smckellar
asked on
Cisco ASA - Howto configure remote access VPN via Cisco VPN Client
Hi,
I have configured a VPN on a Cisco ASA firewall, and my client software (Cisco VPN Client) is connecting with no problems. The split tunneling works, i.e. I can still browse the net on my own connection whilst connection, however, no traffic for the VPN can be sent over the connection.
I have configured the VPN using ASDM under Wizards, VPN Wizard.
Please see sh run
name 192.168.1.105 WWW1-I
name 192.168.1.106 WWW2-I
name 192.168.1.108 WWW3-I
name 192.168.1.227 WWW4-I
name 61.XX.XX.128 Outside-Network
name 61.XX.XX.129 Internet-Router
name 61.XX.XX.133 WWW4-O
name 61.XX.XX.134 ASA-O
name 61.XX.XX.135 WWW_Web1-O
name 61.XX.XX.136 WWW_Web2-O
name 61.XX.XX.137 WWW_DB1-O
name 61.XX.XX.138 WWW_Report-O
name 210.XX.XX.226 WWW6-O
name 210.XX.XX.225 WWW2-O
name 210.XX.XX.227 WWW1-O
name 210.XX.XX.228 WWW3-O
name 192.168.1.89 ASA-I
name 192.168.1.109 WWW5
!
interface Ethernet0/0
nameif outside
security-level 0
ip address ASA-O 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address ASA-I 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd <removed> encrypted
ftp mode passive
clock timezone AEST 10
clock summer-time AEDT recurring last Sun Oct 2:00 last Sun Mar 2:00
object-group icmp-type ICMP-Permitted
description Permitted ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object echo
icmp-object time-exceeded
object-group service Outbound-TCP tcp
description TCP Ports Allowed Outbound
port-object eq ftp
port-object eq www
port-object eq https
port-object eq domain
port-object eq 1863
port-object eq 6901
port-object eq 6891
port-object eq 6900
port-object eq 3389
port-object eq 1433
port-object eq telnet
port-object eq pcanywhere-data
port-object eq smtp
port-object eq ftp-data
port-object eq pop3
port-object eq pop2
object-group service Outbound-UDP udp
description UDP Ports Allowed Outbound
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 4500
port-object eq 1433
access-list Outside extended permit icmp any any object-group ICMP-Permitted
access-list Outside extended permit tcp any host WWW2-O eq www
access-list Outside extended permit tcp any host WWW6-O eq 5555
access-list Outside extended permit tcp any host WWW6-O eq www
access-list Outside extended permit tcp any host WWW6-O eq smtp
access-list Outside extended permit tcp any host WWW6-O eq pop3
access-list Outside extended permit tcp any host WWW6-O eq imap4
access-list Outside extended permit tcp any host WWW1-O eq ftp
access-list Outside extended permit tcp any host 61.XX.XX.139 eq www
access-list Outside extended permit tcp any host WWW1-O eq domain
access-list Outside extended permit tcp any host WWW1-O eq pop3
access-list Outside extended permit tcp any host WWW1-O eq smtp
access-list Outside extended permit tcp any host WWW1-O eq imap4
access-list Outside extended permit tcp any host WWW1-O eq https
access-list Outside extended permit tcp any host WWW1-O eq www
access-list Outside extended permit tcp any host WWW1-O eq 32000
access-list Outside extended permit tcp any any eq ssh
access-list Outside extended deny ip any any log notifications
access-list Inside extended permit icmp Inside-Network 255.255.255.0 any object-group ICMP-Permitted
access-list Inside extended permit tcp Inside-Network 255.255.255.0 any
access-list Inside extended permit udp Inside-Network 255.255.255.0 any
access-list Inside extended deny ip any any log notifications
access-list NONAT extended permit ip Inside-Network 255.255.255.0 10.10.10.0 255.255.255.0
access-list NONAT extended permit ip Inside-Network 255.255.255.0 192.168.253.0 255.255.255.0
access-list NONAT extended permit ip any 192.168.253.0 255.255.255.128
access-list VPNCLIENTS remark VPN Client Local LAN Access
access-list tac extended permit ip any any
access-list tac extended permit ip host 171.XX.XX.102 any
access-list tac extended permit ip any host 171.XX.XX.102
access-list ciscoASA_splitTunnelAcl standard permit Inside-Network 255.255.255.0
access-list ciscoASA_splitTunnelAcl standard permit 192.168.253.0 255.255.255.0
access-list outside_cryptomap_dyn_180 extended permit ip any 192.168.253.0 255.255.255.128
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNPOOL 192.168.253.1-192.168.253.
