VPN Tunnel setup - can't ping either endpoint
So I was given the task to set up a new VPN tunnel for a client and even though I've basically made it open, we still cannot ping each other's endpoints. I troubleshooted for over an hour with one of their techs, still to no avail. I included the config of this router. The tunnel can build out, completes phase 1 and 2, but still doesn't allow traffic or ability to connect to either endpoint. Please help.
Result of the command: "sh run"
: Saved
ASA Version 8.0(3)6
hostname RBPASA01
domain-name rbmc.org
enable password *removed* encrypted
passwd *removed* encrypted
names
name 10.20.10.0 OBD-DHCP-10.20.10.x description DHCP Scopes for VLAN20
name 10.20.11.0 OBD-DHCP-10.20.11.x description DHCP Scopes for VLAN20
name 10.20.12.0 OBD-DHCP-10.20.12.x description DHCP Scopes for VLAN20
name 10.10.14.0 PAD-DHCP-10.10.14.X description DHCP Scopes for VLAN10
name 128.127.0.0 Millennium-Remote
name 10.10.0.0 Pad-10.10-network
name 10.11.0.0 Pad-10.11-network
name 10.12.0.0 Pad-10.12-network
name 10.100.91.0 Pad-10.100-network
name 10.30.13.0 Millennium-nat
name 10.100.91.200 Maxsys-Server
name 65.171.123.34 Maxsys-Remote description Landacorp remote access
name 65.211.65.21 FTP-External-Address
name 172.31.0.15 FTP-Internal-Address description FTP Server in DMZ
name 10.100.91.201 RBPMAXYS02 description Landacorp Access
name 10.10.10.231 c05407
name 192.168.55.4 c05407Nat
name 192.168.55.3 c057017Nat
name 10.10.13.50 c05744
name 192.168.55.5 c05744Nat
name 151.198.253.253 VPN-External
name 10.13.102.30 NBI20610 description Viewpoint Server SBHCS
name 10.100.90.51 RBPASA01 description PRI ASA
name 10.100.90.52 RBPASA02 description SECASA
name 151.198.253.254 VPN02External
name 10.10.7.189 RBMHIS description AergoVPN(Local)
name 10.10.7.43 RBMHIS1 description AergoVPN(Local)
name 10.10.7.44 RBMHIS2 description AergoVPN(Local)
name 10.100.98.21 RBMS2 description AergoVPN(Local)
name 10.1.6.0 AergoVPN-Remote description AergoVPN-Remote
name 216.167.127.4 Lynx-PicisHost1 description Lynx Encryption Domain
name 216.167.127.30 Lynx-PicisHost10 description Lynx Encryption Domain
name 216.167.127.31 Lynx-PicisHost11 description Lynx Encryption Domain
name 216.167.127.32 Lynx-PicisHost12 description Lynx Encryption Domain
name 216.167.127.33 Lynx-PicisHost13 description Lynx Encryption Domain
name 216.167.127.34 Lynx-PicisHost14 description Lynx Encryption Domain
name 216.167.127.35 Lynx-PicisHost15 description Lynx Encryption Domain
name 216.167.127.5 Lynx-PicisHost2 description Lynx Encryption Domain
name 216.167.127.6 Lynx-PicisHost3 description Lynx Encryption Domain
name 216.167.127.7 Lynx-PicisHost4 description Lynx Encryption Domain
name 216.167.127.8 Lynx-PicisHost5 description Lynx Encryption Domain
name 216.167.127.9 Lynx-PicisHost6 description Lynx Encryption Domain
name 216.167.127.10 Lynx-PicisHost7 description Lynx Encryption Domain
name 216.167.127.28 Lynx-PicisHost8 description Lynx Encryption Domain
name 216.167.127.29 Lynx-PicisHost9 description Lynx Encryption Domain
name 216.167.119.208 Lynx-PicisNtwk description Lynx-PicisNtwk
name 10.10.7.152 OLSRV2RED description Picis-LynxLocal
name 10.100.91.14 RBPPICISTST description Lynx-PicisLocal
name 10.100.98.20 RBPAERGO1 description AERGO
name 10.50.1.141 PACSHost1 description GE PACS Local
name 10.50.1.149 PACSHost2 description GE PACS Local
name 10.50.1.151 PACSHost3 description GE PACS Local
name 10.50.1.38 PACSHost4 description GE PACS Local
name 10.50.1.39 PACSHost5 description GE PACS Local
name 10.50.1.41 PACSHost6 description GE PACS Local
name 10.50.1.42 PACSHost7 description GE PACS Local
name 10.50.1.43 PACSHost8 description GE PACS Local
name 10.50.1.64 PACSHost10 description GE PACS Local
name 10.50.1.67 PACSHost11 description GE PACS Local
name 10.50.1.68 PACSHost12 description GE PACS Local
name 10.50.1.69 PACSHost13 description GE PACS Local
name 10.50.1.44 PACSHost9 description GE PACS Local
name 10.50.1.70 PACSHost14 description GE PACS Local
name 10.50.1.71 PACSHost15 description GE PACS Local
name 10.50.1.72 PACSHost16 description GE PACS Local
name 10.50.1.73 PACSHost17 description GE PACS Local
name 10.50.1.74 PACSHost18 description GE PACS Local
name 10.50.1.75 PACSHost19 description GE PACS Local
name 10.50.1.76 PACSHost20 description GE PACS Local
name 10.50.1.77 PACSHost21 description GE PACS Local
name 10.50.1.91 PACSHost22 description GE PACS Local
name 10.50.1.92 PACSHost23 description GE PACS Local
name 10.60.1.42 PACSHost24 description GE PACS Local
name 10.60.1.43 PACSHost25 description GE PACS Local
name 10.60.1.44 PACSHost26 description GE PACS Local
name 10.60.1.45 PACSHost27 description GE PACS Local
name 10.60.1.46 PACSHost28 description GE PACS Local
name 10.60.1.47 PACSHost29 description GE PACS Local
name 10.60.1.48 PACSHost30 description GE PACS Local
name 10.60.1.49 PACSHost31 description GE PACS Local
name 10.60.1.51 PACSHost32 description GE PACS Local
name 10.60.1.52 PACSHost33 description GE PACS Local
name 10.60.1.53 PACSHost34 description GE PACS Local
name 10.60.1.80 PACSHost35 description GE PACS Local
name 10.50.1.30 PACSHost36 description GE PACS Local
name 10.50.1.200 PACSHost37 description GE PACS Local
name 10.50.1.137 PACSHost38 description GE PACS Local
name 10.50.1.203 PACSHost39 description GE PACS Local
name 10.50.1.206 PACSHost40 description GE PACS Local
name 10.50.1.209 PACSHost41 description GE PACS Local
name 10.60.1.215 PACSHost42 description GE PACS Local
name 10.60.1.23 PACSHost43 description GE PACS Local
name 10.60.1.21 PACSHost44 description GE PACS Local
name 10.50.1.36 PACSHost45 description GE PACS Local
name 10.50.1.34 PACSHost46 description GE PACS Local
name 10.50.1.10 PACSHost47 description GE PACS Local
name 150.2.0.0 GE_PACS_NET description GE PACS Remote
name 10.50.1.19 PACSHost49 description GE PACS Local
name 10.50.1.28 PACSHost50 description GE PACS Local
name 10.50.1.29 PACSHost51 description GE PACS Local
name 10.50.1.140 PACSHost52 description GE PACS Local
name 10.60.1.161 PACSHost53 description GE PACS Local
name 10.50.1.31 PACSHost54 description GE PACS Local
name 10.50.1.32 PACSHost55 description GE PACS Local
name 10.50.1.4 PACSHost56 description GE PACS Local
name 10.50.1.35 PACSHost57 description GE PACS Local
name 10.50.1.37 PACSHost58 description GE PACS Local
name 10.60.1.22 PACSHost59 description GE PACS Local
name 10.60.1.24 PACSHost60 description GE PACS Local
name 10.60.1.218 PACSHost61 description GE PACS Local
name 10.60.1.221 PACSHost62 description GE PACS Local
name 10.50.1.16 PACSHost63 description GE PACS Local
name 10.50.1.15 PACSHost64 description GE PACS Local
name 10.50.1.106 PACSHost65 description GE PACS Local
name 10.50.1.33 PACSHost66 description GE PACS Local
name 10.20.7.160 PACSHost67 description GE PACS Local
name 10.50.1.135 PACSHost68 description GE PACS Local
name 10.60.1.141 PACSHost69 description GE PACS Local
name 10.60.1.150 PACSHost70 description GE PACS Local
name 10.60.1.154 PACSHost71 description GE PACS Local
name 10.50.1.136 PACSHost72 description GE PACS Local
name 10.50.1.147 PACSHost73 description GE PACS Local
name 10.50.1.161 PACSHost74 description GE PACS Local
name 10.60.1.155 PACSHost75 description GE PACS Local
name 10.30.0.0 Throckmorton_Net1 description Internal
name 108.58.104.208 Throckmorton_Net2 description External
name 10.0.0.0 PAD_Internal description PAD INternal
name 172.16.100.16 LandaCorp_Remote description LandaCorp
name 192.168.55.6 C05817Nat description ViewPoint Computer
name 10.10.13.71 C05817 description ViewPoint Computer
name 10.50.1.189 RBMCCCG description GE PACS Local
name 10.50.1.21 RBMCDAS21 description GE PACS Local
name 10.50.1.22 RBMCDAS22 description GE PACS Local
name 10.50.1.23 RBMCDAS23 description GE PACS Local
name 10.50.1.24 RBMCDAS24 description GE PACS Local
name 10.50.1.248 RBMCNAS_BACKUP description GE PACS Local
name 10.50.1.243 RBMCNAS_STS description GE PACS Local
name 10.50.1.186 RBMCSPS description GE PACS Local
name 10.50.1.188 RBMCTESTCCG description GE PACS Local
name 10.50.1.252 RBMCTESTIMS description GE PACS Local
name 10.50.1.249 RBMICISU2 description GE PACS Local
name 10.50.1.191 RBMC1DAS32ILO description GE PACS Local
name 10.50.1.192 RBMC1DAS33ILO description GE PACS Local
name 10.50.1.193 RBMC1DAS34ILO description GE PACS Local
name 10.50.1.194 RBMC1DAS35ILO description GE PACS Local
name 10.50.1.195 RBMC1DAS36ILO description GE PACS Local
name 10.50.1.197 RBMC1DAS38ILO description GE PACS Local
name 10.50.1.190 RBMC1DPS106ILO description GE PACS Local
name 10.50.1.196 RBMCCWEBILO description GE PACS Local
name 10.50.1.17 RBMCEACA description GE PACS Local
name 10.50.1.247 RBMCNAS_BACKUPILO description GE PACS Local
name 10.50.1.254 RBMICISU2ILO description GE PACS Local
name 10.50.1.187 RBMC1DAS31_ILO description GE PACS Local
name 10.50.1.253 RBMCTESTDAS description GE PACS Local
name 12.145.95.0 LabCorp_Test_Remote description LabCorp VPN TEST
name 38.107.151.110 ClearSea_Server description DeafTalk External Server
name 10.100.90.15 DeafTalk1
name 10.10.10.155 Dennis
name 10.10.7.81 RBPMAM description SunQuest Lab Server
dns-guard
interface GigabitEthernet0/0
description External Interface
speed 1000
duplex full
nameif Verizon-ISP
security-level 0
ip address VPN-External 255.255.255.224 standby VPN02External
ospf cost 10
interface GigabitEthernet0/1
description LAN/STATE Failover Interface
interface GigabitEthernet0/2
description INTERNAL-NET
nameif Internal
security-level 100
ip address RBPASA01 255.255.255.0 standby RBPASA02
ospf cost 10
interface GigabitEthernet0/3
description DMZ Zone
nameif DMZ
security-level 10
ip address 172.31.0.51 255.255.255.0
interface Management0/0
shutdown
no nameif
no security-level
no ip address
time-range Vendor-Access
periodic Monday 9:00 to Friday 16:00
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Verizon-ISP
dns domain-lookup Internal
dns server-group DefaultDNS
name-server 10.100.91.5
name-server 10.10.7.149
domain-name rbmc.org
object-group service VPN_Tunnel tcp
description Ports used for Site to Site VPN Tunnel
port-object eq 10000
port-object eq 2746
port-object eq 4500
port-object eq 50
port-object eq 500
port-object eq 51
object-group network Millennium-Local-Network
description Pad networks that connect to millennium
network-object Pad-10.10-network 255.255.0.0
network-object Throckmorton_Net1 255.255.0.0
object-group icmp-type ICMP-Request-Group
icmp-object echo
icmp-object information-request
icmp-object mask-request
icmp-object timestamp-request
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group network Viewpoint
description OB Viewpoint Clients
network-object host 10.10.10.220
network-object host c05407
network-object host c05744
network-object host 192.168.55.2
network-object host c057017Nat
network-object host c05407Nat
network-object host c05744Nat
network-object host C05817Nat
