[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 12858
  • Last Modified:

Cisco ASA 5505 VPN setup

I have a Cisco ASA 5505. I have the initial setup working fine. I have not setup a VPN before and, using the ASDM VPN Wizard configured it the way that seemed correct to me. I am using the Cisco VPN Client version 5. I have obviously not configured the 5505 correctly because I can't get in. Can one of you geniuses please help?

My current config:

  Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name sbcglobal.net
enable password 0duV6wY858Xg13N4 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name sbcglobal.net
same-security-traffic permit intra-interface
access-list K2CONTROLS_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.1.32 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 192.168.1.34-192.168.1.40 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy K2CONTROLS internal
group-policy K2CONTROLS attributes
 dns-server value 68.94.156.1 68.94.157.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value K2CONTROLS_splitTunnelAcl
 default-domain value k2controls.com
username dwilson password T6U.2SHm.gQGq0.E encrypted privilege 0
username dwilson attributes
 vpn-group-policy K2CONTROLS
username kparrott password ECDkMSryjP4tnERe encrypted privilege 0
username kparrott attributes
 vpn-group-policy K2CONTROLS
http server enable
http 74.193.6.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group K2CONTROLS type ipsec-ra
tunnel-group K2CONTROLS general-attributes
 address-pool VPNpool
 default-group-policy K2CONTROLS
tunnel-group K2CONTROLS ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
client-update enable
prompt hostname context
Cryptochecksum:5fa878773be37fd96c8ee2460d74a06d
: end
0
dw1958
Asked:
dw1958
  • 15
  • 12
  • 4
10 Solutions
 
lrmooreCommented:
>ip local pool VPNpool 192.168.1.34-192.168.1.40 mask 255.255.255.0
Your IP pool should be from a different IP subnet, and not smack in the middle of your LAN subnet.

Make sure also that your remote VPN user home lan is not also 192.168.1.x
0
 
dw1958Author Commented:
Ok I changed to local VPN pool.
Here's the messoge I get in the syslog:      
713903       Group = DefaultRAGroup, IP = 74.193.6.108, Error: Unable to remove PeerTblEntry
Also the current config:
Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name sbcglobal.net
enable password 0duV6wY858Xg13N4 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name sbcglobal.net
same-security-traffic permit intra-interface
access-list K2CONTROLS_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.1.32 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 192.168.2.1-192.168.2.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy K2CONTROLS internal
group-policy K2CONTROLS attributes
 dns-server value 68.94.156.1 68.94.157.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value K2CONTROLS_splitTunnelAcl
 default-domain value k2controls.com
username dwilson password T6U.2SHm.gQGq0.E encrypted privilege 0
username dwilson attributes
 vpn-group-policy K2CONTROLS
username kparrott password ECDkMSryjP4tnERe encrypted privilege 0
username kparrott attributes
 vpn-group-policy K2CONTROLS
http server enable
http 74.193.6.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
 default-group-policy K2CONTROLS
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
client-update enable
prompt hostname context
Cryptochecksum:c0d701a452953c0848386819328fb283
: end
0
 
Alan Huseyin KayahanCommented:
  Hi dw1958
       "Error: Unable to remove PeerTblEntry"
        Make sure you have license for 3DES, type sh ver in CLI, you should an output like following

Licensed features for this platform:
Maximum Physical Interfaces : 3        
Maximum VLANs               : 10        
Inside Hosts                : Unlimited
Failover                    : Disabled
VPN-DES                     : Enabled  
VPN-3DES-AES                : Enabled      <-------
Cut-through Proxy           : Enabled  
Guards                      : Enabled  
URL Filtering               : Enabled  
Security Contexts           : 0        
GTP/GPRS                    : Disabled  
VPN Peers                   : Unlimited

            Also add
           crypto isakmp nat-traversal  20
          Make sure your ISP supports Bridging (a few doesnt in some countries)
          Make sure you choose group auth in vpn client and typed TunnelGroup1 in VPN client.