ip local pool VPNPOOL2 10.6.253.1-10.6.253.99 mask 255.255.255.0
ip verify reverse-path interface outside
asdm image disk0:/asdm-504.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 Inside-Network 255.255.255.0
static (inside,outside) tcp WWW2-O www WWW2-I 5555 netmask 255.255.255.255
static (inside,outside) tcp WWW1-O www WWW1-I www netmask 255.255.255.255
static (inside,outside) tcp WWW1-O https WWW1-I https netmask 255.255.255.255
static (inside,outside) tcp WWW1-O imap4 WWW1-I imap4 netmask 255.255.255.255
static (inside,outside) tcp WWW1-O smtp WWW1-I smtp netmask 255.255.255.255
static (inside,outside) tcp WWW1-O pop3 WWW1-I pop3 netmask 255.255.255.255
static (inside,outside) tcp WWW1-O domain WWW1-I domain netmask 255.255.255.255
static (inside,outside) tcp WWW1-O ftp WWW1-I ftp netmask 255.255.255.255
static (inside,outside) tcp WWW6-O www WWW6-I www netmask 255.255.255.255
static (inside,outside) tcp WWW6-O imap4 WWW6-I imap4 netmask 255.255.255.255
static (inside,outside) tcp WWW6-O pop3 WWW6-I pop3 netmask 255.255.255.255
static (inside,outside) tcp WWW6-O smtp WWW6-I smtp netmask 255.255.255.255
static (inside,outside) tcp WWW6-O 5555 WWW6-I 5555 netmask 255.255.255.255
static (inside,outside) WWW_Web1-O WWW_Web1-I netmask 255.255.255.255
static (inside,outside) WWW_Web2-O WWW_Web2-I netmask 255.255.255.255
static (inside,outside) WWW_DB1-O WWW_DB1-I netmask 255.255.255.255
static (inside,outside) WWW_Report-O WWW_Report-I netmask 255.255.255.255
static (inside,outside) WWW3-O WWW3-I netmask 255.255.255.255
static (inside,outside) 61.XX.XX.139 WWW5 netmask 255.255.255.255
access-group Outside in interface outside
access-group Inside in interface inside
route outside 0.0.0.0 0.0.0.0 Internet-Router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ciscoASA internal
group-policy ciscoASA attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ciscoASA_splitTunnelAcl
webvpn
username user3 password <removed> encrypted
username user2 password <removed> encrypted
username user1 password <removed> encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 61.XX.XX.XXX 255.255.255.255 outside
http 218.XX.XX.XX 255.255.255.255 outside
http Inside-Network 255.255.255.0 inside
http 192.168.253.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN-SET esp-aes-256 esp-sha-hmac
crypto ipsec transform-set VPN-SET2 esp-3des esp-sha-hmac
crypto dynamic-map VPN-DYNMAP 100 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 120 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 140 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 160 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 180 match address outside_cryptomap_dyn_180
crypto dynamic-map VPN-DYNMAP 180 set transform-set VPN-SET2
crypto dynamic-map inside_dyn_map 20 set transform-set VPN-SET2
crypto map VPN-MAP 100 ipsec-isakmp dynamic VPN-DYNMAP
crypto map VPN-MAP interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
isakmp identity address
isakmp enable outside
isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 30
isakmp ipsec-over-tcp port 15000
tunnel-group ciscoASA type ipsec-ra
tunnel-group ciscoASA general-attributes
address-pool VPNPOOL
default-group-policy ciscoASA
tunnel-group ciscoASA ipsec-attributes
pre-shared-key *
telnet Inside-Network 255.255.255.0 inside
telnet timeout 5
ssh XX.XX.8.0 255.255.255.0 outside
ssh 61.XX.XX.150 255.255.255.255 outside
ssh 218.214.XX.XX 255.255.255.255 outside
ssh Inside-Network 255.255.255.0 inside
ssh timeout 10
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
ciscoASA-fw01#
I have configured a VPN on a Cisco ASA firewall, and my client software (Cisco VPN Client) is connecting with no problems. The split tunneling works, i.e. I can still browse the net on my own connection whilst connection, however, no traffic for the VPN can be sent over the connection.