network-object host C05817
object-group service ConnectionPorts tcp-udp
port-object eq 3872
port-object eq 4890
port-object eq 4898
object-group service TCP tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_1 tcp
group-object ConnectionPorts
port-object eq 3389
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object icmp
protocol-object tcp
object-group network AergoVPN-Local
description Aergo VPN Local HIS Servers
network-object host RBMHIS
network-object host RBMHIS1
network-object host RBMHIS2
network-object host RBMS2
network-object host RBPAERGO1
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object icmp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network Lynx-PicisRemote
description Lynx-Picis Remote Encryption Domain
network-object Lynx-PicisNtwk 255.255.255.240
network-object host Lynx-PicisHost7
network-object host Lynx-PicisHost8
network-object host Lynx-PicisHost9
network-object host Lynx-PicisHost10
network-object host Lynx-PicisHost11
network-object host Lynx-PicisHost12
network-object host Lynx-PicisHost13
network-object host Lynx-PicisHost14
network-object host Lynx-PicisHost15
network-object host Lynx-PicisHost1
network-object host Lynx-PicisHost2
network-object host Lynx-PicisHost3
network-object host Lynx-PicisHost4
network-object host Lynx-PicisHost5
network-object host Lynx-PicisHost6
object-group network DM_INLINE_NETWORK_1
network-object host OLSRV2RED
network-object host RBPPICISTST
object-group network DM_INLINE_NETWORK_2
network-object host OLSRV2RED
network-object host RBPPICISTST
object-group protocol DM_INLINE_PROTOCOL_5
protocol-object icmp
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object host OLSRV2RED
network-object host RBPPICISTST
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group protocol DM_INLINE_PROTOCOL_6
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_7
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_3 tcp
group-object ConnectionPorts
port-object eq 3389
object-group network GE_PACS_Local
description GE PACS Local Hosts
network-object host PACSHost67
network-object host PACSHost65
network-object host PACSHost47
network-object host PACSHost68
network-object host PACSHost72
network-object host PACSHost38
network-object host PACSHost52
network-object host PACSHost1
network-object host PACSHost73
network-object host PACSHost2
network-object host PACSHost3
network-object host PACSHost64
network-object host PACSHost74
network-object host PACSHost63
network-object host PACSHost49
network-object host PACSHost37
network-object host PACSHost39
network-object host PACSHost40
network-object host PACSHost41
network-object host PACSHost50
network-object host PACSHost51
network-object host PACSHost36
network-object host PACSHost54
network-object host PACSHost55
network-object host PACSHost66
network-object host PACSHost46
network-object host PACSHost57
network-object host PACSHost45
network-object host PACSHost58
network-object host PACSHost4
network-object host PACSHost5
network-object host PACSHost6
network-object host PACSHost7
network-object host PACSHost8
network-object host PACSHost9
network-object host PACSHost56
network-object host PACSHost10
network-object host PACSHost11
network-object host PACSHost12
network-object host PACSHost13
network-object host PACSHost14
network-object host PACSHost15
network-object host PACSHost16
network-object host PACSHost17
network-object host PACSHost18
network-object host PACSHost19
network-object host PACSHost20
network-object host PACSHost21
network-object host PACSHost22
network-object host PACSHost23
network-object host PACSHost69
network-object host PACSHost70
network-object host PACSHost71
network-object host PACSHost75
network-object host PACSHost53
network-object host PACSHost42
network-object host PACSHost61
network-object host PACSHost44
network-object host PACSHost62
network-object host PACSHost59
network-object host PACSHost43
network-object host PACSHost60
network-object host PACSHost24
network-object host PACSHost25
network-object host PACSHost26
network-object host PACSHost27
network-object host PACSHost28
network-object host PACSHost29
network-object host PACSHost30
network-object host PACSHost31
network-object host PACSHost32
network-object host PACSHost33
network-object host PACSHost34
network-object host PACSHost35
network-object host RBMCSPS
network-object host RBMCTESTCCG
network-object host RBMCCCG
network-object host RBMCDAS21
network-object host RBMCDAS22
network-object host RBMCDAS23
network-object host RBMCNAS_STS
network-object host RBMCNAS_BACKUP
network-object host RBMICISU2
network-object host RBMCDAS24
network-object host RBMCTESTIMS
network-object host RBMCEACA
network-object host RBMC1DAS31_ILO
network-object host RBMC1DPS106ILO
network-object host RBMC1DAS32ILO
network-object host RBMC1DAS33ILO
network-object host RBMC1DAS34ILO
network-object host RBMC1DAS35ILO
network-object host RBMC1DAS36ILO
network-object host RBMCCWEBILO
network-object host RBMC1DAS38ILO
network-object host RBMCNAS_BACKUPILO
network-object host RBMCTESTDAS
network-object host RBMICISU2ILO
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group service DM_INLINE_SERVICE_3
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group network DM_INLINE_NETWORK_4
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_5
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_6
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_7
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group network DM_INLINE_NETWORK_8
network-object Throckmorton_Net1 255.255.0.0
network-object Throckmorton_Net2 255.255.255.248
object-group service DM_INLINE_SERVICE_4
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group service DM_INLINE_SERVICE_5
service-object icmp
service-object udp
service-object tcp
service-object tcp eq ftp
object-group network DM_INLINE_NETWORK_9
network-object host RBMCEACA
group-object GE_PACS_Local
object-group protocol DM_INLINE_PROTOCOL_9
protocol-object ip
protocol-object icmp
object-group service ClearSea tcp-udp
description DeafTalk
port-object range 10000 19999
port-object eq 35060
object-group service ClearSeaUDP udp
description DeafTalk
port-object range 10000 19999
object-group service DM_INLINE_TCP_4 tcp
group-object ClearSea
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_11
network-object 0.0.0.0 0.0.0.0
network-object host DeafTalk1
object-group protocol DM_INLINE_PROTOCOL_10
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_11
protocol-object ip
protocol-object icmp
access-list RBMCVPNCL_splitTunnelAcl standard permit Pad-10.100-network 255.255.255.0
access-list Verizon-ISP_Internal extended permit tcp any host FTP-External-Address eq ftp
access-list dmz_internal extended permit tcp host FTP-Internal-Address any eq ftp
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_4 object-group AergoVPN-Local AergoVPN-Remote 255.255.255.0
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DM_INLINE_NETWORK_3 object-group Lynx-PicisRemote
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_6 object-group Viewpoint host NBI20610
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_7 host RBPMAXYS02 host LandaCorp_Remote
access-list Internal_access_in extended permit tcp host RBPMAXYS02 host LandaCorp_Remote object-group DM_INLINE_TCP_3
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group GE_PACS_Local GE_PACS_NET 255.255.0.0
access-list Internal_access_in extended permit object-group DM_INLINE_SERVICE_4 Pad-10.10-network 255.255.0.0 object-group DM_INLINE_NETWORK_7
access-list Internal_access_in remark Permit to connect to DeafTalk Server
access-list Internal_access_in extended permit tcp object-group DM_INLINE_NETWORK_11 host ClearSea_Server object-group DM_INLINE_TCP_4
access-list Internal_access_in extended permit object-group DM_INLINE_PROTOCOL_10 any LabCorp_Test_Remote 255.255.255.0
access-list Verizon-ISP_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_11 host RBPMAM LabCorp_Test_Remote 255.255.255.0
access-list Verizon-ISP_2_cryptomap extended permit tcp host Maxsys-Server host Maxsys-Remote object-group VPN_Tunnel
access-list Internal_nat0_outbound extended permit tcp Pad-10.100-network 255.255.255.0 host Maxsys-Remote object-group VPN_Tunnel
access-list DMZ_access_in extended permit ip Pad-10.10-network 255.255.0.0 172.31.0.0 255.255.255.0
access-list Verizon-ISP_access_in extended permit tcp any host FTP-External-Address object-group DM_INLINE_TCP_2
access-list Verizon-ISP_access_in extended permit tcp host LandaCorp_Remote host RBPMAXYS02 object-group DM_INLINE_TCP_1
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host NBI20610 object-group Viewpoint
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_3 AergoVPN-Remote 255.255.255.0 object-group AergoVPN-Local
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_5 object-group Lynx-PicisRemote object-group DM_INLINE_NETWORK_2
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_2 host LandaCorp_Remote host RBPMAXYS02
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_SERVICE_3 GE_PACS_NET 255.255.0.0 object-group DM_INLINE_NETWORK_9
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_PROTOCOL_9 LabCorp_Test_Remote 255.255.255.0 any
access-list Verizon-ISP_access_in extended permit object-group DM_INLINE_SERVICE_5 object-group DM_INLINE_NETWORK_8 Pad-10.10-network 255.255.0.0
access-list Verizon-ISP_3_cryptomap extended permit ip host Maxsys-Server host Maxsys-Remote
access-list Internal_nat0_outbound_1 extended permit ip host RBPMAXYS02 host LandaCorp_Remote
access-list Internal_nat0_outbound_1 extended permit ip object-group AergoVPN-Local AergoVPN-Remote 255.255.255.0
access-list Internal_nat0_outbound_1 extended permit ip host OLSRV2RED object-group Lynx-PicisRemote
access-list Internal_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_1 object-group Lynx-PicisRemote
access-list Internal_nat0_outbound_1 extended permit ip any 10.100.99.0 255.255.255.0
access-list Internal_nat0_outbound_1 extended permit ip object-group GE_PACS_Local GE_PACS_NET 255.255.0.0
access-list Internal_nat0_outbound_1 extended permit ip Pad-10.10-network 255.255.0.0 object-group DM_INLINE_NETWORK_4
access-list Internal_nat0_outbound_1 extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_5
access-list Internal_nat0_outbound_1 extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_6
access-list Internal_nat0_outbound_1 extended permit ip object-group Millennium-Local-Network Millennium-Remote 255.255.0.0
access-list Internal_nat0_outbound_1 extended deny ip any LabCorp_Test_Remote 255.255.255.0 inactive
access-list Verizon-ISP_5_cryptomap extended permit ip host RBPMAXYS02 host LandaCorp_Remote
access-list Verizon-ISP_6_cryptomap extended permit ip object-group Viewpoint host NBI20610
access-list Verizon-ISP_4_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group Lynx-PicisRemote