Regards
0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 
lrmooreCommented:
You need to change the nat 0 acl to match the new pool:
no access-list inside_nat0_outbound extended permit ip any 192.168.1.32 255.255.255.240
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
 
Re-apply the acl to nat 0
    nat (inside) 0 access-list inside_nat0_outbound

I would also suggest changing the Split-tunnel acl:
no access-list K2CONTROLS_splitTunnelAcl standard permit any
access-list K2CONTROLS_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

Once you change that acl, you have to re-do the policy

group-policy K2CONTROLS attributes
  split-tunnel-network-list value K2CONTROLS_splitTunnelAcl

0
 
dw1958Author Commented:
I did as MrHusy suggested and I got much farther. At least now I get a response from the asa 5505. It disconnects right away...
The syslog errors follow:( it is reverse order)

6      Oct 06 2007      22:34:14      302015      74.193.6.108      76.247.252.133       Built inbound UDP connection 20192 for outside:74.193.6.108/50905 (74.193.6.108/50905) to NP Identity Ifc:76.247.252.133/500 (76.247.252.133/500)

6      Oct 06 2007      22:34:14      302015      74.193.6.108      76.247.252.133       Built inbound UDP connection 20193 for outside:74.193.6.108/50906 (74.193.6.108/50906) to NP Identity Ifc:76.247.252.133/4500 (76.247.252.133/4500)

6      Oct 06 2007      22:34:14      713172                   Group = TunnelGroup1, IP = 74.193.6.108, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device

6      Oct 06 2007      22:34:19      113012                   AAA user authentication Successful : local database : user = dwilson

6      Oct 06 2007      22:34:19      113003                   AAA group policy for user dwilson is being set to K2CONTROLS

6      Oct 06 2007      22:34:19      113011                   AAA retrieved user specific group policy (K2CONTROLS) for user = dwilson

6      Oct 06 2007      22:34:19      113009                   AAA retrieved default group policy (K2CONTROLS) for user = dwilson

6      Oct 06 2007      22:34:19      113008                   AAA transaction status ACCEPT : user = dwilson

5      Oct 06 2007      22:34:19      713130                   Group = TunnelGroup1, Username = dwilson, IP = 74.193.6.108, Received unsupported transaction mode attribute: 5

6      Oct 06 2007      22:34:19      713184                   Group = TunnelGroup1, Username = dwilson, IP = 74.193.6.108, Client Type: WinNT  Client Application Version: 5.0.00.0340

3      Oct 06 2007      22:34:19      713132                   Group = TunnelGroup1, Username = dwilson, IP = 74.193.6.108, Cannot obtain an IP address for remote peer

3      Oct 06 2007      22:34:19      713902                   Group = TunnelGroup1, Username = dwilson, IP = 74.193.6.108, Removing peer from peer table failed, no match!

4      Oct 06 2007      22:34:19      713903                   Group = TunnelGroup1, Username = dwilson, IP = 74.193.6.108, Error: Unable to remove PeerTblEntry

Lrmoore: do I still need to make the canges you suggested? Do I just type in what you wrote in the CLI?

Thanks
0
 
lrmooreCommented:
Yes, you need to make those changes, and one more:
Add this back in:
tunnel-group K2CONTROLS general-attributes
 address-pool VPNpool

0
 
Alan Huseyin KayahanCommented:
  Yep, Les finished it :), should work now.
0
 
Alan Huseyin KayahanCommented:
  Wait a minute
    "Client Type: WinNT  Client Application Version"
      Are you using Microsoft VPN client?
0
 
dw1958Author Commented:
After adding the 2 access-list lines I get this error when sending:
ERROR: Access-list K2CONTROLS_splitTunnelAcl is attached to class-map, route-map,
username, group-policy, distribute-list, multicast or wccp subsystem.
Please remove the relevant configuration before removing the access-list.

