98 86d9eac3 47ea3a1d a172c71a ecf77aaa
536d73e4 bc53eb68 c7bfacdd fab87ea5 121baf55 067dbd19 02030100 01a38201
cb308201 c7301f06 03551d23 04183016 8014dacb eaad5b08 5dccfffc 2654ce49
e555c638 f4f8301d 0603551d 0e041604 14fabb1d f439c41f e59207c7 202c2fda
b46bcacc ee300e06 03551d0f 0101ff04 04030205 a0300c06 03551d13 0101ff04
02300030 34060355 1d25042d 302b0608 2b060105 05070301 06082b06 01050507
0302060a 2b060104 0182370a 03030609 60864801 86f84204 01304f06 03551d20
04483046 303a060b 2b060104 01b23101 02020730 2b302906 082b0601 05050702
01161d68 74747073 3a2f2f73 65637572 652e636f 6d6f646f 2e636f6d 2f435053
30080606 67810c01 0201303b 0603551d 1f043430 323030a0 2ea02c86 2a687474
703a2f2f 63726c2e 636f6d6f 646f6361 2e636f6d 2f457373 656e7469 616c5353
4c43412e 63726c30 6e06082b 06010505 07010104 62306030 3806082b 06010505
07300286 2c687474 703a2f2f 6372742e 636f6d6f 646f6361 2e636f6d 2f457373
656e7469 616c5353 4c43415f 322e6372 74302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e63 6f6d6f64 6f63612e 636f6d30 33060355 1d11042c
302a8211 76706e2e 6d657472 6f63656c 6c2e6f72 67821577 77772e76 706e2e6d
6574726f 63656c6c 2e6f7267 300d0609 2a864886 f70d0101 05050003 82010100
2484b72c 56161585 c9caa1a3 43cbc754 d3b43cef 7902a775 d40d064f 6918d52f
0aaaea0c ad873124 11b68847 406812da fd0c5d71 6e110898 1ebddcab ddf980e4
b95be4e2 0633cc23 7a4cbc27 f1f5e4e8 1de3c127 2b28a364 f1f26764 98afe871
45547855 c0ceaf39 256f46db 4ac412a7 2b594817 a967ba5a 24986b24 57002ce4
f046c6b3 5f7c9cc2 e6cd8ede 8fbcac60 b87fd497 71328783 8b148f7f affec249
191c460b 3d46d352 0651f35e 96a60fbe 7b22e057 06aa7722 da447cd3 0ea72e7f
5ec8c13c b550f502 b020efdc 35f62b89 52d7e6e3 14ade632 802dee70 1cdbf7ad
a39a173b 916406e4 887ba623 4813b925 8a63a300 fd016981 a8d70651 a736267a
quit
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd dns 66.180.96.12 64.238.96.12 interface inside
dhcpd lease 86400 interface inside
dhcpd ping_timeout 4000 interface inside
dhcpd domain mydomain.org interface inside
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 64.147.116.229 source outside
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy VPNGP internal
group-policy VPNGP attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
username GaryC password TGbvzEO3d6HlfU66 encrypted privilege 15
username GaryC attributes
vpn-group-policy VPNGP
tunnel-group MCVPN type remote-access
tunnel-group MCVPN general-attributes
address-pool VPNPOOL
default-group-policy VPNGP
tunnel-group MCVPN webvpn-attributes
group-alias MCVPN enable
group-url https://11.11.11.202/MCVPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1e950c041cc2c25116d30e5c884abbfc
: end
My goal is to allow Remote Users to RDP(3389) through VPN.
Thank you,
Gary
Message was edited by: Gary CulwellHello Jon,
Thank you so much for your response. Clients will not be connect to a specific RDP server. I was hoping if we were to establish a VPN Client tunnel I would like that tunnel to provide full local are access. So the way the clients are used to is while in the field they use RDP to connect to their desktops on the internal LAN.
Would you say this would work:
route inside 192.168.1.0 255.255.255.0 192.168.1.1 1
Do you have examples?
Thank you,
Gary -
802.1X Athentication Successful but can't ping Default Router. PSK works fine
Got an interesting scenario. I am labbing out 802.1X authentication for wireless with a Cisco 2504 WLC along with a Windows Server 2012 r2 with AD, DHCP Server, DNS Server, Certificate Services, and NPS. I was able to make the different parts communicate and was able to successfully authenticate with an account I created on AD. Under my windows server event viewer, I received confirmation message: "Network Policy Server granted access to user." I received a valid IP address from the DHCP server. Computer is on the domain. Everything looks like it is working perfectly. I even checked the debug on my WLC looking for the mac address of my device but I received the "Processing Access-Accept mobile <MAC-ADDRESS>" message.