access-list Verizon-ISP_7_cryptomap extended permit ip object-group GE_PACS_Local GE_PACS_NET 255.255.0.0
access-list Verizon-ISP_8_cryptomap extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_5
access-list Verizon-ISP_9_cryptomap extended permit ip PAD_Internal 255.0.0.0 object-group DM_INLINE_NETWORK_6
access-list Verizon-ISP_cryptomap extended permit ip object-group AergoVPN-Local AergoVPN-Remote 255.255.255.0
pager lines 24
logging enable
logging buffer-size 32000
logging buffered debugging
logging asdm debugging
mtu Verizon-ISP 1500
mtu Internal 1500
mtu DMZ 1500
ip local pool CiscoClient-IPPool-192.168.55.x 192.168.45.1-192.168.45.25 mask 255.255.255.0
ip local pool VLAN99VPNUsers 10.100.99.6-10.100.99.255 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/1
failover key *****
failover replication http
failover link Failover GigabitEthernet0/1
failover interface ip Failover 172.16.90.17 255.255.255.248 standby 172.16.90.18
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 173.72.107.26 Verizon-ISP
icmp deny any Verizon-ISP
icmp permit host 192.168.10.2 Internal
icmp permit host 192.168.10.3 Internal
icmp permit host 192.168.10.4 Internal
icmp permit host 192.168.10.5 Internal
icmp permit host 10.10.10.96 Internal
icmp permit host 10.10.13.20 Internal
icmp permit host 10.10.12.162 Internal
icmp deny any Internal
icmp permit host Dennis Internal
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
global (Verizon-ISP) 1 65.211.65.6-65.211.65.29 netmask 255.255.255.224
global (Verizon-ISP) 101 interface
nat (Internal) 0 access-list Internal_nat0_outbound_1
nat (Internal) 101 0.0.0.0 0.0.0.0
static (Internal,DMZ) Pad-10.10-network Pad-10.10-network netmask 255.255.0.0
static (Verizon-ISP,DMZ) FTP-Internal-Address FTP-External-Address netmask 255.255.255.255
static (DMZ,Verizon-ISP) FTP-External-Address FTP-Internal-Address netmask 255.255.255.255
static (Internal,Verizon-ISP) c05407Nat c05407 netmask 255.255.255.255
static (Internal,Verizon-ISP) c057017Nat 10.10.10.220 netmask 255.255.255.255
static (Internal,Verizon-ISP) c05744Nat c05744 netmask 255.255.255.255
static (Verizon-ISP,Internal) Maxsys-Server VPN-External netmask 255.255.255.255
static (Internal,Verizon-ISP) C05817Nat C05817 netmask 255.255.255.255
access-group Verizon-ISP_access_in in interface Verizon-ISP
access-group Internal_access_in in interface Internal
access-group dmz_internal in interface DMZ
route Verizon-ISP 0.0.0.0 0.0.0.0 65.211.65.2 1
route Internal Pad-10.10-network 255.255.0.0 10.10.0.1 1
route Internal 10.20.0.0 255.255.0.0 10.10.0.1 1
route Internal Throckmorton_Net1 255.255.0.0 10.10.0.1 1
route Internal 10.50.0.0 255.255.0.0 10.10.0.1 1
route Internal 10.60.0.0 255.255.0.0 10.10.0.1 1
route Internal 10.70.0.0 255.255.0.0 10.10.0.1 1
route Internal 10.100.0.0 255.255.0.0 10.10.0.1 1
route Internal 64.46.192.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.193.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.194.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.195.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.196.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.201.0 255.255.255.0 10.10.0.1 1
route Internal 64.46.246.0 255.255.255.0 10.10.0.1 1
route Verizon-ISP 65.51.206.130 255.255.255.255 65.211.65.2 255
route Verizon-ISP Millennium-Remote 255.255.0.0 65.211.65.2 1
route Internal Millennium-Remote 255.255.0.0 10.10.0.1 255
route Internal 172.31.1.0 255.255.255.0 10.10.0.1 1
route Internal 192.168.55.0 255.255.255.0 10.10.0.1 1
route Internal 195.21.26.0 255.255.255.0 10.10.0.1 1
route Internal 199.21.26.0 255.255.255.0 10.10.0.1 1
route Internal 199.21.27.0 255.255.255.0 10.10.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server RadiusServer protocol radius
aaa-server RadiusServer (Internal) host 10.10.7.240
timeout 5
key r8mcvpngr0up!
radius-common-pw r8mcvpngr0up!
aaa-server SafeNetOTP protocol radius
max-failed-attempts 1
aaa-server SafeNetOTP (Internal) host 10.100.91.13
key test
radius-common-pw test
aaa-server VPN-FW protocol radius
aaa-server VPN-FW (Internal) host 10.10.7.240
timeout 5
key r8mcvpngr0up!
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http Dennis 255.255.255.255 Internal
http 10.10.11.108 255.255.255.255 Internal
http 10.10.10.194 255.255.255.255 Internal
http 10.10.10.195 255.255.255.255 Internal
http 10.10.12.162 255.255.255.255 Internal
http 10.10.13.20 255.255.255.255 Internal
snmp-server location BRN2 Data Center
snmp-server contact Crystal Holmes
snmp-server community r8mc0rg
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change
auth-prompt prompt Your credentials have been verified
auth-prompt accept Your credentials have been accepted
auth-prompt reject Your credentials have been rejected. Contact your system administrator
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Verizon-ISP_map 1 match address Verizon-ISP_cryptomap
crypto map Verizon-ISP_map 1 set peer 65.51.154.66
crypto map Verizon-ISP_map 1 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 2 match address Verizon-ISP_2_cryptomap
crypto map Verizon-ISP_map 2 set peer Maxsys-Remote
crypto map Verizon-ISP_map 2 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 2 set nat-t-disable
crypto map Verizon-ISP_map 3 match address Verizon-ISP_3_cryptomap
crypto map Verizon-ISP_map 3 set peer Maxsys-Remote
crypto map Verizon-ISP_map 3 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 3 set nat-t-disable
crypto map Verizon-ISP_map 4 match address Verizon-ISP_4_cryptomap
crypto map Verizon-ISP_map 4 set peer 198.65.114.68
crypto map Verizon-ISP_map 4 set transform-set ESP-AES-256-SHA
crypto map Verizon-ISP_map 4 set nat-t-disable
crypto map Verizon-ISP_map 5 match address Verizon-ISP_5_cryptomap
crypto map Verizon-ISP_map 5 set peer 12.195.130.2
crypto map Verizon-ISP_map 5 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 5 set nat-t-disable
crypto map Verizon-ISP_map 6 match address Verizon-ISP_6_cryptomap
crypto map Verizon-ISP_map 6 set peer 208.68.22.250
crypto map Verizon-ISP_map 6 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 6 set nat-t-disable
crypto map Verizon-ISP_map 7 match address Verizon-ISP_7_cryptomap
crypto map Verizon-ISP_map 7 set peer 208.51.30.227
crypto map Verizon-ISP_map 7 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 8 match address Verizon-ISP_8_cryptomap
crypto map Verizon-ISP_map 8 set peer Throckmorton_Net2
crypto map Verizon-ISP_map 8 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 9 match address Verizon-ISP_9_cryptomap
crypto map Verizon-ISP_map 9 set peer 108.58.104.210
crypto map Verizon-ISP_map 9 set transform-set ESP-3DES-MD5
crypto map Verizon-ISP_map 10 match address Verizon-ISP_cryptomap_1
crypto map Verizon-ISP_map 10 set peer 162.134.70.20
crypto map Verizon-ISP_map 10 set transform-set ESP-3DES-SHA
crypto map Verizon-ISP_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Verizon-ISP_map interface Verizon-ISP
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn vpn.rbmc.org
subject-name CN=vpn.rbmc.org
keypair sslvpnkeypair
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
308201dc 30820145 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
34311530 13060355 0403130c 76706e2e 72626d63 2e6f7267 311b3019 06092a86
4886f70d 01090216 0c76706e 2e72626d 632e6f72 67301e17 0d303830 38323030
34313134 345a170d 31383038 31383034 31313434 5a303431 15301306 03550403
130c7670 6e2e7262 6d632e6f 7267311b 30190609 2a864886 f70d0109 02160c76
706e2e72 626d632e 6f726730 819f300d 06092a86 4886f70d 01010105 0003818d
00308189 02818100 a1664806 3a378c37 a55b2cd7 86c1fb5a de884ec3 6d5652e3
953e9c01 37f4593c a6b61c31 80f87a51 c0ccfe65 e5ca3d33 216dea84 0eeeecf3
394505ea 231b0a5f 3c0b59d9 b7c9ba4e 1da130fc cf0159bf 537282e4 e34c2442
beffc258 a8d8edf9 59412e87 c5f819d0 2d233ecc 214cea8b 3a3922e5 2718ef6a
87c340a3 d3a0ae21 02030100 01300d06 092a8648 86f70d01 01040500 03818100
33902c9e 54dc8574 13084948 a21390a2 7000648a a9c7ad0b 3ffaeae6 c0fc4e6c
60b6a60a ac89c3da 869d103d af409a8a e2d43387 a4fa2278 5a105773 a8d6b5c3
c13a743c 8a42c34a e6859f6e 760a81c7 5116f42d b3d81b83 11fafae7 b541fad1
f9bc1cb0 5ed77033 6cab9c90 0a14a841 fc30d8e4 9c85c0e0 d2cca126 fd449e39
quit
crypto isakmp identity address
crypto isakmp enable Verizon-ISP
crypto isakmp enable Internal
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 173.72.107.26 255.255.255.255 Verizon-ISP
ssh 10.10.12.162 255.255.255.255 Internal
ssh 10.100.91.53 255.255.255.255 Internal
ssh Dennis 255.255.255.255 Internal
ssh timeout 60
console timeout 2
management-access Internal
vpn load-balancing
interface lbpublic Verizon-ISP
interface lbprivate Internal
cluster key r8mcl0adbalanc3
cluster encryption
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
ntp server 207.5.137.133 source Verizon-ISP prefer
ntp server 10.100.91.5 source Internal prefer
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint0 Verizon-ISP
webvpn
enable Verizon-ISP
svc image disk0:/anyconnect-win-2.1.0148-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.1.0148-k9.pkg 2
svc image disk0:/anyconnect-linux-2.1.0148-k9.pkg 3
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
wins-server value 10.100.91.5
dns-server value 10.100.91.5
vpn-simultaneous-logins 1
vpn-idle-timeout 15
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
webvpn
svc ask none default webvpn
group-policy VPNUsers internal
group-policy VPNUsers attributes
dns-server value 10.100.91.6 10.100.91.5
vpn-tunnel-protocol IPSec
default-domain value RBMC
tunnel-group DefaultL2LGroup ipsec-attributes
peer-id-validate nocheck
tunnel-group 65.51.154.66 type ipsec-l2l
tunnel-group 65.51.154.66 ipsec-attributes
pre-shared-key *
tunnel-group 65.171.123.34 type ipsec-l2l
tunnel-group 65.171.123.34 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group 12.195.130.2 type ipsec-l2l
tunnel-group 12.195.130.2 ipsec-attributes
pre-shared-key *
tunnel-group 208.68.22.250 type ipsec-l2l
tunnel-group 208.68.22.250 ipsec-attributes
pre-shared-key *
tunnel-group 198.65.114.68 type ipsec-l2l
tunnel-group 198.65.114.68 ipsec-attributes
pre-shared-key *
tunnel-group VPNUsers type remote-access
tunnel-group VPNUsers general-attributes
address-pool VLAN99VPNUsers
authentication-server-group VPN-FW
default-group-policy VPNUsers
tunnel-group VPNUsers ipsec-attributes
trust-point ASDM_TrustPoint0
tunnel-group 208.51.30.227 type ipsec-l2l
tunnel-group 208.51.30.227 ipsec-attributes
pre-shared-key *
tunnel-group 108.58.104.210 type ipsec-l2l
tunnel-group 108.58.104.210 ipsec-attributes
pre-shared-key *
tunnel-group 162.134.70.20 type ipsec-l2l
tunnel-group 162.134.70.20 ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect sunrpc
service-policy global_policy global
prompt hostname context
Cryptochecksum:9d17ad8684073cb9f3707547e684007f
: end
Message was edited by: Dennis Farrell
Hi Dennis,
Your tunnel to "12.145.95.0 LabCorp_Test_Remote" segment can only be initiated from host: RBPMAM is due to your crytp-acl below.
