Question

ASA 5505 IPSec VPN issue

Asked by: rgonser

Hello All,

I'm having problems; here is what I need:

I have someone at "XO comm" who runs a program that needs to access my 172.16.9.0/24 network; they do not need access to my 192.168.1.0/24 network. However, I created an IPsec VPN for that, and it doesn't allow me to talk to the 172 network. Any ideas? Sorry for my bad art; I thought the diagram would explain it better!

THANK YOU!


ASA Version 8.0(4) 
!
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 7.1.4.6 255.255.255.248 
!
interface Vlan3
 description Connects to the Shell Robot PLC
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.9.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login AUTHORIZED ACCESS ONLY
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.6
 domain-name KCI.COM
object-group service WebServices tcp
 description DNS, HTTP, HTTPS, FTP
 port-object eq ftp
 port-object eq www
 port-object eq https
object-group service iMacServices tcp
 port-object eq aol
 port-object eq 587
 port-object eq 995
 port-object eq 26002
 port-object eq 5678
 port-object eq 465
object-group service VNC tcp
 port-object range 5800 5900
object-group service DM_INLINE_TCP_2 tcp
 port-object eq pop3
 port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
 port-object eq pop3
 port-object eq smtp
access-list outside_access_in extended permit icmp any 67.91.154.104 255.255.255.248 
access-list outside_access_in remark Allows only MXLogic to be able to connect to our email server.
access-list outside_access_in extended permit tcp 208.65.144.0 255.255.248.0 interface outside eq smtp 
access-list outside_access_in remark Allows MXLogic Server to Connect
access-list outside_access_in extended permit tcp host 208.65.144.245 interface outside eq smtp 
access-list KovatchCastings_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.16.9.0 255.255.255.0 10.254.254.0 255.255.255.240 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.254.254.0 255.255.255.240 
access-list inside_nat0_outbound extended permit ip any 172.16.9.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 10.254.254.0 255.255.255.240 
access-list inside_access_in remark Allows ONLY KCI-FNP to transmit outbound email (blackberry)
access-list inside_access_in extended permit tcp host 192.168.1.2 any eq smtp 
access-list inside_access_in remark Allows ONLY AS/400 to transmit outbound email
access-list inside_access_in extended permit tcp host 192.168.1.1 any eq smtp 
access-list inside_access_in extended permit udp any eq domain 192.168.1.0 255.255.255.0 
access-list inside_access_in remark Allows WebServices (HTTP, HTTPS, and FTP)
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group WebServices 
access-list inside_access_in remark Required for FileSrvG2 to operate with BlackBerry SRP
access-list inside_access_in extended permit tcp host 192.168.1.2 any eq 3101 
access-list inside_access_in remark Allows KCI to make DNS queries to Internet servers
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain 
access-list inside_access_in remark Allows Rob Gonser to pull/send RoadRunner email
access-list inside_access_in extended permit tcp host 192.168.1.125 75.180.132.0 255.255.255.0 object-group DM_INLINE_TCP_2 
access-list inside_access_in remark John Kleinhenz Outlook Windstream (email)
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 166.102.165.0 255.255.255.0 object-group DM_INLINE_TCP_3 
access-list inside_access_in extended permit tcp host 192.168.1.10 any object-group iMacServices 
access-list inside_access_in extended permit udp host 192.168.1.10 any 
access-list inside_access_in remark Allow outbound access to FlashMail
access-list inside_access_in extended permit tcp any host 131.123.247.97 eq 8008 
access-list inside_access_in remark BettsIND.com
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 host 65.110.96.32 
access-list IPSEC-USERS_splitTunnelAcl standard permit any 
pager lines 24
logging enable
logging asdm informational
logging from-address cisco-asa@kovatchcastings.com
logging recipient-address david.mathis@kovatchcastings.com level critical
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNPool 10.254.254.1-10.254.254.10 mask 255.255.255.0
ip local pool RobotVPN-Pool 172.16.9.100-172.16.9.110 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-615.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.1 smtp netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.91.154.105 1
route dmz 172.16.9.0 255.255.255.0 172.16.9.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server FileSrvG4 protocol ldap
aaa-server FileSrvG4 (inside) host 192.168.1.6
 server-type auto-detect
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA TRANS_ESP_DES_SHA ESP-DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map robotplc_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map robotplc_map interface dmz
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 fqdn vpn.kovatchcastings.com
 email tech.support@kovatchcastings.com
 subject-name CN=vpn.kovatchcastings.com,OU=MIS,O=Kovatch Castings Inc,C=US,St=Ohio,L=Uniontown,EA=tech.support@kovatchcastings.com
 ip-address 65.116.196.139
 keypair kovatch-asa
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 fqdn Kovatch-ASA
 subject-name CN=kcastings.skylan.net
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 5e4dcee845004e479117b93b90eaf197
    308203ab 30820314 a0030201 0202105e 4dcee845 004e4791 17b93b90 eaf19730 
    0d06092a 864886f7 0d010105 05003081 c4310b30 09060355 04061302 5a413115 
    30130603 55040813 0c576573 7465726e 20436170 65311230 10060355 04071309 
    43617065 20546f77 6e311d30 1b060355 040a1314 54686177 74652043 6f6e7375 
    6c74696e 67206363 31283026 06035504 0b131f43 65727469 66696361 74696f6e 
    20536572 76696365 73204469 76697369 6f6e3119 30170603 55040313 10546861 
    77746520 53657276 65722043 41312630 2406092a 864886f7 0d010901 16177365 
    72766572 2d636572 74734074 68617774 652e636f 6d301e17 0d303830 31313030 
    30303030 305a170d 31313031 30393233 35393539 5a3081c0 3120301e 06035504 
    0a131776 706e2e6b 6f766174 63686361 7374696e 67732e63 6f6d313b 30390603 
    55040b13 32476f20 746f2068 74747073 3a2f2f77 77772e74 68617774 652e636f 
    6d2f7265 706f7369 746f7279 2f696e64 65782e68 746d6c31 22302006 0355040b 
    13195468 61777465 2053534c 31323320 63657274 69666963 61746531 19301706 
    0355040b 1310446f 6d61696e 2056616c 69646174 65643120 301e0603 55040313 
    1776706e 2e6b6f76 61746368 63617374 696e6773 2e636f6d 30819f30 0d06092a 
    864886f7 0d010101 05000381 8d003081 89028181 00852945 95e56e88 23e369d2 
    19a2172a 7f5c0ace 890a19e2 70218ff2 5a2753b1 14a88a6c ed7b0765 d9f3fae8 
    e23b7970 621983f8 ac2707f4 29a2c603 b6c607a0 c40096a8 b159134e ff24872e 
    61caab25 5db5ac2f 29f9092e d9e46480 15f5d763 cee671bb 2c32acbe 9a9c6028 
    d3c7f4a1 b99c0ba0 70a9e254 6ebdd5aa bfae74c0 a1020301 0001a381 9f30819c 
    300c0603 551d1301 01ff0402 30003039 0603551d 1f043230 30302ea0 2ca02a86 
    28687474 703a2f2f 63726c2e 74686177 74652e63 6f6d2f54 68617774 65536572 
    76657243 412e6372 6c301d06 03551d25 04163014 06082b06 01050507 03010608 
    2b060105 05070302 30320608 2b060105 05070101 04263024 30220608 2b060105 
    05073001 86166874 74703a2f 2f6f6373 702e7468 61777465 2e636f6d 300d0609 
    2a864886 f70d0101 05050003 81810072 e88850e9 2c0dfdc9 0f6680b7 33666d82 
    a236cf6c 471eddce 969bcd79 348c6eb7 104c06c9 dc1772bd cfa060eb c20284a5 
    24e83b32 0b8ff030 12944930 f7e4965f 13e4b5a3 8ea3854c 771f50de 9e2d9a0c 
    4c11469e caa41e1e 7600e088 1defc653 5ba19672 ceb9f59b b4c40960 0c7ec0e5 
    5face4df 831652ba 4de35bb7 1f7b03
  quit
crypto ca certificate chain ASDM_TrustPoint2
 certificate ca 01
    30820313 3082027c a0030201 02020101 300d0609 2a864886 f70d0101 04050030 
    81c4310b 30090603 55040613 025a4131 15301306 03550408 130c5765 73746572 
    6e204361 70653112 30100603 55040713 09436170 6520546f 776e311d 301b0603 
    55040a13 14546861 77746520 436f6e73 756c7469 6e672063 63312830 26060355 
    040b131f 43657274 69666963 6174696f 6e205365 72766963 65732044 69766973 
    696f6e31 19301706 03550403 13105468 61777465 20536572 76657220 43413126 
    30240609 2a864886 f70d0109 01161773 65727665 722d6365 72747340 74686177 
    74652e63 6f6d301e 170d3936 30383031 30303030 30305a17 0d323031 32333132 
    33353935 395a3081 c4310b30 09060355 04061302 5a413115 30130603 55040813 
    0c576573 7465726e 20436170 65311230 10060355 04071309 43617065 20546f77 
    6e311d30 1b060355 040a1314 54686177 74652043 6f6e7375 6c74696e 67206363 
    31283026 06035504 0b131f43 65727469 66696361 74696f6e 20536572 76696365 
    73204469 76697369 6f6e3119 30170603 55040313 10546861 77746520 53657276 
    65722043 41312630 2406092a 864886f7 0d010901 16177365 72766572 2d636572 
    74734074 68617774 652e636f 6d30819f 300d0609 2a864886 f70d0101 01050003 
    818d0030 81890281 8100d3a4 506ec8ff 566be6cf 5db6ea0c 687547a2 aac2da84 
    25fca8f4 4751da85 b5207494 861e0f75 c9e90861 f5066d30 6e151902 e952c062 
    db4d999e e26a0c44 38cdfebe e3640970 c5feb16b 29b62f49 c83bd427 04251097 
    2fe7906d c0284299 d74c43de c3f5216d 549f5dc3 58e1c0e4 d95bb0b8 dcb47bdf 
    363ac2b5 662212d6 870d0203 010001a3 13301130 0f060355 1d130101 ff040530 
    030101ff 300d0609 2a864886 f70d0101 04050003 81810007 fa4c695c fb95cc46 
    ee85834d 21308eca d9a86f49 1ae6da51 e360706c 846111a1 1ac8483e 59437d4f 
    953da18b b70b6298 7a758add 884e4e9e 40dba8cc 3274b96f 0dc6e3b3 440bd98a 
    6f9a299b 9918283b d1e34028 9a5a3cd5 b5e7201b 8bcaa4ab 8de951d9 e24c2c59 
    a9dab9b2 751bf642 f2efc7f2 18f989bc a3ff8a23 2e7047
  quit
crypto isakmp identity address 
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 5
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable inside
 enable outside
 csd image disk0:/securedesktop-asa-3.2.0.136-k9.pkg
 svc image disk0:/sslclient-win-1.1.4.176.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.1.0148-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.1.2
 dns-server value 192.168.1.6
 vpn-simultaneous-logins 7
 default-domain value KCI.COM
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value VPNPool
 webvpn
  homepage value http://CITRIX1.KCI.COM/Citrix/MetaFrame/auth/login.aspx
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy VendorGrpPolicy internal
group-policy VendorGrpPolicy attributes
 banner none
 wins-server value 192.168.1.2
 dns-server value 192.168.1.6
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 7
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value KCI.COM
 split-dns none
 intercept-dhcp disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 msie-proxy pac-url none
 vlan none
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value VPNPool
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  url-list none
  filter none
  homepage value http://CITRIX1.KCI.COM/Citrix/MetaFrame/auth/login.aspx
  port-forward name Application Access
  mapi disable
  http-proxy disable
  sso-server none
  svc dtls enable
  svc mtu 1406
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  svc modules none
  svc profiles none
  svc ask none default webvpn
  customization value DfltCustomization
  keep-alive-ignore 4
  http-comp gzip
  user-storage none
  storage-objects value cookies,credentials
  storage-key none
  hidden-shares none
  smart-tunnel disable
  activex-relay enable
  file-entry enable
  file-browsing enable
  url-entry enable
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
  smart-tunnel auto-signon disable
username terrar password yXn4/Pxlf9JDDXON encrypted
username barbk password DwL.ixm5YMfXTQj2 encrypted
username frankl password BCXjIvSQaufm9syt encrypted
username admin password HMZXO7wYcE4p3Kzr encrypted privilege 15
username davide password rFQXvjXaXW6ysS/5 encrypted
username johnkl password GlZCaTHHbRIzL1EX encrypted
username darren.ash password B.LahK4jiYLMYj66 encrypted
username darren.ash attributes
 webvpn
  customization value DfltCustomization
username dmathis password qQgzr2DrB2ZBFwQk4OOLHQ== nt-encrypted
username dougk password smrpSjpJUMHc5W2c encrypted
username markb password gJOhbxp7tL26QGi2 encrypted
username mattn password H2QFHNn1YzVJHSfJ encrypted
username markn password f5zr1g7SK2.iu0QO encrypted
username bobbieb password P13K1Mwodcquao4F encrypted
username bobbic password rkwTQaT0k6xRXLj/ encrypted
username robg password Orw.iGJpy97RpMMa encrypted
username bobe password 0wasy/MlZmdIBpJY encrypted
username nancyc password HZqEoSmwgeF3.V8G encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) RobotVPN-Pool
 address-pool (outside) RobotVPN-Pool
 address-pool VPNPool
 authentication-server-group (inside) LOCAL
 authentication-server-group (outside) LOCAL
 strip-realm
 strip-group
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key test
 peer-id-validate nocheck
 isakmp keepalive disable
 isakmp ikev1-user-authentication none
tunnel-group KCI-VPN type remote-access
tunnel-group KCI-VPN general-attributes
 address-pool VPNPool
tunnel-group KCI-VPN ipsec-attributes
 pre-shared-key pezz!fu$!
tunnel-group KCI-VENDOR type remote-access
tunnel-group KCI-VENDOR general-attributes
 address-pool VPNPool
 default-group-policy VendorGrpPolicy
tunnel-group KCI-VENDOR ipsec-attributes
 pre-shared-key tabs3743kova!
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
smtp-server 192.168.1.1
prompt hostname context 
Cryptochecksum:092a3262df8f014ac9041a5c33ab745b
: end

                                  

This question has been solved and asker verified.

Asked On: 2009-08-05 at 12:33:44 (ID 24629318)
Tags: IPSec, VPN, ASA
Topics: Cisco PIX Firewall, Virtual Private Networking (VPN), Networking Hardware Firewalls
Participating Experts: 3
Points: 500
Comments: 14


Answers

 

by bmeyer1908, posted on 2009-08-05 at 13:13:43 (ID: 25027613)

Try a static translation for the DMZ to the inside to the same IP addresses you have on the DMZ.

example: static (inside,DMZ) 167.141.67.0 167.141.67.0 netmask 255.255.255.0 0 0

 

by rgonser, posted on 2009-08-05 at 13:24:55 (ID: 25027734)

Still no luck. Could it have to do with the no forward?
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 7.1.4.6 255.255.255.248
!
interface Vlan3
 description Connects to the Shell Robot PLC
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.9.1 255.255.255.0

 

by Jay_Gridley, posted on 2009-08-06 at 03:00:14 (ID: 25031566)

I have some trouble understanding what is going on, since you have several tunnels configured.

I see in your diagram that "XO comm" is connecting from the outside.
Which tunnel-group do they use to connect? And which username?
Can you get a tunnel up and no traffic is passing? Or don't you get any connection at all?

Also, do your other tunnels work as expected?

Please let me know so I can help you further.

JG.

 

by rgonser, posted on 2009-08-06 at 05:03:07 (ID: 25032229)

They would use the VENDOR tunnel group. I was trying remotely last night and I couldn't even get a connection going with the Cisco VPN client on the KCI-VENDOR tunnel or the KCI-VPN tunnel.

Thanks

 

by Jay_Gridley, posted on 2009-08-06 at 06:39:54 (ID: 25033150)

I've been going over your config. It's a bit confusing still, as you seem to have VPN enabled on every interface.
There are also a lot of options enabled on the group-policies.

I would personally remove:
crypto isakmp enable inside
crypto isakmp enable dmz
Unless you actually have users on the inside or dmz of your network connecting through VPN to your ASA to get somewhere.

Also this route:
route dmz 172.16.9.0 255.255.255.0 172.16.9.1 1
is a bit redundant, as that network is already configured on that interface to begin with.

However, I don't think these things should interfere with your VPN.

I assume that your regular VPN users are actually able to connect. So what I want to do is remove the extensive group policy and recreate it with minimal requirements. To keep things clear.
In general you just want the vendor to connect the same way as your regular users, but just don't allow them to go into the LAN, but into the DMZ.

To make sure the vendor only gets to the DMZ I want to try using split tunneling. There are other ways, but I think this is the most straightforward at this point. If you don't agree with split tunnel I would suggest we first try to get the tunnel going and then look for another solution.

First take out the old policy:
no group-policy VendorGrpPolicy attributes
should take care of things, but make sure it is really gone.

First we need the split tunnel acl:

access-list SplitTunnelVendor standard permit 172.16.9.0 255.255.255.0

Now create a new policy:
group-policy VendorGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnelVendor
 address-pools value VPNPool

We also need to exempt from NAT. We can use the same access-list that you already have:
nat (dmz) 0 access-list inside_nat0_outbound

Finally, I think you know this, but I wanted to make sure:
You have to create a separate VPN profile to send to your vendor. I've created a screenshot of setting this up and attached it here.

Let me know how things turn out.
If you still can't connect, please post your revised config.

Good luck!

JG

 

by: rgonser | Posted on 2009-08-06 at 06:52:09 | ID: 25033303

Yes, I had the inside int enabled so I could test it from the inside network. I was able to get the VPN working on my own, however, I still cannot access the 172.16.9.x network..

I connect to the VPN, attempt to ping 172.16.9.50 and I get 100% packet loss, and on the firewall logs I see:
"No translation group found for icmp src inside:10.254.254.1 dst robotplc:172.16.9.50 (type 8, code 0)"

Does this have to do with the "no forward int vlan1" on the vlan 3 int?

Thank you!

 

by: Jay_Gridley | Posted on 2009-08-06 at 07:03:34 | ID: 25033451

No, the problem is that you don't tell the ASA not to NAT your traffic.

Add this line:
nat (dmz) 0 access-list inside_nat0_outbound

 

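The "No translation group found" message quoted a few posts up, and the nat 0 exemption Jay_Gridley suggests here, both come down to the order in which the ASA walks its nat statements. The following is an added example, not code from this thread or from Cisco: a simplified Python model of that walk, fed constructed config lines taken from the posted configuration, so you can see why the ping fails before the exemption entry exists and passes after it. The function names, the flow classifications and the simplified ordering rules are assumptions of the model.

```python
"""Simplified model of ASA 8.0 NAT-rule selection for one flow (added example)."""
import ipaddress

# Constructed sample: the NAT-relevant lines before the extra exemption entries.
CONFIG_BEFORE = """\
access-list inside_nat0_outbound extended permit ip 172.16.9.0 255.255.255.0 10.254.254.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.254.254.0 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Constructed sample: the same lines plus the exemption for VPN-pool to PLC
# traffic and the matching 'nat (robotplc) 0' statement for the return path.
CONFIG_AFTER = CONFIG_BEFORE + """\
access-list inside_nat0_outbound extended permit ip any 172.16.9.0 255.255.255.0
nat (robotplc) 0 access-list inside_nat0_outbound
"""


def _addr(tokens, i):
    """Consume one ACE address spec (any | host A | A MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect permit-ip ACEs, nat statements and global pools from config text."""
    acls, nats, pools = {}, [], set()
    for line in text.splitlines():
        t = line.split()
        if len(t) > 5 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _addr(t, 5)
            dst, _ = _addr(t, i)
            acls.setdefault(t[1], []).append((src, dst))
        elif t and t[0] == "nat":
            iface, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                nats.append((iface, nat_id, "acl", t[4]))
            else:  # nat (iface) N NET MASK
                nats.append((iface, nat_id, "net",
                             ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)))
        elif t and t[0] == "global":
            pools.add((t[1].strip("()"), int(t[2])))
    return acls, nats, pools


def check_flow(config, ingress, src, dst, egress):
    """Classify one flow as 'exempt', 'translated', 'no-translation-group' or 'untranslated'.

    Assumed ordering (simplified): NAT exemption (nat 0 access-list) on the
    ingress interface is consulted first, then the remaining nat statements
    for that interface in configuration order.
    """
    acls, nats, pools = parse_config(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mine = [n for n in nats if n[0] == ingress]
    exempt = [n for n in mine if n[2] == "acl" and n[1] == 0]
    ordered = exempt + [n for n in mine if n not in exempt]
    for _, nat_id, kind, arg in ordered:
        if kind == "acl":
            hit = any(s in a and d in b for a, b in acls.get(arg, []))
        else:
            hit = s in arg
        if not hit:
            continue
        if nat_id == 0:
            return "exempt"
        # A matching nat id needs a global pool on the egress interface;
        # without one the ASA logs "No translation group found".
        return "translated" if (egress, nat_id) in pools else "no-translation-group"
    return "untranslated"


if __name__ == "__main__":
    # The ping from the thread: VPN-pool client arriving on inside, PLC behind robotplc.
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, check_flow(cfg, "inside", "10.254.254.1", "172.16.9.50", "robotplc"))
```

Return traffic from the PLC only becomes exempt once a `nat (robotplc) 0` statement references the same access-list, which is the second half of the fix.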
by: rgonser | Posted on 2009-08-06 at 07:37:33 | ID: 25033882

Added that and still no go.. I'm really thinking it's the no forward that's stopping it..? We have the base license, and from what I've read it sounds like you need the Security Plus license to be able to do this...

Here's the code now >>

VPN is working..
Still no responses from ping 172.16.9.x network..

enable password $$$$$ encrypted
passwd $$$$$ encrypted
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.2.3.4 255.255.255.248 
!
interface Vlan3
 description Connects to the Shell Robot PLC
 no forward interface Vlan1
 nameif robotplc
 security-level 100
 ip address 172.16.9.1 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login AUTHORIZED ACCESS ONLY
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.6
 domain-name KCI.COM
object-group service WebServices tcp
 description DNS, HTTP, HTTPS, FTP
 port-object eq ftp
 port-object eq www
 port-object eq https
object-group service iMacServices tcp
 port-object eq aol
 port-object eq 587
 port-object eq 995
 port-object eq 26002
 port-object eq 5678
 port-object eq 465
object-group service VNC tcp
 port-object range 5800 5900
object-group service DM_INLINE_TCP_2 tcp
 port-object eq pop3
 port-object eq smtp
object-group service DM_INLINE_TCP_3 tcp
 port-object eq pop3
 port-object eq smtp
access-list outside_access_in extended permit icmp any 67.91.154.104 255.255.255.248 
access-list outside_access_in remark Allows only MXLogic to be able to connect to our email server.
access-list outside_access_in extended permit tcp 208.65.144.0 255.255.248.0 interface outside eq smtp 
access-list outside_access_in remark Allows MXLogic Server to Connect
access-list outside_access_in extended permit tcp host 208.65.144.245 interface outside eq smtp 
access-list KovatchCastings_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.16.9.0 255.255.255.0 10.254.254.0 255.255.255.240 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.254.254.0 255.255.255.240 
access-list inside_nat0_outbound extended permit ip any 172.16.9.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 10.254.254.0 255.255.255.240 
access-list inside_access_in remark Allows ONLY KCI-FNP to transmit outbound email (blackberry)
access-list inside_access_in extended permit tcp host 192.168.1.2 any eq smtp 
access-list inside_access_in remark Allows ONLY AS/400 to transmit outbound email
access-list inside_access_in extended permit tcp host 192.168.1.1 any eq smtp 
access-list inside_access_in extended permit udp any eq domain 192.168.1.0 255.255.255.0 
access-list inside_access_in remark Allows WebServices (HTTP, HTTPS, and FTP)
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group WebServices 
access-list inside_access_in remark Required for FileSrvG2 to operate with BlackBerry SRP
access-list inside_access_in extended permit tcp host 192.168.1.2 any eq 3101 
access-list inside_access_in remark Allows KCI to make DNS queries to Internet servers
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any eq domain 
access-list inside_access_in remark Allows Rob Gonser to pull/send RoadRunner email
access-list inside_access_in extended permit tcp host 192.168.1.125 75.180.132.0 255.255.255.0 object-group DM_INLINE_TCP_2 
access-list inside_access_in remark John Kleinhenz Outlook Windstream (email)
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 166.102.165.0 255.255.255.0 object-group DM_INLINE_TCP_3 
access-list inside_access_in extended permit tcp host 192.168.1.10 any object-group iMacServices 
access-list inside_access_in extended permit udp host 192.168.1.10 any 
access-list inside_access_in remark Allow outbound access to FlashMail
access-list inside_access_in extended permit tcp any host 131.123.247.97 eq 8008 
access-list inside_access_in remark BettsIND.com
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 host 65.110.96.32 
access-list IPSEC-USERS_splitTunnelAcl standard permit any 
pager lines 24
logging enable
logging console debugging
logging monitor alerts
logging asdm informational
logging from-address cisco-asa@kovatchcastings.com
logging recipient-address david.mathis@kovatchcastings.com level critical
mtu inside 1500
mtu outside 1500
mtu robotplc 1500
ip local pool VPNPool 10.254.254.1-10.254.254.10 mask 255.255.255.0
ip local pool RobotVPN-Pool 172.16.9.100-172.16.9.110 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-615.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (robotplc) 0 access-list inside_nat0_outbound
static (inside,outside) tcp interface smtp 192.168.1.1 smtp netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 67.91.154.105 1
route robotplc 172.16.9.0 255.255.255.0 172.16.9.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server FileSrvG4 protocol ldap
aaa-server FileSrvG4 (inside) host 192.168.1.6
 server-type auto-detect
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map IPSec_map 65535 set security-association lifetime seconds 28800
crypto map IPSec_map 65535 set security-association lifetime kilobytes 4608000
crypto map ipsec_map 65535 set security-association lifetime seconds 28800
crypto map ipsec_map 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map0 interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map robotplc_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map robotplc_map interface robotplc
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 fqdn vpn.kovatchcastings.com
 email tech.support@kovatchcastings.com
 subject-name CN=vpn.kovatchcastings.com,OU=MIS,O=Kovatch Castings Inc,C=US,St=Ohio,L=Uniontown,EA=tech.support@kovatchcastings.com
 ip-address 65.116.196.139
 keypair kovatch-asa
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 fqdn Kovatch-ASA
 subject-name CN=kcastings.skylan.net
 no client-types
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 enrollment terminal
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 5e4dcee845004e479117b93b90eaf197
  quit
crypto ca certificate chain ASDM_TrustPoint2
 certificate ca 01
  quit
crypto isakmp identity address 
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable robotplc
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 5
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable inside
 enable outside
 enable robotplc
 csd image disk0:/securedesktop-asa-3.2.0.136-k9.pkg
 svc image disk0:/sslclient-win-1.1.4.176.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.1.0148-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.1.2
 dns-server value 192.168.1.6
 vpn-simultaneous-logins 7
 default-domain value KCI.COM
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value VPNPool
 webvpn
  homepage value http://CITRIX1.KCI.COM/Citrix/MetaFrame/auth/login.aspx
  svc dtls none
  svc keep-installer none
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
username terry password $$$$$ encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) RobotVPN-Pool
 address-pool (outside) RobotVPN-Pool
 address-pool VPNPool
 authentication-server-group (inside) LOCAL
 authentication-server-group (outside) LOCAL
 strip-realm
 strip-group
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key test
 peer-id-validate nocheck
 isakmp keepalive disable
 isakmp ikev1-user-authentication none
tunnel-group KCI-VPN type remote-access
tunnel-group KCI-VPN general-attributes
 address-pool VPNPool
tunnel-group KCI-VPN ipsec-attributes
 pre-shared-key $$$$$
tunnel-group DfltGrpPolicy type remote-access
tunnel-group DfltGrpPolicy general-attributes
 address-pool VPNPool
tunnel-group DfltGrpPolicy ipsec-attributes
 pre-shared-key $$$$$
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
smtp-server 192.168.1.1
prompt hostname context 
Cryptochecksum:c3af26cde5551f7eed2dfea3e361c0d5
: end
ypted
username terry attributes
 webvpn
  customization value DfltCustomization
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) RobotVPN-Pool
 address-pool (outside) RobotVPN-Pool
 address-pool VPNPool
 authentication-server-group (inside) LOCAL
 authentication-server-group (outside) LOCAL
 strip-realm
 strip-group
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key test
 peer-id-validate nocheck
 isakmp keepalive disable
 isakmp ikev1-user-authentication none
tunnel-group KCI-VPN type remote-access
tunnel-group KCI-VPN general-attributes
 address-pool VPNPool
tunnel-group KCI-VPN ipsec-attributes
 pre-shared-key $$$$$
tunnel-group KCI-VENDOR type remote-access
tunnel-group KCI-VENDOR general-attributes
 address-pool VPNPool
 address-pool VPNpool
 default-group-policy VendorGrpPolicy
tunnel-group KCI-VENDOR ipsec-attributes
 pre-shared-key $$$$$
tunnel-group DfltGrpPolicy type remote-access
tunnel-group DfltGrpPolicy general-attributes
 address-pool VPNPool
tunnel-group DfltGrpPolicy ipsec-attributes
 pre-shared-key $$$$$
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
no tunnel-group-map enable peer-ip
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
smtp-server 192.168.1.1
prompt hostname context 
Cryptochecksum:6bfc58b55933bd0eb52f984296fcac15
: end

 

by: rgonser | Posted on 2009-08-06 at 07:59:36 | ID: 25034189

I decided to get into ASDM and have a look. I ran a packet trace from 10.254.254.1 (VPNpool address) to 172.16.9.1 (vlan3 address) and the result is packet dropped, and the reason it says is "(rpf-violated) reverse-path verify failed"

Any ideas from that?

 

by: rgonser | Posted on 2009-08-06 at 08:05:34 | ID: 25034273

Here's a screenshot..

[Attachment: packetrace.JPG, 59 KB. Caption: Attempt to ping from VPN address to the VLAN 3 subnet.]
 

by: Jay_Gridley | Posted on 2009-08-07 at 13:38:34 | ID: 25046701

According to Cisco documentation this RPF is a mechanism in use to prevent spoofing attacks by checking the source of the ip address to the interface and checking if it should be coming from that interface, according to routing information:

This counter is incremented when ip verify reverse-path is configured on an interface and the security appliance receives a packet for which the route lookup of the source IP did not yield the same interface as the one on which the packet was received.

As you are in this case sure there is no spoofing attack going on, you might consider removing the "ip verify reverse-path" from the inside interface:
no ip verify reverse-path interface inside

See if that solves it.

 

by: rgonser | Posted on 2009-08-10 at 05:01:00 | ID: 25059058

I removed RPF from the inside interface, and I still can't access that vlan. Except now it's being stopped by an access list..

 

by: rgonser | Posted on 2009-08-10 at 07:31:41 | ID: 25060217

I'm still thinking this might be a licensing issue? With the no forward interface command stopping the pings/traffic.. ?

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html

Can anyone confirm or denounce this?

 

by: ikalmar | Posted on 2009-08-10 at 11:11:43 | ID: 25062413

Yep, if you bought a 5505 it has a restricted license, you must buy the Security Plus license to use a third VLAN interface!!!!!