Here comes the problem. I created 2 WLAN’s to test. One was PSK while the other was 802.1X. They share the same interface on the WLC, so they have the exact same configurations. On my PSK everything works fine, I can browse Internet and ping devices within the network. On the 802.1X, I am able to ping the controller, but nothing else. Can’t ping gateway nor my dhcp server. Any thoughts?
Best Regards,
SeanIn your testing the device that connected with psk is the same device that connected to TLS?
-
Forward 3 inside IP using the same port to one outside IP ASA 5505
Ok, so I have 3 cameras 172.20.101.15-17 all listen on port 7000. I want to forward them to a single outside IP, but when the user connects I need them to come in on ports 7001, 7002, 7003.
I have forwarded ports before, but never in this fashion, and I have no clue how to do so.Hello Shaun,
Let's say you are running a version higher than 8.3 and that the public IP is 8.8.8.8
object network Outside_IP
host 8.8.8.8
exit
object network Internal_server_1
host 172.20.101.15
nat (inside,outside) static 8.8.8 service tcp 7000 7001
exit
object network Internal_Server_2
host 172.20.101.16
nat (inside,outside) static 8.8.8 service tcp 7000 7002
exit
object network Internal_Server_3
host 172.20.101.17
nat (inside,outside) static 8.8.8 service tcp 7000 7003
Of course create the ACL's as needed,
Regards, -
ASA configuration is below!
ASA Version 9.1(1)
hostname ASA
domain-name xxx.xx
names
ip local pool VPN_CLIENT_POOL 192.168.12.1-192.168.12.254 mask 255.255.255.0
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.11.1 255.255.255.0
interface GigabitEthernet0/1
description Interface_to_VPN
nameif outside
security-level 0
ip address 111.222.333.444 255.255.255.240
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name www.ww
same-security-traffic permit intra-interface
object network LAN
subnet 192.168.11.0 255.255.255.0
description LAN
object network SSLVPN_POOL
subnet 192.168.12.0 255.255.255.0
access-list VPN_CLIENT_ACL standard permit 192.168.11.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (outside,inside) source static SSLVPN_POOL SSLVPN_POOL destination static LAN LAN
route outside 0.0.0.0 0.0.0.0 111.222.333.443 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list none
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint5
enrollment terminal
email [email protected]
subject-name CN=ASA
ip-address 111.222.333.444
crl configure
crypto ca trustpoint ASDM_TrustPoint6
enrollment terminal
fqdn vpn.domain.com
email [email protected]
subject-name CN=vpn.domain.com
ip-address 111.222.333.444
keypair sslvpn
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint6
telnet timeout 5
ssh 192.168.11.0 255.255.255.0 inside
ssh timeout 30
console timeout 0
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcpd address 192.168.5.2-192.168.5.254 management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint6 outside
webvpn
enable outside
csd image disk0:/csd_3.5.2008-k9.pkg
anyconnect image disk0:/anyconnect-win-3.1.04066-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy VPN_CLIENT_POLICY internal
group-policy VPN_CLIENT_POLICY attributes
wins-server none
dns-server value 192.168.11.198
vpn-simultaneous-logins 5
vpn-session-timeout 480
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_CLIENT_ACL
default-domain value mycomp.local
address-pools value VPN_CLIENT_POOL
webvpn
anyconnect ssl dtls enable
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect dtls compression lzs
anyconnect modules value vpngina
customization value DfltCustomization
group-policy IT_POLICY internal
group-policy IT_POLICY attributes
wins-server none
dns-server value 192.168.11.198
vpn-simultaneous-logins 3
vpn-session-timeout 120
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_CLIENT_ACL
default-domain value company.com
address-pools value VPN_CLIENT_POOL
webvpn
anyconnect ssl dtls enable
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect dtls compression lzs
customization value DfltCustomization
username vpnuser password PA$$WORD encrypted
username vpnuser attributes
vpn-group-policy VPN_CLIENT_POLICY
service-type remote-access
username vpnuser2 password PA$$W encrypted
username vpnuser2 attributes
service-type remote-access
username admin password ADMINPA$$ encrypted privilege 15
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool VPN_CLIENT_POOL
default-group-policy VPN_CLIENT_POLICY
tunnel-group VPN webvpn-attributes
authentication aaa certificate
group-alias VPN_to_R enable
tunnel-group IT_PROFILE type remote-access
tunnel-group IT_PROFILE general-attributes
address-pool VPN_CLIENT_POOL
default-group-policy IT_POLICY
tunnel-group IT_PROFILE webvpn-attributes
authentication aaa certificate
group-alias IT enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: endHi,
here's what you need:
same-security-traffic permit intra-interface
access-list VPN_CLIENT_ACL standard permit 192.168.12.0 255.255.255.0
nat (outside,outside) source static SSLVPN_POOL SSLVPN_POOL destination static SSLVPN_POOL SSLVPN_POOL
Patrick -
ASA 5505 Site-to-Site VPN dropping at end of lifetime
I have 4 ASA 5505's with Site-to-Site IPSEC VPN tunnels built between them. One of the tunnels stays up just fine but the other 2 drop at the end of the SA lifetime for a period of time equal to 10% of the SA lifetime.