Here's the current config:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name sbcglobal.net
enable password 0duV6wY858Xg13N4 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name sbcglobal.net
same-security-traffic permit intra-interface
access-list K2CONTROLS_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list K2Controls_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 192.168.2.1-192.168.2.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy K2CONTROLS internal
group-policy K2CONTROLS attributes
 dns-server value 68.94.156.1 68.94.157.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value K2CONTROLS_splitTunnelAcl
 default-domain value k2controls.com
username dwilson password T6U.2SHm.gQGq0.E encrypted privilege 0
username dwilson attributes
 vpn-group-policy K2CONTROLS
username kparrott password ECDkMSryjP4tnERe encrypted privilege 0
username kparrott attributes
 vpn-group-policy K2CONTROLS
http server enable
http 74.193.6.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
 default-group-policy K2CONTROLS
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
client-update enable
prompt hostname context
Cryptochecksum:4fd771c19a6da130226a7c395e8dbdb8
: end
0
 
dw1958Author Commented:
Reply to MrHusy:

I am using the Cisco VPN Client 5.
0
 
lrmooreCommented:
Getting closer....

group-policy K2CONTROLS attributes
 no split-tunnel-network-list value K2CONTROLS_splitTunnelAcl
 split-tunnel-network-list value K2Controls_splitTunnelAcl

You can clean up/remove the K2CONTROLS_splitTunnelAcl later...
 
You  need this:
 tunnel-group TunnelGroup1 general-attributes
   address-pool VPNpool
0
 
lrmooreCommented:
You also have to get rid of this - its going to screw everything up...
  no access-list inside_nat0_outbound extended permit ip any any

0
 
Alan Huseyin KayahanCommented:
   also
    same-security-traffic permit intra-interface
    Do you really want your VPN clients communicate to each other?
0
 
dw1958Author Commented:
Yes!!! I connected. I am unable to see files on the server. So...I guess we're not quite there. If you could assist with this it would be greatly appreciated.

MrHusy: There are not likely to be 2 clients on at the same time. This is for a really small office. However, I thought that config was to allow computers on the LAN to communicate with each other. Please correct me if i am mistaken.

Here is the current config:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name sbcglobal.net
enable password 0duV6wY858Xg13N4 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name sbcglobal.net
same-security-traffic permit intra-interface
access-list K2CONTROLS_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list K2Controls_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 192.168.2.1-192.168.2.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy K2CONTROLS internal
group-policy K2CONTROLS attributes
 dns-server value 68.94.156.1 68.94.157.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value K2CONTROLS_splitTunnelAcl
 default-domain value k2controls.com
username dwilson password T6U.2SHm.gQGq0.E encrypted privilege 0
username dwilson attributes
 vpn-group-policy K2CONTROLS
username kparrott password ECDkMSryjP4tnERe encrypted privilege 0
username kparrott attributes
 vpn-group-policy K2CONTROLS
http server enable
http 74.193.6.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
 address-pool VPNpool
 default-group-policy K2CONTROLS
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
client-update enable
prompt hostname context
Cryptochecksum:4fd771c19a6da130226a7c395e8dbdb8
: end

I'm seeing this in syslog: Where did it come from?
6      Oct 06 2007      23:43:39      110001       No route to 239.255.255.250 from 192.168.2.1
0
 
lrmooreCommented:
It's the split tunnel acl...

group-policy K2CONTROLS attributes
 no split-tunnel-network-list value K2CONTROLS_splitTunnelAcl
 split-tunnel-network-list value K2Controls_splitTunnelAcl

The acl name is case sensitive... when you revised the acl you spelled it differently.

>dns-server value 68.94.156.1 68.94.157.1
If you want to access your internal systems, you need to put your internal DNS server here and not public IP's.
0
 
dw1958Author Commented:
Ok, I can see the shared folder on the server now which is what they wanted. I can see it by name and IP address. Any idea why I can't reach the server via VNC with name or IP?