I have configured the VPN using ASDM under Wizards, VPN Wizard.
Please see sh run
name 192.168.1.105 WWW1-I
name 192.168.1.106 WWW2-I
name 192.168.1.108 WWW3-I
name 192.168.1.227 WWW4-I
name 61.XX.XX.128 Outside-Network
name 61.XX.XX.129 Internet-Router
name 61.XX.XX.133 WWW4-O
name 61.XX.XX.134 ASA-O
name 61.XX.XX.135 WWW_Web1-O
name 61.XX.XX.136 WWW_Web2-O
name 61.XX.XX.137 WWW_DB1-O
name 61.XX.XX.138 WWW_Report-O
name 210.XX.XX.226 WWW6-O
name 210.XX.XX.225 WWW2-O
name 210.XX.XX.227 WWW1-O
name 210.XX.XX.228 WWW3-O
name 192.168.1.89 ASA-I
name 192.168.1.109 WWW5
!
interface Ethernet0/0
nameif outside
security-level 0
ip address ASA-O 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address ASA-I 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
passwd <removed> encrypted
ftp mode passive
clock timezone AEST 10
clock summer-time AEDT recurring last Sun Oct 2:00 last Sun Mar 2:00
object-group icmp-type ICMP-Permitted
description Permitted ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object echo
icmp-object time-exceeded
object-group service Outbound-TCP tcp
description TCP Ports Allowed Outbound
port-object eq ftp
port-object eq www
port-object eq https
port-object eq domain
port-object eq 1863
port-object eq 6901
port-object eq 6891
port-object eq 6900
port-object eq 3389
port-object eq 1433
port-object eq telnet
port-object eq pcanywhere-data
port-object eq smtp
port-object eq ftp-data
port-object eq pop3
port-object eq pop2
object-group service Outbound-UDP udp
description UDP Ports Allowed Outbound
port-object eq domain
port-object eq ntp
port-object eq isakmp
port-object eq 4500
port-object eq 1433
access-list Outside extended permit icmp any any object-group ICMP-Permitted
access-list Outside extended permit tcp any host WWW2-O eq www
access-list Outside extended permit tcp any host WWW6-O eq 5555
access-list Outside extended permit tcp any host WWW6-O eq www
access-list Outside extended permit tcp any host WWW6-O eq smtp
access-list Outside extended permit tcp any host WWW6-O eq pop3
access-list Outside extended permit tcp any host WWW6-O eq imap4
access-list Outside extended permit tcp any host WWW1-O eq ftp
access-list Outside extended permit tcp any host 61.XX.XX.139 eq www
access-list Outside extended permit tcp any host WWW1-O eq domain
access-list Outside extended permit tcp any host WWW1-O eq pop3
access-list Outside extended permit tcp any host WWW1-O eq smtp
access-list Outside extended permit tcp any host WWW1-O eq imap4
access-list Outside extended permit tcp any host WWW1-O eq https
access-list Outside extended permit tcp any host WWW1-O eq www
access-list Outside extended permit tcp any host WWW1-O eq 32000
access-list Outside extended permit tcp any any eq ssh
access-list Outside extended deny ip any any log notifications
access-list Inside extended permit icmp Inside-Network 255.255.255.0 any object-group ICMP-Permitted
access-list Inside extended permit tcp Inside-Network 255.255.255.0 any
access-list Inside extended permit udp Inside-Network 255.255.255.0 any
access-list Inside extended deny ip any any log notifications
access-list NONAT extended permit ip Inside-Network 255.255.255.0 10.10.10.0 255.255.255.0
access-list NONAT extended permit ip Inside-Network 255.255.255.0 192.168.253.0 255.255.255.0
access-list NONAT extended permit ip any 192.168.253.0 255.255.255.128
access-list VPNCLIENTS remark VPN Client Local LAN Access
access-list tac extended permit ip any any
