
03.29.2008 at 02:38PM PDT, ID: 23279953

ASA 5510 Remote Access VPN Issues

Asked by andyoww in Cisco PIX Firewall, Network Software Firewalls


I'm having trouble connecting VPNs to my ASA.

I can get connected, but when I do, I don't get any packets returned to the clients.

I'm sure it is one or two lines I'm missing, but I can't see what I'm missing.

Here's my config and version.

Thanks.

asa#sh run
 
ASA Version 7.0(7)
!
hostname asa
domain-name domain.com
enable password 122334455 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 69.x.x.x 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.x.x.x 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.x.x.x 255.255.0.0
 management-only
!
passwd 122334455 encrypted
ftp mode passive
clock timezone cst -6
clock summer-time cst recurring
dns domain-lookup inside
dns name-server 192.x.x.x
access-list outside_acl extended permit udp any host 192.x.x.x eq ntp
access-list outside_acl extended deny ip host 24.x.x.x any
access-list outside_acl extended deny tcp any any eq 161
access-list outside_acl extended deny udp any any eq snmp
access-list outside_acl extended deny tcp any any eq telnet
access-list outside_acl extended permit ip any any
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.x.x.x 255.255.255.0
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 69.x.x.x 1
route inside 10.x.x.x 255.255.255.255 192.x.x.x 1
route inside 10.x.x.x 255.255.255.255 192.x.x.x 1
route inside 10.x.x.x 255.255.255.255 192.x.x.x 1
route inside 10.x.x.x 255.255.255.255 192.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value 192.x.x.x
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 18
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value domain.com
 split-dns none
 secure-unit-authentication disable
 user-authentication enable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy MYPolicy internal
group-policy MYPolicy attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 default-domain value domain.com
 webvpn
username user1 password 122334455 encrypted
username user1 attributes
 vpn-group-policy MYPolicy
 vpn-framed-ip-address 192.168.50.2 255.255.255.0
 webvpn
username user2 password 122334455 encrypted
username user2 attributes
 vpn-group-policy MYPolicy
 vpn-tunnel-protocol IPSec webvpn
 vpn-framed-ip-address 192.168.50.3 255.255.255.0
 webvpn
http server enable
http 192.x.x.x 255.255.255.0 inside
http 172.x.x.x 255.255.0.0 management
no snmp-server location
no snmp-server contact
crypto ipsec transform-set MYset esp-3des esp-md5-hmac
crypto dynamic-map MYmap 10 set transform-set MYset
crypto dynamic-map MYmap 10 set reverse-route
crypto map IPSec_map 65535 ipsec-isakmp dynamic MYmap
crypto map IPSec_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group MYGROUPVPN type ipsec-ra
tunnel-group MYGROUPVPN ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh scopy enable
ssh 128.X.X.X 255.255.255.248 outside
ssh 192.X.X.X 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:122334455
: end
 
asa#sh ver
 
Cisco Adaptive Security Appliance Software Version 7.0(7)
Device Manager Version 5.0(7)
 
Compiled on Fri 06-Jul-07 10:37 by builders
System image file is "disk0:/asa707-k8.bin"
Config file at boot was "startup-config"
 
sdasa up 21 days 22 hours
 
Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
 
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CNlite-MC-Boot-Cisco-1.2
                             SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04
 0: Ext: Ethernet0/0         : address is 001b.d5fb.6432, irq 9
 1: Ext: Ethernet0/1         : address is 001b.d5fb.6433, irq 9
 2: Ext: Ethernet0/2         : address is 001b.d5fb.6434, irq 9
 3: Ext: Ethernet0/3         : address is 001b.d5fb.6435, irq 9
 4: Ext: Management0/0       : address is 001b.d5fb.6436, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5
 
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs               : 25
Inside Hosts                : Unlimited
Failover                    : Active/Standby
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
Security Contexts           : 0
GTP/GPRS                    : Disabled
VPN Peers                   : 150
 
This platform has an ASA 5510 Security Plus license.
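As an added check, not part of the question above or of the paywalled answers: on ASA 7.x a frequent cause of "the client connects but never sees return traffic" is that replies from inside hosts to the VPN client addresses are caught by the dynamic `nat (inside) 1` rule instead of an identity-NAT exemption (`nat (inside) 0 access-list ...`). The script below parses an abbreviated, constructed config modelled on the shape of the one posted (RFC 5737 documentation addresses stand in for the masked 192.x.x.x ones), collects VPN client networks from `vpn-framed-ip-address` and `ip local pool` lines, and reports every inside network whose traffic to those clients is not covered by a nat-0 ACL. The `nonat` ACL name used in the corrected variant is an assumption, not a name from the page.

```python
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network

# Constructed, abbreviated ASA 7.x config in the shape of the posted one.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
global (outside) 1 interface
nat (inside) 1 192.0.2.0 255.255.255.0
username user1 attributes
 vpn-framed-ip-address 192.168.50.2 255.255.255.0
username user2 attributes
 vpn-framed-ip-address 192.168.50.3 255.255.255.0
crypto dynamic-map MYmap 10 set reverse-route
tunnel-group MYGROUPVPN type ipsec-ra
"""

# Same config with an identity-NAT exemption added (ACL name 'nonat' is assumed).
FIXED_CONFIG = SAMPLE_CONFIG + """\
access-list nonat extended permit ip 192.0.2.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
"""


def _net(addr: str, mask: str) -> Net:
    """Build a network from an ASA 'address mask' pair, ignoring host bits."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _acl_operand(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one ACL address operand ('any', 'host X', or 'addr mask') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    return _net(tokens[i], tokens[i + 1]), i + 2


def vpn_client_networks(config: str) -> Set[Net]:
    """Networks that remote-access clients receive addresses from."""
    nets: Set[Net] = set()
    for m in re.finditer(r"^\s*vpn-framed-ip-address (\S+) (\S+)", config, re.M):
        nets.add(_net(m.group(1), m.group(2)))
    for m in re.finditer(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)", config, re.M):
        nets.add(_net(m.group(1), m.group(3)))  # assumes the pool fits one subnet
    return nets


def inside_nat_networks(config: str) -> List[Tuple[str, Net]]:
    """(interface, network) pairs for dynamic NAT rules with a non-zero NAT id."""
    return [(m.group(1), _net(m.group(3), m.group(4)))
            for m in re.finditer(r"^nat \((\S+)\) (\d+) (\S+) (\S+)", config, re.M)
            if m.group(2) != "0"]


def nat_exempt_acls(config: str) -> Dict[str, str]:
    """interface -> ACL name for 'nat (iface) 0 access-list NAME' identity-NAT rules."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^nat \((\S+)\) 0 access-list (\S+)", config, re.M)}


def acl_permit_pairs(config: str, acl: str) -> List[Tuple[Net, Net]]:
    """(source, destination) networks of 'permit ip' entries in the named ACL."""
    pairs = []
    for m in re.finditer(rf"^access-list {re.escape(acl)} extended permit ip (.+)$",
                         config, re.M):
        toks = m.group(1).split()
        src, i = _acl_operand(toks, 0)
        dst, _ = _acl_operand(toks, i)
        pairs.append((src, dst))
    return pairs


def check_vpn_nat_exemption(config: str) -> List[str]:
    """Report inside networks whose traffic to VPN clients would be translated."""
    findings: List[str] = []
    clients = vpn_client_networks(config)
    if not clients:
        return ["no VPN client address pool or framed addresses found"]
    exempt = nat_exempt_acls(config)
    for iface, inside_net in inside_nat_networks(config):
        acl = exempt.get(iface)
        pairs = acl_permit_pairs(config, acl) if acl else []
        for client_net in sorted(clients):
            covered = any(inside_net.subnet_of(src) and client_net.subnet_of(dst)
                          for src, dst in pairs)
            if not covered:
                findings.append(
                    f"{iface}: {inside_net} -> {client_net} is not exempted from NAT "
                    f"(no 'nat ({iface}) 0 access-list' entry covers it)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_vpn_nat_exemption(cfg) or ["no findings"])
```

Run it against a saved `show running-config` instead of the embedded sample to lint a real device; it only reads the text and never changes the appliance. It checks one precondition for return traffic (identity NAT between the inside networks and the client pool) and says nothing about routing, ACL filtering or the IPsec negotiation itself, which must be verified separately.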
About this solution

Zones: Cisco PIX Firewall, Network Software Firewalls
Tags: Cisco, ASA, 5510
Solution Provided By: batry_boy
Participating Experts: 2
Solution Grade: A