netcmh
asked on
ASA 5510 VPN DMZ
Greetings all,
I've looked around and have not found an answer. So please help :)
I have an ASA 5510 with IOS 8.2
It has 3 interfaces which I'm using : External, Internal, DMZ
All's working fine now, with local LAN behind Internal, browsing, ftp, etc. Local LAN has 192.168.1.0
I'm using the ASA for a Site-to-Site VPN: also working. This VPN allows the remote site to connect to our segment behind the DMZ int.
Also, the ASA is our RA box, with users VPN-ing into it to get access to the LAN behind the Internal int.
I'm tasked with adding another VPN access - this time cisco VPN clients are required to access one server behind the DMZ int.
Have worked with http://www.petenetlive.com/KB/Article/0000071.htm as a guide. Step by step instructions were followed, and yet I couldn't get access to that server.
At first I got the "Reverse-path verify failed" error on packet-tracer, which I've temporarily rectified by removing the "ip verify reverse-path interface DMZ" line
Right now I'm getting the "Flow is denied by configured rule". Checking which access rule is dropping the packets, it's the DMZ implicit rule which denies packets coming from source any to destination any with ip service.
I have the proper route command, the proper nat0 config set, and yet I run into this issue.
Please help.
Relevant config is attached. And, thanks for looking
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.16.2.1 255.255.255.0
access-list dmz_nat0_outbound extended permit ip host 192.168.9.1 172.16.200.0 255.255.255.0
access-list Client1 standard permit host 192.168.9.1
ip local pool Restricted_VPN_IP_Pool 172.16.200.1-172.16.200.254 mask 255.255.255.0
nat-control
nat (dmz) 0 access-list dmz_nat0_outbound
route dmz 192.168.9.1 255.255.255.255 172.16.2.2 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
group-policy Client1 internal
group-policy Client1 attributes
dns-server value 192.168.1.2 192.168.1.6
vpn-filter value Client1
vpn-tunnel-protocol IPSec
default-domain value company.prv
username Client1 password xxxxxxxxx encrypted privilege 0
username Client1 attributes
vpn-group-policy Client1
service-type remote-access
tunnel-group Client1 type remote-access
tunnel-group Client1 general-attributes
address-pool Restricted_VPN_IP_Pool
default-group-policy Client1
tunnel-group Client1 ipsec-attributes
pre-shared-key *
just remove the vpn-filter value Client1 from the group policy and see
ASKER
I need that filter, but for testing, I've removed it - no luck. Still the same error
Type the command: sysopt connection permit-vpn
kindly provide your whole config
ASKER
I've already made sure that I had that in. Whole config might take some time
Any specific areas you're interested in?
ASKER
My concern stems from the fact that I have a site-to-site already in place. And this new requirement is on top of that. Could the previous be blocking my current?
Are you using the packet tracer to get the error?
If not, give the packet tracer output for the traffic between the VPN pool and the DMZ.
Without seeing the whole config, I can't conclude on your point.
ASKER
asafirewall#packet-tracer input dmz tcp 172.16.200.1 3389 192.168.9.1 3389 detail
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8476560, priority=12, domain=capture, deny=false
hits=13241, user_data=0xd8476a90, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7b0a238, priority=1, domain=permit, deny=false
hits=11750, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.9.1 255.255.255.255 dmz
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7b0ac78, priority=111, domain=permit, deny=true
hits=15, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
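The trace above ends at the dmz interface's implicit deny, with input-interface and output-interface both dmz. As an added example (not code from the thread or from Cisco), the script below parses `packet-tracer ... detail` output into phases, reports the phase that dropped the packet, and flags that same-interface (hairpin) condition. It assumes only the Phase/Result layout visible in the pasted trace; SAMPLE is that trace, trimmed to the lines the parser reads.

```python
"""Triage helper for Cisco ASA `packet-tracer ... detail` output.

Added example, not code from the thread. Splits a trace into phases, reports
the DROP phase, and flags a hairpin (same input and output interface), which
the ASA denies unless `same-security-traffic permit intra-interface` is set.
"""
import re

# Trace pasted in the thread, trimmed to the lines the parser reads.
SAMPLE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.9.1 255.255.255.255 dmz
Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
in id=0xd7b0ac78, priority=111, domain=permit, deny=true
Result:
input-interface: dmz
output-interface: dmz
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_trace(text):
    """Return (phases, summary): per-phase dicts and the trailing Result block."""
    phases, summary, cur, in_summary = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Result:":                      # bare header opens the summary block
            in_summary, cur = True, None
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:                                      # new phase; detail lines default to "info"
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "",
                   "config": [], "info": [], "_sec": "info"}
            phases.append(cur)
            continue
        if cur is None:
            continue
        key, sep, value = line.partition(":")
        if sep and key in ("Type", "Subtype", "Result"):
            cur[key.lower()] = value.strip()
        elif sep and key in ("Config", "Additional Information") and not value.strip():
            cur["_sec"] = "config" if key == "Config" else "info"
        else:
            cur[cur["_sec"]].append(line)
    return phases, summary


def triage(text):
    """Summarise the first DROP phase and flag an intra-interface (hairpin) flow."""
    phases, summary = parse_trace(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    inp, out = summary.get("input-interface"), summary.get("output-interface")
    report = {"drop_phase": drop["phase"] if drop else None,
              "hairpin": bool(inp) and inp == out, "findings": []}
    if drop:
        report["findings"].append(
            f"phase {drop['phase']} {drop['type']}: {summary.get('Drop-reason', 'no reason given')}")
        if "Implicit Rule" in drop["config"]:
            report["findings"].append("dropped by the interface's implicit deny, not by a named ACL")
    if report["hairpin"]:
        report["findings"].append(
            f"hairpin: packet enters and leaves on '{inp}'; denied unless "
            "same-security-traffic permit intra-interface is set, or the test used the "
            "wrong input interface (decrypted VPN traffic enters on the tunnel interface)")
    return report
```

On this trace the script reports a hairpin on dmz, and that is expected for the test as typed: `packet-tracer input dmz` injects a packet with a pool source on dmz, the route sends it back out dmz, and the intra-interface deny fires before nat0 or the route matter. Decrypted remote-access traffic enters on the interface the crypto map is bound to, so the equivalent test is `packet-tracer input outside tcp 172.16.200.1 1025 192.168.99.5 3389`. The earlier "Reverse-path verify failed" came from the same dmz-input test, since a pool source is not reachable via dmz; it is not a reason to drop `ip verify reverse-path interface dmz`.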
ASKER
Please ask for specific areas. The ASA config is a large amount to prune before posting.
kindly provide the full config
From where did you generate the traffic? DMZ to VPN users, or vice versa?
ASKER
It's from VPN users to DMZ
ASKER
At the expense of being monotonous, please ask for specific areas of the config - ACLs, cryptos, routes etc.
ASKER
Does it have to do with the interface security levels?
ASKER
Here's the whole config. Hope you can help now.
The IPs are real now. So please ask away:
hostname asafirewall
domain-name company.prv
names
name 172.16.1.0 VPNUsers
name 10.0.0.197 CO01-SMTP
name 10.0.0.194 CO01-DNS
name 10.0.0.203 COM01
name 10.0.0.202 COMAS011B
name 161.168.228.14 CLMAS012c
name 161.168.228.13 CLMAS012a
name 161.165.202.14 CLMAS012d
name 161.165.202.13 CLMAS012b
name 10.0.0.253 COIS0101
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0 standby 10.0.0.252
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.16.253.2 255.255.255.248 standby 172.16.253.3
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
domain-name company.prv
object-group service COAS2 tcp
port-object range 4080 4080
port-object range 5080 5080
object-group service ExchangeAccess tcp
port-object eq www
port-object eq pop3
port-object eq https
port-object eq imap4
object-group service Phones udp
port-object range 16400 16999
port-object eq 2427
object-group network CLMAS012
network-object CLMAS012b 255.255.255.255
network-object CLMAS012d 255.255.255.255
network-object CLMAS012a 255.255.255.255
network-object CLMAS012c 255.255.255.255
object-group icmp-type icmp-allowed
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.194 eq domain
access-list outside_access_in extended permit udp any host xxx.xxx.xxx.194 eq domain
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.197 eq smtp
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.195 object-group ExchangeAccess
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.200 eq pptp
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp object-group CLMAS012 host xxx.xxx.xxx.202 object-group COAS2 log
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.202 object-group COAS2
access-list outside_access_in extended permit udp any host xxx.xxx.xxx.204 object-group Phones
access-list outside_access_in remark For IP phones
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 VPNUsers 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 102 standard permit 192.168.96.0 255.255.224.0
access-list 102 standard permit 10.0.0.0 255.255.255.0
access-list cvpnclient_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list cvpnclient_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list outside_cryptomap_dyn_31 extended permit ip any 172.16.2.0 255.255.255.0
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.2.0 255.255.255.0
access-list user1_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list user1_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list outside_cryptomap_20 extended permit ip 192.168.98.0 255.255.255.240 10.20.28.0 255.255.252.0
access-list dmz_nat0_outbound extended permit ip 192.168.98.0 255.255.255.240 10.20.28.0 255.255.252.0
access-list dmz_nat0_outbound extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0
access-list DMZ_access_out extended permit tcp 10.20.28.0 255.255.252.0 host 192.168.98.1 eq telnet
access-list DMZ_access_out extended permit icmp 10.20.28.0 255.255.252.0 192.168.98.0 255.255.255.240
access-list DMZ_access_out extended deny ip 10.20.28.0 255.255.252.0 any
access-list TAC extended permit ip host 1.1.1.1 host 2.2.2.2
access-list TESTVPN_splitTunnelAcl standard permit host 192.168.99.5
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging trap errors
logging history warnings
logging asdm informational
logging host inside COIS0101
logging host inside 192.168.100.9
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool CiscoVPN 172.16.2.1-172.16.2.254 mask 255.255.255.0
ip local pool Restricted_VPN_IP_Pool 172.16.200.1-172.16.200.254 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
failover
failover lan unit primary
failover lan interface folink Ethernet0/3
failover link folink Ethernet0/3
failover interface ip folink 192.168.253.1 255.255.255.252 standby 192.168.253.2
no monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any echo dmz
icmp permit any echo-reply dmz
asdm image disk0:/asdm-625-53.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
static (inside,outside) xxx.xxx.xxx.195 COM01 netmask 255.255.255.255 dns
static (inside,outside) xxx.xxx.xxx.194 CO01-DNS netmask 255.255.255.255 dns
static (inside,outside) xxx.xxx.xxx.197 CO01-SMTP netmask 255.255.255.255 dns
static (inside,outside) 192.168.98.2 192.168.98.2 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.202 COMAS011B netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.204 10.0.0.152 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.200 COIS0101 netmask 255.255.255.255
access-group outside_access_in in interface outside
!
router ospf 1
network xxx.xxx.xxx.192 255.255.255.192 area 0
log-adj-changes
!
route outside 10.20.28.0 255.255.252.0 xxx.xxx.xxx.193 1
route dmz 192.168.98.0 255.255.255.240 172.16.253.1 1
route dmz 192.168.99.5 255.255.255.255 172.16.253.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host COIS0101
timeout 60
key xxxxxx
aaa-server XauthVPN protocol radius
aaa-server XauthVPN (inside) host 192.168.100.2
timeout 60
key xxxxxxxx
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 dmz
snmp-server host dmz 192.168.100.9 community XXXXXX
no snmp-server location
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps entity config-change fru-insert fru-remove
auth-prompt prompt Welcome to the company Internet
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-none
crypto ipsec transform-set company esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TUNNEL_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map users 11 set transform-set ESP-3DES-SHA
crypto dynamic-map users 31 match address outside_cryptomap_dyn_11
crypto dynamic-map users 31 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map remote 20 match address outside_cryptomap_20
crypto map remote 20 set peer yyy.yyy.yyy.150
crypto map remote 20 set transform-set TUNNEL_ESP_3DES_MD5
crypto map remote 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map remote 65535 ipsec-isakmp dynamic users
crypto map remote interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 200.9.49.66 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.100.4 source inside prefer
ntp server 192.168.100.2 source inside prefer
webvpn
group-policy 1 internal
group-policy 1 attributes
dns-server value 192.168.100.4 192.168.100.2
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 102
default-domain value company.prv
group-policy mygroup internal
group-policy mygroup attributes
vpn-idle-timeout 30
group-policy bvftun internal
group-policy cvpnclient internal
group-policy cvpnclient attributes
dns-server value 192.168.100.2 192.168.100.4
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cvpnclient_splitTunnelAcl
default-domain value company.prv
group-policy TESTVPN internal
group-policy TESTVPN attributes
dns-server value 192.168.100.2 192.168.100.6
vpn-filter value TESTVPN_splitTunnelAcl
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TESTVPN_splitTunnelAcl
default-domain value company.prv
username TESTVPN password XXXXXXXXX encrypted privilege 0
username TESTVPN attributes
vpn-group-policy TESTVPN
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
authentication-server-group RADIUS
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group mygroup type remote-access
tunnel-group mygroup general-attributes
authentication-server-group RADIUS
default-group-policy mygroup
tunnel-group 1 type remote-access
tunnel-group 1 general-attributes
address-pool CiscoVPN
authentication-server-group RADIUS
authorization-server-group RADIUS
default-group-policy 1
tunnel-group 1 ipsec-attributes
pre-shared-key *
tunnel-group cvpnclient type remote-access
tunnel-group cvpnclient general-attributes
address-pool CiscoVPN
authentication-server-group RADIUS
default-group-policy cvpnclient
tunnel-group cvpnclient ipsec-attributes
pre-shared-key *
tunnel-group yyy.yyy.yyy.150 type ipsec-l2l
tunnel-group yyy.yyy.yyy.150 general-attributes
default-group-policy bvftun
tunnel-group yyy.yyy.yyy.150 ipsec-attributes
pre-shared-key *
tunnel-group TESTVPN type remote-access
tunnel-group TESTVPN general-attributes
address-pool Restricted_VPN_IP_Pool
default-group-policy TESTVPN
tunnel-group TESTVPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
smtp-server 10.0.0.203
prompt hostname context
ASKER
Any luck?
just remove the match address command on your dynamic crypto map entries and try. I don't think it's required. I believe seq no 31 on your dynamic crypto is for your remote access vpn.
Kindly let me know.
ASKER
I need those matches:
crypto dynamic-map users 31 match address outside_cryptomap_dyn_11
crypto map remote 20 match address outside_cryptomap_20
No, 31 is for my other vpn users. The one I'm interested in is group-policy TESTVPN internal
ASKER
Don't mean to rush you, but do you think we could solve this today? I've got a deadline that I'd very much like to meet. Thanks for your help so far.
in your full config there is no entry like
access-list dmz_nat0_outbound extended permit ip host 192.168.9.1 172.16.200.0 255.255.255.0
route dmz 192.168.9.1 255.255.255.255 172.16.2.2 1
I hope there is no access-list applied on your DMZ interface.
ASKER
I had edited the initial entries, but the pasted config is correct and I do have the corresponding lines:
access-list dmz_nat0_outbound extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0
route dmz 192.168.99.5 255.255.255.255 172.16.253.1 1
Also, the packet tracer is dying at an implicit deny rule on the DMZ int. See pics
1.JPG
2.JPG
vpn-filter value TESTVPN_splitTunnelAcl
just remove the above command and do a trace , just for testing
ASKER
same trace, same result
type the below command and see
access-list DMZ_access_out extended permit ip host 192.168.99.5 host 172.16.200.1
access-group DMZ_access_out in int DMZ
also change your split acl to
no access-list TESTVPN_splitTunnelAcl standard permit host 192.168.99.5
access-list TESTVPN_splitTunnelAcl extended permit host 192.168.99.5 host 172.16.200.0 255.255.255.0
also tell me this 172.16.200.1 is reachable from your ASA
ASKER
You mean:
access-list AMP_Tools_splitTunnelAcl extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0
?
172.16.200.1 is not pingable from the ASA. It's an IP the client gets once connected
3.JPG
ASKER
Still the same
ASKER
Anything else I can try? - that would help you decipher this?
access-list AMP_Tools_splitTunnelAcl, what is this?
please share the actual configs, otherwise it will create too much confusion
is the client now connected or not?
how are you doing the packet trace without connecting the client?
Is 192.168.99.5 REACHABLE from the ASA?
ASKER
ok those are the actual configs now. Sorry about trying to sanitize my configs
client connects to the VPN alright, no issues, gets the IP from the pool 172.16.200.X
doing the packet trace from the packet tracer on the ASA
No the 99.5 is not reachable from the ASA, it's behind a couple of switches.
first we need to make 99.5 reachable ,
ASKER
my bad, I meant not pingable. A diff admin handles the switches. icmp's blocked.
can you do RDP to 99.5 from the DMZ lan . I just want to make sure connectivity is there or not
ASKER
no I can't
because port 3389 is used for RDP.
ok, any other PC in DMZ that we can test from VPN (at least PING)?
if so, change the FW config accordingly
ASKER
I'm coordinating with the other admin and we'll try to wireshark it
ASKER
we're going to start in a couple of mins. But, while we're doing that - is there anything on the ASA config that might be preventing that communication? Just to make sure.
ok lets make the connection up to 99.5
ASKER
you're sure that there's nothing on the asa's side preventing this, right?
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.2.0 255.255.255.0
ASKER
I'm sorry, I don't understand. You're saying that that access-list is preventing the 172.16.200.0 network communicating with 192.168.99.5?
sorry by mistake I added the above line please ignore that
then add the below command
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.200.0 255.255.255.0
try ?
just add the above command and see its working or not ?
just enable the logging buffer on the firewall and give me the log output while transferring packets from client to 99.5
ASKER
the outside_cryptomap_dyn_11 access-list is for another VPN group, accessing a server on the inside
I need one accessing the server on the dmz
its ok just add it and see its working or not ?
any way 99.5 should be reachable from the DMZ network for things to work properly
did you solve that ?
same-security-traffic permit intra-interface
ASKER
I'm sorry, I was away trying out the wireshark, Just popped back in and saw DanJ's comment
Could you elaborate? Is that the only command I need?
i dont think that command will help you , any way try .
did you try my work around
The output of packet-tracer shows the input and output interface is the same (dmz).
input-interface: dmz
input-status: up
input-line-status: up
output-interface: dmz
By default the asa will not permit the traffic that enters one interface to exit the same interface. That command would allow you to do that.
since your vpn client are from outside please select interface as outside and then try the packet tracer
instead of doing packet tracer, try from the actual client machine
ASKER
same-security-traffic permit intra-interface
is not an option due to security concerns.
if I select the outside interface, I get the "Reverse-path verify failed" error. From the actual machine vpning in, running wireshark gets me nothing
ASKER
As I understand it, when the vpn clients connect to my asa, my external interface takes care of setting up a session with them. It then assigns them an IP and drops them inside the asa. It's from there that they need to traverse past the dmz int and get to the other side of the int.
So, I think DanJ is correct in analyzing the packet trace. Anything else that I can do to get this to work.
Remember that the site-to-site tunnel is working
then add the below command
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.200.0 255.255.255.0
did you try this
ASKER
Tried it, nothing
give me the show log output ,after enabling the logging
99.5 is reachable or still not from the DMZ network? why can't you try some other PC that has PING reply enabled.
ASKER
because it's the switch which has ping disabled. all the devices are behind the switch
ASKER
PLEASE help!!!
give me your show log output
ASKER
I'm sure this isn't what you want
show log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: disabled
Trap logging: level errors, facility 20, 775267971 messages logged
Logging to inside LOGSERVER
Logging to inside 192.168.100.10
History logging: level warnings, 777334953 messages logged
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 1820437542 messages logged
please respond quickly ,as the time is running out
first you have to enable the logging
conf t
logging enable
logging buffered 7
I prefer you try the connectivity test from the actual vpn client.
ASKER
ok, ran those commands and tried vpn-ing in, connected, then tried rdp-ing into 192.168.99.5
then give me the log output
ASKER
asafirewall# sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 11875 messages logged
Trap logging: level errors, facility 20, 775268310 messages logged
Logging to inside LOGSERVER
Logging to inside 192.168.100.10
History logging: level warnings, 777335350 messages logged
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 1820453768 messages logged
:00:00 bytes 413
Jul 20 2010 14:25:39: %ASA-7-609001: Built local-host outside:214.252.124.32
Jul 20 2010 14:25:39: %ASA-6-302013: Built outbound TCP connection 532601426 for outside:214.252.124.32/80 (214.252.124.32/80) to inside:LOGSERVER/45953 (214.136.89.200/45953)
Jul 20 2010 14:25:39: %ASA-6-302013: Built outbound TCP connection 532601427 for outside:65.54.51.28/443 (65.54.51.28/443) to inside:LOGSERVER/45954 (214.136.89.200/45954)
Jul 20 2010 14:25:39: %ASA-6-302016: Teardown UDP connection 532601425 for outside:4.2.2.2/53 to inside:COMPANYAP01-DNS/278 7 duration 0:00:00 bytes 161
Jul 20 2010 14:25:39: %ASA-6-302013: Built outbound TCP connection 532601428 for outside:161.168.214.15/443 (161.168.214.15/443) to inside:LOGSERVER/45955 (214.136.89.200/45955)
Jul 20 2010 14:25:39: %ASA-6-302013: Built outbound TCP connection 532601429 for outside:161.168.214.15/443 (161.168.214.15/443) to inside:LOGSERVER/45957 (214.136.89.200/45957)
Jul 20 2010 14:25:39: %ASA-6-302013: Built outbound TCP connection 532601430 for outside:65.54.81.177/80 (65.54.81.177/80) to inside:LOGSERVER/45959 (214.136.89.200/45959)
Jul 20 2010 14:25:39: %ASA-6-302014: Teardown TCP connection 532601339 for outside:65.54.81.177/80 to inside:LOGSERVER/45432 duration 0:00:16 bytes 15836 TCP FINs
Jul 20 2010 14:25:39: %ASA-6-302014: Teardown TCP connection 532601340 for outside:65.54.81.177/80 to inside:LOGSERVER/45433 duration 0:00:16 bytes 7947 TCP FINs
J 20 2010 14:25:41: %ASA-7-609002: Teardown local-host outside:74.86.214.201 duration 0:00:09
Jul 20 2010 14:25:41: %ASA-7-711002: Task ran for 3 msec, Process = ssh, PC = 8b9ac8c, Traceback =
Jul 20 2010 14:25:41: %ASA-7-711002: Task ran for 3 msec, Process = ssh, PC = 8b9ac8c, Traceback = 0x08B9AC8C 0x08B9F32D 0x08B9F57F 0x08B9F653 0x08870CB4 0x08B16E19 0x08B1623B 0x08878A6F 0x08871C20 0x08948384 0x08948441 0x08871A97 0x08871B01 0x08879AC6
Jul 20 2010 14:25:41: %ASA-7-609001: Built local-host outside:69.147.112.160
Jul 20 2010 14:25:41: %ASA-6-302013: Built outbound TCP connection 532601438 for outside:69.147.112.160/80 (69.147.112.160/80) to inside:LOGSERVER/46019 (214.136.89.200/46019)
Jul 20 2010 14:25:41: %ASA-6-302016: Teardown UDP connection 532600374 for outside:207.171.179.1/53 to inside:COMPANYAP01-DNS/550 95 duration 0:02:03 bytes 47
Jul 20 2010 14:25:41: %ASA-7-609002: Teardown local-host outside:207.171.179.1 duration 0:02:03
Jul 20 2010 14:25:41: %ASA-6-302013: Built outbound TCP connection 532601439 for outside:161.168.214.15/443 (161.168.214.15/443) to inside:LOGSERVER/46023 (214.136.89.200/46023)
Jul 20 2010 14:25:41: %ASA-6-302014: Teardown TCP connection 532601427 for outside:65.54.51.28/443 to inside:LOGSERVER/45954 duration 0:00:02 bytes 2744 TCP FINs
Jul 20 2010 14:25:41: %ASA-7-609002: Teardown local-host outside:65.54.51.28 duration 0:00:03
Jul 20 2010 14:25:41: %ASA-6-302014: Teardown TCP connection 532599985 for outside:214.27.70.120/80 to inside:LOGSERVER/40859 duration 0:02:41 bytes 12727 TCP Reset-O
Jul 20 2010 14:25:41: %ASA-7-609002: Teardown local-host outside:214.27.70.120 duration 0:02:41
Jul 20 2010 14:25:41: %ASA-6-302014: Teardown TCP connection 532601428 for outside:161.168.214.15/443 to inside:LOGSERVER/45955 duration 0:00:02 bytes 0 TCP FINs
Jul 20 2010 14:25:41: %ASA-6-302014: Teardown TCP connection 532601436 for outside:174.129.210.179/80 to inside:LOGSERVER/46011 duration 0:00:00 bytes 1021 TCP FINs
Jul 20 2010 14:25:41: %ASA-7-609002: Teardown local-host outside:174.129.210.179 duration 0:00:00
Jul 20 2010 14:25:41: %ASA-7-609001: Built local-host outside:208.65.145.76
Jul 20 2010 14:25:41: %ASA-6-302013: Built inbound TCP connection 532601440 for outside:208.65.145.76/5963 8 (208.65.145.76/59638) to inside:COMPANYAP01-SMTP/25 (214.136.89.197/25)
Jul 20 2010 14:25:41: %ASA-7-609001: Built local-host outside:66.96.140.21
Jul 20 2010 14:25:41: %ASA-6-302015: Built inbound UDP connection 532601441 for outside:66.96.140.21/8441 (66.96.140.21/8441) to inside:COMPANYAP01-DNS/53 (214.136.89.194/53)
asafirewall# :25:41: %ASA-6-302016: Teardown UDP connection 532601441 fo
asafirewall# sh log
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 12014 messages logged
Trap logging: level errors, facility 20, 775268310 messages logged
Logging to inside LOGSERVER
Logging to inside 192.168.100.10
History logging: level warnings, 777335351 messages logged
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 1820453844 messages logged
10 14:25:43: %ASA-6-302014: Teardown TCP connection 532601458 for outside:153.2.229.56/443 to inside:LOGSERVER/46076 duration 0:00:00 bytes 5225 TCP FINs
Jul 20 2010 14:25:43: %ASA-7-609002: Teardown local-host outside:153.2.229.56 duration 0:00:00
Jul 20 2010 14:25:43: %ASA-6-302013: Built outbound TCP connection 532601464 for outside:153.2.224.60/443 (153.2.224.60/443) to inside:LOGSERVER/46091 (214.136.89.200/46091)
Jul 20 2010 14:25:43: %ASA-6-302014: Teardown TCP connection 532601432 for outside:115.248.72.9/2848 to inside:COMPANYAP01-SMTP/25 duration 0:00:03 bytes 0 TCP FINs
Jul 20 2010 14:25:43: %ASA-7-609002: Teardown local-host outside:115.248.72.9 duration 0:00:03
Jul 20 2010 14:25:43: %ASA-6-302014: Teardown TCP connection 532601462 for outside:62.67.50.29/80 to inside:LOGSERVER/5990 duration 0:00:00 bytes 11188 TCP FINs
Jul 20 2010 14:25:43: %ASA-7-609002: Teardown local-host outside:62.67.50.29 duration 0:00:00
Jul 20 2010 14:25:43: %ASA-7-609001: Built local-host outside:82.228.240.131
Jul 20 2010 14:25:43: %ASA-6-302013: Built inbound TCP connection 532601465 for outside:82.228.240.131/128 96 (82.228.240.131/12896) to inside:COMPANYAP01-SMTP/25 (214.136.89.197/25)
Jul 20 2010 14:25:44: %ASA-6-302014: Teardown TCP connection 532601465 for outside:82.228.240.131/128 96 to inside:COMPANYAP01-SMTP/25 duration 0:00:00 bytes 0 TCP FINs
Jeardown TCP connection 532600616 for outside:207.114.197.86/80 to inside:LOGSERVER/14972 duration 0:01:38 bytes 870 TCP Reset-I
Jul 20 2010 14:25:45: %ASA-6-302014: Teardown TCP connection 532600598 for outside:65.55.18.18/80 to inside:LOGSERVER/15034 duration 0:01:40 bytes 1304 TCP Reset-I
Jul 20 2010 14:25:45: %ASA-6-302014: Teardown TCP connection 532600608 for outside:199.93.34.126/80 to inside:LOGSERVER/15030 duration 0:01:39 bytes 1006 TCP FINs
Jul 20 2010 14:25:45: %ASA-6-302014: Teardown TCP connection 532600697 for outside:72.14.204.149/80 to inside:LOGSERVER/15162 duration 0:01:33 bytes 671 TCP Reset-I
Jul 20 2010 14:25:45: %ASA-6-302014: Teardown TCP connection 532600564 for outside:65.55.17.26/80 to inside:LOGSERVER/15047 duration 0:01:43 bytes 39761 TCP Reset-I
Jul 20 2010 14:25:45: %ASA-6-302014: Teardown TCP connection 532601473 for outside:65.54.81.185/80 to inside:LOGSERVER/5996 duration 0:00:00 bytes 0 TCP Reset-I
Jul 20 2010 14:25:45: %ASA-6-302013: Built outbound TCP connection 532601469 for outside:66.235.133.14/80 (66.235.133.14/80) to inside:LOGSERVER/46134 (214.136.89.200/46134)
Jul 20 2010 14:25:45: %ASA-7-609001: Built local-host outside:207.114.197.85
Jul 20 2010 14:25:45: %ASA-6-302015: Built outbound UDP connection 532601470 for outside:207.114.197.85/53 (207.114.197.85/53) to inside:COMPANYAP01-DNS/575 23 (214.136.89.194/57523)
Jul 20 2010 14:25:45: %ASA-7-609001: Built local-host outside:214.176.177.83
Jul 20 2010 14:25:45: %ASA-6-302015: Built outbound UDP connection 532601471 for outside:214.176.177.83/53 (214.176.177.83/53) to inside:COMPANYAP01-DNS/491 85 (214.136.89.194/49185)
Jul 20 2010 14:25:45: %ASA-6-302016: Teardown UDP connection 532601470 for outside:207.114.197.85/53 to inside:COMPANYAP01-DNS/575 23 duration 0:00:00 bytes 104
Jul 20 2010 14:25:45: %ASA-7-609002: Teardown local-host outside:207.114.197.85 duration 0:00:00
Jul 20 2010 14:25:45: %ASA-6-302016: Teardown UDP connection 532601471 for outside:214.176.177.83/53 to inside:COMPANYAP01-DNS/491 85 duration 0:00:00 bytes 168
Jul 20 2010 14:25:45: %ASA-7-609002: Teardown local-host outside:214.176.177.83 duration 0:00:00
Jul 20 2010 14:25:45: %ASA-6-302014: Teardown TCP connection 532601466 for outside:178.223.144.240/21 89 to inside:COMPANYAP01-SMTP/25 duration 0:00:01 bytes 0 TCP FINs
Jul 20 2010 14:25:45: %ASA-7-609002: Teardown local-host outside:178.223.144.240 duration 0:00:01
Jul 20 2010 14:25:45: %ASA-6-302013: Built outbound TCP connection 532601472 for outside:65.54.81.185/80 (65.54.81.185/80) to inside:LOGSERVER/5981 (214.136.89.200/5981)
Jul 20 2010 14:25:45: %ASA-6-302013: Built outbound TCP connection 532601473 for outside:65.54.81.185/80 (65.54.81.185/80) to inside:LOGSERVER/5996 (214.136.89.200/5996)
ASKER
You do realise
ASKER
Sorry, you do realize that I'm on my company's firewall, and that I have hundreds of connections at the same time, would you much rather I filter my real time logs for you?
that's good, in ASDM you just filter it and run the test again
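The filtering the expert asks for can also be done off-box. The following is an added example, not code from the thread: a small Python script that keeps only the ASA syslog lines mentioning the Restricted_VPN_IP_Pool range 172.16.200.0/24 or the DMZ server 192.168.99.5, and tallies any %ASA-4-106023 access-group denies by interface pair. The sample lines, their addresses and the ACL name "outside_access_in" are constructed in the same format as the output above.

```python
"""Filter ASA syslog output down to the VPN-pool and DMZ-server traffic."""
import ipaddress
import re
from collections import Counter

# "%ASA-<severity>-<message id>: <body>" header present on every line.
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<body>.*)$")
# Any dotted-quad in the body (the ASA prints names like LOGSERVER for named
# hosts, but the numeric address still appears in parentheses or after src/dst).
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# %ASA-4-106023 layout:
#   Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>" [..]
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<sif>[\w-]+):(?P<sip>[\d.]+)(?:/\d+)? '
    r'dst (?P<dif>[\w-]+):(?P<dip>[\d.]+)(?:/\d+)? by access-group "(?P<acl>[^"]+)"'
)

# Addresses taken from the thread: the VPN pool range and the DMZ server.
INTERESTING = (
    ipaddress.ip_network("172.16.200.0/24"),
    ipaddress.ip_network("192.168.99.5/32"),
)


def parse_asa_line(line):
    """Split one syslog line into severity, message id, body and the IPs it mentions."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    body = m.group("body")
    addrs = []
    for text in IPV4_RE.findall(body):
        try:
            addrs.append(ipaddress.ip_address(text))
        except ValueError:  # e.g. an octet above 255 in a mangled line
            continue
    return {"severity": int(m.group("sev")), "msgid": m.group("msgid"),
            "body": body, "addrs": addrs}


def is_interesting(line, nets=INTERESTING):
    """True when the line mentions any address inside the networks under test."""
    rec = parse_asa_line(line)
    if rec is None:
        return False
    return any(addr in net for addr in rec["addrs"] for net in nets)


def filter_log(lines, nets=INTERESTING):
    """Keep only the lines that involve the VPN pool or the DMZ server."""
    return [line for line in lines if is_interesting(line, nets)]


def summarize_denies(lines):
    """Count 106023 access-group denies by (src iface, dst iface, acl name)."""
    counts = Counter()
    for line in lines:
        rec = parse_asa_line(line)
        if rec is None or rec["msgid"] != "106023":
            continue
        d = DENY_RE.search(rec["body"])
        if d is not None:
            counts[(d.group("sif"), d.group("dif"), d.group("acl"))] += 1
    return counts


# Constructed sample lines in the format of the output posted above; the
# addresses, connection ids and the ACL name "outside_access_in" are made up.
SAMPLE_LOG = [
    "Jul 20 2010 14:25:39: %ASA-6-302013: Built outbound TCP connection 532601426 "
    "for outside:203.0.113.10/80 (203.0.113.10/80) to inside:LOGSERVER/45953 (198.51.100.200/45953)",
    "Jul 20 2010 14:25:39: %ASA-6-302016: Teardown UDP connection 532601425 "
    "for outside:4.2.2.2/53 to inside:COMPANYAP01-DNS/2787 duration 0:00:00 bytes 161",
    "Jul 20 2010 14:25:58: %ASA-4-106023: Deny tcp src outside:203.0.113.77/4433 "
    'dst inside:198.51.100.197/25 by access-group "outside_access_in" [0x0, 0x0]',
    "Jul 20 2010 14:26:01: %ASA-6-302013: Built inbound TCP connection 532601500 "
    "for outside:172.16.200.1/51300 (172.16.200.1/51300) to inside:192.168.1.10/445 (192.168.1.10/445)",
    "Jul 20 2010 14:26:02: %ASA-4-106023: Deny tcp src outside:172.16.200.1/51301 "
    'dst dmz:192.168.99.5/3389 by access-group "outside_access_in" [0x0, 0x0]',
]

if __name__ == "__main__":
    for line in filter_log(SAMPLE_LOG):
        print(line)
    for (sif, dif, acl), n in summarize_denies(filter_log(SAMPLE_LOG)).items():
        print(f"{n} deny(s) {sif} -> {dif} by {acl}")
```

Feed it the buffered log (`show logging` output saved to a file, one line per entry) instead of SAMPLE_LOG to see only the VPN client's flows and which ACL, if any, is dropping them.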
ASKER
I'm baffled
give me the tracert to 99.5 from client pc
and the vpn client -->statistics-->route
give me show crypto ipsec sa for the vpn client output from firewall as well
ASKER
tracert results
1. * * * request timed out
2. * * * request timed out
3. * * * request timed out
4. * * * request timed out
Route details:
Local Lan routes: Empty
Secured routes:
0.0.0.0 0.0.0.0
ASKER
asafirewall# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: XXX.XXX.XXX.XXX
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.200.1/255.255.255.255/0/0)
current_peer: 69.211.136.71, username: user1
dynamic allocated peer ip: 172.16.200.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: XXX.XXX.XXX.XXX/4500, remote crypto endpt.: 69.211.136.71/52465
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 8FFE12AF
inbound esp sas:
spi: 0x282E3932 (674117938)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 585728, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 27985
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x8FFE12AF (2415792815)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 585728, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 27984
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Is the config pasted the running one or a manipulated one, except for password and public IP?
If not, provide me the running config of your FW.
ASKER
pasted config is running config
Is there a problem with the VPN client? Routes and all.
What I can see is that there are no packets going through the tunnel. If there is any firewall client running on the VPN client, just disable it, then reconnect the VPN client and do a traceroute.
If it's a Windows PC, you should disable the Windows firewall too.
ASKER
No antivirus, no firewall on that test laptop
ASKER
Windows firewall also turned off
Is it a Windows PC? Then disable the Windows built-in firewall.
Also give me the tunnel details from the client during the test.
Did you add the below command?
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.200.0 255.255.255.0
Kindly give me your current running config.
ASKER
Tunnel details
client: 172.16.200.1
server: XXX.XXX.XXX.XXX
bytes sent /received: 0
packets encrypted, decrypted, bypassed: 0
packets discarded: 220
connection info:
entry: companyvpn
time: 5mins
crypto:
encryption: 128bit AES
authentication: HMAC-SHA1
transport:
transparent tunnelling: active on udp port 4500
local lan: disabled
compression: none
ASKER
It's the same as above with that access-list you've listed
Now the problem is that none of the packets are going through the tunnel.
Just add the below commands on the firewall and see:
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.200.0 255.255.255.0
access-list outside_cryptomap_dyn_11 extended permit ip 172.16.200.0 255.255.255.0 any
ASKER
ASA Version 8.2(1)
!
hostname asafirewall
domain-name company.prv
names
name 172.16.1.0 VPNUsers
name 10.0.0.197 CO01-SMTP
name 10.0.0.194 CO01-DNS
name 10.0.0.203 COM01
name 10.0.0.202 COMAS01B
name 161.168.228.14 CLMAS012c
name 161.168.228.13 CLMAS012a
name 161.165.202.14 CLMAS012d
name 161.165.202.13 CLMAS012b
name 10.0.0.253 COIS0101
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0 standby 10.0.0.252
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.16.253.2 255.255.255.248 standby 172.16.253.3
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
domain-name company.prv
object-group service COMAS2 tcp
port-object range 4080 4080
port-object range 5080 5080
object-group service ExchangeAccess tcp
port-object eq www
port-object eq pop3
port-object eq https
port-object eq imap4
object-group service Phones udp
port-object range 16400 16999
port-object eq 2427
object-group network CLMAS012
description Wal-Mart COMAS2 traffic incomming
network-object CLMAS012b 255.255.255.255
network-object CLMAS012d 255.255.255.255
network-object CLMAS012a 255.255.255.255
network-object CLMAS012c 255.255.255.255
object-group icmp-type icmp-allowed
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.194 eq domain
access-list outside_access_in extended permit udp any host xxx.xxx.xxx.194 eq domain
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.197 eq smtp
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.195 object-group ExchangeAccess
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.200 eq pptp
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp object-group CLMAS012 host xxx.xxx.xxx.202 object-group COMAS2 log
access-list outside_access_in extended permit tcp any host xxx.xxx.xxx.202 object-group COMAS2
access-list outside_access_in extended permit udp any host xxx.xxx.xxx.204 object-group Phones
access-list outside_access_in remark For IP phones
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 VPNUsers 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 102 standard permit 192.168.96.0 255.255.224.0
access-list 102 standard permit 10.0.0.0 255.255.255.0
access-list cvpnclient_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list cvpnclient_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list outside_cryptomap_dyn_31 extended permit ip any 172.16.2.0 255.255.255.0
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.2.0 255.255.255.0
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.200.0 255.255.255.0
access-list user1_splitTunnelAcl standard permit 10.0.0.0 255.255.255.0
access-list user1_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list outside_cryptomap_20 extended permit ip 192.168.98.0 255.255.255.240 10.20.28.0 255.255.252.0
access-list dmz_nat0_outbound extended permit ip 192.168.98.0 255.255.255.240 10.20.28.0 255.255.252.0
access-list dmz_nat0_outbound extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5
access-list DMZ_access_out extended permit tcp 10.20.28.0 255.255.252.0 host 192.168.98.1 eq telnet
access-list DMZ_access_out extended permit icmp 10.20.28.0 255.255.252.0 192.168.98.0 255.255.255.240
access-list DMZ_access_out extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5
access-list DMZ_access_out extended deny ip 10.20.28.0 255.255.252.0 any
access-list TAC extended permit ip host 1.1.1.1 host 2.2.2.2
access-list AMP_Tools_splitTunnelAcl extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging buffered debugging
logging trap errors
logging history warnings
logging asdm informational
logging host inside COIS0101
logging host inside 192.168.100.9
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool CiscoVPN 172.16.2.1-172.16.2.254 mask 255.255.255.0
ip local pool Restricted_VPN_IP_Pool 172.16.200.1-172.16.200.254 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
failover
failover lan unit primary
failover lan interface folink Ethernet0/3
failover link folink Ethernet0/3
failover interface ip folink 192.168.253.1 255.255.255.252 standby 192.168.253.2
no monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any echo dmz
icmp permit any echo-reply dmz
asdm image disk0:/asdm-625-53.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
static (inside,outside) xxx.xxx.xxx.195 COM01 netmask 255.255.255.255 dns
static (inside,outside) xxx.xxx.xxx.194 CO01-DNS netmask 255.255.255.255 dns
static (inside,outside) xxx.xxx.xxx.197 CO01-SMTP netmask 255.255.255.255 dns
static (inside,outside) 192.168.98.2 192.168.98.2 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.202 COMAS01B netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.204 10.0.0.152 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.200 COIS0101 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group DMZ_access_out in interface dmz
!
router ospf 1
network xxx.xxx.xxx.192 255.255.255.192 area 0
log-adj-changes
!
route outside 10.20.28.0 255.255.252.0 xxx.xxx.xxx.193 1
route dmz 192.168.98.0 255.255.255.240 172.16.253.1 1
route dmz 192.168.99.5 255.255.255.255 172.16.253.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host COIS0101
timeout 60
key xxxxxx
aaa-server XauthVPN protocol radius
aaa-server XauthVPN (inside) host 192.168.100.2
timeout 60
key xxxxx
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 dmz
snmp-server host dmz 192.168.100.9 community XXXXXX
no snmp-server location
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps entity config-change fru-insert fru-remove
auth-prompt prompt Welcome to the T. company Internet
service resetoutside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-none
crypto ipsec transform-set company esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TUNNEL_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map users 11 set transform-set ESP-3DES-SHA
crypto dynamic-map users 31 match address outside_cryptomap_dyn_11
crypto dynamic-map users 31 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map remote 20 match address outside_cryptomap_20
crypto map remote 20 set peer YYY.YYY.YYY.YYY
crypto map remote 20 set transform-set TUNNEL_ESP_3DES_MD5
crypto map remote 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map remote 65535 ipsec-isakmp dynamic users
crypto map remote interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh version 1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.100.4 source inside prefer
ntp server 192.168.100.2 source inside prefer
webvpn
group-policy 1 internal
group-policy 1 attributes
dns-server value 192.168.100.4 192.168.100.2
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 102
default-domain value company.prv
group-policy mygroup internal
group-policy mygroup attributes
vpn-idle-timeout 30
group-policy bvftun internal
group-policy cvpnclient internal
group-policy cvpnclient attributes
dns-server value 192.168.100.2 192.168.100.4
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cvpnclient_splitTunnelAcl
default-domain value company.prv
group-policy AMP_Tools internal
group-policy AMP_Tools attributes
dns-server value 192.168.100.2 192.168.100.6
vpn-filter value AMP_Tools_splitTunnelAcl
vpn-tunnel-protocol IPSec
default-domain value company.prv
username amp_tools password xxxxxxxx encrypted privilege 0
username amp_tools attributes
vpn-group-policy AMP_Tools
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
authentication-server-group RADIUS
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group mygroup type remote-access
tunnel-group mygroup general-attributes
authentication-server-group RADIUS
default-group-policy mygroup
tunnel-group 1 type remote-access
tunnel-group 1 general-attributes
address-pool CiscoVPN
authentication-server-group RADIUS
authorization-server-group RADIUS
default-group-policy 1
tunnel-group 1 ipsec-attributes
pre-shared-key *
tunnel-group cvpnclient type remote-access
tunnel-group cvpnclient general-attributes
address-pool CiscoVPN
authentication-server-group RADIUS
default-group-policy cvpnclient
tunnel-group cvpnclient ipsec-attributes
pre-shared-key *
tunnel-group YYY.YYY.YYY.YYY type ipsec-l2l
tunnel-group YYY.YYY.YYY.YYY general-attributes
default-group-policy bvftun
tunnel-group YYY.YYY.YYY.YYY ipsec-attributes
pre-shared-key *
tunnel-group AMP_Tools type remote-access
tunnel-group AMP_Tools general-attributes
address-pool Restricted_VPN_IP_Pool
default-group-policy AMP_Tools
tunnel-group AMP_Tools ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
smtp-server 10.0.0.203
prompt hostname context
Cryptochecksum:26bc203f0217569b8d197af4e9f8ff95
: end
ASKER
Put those lines in, still nothing.
ASKER
No success in tracert or RDP.
For testing, add the below command:
no crypto dynamic-map users 31 match address outside_cryptomap_dyn_11
If even after adding this the tunnel details show 0, then try to connect the VPN client from some other PC.
ASKER
DanJ:
I reverted all my configs to original and followed your advice and have tested with the packet tracer. Here's the output:
asafirewall# packet-tracer input dmz tcp 172.16.200.1 1125 192.168.99.5 3389 detail
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd8476560, priority=12, domain=capture, deny=false
hits=13327, user_data=0xd8476a90, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7b0a238, priority=1, domain=permit, deny=false
hits=11780, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.99.5 255.255.255.255 dmz
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_access_out in interface dmz
access-list DMZ_access_out extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd83760e8, priority=12, domain=permit, deny=false
hits=3, user_data=0xd6873400, cs_id=0x0, flags=0x0, protocol=0
src ip=172.16.200.0, mask=255.255.255.0, port=0
dst ip=192.168.99.5, mask=255.255.255.255, port=0, dscp=0x0
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7b0c838, priority=0, domain=permit-ip-option, deny=true
hits=1914, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7a350d0, priority=20, domain=lu, deny=false
hits=59, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
nat-control
match ip dmz host 192.168.99.5 dmz 172.16.200.0 255.255.255.0
NAT exempt
translate_hits = 0, untranslate_hits = 4
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7d59c00, priority=6, domain=nat-exempt-reverse, deny=false
hits=3, user_data=0xd78dcab8, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=172.16.200.0, mask=255.255.255.0, port=0
dst ip=192.168.99.5, mask=255.255.255.255, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (dmz) 0 0.0.0.0 0.0.0.0
nat-control
match ip dmz any outside any
no translation group, implicit deny
policy_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd78afc20, priority=0, domain=host, deny=false
hits=3568, user_data=0xd78af808, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd7b0c838, priority=0, domain=permit-ip-option, deny=true
hits=1915, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (dmz) 0 0.0.0.0 0.0.0.0
nat-control
match ip dmz any outside any
no translation group, implicit deny
policy_hits = 0
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd78afc20, priority=0, domain=host, deny=false
hits=3569, user_data=0xd78af808, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 532818227, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: dmz
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
I get through all the way. But, when my clients connect, they can't get to the server. What gives?
I reverted all my configs to original and followed your advice and have tested with the packet tracer. Here's the output:
asafirewall# packet-tracer input dmz tcp 172.16.200.1 1125 192.168.99.5 3389 detail
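Reading a long packet-tracer dump by eye is how this question started ("Flow is denied by configured rule"), and the trace above allows every phase yet enters and leaves on dmz. The script below is an added example, not code from the asker, the respondents or Cisco: it parses a trace into its phases, reports the first phase whose result is not ALLOW together with the summary Drop-reason and the config lines that matched, and flags a same-interface hairpin. SAMPLE_TRACE is constructed, a shortened trace in the layout the asker posted, ending in the acl-drop result; the function names are the example's own.

```python
"""Parse ASA 'packet-tracer ... detail' output and point at the failing phase.

Added example for this thread; not the asker's or the respondents' code and
not a Cisco tool. SAMPLE_TRACE is constructed from the phase layout posted
above, shortened to two phases and ending in the acl-drop summary.
"""
import re

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")

# Constructed sample: dmz in and dmz out like the asker's test, but with the
# ACCESS-LIST phase dropping the packet on the implicit rule.
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.99.5 255.255.255.255 dmz

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: dmz
input-status: up
output-interface: dmz
output-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return (phases, summary): one dict per 'Phase:' block and the trailing
    bare 'Result:' block as key/value pairs (input-interface, Action, ...)."""
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":            # bare 'Result:' opens the summary block
            current, section = None, "summary"
            continue
        if section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if current is None:
            continue
        key, sep, value = line.partition(":")
        if sep and key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value.strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            current[section].append(line)  # matched rule / config text
    return phases, summary


def first_non_allow(phases):
    """First phase whose Result is not ALLOW, or None when every phase passed."""
    for phase in phases:
        if phase["result"] != "ALLOW":
            return phase
    return None


def explain(text):
    """Short findings: where the packet died, and whether the test hairpins."""
    phases, summary = parse_packet_tracer(text)
    notes = []
    bad = first_non_allow(phases)
    if bad is None:
        notes.append("all %d phases ALLOW, action %s" % (len(phases), summary.get("Action", "?")))
    else:
        label = " ".join(s for s in (bad["type"], bad["subtype"]) if s)
        notes.append("phase %d (%s) result %s: %s; config: %s" % (
            bad["phase"], label, bad["result"],
            summary.get("Drop-reason", "no Drop-reason in summary"),
            "; ".join(bad["config"]) or "none"))
    inp, out = summary.get("input-interface"), summary.get("output-interface")
    if inp and inp == out:
        # Same interface in and out: the ASA forwards this only with
        # 'same-security-traffic permit intra-interface'. Decrypted VPN-client
        # traffic is processed on outside, so the realistic test is 'input outside'.
        notes.append("input and output interface are both %s: hairpin, needs "
                     "same-security-traffic permit intra-interface; for VPN clients "
                     "trace with 'input outside'" % inp)
    return notes
```

Run `explain(open("trace.txt").read())` on a pasted trace; the first note names the phase and rule that killed the packet, which is the line to look for in the config.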
ASKER
Is my test wrong? I believe that the interface should be outside. Am I right?
Did you try from another PC/laptop? Yesterday what we found is that packets are not going through the tunnel.
ASKER
I've tried with other laptops. When I put that command in, packets are going through.
You mean the below command?
no crypto dynamic-map users 31 match address outside_cryptomap_dyn_11
ASKER
No, I meant DanJ's command "same-security-traffic permit intra-interface"
I don't know how it matters, because you don't have any same-security interfaces.
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0 standby 10.0.0.252
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 172.16.253.2 255.255.255.248 standby 172.16.253.3
Anyway, get the real-time logs from ASDM + show crypto ipsec sa.
Any update?
ASKER
anoopkmr: are you there?
I want to upload my raw config to a site and want you to download it and view it. I'll erase it from that site once we're done.
Let me know when. I really need your help in this matter. Thanks
Yes, you can do it.
But how will you communicate that link to me?
ASKER
http://jump.fm/VLJOD
please let me know when you've downloaded it and I'll erase it from that server. Thanks
OK, I did.
ASKER
OK, file deleted. Anything else you need, we'll have to do it this way. Sorry.
This is your current running config, isn't it?
Also, I just want to recollect your issue. If I am not mistaken, your issue is that VPN client users cannot communicate with the DMZ LAN, isn't it?
ASKER
Yes, it's my current config - exactly.
Yes, the VPN users can get connected to the ASA and are assigned an IP. But they can't RDP into a server on the DMZ. We want to restrict them to JUST that server.
Your VPN pool: 172.16.200.1-172.16.200.254 mask 255.255.255.0
VPN clients want to communicate with: 192.168.98.0 255.255.255.240
Please clarify for me.
ASKER
VPN clients want to communicate with: 192.168.99.5
only
You are using the below tunnel group for getting connected, isn't it?
tunnel-group amp_tools type remote-access
tunnel-group amp_tools general-attributes
address-pool Restricted_VPN_Pool
default-group-policy amp_tools
tunnel-group amp_tools ipsec-attributes
pre-shared-key *
ASKER
Yes
First of all, we need to check: can 192.168.99.5 reach the firewall DMZ IP (172.16.253.2)?
Can you confirm that for me?
ASKER
If 99.5 can reach the firewall, then just copy and paste the below commands,
then try the reachability and let me know.
no access-list dmz_nat0_outbound extended permit ip host 192.168.99.5 RestrictedVPNUsers 255.255.255.0
access-list dmz_nat0_outbound extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0
access-list DMZ_access_out extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0
no access-list amp_tools_split extended permit ip host 192.168.99.5 RestrictedVPNUsers 255.255.255.0
access-list amp_tools_split extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0
no access-list outside_cryptomap_dyn_11 extended permit ip any RestrictedVPNUsers 255.255.255.0
no access-list outside_cryptomap_dyn_11 extended permit ip RestrictedVPNUsers 255.255.255.0 any
access-list outside_cryptomap_dyn_11 extended permit ip any 172.16.200.0 255.255.255.0
access-list outside_cryptomap_dyn_11 extended permit ip 172.16.200.0 255.255.255.0 any
From the test output I can see there is a connectivity problem in your LAN itself.
Is that DMZ switch a Layer 3?
Just check that the correct interface is connected to the firewall.
Can you tell me what the below parameters mean?
untagged A4
tagged Trk1
ASKER
sorry about this: http://jump.fm/QPCMF
ASKER
You see my issues? Plus, the other engineer isn't here today. But I can get on the devices and make whatever changes are necessary.
I don't know anything about ProCurve.
First try my commands listed above and see; send me the tunnel statistics from the client and show crypto ipsec sa from the FW.
ASKER
Configured with the commands.
Trying to RDP on the client.
Tunnel details
client: 172.16.200.1
server: XXX.XXX.XXX.XXX
bytes sent : 144
bytes received: 0
packets encrypted: 3
packets decrypted: 0
packets bypassed: 2
packets discarded: 327
connection info:
entry: companyvpn
time: 2mins
crypto:
encryption: 128bit AES
authentication: HMAC-SHA1
transport:
transparent tunnelling: active on udp port 4500
local lan: disabled
compression: none
tracert results
1. * * * request timed out
2. * * * request timed out
3. * * * request timed out
4. * * * request timed out
Route details:
Local Lan routes: Empty
Secured routes:
192.168.99.5 255.255.255.255
asafirewall# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: XXX.XXX.XXX.XXX
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.200.1/255.255.255.255/0/0)
current_peer: 69.211.139.78, username: amp_tools
dynamic allocated peer ip: 172.16.200.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: XXX.XXX.XXX.XXX/4500, remote crypto endpt.: 69.211.139.78/2284
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: F79A0271
inbound esp sas:
spi: 0x6DF5E7F3 (1844832243)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 712704, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28529
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000000FF
outbound esp sas:
spi: 0xF79A0271 (4154065521)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 712704, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28528
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
See, now the packets are coming to the firewall, but the server 99.5 is not replying back / reply packets from 99.5 are not reaching the firewall.
As a workaround, remove the access-list from VLAN 4 (I don't know the command) and see if the server can reach the firewall.
interface A4
ip access-group "IPsecVpn" in
Hello, waiting for your feedback.
If you need further assistance, please let me know.
ASKER
I'm stuck with that last request of yours. I don't know how to remove that ACL. I've obviously tried the no form of the command, no luck.
Wait, don't go anywhere.
Let me see.
ASKER
Done, removed that access-list from the switch. Tried with the client, still can't get to the server.
What is interface A4?
Is it interface vlan 4?
Clarify for me.
Check the reachability from the firewall to the server, or from the server to the firewall IP.
ASKER
I've done it; it was interface A4, removed the ACL from that port.
Still can't get to the server.
ASKER
Now from the ASA I can ping that server.
ASKER
and vice versa
ping from ASA to server: OK
ping from server to ASA: OK
Now just get the real-time logs from ASDM
as you did yesterday.
ASKER
Pinging from the client to 192.168.99.5:
request timed out
request timed out
request timed out
request timed out
Result on ASDM:
6|Jul 22 2010|14:24:50|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|14:24:48|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|14:24:45|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|14:24:43|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|14:24:39|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|14:24:37|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|14:24:34|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|14:24:32|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
Trying to RDP from the client.
Result on ASDM:
6|Jul 22 2010|14:26:35|302014|172.16.200.1|2369|192.168.99.5|3389|Teardown TCP connection 533606188 for outside:172.16.200.1/2369 to dmz:192.168.99.5/3389 duration 0:00:30 bytes 0 SYN Timeout (amp_tools)
6|Jul 22 2010|14:26:05|302013|172.16.200.1|2369|192.168.99.5|3389|Built inbound TCP connection 533606188 for outside:172.16.200.1/2369 (172.16.200.1/2369) to dmz:192.168.99.5/3389 (192.168.99.5/3389) (amp_tools)
Now, what is the gateway configured on that server?
ASKER
That server's at a remote location, so the gateway's its MPLS router's IP address.
ASKER
That hasn't changed; the only thing changed so far is the removal of that IP access-list on that switch.
OK.
In that MPLS router you have to add a route for 172.16.200.0 255.255.255.0.
Otherwise we have to do NAT on the firewall; let me know which one you prefer.
ASKER
NAT on the firewall would be the accepted way, thanks.
OK, just wait, I will send you the commands.
How many VPN client users will connect to this server?
ASKER
At a given time, only one or two.
Try the below commands and try initiating traffic from the client:
access-list vpn-nat extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5
nat (outside) 8 access-list vpn-nat
global (dmz) 8 interface
ASKER
Won't those commands disrupt my current ASA traffic?
No.
ASKER
Gave me a warning:
asafirewall(config)# nat (outside) 8 access-list vpn-nat
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
asafirewall(config)# global (dmz) 8 interface
INFO: dmz interface address added to PAT pool
Done, now?
ASKER
Still can't ping the server from the client, or RDP into it.
ASKER
Different error when pinging and RDP-ing:
6|Jul 22 2010|15:32:17|109025|172.16.200.1|2533|192.168.99.5|3389|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/2533 to 192.168.99.5/3389 on interface outside using TCP
6|Jul 22 2010|15:32:11|109025|172.16.200.1|2533|192.168.99.5|3389|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/2533 to 192.168.99.5/3389 on interface outside using TCP
6|Jul 22 2010|15:32:08|109025|172.16.200.1|2533|192.168.99.5|3389|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/2533 to 192.168.99.5/3389 on interface outside using TCP
6|Jul 22 2010|15:31:45|109025|172.16.200.1|1024|192.168.99.5|0|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/1024 to 192.168.99.5/0 on interface outside using ICMP
6|Jul 22 2010|15:31:39|109025|172.16.200.1|1024|192.168.99.5|0|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/1024 to 192.168.99.5/0 on interface outside using ICMP
6|Jul 22 2010|15:31:34|109025|172.16.200.1|1024|192.168.99.5|0|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/1024 to 192.168.99.5/0 on interface outside using ICMP
6|Jul 22 2010|15:31:28|109025|172.16.200.1|1024|192.168.99.5|0|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/1024 to 192.168.99.5/0 on interface outside using ICMP
Just delete those commands; we will add one-to-one NAT.
no access-list vpn-nat extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5
no nat (outside) 8 access-list vpn-nat
no global (dmz) 8 interface
static (outside,dmz) 172.16.253.x 172.16.200.1 netmask 255.255.255.255
Here, 172.16.253.x will be any free IP from your DMZ network.
172.16.200.1: I hope this is the client IP assigned. If not, change accordingly.
Expecting a quick reply, because here the time is 11PM.
Hold on, let me check that error.
ASKER
Too late, already removed.
OK, try with static NAT and let me know.
ASKER
I don't have any spare IPs in that segment
If you notice, it's the 172.16.200.0 network with the subnet mask 255.255.255.248
Network 172.16.253.0
Hosts
from 172.16.253.1
to 172.16.253.2
Broadcast Address 172.16.253.3
ASKER
Sorry: if you notice, it's the 172.16.253.0 network with the subnet mask 255.255.255.248.
No, you are wrong.
With the 255.255.255.248 mask you will have 6 free IPs:
172.16.253.1
172.16.253.2
172.16.253.3
172.16.253.4
172.16.253.5
172.16.253.6
ASKER
Yes, you're right.
I'm using 1, 2, and 3.
So your command would be
static (outside,dmz) 172.16.253.4 172.16.200.1 netmask 255.255.255.255
But that 172.16.200.1 comes from a pool, and it'll change, remember?
ASKER
This shouldn't be so complicated. I wonder if we're on the wrong path?
No, we are on the right path; that command is only for testing, otherwise you have to add the proper routing on the MPLS router.
Kindly add those commands and let me know; if it's working then we will see with policy NAT.
ASKER
OK, the command
static (outside,dmz) 172.16.253.4 172.16.200.1 netmask 255.255.255.255
is in place.
Are you sure it's not supposed to be
static (dmz, outside) 172.16.253.4 172.16.200.1 netmask 255.255.255.255
ASKER
Tried with the client, still nothing.
Give me the log.
172.16.253.4 is the free IP, isn't it?
I need the show conn output also.
ASKER
Yes, that IP is free.
6|Jul 22 2010|16:10:34|109025|172.16.200.1|2557|192.168.99.5|3389|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/2557 to 192.168.99.5/3389 on interface outside using TCP
6|Jul 22 2010|16:10:28|109025|172.16.200.1|2557|192.168.99.5|3389|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/2557 to 192.168.99.5/3389 on interface outside using TCP
6|Jul 22 2010|16:10:25|109025|172.16.200.1|2557|192.168.99.5|3389|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/2557 to 192.168.99.5/3389 on interface outside using TCP
sh conn is huge, can I filter it for a specific section?
Now what I can see is that our split tunnel rule is denying the traffic, so can you add the below line:
access-list amp_tools_split extended permit ip host 172.16.253.4 172.16.200.0 255.255.255.0
ASKER
Same error.
Just remove the split tunnel rule and see:
no access-list amp_tools_split extended permit ip host 172.16.253.4 172.16.200.0 255.255.255.0
no access-list amp_tools_split extended permit ip host 192.168.99.5 172.16.200.0 255.255.255.0
If you trust me, then give me SSH access to your firewall.
ASKER
I trust you my friend, but there's no need now. IT WORKED!!!!
ASKER
Now how do we make it dynamic?
Oh, great!
Did you remove those "amp_tools_split" access-lists?
ASKER
That's when it started working.
OK.
Now you want dynamic; no need to add those access-lists again, follow the lines:
no static (outside,dmz) 172.16.253.4 172.16.200.1 netmask 255.255.255.255
access-list vpn-nat extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5
nat (outside) 8 access-list vpn-nat
global (dmz) 8 interface
ASKER
Nope, does not work
Give me the log.
ASKER
6|Jul 22 2010|16:47:30|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:47:28|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:47:27|302014|172.16.200.1|2621|192.168.99.5|3389|Teardown TCP connection 533749231 for outside:172.16.200.1/2621 to dmz:192.168.99.5/3389 duration 0:00:30 bytes 0 SYN Timeout (amp_tools)
6|Jul 22 2010|16:47:25|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:47:22|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:47:20|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:47:17|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:47:14|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:47:12|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)
6|Jul 22 2010|16:46:57|302013|172.16.200.1|2621|192.168.99.5|3389|Built inbound TCP connection 533749231 for outside:172.16.200.1/2621 (172.16.200.1/2621) to dmz:192.168.99.5/3389 (192.168.99.5/3389) (amp_tools)
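The diagnosis in the log posts above turned on two message ids: 302014 with "SYN Timeout" and "bytes 0" (the ASA forwarded the SYN and nothing came back, which is what pointed at the missing return route on the MPLS side) and 109025 "Authorization denied (acl=amp_tools_split)" (the per-user ACL dropping the flow before it was forwarded). The script below is an added example, not code from the asker, the respondents or Cisco: it parses the pipe-delimited ASDM export, classifies each line on those ids and lists the problem flows. SAMPLE_LINES re-joins lines from the posts above, whose addresses had wrapped across ASDM columns; the function names are the example's own.

```python
"""Triage ASDM real-time log lines (pipe-delimited export) for a VPN-client flow.

Added example for this thread; not the asker's or the respondents' code and
not a Cisco tool. SAMPLE_LINES re-joins lines the asker pasted above; the
message ids are the ASA 8.2 syslog ids seen in those posts.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Taken from the thread's posts and re-joined; column order is the ASDM export:
# severity|date|time|msg id|src ip|src port|dst ip|dst port|message text.
SAMPLE_LINES = [
    "6|Jul 22 2010|14:26:05|302013|172.16.200.1|2369|192.168.99.5|3389|Built inbound TCP connection 533606188 for outside:172.16.200.1/2369 (172.16.200.1/2369) to dmz:192.168.99.5/3389 (192.168.99.5/3389) (amp_tools)",
    "6|Jul 22 2010|14:26:35|302014|172.16.200.1|2369|192.168.99.5|3389|Teardown TCP connection 533606188 for outside:172.16.200.1/2369 to dmz:192.168.99.5/3389 duration 0:00:30 bytes 0 SYN Timeout (amp_tools)",
    "6|Jul 22 2010|15:32:17|109025|172.16.200.1|2533|192.168.99.5|3389|Authorization denied (acl=amp_tools_split) for user 'amp_tools' from 172.16.200.1/2533 to 192.168.99.5/3389 on interface outside using TCP",
    "6|Jul 22 2010|14:24:48|302020|172.16.200.1|1024|192.168.99.5|0|Built inbound ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)",
    "6|Jul 22 2010|14:24:50|302021|172.16.200.1|1024|192.168.99.5|0|Teardown ICMP connection for faddr 172.16.200.1/1024 gaddr 192.168.99.5/0 laddr 192.168.99.5/0 (amp_tools)",
]


@dataclass
class AsdmEvent:
    severity: int
    timestamp: str
    msg_id: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    text: str


def parse_asdm_line(line):
    """Split the nine ASDM columns; the free-text message is the last one."""
    parts = line.strip().split("|", 8)
    if len(parts) != 9:
        raise ValueError("not a nine-column ASDM line: %r" % line)
    sev, date, clock, msg_id, sip, sport, dip, dport, text = parts
    return AsdmEvent(int(sev), date + " " + clock, msg_id, sip, sport, dip, dport, text)


def classify(ev):
    """Map one event to the verdict the thread's diagnosis turned on."""
    if ev.msg_id == "109025":
        # A per-user ACL denied the packet before the ASA forwarded it.
        m = re.search(r"acl=([^)]+)", ev.text)
        return "acl-deny", "user ACL %s denied the flow" % (m.group(1) if m else "?")
    if ev.msg_id == "302014" and "SYN Timeout" in ev.text and re.search(r"\bbytes 0\b", ev.text):
        # The ASA forwarded the SYN; no SYN/ACK returned within the handshake timer.
        return "no-reply", "SYN forwarded, no SYN/ACK returned: check the server's return route to the VPN pool"
    if ev.msg_id in ("302013", "302020"):
        return "built", "connection built: ACL and NAT checks passed on the ASA"
    if ev.msg_id in ("302014", "302021"):
        return "teardown", "ordinary teardown"
    return "other", ev.text


def triage(lines):
    """Count verdicts; list problem flows as (src_ip, dst_ip, dst_port, verdict, why)."""
    counts, problems = Counter(), []
    for line in lines:
        ev = parse_asdm_line(line)
        verdict, why = classify(ev)
        counts[verdict] += 1
        if verdict in ("acl-deny", "no-reply"):
            problems.append((ev.src_ip, ev.dst_ip, ev.dst_port, verdict, why))
    return counts, problems


if __name__ == "__main__":
    counts, problems = triage(SAMPLE_LINES)
    print(dict(counts))
    for p in problems:
        print("%s -> %s:%s  %s: %s" % p)
```

Feed it the ASDM log export (one line per event) and the two verdicts separate the two failure modes the thread went through: "acl-deny" means the ASA itself refused the flow, so the fix is on the ASA's ACLs; "no-reply" means the ASA let it through and the problem is on the far side (route or NAT).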
Try the below commands, copy and paste:
no nat (outside) 8 access-list vpn-nat
no global (dmz) 8 interface
static (outside,dmz) 172.16.253.4 access-list vpn-nat
Don't delete the access-list vpn-nat.
ASKER
Give it a rest for now. You told me almost 2 hrs ago that it was 11pm. Get some sleep and we can touch base again tomorrow.
Thank you for your persistence and your patience.
Try the above command, I can wait for you.
ASKER
I get this error:
asafirewall(config)# static (outside,dmz) 172.16.253.4 access-list vpn-nat
global address overlaps with mask
Try:
static (outside,dmz) 172.16.253.4 access-list vpn-nat netmask 255.255.255.255
ASKER
asafirewall(config)# static (outside,dmz) 172.16.253.4 access-list vpn-nat netmask 255.255.255.255
invalid option netmask
Usage: [no] static [(real_ifc, mapped_ifc)]
{<mapped_ip>|interface}
{<real_ip> [netmask <mask>]} | {access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
[no] static [(real_ifc, mapped_ifc)] {tcp|udp}
{<mapped_ip>|interface} <mapped_port>
{<real_ip> <real_port> [netmask <mask>]} |
{access-list <acl_name>}
[dns]
[[tcp] <max_conns> [<emb_lim> [<norandomseq> [nailed]]]]
[udp <max_conns>]
show running-config [all] static [<mapped_ip>]
clear configure static
Let's call it a day now. Get some rest and we'll look at it tomorrow. Good night, and thanks.
OK, as you wish. I think there are some limitations in the nat commands,
so better tomorrow you correct your route in the MPLS router, then everything should work.
By the way, did you remove all your static config?
Above I can see a command like "clear configure static".
ASKER
could you remind me what those route corrections were?
Your quote: "that server's at a remote location, so the gateway's its MPLS router's IP address".
99.5's gw is a router's IP address; there you have to add the proper route to 172.16.200.0/24.
ASKER
I've already corrected that route, and that's how we started getting to it from the ASA, of course with modifications to the switch's ACLs.
See, if you send some packet from the ASA, it will have the source IP of the ASA, not the VPN client IP. Likewise, when the VPN client tries to access 99.5, that packet will have the source IP 172.16.200.1,
so the server / server's GW must know where this 172.16.200.0 is.
ASKER
When I RDP from the VPN client, this is the log on the ASA:
6|Jul 23 2010|08:53:54|302014|172.16.200.1|2982|192.168.99.5|3389|Teardown TCP connection 534352879 for outside:172.16.200.1/2982 to dmz:192.168.99.5/3389 duration 0:00:08 bytes 28334 TCP Reset-I (amp_tools)
6|Jul 23 2010|08:53:46|302014|172.16.200.1|2981|192.168.99.5|3389|Teardown TCP connection 534352876 for outside:172.16.200.1/2981 to dmz:192.168.99.5/3389 duration 0:00:00 bytes 38 TCP FINs (amp_tools)
6|Jul 23 2010|08:53:46|302013|172.16.200.1|2982|192.168.99.5|3389|Built inbound TCP connection 534352879 for outside:172.16.200.1/2982 (172.16.253.4/2982) to dmz:192.168.99.5/3389 (192.168.99.5/3389) (amp_tools)
6|Jul 23 2010|08:53:45|302013|172.16.200.1|2981|192.168.99.5|3389|Built inbound TCP connection 534352876 for outside:172.16.200.1/2981 (172.16.253.4/2981) to dmz:192.168.99.5/3389 (192.168.99.5/3389) (amp_tools)
Source IP: IP of the VPN client.
And it's getting to the server and back, so routes must be OK, right?
Yeah, seems to be working now!!! Give me the show conn.
Is RDP enabled on this server?
What about ping?
Did you remove the below command from the ASA? Only after removing this can I say routing is OK.
static (dmz, outside) 172.16.253.4 172.16.200.1 netmask 255.255.255.255
Sorry, this is the command to remove:
static (outside,dmz) 172.16.253.4 172.16.200.1 netmask 255.255.255.255
ASKER
No ping getting through because of the ACLs on the other switches, that's OK. RDP gets through.
So it's working, isn't it?
ASKER
No, that line is still in the ASA config. Here's the sh conn:
asafirewall# sh conn | inc dmz
TCP outside 172.16.253.4(172.16.200.1):3818 dmz 192.168.99.5:3389, idle 0:00:00, bytes 927, flags UIOB
I think your RDP is OK now, please confirm.
From the conn output I can see NAT translation is happening for 172.16.200.1,
so I don't think your routing is correct unless that line is removed.
ASKER
Please explain.
My client gets its IP and route from the ASA.
It wasn't going anywhere until we put in that vpn-nat ACL and the static.
ASKER
All I need now is to change that static into a dynamic and I'm done.
I just need that elusive command :) I don't think I need to make any modifications on other network devices.
No, dynamic NAT from outside to inside has certain limitations; it will not work as you expect.
If you don't want to correct your route, then go for static NAT.
ASKER
Isn't that called PAT?
Yes, it is PAT.
You can have a try anyway.
Add the below commands and see:
no static (outside,dmz) 172.16.253.4 172.16.200.1 netmask 255.255.255.255
nat (outside) 8 access-list vpn-nat
global (dmz) 8 interface
Before you add those commands,
please add the line:
access-list vpn-nat extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5
ASKER
asafirewall(config)# no static (outside,dmz) 172.16.253.4 172.16.200.1 netmask$
asafirewall(config)# nat (outside) 8 access-list vpn-nat
WARNING: Binding inside nat statement to outermost interface.
WARNING: Keyword "outside" is probably missing.
asafirewall(config)# global (dmz) 8 interface
INFO: dmz interface address added to PAT pool
anything to worry about?
ASKER
While RDP-ing:
asafirewall# sh conn | in dmz
TCP outside 172.16.200.1:3856 dmz 192.168.99.5:3389, idle 0:00:20, bytes 0, flags SaAB
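The two pieces of evidence this thread turns on are the 302013/302014 syslog pairs (the first attempt ended in "bytes 0 SYN Timeout", the later one in "bytes 28334 TCP Reset-I") and the `show conn` lines (flags `UIOB` with a translated address versus `SaAB` with zero bytes). The script below is an added example, not code from the thread: it parses constructed copies of exactly those lines, pairs Built and Teardown messages by connection id, reports whether a NAT translation was in effect (the real/mapped pair in the 302013 message, or a second address in parentheses in `show conn`), and classifies each flow. A SYN Timeout with zero bytes, or a conn entry with no `U` (up) flag and zero bytes, means the ASA forwarded the SYN but never saw a SYN-ACK, which is what a missing return route on the server side looks like from the firewall. The sample lines, the `Flow`/`Conn` names and the verdict labels are the example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples, modelled on the ASDM pipe-delimited syslog export and the
# "show conn" output pasted in this thread (same addresses, ports, reasons, flags).
SAMPLE_SYSLOG = """\
6|Jul 22 2010|16:46:57|302013|172.16.200.1|2621|192.168.99.5|3389|Built inbound TCP connection 533749231 for outside:172.16.200.1/2621 (172.16.200.1/2621) to dmz:192.168.99.5/3389 (192.168.99.5/3389) (amp_tools)
6|Jul 22 2010|16:47:27|302014|172.16.200.1|2621|192.168.99.5|3389|Teardown TCP connection 533749231 for outside:172.16.200.1/2621 to dmz:192.168.99.5/3389 duration 0:00:30 bytes 0 SYN Timeout (amp_tools)
6|Jul 23 2010|08:53:46|302013|172.16.200.1|2982|192.168.99.5|3389|Built inbound TCP connection 534352879 for outside:172.16.200.1/2982 (172.16.253.4/2982) to dmz:192.168.99.5/3389 (192.168.99.5/3389) (amp_tools)
6|Jul 23 2010|08:53:54|302014|172.16.200.1|2982|192.168.99.5|3389|Teardown TCP connection 534352879 for outside:172.16.200.1/2982 to dmz:192.168.99.5/3389 duration 0:00:08 bytes 28334 TCP Reset-I (amp_tools)
"""
SAMPLE_CONN = """\
TCP outside 172.16.253.4(172.16.200.1):3818 dmz 192.168.99.5:3389, idle 0:00:00, bytes 927, flags UIOB
TCP outside 172.16.200.1:3856 dmz 192.168.99.5:3389, idle 0:00:20, bytes 0, flags SaAB
"""

# %ASA-6-302013: Built ... for ifc:real_addr/real_port (mapped_addr/mapped_port) to ifc:real/port (mapped/port)
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<cid>\d+) for "
    r"(?P<sif>\w+):(?P<sreal>[\d.]+)/(?P<sport>\d+) \((?P<smap>[\d.]+)/\d+\) to "
    r"(?P<dif>\w+):(?P<dreal>[\d.]+)/(?P<dport>\d+) \((?P<dmap>[\d.]+)/\d+\)"
)
# %ASA-6-302014: Teardown ... duration h:mm:ss bytes N reason [(user)]
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<cid>\d+) for .+? duration (?P<dur>\d+:\d\d:\d\d) "
    r"bytes (?P<bytes>\d+) (?P<reason>.+?)(?: \([^()]*\))?$"
)
# show conn: proto ifc addr[(addr)]:port ifc addr[(addr)]:port, idle h:mm:ss, bytes N, flags XYZ
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<sif>\w+) (?P<saddr>[\d.]+)(?:\((?P<salt>[\d.]+)\))?:(?P<sport>\d+) "
    r"(?P<dif>\w+) (?P<daddr>[\d.]+)(?:\((?P<dalt>[\d.]+)\))?:(?P<dport>\d+), "
    r"idle (?P<idle>[\d:]+), bytes (?P<bytes>\d+), flags (?P<flags>\w+)"
)


@dataclass
class Flow:
    conn_id: str
    client: str          # real (pre-NAT) source address from the Built message
    mapped: str          # address the server saw; same as client when no NAT rule applied
    server: str
    port: int
    translated: bool
    bytes: Optional[int] = None
    reason: Optional[str] = None
    verdict: str = "open"


@dataclass
class Conn:
    src: str
    src_alt: Optional[str]   # second address in parentheses: a translation is in effect
    dst: str
    dport: int
    bytes: int
    flags: str
    translated: bool
    state: str


def _verdict(nbytes: int, reason: str) -> str:
    # SYN Timeout with zero bytes: the SYN was forwarded but no SYN-ACK ever came back,
    # i.e. the server or its gateway has no route to the source, or an ACL dropped it.
    if nbytes == 0 and reason.startswith("SYN Timeout"):
        return "no-reply"
    return "data-exchanged" if nbytes > 0 else "no-data"


def analyze_syslog(text: str) -> List[Flow]:
    """Pair 302013 Built / 302014 Teardown messages by connection id and classify each flow."""
    flows: Dict[str, Flow] = {}
    for line in text.splitlines():
        msg = line.split("|")[-1]          # message text is the last field of the ASDM export
        m = BUILT_RE.search(msg)
        if m:
            flows[m["cid"]] = Flow(
                conn_id=m["cid"], client=m["sreal"], mapped=m["smap"], server=m["dreal"],
                port=int(m["dport"]),
                translated=(m["smap"] != m["sreal"] or m["dmap"] != m["dreal"]))
            continue
        m = TEARDOWN_RE.search(msg)
        if m and m["cid"] in flows:
            f = flows[m["cid"]]
            f.bytes, f.reason = int(m["bytes"]), m["reason"]
            f.verdict = _verdict(f.bytes, f.reason)
    return list(flows.values())


def analyze_conn(text: str) -> List[Conn]:
    """Classify 'show conn' entries: 'U' means the three-way handshake completed."""
    out: List[Conn] = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        flags, nbytes = m["flags"], int(m["bytes"])
        if "U" in flags:
            state = "established"
        elif nbytes == 0:
            state = "embryonic"       # still waiting for the inside host's SYN-ACK
        else:
            state = "closing"
        out.append(Conn(src=m["saddr"], src_alt=m["salt"], dst=m["daddr"], dport=int(m["dport"]),
                        bytes=nbytes, flags=flags, translated=bool(m["salt"] or m["dalt"]), state=state))
    return out


if __name__ == "__main__":
    for f in analyze_syslog(SAMPLE_SYSLOG):
        print(f"conn {f.conn_id}: {f.client} -> {f.server}:{f.port} seen as {f.mapped} "
              f"nat={'yes' if f.translated else 'no'} bytes={f.bytes} reason={f.reason!r} verdict={f.verdict}")
    for c in analyze_conn(SAMPLE_CONN):
        shown = f"{c.src}({c.src_alt})" if c.src_alt else c.src
        print(f"{shown} -> {c.dst}:{c.dport} flags={c.flags} nat={'yes' if c.translated else 'no'} state={c.state}")
```

Run against a real ASDM export or `show conn | inc dmz` paste, the "no-reply"/"embryonic" verdicts are the ones to chase on the far side of the firewall: packet-tracer and the ASA's own ACLs are already satisfied at that point, and the next hop is the server's gateway routing table, as the thread eventually found.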
ASKER
You were right, that switch did not have a route back. I put it in and now the PAT is working.
YOU ARE THE MAN!!!!
OK, shall we close this?
ASKER
Yes, and the other one as well, please put in a comment on the other ticket as well referencing this page's url, and we'll close that as well.
Sure, let me see that.
If you are satisfied with my support, kindly give some good bonus points too.
Cheers
ASKER
access-list vpn-nat extended permit ip 172.16.200.0 255.255.255.0 host 192.168.99.5
global (dmz) 8 interface
nat (outside) 8 access-list vpn-nat
Just what are we saying with these commands?
An ACL to allow IP traffic from the 172 network to 192.168.99.5, which is PATed on the dmz interface?
Exactly!!! You are right.
I did the comment on the other ticket.
ASKER
This comment isn't necessarily the solution, it's the last one in a sequence of steps and troubleshooting that got me to the solution.
Best support in terms of persistence and patience.
Thank you
ASKER
Strange, why 7.7 "very good"? I chose A and "excellent"!