access-list Verizon-ISP_cryptomap_1 extended permit object-group DM_INLINE_PROTOCOL_11 host RBPMAM LabCorp_Test_Remote 255.255.255.0
Secondly your no-nat on internal interface is denying the traffic that must enter into crytp engine, therefore your tunnel never going to come up.
Therefore please turn it to a "permit" instead.
access-list Internal_nat0_outbound_1 extended deny ip any LabCorp_Test_Remote 255.255.255.0 inactive
Please update,
thanks
Rizwan Rafeek
Message was edited by: Rizwan Mohamed
Similar Messages
-
I will include a post of my config. I have the clients connecting through the VPN tunnel on the 180.0.0.0/24 network, 192.168.1.0/24 is the primary network for the office.
I can connect to the VPN and I do recieve the correct address assignment. I belive tunneling may be setup correct in the aspect that I can still connect to the internet while on the VPN, but I can not ping any hosts on the 192.168.1.0 network. In the debug log from the ASDM I can see pings reaching the ASA, but no responce is received on the client.
6
Feb 21 2013
21:54:26
180.0.0.1
53508
192.168.1.1
0
Built inbound ICMP connection for faddr 180.0.0.1/53508 gaddr 192.168.1.1/0 laddr 192.168.1.1/0 (christopher)
Any help would be greatly appreciated, I am currently presuring my CCNP so I would like to get a deeper understanding of how to solve these issues.
-Chris
hostname RegencyRE-ASA
domain-name regencyrealestate.info
enable password 2/VA7dRFkv6fjd1X encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 180.0.0.0 Regency
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
description link to REGENCYSERVER
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
description link to RegencyRE-AP
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.120 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.220.220
name-server 208.67.222.222
domain-name regencyrealestate.info
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 Regency 255.255.255.224
access-list RegencyRE_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Regency 180.0.0.1-180.0.0.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm location Regency 255.255.255.0 inside
asdm location 192.168.0.0 255.255.0.0 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 12.186.110.2 1
route inside 192.0.0.0 255.0.0.0 192.168.1.102 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable 8443
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
ssh version 2
console timeout 0
dhcprelay server 192.168.1.102 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 69.25.96.13 source outside prefer
ntp server 216.171.124.36 source outside prefer
webvpn
group-policy RegencyRE internal
group-policy RegencyRE attributes
dns-server value 208.67.220.220 208.67.222.222
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RegencyRE_splitTunnelAcl
username adriana password encrypted privilege 0
username christopher password encrypted privilege 15
username irene password encrypted privilege 0
tunnel-group RegencyRE type remote-access
tunnel-group RegencyRE general-attributes
address-pool Regency
default-group-policy RegencyRE
tunnel-group RegencyRE ipsec-attributes
pre-shared-key R3&eNcY1.
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:35bc3a41701f7f8e9dde5fa35532896d
: endLooking at a previous ASA 5520 I configured when I ping hosts I see the following in the logs. I know there is something obvious I am missing.
6
Feb 21 2013
22:01:49
302020
170.0.0.1
13317
172.16.0.253
0
Built inbound ICMP connection for faddr 170.0.0.1/13317 gaddr 172.16.0.253/0 laddr 172.16.0.253/0 (cxv1)
6
Feb 21 2013
22:01:49
302020
172.16.0.253
0
170.0.0.1
13317
Built outbound ICMP connection for faddr 170.0.0.1/13317 gaddr 172.16.0.253/0 laddr 172.16.0.253/0 -
Can QoS be implemented when VPN tunnel bandwidth is unknown?
Is it possible to have some sort of QoS on both sides of a VPN tunnel when the speed at the endpoint is unknown. In other words is it possible to have QoS bandwidth parameters to be automatically detected/adapted to the actual bandwidth?
Hey Martin,
Thanks for your reply. I Think IntServ won't be a solution straight away, I'll try to explain what I would like to do.
What my issue is that I have a few locations who are kind of mobile, and each location connects to the internet via various links, depending on which is available. This link can be a normal ISP which blocks all traffic except port 80 and 443. The connection could be a simple ISDN dialin or a dedicated T1 link.
Because there is a Cisco VoIP router on the mobile location and some users' data should have precedence over others' I would like to implement QoS.
My idea was when I were able to set up a site-to-site SSL VPN tunnel to a router in a datacenter (using Array Network stuff if the Cisco can't do site-to-site SSL) I would have more control over the internetlink. I Would not be limited to using only port 80 and 443: all traffic would just go encrypted and look like normal HTTPS traffic.
It's likely that this VPN link would always consume the maximum available bandwidth. When it is be possible for some QoS mechanism to "detect" the speed of the VPN I could let's say dedicate bandwidth for 4 VoIP calls and the remaining bandwidth can be made available for normal traffic. Note that this normal traffic should have some priority levels too.
Assigning dedicated bandwidth to VoIP isn't a big problem I think, however how can I make x percentage of the remaining bandwidth available to user x and y percentage available to user y?
I Hope I wrote it understandable ;).
Regards -
Connect to VPN but can't ping past inside interface
Hello,
I've been working on this issue for a few days with no success. We're setting up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec VPN setup on it for remote access. After some initial problems, we've gotten it to where the VPN tunnel authenticates the user and connects as it should, however we cannot ping into our LAN. We are able to ping as far as the firewall's inside interface. I've tried other types of traffic too and nothing gets through. I've checked the routes listed on the VPN client while we're connected and they look correct - the client also shows both sent and received bytes when we connect using TCP port 10000, but no Received bytes when we connect using UDP 4500. We are trying to do split tunneling, and that seems to be setup correctly because I can still surf while the VPN is connected.
Below is our running config. Please excuse any messyness in the config as there are a couple of us working on it and we've been trying a whole bunch of different settings throughout the troubleshooting process. I will also note that we're using ASDM as our primary method of configuring the unit, so any suggestions that could be made with that in mind would be most helpful. Thanks!
ASA-01# sh run
: Saved
ASA Version 8.6(1)2
hostname ASA-01
domain-name domain.org
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.2.0.1 255.255.0.0
interface GigabitEthernet0/1
description Primary WAN Interface
nameif outside
security-level 0
ip address 76.232.211.169 255.255.255.192
interface GigabitEthernet0/2
shutdown
<--- More --->
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
speed 100
<--- More --->
duplex full
shutdown
nameif management
security-level 100
ip address 10.4.0.1 255.255.0.0
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.2.11.6
domain-name domain.org
dns server-group sub
name-server 10.2.11.121
name-server 10.2.11.138
domain-name sub.domain.net
same-security-traffic permit intra-interface
object network 76.232.211.132
host 76.232.211.132
object network 10.2.11.138
host 10.2.11.138
object network 10.2.11.11
host 10.2.11.11
<--- More --->
object service DB91955443
service tcp destination eq 55443
object service 113309
service tcp destination range 3309 8088
object service 11443
service tcp destination eq https
object service 1160001
service tcp destination range 60001 60008
object network LAN
subnet 10.2.0.0 255.255.0.0
object network WAN_PAT
host 76.232.211.170
object network Test
host 76.232.211.169
description test
object network NETWORK_OBJ_10.2.0.0_16
subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJ_10.2.250.0_24
subnet 10.2.250.0 255.255.255.0
object network VPN_In
subnet 10.3.0.0 255.255.0.0
description VPN User Network
object-group service 11
service-object object 113309
<--- More --->
service-object object 11443
service-object object 1160001
object-group service IPSEC_VPN udp
port-object eq 4500
port-object eq isakmp
access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
access-list outside_access_in extended permit object DB91955443 any interface outside
access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in extended permit icmp any any echo-reply log disable
access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
access-list vpn_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
<--- More --->
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source dynamic any WAN_PAT inactive
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
<--- More --->
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 10.2.11.121
nt-auth-domain-controller sub.domain.net
aaa-server ActiveDirectory (inside) host 10.2.11.138
nt-auth-domain-controller sub.domain.net
user-identity default-domain LOCAL
eou allow none
http server enable
http 10.4.0.0 255.255.255.0 management
http 10.2.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
<--- More --->
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
<--- More --->
subject-name CN=ASA-01
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate a6c98751
308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
quit
crypto isakmp identity address
crypto isakmp nat-traversal 30
crypto ikev2 policy 1
<--- More --->
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
<--- More --->
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
<--- More --->
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
<--- More --->
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
<--- More --->
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
<--- More --->
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.2.11.121 10.2.11.138
dhcpd lease 36000
dhcpd ping_timeout 30
dhcpd domain sub.domain.net
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
<--- More --->
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy domain internal
group-policy domain attributes
banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
wins-server value 10.2.11.121 10.2.11.138
dns-server value 10.2.11.121 10.2.11.138
vpn-idle-timeout none
vpn-filter value vpn_access_in
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domain_splitTunnelAcl
default-domain value sub.domain.net
split-dns value sub.domain.net
group-policy DfltGrpPolicy attributes
dns-server value 10.2.11.121 10.2.11.138
vpn-filter value outside_access_in
vpn-tunnel-protocol l2tp-ipsec
default-domain value sub.domain.net
split-dns value sub.domain.net
address-pools value VPNUsers
username **** password **** encrypted privilege 15
<--- More --->
username **** password **** encrypted privilege 15
username **** attributes
webvpn
anyconnect keep-installer installed
anyconnect dtls compression lzs
anyconnect ssl dtls enable
anyconnect profiles value VPN_client_profile type user
tunnel-group DefaultL2LGroup general-attributes
default-group-policy domain
tunnel-group DefaultRAGroup general-attributes
address-pool VPNUsers
authentication-server-group ActiveDirectory
default-group-policy domain
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev1 trust-point ASDM_TrustPoint0
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy domain
tunnel-group domain type remote-access
tunnel-group domain general-attributes
address-pool (inside) VPNUsers
address-pool VPNUsers
authentication-server-group ActiveDirectory LOCAL
authentication-server-group (inside) ActiveDirectory LOCAL
<--- More --->
default-group-policy domain
dhcp-server link-selection 10.2.11.121
tunnel-group domain ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
<--- More --->
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 21
subscribe-to-alert-group configuration periodic monthly 21
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
: endHello,
I've been working on this issue for a few days with no success. We're setting up a new Cisco ASA 5515 in our environment and are trying to get a simple IPSec VPN setup on it for remote access. After some initial problems, we've gotten it to where the VPN tunnel authenticates the user and connects as it should, however we cannot ping into our LAN. We are able to ping as far as the firewall's inside interface. I've tried other types of traffic too and nothing gets through. I've checked the routes listed on the VPN client while we're connected and they look correct - the client also shows both sent and received bytes when we connect using TCP port 10000, but no Received bytes when we connect using UDP 4500. We are trying to do split tunneling, and that seems to be setup correctly because I can still surf while the VPN is connected.
