10/27/2008 at 10:03AM PDT, ID: 23851215
VPN Client connects but cant route between it and LAN

Asked by gurner78 in Networking Hardware Firewalls, IPSec Security Protocol

Tags: Cisco, ASA, 5510, VPN/Firewall

We have an ASA5510 configured OK to access the internet etc.; users can access the portal OK and download the AnyConnect SSL client and get LAN access etc., but it only has the default 2 licenses.

They bought 250 IPSec licenses, so we set up IPSec VPN access and have eventually got the client to connect to the VPN, but for the life of us we can't narrow down what is stopping access.

It looks like an ACL doing it, but we can't see which one could.

You can telnet to the firewall and ping the LAN, and ping the VPN client, etc., but they can't access one another.

It continually logs

10.10.11.3      47070      UKDC01      53      Authorization denied (acl=DAP-ip-user-B0BF360E) for user 'administrator' from 10.10.11.3/47070 to UKDC01/53 on interface PublicINT using UDP

for all protocols from the VPN client.

Cheers
ASA Version 8.0(4) 
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
!
interface Ethernet0/0
 nameif PublicINT
 security-level 0
 ip address PublicIP 255.255.255.240 
!
interface Ethernet0/1
 nameif DMZ
 security-level 0
 ip address 172.16.1.1 255.255.255.0 
!
interface Ethernet0/2
 nameif LAN
 security-level 100
 ip address 172.27.1.201 255.255.0.0 
!
interface Ethernet0/3
 nameif WLAN
 security-level 10
 ip address 10.0.0.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
access-list PublicINT_access_in remark VPN
access-list PublicINT_access_in extended permit udp any any eq isakmp 
access-list PublicINT_access_in remark any NTL provided IP can ping another for testing
access-list PublicINT_access_in extended permit icmp xxx.xxx.xxx.xxx 255.255.255.240 any log disable 
access-list PublicINT_access_in remark Allow LAN pinging
access-list PublicINT_access_in extended permit icmp 172.27.0.0 255.255.0.0 any log disable 
access-list PublicINT_access_in remark Allow PPTP Tunnel back in to LAN after initialisation
access-list PublicINT_access_in extended permit gre any 172.27.0.0 255.255.0.0 log disable 
access-list PublicINT_access_in remark Allow PPTP creation outbound
access-list PublicINT_access_in extended permit tcp any any eq pptp log disable 
access-list PublicINT_access_in remark any ping will dooo
access-list PublicINT_access_in extended permit icmp any any log disable 
access-list PublicINT_access_in remark for email inbound
access-list PublicINT_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 any eq smtp log disable 
access-list PublicINT_access_in remark for OWA inbound to .91, includes this firewall too but that has a separate ACL
access-list PublicINT_access_in extended permit tcp any any eq https log disable 
access-list PublicINT_access_in remark support can RDP like a goodun
access-list PublicINT_access_in extended permit tcp supportFurlong 255.255.255.0 any object-group RDP log disable 
access-list PublicINT_access_in extended permit tcp 172.27.0.0 255.255.0.0 10.10.11.0 255.255.255.0 
access-list LAN_to_VPN_outbound remark Allow LAN route back to VPN users
access-list LAN_to_VPN_outbound extended permit ip 172.27.0.0 255.255.0.0 10.10.11.0 255.255.255.0 log disable 
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 172.27.0.0 255.255.0.0 
access-list LAN_access_in remark Allow LAN access other interfaces
access-list LAN_access_in extended permit ip 172.27.0.0 255.255.0.0 any log disable 
access-list DMZ_access_in remark DMZ allowed out
access-list DMZ_access_in extended permit ip any any log disable 
access-list DMZ_access_in remark Blocked from LAN
access-list DMZ_access_in extended deny ip any 172.27.0.0 255.255.0.0 log disable 
access-list DefaultRAGroup_splitTunnelAcl standard permit 172.27.0.0 255.255.0.0 
access-list DefaultRAGroup_splitTunnelAcl remark Access to LAN
access-list VPN-Pool_tun remark Access to VPN Pool
access-list VPN-Pool_tun standard permit 10.10.11.0 255.255.255.0 
access-list VPN-Pool_tun remark Access to LAN
access-list VPN-Pool_tun standard permit 172.27.0.0 255.255.0.0 
access-list VPN_to_LAN_Inbound remark Access for VPN Users to LAN
access-list VPN_to_LAN_Inbound extended permit ip 10.10.11.0 255.255.255.0 172.27.0.0 255.255.0.0 log disable 
access-list management_nat_outbound remark for testing anywhere on management DHCP interface
access-list management_nat_outbound extended permit ip any any 
access-list LAN_nat_outbound remark allow LAN/NAT access
access-list LAN_nat_outbound extended permit ip any any 
access-list PublicINT_cryptomap extended permit ip 172.27.0.0 255.255.0.0 10.10.11.0 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl_2 standard permit 172.27.0.0 255.255.0.0 
access-list CompanyVPN-Group_splitTunnelAcl standard permit 172.27.0.0 255.255.0.0 
access-list PublicINT_dyn_map extended permit ip any 10.10.11.0 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging list VPN-Log level debugging class vpn
logging buffer-size 50000
logging console informational
logging buffered informational
logging history informational
logging asdm informational
mtu PublicINT 1500
mtu DMZ 1500
mtu LAN 1500
mtu WLAN 1500
mtu management 1500
ip local pool AnyConnectPool 10.10.11.0-10.10.11.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (PublicINT) 1 interface
nat (LAN) 0 access-list LAN_to_VPN_outbound
nat (LAN) 1 access-list LAN_nat_outbound
nat (management) 1 access-list management_nat_outbound
static (LAN,PublicINT) xxx.xxx.xxx.xxx ExchangeUK netmask 255.255.255.255 
access-group PublicINT_access_in in interface PublicINT
access-group DMZ_access_in in interface DMZ
access-group LAN_access_in in interface LAN
route PublicINT 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 network-acl PublicINT_dyn_map
 webvpn
  url-list value CompanyBookmarks
  file-browsing enable
  file-entry enable
  url-entry enable
  svc ask enable default webvpn
aaa-server AD_RADIUS protocol radius
 max-failed-attempts 5
aaa-server AD_RADIUS (LAN) host UKDC01
 key c1sc0
 radius-common-pw c1sc0
 acl-netmask-convert auto-detect
aaa-server AD_RADIUS (LAN) host UKDC03
 key c1sc0
 radius-common-pw c1sc0
aaa authentication serial console AD_RADIUS LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa authentication enable console LOCAL 
http server enable
http supportFurlong 255.255.255.0 PublicINT
http xxx.xxx.xxx.xxx 255.255.255.240 PublicINT
http 172.27.0.0 255.255.0.0 LAN
http 192.168.1.0 255.255.255.0 management
http xxx.xxx.xxx.xxx 255.255.252.0 PublicINT
http redirect management 81
http redirect LAN 81
http redirect PublicINT 81
snmp-server host PublicINT xx.xxx.167.6 community snmp version 2c udp-port 161
snmp-server location Abingdon
no snmp-server contact
snmp-server community snmp
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt accept *** Welcome to Company Abingdon *** 
auth-prompt reject *** Please contact Support at support@wibble.net in the event of logon problems *** 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map PublicINT_dyn_map 20 match address PublicINT_dyn_map
crypto dynamic-map PublicINT_dyn_map 20 set pfs 
crypto dynamic-map PublicINT_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map PublicINT_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map PublicINT_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map PublicINT_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map PublicINT_map 65535 ipsec-isakmp dynamic PublicINT_dyn_map
crypto map PublicINT_map interface PublicINT
crypto ca trustpoint CompanyASA
 enrollment self
 subject-name CN=Head Office FW,O=Company,C=UK,L=Abingdon
 crl configure
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 crl configure
crypto ca server 
crypto ca certificate chain CompanyASA
 certificate 31
    xxxxxxxxxxxxxxx
  quit
crypto ca certificate chain LOCAL-CA-SERVER
 certificate ca 01
    xxxxxxxxxxxxxxx
  quit
crypto isakmp identity address 
crypto isakmp enable PublicINT
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-sessiondb max-webvpn-session-limit 2
~~~~~~~~~~~~~~~~~~~~~~~~~~
webvpn
 enable PublicINT
 enable LAN
 enable management
 csd image disk0:/images/securedesktop-asa-3.3.0.129-k9.pkg
 svc image disk0:/images/anyconnect-win-2.2.0140-k9.pkg 1 regex "Windows NT"
 svc image disk0:/images/anyconnect-linux-2.2.0140-k9.pkg 3 regex "Linux"
 svc image disk0:/images/anyconnect-macosx-i386-2.2.0140-k9.pkg 4 regex "PPC Mac OS X"
 svc enable
 port-forward test smtp 172.27.1.80 smtp 
 tunnel-group-list enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 172.27.1.11 172.27.1.33
 vpn-tunnel-protocol l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_2
 default-domain value Company.com
group-policy DfltGrpPolicy attributes
 dns-server value 172.27.1.11 172.27.1.33
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-Pool_tun
 default-domain value Company.com
 secure-unit-authentication enable
 address-pools value AnyConnectPool
 webvpn
  url-list value CompanyBookmarks
  svc ask enable default webvpn timeout 5
group-policy CompanyVPN-Group internal
group-policy CompanyVPN-Group attributes
 dns-server value 172.27.1.11 172.27.1.33
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value PublicINT_cryptomap
 default-domain value Company.com
username supporttemp password xxxxxxxxxxxxxxxxx encrypted
username admin password xxxxxxxxxxxxxxxxxxx encrypted privilege 15
username admin attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 password-storage disable
 webvpn
  customization value DfltCustomization
  svc keep-installer none
username administrator password xxxxxxxxxxxxxxxxxx encrypted privilege 15
username Company password xxxxxxxxxxxxxxxxxxx encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool AnyConnectPool
 authentication-server-group AD_RADIUS
 authentication-server-group (PublicINT) AD_RADIUS LOCAL
 authorization-server-group LOCAL
 authorization-server-group (PublicINT) AD_RADIUS
 default-group-policy DefaultRAGroup
 authorization-required
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias VPNClientWin32 disable
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group AD_RADIUS LOCAL
 authentication-server-group (LAN) AD_RADIUS LOCAL
 authorization-server-group AD_RADIUS
 authorization-server-group (LAN) AD_RADIUS
 authorization-required
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias DefaultWEBVPNGroup disable
tunnel-group CompanyWebSSL type remote-access
tunnel-group CompanyWebSSL general-attributes
 address-pool AnyConnectPool
 authentication-server-group AD_RADIUS LOCAL
tunnel-group CompanyWebSSL webvpn-attributes
 group-alias Company enable
 dns-group InternalDNS
tunnel-group CompanyVPN-Group type remote-access
tunnel-group CompanyVPN-Group general-attributes
 address-pool AnyConnectPool
 authentication-server-group AD_RADIUS LOCAL
 default-group-policy CompanyVPN-Group
 authorization-required
tunnel-group CompanyVPN-Group ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect pptp 
!
service-policy global_policy global
smtp-server xx.xxx.161.4
prompt hostname context
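The log line in the question names an ACL of the form DAP-ip-user-<hex>; on an ASA that is the per-session ACL the appliance builds from the network-acl entries of the dynamic-access-policy records applied to the session, so the place to look is the network-acl of the DAP record in the attached config, not the interface ACLs. The following added diagnostic (written for this page; not the asker's code, not the expert's answer, and not Cisco tooling) parses the "Authorization denied" syslog message, pulls the DAP record's network-acl and the extended ACLs out of the attached config, and evaluates the denied flow, and its reverse, against them. It also lists every configured ACL that would permit the flow as logged, which narrows down which ACL name the policy was probably meant to reference. The second log line and the UKDC01 address mapping are constructed assumptions; the config excerpt is copied from the attachment.

```python
import ipaddress
import re

# First line: the syslog text quoted in the question. Second line: constructed
# for illustration (same user and DAP ACL, a TCP flow to a LAN host that
# appears in the config's port-forward entry).
SAMPLE_LOG = """\
10.10.11.3      47070      UKDC01      53      Authorization denied (acl=DAP-ip-user-B0BF360E) for user 'administrator' from 10.10.11.3/47070 to UKDC01/53 on interface PublicINT using UDP
10.10.11.3      49152      172.27.1.80      445      Authorization denied (acl=DAP-ip-user-B0BF360E) for user 'administrator' from 10.10.11.3/49152 to 172.27.1.80/445 on interface PublicINT using TCP
"""

# Config excerpt copied from the question's attachment: the DAP record and
# the extended ACLs that mention the VPN pool 10.10.11.0/24.
CONFIG = """\
access-list VPN_to_LAN_Inbound extended permit ip 10.10.11.0 255.255.255.0 172.27.0.0 255.255.0.0 log disable
access-list PublicINT_dyn_map extended permit ip any 10.10.11.0 255.255.255.0
access-list LAN_to_VPN_outbound extended permit ip 172.27.0.0 255.255.0.0 10.10.11.0 255.255.255.0 log disable
dynamic-access-policy-record DfltAccessPolicy
 network-acl PublicINT_dyn_map
"""

# Assumed hostname mapping: the attachment uses UKDC01 by name but does not
# show its 'name' entry, so 172.27.1.11 (one of the LAN DNS servers in the
# config) is a placeholder chosen for this example.
NAMES = {"UKDC01": "172.27.1.11"}

LOG_RE = re.compile(
    r"Authorization denied \(acl=(?P<acl>[^)]+)\) for user '(?P<user>[^']*)' "
    r"from (?P<src>\S+)/(?P<sport>\d+) to (?P<dst>\S+)/(?P<dport>\d+) "
    r"on interface (?P<iface>\S+) using (?P<proto>\w+)"
)

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_log_line(line, names=NAMES):
    """Return the fields of an ASA 'Authorization denied' message, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["src"] = ipaddress.ip_address(names.get(d["src"], d["src"]))
    d["dst"] = ipaddress.ip_address(names.get(d["dst"], d["dst"]))
    d["proto"] = d["proto"].lower()
    return d


def _network(tokens):
    """Consume one ASA address spec (any | host A | A MASK | object-group G)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if t == "object-group":
        tokens.pop(0)
        return None  # group members are not in this excerpt: treat as unknown
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_access_lists(config):
    """Collect extended ACEs per ACL name as (action, protocol, src_net, dst_net)."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "extended":
            continue  # remarks, standard ACLs and non-ACL lines are skipped
        name, action, proto, rest = tok[1], tok[3], tok[4].lower(), tok[5:]
        try:
            src, dst = _network(rest), _network(rest)  # trailing ports/log ignored
        except (ValueError, IndexError):
            continue
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def dap_network_acls(config):
    """Map each dynamic-access-policy-record to its network-acl names."""
    records, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["dynamic-access-policy-record"]:
            current = tok[1]
            records[current] = []
        elif current and tok[:1] == ["network-acl"]:
            records[current].extend(tok[1:])
        elif tok and not line.startswith(" "):
            current = None  # an unindented line ends the DAP record block
    return records


def evaluate(aces, proto, src, dst):
    """First-match ACL evaluation; None means no ACE matched (implicit deny)."""
    for action, ace_proto, ace_src, ace_dst in aces:
        if ace_proto not in ("ip", proto) or ace_src is None or ace_dst is None:
            continue
        if src in ace_src and dst in ace_dst:
            return action
    return None


def diagnose(log_text, config_text, names=NAMES):
    """Per denial: how the DAP network-acl sees the flow and its reverse,
    plus every configured ACL that would permit the flow as logged."""
    acls = parse_access_lists(config_text)
    dap_acl_names = [n for lst in dap_network_acls(config_text).values() for n in lst]
    findings = []
    for line in log_text.splitlines():
        ev = parse_log_line(line, names)
        if ev is None:
            continue
        for acl_name in dap_acl_names:
            aces = acls.get(acl_name, [])
            findings.append({
                "user": ev["user"], "logged_acl": ev["acl"], "dap_acl": acl_name,
                "flow": f"{ev['proto']} {ev['src']}:{ev['sport']} -> {ev['dst']}:{ev['dport']}",
                "dap_result": evaluate(aces, ev["proto"], ev["src"], ev["dst"]) or "implicit deny",
                "dap_result_reverse": evaluate(aces, ev["proto"], ev["dst"], ev["src"]) or "implicit deny",
                "permitting_acls": sorted(n for n, a in acls.items()
                                          if evaluate(a, ev["proto"], ev["src"], ev["dst"]) == "permit"),
            })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, CONFIG):
        print(finding)
```

Run against the attachment's own lines, the DAP network-acl PublicINT_dyn_map matches neither denied flow (its only entry has the VPN pool as the destination, so it matches the reverse direction), while VPN_to_LAN_Inbound, which is defined but not referenced anywhere in the attachment, is the one ACL that would permit client-to-LAN traffic. That is the kind of cross-check worth automating whenever an ASA logs a DAP-ip-user-* denial, since the generated name itself never says which policy record produced it.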
About this solution

Solution Provided By: gurner78
Participating Experts: 1
Solution Grade: A