access-list tac extended permit ip host 171.XX.XX.102 any
access-list tac extended permit ip any host 171.XX.XX.102
access-list ciscoASA_splitTunnelAcl standard permit Inside-Network 255.255.255.0
access-list ciscoASA_splitTunnelAcl standard permit 192.168.253.0 255.255.255.0
access-list outside_cryptomap_dyn_180 extended permit ip any 192.168.253.0 255.255.255.128
pager lines 24
logging enable
logging buffered warnings
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNPOOL 192.168.253.1-192.168.253.
ip local pool VPNPOOL2 10.6.253.1-10.6.253.99 mask 255.255.255.0
ip verify reverse-path interface outside
asdm image disk0:/asdm-504.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 Inside-Network 255.255.255.0
static (inside,outside) tcp WWW2-O www WWW2-I 5555 netmask 255.255.255.255
static (inside,outside) tcp WWW1-O www WWW1-I www netmask 255.255.255.255
static (inside,outside) tcp WWW1-O https WWW1-I https netmask 255.255.255.255
static (inside,outside) tcp WWW1-O imap4 WWW1-I imap4 netmask 255.255.255.255
static (inside,outside) tcp WWW1-O smtp WWW1-I smtp netmask 255.255.255.255
static (inside,outside) tcp WWW1-O pop3 WWW1-I pop3 netmask 255.255.255.255
static (inside,outside) tcp WWW1-O domain WWW1-I domain netmask 255.255.255.255
static (inside,outside) tcp WWW1-O ftp WWW1-I ftp netmask 255.255.255.255
static (inside,outside) tcp WWW6-O www WWW6-I www netmask 255.255.255.255
static (inside,outside) tcp WWW6-O imap4 WWW6-I imap4 netmask 255.255.255.255
static (inside,outside) tcp WWW6-O pop3 WWW6-I pop3 netmask 255.255.255.255
static (inside,outside) tcp WWW6-O smtp WWW6-I smtp netmask 255.255.255.255
static (inside,outside) tcp WWW6-O 5555 WWW6-I 5555 netmask 255.255.255.255
static (inside,outside) WWW_Web1-O WWW_Web1-I netmask 255.255.255.255
static (inside,outside) WWW_Web2-O WWW_Web2-I netmask 255.255.255.255
static (inside,outside) WWW_DB1-O WWW_DB1-I netmask 255.255.255.255
static (inside,outside) WWW_Report-O WWW_Report-I netmask 255.255.255.255
static (inside,outside) WWW3-O WWW3-I netmask 255.255.255.255
static (inside,outside) 61.XX.XX.139 WWW5 netmask 255.255.255.255
access-group Outside in interface outside
access-group Inside in interface inside
route outside 0.0.0.0 0.0.0.0 Internet-Router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy ciscoASA internal
group-policy ciscoASA attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ciscoASA_splitTunnelAcl
webvpn
username user3 password <removed> encrypted
username user2 password <removed> encrypted
username user1 password <removed> encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 61.XX.XX.XXX 255.255.255.255 outside
http 218.XX.XX.XX 255.255.255.255 outside
http Inside-Network 255.255.255.0 inside
http 192.168.253.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN-SET esp-aes-256 esp-sha-hmac
crypto ipsec transform-set VPN-SET2 esp-3des esp-sha-hmac
crypto dynamic-map VPN-DYNMAP 100 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 120 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 140 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 160 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 180 match address outside_cryptomap_dyn_180
crypto dynamic-map VPN-DYNMAP 180 set transform-set VPN-SET2
crypto dynamic-map inside_dyn_map 20 set transform-set VPN-SET2
crypto map VPN-MAP 100 ipsec-isakmp dynamic VPN-DYNMAP
crypto map VPN-MAP interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