Below is our running config. Please excuse any messyness in the config as there are a couple of us working on it and we've been trying a whole bunch of different settings throughout the troubleshooting process. I will also note that we're using ASDM as our primary method of configuring the unit, so any suggestions that could be made with that in mind would be most helpful. Thanks!
ASA-01# sh run
: Saved
ASA Version 8.6(1)2
hostname ASA-01
domain-name domain.org
enable password **** encrypted
passwd **** encrypted
names
interface GigabitEthernet0/0
speed 100
duplex full
nameif inside
security-level 100
ip address 10.2.0.1 255.255.0.0
interface GigabitEthernet0/1
description Primary WAN Interface
nameif outside
security-level 0
ip address 76.232.211.169 255.255.255.192
interface GigabitEthernet0/2
shutdown
<--- More --->
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
speed 100
<--- More --->
duplex full
shutdown
nameif management
security-level 100
ip address 10.4.0.1 255.255.0.0
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.2.11.6
domain-name domain.org
dns server-group sub
name-server 10.2.11.121
name-server 10.2.11.138
domain-name sub.domain.net
same-security-traffic permit intra-interface
object network 76.232.211.132
host 76.232.211.132
object network 10.2.11.138
host 10.2.11.138
object network 10.2.11.11
host 10.2.11.11
<--- More --->
object service DB91955443
service tcp destination eq 55443
object service 113309
service tcp destination range 3309 8088
object service 11443
service tcp destination eq https
object service 1160001
service tcp destination range 60001 60008
object network LAN
subnet 10.2.0.0 255.255.0.0
object network WAN_PAT
host 76.232.211.170
object network Test
host 76.232.211.169
description test
object network NETWORK_OBJ_10.2.0.0_16
subnet 10.2.0.0 255.255.0.0
object network NETWORK_OBJ_10.2.250.0_24
subnet 10.2.250.0 255.255.255.0
object network VPN_In
subnet 10.3.0.0 255.255.0.0
description VPN User Network
object-group service 11
service-object object 113309
<--- More --->
service-object object 11443
service-object object 1160001
object-group service IPSEC_VPN udp
port-object eq 4500
port-object eq isakmp
access-list outside_access_in extended permit icmp object VPN_In 10.2.0.0 255.255.0.0 traceroute log disable
access-list outside_access_in extended permit object-group 11 object 76.232.211.132 interface outside
access-list outside_access_in extended permit object DB91955443 any interface outside
access-list outside_access_in extended permit udp any object Test object-group IPSEC_VPN inactive
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit ip any any log disable
access-list inside_access_in extended permit icmp any any echo-reply log disable
access-list inside_access_in extended permit ip object VPN_In 10.2.0.0 255.255.0.0 log disable
access-list domain_splitTunnelAcl standard permit 10.2.0.0 255.255.0.0
access-list domain_splitTunnelAcl standard permit 10.3.0.0 255.255.0.0
access-list vpn_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool VPNUsers 10.3.0.1-10.3.0.254 mask 255.255.0.0
<--- More --->
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any management
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source dynamic any WAN_PAT inactive
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 113309 113309
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 11443 11443
nat (outside,outside) source static 76.232.211.132 76.232.211.132 destination static interface 10.2.11.11 service 1160001 1160001
nat (outside,outside) source static any any destination static interface 10.2.11.138 service DB91955443 DB91955443
nat (inside,outside) source static NETWORK_OBJ_10.2.0.0_16 NETWORK_OBJ_10.2.0.0_16 destination static NETWORK_OBJ_10.2.250.0_24 NETWORK_OBJ_10.2.250.0_24 no-proxy-arp route-lookup
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 76.232.211.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
<--- More --->
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol nt
aaa-server ActiveDirectory (inside) host 10.2.11.121
nt-auth-domain-controller sub.domain.net
aaa-server ActiveDirectory (inside) host 10.2.11.138
nt-auth-domain-controller sub.domain.net
user-identity default-domain LOCAL
eou allow none
http server enable
http 10.4.0.0 255.255.255.0 management
http 10.2.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
<--- More --->
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
<--- More --->
subject-name CN=ASA-01
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate a6c98751
308201f1 3082015a a0030201 020204a6 c9875130 0d06092a 864886f7 0d010105
0500303d 31153013 06035504 03130c43 5248442d 4d432d46 57303131 24302206
092a8648 86f70d01 09021615 43524844 2d4d432d 46573031 2e637268 642e6f72
67301e17 0d313330 35303730 32353232 325a170d 32333035 30353032 35323232
5a303d31 15301306 03550403 130c4352 48442d4d 432d4657 30313124 30220609
2a864886 f70d0109 02161543 5248442d 4d432d46 5730312e 63726864 2e6f7267
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00c23d5f
acbf2b3f 9fe6e3c9 1866c344 07b6ee49 f6f31798 0b87a38b 890f70e2 c28cc1d5
fd1b4e80 7fa25483 09e79459 6bf92155 c55240b4 93eeb4eb af3f8aec 8906ef48
140c57bb 5ca4471f 275c1932 7e90976f f0dfe8a3 04a7861f cce7a320 7267df2e
61f9b6b8 22bb70ac d9cedb73 3cf9747b c2636892 48b35385 a94bfae5 fd020301
0001300d 06092a86 4886f70d 01010505 00038181 003c7e16 be4aff40 8fe69a31
acf31808 680e44eb 8ede9094 f9a4a147 0ae18cdc 000dc07f c1da1af4 a2d964ed
288689ee 95179ad0 90728324 9803248d b9d10641 01897453 fe7fafcd 34dee13a
92798615 4acb1f27 14fdb346 ab3eb825 04f23791 81d08fa2 b54c6a47 aedd9694
1c9fbcb4 455fd5ce 420298aa 9333737c 19f0e715 50
quit
crypto isakmp identity address
crypto isakmp nat-traversal 30
crypto ikev2 policy 1
<--- More --->
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
<--- More --->
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable inside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
<--- More --->
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
<--- More --->
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
<--- More --->
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
<--- More --->
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.2.11.121 10.2.11.138
dhcpd lease 36000
dhcpd ping_timeout 30
dhcpd domain sub.domain.net
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
<--- More --->
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect profiles VPN_client_profile disk0:/VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy domain internal
group-policy domain attributes
banner value You are attempting to access secured systems at thsi facility. All activity is monitored and recorded. Disconnect now if you are not authorized to access these systems or do not possess valid logon credentials.
wins-server value 10.2.11.121 10.2.11.138
dns-server value 10.2.11.121 10.2.11.138
vpn-idle-timeout none
vpn-filter value vpn_access_in
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domain_splitTunnelAcl
default-domain value sub.domain.net
split-dns value sub.domain.net
group-policy DfltGrpPolicy attributes
dns-server value 10.2.11.121 10.2.11.138
vpn-filter value outside_access_in
vpn-tunnel-protocol l2tp-ipsec
default-domain value sub.domain.net
split-dns value sub.domain.net
address-pools value VPNUsers
username **** password **** encrypted privilege 15
<--- More --->
username **** password **** encrypted privilege 15
username **** attributes
webvpn
anyconnect keep-installer installed
anyconnect dtls compression lzs
anyconnect ssl dtls enable
anyconnect profiles value VPN_client_profile type user
tunnel-group DefaultL2LGroup general-attributes
default-group-policy domain
tunnel-group DefaultRAGroup general-attributes
address-pool VPNUsers
authentication-server-group ActiveDirectory
default-group-policy domain
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev1 trust-point ASDM_TrustPoint0
tunnel-group DefaultWEBVPNGroup general-attributes
default-group-policy domain
tunnel-group domain type remote-access
tunnel-group domain general-attributes
address-pool (inside) VPNUsers
address-pool VPNUsers
authentication-server-group ActiveDirectory LOCAL
authentication-server-group (inside) ActiveDirectory LOCAL
<--- More --->
default-group-policy domain
dhcp-server link-selection 10.2.11.121
tunnel-group domain ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
<--- More --->
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 21
subscribe-to-alert-group configuration periodic monthly 21
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2578e19418cb5c61eaf15e9e2e5338a0
: end -
ASA 5505 AnyConnect VPN Can RDP to clients but can't ping/icmp
Hello all,
I've been searching all day for a solution to this problem. I setup and SSL anyconnect VPN on my Cisco ASA 5505. It works well and connects with out a problem. However, I can't ping any internal clients, but I can RDP to them. It may be something simple and I would appreciate any help. Most of the time people end up posting their config so I will as well.
MafSecASA# show run
: Saved
ASA Version 8.2(1)
hostname MafSecASA
domain-name mafsec.com
names
interface Vlan1
nameif inside
security-level 100
ip address 10.4.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 7.3.3.2 255.255.255.248
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.20.1.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
interface Ethernet0/1
speed 100
duplex full
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 3
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name mafsec.com
same-security-traffic permit intra-interface
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
protocol-object udp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object tcp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
protocol-object ip
protocol-object icmp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in remark allow remote users to internal users
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list inside_split_tunnel standard permit 10.4.0.0 255.255.255.0
access-list inside_split_tunnel standard permit 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.4.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.4.0.0 255.255.255.0 10.5.0.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.5.0.0 255.255.255.0 10.4.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SSLVPNPool2 10.5.0.1-10.5.0.254 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 7.3.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.4.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.4.0.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd option 6 ip 8.8.8.8 8.8.4.4
dhcpd address 10.4.0.15-10.4.0.245 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 86400 interface inside
dhcpd option 3 ip 10.4.0.1 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol svc
group-lock none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value inside_split_tunnel
vlan none
address-pools value SSLVPNPool2
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username user1 password
username user1 attributes
service-type remote-access
username user2 password
tunnel-group SSLVPNGROUP type remote-access
tunnel-group SSLVPNGROUP general-attributes
address-pool SSLVPNPool2
default-group-policy SSLVPN
tunnel-group SSLVPNGROUP webvpn-attributes
group-alias SSLVPN enable
prompt hostname context
Cryptochecksum:3b16cbc9bbdfa20e6987857c1916a396
: end
Thank in advance for any help!Your config actually looks good (you have the ACL that would allow the echo-reply back since you don't have inspection turned on) - are you sure this isn't a windows firewall issue on the PCs? I'd try pinging a router or switch just to make sure.
