[x]
Posted via EE Mobile

Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.
Question
[x]
Attachment Details
[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
6.4

Cisco ASA 5510 and VPN Remote IPSEC => Any return traffic ?

Asked by jpc42 in Cisco PIX Firewall, IPSec Security Protocol

Tags: cisco asa 5510 vpn remote ipsec

Hi

I have installed a Cisco ASA 5510 and i want configure a IPSEC VPN Remote access for external user.

i have used the ASDM 6.0 and now i can connect without problems with the Cisco VPN Client (on Windows XP). but after connected, i can't access to any host in the lan. My ping start, i see on my linux server/tcpdump that he receive the ping and reply but the ASA deny the reply.

My configuration:

Wan => Connected ton Internet
Lan => Connected to lan with 10.100.1.0/24 and a lot of route
VPN: 10.100.5.0/24 Pool IPSEC Remote-Access.

i put my configuration, i think's that it's a small eroor but i don't where.

I don't want limitation or NAT from lan to VPN and same in VPN to LAN. The lan don't use ASA for going on Internet but a route sent the 10.100.5.0/24 on the IP LAN of the ASA.

This is the error on a ping and ssh:

3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan:10.100.1.250 dst wan:10.100.5.10 (type 0, code 0)

6|Jan 05 2009|05:30:10|302020|10.100.5.10|10.100.1.250|Built inbound ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.1.250/0 laddr 10.100.1.250/0

6|Jan 05 2009|05:30:09|302021|10.100.5.10|10.100.1.250|Teardown ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.1.250/0 laddr 10.100.1.250/0

Inbound TCP connection denied from 10.100.1.250/22 to 10.100.5.10/1953 flags SYN ACK  on interface lan


Thnks for your help in best time 
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:

Result of the command: "show running-config"
 
: Saved
:
ASA Version 8.0(3) 
!
hostname ASA5510-1
domain-name asa.mydomaine.org
enable password XXX encrypted
names
name 10.100.5.0 IPSec
!
interface Ethernet0/0
 nameif wan
 security-level 0
 ip address 62.xx.xx.xx 255.255.255.128 
!
interface Ethernet0/1
 nameif lan
 security-level 0
 ip address 10.100.1.242 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 0
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup lan
dns server-group DefaultDNS
 name-server 10.100.1.250
 domain-name asa.mydomaine.org
same-security-traffic permit intra-interface
access-list nonat extended permit ip any IPSec 255.255.255.0 
access-list split-tunnel extended permit ip host 10.100.1.0 any 
access-list myvpn_splitTunnelAcl standard permit IPSec 255.255.255.0 
access-list myvpn_splitTunnelAcl standard permit 10.100.1.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu lan 1500
mtu wan 1500
ip local pool IpSec 10.100.5.1-10.218.5.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any lan
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (wan) 101 interface
nat (lan) 0 access-list nonat
route wan 0.0.0.0 0.0.0.0 62.xx.xx.x 1
route lan 172.16.0.0 255.255.0.0 10.100.1.250 1
route lan 172.17.0.0 255.255.0.0 10.100.1.250 1
route lan 192.168.0.0 255.255.0.0 10.100.1.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server IPSEC protocol radius
aaa-server IPSEC (lan) host 10.100.1.245
 key MYKEY
 authentication-port 1812
 accounting-port 1813
http server enable
http 0.0.0.0 0.0.0.0 wan
http 62.xx.xx.xx 255.255.255.128 wan
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wan_map interface wan
crypto isakmp enable wan
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access wan
threat-detection basic-threat
threat-detection statistics
group-policy myvpn internal
group-policy myvpn attributes
 dns-server value 172.16.1.1
 vpn-tunnel-protocol IPSec 
 group-lock value myvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value myvpn_splitTunnelAcl
 default-domain value mydomaine.org
 vpn-group-policy myvpn
tunnel-group myvpn type remote-access
tunnel-group myvpn general-attributes
 address-pool IpSec
 authentication-server-group IPSEC LOCAL
 default-group-policy myvpn
tunnel-group myvpn ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context 
Cryptochecksum:714d09de3a3cXXX...
: end
[+][-]01/15/09 08:08 AM, ID: 23384762Accepted Solution

View this solution now by starting your 30-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

About this solution

Zones: Cisco PIX Firewall, IPSec Security Protocol
Tags: cisco asa 5510 vpn remote ipsec
Sign Up Now!
Solution Provided By: jpc42
Participating Experts: 3
Solution Grade: A
 
[+][-]01/07/09 10:39 AM, ID: 23317858Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]01/07/09 11:10 AM, ID: 23318218Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]01/07/09 11:16 AM, ID: 23318305Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]01/07/09 12:08 PM, ID: 23318836Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]01/07/09 12:57 PM, ID: 23319387Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]01/07/09 08:01 PM, ID: 23322063Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]01/07/09 08:35 PM, ID: 23322209Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]01/07/09 08:51 PM, ID: 23322270Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]01/07/09 08:54 PM, ID: 23322283Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]01/07/09 09:05 PM, ID: 23322310Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]01/07/09 09:49 PM, ID: 23322454Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]01/08/09 12:25 AM, ID: 23322969Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]01/15/09 08:08 AM, ID: 23384755Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
 
Loading Advertisement...
20091111-EE-VQP-92 - Hierarchy / EE_QW_3_20080625