isakmp identity address
isakmp enable outside
isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 30
isakmp ipsec-over-tcp port 15000
tunnel-group ciscoASA type ipsec-ra
tunnel-group ciscoASA general-attributes
address-pool VPNPOOL
default-group-policy ciscoASA
tunnel-group ciscoASA ipsec-attributes
pre-shared-key *
telnet Inside-Network 255.255.255.0 inside
telnet timeout 5
ssh XX.XX.8.0 255.255.255.0 outside
ssh 61.XX.XX.150 255.255.255.255 outside
ssh 218.214.XX.XX 255.255.255.255 outside
ssh Inside-Network 255.255.255.0 inside
ssh timeout 10
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
ciscoASA-fw01#
Keith Alabaster
On the work station that the connection is being made from, can you provide a route print and post it here as well?
>isakmp enable inside
You don't want this enabled on the inside
Try adding these entries:
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.253.0 255.255.255.128
crypto dynamic-map inside_dyn_map 20 match address outside_cryptomap_dyn_20
isakmp nat-traversal
You don't want this enabled on the inside
Try adding these entries:
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.253.0 255.255.255.128
crypto dynamic-map inside_dyn_map 20 match address outside_cryptomap_dyn_20
isakmp nat-traversal
i never use the adsm, but say these lines should be removed as it looks like they aren't being used even
crypto ipsec transform-set VPN-SET esp-aes-256 esp-sha-hmac
crypto dynamic-map VPN-DYNMAP 100 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 120 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 140 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 160 set transform-set VPN-SET2
on command line you just do
>en
#config t
(config)# <--this prompt type the following
no crypto ipsec transform-set VPN-SET esp-aes-256 esp-sha-hmac
no crypto dynamic-map VPN-DYNMAP 100 set transform-set VPN-SET2
no crypto dynamic-map VPN-DYNMAP 120 set transform-set VPN-SET2
no crypto dynamic-map VPN-DYNMAP 140 set transform-set VPN-SET2
no crypto dynamic-map VPN-DYNMAP 160 set transform-set VPN-SET2
fyi, those changes should have absolutely nothing to do with what you're experiencing, just my opinion to keep it nice and tidy to ensure no unintended consequences.
now on to what your issue is
you specify
ip local pool VPNPOOL 192.168.253.1-192.168.253.
but your acl applied to the crypto to ID interesting traffic is
access-list outside_cryptomap_dyn_180 extended permit ip any 192.168.253.0 255.255.255.128
meaning return traffic is impossible
crypto ipsec transform-set VPN-SET esp-aes-256 esp-sha-hmac
crypto dynamic-map VPN-DYNMAP 100 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 120 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 140 set transform-set VPN-SET2
crypto dynamic-map VPN-DYNMAP 160 set transform-set VPN-SET2
on command line you just do
>en
#config t
(config)# <--this prompt type the following
no crypto ipsec transform-set VPN-SET esp-aes-256 esp-sha-hmac
no crypto dynamic-map VPN-DYNMAP 100 set transform-set VPN-SET2
no crypto dynamic-map VPN-DYNMAP 120 set transform-set VPN-SET2
no crypto dynamic-map VPN-DYNMAP 140 set transform-set VPN-SET2
no crypto dynamic-map VPN-DYNMAP 160 set transform-set VPN-SET2
fyi, those changes should have absolutely nothing to do with what you're experiencing, just my opinion to keep it nice and tidy to ensure no unintended consequences.
now on to what your issue is
you specify
ip local pool VPNPOOL 192.168.253.1-192.168.253.