--Jason -
VPN connection works, but can't ping or access any other device on remote network
I have an OS X Lion server at work (uses a static IP of 192.168.2.10). VPN is setup and works.
The work network's router has an IP of 192.168.2.1 and hands out IPs of 192.168.2.100-149. The VPN service is configured to hand out IPs of 192.168.2.150-170.
My home network uses a router with an IP of 192.168.1.1 and hands out IPs from 192.168.1.2-49
Both routers are using subnet mask of 255.255.255.0
The problem is, I can connect to the VPN just fine and access all services running on that same OS X server like iChat and AFP file sharing. But, I cannot directly access any other device on the office network like client machines or even trying to log into the router's GUI interface. Pings timeout, etc.
Example:
At my home, I have a local IP of 192.168.1.12 and I connect to the work VPN. It assigns me an IP address of 192.168.2.151 and I'm able to connect to iChat on the OS X server that has a static IP of 192.168.2.10
In terminal, I try to ping the router on the work network (192.168.2.1) and I get no response (even though ICMP response is turn ON). I try to ping another OS X workstation on the work office, and get no response.
I'm not sure how to fix this, or whether I need to change settings on either router or the server.
Would greatly appreciate any insight or help on this. Thanks.danimalapple wrote:
I have an OS X Lion server at work (uses a static IP of 192.168.2.10). VPN is setup and works.
The work network's router has an IP of 192.168.2.1 and hands out IPs of 192.168.2.100-149. The VPN service is configured to hand out IPs of 192.168.2.150-170.
My home network uses a router with an IP of 192.168.1.1 and hands out IPs from 192.168.1.2-49
Both routers are using subnet mask of 255.255.255.0
The problem is, I can connect to the VPN just fine and access all services running on that same OS X server like iChat and AFP file sharing. But, I cannot directly access any other device on the office network like client machines or even trying to log into the router's GUI interface. Pings timeout, etc.
Example:
At my home, I have a local IP of 192.168.1.12 and I connect to the work VPN. It assigns me an IP address of 192.168.2.151 and I'm able to connect to iChat on the OS X server that has a static IP of 192.168.2.10
In terminal, I try to ping the router on the work network (192.168.2.1) and I get no response (even though ICMP response is turn ON). I try to ping another OS X workstation on the work office, and get no response.
I'm not sure how to fix this, or whether I need to change settings on either router or the server.
Would greatly appreciate any insight or help on this. Thanks.
Check the DNS settings on the server (see my earlier post in this thread). -
ASA 5505 VPN clients can't ping router or other clients on network
I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
Result of the command: "show running-config"
: Saved
ASA Version 7.2(4)
hostname ASA
domain-name default.domain.invalid
enable password kdnFT44SJ1UFX5Us encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.4 Server
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list vpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www Server www netmask 255.255.255.255
static (inside,outside) tcp interface https Server https netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable 480
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy vpn internal
group-policy vpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_splitTunnelAcl
username admin password wwYXKJulWcFrrhXN encrypted privilege 15
username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
username VPNuser attributes
vpn-group-policy vpn
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool VPNpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:df7d1e4f34ee0e155cebe86465f367f5
: end
Any ideas what I need to add to get the vpn client to be able to ping the router and clients?
Thanks.I tried that and it didn't work. As for upgrading the ASA version, I'd like to but this is an old router and I don't have a support contract with Cisco anymore, so I can't access the latest firmware.
here is the runnign config again:
Result of the command: "show startup-config"
: Saved
: Written by enable_15 at 01:48:37.789 MDT Wed Jun 20 2012
ASA Version 7.2(4)
hostname ASA
domain-name default.domain.invalid
enable password kdnFT44SJ1UFX5Us encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.0.4 Server
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list vpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.0.0.192 255.255.255.192
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 10.0.0.220-10.0.0.240 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
asdm location Server 255.255.255.255 inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Server smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 Server pop3 netmask 255.255.255.255
static (inside,outside) tcp interface www Server www netmask 255.255.255.255
static (inside,outside) tcp interface https Server https netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable 480
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
group-policy vpn internal
group-policy vpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_splitTunnelAcl
username admin password wwYXKJulWcFrrhXN encrypted privilege 15
username VPNuser password fRPIQoKPyxym36g7 encrypted privilege 15
username VPNuser attributes
vpn-group-policy vpn
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool VPNpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:78864f4099f215f4ebdd710051bdb493 -
Quickvpn / client to gateway vpn rv042 can only ping router
I am setting up remote access using an RV042 router. Using quickvpn or a client-to gateway vpn and shrewsoft client, I can only access/ping the LAN side of the remote router and one machine on the remote network. The PPTP server and native Windows 7 connection provide access to all machines on the remote network.
I have 2 possible reasons for this and would like to find the real reason:
1) The remote RV042 is behind another router, and that router restricts access other than the PPTP traffic.
2) The VPN tunnels other than PPTP only allow access to the remote LAN side of the router and remote machines that have the remote router defined as their gateway in the IP configuration.
Any ideas?I've narrowed the problem down to option 2 above. If I change the gateway of a LAN resource to point to the LAN side of the router, it can be accessed through the VPN tunnel.
I haven't had time to see if adding routing entries can fix this problem. Any suggestions will be appreciated.
Also, I would appreciate an explanation of why the PPTP connection works. I will research this myself (eventually) but am already backed up with other projects.. -
Cisco ASA 5510 - Cisco Client Can Connect To VPN But Can't Ping!
Hi,
I have an ASA 5510 with the configuration below. I have configure the ASA as remote access vpn server with cisco vpn client, my problem now is I can connect but I can't ping.
Config
ciscoasa# sh run
: Saved
ASA Version 8.0(3)
hostname ciscoasa
enable password 5QB4svsHoIHxXpF/ encrypted
names
name xxx.xxx.xxx.xxx SAP_router_IP_on_SAP
name xxx.xxx.xxx.xxx ISA_Server_second_external_IP
name xxx.xxx.xxx.xxx Mail_Server
name xxx.xxx.xxx.xxx IncomingIP
name xxx.xxx.xxx.xxx SAP
name xxx.xxx.xxx.xxx WebServer
name xxx.xxx.xxx.xxx cms_eservices_projects_sharepointold
name 192.168.2.2 isa_server_outside
interface Ethernet0/0
nameif outside
security-level 0
ip address IncomingIP 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.253 255.255.255.0
management-only
passwd 123
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object-group service TCP_8081 tcp
port-object eq 8081
object-group service DM_INLINE_TCP_1 tcp
port-object eq 3389
port-object eq ftp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq pop3
port-object eq 3200
port-object eq 3300
port-object eq 3600
port-object eq 3299
port-object eq 3390
port-object eq 50000
port-object eq 3396
port-object eq 3397
port-object eq 3398
port-object eq imap4
port-object eq 587
port-object eq 993
port-object eq 8000
port-object eq 8443
port-object eq telnet
port-object eq 3901
group-object TCP_8081
port-object eq 1433
port-object eq 3391
port-object eq 3399
port-object eq 8080
port-object eq 3128
port-object eq 3900
port-object eq 3902
port-object eq 7777
port-object eq 3392
port-object eq 3393
port-object eq 3394
port-object eq 3395
port-object eq 92
port-object eq 91
port-object eq 3206
port-object eq 8001
port-object eq 8181
port-object eq 7778
port-object eq 8180
port-object eq 22222
port-object eq 11001
port-object eq 11002
port-object eq 1555
port-object eq 2223
port-object eq 2224
object-group service RDP tcp
port-object eq 3389
object-group service 3901 tcp
description 3901
port-object eq 3901
object-group service 50000 tcp
description 50000
port-object eq 50000
object-group service Enable_Transparent_Tunneling_UDP udp
port-object eq 4500
access-list inside_access_in remark connection to SAP
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 host SAP_router_IP_on_SAP
access-list inside_access_in remark VPN Outgoing - PPTP
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
access-list inside_access_in remark VPN Outgoing - GRE
access-list inside_access_in extended permit gre 192.168.2.0 255.255.255.0 any
access-list inside_access_in remark VPN - GRE
access-list inside_access_in extended permit gre any any
access-list inside_access_in remark VPN Outgoing - IKE Client
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq isakmp
access-list inside_access_in remark VPN Outgoing - IPSecNAT - T
access-list inside_access_in extended permit udp 192.168.2.0 255.255.255.0 any eq 4500
access-list inside_access_in remark DNS Outgoing
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in remark DNS Outgoing
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in remark Outoing Ports
access-list inside_access_in extended permit tcp 192.168.2.0 255.255.255.0 any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit ip 172.16.1.0 255.255.255.0 any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit gre any host Mail_Server
access-list outside_access_in extended permit tcp any host Mail_Server eq pptp
access-list outside_access_in extended permit esp any any
access-list outside_access_in extended permit ah any any
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit udp any any object-group Enable_Transparent_Tunneling_UDP
access-list VPN standard permit 192.168.2.0 255.255.255.0
access-list corp_vpn extended permit ip 192.168.2.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool POOL 172.16.1.10-172.16.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 2 Mail_Server netmask 255.0.0.0
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list corp_vpn
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp Mail_Server 8001 ISA_Server_second_external_IP 8001 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 8000 ISA_Server_second_external_IP 8000 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pptp isa_server_outside pptp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server smtp isa_server_outside smtp netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 587 isa_server_outside 587 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9444 isa_server_outside 9444 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 9443 isa_server_outside 9443 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3389 isa_server_outside 3389 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3390 isa_server_outside 3390 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server 3901 isa_server_outside 3901 netmask 255.255.255.255
static (inside,outside) tcp SAP 50000 isa_server_outside 50000 netmask 255.255.255.255
static (inside,outside) tcp SAP 3200 isa_server_outside 3200 netmask 255.255.255.255
static (inside,outside) tcp SAP 3299 isa_server_outside 3299 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server www isa_server_outside www netmask 255.255.255.255
static (inside,outside) tcp Mail_Server https isa_server_outside https netmask 255.255.255.255
static (inside,outside) tcp Mail_Server pop3 isa_server_outside pop3 netmask 255.255.255.255
static (inside,outside) tcp Mail_Server imap4 isa_server_outside imap4 netmask 255.255.255.255
static (inside,outside) tcp cms_eservices_projects_sharepointold 9999 isa_server_outside 9999 netmask 255.255.255.255
static (inside,outside) 192.168.2.0 access-list corp_vpn
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set transet esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set transet ESP-3DES-SHA
crypto map cryptomap 10 ipsec-isakmp dynamic dynmap
crypto map cryptomap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
dhcpd domain domain.local interface inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
tftp-server management 192.168.1.123 /
group-policy mypolicy internal
group-policy mypolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
username vpdn password 123
username vpdn attributes
vpn-group-policy mypolicy
service-type remote-access
tunnel-group mypolicy type remote-access
tunnel-group mypolicy general-attributes
address-pool POOL
default-group-policy mypolicy
tunnel-group mypolicy ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
service-policy global_policy global
prompt hostname context
Cryptochecksum:b8bb19b6cb05cfa9ee125ad7bc5444ac
: end
Thank you very much.Here is the output:
ciscoasa# packet-tracer input outside icmp 172.16.1.10 8 0 192.168.2.1
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) 192.168.2.0 access-list corp_vpn
nat-control
match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
static translation to 192.168.2.0
translate_hits = 0, untranslate_hits = 139
Additional Information:
NAT divert to egress interface inside
Untranslate 192.168.2.0/0 to 192.168.2.0/0 using netmask 255.255.255.0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) 192.168.2.0 access-list corp_vpn
nat-control
match ip inside 192.168.2.0 255.255.255.0 outside 172.16.1.0 255.255.255.0
static translation to 192.168.2.0
translate_hits = 0, untranslate_hits = 140
Additional Information:
Phase: 11
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule -
Hi!