Orignially, I had the the lifetime set to 1 hour and the tunnels would drop for 6 minutes. I changed the lifetime to 8 hours (480 minutes) and they dropped for 48 minutes. I've gone over the configurations and the only differences I can find is that the sites where the tunnel drops have the outside interface forwarded to an VOIP server and all ports but SIP blocked.Can you post the configs?
-
Cisco asa 5505 with Router 881w Configuration Help
Hello all,
I'm having trouble setting up a second vlan to route to the internet. I have a Cisco ASA 5505 connected to my ISP(OUTSIDE) and a Cisco 881w (INSIDE) router in the back of my firewall. My vlan 10 with the network 192.168.5.1 255.255.255.0 works with pat, however vlan 15 that is on my 881w router does not route to the internet at all. I can only ping from 192.168.15.15 network to 192.168.5.1 I would like some advice on how can I make this set up work. Attached with this discussion is a picture of my topology.
Thanks in advance.
here are the show runs:
Cisco ASA 5505 show run:
ASA Version 8.3(1)
names
interface Vlan1
no nameif
no security-level
no ip address
interface Vlan5
mac-address xxxx.xxxx.xxxx
nameif OUTSIDE
security-level 0
ip address dhcp setroute
interface Vlan10
nameif INSIDE
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 5
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
object network INTERNAL_LAN
subnet 192.168.5.0 255.255.255.0
object network PRIVATE_LAN_192
subnet 192.168.15.0 255.255.255.224
description PRIVATE_LAN_192
access-list INSIDE_access_in extended permit ip any any
access-list INSIDE_access_in extended deny ip any any
access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended deny ip any any
pager lines 24
logging enable
mtu OUTSIDE 1500
mtu INSIDE 1500
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network INTERNAL_LAN
nat (INSIDE,OUTSIDE) dynamic interface
object network PRIVATE_LAN_192
nat (INSIDE,OUTSIDE) dynamic interface
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
route INSIDE 192.168.15.0 255.255.255.224 192.168.5.2 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
dhcpd dns 8.8.8.8 75.75.76.76
dhcpd address 192.168.5.10-192.168.5.100 INSIDE
dhcpd enable INSIDE
Router 881w show run:
Current configuration : 4912 bytes
version 12.4
no ip source-route
ip dhcp excluded-address 192.168.15.1 192.168.15.10
ip dhcp pool PRIVATE_LAN
network 192.168.15.0 255.255.255.224
interface FastEthernet0
switchport trunk allowed vlan 1,15,1002-1005
switchport mode trunk
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address 192.168.5.2 255.255.255.0
duplex auto
speed auto
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
no ip address
interface Vlan15
ip address 192.168.15.1 255.255.255.224
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
no ip http server
ip http authentication local
ip http secure-serverThe cable modem does not have any configuration. I cant add any to it. Its a cisco dpc3008. From vlan 10 i have no problem to get to the internet with the above configuration. My problem is just vlan 15.
-
Cisco ASA 5505 - 2 questions - VPN Licensing; Routing
Hi,
I have a client that has a Cisco ASA 5505 security appliance. Currently it is setup as a "proof of concept" for clientless browser-based SSL VPN. The device came with 2 licenses for this service, and we need to increase that somewhere between 10-25 users. 25 users is the max on this device I believe.
I have searched Cisco.com and tried Googling the ASA 5505 for licensing but I can't find the correct license that I need for this.
The second question I have is routing capability. We have a WAN connection to another branch of the computer from this location where the ASA 5505 is located. A Cisco 2851 is used for this connection. We are wanting to bring in a high speed Internet connection for the VPN access and Internet access. What I need to know is can we put the WAN and Internet connections behind the ASA 5505 and have that route appropriately to the branch WAN for that traffic and all other traffic to the Internet?
Thanks!
--KentHi Kent,
Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main (http://forums.cisco.com/eforum/servlet/NetProf?page=main) This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
Regards,
David Dunlap
SBSC Engineer -
ASA 5505 - L2TP over IPsec - Remote Address shows outside interface address
Using an ASA 5505 for firewall and VPN. We've enabled L2TP over IPsec to allow Windows clients to connect without third party software.
The devices complete the connection and authenticate fine, but then are unable to hit any internal resources. Split tunneling seems to be working, as they can still hit outside resources. Packet tracer shows tcp flowing freely between VPN clients (192.168.102.0/24) and internal resources (192.168.100.0/24). Even the NAT translation looks good in packet tracer.
