Question

VPN clients cannot access other network subnets

Asked by: djhath

When connected to my network via a Cisco VPN connection, I am unable to connect to any other network subnets.  I can connect to my corporate subnet (192.168.1.x), but not to a remote office (192.168.2.x).  

I have a Cisco ASA 5510 firewall that hands out 192.168.5.x addresses to VPN clients.  Is this a matter of a static route that needs to be added or is this an ACL issue?  

Asked on: 2009-05-18 at 08:45:42 (ID: 24417922)
Topic: Cisco PIX Firewall
Participating experts: 1
Points: 500
Comments: 45


Answers

 

by: JFrederick29, posted on 2009-05-18 at 08:47:54 (ID: 24413203)

If you are split tunneling, it may simply be a matter of adding 192.168.2.0/24 to the split tunnel access-list.

 

by: djhath, posted on 2009-05-18 at 09:03:04 (ID: 24413350)

The corresponding access list I have for split tunneling in my config is this:

access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

So, I added this:

access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

...connected to the VPN, attempted to ping anything on the .2.x subnet to no avail.

 

by: JFrederick29, posted on 2009-05-18 at 09:05:18 (ID: 24413371)

You logged off VPN and reconnected, right?

Is the remote subnet (192.168.2.0) a site to site VPN off this ASA or is it reachable via the inside?

 

by: djhath, posted on 2009-05-18 at 09:07:35 (ID: 24413411)

Yes, I did.

The 192.168.2.0 subnet is a site-to-site VPN off this ASA, reachable on the LAN.  I also made sure that the running config was saved on the ASA after adding the command.

 

by: JFrederick29, posted on 2009-05-18 at 09:09:20 (ID: 24413425)

Okay, since it's a VPN off the ASA, there is more to it.

The site to site access-list needs to also include the 192.168.5.0 to 192.168.2.0 subnet on this ASA.  The remote end access-list will need to be updated to include 192.168.2.0 to 192.168.5.0.  You also may need to use a NAT0 access-list on the outside for VPN to VPN traffic depending on your NAT-control policy.

 

by: djhath, posted on 2009-05-18 at 09:22:08 (ID: 24413562)

I thought I had done so correctly, however it appears not.  I have attached a copy of my config.

: Saved
:
ASA Version 7.2(4) 
!
hostname Marlboro-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
passwd * encrypted
names
name 64.18.0.0 Postini
name 216.148.212.0 RMON description All Covered RMON
name 192.168.1.13 CEADC1 description CEA Domain Controller
name 192.168.1.18 CEAFIN1 description Vision App Server
name 192.168.1.11 CEAMAIL1 description Exchange 2007 Server
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xx.xxx.xxx.xxx 255.255.255.240 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/2
 nameif Guest
 security-level 10
 ip address 192.168.10.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Management Interface
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
 management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server CEADC1
 domain-name intranet.ceadvisors.com
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list outside-access-in extended permit tcp any host xx.xxx.xxx.xxx eq https 
access-list outside-access-in extended permit tcp any host xx.xxx.xxx.xxx eq www 
access-list outside-access-in extended permit tcp any host xx.xxx.xxx.xxx eq https 
access-list outside-access-in extended permit icmp any any inactive 
access-list outside-access-in extended permit tcp RMON 255.255.255.0 host 75.144.134.116 eq smtp 
access-list outside-access-in extended permit tcp Postini 255.255.0.0 host 75.144.134.116 eq smtp 
access-list outside-access-in extended permit udp any any eq isakmp 
access-list outside-access-in extended deny tcp any host xx.xxx.xxx.xxx eq www 
access-list outside-access-in extended permit icmp any any echo-reply 
access-list outside-access-in extended permit icmp any any unreachable 
access-list outside-access-in extended permit icmp any any time-exceeded 
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Guest 1500
mtu management 1500
ip local pool CEA_VPN_Pool 192.168.5.10-192.168.5.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
global (Guest) 20 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (Guest) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp xx.xxx.xxx.xxx https CEAFIN1 https netmask 255.255.255.255 
static (Inside,Outside) xx.xxx.xxx.xxx CEAMAIL1 netmask 255.255.255.255 
static (Inside,Outside) xx.xxx.xxx.xxx CEADC1 netmask 255.255.255.255 
access-group outside-access-in in interface Outside
route Outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx 1
route Inside 192.168.3.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server CEADC1 protocol radius
aaa-server CEADC1 (Inside) host CEADC1
 timeout 5
 key *
aaa-server CEADC2 protocol radius
aaa-server CEADC2 (Outside) host 192.168.1.14
 key *
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http 192.168.5.0 255.255.255.0 Inside
http 10.10.10.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http 192.168.2.0 255.255.255.0 Inside
http redirect Outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 match address l2l_list
crypto map Outside_map 10 set peer xx.xx.xxx.xxx 
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity address 
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 Inside
telnet 192.168.5.0 255.255.255.0 Inside
telnet 192.168.2.0 255.255.255.0 Inside
telnet timeout 5
ssh xx.xx.xx.xxx 255.255.255.255 Outside
ssh 192.168.5.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Inside
ssh 192.168.2.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd dns 4.2.2.1
!
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
ssl trust-point my.godaddy.key Outside
webvpn
 enable Outside
 svc image disk0:/sslclient-win-1.1.4.179.pkg 1
 svc enable
 customization DfltCustomization
  title text Concentric Energy Advisors WebVPN
  logout-message text Your Session has been terminated.
  logo none
 url-list CEA_Servers "Z: Drive" cifs://ceafs1/ceadata 2
 url-list CEA_Servers "Vision" http://ceafin1/vision 3
 url-list CEA_Servers "Web Mail" https://mail.ceadvisors.com 4
 url-list CEA_Servers "Intranet" http://ceaforum 5
 java-trustpoint my.godaddy.key
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions http-proxy
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list value CEA_Servers
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13 192.168.1.14
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  functions file-access file-browsing
username support password JRI3BtDx/rKPMXJe encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server CEADC1 master timeout 2 retry 2
tunnel-group CEA type ipsec-ra
tunnel-group CEA general-attributes
 address-pool CEA_VPN_Pool
 authentication-server-group CEADC1
 default-group-policy CEA
tunnel-group CEA ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.xxx type ipsec-l2l
tunnel-group xx.xx.xx.xxx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
smtp-server 192.168.1.11
prompt hostname context 
Cryptochecksum:efdb5a45f730ee8d0ed39ba55a56969c
: end
asdm image disk0:/asdm-524.bin
asdm location CEAFIN1 255.255.255.255 Inside
no asdm history enable

 

by: JFrederick29, posted on 2009-05-18 at 09:26:58 (ID: 24413599)

You've got it backwards.

Should be:

access-list l2l_list extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0

The other end of the site to site needs the inverse rule added as well:

access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0

 

by: djhath, posted on 2009-05-18 at 09:33:33 (ID: 24413651)

Did both and still nothin' doin' ...

 

by: JFrederick29, posted on 2009-05-18 at 09:35:40 (ID: 24413670)

Oops, forgot this.  Add this to the config:

same-security-traffic permit intra-interface

 

by: djhath, posted on 2009-05-18 at 09:43:27 (ID: 24413762)

Applied the command to both firewalls and still can't hit anything on the .2.x subnet from the VPN.

 

by: JFrederick29, posted on 2009-05-18 at 09:46:55 (ID: 24413808)

You added the crypto ACL entry on each side, right?

Try pinging 192.168.2.x (-t) from the VPN client and do a "show log | i 192.168.5.x"    <--where 192.168.5.x is the IP of the VPN client pinging.

Could still be a NAT issue.

 

by: djhath, posted on 2009-05-18 at 09:59:17 (ID: 24413973)

Sure did.  I will attach the config of the remote site, as well.

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)


: Saved
:
ASA Version 8.0(3) 
!
hostname concentric-DC-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
no names
name 192.168.2.0 DC-inside-block
name 192.168.1.12 CEAEXCH1 description CEA Exchange Server
name 192.168.1.13 CEADC1 description CEA Domain Controller
!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 description Outside
 nameif outside
 security-level 0
 ip address xx.xx.xxx.xxx 255.255.255.248 
!
interface Ethernet0/0
 description Inside
 switchport access vlan 2
!
interface Ethernet0/1
 description Inside
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd zX4wR0GwTwRjrWan encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.13
 domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside extended deny ip any any log 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq smtp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq www 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq telnet 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3389 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq https 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pop3 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp-data 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq dnsix 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq domain 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq domain 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq kerberos 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq imap4 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldap 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldaps 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq netbios-ssn 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 139 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 445 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 445 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 135 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-ns 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-dgm 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq ntp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3268 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 389 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53211 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53212 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 88 
access-list inside extended deny ip any any log 
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply 
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded 
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE_IN_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server CEADC1 protocol radius
aaa-server CEADC1 host 192.168.1.13
 key Pl@sma
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL 
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http xx.xxx.xxx.xxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THREEDES esp-3des esp-sha-hmac 
crypto map DC2BOS 1 match address l2l_list
crypto map DC2BOS 1 set peer xx.xxx.xxx.xxx
crypto map DC2BOS 1 set transform-set THREEDES
crypto map DC2BOS interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet xx.xxx.xxx.xxx 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh xx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics access-list
ntp server 131.216.22.17 source outside
ntp server 216.204.156.2 source outside
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  url-list value CEA_Servers
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  file-entry enable
  file-browsing enable
username support password JRI3BtDx/rKPMXJe encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.1.12 timeout 2 retry 2
 nbns-server 192.168.1.13 timeout 2 retry 2
tunnel-group xx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group CEA type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:a8f01800f7c03666c8819760b203ab3c
: end
asdm image disk0:/asdm-603.bin
no asdm history enable

 

by: JFrederick29 | Posted on 2009-05-18 at 10:02:21 | ID: 24414012

Missing this from the remote config:

access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0

 

by: djhath | Posted on 2009-05-18 at 10:05:37 | ID: 24414050

Added it, still no go...  Did see this in the Syslog:

3      May 18 2009      13:04:57      305005      192.168.2.2             No translation group found for icmp src outside:192.168.5.28 dst inside:192.168.2.2 (type 8, code 0)

 

by: JFrederick29 | Posted on 2009-05-18 at 10:08:41 | ID: 24414086

Add this:

conf t
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (outside) 0 access-list no-outside-nat

 

by: djhath | Posted on 2009-05-18 at 10:09:39 | ID: 24414096

To both configs?

 

by: JFrederick29 | Posted on 2009-05-18 at 10:10:02 | ID: 24414104

Sorry, to the remote config.

 

by: djhath | Posted on 2009-05-18 at 10:15:14 | ID: 24414172

Still nothing...  And I am making sure that I disconnect and reconnect the VPN each time before trying.

 

by: djhath | Posted on 2009-05-18 at 10:15:43 | ID: 24414180

Would you like updated configs attached?

 

by: JFrederick29 | Posted on 2009-05-18 at 10:16:51 | ID: 24414201

Yes, please.

 

by: djhath | Posted on 2009-05-18 at 10:23:50 | ID: 24414296

Main site attached

: Saved
:
ASA Version 7.2(4) 
!
hostname Marlboro-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
passwd * encrypted
names
name 64.18.0.0 Postini
name 216.148.212.0 RMON description All Covered RMON
name 192.168.1.13 CEADC1 description CEA Domain Controller
name 192.168.1.18 CEAFIN1 description Vision App Server
name 192.168.1.11 CEAMAIL1 description Exchange 2007 Server
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.240 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/2
 nameif Guest
 security-level 10
 ip address 192.168.10.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Management Interface
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
 management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server CEADC1
 domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq https 
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq www 
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq https 
access-list outside-access-in extended permit icmp any any inactive 
access-list outside-access-in extended permit tcp RMON 255.255.255.0 host xx.xx.xx.xx eq smtp 
access-list outside-access-in extended permit tcp Postini 255.255.0.0 host xx.xx.xx.xx eq smtp 
access-list outside-access-in extended permit udp any any eq isakmp 
access-list outside-access-in extended deny tcp any host xx.xx.xx.xx eq www 
access-list outside-access-in extended permit icmp any any echo-reply 
access-list outside-access-in extended permit icmp any any unreachable 
access-list outside-access-in extended permit icmp any any time-exceeded 
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0 
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Guest 1500
mtu management 1500
ip local pool CEA_VPN_Pool 192.168.5.10-192.168.5.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
global (Guest) 20 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (Guest) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp xx.xx.xx.xx https CEAFIN1 https netmask 255.255.255.255 
static (Inside,Outside) xx.xx.xx.xx CEAMAIL1 netmask 255.255.255.255 
static (Inside,Outside) xx.xx.xx.xx CEADC1 netmask 255.255.255.255 
access-group outside-access-in in interface Outside
route Outside 0.0.0.0 0.0.0.0 75.144.134.126 1
route Inside 192.168.3.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server CEADC1 protocol radius
aaa-server CEADC1 (Inside) host CEADC1
 timeout 5
 key *
aaa-server CEADC2 protocol radius
aaa-server CEADC2 (Outside) host 192.168.1.14
 key *
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http 192.168.5.0 255.255.255.0 Inside
http 10.10.10.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http 192.168.2.0 255.255.255.0 Inside
http redirect Outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 match address l2l_list
crypto map Outside_map 10 set peer xx.xx.xx.xx
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity address 
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 Inside
telnet 192.168.5.0 255.255.255.0 Inside
telnet 192.168.2.0 255.255.255.0 Inside
telnet timeout 5
ssh xx.xx.xx.xx 255.255.255.255 Outside
ssh 192.168.5.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Inside
ssh 192.168.2.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd dns 4.2.2.1
!
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
ssl trust-point my.godaddy.key Outside
webvpn
 enable Outside
 svc image disk0:/sslclient-win-1.1.4.179.pkg 1
 svc enable
 customization DfltCustomization
  title text Concentric Energy Advisors WebVPN
  logout-message text Your Session has been terminated.
  logo none
 url-list CEA_Servers "Z: Drive" cifs://ceafs1/ceadata 2
 url-list CEA_Servers "Vision" http://ceafin1/vision 3
 url-list CEA_Servers "Web Mail" https://mail.ceadvisors.com 4
 url-list CEA_Servers "Intranet" http://ceaforum 5
 java-trustpoint my.godaddy.key
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions http-proxy
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list value CEA_Servers
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13 192.168.1.14
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  functions file-access file-browsing
username * password * encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server CEADC1 master timeout 2 retry 2
tunnel-group CEA type ipsec-ra
tunnel-group CEA general-attributes
 address-pool CEA_VPN_Pool
 authentication-server-group CEADC1
 default-group-policy CEA
tunnel-group CEA ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group 67.62.134.115 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
smtp-server 192.168.1.11
prompt hostname context 
Cryptochecksum:ebbcf1fb10df0e7bd107907d326fe5f6
: end
asdm image disk0:/asdm-524.bin
asdm location CEAFIN1 255.255.255.255 Inside
no asdm history enable

by: djhath | Posted on 2009-05-18 at 10:26:25 | ID: 24414332

Remote site attached

: Saved
:
ASA Version 8.0(3) 
!
hostname concentric-DC-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
no names
name 192.168.2.0 DC-inside-block
name 192.168.1.12 CEAEXCH1 description CEA Exchange Server
name 192.168.1.13 CEADC1 description CEA Domain Controller
!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 description Outside
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248 
!
interface Ethernet0/0
 description Inside
 switchport access vlan 2
!
interface Ethernet0/1
 description Inside
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd zX4wR0GwTwRjrWan encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.13
 domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside extended deny ip any any log 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq smtp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq www 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq telnet 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3389 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq https 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pop3 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp-data 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq dnsix 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq domain 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq domain 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq kerberos 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq imap4 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldap 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldaps 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq netbios-ssn 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 139 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 445 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 445 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 135 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-ns 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-dgm 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq ntp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3268 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 389 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53211 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53212 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 88 
access-list inside extended deny ip any any log 
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply 
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded 
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0 
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list no-outside-nat
access-group OUTSIDE_IN_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 67.62.134.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server CEADC1 protocol radius
aaa-server CEADC1 host 192.168.1.13
 key *
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL 
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http xx.xx.xx.xx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THREEDES esp-3des esp-sha-hmac 
crypto map DC2BOS 1 match address l2l_list
crypto map DC2BOS 1 set peer xx.xx.xx.xx 
crypto map DC2BOS 1 set transform-set THREEDES
crypto map DC2BOS interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet xx.xx.xx.xx 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics access-list
ntp server 131.216.22.17 source outside
ntp server 216.204.156.2 source outside
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  url-list value CEA_Servers
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  file-entry enable
  file-browsing enable
username * password * encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.1.12 timeout 2 retry 2
 nbns-server 192.168.1.13 timeout 2 retry 2
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group CEA type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:a8f01800f7c03666c8819760b203ab3c
: end
asdm image disk0:/asdm-603.bin
no asdm history enable

by: JFrederick29 | Posted on 2009-05-18 at 10:30:32 | ID: 24414387

Try to ping something on the 192.168.2.0/24 subnet other than the ASA inside interface.  Still getting the same syslog entries?

 

by: djhath | Posted on 2009-05-18 at 10:35:18 | ID: 24414442

192.168.2.2 is a server that resides on that site.  

I'll try pinging 192.168.2.3, which is a network printer.

From syslog:

3      May 18 2009      13:34:23      305005      192.168.2.3             No translation group found for icmp src outside:192.168.5.28 dst inside:192.168.2.3 (type 8, code 0)

 

by: JFrederick29 | Posted on 2009-05-18 at 10:36:23 | ID: 24414456

Which Firewall is that syslog message from?

 

by: JFrederick29 | Posted on 2009-05-18 at 10:38:02 | ID: 24414473

Never mind, assuming the main office based on your logging config:

Add this to the main ASA, also:

conf t
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (Outside) 0 access-list no-outside-nat

 

by: JFrederick29 | Posted on 2009-05-18 at 10:41:19 | ID: 24414521

Sorry to keep mixing things up, but add this as well to the main ASA:

access-list Inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0


This may be the only thing required regarding NAT.

 
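An added example, not from this thread and not Cisco's code: a small Python checker that applies the rule the NAT advice above is built on. It pulls the pre-8.3 `nat (ifc) 0 access-list` statements and their `permit ip` ACEs out of an ASA config (resolving `name` aliases such as DC-inside-block), takes the src/dst pair and interfaces out of a %ASA-3-305005 "No translation group found" line, and reports whether the exemption covers that flow in either direction, or prints the two lines that would. The config excerpts are constructed to resemble the remote-site config in this thread rather than copied whole, and the /24 masks in the suggested fix are an assumption for the example.

```python
"""Check a pre-8.3 ASA config for the NAT exemption a %ASA-3-305005 message
says is missing.  The config excerpts are constructed for this example and
modelled on the remote-site config in the thread; they are not the full config."""
import ipaddress
import re

# Remote ASA before the suggested additions: only the LAN-to-LAN pair is exempt.
CONFIG_BEFORE = """\
name 192.168.2.0 DC-inside-block
access-list NO-NAT extended permit ip DC-inside-block 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Same config after the VPN-pool ACE and the outside-side exemption were added.
CONFIG_AFTER = CONFIG_BEFORE + """\
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (outside) 0 access-list no-outside-nat
"""

# The syslog line quoted in the thread, with the ASDM columns collapsed to spaces.
SAMPLE_SYSLOG = ("3 May 18 2009 13:34:23 305005 192.168.2.3 No translation group found "
                 "for icmp src outside:192.168.5.28 dst inside:192.168.2.3 (type 8, code 0)")

SYSLOG_RE = re.compile(r"No translation group found for \S+ "
                       r"src (?P<sifc>[^:\s]+):(?P<sip>[\d.]+)(?:/\d+)? "
                       r"dst (?P<difc>[^:\s]+):(?P<dip>[\d.]+)")


def parse_305005(line):
    """Return (src_ifc, src_ip, dst_ifc, dst_ip) from a 305005 message."""
    m = SYSLOG_RE.search(line)
    if not m:
        raise ValueError("not a 305005 'No translation group found' message")
    return (m["sifc"], ipaddress.ip_address(m["sip"]),
            m["difc"], ipaddress.ip_address(m["dip"]))


def _take_spec(tokens, names):
    """Consume one ACE address spec: any | host A | A MASK (A may be a 'name')."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1])), tokens[2:]
    addr = names.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{addr}/{tokens[1]}", strict=False), tokens[2:]


def parse_nat_exemptions(config):
    """Return [(interface, src_net, dst_net)] for every ACE bound by 'nat (ifc) 0 access-list'."""
    lines = config.splitlines()
    names, aces, rules = {}, {}, []
    for line in lines:                      # 'name 192.168.2.0 DC-inside-block'
        m = re.match(r"name (\S+) (\S+)", line)
        if m:
            names[m.group(2)] = m.group(1)
    for line in lines:                      # only 'permit ip' ACEs belong in an exemption ACL
        m = re.match(r"access-list (\S+) extended permit ip (.+)", line)
        if m:
            src, rest = _take_spec(m.group(2).split(), names)
            dst, _ = _take_spec(rest, names)
            aces.setdefault(m.group(1), []).append((src, dst))
    for line in lines:                      # 'nat (inside) 0 access-list NO-NAT'
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)
        if m:
            rules += [(m.group(1), s, d) for s, d in aces.get(m.group(2), [])]
    return rules


def find_exemption(rules, sifc, sip, difc, dip):
    """Return the exemption rule covering this flow, or None.

    A 'nat (ifc) 0 access-list' ACE is written from the perspective of ifc
    (source = hosts behind ifc) but exempts the flow whichever side starts it,
    so a packet entering on sifc is covered by a rule on sifc matching src->dst
    or by a rule on difc matching dst->src."""
    for ifc, src, dst in rules:
        if ifc == sifc and sip in src and dip in dst:
            return ifc, src, dst
        if ifc == difc and dip in src and sip in dst:
            return ifc, src, dst
    return None


def suggest_fix(flow, acl_name, prefixlen=24):
    """Config lines that would exempt the flow on its ingress interface.
    The /24 is an assumption for the example; substitute the real subnet masks."""
    sifc, sip, _, dip = flow
    src = ipaddress.ip_network(f"{sip}/{prefixlen}", strict=False)
    dst = ipaddress.ip_network(f"{dip}/{prefixlen}", strict=False)
    return [f"access-list {acl_name} extended permit ip "
            f"{src.network_address} {src.netmask} {dst.network_address} {dst.netmask}",
            f"nat ({sifc}) 0 access-list {acl_name}"]


if __name__ == "__main__":
    flow = parse_305005(SAMPLE_SYSLOG)
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        hit = find_exemption(parse_nat_exemptions(cfg), *flow)
        print(label, "->", f"exempt by nat ({hit[0]}) 0: {hit[1]} -> {hit[2]}" if hit else "NOT exempt")
    print("\n".join(suggest_fix(flow, "no-outside-nat")))
```

The 305005 message names the interfaces the packet was seen on, so the checker tests the ingress interface's exemption ACL as written (src to dst) and the egress interface's ACL the other way round (dst to src); on the pre-8.3 NAT model an exemption matches connections started from either side. When the checker reports that the config already covers the pair but the ASA keeps logging 305005, the ACL text is not the problem and the next step is on the box itself: `packet-tracer input outside icmp 192.168.5.28 8 0 192.168.2.3` on the remote ASA, and `show run nat` to confirm what is actually loaded, rather than more ACEs. The `show cry ipsec sa` output later in the thread says the same thing from the other end: the 192.168.5.0 to 192.168.2.0 SA on the main ASA shows 640 packets encapsulated and 0 decapsulated, so the echo requests leave and it is the replies that never come back.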

by: djhath | Posted on 2009-05-18 at 10:42:20 | ID: 24414531

I added those commands to main office config.

Still nothing - this Syslog is from the remote site:

3      May 18 2009      13:41:16      305005      192.168.2.3             No translation group found for icmp src outside:192.168.5.28 dst inside:192.168.2.3 (type 8, code 0)

 

by: djhath | Posted on 2009-05-18 at 10:45:24 | ID: 24414567

Just added the Inside_nat0_outbound ACL change, still nothing...

Still generating the same from the remote site syslog:

3      May 18 2009      13:44:34      305005      192.168.2.3             No translation group found for icmp src outside:192.168.5.28 dst inside:192.168.2.3 (type 8, code 0)

 

by: JFrederick29 | Posted on 2009-05-18 at 10:56:54 | ID: 24414691

Can you ping the other way?

 

by: djhath | Posted on 2009-05-18 at 11:02:31 | ID: 24414764

I can ping 192.168.5.28 (VPN client) from my main site LAN (192.168.1.x), but not from the remote site (192.168.2.x)

 

by: JFrederick29 | Posted on 2009-05-18 at 11:07:08 | ID: 24414836

Try removing the "nat (outside) 0" config from both Firewalls and try again.  I'm about stumped as this should be working.

192.168.2.1 is the default gateway for the 192.168.2.1 hosts, right? Or is it something else?

 

by: djhath | Posted on 2009-05-18 at 11:21:55 | ID: 24414981

Yes, 192.168.2.1 is the default gateway for the hosts on that subnet.  

I just removed the nat (Outside) command from both firewalls and the lan-2-lan tunnel has dropped.

 

by: JFrederick29 | Posted on 2009-05-18 at 11:26:57 | ID: 24415029

The nat (outside) you just added?  Nice...

Really not much to this, so not sure why it's not working... see below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml#notes

Can you post a "show cry ipsec sa" from both ASAs?

 

by: djhath | Posted on 2009-05-18 at 11:32:57 | ID: 24415078

Alright, the tunnel dropped because I removed the wrong command.  I removed the nat (inside) 0 statement on the main site firewall, thinking I had applied it to the wrong interface.  

I removed the nat (outside) 0 statement and reapplied on both firewalls, still nothing.

Here is the result of the show cry ipsec sa from the main site:

Result of the command: "show cry ipsec sa"

interface: Outside
    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.27/255.255.255.255/0/0)
      current_peer: 209.6.174.244, username: nstandish
      dynamic allocated peer ip: 192.168.5.27

      #pkts encaps: 44379, #pkts encrypt: 44391, #pkts digest: 44391
      #pkts decaps: 50328, #pkts decrypt: 50328, #pkts verify: 50328
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 44379, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 12, #pre-frag failures: 0, #fragments created: 24
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 24
      #send errors: 0, #recv errors: 15

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 209.6.174.244/1099
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 0EA2DE6A

    inbound esp sas:
      spi: 0xE554A279 (3847529081)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 459, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 10581
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x0EA2DE6A (245554794)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 459, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 10581
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.20/255.255.255.255/0/0)
      current_peer: 66.30.186.113, username: bhevert
      dynamic allocated peer ip: 192.168.5.20

      #pkts encaps: 54343, #pkts encrypt: 54411, #pkts digest: 54411
      #pkts decaps: 47518, #pkts decrypt: 47518, #pkts verify: 47518
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 54343, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 68, #pre-frag failures: 0, #fragments created: 136
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 136
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 66.30.186.113/1117
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: C0C1C42F

    inbound esp sas:
      spi: 0xB76949A2 (3077130658)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 444, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 22151
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xC0C1C42F (3233924143)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 444, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 22151
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_map, seq num: 10, local addr: 75.144.134.114

      access-list l2l_list permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 67.62.134.115

      #pkts encaps: 41023427, #pkts encrypt: 41023427, #pkts digest: 41023427
      #pkts decaps: 36586431, #pkts decrypt: 36586431, #pkts verify: 36586431
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 41023427, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 2
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114, remote crypto endpt.: 67.62.134.115

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 25220048

    inbound esp sas:
      spi: 0x11CF477F (298796927)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 207, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4080057/10205)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x25220048 (622985288)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 207, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4034235/10205)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_map, seq num: 10, local addr: 75.144.134.114

      access-list l2l_list permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 67.62.134.115

      #pkts encaps: 640, #pkts encrypt: 640, #pkts digest: 640
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 640, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114, remote crypto endpt.: 67.62.134.115

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 6290EBC8

    inbound esp sas:
      spi: 0x24A0F22A (614527530)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 207, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/21628)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x6290EBC8 (1653664712)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 207, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4274962/21628)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.28/255.255.255.255/0/0)
      current_peer: 71.233.179.11, username: jhathaway
      dynamic allocated peer ip: 192.168.5.28

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 71.233.179.11/3193
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: D69D9F8F

    inbound esp sas:
      spi: 0x32232C59 (841165913)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 482, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 28755
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xD69D9F8F (3600654223)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 482, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 28755
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.25/255.255.255.255/0/0)
      current_peer: 71.243.55.86, username: coneill
      dynamic allocated peer ip: 192.168.5.25

      #pkts encaps: 32327, #pkts encrypt: 32345, #pkts digest: 32345
      #pkts decaps: 31203, #pkts decrypt: 31203, #pkts verify: 31203
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 32327, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 18, #pre-frag failures: 0, #fragments created: 36
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 36
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 71.243.55.86/4442
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 97613F89

    inbound esp sas:
      spi: 0x617BFDC6 (1635515846)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 458, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 8586
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x97613F89 (2539732873)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 458, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 8586
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.29/255.255.255.255/0/0)
      current_peer: 76.120.2.95, username: lquilici
      dynamic allocated peer ip: 192.168.5.29

      #pkts encaps: 465, #pkts encrypt: 465, #pkts digest: 465
      #pkts decaps: 793, #pkts decrypt: 793, #pkts verify: 793
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 465, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 76.120.2.95/2344
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: D004F310

    inbound esp sas:
      spi: 0xAE114735 (2920367925)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 481, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 27993
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xD004F310 (3489985296)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 481, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 27993
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.26/255.255.255.255/0/0)
      current_peer: 76.179.71.136, username: bhopkins
      dynamic allocated peer ip: 192.168.5.26

      #pkts encaps: 7572, #pkts encrypt: 7593, #pkts digest: 7593
      #pkts decaps: 8968, #pkts decrypt: 8968, #pkts verify: 8968
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7572, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 21, #pre-frag failures: 0, #fragments created: 42
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 42
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 76.179.71.136/2474
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 74127397

    inbound esp sas:
      spi: 0xD7F2DE8A (3623018122)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 457, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 26599
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x74127397 (1947366295)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 457, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 26599
         IV size: 8 bytes
         replay detection support: Y

From the remote site:

Result of the command: "sh cry ipsec sa"

interface: outside
    Crypto map tag: DC2BOS, seq num: 1, local addr: 67.62.134.115

      access-list l2l_list permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      current_peer: 75.144.134.114

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 655, #pkts decrypt: 655, #pkts verify: 655
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 67.62.134.115, remote crypto endpt.: 75.144.134.114

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 24A0F22A

    inbound esp sas:
      spi: 0x6290EBC8 (1653664712)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: DC2BOS
         sa timing: remaining key lifetime (kB/sec): (3824961/21541)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x24A0F22A (614527530)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: DC2BOS
         sa timing: remaining key lifetime (kB/sec): (3825000/21541)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: DC2BOS, seq num: 1, local addr: 67.62.134.115

      access-list l2l_list permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 75.144.134.114

      #pkts encaps: 36593992, #pkts encrypt: 36593992, #pkts digest: 36593992
      #pkts decaps: 41027877, #pkts decrypt: 41027877, #pkts verify: 41027877
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 36593992, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 67.62.134.115, remote crypto endpt.: 75.144.134.114

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 11CF477F

    inbound esp sas:
      spi: 0x25220048 (622985288)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: DC2BOS
         sa timing: remaining key lifetime (kB/sec): (3583201/10121)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x11CF477F (298796927)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: DC2BOS
         sa timing: remaining key lifetime (kB/sec): (3629068/10121)
         IV size: 8 bytes
         replay detection support: Y
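The two `sh cry ipsec sa` outputs above carry the whole diagnosis in their packet counters: the main site's 192.168.5.0/24 to 192.168.2.0/24 SA shows 640 encaps and 0 decaps, and the remote site's mirror SA shows 0 encaps and 655 decaps, so the remote ASA is decrypting the client packets but never sending anything back. The following script is an added example (not code from this thread or from Cisco) that parses excerpts of that output, pairs each L2L SA with its mirror on the peer and flags one-way tunnels. The excerpts are constructed from the counters shown in the thread; the idents of the main-site 192.168.1.0/24 entry are assumed from the remote side's mirror entry.

```python
import re
from ipaddress import ip_network

# Constructed excerpts of the two "sh cry ipsec sa" outputs pasted in this thread,
# trimmed to the fields the check reads (crypto map tag, idents, peer, counters).
MAIN_SITE_SA = """\
    Crypto map tag: Outside_map, seq num: 10, local addr: 75.144.134.114
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 67.62.134.115
      #pkts encaps: 41023427, #pkts encrypt: 41023427, #pkts digest: 41023427
      #pkts decaps: 36586431, #pkts decrypt: 36586431, #pkts verify: 36586431
    Crypto map tag: Outside_map, seq num: 10, local addr: 75.144.134.114
      local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 67.62.134.115
      #pkts encaps: 640, #pkts encrypt: 640, #pkts digest: 640
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.28/255.255.255.255/0/0)
      current_peer: 71.233.179.11, username: jhathaway
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
"""

REMOTE_SITE_SA = """\
    Crypto map tag: DC2BOS, seq num: 1, local addr: 67.62.134.115
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      current_peer: 75.144.134.114
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 655, #pkts decrypt: 655, #pkts verify: 655
    Crypto map tag: DC2BOS, seq num: 1, local addr: 67.62.134.115
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 75.144.134.114
      #pkts encaps: 36593992, #pkts encrypt: 36593992, #pkts digest: 36593992
      #pkts decaps: 41027877, #pkts decrypt: 41027877, #pkts verify: 41027877
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+?)(?:,|$)")


def parse_ipsec_sa(text):
    """Split ASA 'show crypto ipsec sa' output into one dict per crypto-map entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            cur = {"map": line.split(":")[1].split(",")[0].strip(), "encaps": 0, "decaps": 0}
            entries.append(cur)
            continue
        if cur is None:
            continue
        if m := IDENT_RE.search(line):
            side, addr, mask = m.groups()
            cur[side] = str(ip_network(f"{addr}/{mask}", strict=False))
        elif m := PEER_RE.search(line):
            cur["peer"] = m.group(1)
        else:
            for kind, count in PKTS_RE.findall(line):
                cur[kind] = int(count)
    return entries


def classify(entry):
    """Summarise an SA's traffic direction from its encaps/decaps counters."""
    sent, received = entry.get("encaps", 0), entry.get("decaps", 0)
    if sent == 0 and received == 0:
        return "idle"
    if received == 0:
        return "sending, nothing returned"
    if sent == 0:
        return "receiving, nothing sent"
    return "bidirectional"


def pair_sas(local_entries, remote_entries):
    """Match each SA on one box with its mirror on the peer (local/remote idents swapped)."""
    return [(a, b) for a in local_entries for b in remote_entries
            if a.get("local") == b.get("remote") and a.get("remote") == b.get("local")]


def diagnose(local_text, remote_text):
    """Map (local_net, remote_net) of every mirrored L2L SA to (status here, status there)."""
    return {(a["local"], a["remote"]): (classify(a), classify(b))
            for a, b in pair_sas(parse_ipsec_sa(local_text), parse_ipsec_sa(remote_text))}


if __name__ == "__main__":
    for nets, status in diagnose(MAIN_SITE_SA, REMOTE_SITE_SA).items():
        print(f"{nets[0]} -> {nets[1]}: main site {status[0]}; remote site {status[1]}")
```

When the pair comes back as ("sending, nothing returned", "receiving, nothing sent"), the tunnel itself is fine: the peer proves it by decrypting the packets. The loss is on the far side after decryption (translation, routing, or the destination host's return path), which is exactly where a "no translation group" message points.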

 

by: JFrederick29, posted on 2009-05-18 at 11:40:13, ID: 24415153

Okay, so the traffic is good to the remote firewall (kind of already knew that), but there is no return traffic (because the ASA is dropping traffic due to "no translation group").  Can you afford to "wr mem" and "reload" the remote ASA?  This should be working based on your config.

 

by: djhath, posted on 2009-05-18 at 11:45:26, ID: 24415194

Well, having pulled my Joe Maddon baseball card out (from last night, in case you're a baseball fan), and already dropped the tunnel on them once, I think I'll wait until this evening to reboot the remote firewall.

I will advise on how that works out after the reboot.

And before I forget, I'm very appreciative of all of your help so far!  Thank you.

 

by: JFrederick29, posted on 2009-05-18 at 11:46:42, ID: 24415208

No prob.  Drives me insane that it's not working <8-]

 

by: djhath, posted on 2009-05-18 at 17:42:32, ID: 24417683

Alright, I rebooted the firewall and I still can't ping on the 192.168.2.x subnet from a VPN client.  I'm going to attach the current configs just for the hell of it.

Main Site:

: Saved
:
ASA Version 7.2(4) 
!
hostname Marlboro-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
passwd * encrypted
names
name 64.18.0.0 Postini
name 216.148.212.0 RMON description All Covered RMON
name 192.168.1.13 CEADC1 description CEA Domain Controller
name 192.168.1.18 CEAFIN1 description Vision App Server
name 192.168.1.11 CEAMAIL1 description Exchange 2007 Server
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.240 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/2
 nameif Guest
 security-level 10
 ip address 192.168.10.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Management Interface
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
 management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server CEADC1
 domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq https 
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq www 
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq https 
access-list outside-access-in extended permit icmp any any inactive 
access-list outside-access-in extended permit tcp RMON 255.255.255.0 host xx.xx.xx.xx eq smtp 
access-list outside-access-in extended permit tcp Postini 255.255.0.0 host xx.xx.xx.xx eq smtp 
access-list outside-access-in extended permit udp any any eq isakmp 
access-list outside-access-in extended deny tcp any host xx.xx.xx.xx eq www 
access-list outside-access-in extended permit icmp any any echo-reply 
access-list outside-access-in extended permit icmp any any unreachable 
access-list outside-access-in extended permit icmp any any time-exceeded 
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0 
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Guest 1500
mtu management 1500
ip local pool CEA_VPN_Pool 192.168.5.10-192.168.5.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
global (Guest) 20 interface
nat (Outside) 0 access-list no-outside-nat
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (Guest) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp xx.xx.xx.xx https CEAFIN1 https netmask 255.255.255.255 
static (Inside,Outside) xx.xx.xx.xx CEAMAIL1 netmask 255.255.255.255 
static (Inside,Outside) xx.xx.xx.xx CEADC1 netmask 255.255.255.255 
access-group outside-access-in in interface Outside
route Outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route Inside 192.168.3.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server CEADC1 protocol radius
aaa-server CEADC1 (Inside) host CEADC1
 timeout 5
 key *
aaa-server CEADC2 protocol radius
aaa-server CEADC2 (Outside) host 192.168.1.14
 key *
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http 192.168.5.0 255.255.255.0 Inside
http 10.10.10.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http 192.168.2.0 255.255.255.0 Inside
http redirect Outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 match address l2l_list
crypto map Outside_map 10 set peer xx.xx.xx.xx 
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity address 
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 Inside
telnet 192.168.5.0 255.255.255.0 Inside
telnet 192.168.2.0 255.255.255.0 Inside
telnet timeout 5
ssh xx.xx.xx.xx 255.255.255.255 Outside
ssh 192.168.5.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Inside
ssh 192.168.2.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd dns 4.2.2.1
!
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
ssl trust-point my.godaddy.key Outside
webvpn
 enable Outside
 svc image disk0:/sslclient-win-1.1.4.179.pkg 1
 svc enable
 customization DfltCustomization
  title text Concentric Energy Advisors WebVPN
  logout-message text Your Session has been terminated.
  logo none
 url-list CEA_Servers "Z: Drive" cifs://ceafs1/ceadata 2
 url-list CEA_Servers "Vision" http://ceafin1/vision 3
 url-list CEA_Servers "Web Mail" https://mail.ceadvisors.com 4
 url-list CEA_Servers "Intranet" http://ceaforum 5
 java-trustpoint my.godaddy.key
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions http-proxy
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list value CEA_Servers
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13 192.168.1.14
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  functions file-access file-browsing
username * encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server CEADC1 master timeout 2 retry 2
tunnel-group CEA type ipsec-ra
tunnel-group CEA general-attributes
 address-pool CEA_VPN_Pool
 authentication-server-group CEADC1
 default-group-policy CEA
tunnel-group CEA ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
smtp-server 192.168.1.11
prompt hostname context 
Cryptochecksum:ee82dc24c45f96f6b71e71f468f3b072
: end
asdm image disk0:/asdm-524.bin
asdm location CEAFIN1 255.255.255.255 Inside
no asdm history enable
                                              

 

by: djhath, posted on 2009-05-18 at 17:45:24, ID: 24417692

Remote Site

: Saved
:
ASA Version 8.0(3) 
!
hostname concentric-DC-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
no names
name 192.168.2.0 DC-inside-block
name 192.168.1.12 CEAEXCH1 description CEA Exchange Server
name 192.168.1.13 CEADC1 description CEA Domain Controller
!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 description Outside
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248 
!
interface Ethernet0/0
 description Inside
 switchport access vlan 2
!
interface Ethernet0/1
 description Inside
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd * encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.13
 domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside extended deny ip any any log 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq smtp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq www 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq telnet 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3389 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq https 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pop3 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp-data 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq dnsix 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq domain 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq domain 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq kerberos 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq imap4 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldap 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldaps 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq netbios-ssn 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 139 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 445 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 445 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 135 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-ns 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-dgm 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq ntp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3268 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 389 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53211 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53212 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 88 
access-list inside extended deny ip any any log 
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply 
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded 
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0 
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list no-outside-nat
access-group OUTSIDE_IN_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server CEADC1 protocol radius
aaa-server CEADC1 host 192.168.1.13
 key *
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL 
http server enable
http 75.144.134.117 255.255.255.255 outside
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THREEDES esp-3des esp-sha-hmac 
crypto map DC2BOS 1 match address l2l_list
crypto map DC2BOS 1 set peer xx.xx.xx.xx
crypto map DC2BOS 1 set transform-set THREEDES
crypto map DC2BOS interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet xx.xx.xx.xx 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics access-list
ntp server 131.216.22.17 source outside
ntp server 216.204.156.2 source outside
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  url-list value CEA_Servers
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  file-entry enable
  file-browsing enable
username * encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.1.12 timeout 2 retry 2
 nbns-server 192.168.1.13 timeout 2 retry 2
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group CEA type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:4967fd1e78dbf91d5773d3225b01204b
: end
asdm image disk0:/asdm-603.bin
no asdm history enable
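The two configs posted above contain the four statements that decide whether a VPN-client flow to the remote office survives the round trip on pre-8.3 ASA code: at the main site the decrypted client packet enters and leaves on Outside (hence `same-security-traffic permit intra-interface`), so it must be exempted from translation by the `nat (Outside) 0` ACL and match the L2L crypto ACL; at the remote site the reply enters on inside, so it must be exempted by the `nat (inside) 0` ACL and match that box's crypto ACL. The script below is an added example (not code from this thread or from Cisco) that parses those lines from constructed excerpts of both configs and evaluates a flow in each direction, reporting which condition fails. Host addresses 192.168.2.10 and 192.168.3.10 are constructed; 192.168.5.28 is one of the client addresses seen in the SA output above.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpts of the two running configs pasted in this thread: only the
# NAT-exemption ACLs, the nat 0 bindings and the crypto-map match ACLs are kept.
MAIN_SITE_CFG = """\
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Outside) 0 access-list no-outside-nat
nat (Inside) 0 access-list Inside_nat0_outbound
crypto map Outside_map 10 match address l2l_list
"""

REMOTE_SITE_CFG = """\
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
crypto map DC2BOS 1 match address l2l_list
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse_config(text):
    """Collect permit-ip ACL entries, nat 0 bindings per interface, and crypto match ACLs."""
    acls, nat0, crypto = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls.setdefault(name, []).append(
                (ip_network(f"{src}/{smask}", strict=False), ip_network(f"{dst}/{dmask}", strict=False)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)          # interface -> exemption ACL name
        elif m := CRYPTO_RE.match(line):
            crypto[m.group(3)] = (m.group(1), int(m.group(2)))  # ACL name -> (map, seq)
    return {"acls": acls, "nat0": nat0, "crypto": crypto}


def acl_permits(acls, name, src, dst):
    """True if any permit-ip entry of the named ACL covers src -> dst."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in s_net and dst in d_net for s_net, d_net in acls.get(name, []))


def check_flow(cfg, ingress_if, src, dst):
    """Report NAT exemption and crypto ACL match for a flow entering on ingress_if."""
    exempt_acl = cfg["nat0"].get(ingress_if)
    nat_exempt = bool(exempt_acl) and acl_permits(cfg["acls"], exempt_acl, src, dst)
    matched = [acl for acl in cfg["crypto"] if acl_permits(cfg["acls"], acl, src, dst)]
    return {"nat_exempt": nat_exempt, "crypto_acl": matched[0] if matched else None}


def round_trip_ok(local_cfg, remote_cfg, local_if, remote_if, client, host):
    """True only if both the client->host leg and the host->client reply pass all checks."""
    out = check_flow(local_cfg, local_if, client, host)
    back = check_flow(remote_cfg, remote_if, host, client)
    return all([out["nat_exempt"], out["crypto_acl"], back["nat_exempt"], back["crypto_acl"]])


if __name__ == "__main__":
    main, remote = parse_config(MAIN_SITE_CFG), parse_config(REMOTE_SITE_CFG)
    print("client -> remote host:", check_flow(main, "Outside", "192.168.5.28", "192.168.2.10"))
    print("remote host -> client:", check_flow(remote, "inside", "192.168.2.10", "192.168.5.28"))
    print("round trip ok:", round_trip_ok(main, remote, "Outside", "inside", "192.168.5.28", "192.168.2.10"))
```

Run against these excerpts every check passes in both directions, which is the same conclusion JFrederick29 reached by eye ("this should be working based on your config"); the 192.168.3.0/24 flow in the test shows what a genuinely missing exemption looks like. When the counters still show a one-way tunnel after the config checks pass, the remaining suspects are state on the box (the xlate and SA tables, cleared by the reload) rather than the written configuration.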
                                              

 
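Added diagnostic example (not part of the thread and not the asker's own code): a Python check that reads the split-tunnel settings of a group-policy from an ASA config and reports whether traffic to a given subnet is sent through the VPN. The config fragment is constructed; the real contents of CEA_splitTunnelAcl are not shown in this section, so the ACL below is an assumption.

```python
import ipaddress
import re

# Constructed sample in the style of the ASA config posted above. The single
# entry in CEA_splitTunnelAcl is an assumption for the demonstration.
SAMPLE_CONFIG = """\
access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
group-policy CEA internal
group-policy CEA attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
"""

GP_RE = re.compile(r"^group-policy (\S+) attributes$")


def group_policy_attrs(config, policy):
    """Collect the indented attribute lines of one 'group-policy X attributes' block."""
    attrs, inside = {}, False
    for line in config.splitlines():
        if not line.startswith(" "):
            m = GP_RE.match(line)
            inside = bool(m and m.group(1) == policy)
            continue
        if inside:
            key, _, value = line.strip().partition(" ")
            attrs[key] = value
    return attrs


def acl_networks(config, acl_name):
    """Networks permitted by a standard ACL (the form split-tunnel lists use)."""
    nets = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:4] == ["access-list", acl_name, "standard", "permit"]:
            nets.append(ipaddress.ip_network(f"{parts[4]}/{parts[5]}"))
    return nets


def tunneled(config, policy, destination):
    """True if traffic to 'destination' goes through the VPN under this group-policy."""
    attrs = group_policy_attrs(config, policy)
    mode = attrs.get("split-tunnel-policy", "tunnelall")  # ASA default is tunnelall
    if mode == "tunnelall":
        return True
    dest = ipaddress.ip_network(destination, strict=False)
    acl = attrs["split-tunnel-network-list"].split()[-1]  # 'value NAME' -> NAME
    covered = any(dest.subnet_of(n) for n in acl_networks(config, acl))
    # excludespecified inverts the list: listed networks bypass the tunnel
    return covered if mode == "tunnelspecified" else not covered


if __name__ == "__main__":
    for target in ("192.168.1.0/24", "192.168.2.0/24"):
        state = "tunneled" if tunneled(SAMPLE_CONFIG, "CEA", target) else "NOT tunneled"
        print(target, state)
```

With the constructed ACL, 192.168.2.0/24 is reported as not tunneled, which is exactly the symptom in the question when the split-tunnel list omits the remote office subnet.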

by: djhath, posted on 2009-05-18 at 18:54:41, ID: 24417935

Well, here's the latest.  For the hell of it, I decided to try pinging a VPN client from a host on the remote 192.168.2.x subnet.  So, I RDP'd into a host, and was able to ping myself (192.168.5.x).  Then all of a sudden, I could ping on the remote subnet.  

So, it seems to be working.

 

by: JFrederick29, posted on 2009-05-19 at 04:40:34, ID: 24420730

Interesting.  If you try it again after disconnecting VPN and reconnecting, can you ping 192.168.2.x?

 

by: djhath, posted on 2009-05-19 at 05:29:55, ID: 24421140

Yes, I just reconnected and it's pinging OK.  I was a little wary, because the first ping timed out, but then it came back.  The ping times were a little erratic, but seemed to settle to where I expect them to be.

 

by: JFrederick29, posted on 2009-05-19 at 05:35:23, ID: 24421186

Good deal.

 

by: JFrederick29, posted on 2009-05-20 at 07:07:51, ID: 24431992

How's it working?  Still good?  Ready to close out this question?