I wish someone can help me on this, I'm a new guy on cisco firewalls and I'm currently implementing cisco asa 5512x, here are the details:
ISP -> Firewall -> Core switch -> Internal LAN
after installing the cisco asa and terminating the appropriate lan for the outside and inside interfaces, internet seems intermittent and cisco vpn client can connect with internet connection but can't ping internal LAN.
here's my configuration from my firewall.
ASA Version 8.6(1)2
hostname ciscofirewall
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.x.x.x 255.255.255.0
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.152.11.15 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 4.2.2.2 -------> public DNS
name-server 8.8.8.8 -------> public
name-server 203.x.x.x ----> Clients DNS
name-server 203.x.x.x -----> Clients DNS
same-security-traffic permit intra-interface
object network net_access
subnet 10.0.0.0 255.0.0.0
object network citrix_server
host 10.152.11.21
object network NETWORK_OBJ_10.10.10.0_28
subnet 10.10.10.0 255.255.255.240
object network NETWORK_OBJ_10.0.0.0_8
subnet 10.0.0.0 255.0.0.0
object network InterconHotel
subnet 10.152.11.0 255.255.255.0
access-list net_surf extended permit ip any any
access-list net_surf extended permit ip object NETWORK_OBJ_10.10.10.0_28 object InterconHotel
access-list outside_access extended permit tcp any object citrix_server eq www
access-list outside_access extended permit ip object NETWORK_OBJ_10.10.10.0_28 any
access-list outsidevpn_splitTunnelAcl standard permit 10.152.11.0 255.255.255.0
access-list LAN_Users remark LAN_clients
access-list LAN_Users standard permit any
access-list vpnpool extended permit ip 10.10.10.0 255.255.255.248 any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.10.10.1-10.10.10.6 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
object network net_access
nat (inside,outside) dynamic interface
object network citrix_server
nat (inside,outside) static 203.177.18.234 service tcp www www
object network NETWORK_OBJ_10.10.10.0_28
nat (any,outside) dynamic interface
object network InterconHotel
nat (inside,outside) dynamic interface dns
access-group outside_access in interface outside
access-group net_surf out interface outside
route outside 0.0.0.0 0.0.0.0 203.x.x.x 1
route outside 10.10.10.0 255.255.255.248 10.152.11.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.100 255.255.255.255 inside
http 10.10.10.0 255.255.255.240 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
client-update enable
telnet 10.152.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
anyconnect-essentials
group-policy outsidevpn internal
group-policy outsidevpn attributes
dns-server value 203.x.x.x 203.x.x.x
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value outsidevpn_splitTunnelAcl
default-domain value interconti.com
address-pools value vpnpool
username test1 password i1lji/GiOWB67bAs encrypted privilege 5
username test1 attributes
vpn-group-policy outsidevpn
username mnlha password WlzjmENGEEZmT9LA encrypted
username mnlha attributes
vpn-group-policy outsidevpn
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group outsidevpn type remote-access
tunnel-group outsidevpn general-attributes
address-pool (inside) vpnpool
address-pool vpnpool
authentication-server-group (outside) LOCAL
default-group-policy outsidevpn
tunnel-group outsidevpn ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
inspect ipsec-pass-thru
class class-default
user-statistics accounting
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:edc30dda08e5800fc35b72dd6e1d88d7
: end
thanks. please help.I think you should change your nat-exemption rule to smth more general, like
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.10.10.0_28 NETWORK_OBJ_10.10.10.0_28 no-proxy-arp route-lookup
'cause your inside networks are not the same as your vpn-pool subnet.
Plus, if you're trying to reach inside subnets, different from 10.152.11.0 255.255.255.0 (ip from wich subnet is assignet to your inside interface, and for wich above nat exception should be enough), you should check if routing is configured from that subnets to your vpn-pool-subnet through the ASA. -
One router on ASA 5505 Site to Site VPN can't ping other router
I have two Cisco ASA routers and I have a site to site vpn set up between the two. The VPN link works but Site A can't ping anything on Site B. Site B can ping Site A. Site B can ping other pcs on it's own network. Site A has been in place for a while and has other site to site VPNs that work fine, so I think the problem is with Site B. Here is the config for Site B:
Result of the command: "show running-config"
: Saved
ASA Version 8.4(4)1
hostname SaskASA
enable password POgOWyKyb0jgJ1Hm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.16.1 255.255.254.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.16.0_23
subnet 192.168.16.0 255.255.254.0
object network NETWORK_OBJ_192.168.2.0_23
subnet 192.168.2.0 255.255.254.0
access-list outside_cryptomap extended permit ip 192.168.16.0 255.255.254.0 192.168.2.0 255.255.254.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.16.0_23 NETWORK_OBJ_192.168.16.0_23 destination static NETWORK_OBJ_192.168.2.0_23 NETWORK_OBJ_192.168.2.0_23 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
nat (inside,outside) after-auto source dynamic any interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 444
http 192.168.16.0 255.255.254.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 207.228.xx.xx
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.16.100-192.168.16.200 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_207.228.xx.xxinternal
group-policy GroupPolicy_207.228.xx.xx attributes
vpn-tunnel-protocol ikev1 ikev2
username User password shbn5zbLkuHP/mJX encrypted privilege 15
tunnel-group 207.228.xx.xxtype ipsec-l2l
tunnel-group 207.228.xx.xxgeneral-attributes
default-group-policy GroupPolicy_207.228.xx.xx
tunnel-group 207.228.xx.xxipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f06bd1d6d063318339d98417b171175e
: end
Any ideas? Thanks.I looked over the config for Site A, but couldn't find anything unusual. Perhaps I'm overlooking something. Here is the config for site A:
Result of the command: "show running-config"
: Saved
ASA Version 8.2(1)
hostname SiteA
domain-name domain
enable password POgOWyKyb0jgJ1Hm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.254.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.6
domain-name domain
object-group network DM_INLINE_NETWORK_1
network-object 192.168.14.0 255.255.254.0
network-object 192.168.4.0 255.255.254.0
network-object 192.168.6.0 255.255.254.0
network-object 192.168.8.0 255.255.254.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.12.0 255.255.254.0
network-object 192.168.14.0 255.255.254.0
network-object 192.168.4.0 255.255.254.0
network-object 192.168.6.0 255.255.254.0
network-object 192.168.8.0 255.255.254.0
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.254.0 object-group DM_INLINE_NETWORK_1
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 object-group DM_INLINE_NETWORK_2
access-list inside_nat0_outbound extended permit ip any 192.168.15.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.254.0 192.168.16.0 255.255.254.0
access-list VPNGeo_splitTunnelAcl standard permit any
access-list outside_2_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.6.0 255.255.254.0
access-list outside_3_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.4.0 255.255.254.0
access-list outside_4_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.8.0 255.255.254.0
access-list outside_5_cryptomap extended permit ip 192.168.2.0 255.255.254.0 192.168.16.0 255.255.254.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool GeoVPNPool 192.168.15.200-192.168.15.254 mask 255.255.254.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 444
http 192.168.2.0 255.255.254.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http authentication-certificate inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 207.228.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 208.119.xx.xx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer 208.119.xx.xx
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 208.119.xx.xx
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set pfs group1
crypto map outside_map 5 set peer 70.64.xx.xx
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcp-client client-id interface outside
dhcpd auto_config outside
dhcpd address 192.168.2.100-192.168.2.254 inside
dhcpd auto_config outside interface inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy VPNGeo internal
group-policy VPNGeo attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNGeo_splitTunnelAcl
username user password shbn5zbLkuHP/mJX encrypted privilege 15
username namepassword vP98Lj8Vm5SLs9PW encrypted
username nameattributes
vpn-group-policy VPNGeo
tunnel-group 207.228.xx.xxtype ipsec-l2l
tunnel-group 207.228.xx.xxipsec-attributes
pre-shared-key *
tunnel-group VPNGeo type remote-access
tunnel-group VPNGeo general-attributes
address-pool GeoVPNPool
default-group-policy VPNGeo
tunnel-group VPNGeo ipsec-attributes
pre-shared-key *
tunnel-group 208.119.xx.xxtype ipsec-l2l
tunnel-group 208.119.xx.xxipsec-attributes
pre-shared-key *
tunnel-group 208.119.xx.xx type ipsec-l2l
tunnel-group 208.119.xx.xx ipsec-attributes
pre-shared-key *
tunnel-group 208.119.xx.xxtype ipsec-l2l
tunnel-group 208.119.xx.xxipsec-attributes
pre-shared-key *
tunnel-group 70.64.xx.xxtype ipsec-l2l
tunnel-group 70.64.xx.xxipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:e3adf4e597198f58cd21e508aabdbab9
: end -
How can I improve performance over a Branch Office IPsec vpn tunnel between and SA540 and an SA520
Hello,
I just deployed one Cisco SA540 and three SA520s.
The SA540 is at the Main Site.
The three SA520s are the the spoke sites.
Main Site:
Downstream Speed: 32 Mbps
Upstream Speed: 9.4 Mbps
Spoke Site#1:
Downstream Speed: 3.6 Mbps
Upstream Speed: 7.2 Mbps (yes, the US is faster than the DS at the time the speed test was taken).
The SA tunnels are "Established"
I see packets being tranmsitted and received.
Pinging across the tunnel has an average speed of 32 ms (which is good).
DNS resolves names to ip addresses flawlessly and quickly across the Inter-network.
But it takes from 10 to 15 minutes to log on to the domain from the Spoke Site#1 to the Main Site across the vpn tunnel.
It takes about 15 minutes to print across the vpn tunnel.
The remedy this, we have implemented Terminal Services across the Internet.
Printing takes about 1 minute over the Terminal Service Connection, while it takes about 15 minutes over the VPN.
Logging on to the network takes about 10 minutes over the vpn tunnel.
Using an LOB application takes about 2 minutes per transaction across the vpn tunnel; it takes seconds using Terminal Services.
I have used ASAs before in other implementation without any issues at all.
I am wondering if I replaced the SAs with ASAs, that they may fix my problem.
I wanted to go Small Business Pro, to take advantage of the promotions and because I am a Select Certified Partner, but from my experience, these SA vpn tunnels are unuseable.
I opened a case with Small Business Support on Friday evening, but they couldnt even figure out how to rename an IKE Policy Name (I figured out that you had to delete the IKE Policy; you cannot rename them once they are created).
Maybe the night weekend shift has a skeleton crew, and the best engineers are available at that time or something....i dont know.
I just know that my experience with the Cisco TAC has been great for the last 10 years.