I pulled up the session details for one of the VPN clients in the ASDM and under the IPsecOverNatT details, it is showing the VPN client's remote address correctly, but displays the local address as the address assigned to the outside interface (which the client is using to connect.) This seems to be the problem, as viewing detailed connection logs shows the internal resources trying to send packets back to the outside interface rather than the VPN client's assigned internal addresses. Details:
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: [OUTSIDE INTERFACE ADDRESS]
local ident (addr/mask/prot/port): ([OUTSIDE INTERFACE ADDRESS]/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): ([VPN CLIENT ADDRESS]/255.255.255.255/17/0)
current_peer: [VPN CLIENT ADDRESS], username: vpnuser
dynamic allocated peer ip: 192.168.102.1 [This is what I think it should be showing for local ident]
dynamic allocated peer ip(ipv6): 0.0.0.0
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: [OUTSIDE INTERFACE ADDRESS]/4500, remote crypto endpt.: [VPN CLIENT ADDRESS]/8248
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 05BFAE20
current inbound spi : CF85B895
inbound esp sas:
spi: 0xCF85B895 (3481647253)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4373998/3591)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000FFFFD
outbound esp sas:
spi: 0x05BFAE20 (96448032)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4373999/3591)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Any ideas? The remote clients connect but when internal resources try to send traffic to the VPN clients, the packets are directed to the outside interface address instead of the local address assigned to the VPN client.I have what I believe to be a similar issue. Site to site vpn is working well. That is site b can ping and send traffic to site A but Site A can not. Site B is a 3rd party vpn router. Site A is a Cisco 5505.
It appears that when the crypto map inserts the route into the routing table it shows the route via the outside IP of the outside interface and not the IP of Site B. in the crypto map I can see the proper ip address for the peer. I can't figure out why when it inserts the route that it uses the wrong ip address -
CIsco ASA 5505 and VPN licenses
Hi,
Cisco ASA 5505 comes with 10 VPN licenses in a standard configuration.
How those licenses are counted? Will I need a license per one IPSec SA?
If I have two site connected with LAN-to-LAN VPN with 10 subnets at one site, how many licenses will be taken? 10 - one per IPSec SA or just 1 - one per point-to-point VPN?
Thank you.
Regards,
AlexAlex,
In an ASA 5505, it should say something like this...when you do sh ver.
VPN Peers : 25
It means that you can have so many peers connecting to the ASA. Its not per IPSec SA.
Its a per tunnel license.
Rate this, if it helps!
Gilbert -
Nat/pat asa 5505 asdm ver 8.4
hi all,
i have a problem with portfoarwarding on asa 5505.
i have this situation:
internet ---> pubblic ip address-> router albacom -- 10.0.0.15 ---> -nat farward port 80--10.0.0.1 -outside -firewall asa -inside - 192.168.0.1------------server web 192.168.0.99
the server is not in dmz but it's on the lan network
my user must connect from internet, with any browser http://albacom_pubblic_address and router albacom and then asa firewall must nat and farward the port 80 on server web 192.168.0.99
any idea or tutorial
ths, best regardsHi Luca,
On the ASA, you would need the following:
object network server_ip
host 192.168.0.99
object service tcp_80
service tcp destination eq 80
nat (outside,inside) source static any any destination static interface server_ip service tcp_80 tcp_80
That would port forward all the request coming on port 80 on the outside interface of the firewall, to your internal server on port 80.
Hope that helps
Thanks,
Varun
Maybe you are looking for
-
Can I use adobe photoshop elements 12 and premiere elements 12 with a mac? and how?
I have photoshop element12 &premiere elements 12 and want to put them on my mac. Mac has no where to put the discs. Can I use it and how? I need baby steps as I am not great with tech.
-
Hi, I'm facing problems while lookingup Home, from Resin to wlserver6.1. I'm new to Resin and unable to find any clean documentation either. I'm able to lookup the server from Tomcat, but not from resin.
-
Safari Unable to Connect with Gmail Server?
I tried to log into Gmail this morning. The top of the page shows, "Redirecting" and then I get an error message of: Safari can't connect to the server. Safari can't open the page "http://mail.google.com/mail/?zx=1f097o2n9gp73&zx=1kh3f7h1am1kh&zx=1cs
-
Error in configuring SOA from jdev 11g TP4
i get an error while configuring SOA from jdev 11g, error is in Test DB setting in first step. These are the details DB Connection String : localhost:1521:XE DB User Name: adrs_soainfra DB Password: welcome1 error is "There was a problem in establish
-
Grub2 theme PKGBUILD - what am I missing?
I wrote the following in an attempt to install the winter theme for grub2. The package builds just fine, but I must be missing something because there is no theme displayed upon a reboot into grub2, just blue text. Note that all the grub2-theme.ins