Current config:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name k2controls.com
enable password 0duV6wY858Xg13N4 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.2
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name k2controls.com
same-security-traffic permit intra-interface
access-list K2CONTROLS_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list K2Controls_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 192.168.2.1-192.168.2.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy K2CONTROLS internal
group-policy K2CONTROLS attributes
 dns-server value 68.94.156.1 68.94.157.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value K2CONTROLS_splitTunnelAcl
 default-domain value k2controls.com
username dwilson password T6U.2SHm.gQGq0.E encrypted privilege 0
username dwilson attributes
 vpn-group-policy K2CONTROLS
username kparrott password HQW0Aj3viz/md37t encrypted privilege 0
username kparrott attributes
 vpn-group-policy K2CONTROLS
http server enable
http 74.193.6.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
 address-pool VPNpool
 default-group-policy K2CONTROLS
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
client-update enable
prompt hostname context
Cryptochecksum:d96e5a1018daea13dd02234f42a69273
: end
0
 
lrmooreCommented:
>access-list K2CONTROLS_splitTunnelAcl standard permit any
>split-tunnel-network-list value K2CONTROLS_splitTunnelAcl

You still are referencing the wrong split tunnel acl.
If you can map a share drive, there is no reason why you can't vnc unless it is something in the VNC setup.
0
 
dw1958Author Commented:
Hi lrmoore:
  So... do I need to key in what you have referenced? I thought I had. Just let me know and I will try again and post the resulting config and any errors, if any.
0
 
lrmooreCommented:
Yes, you can even copy/paste this exactly as it is:

group-policy K2CONTROLS attributes
 no split-tunnel-network-list value K2CONTROLS_splitTunnelAcl
 split-tunnel-network-list value K2Controls_splitTunnelAcl
0
 
dw1958Author Commented:
Sorry, had to work downtown Houston. Here is the config now:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name k2controls.com
enable password 0duV6wY858Xg13N4 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.2
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name k2controls.com
same-security-traffic permit intra-interface
access-list K2CONTROLS_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list K2Controls_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 192.168.2.1-192.168.2.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy K2CONTROLS internal
group-policy K2CONTROLS attributes
 dns-server value 192.168.1.2 68.94.156.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value K2CONTROLS_splitTunnelAcl
 default-domain value k2controls.com
username dwilson password T6U.2SHm.gQGq0.E encrypted privilege 0
username dwilson attributes
 vpn-group-policy K2CONTROLS
username kparrott password qyrc8poHKa8jkaNE encrypted privilege 0
username kparrott attributes
 vpn-group-policy K2CONTROLS
http server enable
http 74.193.6.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
 address-pool VPNpool
 default-group-policy K2CONTROLS
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
client-update enable
prompt hostname context
Cryptochecksum:bbe596b532df8428ac16c6c32eede6f9
: end
0
 
lrmooreCommented:
It is still not changing anything...

Let's try this another way:

access-list K2CONTROLS_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
no access-list K2CONTROLS_splitTunnelAcl standard permit any
0
 
dw1958Author Commented:
OK here it is. I think I screwed up and typed 192.158.x.x:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name k2controls.com
enable password 0duV6wY858Xg13N4 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.2
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name k2controls.com
same-security-traffic permit intra-interface
access-list K2CONTROLS_splitTunnelAcl standard permit 192.158.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list K2Controls_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 192.168.2.1-192.168.2.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy K2CONTROLS internal
group-policy K2CONTROLS attributes
 dns-server value 192.168.1.2 68.94.156.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value K2CONTROLS_splitTunnelAcl
 default-domain value k2controls.com
username dwilson password T6U.2SHm.gQGq0.E encrypted privilege 0
username dwilson attributes
 vpn-group-policy K2CONTROLS
username kparrott password qyrc8poHKa8jkaNE encrypted privilege 0
username kparrott attributes
 vpn-group-policy K2CONTROLS
http server enable
http 74.193.6.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
 address-pool VPNpool
 default-group-policy K2CONTROLS
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
client-update enable
prompt hostname context
Cryptochecksum:07a099a2184ed2a21e7ad768313c8166
: end
0
 
dw1958Author Commented:
I got that fixed. How's it look now?