My short experience with the Cisco Small Business Support Center has not been as great at all.
Bottom Line:
I am going to open another case with the Day Shift tomorrow and see if they can find a way to speed things up.
Now this is not just happening between the Main Site and Spoke Site #1 above. It is also happeninng between the Main Site and Spoke #2 (I think Spoke#2 has a Download Speed of about 3Mbps and and Upload Speed of about 0.5 Mbps.
Please help.
I would hate to dismiss SA5xx series without making sure it is not just a simple configuration setting.Hi Anthony,
I agree!. My partner wants to just replace the SA5xxs with ASAs, as we have never had problems with ASA vpn performance.
But I want to know WHY this is happening too.
I will definitely run a sniffer trace to see what is happening.
Here are some other things I have learned from the Cisco Small Business Support Center (except for Item 1 which I learned from you!)
1. Upgrade the SA540 at the Main Site to 2.1.45.
2a. For cable connections, use the standard MTU of 1500 bytes.
2.b For DSL, use the following command to determine the largets MTU that will be sent without packet fragmentation:
ping -f -l packetsize
Perform the items below to see if this increases performance:
I was told by the Cisco Small Business Support Center that setting up a Manual Policy is not recommended; I am not sure why they stated this.
3a. Lower the IKE encryption algorithm from "AES-128" to DES.
3b. Lower the IKE authentication algorithm to MD5
3c. Also do the above for the VPN Policy
Any input is welcome! -
Can not ping between remote vpn site ???
site A is l2l vpn, site B is network-extend vpn, both connect to same vpn device 5510 at central office and work well. I can ping from central office to both remote sites, But i can not ping between these two vpn sites ? Tried debug icmp, i can see the icmp from side A does reach central office but then disappeared! not sending to side B ?? Please help ...
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network SITE-A
network-object 192.168.42.0 255.255.255.0
object-group network SITE-B
network-object 192.168.46.0 255.255.255.0
access-list OUTSIDE extended permit icmp any any
access-list HOLT-VPN-ACL extended permit ip object-group CBO-NET object-group SITE-A
nat (outside,outside) source static SITE-A SITE-A destination static SITE-B SITE-B
crypto map VPN-MAP 50 match address HOLT-VPN-ACL
crypto map VPN-MAP 50 set peer *.*.56.250
crypto map VPN-MAP 50 set ikev1 transform-set AES-256-SHA
crypto map VPN-MAP interface outside
group-policy REMOTE-NETEXTENSION internal
group-policy REMOTE-NETEXTENSION attributes
dns-server value *.*.*.*
vpn-idle-timeout none
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value REMOTE-NET2
default-domain value *.org
nem enable
tunnel-group REMOTE-NETEXTENSION type remote-access
tunnel-group REMOTE-NETEXTENSION general-attributes
authentication-server-group (inside) LOCAL
default-group-policy REMOTE-NETEXTENSION
tunnel-group REMOTE-NETEXTENSION ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group *.*.56.250 type ipsec-l2l
tunnel-group *.*.56.250 ipsec-attributes
ikev1 pre-shared-key *****
ASA-5510# show route | include 192.168.42
S 192.168.42.0 255.255.255.0 [1/0] via *.*.80.1, outside
ASA-5510# show route | include 192.168.46
S 192.168.46.0 255.255.255.0 [1/0] via *.*.80.1, outside
ASA-5510#
Username : layson-ne Index : 10
Assigned IP : 192.168.46.0 Public IP : *.*.65.201
Protocol : IKEv1 IPsecOverNatT
License : Other VPN
Encryption : 3DES Hashing : SHA1
Bytes Tx : 11667685 Bytes Rx : 1604235
Group Policy : REMOTE-NETEXTENSION Tunnel Group : REMOTE-NETEXTENSION
Login Time : 08:19:12 EST Thu Feb 12 2015
Duration : 6h:53m:29s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
ASA-5510# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : *.*.56.250
Index : 6 IP Addr : *.*.56.250
Protocol : IKEv1 IPsec
Encryption : 3DES AES256 Hashing : SHA1
Bytes Tx : 2931026707 Bytes Rx : 256715895
Login Time : 02:02:41 EST Thu Feb 12 2015
Duration : 13h:10m:03sHi Rico,
You need to dynamic-nat (to available IP address) for both side for each remote subset to access the other remote side subnet and so they can access each other subnet as if both originating the traffic from your central location.
example:
Lets say this IP (10.10.10.254) is unused IP at central office, permitted to access remote tunnel "A" and site "B".
object-group network SITE-A
network-object 192.168.42.0 255.255.255.0
object-group network SITE-B
network-object 192.168.46.0 255.255.255.0
nat (outside,outside) source dynamic SITE-A 10.10.10.254 destination
static SITE-B SITE-B
nat (outside,outside) source dynamic SITE-B 10.10.10.254 destination
static SITE-A SITE-A
Hope this helps
Thanks
Rizwan Rafeek -
Changing S2S VPN tunnel endpoint
Hi CSC'ers,
For DR purposes, we have two VPN tunnel endpoints on different ISP's at our head-end office. At our branch office, we have an ASA. I am wondering if for the purpose of re-pointing the tunnel from the branch to the DR endpoint at the head-end, it's as easy as:
no crypto map <map-name> <seq-num> set peer <ip_address_1>
crypto map <map-name> <seq-num> set peer <ip_address_2>
Where <ip_address_1> is the regular production endpoint, and <ip_address_2> is the DR endpoint.
Or is there any other command that I need to run to make the tunnel re-point take effect?
(Yes, I know I can have multiple peers set on a crypto map set peer, but we have reasons that we don't want to do that.)
Thanks,
WillWill,
I dont know what DR means, but if what you want to do is just to change the peer for the VPN tunnel, then yes that is all you need to do
Let me know if you have any other questions.
Mike -
Next some advise... i've configured a VPN server -pptp on my router, create a vpn for client to site. At the moment, client computer can connect and established a connection to router. I can ping from client to router (192.168.5.1) but can't ping 192.168.5.2(switch) or 192.168.10.X (workstations)
What i'm trying to achieve is to access the internal network (192.168.10.X) which is from the layer 3 switch's end. Any help/extra eye would be good.
Here are my network design and config below:
Client Computer ---> Internet ---> (1.1.1.1) Cisco Router 881 (192.168.5.1) ---> Dell Powerconnect 6248 switch (192.168.5.2) --> Workstation(192.168.10.x)
Cisco 881 Router
aaa new-model
aaa authentication ppp default local
vpdn enable
vpdn-group PPTP-VPDN
accept-dialin
protocol pptp
virtual-template 1
interface FastEthernet0
description Link to Switch
switchport access vlan 5
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
switchport access vlan 70
no ip address
interface FastEthernet4
description INTERNET WAN PORT
ip address [EXTERNAL IP]
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
crypto map VPN1
interface Vlan1
no ip address
interface Vlan5
description $ES_LAN$
ip address 192.168.5.1 255.255.255.248
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly in
interface Vlan70
ip address [EXTERNAL IP]
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Virtual-Template1
ip unnumbered FastEthernet4
encapsulation ppp
peer default ip address pool defaultpool
ppp authentication chap ms-chap
ip local pool defaultpool 192.168.10.200 192.168.10.210
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list NO-NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 [EXTERNAL IP]
ip route 192.168.0.0 255.255.0.0 192.168.5.2
ip access-list extended NO-NAT
deny ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended VLAN70
permit ip [EXTERNAL IP] 0.0.0.15 192.168.10.0 0.0.1.255
permit tcp [EXTERNAL IP] 0.0.0.15 any eq smtp
permit tcp [EXTERNAL IP] 0.0.0.15 any eq www
permit tcp [EXTERNAL IP] 0.0.0.15 any eq 443
permit tcp [EXTERNAL IP] 0.0.0.15 any eq domain
permit udp [EXTERNAL IP] 0.0.0.15 any eq domain
ip access-list extended VPN
permit ip 192.168.10.0 0.0.1.255 10.1.0.0 0.0.1.255
permit ip [EXTERNAL IP] 0.0.0.15 10.1.0.0 0.0.1.255
ip access-list extended WAN
Layer 3 Switch - Dell Powerconnect 6224
ip routing
ip route 0.0.0.0 0.0.0.0 192.168.5.1
interface vlan 5
name "Connect to Cisco Router"
routing
ip address 192.168.5.2 255.255.255.248
exit
interface vlan 10
name "internal network"
routing
ip address 192.168.10.1 255.255.255.0
exit
interface ethernet 1/g12
switchport mode acesss vlan 5
exit
interface ethernet 1/g29
switchport mode access vlan 10
exitHi Samuel,
I went through your configuration and picked up some problematic lines..
First of all you can't have your vpn-pool to be in the 192.168.10.x/24 range because you already have that subnet used behind the switch ( this would only be possible if you had 192.168.10.x range directly connected to the router ). Also, you can't bind your Virtual Template to the WAN ip, it should bind to a interface with a subnet that includes your vpn-pool IP range.
The cleanest way to do this is,
Create a new loop back interface with a new subnet
interface loopback 0
ip address 192.168.99.1 255.255.255.0
Have new vpn pool defined,
ip local pool defaultpool 192.168.99.200 192.168.99.210
Change your Template to point the new loopback interface,
interface Virtual-Template1
ip unnumbered loopback0
encapsulation ppp
peer default ip address pool defaultpool
ppp authentication chap ms-chap
All the vpn clients will get an IP from 192.168.99.200 192.168.99.210 range. And they will be able to get in to the router and up to the desired 192.168.10.x/24 range behind the router. Packets will get in to the switch and then in to the host. Host will reply through the gateway( switch ) -> router -> Client.
PS: Earlier, even if your packets get to the host, the host will never try to send the reply packets back through the gateway ( switch ) because from its(hosts) point of view, the packet came from the same Lan, so the host will just try to "arp" for the senders MAC and will eventually time out)
Hope this helps.
Please don't forget to rate/mark helpful posts
Shamal
Maybe you are looking for
-
Vanishing message lists, stalls, and a whole mess of trouble!
Out of all my apps, MAIL was the most reliable & stable of the lot. Then two days ago, it began behaving el'stupido! This is going to be somewhat thorough, so please bear with me: 1 ''Get Mail'' was taking forever to complete its first retrieval. So
-
Initialize record type constant in package header
I am creating a package to hold application constants in Oracle 8.1.7.4. I want one of my constants to be a programmer-defined record type. A constant table type of that record type will then hold multiple records. I'm new to using record data types
-
Isync spinning forever, not syncing, but no error messages
I have a problem: Isync spins continually and won't sync from my main laptop Macbook (which also is set to sync to Nokia E61 and also won't). There are no errors given, just continuous spinning "syncing" but not doing anything. Have to cancel sync ev
-
Ubuntu: no screen display
I have recently been subjected to a nice friendly hard drive wiping by my eMac, and i have no mac OS X disk, so i thought I'd get ubuntu on it until i can afford OS X again. having downloaded the PPC iso and burned it onto my disk, i booted it , and
-
Recommended external HDD for MacBook Pro 2011 15"?
Hello, I'm looking for external HDD for new MacBook Pro 2011 15". Is there any external HDD available with Thunderbolt port? Any recommended HDD using FireWire 800 port? Since this is m first Mac, I'm not much familiar with Mac Accessories. Any furth