but your acl applied to the crypto to ID interesting traffic is
access-list outside_cryptomap_dyn_180 extended permit ip any 192.168.253.0 255.255.255.128
meaning return traffic is impossible
oops misread something, i'm an idiot
however, if you do have access to the asa console when you vpn (thru ssh probably), then try
sh logging
to see if that shows any related errors that might help us (you already have buffered logging setup), preferrably during vpn login, and when you try to access lan resources
btw, i thought I remembered reading 192.168.253.128 in the crypto acl. need to pay more attention to what i'm doing when I'm on EE, rebuilding machines and talking to consultants at the same time :)
sh logging
to see if that shows any related errors that might help us (you already have buffered logging setup), preferrably during vpn login, and when you try to access lan resources
btw, i thought I remembered reading 192.168.253.128 in the crypto acl. need to pay more attention to what i'm doing when I'm on EE, rebuilding machines and talking to consultants at the same time :)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thanks for answering, but may I ask why only a C grade when your question was answered very specifically, very quickly and very thouroughly? Our points are awarded as muliple of the question points based on the grade.
C is the lowest grade possible = 2x point value. B = 3x point value and A = 4x point value.
All we get for our efforts is points. I know I don't need them, but I like to be honest and fair.
I can re-open the question myself and let you close it again with a least a B, else I can have a moderator review.
Thanks!
C is the lowest grade possible = 2x point value. B = 3x point value and A = 4x point value.
All we get for our efforts is points. I know I don't need them, but I like to be honest and fair.
I can re-open the question myself and let you close it again with a least a B, else I can have a moderator review.
Thanks!
ASKER
I wasn't aware of the 2x 3x ..
The shown answer was that of a cisco config. I was using the ASDM because I am not great with cisco console, it took me an extra 2hrs or so to translate what changes needed making within ASDM to have the same affect as your console script.
The shown answer was that of a cisco config. I was using the ASDM because I am not great with cisco console, it took me an extra 2hrs or so to translate what changes needed making within ASDM to have the same affect as your console script.
Being a CCSP I find the ASDM can throw in a lot of unnecessary content which makes troubleshooting VPN's troublesome. Lmoores answer is actually very good. A simple view through the CLI by doing a show run and comparing what he listed and what you see on yours may have saved you some time. Personally I prefer the CLI over ASDM with one exception, viewing or modifying ACL's, or using the packet trace tool in version 6. All other configuration I do only through the CLI, especially VPN since the ASDM throws in so much more unneeded ISAKMP and IPSEC transforms. Another side benefit I find is when creating the ACL for VPNs through CLI, you can specify more clearly what the ACL is for.
Another side note, there are several ways of setting up VPN for split tunneling that work, so not all ACL's will look the same. What I tend to do in most cases is setup a single named ACL for VPN and use it for both interesting traffic and also for NAT 0 for simplicity. Works fine for the majority of the VPN setups I do.
Another side note, there are several ways of setting up VPN for split tunneling that work, so not all ACL's will look the same. What I tend to do in most cases is setup a single named ACL for VPN and use it for both interesting traffic and also for NAT 0 for simplicity. Works fine for the majority of the VPN setups I do.
SMCKellar - I have to agree with LRMoore that a B grade is more appropriate here.
Many people use the ADSM as sometimes it is just easier. If you had stated that you were only familiar with the ADSM or had mentioned that you were unfamilar with the command line, someone would have responded to you and explained how to add the commands saving you those extra hours.
keith_alabaster
EE Networking Zones Adbvisor.
Many people use the ADSM as sometimes it is just easier. If you had stated that you were only familiar with the ADSM or had mentioned that you were unfamilar with the command line, someone would have responded to you and explained how to add the commands saving you those extra hours.
keith_alabaster
EE Networking Zones Adbvisor.
lrmoore,
For what its worth you have an "A" in my book.
your solution helped me big time.
Thanks
For what its worth you have an "A" in my book.
your solution helped me big time.
Thanks