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name k2controls.com
enable password 0duV6wY858Xg13N4 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.2
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name k2controls.com
same-security-traffic permit intra-interface
access-list K2CONTROLS_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list K2Controls_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 192.168.2.1-192.168.2.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy K2CONTROLS internal
group-policy K2CONTROLS attributes
 dns-server value 192.168.1.2 68.94.156.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value K2CONTROLS_splitTunnelAcl
 default-domain value k2controls.com
username dwilson password T6U.2SHm.gQGq0.E encrypted privilege 0
username dwilson attributes
 vpn-group-policy K2CONTROLS
username kparrott password qyrc8poHKa8jkaNE encrypted privilege 0
username kparrott attributes
 vpn-group-policy K2CONTROLS
http server enable
http 74.193.6.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
 address-pool VPNpool
 default-group-policy K2CONTROLS
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
client-update enable
prompt hostname context
Cryptochecksum:afae91f3347397dbdc7a8ceac6cba64f
: end
0
 
lrmooreCommented:
Everything looks good now. Any changes in how it works?
0
 
dw1958Author Commented:
I'm back downtown again. I think it is working great. I took out that second split tunnel reference(access-list K2Controls_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0). I hope I was supposed to. I'll send the config when I get home this evening for a final check.
I think the biggest issue with folders mapped to the server and VNC is that the computer I am using is not on the K2CONTROLS domain. When I run a virtual WinXP Pro, that I added to that domain, with the client software and VNC everything works fine.
I really appreciate the help and will send what I hope is the final config this evening.
0
 
dw1958Author Commented:
Here's the config:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name k2controls.com
enable password 0duV6wY858Xg13N4 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.1.2
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name k2controls.com
same-security-traffic permit intra-interface
access-list K2CONTROLS_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 192.168.2.1-192.168.2.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy K2CONTROLS internal
group-policy K2CONTROLS attributes
 dns-server value 192.168.1.2 68.94.156.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value K2CONTROLS_splitTunnelAcl
 default-domain value k2controls.com
username dwilson password T6U.2SHm.gQGq0.E encrypted privilege 0
username dwilson attributes
 vpn-group-policy K2CONTROLS
username kparrott password qyrc8poHKa8jkaNE encrypted privilege 0
username kparrott attributes
 vpn-group-policy K2CONTROLS
http server enable
http 74.193.6.0 255.255.255.0 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
 address-pool VPNpool
 default-group-policy K2CONTROLS
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
client-update enable
prompt hostname context
Cryptochecksum:a291290cd8daae015b1c27b6f4146a74
: end
0
 
lrmooreCommented:
Looks good now. Only thing I will caution you about is using 192.168.1.0 on the inside network. If other remote users are also 192.168.1.0 at their home network, it will be problems. It is easier to change yours than how many home users/hotels, etc. Start planning now for a change to some other network number.

0
 
dw1958Author Commented:
Ok, I'll do that tonight and post (hopefully) one last time.
0
 
dw1958Author Commented:
Here it is:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name k2controls.com
enable password 0duV6wY858Xg13N4 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.22.0.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 76.247.252.133 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 172.22.0.2
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name k2controls.com
same-security-traffic permit intra-interface
access-list K2CONTROLS_splitTunnelAcl standard permit 172.22.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 172.22.0.0 255.255.0.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 192.168.2.1-192.168.2.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 76.247.252.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy K2CONTROLS internal
group-policy K2CONTROLS attributes
 dns-server value 172.22.0.2 68.94.156.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value K2CONTROLS_splitTunnelAcl
 default-domain value k2controls.com
username dwilson password T6U.2SHm.gQGq0.E encrypted privilege 0
username dwilson attributes
 vpn-group-policy K2CONTROLS
username kparrott password qyrc8poHKa8jkaNE encrypted privilege 0
username kparrott attributes
 vpn-group-policy K2CONTROLS
http server enable
http 172.22.0.0 255.255.0.0 inside
http 74.193.6.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
 address-pool VPNpool
 default-group-policy K2CONTROLS
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
client-update enable
prompt hostname context
Cryptochecksum:d77d29906107bd37419a489ab63d2640
: end
0
 
lrmooreCommented:
Looks good. So, how's it working out for you?
0
 
dw1958Author Commented:
Thanks for your help. It is working great!! I learned a lot.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 15
  • 12
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now