Solved

Cisco ASA-5505 - VPN Connects, but cannot access or ping internal hosts

Posted on 2007-11-14
2,843 Views
Last Modified: 2009-12-16
1) I have a Cisco ASA-5505 running 8.0(3). I can establish VPN connections using Cisco VPN client 5.0.02.0060 (I get an IP from the .75 IP pool, and see data coming in when I go to Status->Statistics), but I see no outbound packets, and I am unable to ping hosts on the network or access them in any way.

2) On the internal network (.50), I would like to be able to access hosts on the DMZ network (i.e. have .50.245 map to .150.245) and pass all traffic back and forth to that IP.

3) On the DMZ network, I would like to have hosts be able to access certain hosts on the inside network (i.e. .150.200 map to .50.200).

Have done a bunch of 800, 2600, and 3600 series routers, but this is my first ASA, so bear with me.

Thank you,

  Andy
: Saved
:
ASA Version 8.0(3) 
!
hostname CASA
domain-name Johnston.local
enable password CCetPkc1IRraFqJi encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 backup interface Vlan13
 nameif ADSL
 security-level 50
 pppoe client vpdn group myisp.net
 pppoe client route track 1
 ip address pppoe setroute 
 ospf cost 10
!
interface Vlan3
 nameif dmz   
 security-level 80
 ip address 192.168.150.1 255.255.255.0 
 ospf cost 10
!
interface Vlan13
 nameif Backup
 security-level 50
 dhcp client route distance 5
 dhcp client route track 2
 ip address dhcp setroute 
 ospf cost 10
 ospf priority 222
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!             
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd CCetPkc1IRraFqJi encrypted
banner login Authorized Access Only - Disconnect if you are not an authorized user
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup ADSL
dns domain-lookup dmz
dns domain-lookup Backup
dns server-group DefaultDNS
 name-server 4.2.2.1
 name-server 199.72.1.1
 name-server 205.152.144.23
 domain-name Johnston.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.75.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 192.168.50.64 255.255.255.192 
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0 
pager lines 24
logging enable
logging asdm errors
logging from-address DanJohnstonsASA@myisp.net
logging recipient-address bobsmith@myworkplace.com level errors
mtu inside 1500
mtu ADSL 1500
mtu dmz 1500
mtu Backup 1500
ip local pool VPN_IP_Pool 192.168.75.2-192.168.75.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any ADSL
icmp permit any Backup
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (ADSL) 1 interface
global (Backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
nat (dmz) 1 192.168.150.0 255.255.255.0
static (inside,dmz) 192.168.150.200 192.168.50.200 netmask 255.255.255.255 
static (inside,dmz) 192.168.150.245 192.168.50.245 netmask 255.255.255.255 
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou clientless password makeitgood
http server enable
http 68.157.114.0 255.255.255.0 ADSL
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.1 interface ADSL
 num-packets 3
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map ADSL_dyn_map 20 set pfs 
crypto dynamic-map ADSL_dyn_map 20 set transform-set TRANS_ESP_DES_SHA ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 40 set pfs 
crypto dynamic-map ADSL_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 60 set pfs 
crypto dynamic-map ADSL_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 80 set pfs 
crypto dynamic-map ADSL_dyn_map 80 set transform-set TRANS_ESP_DES_MD5
crypto dynamic-map ADSL_dyn_map 100 set pfs 
crypto dynamic-map ADSL_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 120 set pfs 
crypto dynamic-map ADSL_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 140 set pfs 
crypto dynamic-map ADSL_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 160 set pfs 
crypto dynamic-map ADSL_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs 
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map ADSL_map 65535 ipsec-isakmp dynamic ADSL_dyn_map
crypto map ADSL_map interface ADSL
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable ADSL
crypto isakmp enable Backup
crypto isakmp policy 10
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 123 reachability
!
track 2 rtr 321 reachability
telnet 192.168.50.0 255.255.255.0 inside
telnet 68.158.114.0 255.255.255.0 ADSL
telnet timeout 10
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 15
console timeout 0
vpdn group myisp.net request dialout pppoe
vpdn group myisp.net localname bobsmith69@myisp.net
vpdn group myisp.net ppp authentication pap
vpdn username bobsmith@myisp.net password ********* store-local
dhcpd address 192.168.50.10-192.168.50.99 inside
dhcpd dns 4.2.2.1 199.72.1.1 interface inside
dhcpd lease 86400 interface inside
dhcpd domain Johnston.local interface inside
dhcpd enable inside
!
dhcpd address 192.168.150.10-192.168.150.99 dmz
dhcpd dns 4.2.2.1 199.72.1.1 interface dmz
dhcpd lease 86400 interface dmz
dhcpd ping_timeout 80 interface dmz
dhcpd domain DMZ.local interface dmz
dhcpd enable dmz
!
 
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
ntp server 192.43.244.18
ntp server 17.254.0.31 source ADSL prefer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol l2tp-ipsec 
 default-domain value CLIENT.local
group-policy JohnstonFamily internal
group-policy JohnstonFamily attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec 
 default-domain value Johnston.local
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 default-domain value Johnston.local
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec 
 password-storage enable
 default-domain value Client.local
username bobsmith password cXOXOXOOXg encrypted privilege 15
username bobsmith attributes
 vpn-group-policy CiscoVPN
username apatron password hsYXOXOXOK encrypted privilege 10
username sreagan password i7x8AxXOXOXOXA== nt-encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IP_Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
tunnel-group JohnstonFamily type remote-access
tunnel-group JohnstonFamily general-attributes
 address-pool VPN_IP_Pool
 default-group-policy JohnstonFamily
tunnel-group JohnstonFamily ipsec-attributes
 pre-shared-key *
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
 address-pool VPN_IP_Pool
 default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
 pre-shared-key *
!
class-map icmp-class
 match default-inspection-traffic
class-map class_sip_tcp
 match port tcp eq sip
class-map icmp-classs
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map icmp_policy
 class icmp-class
  inspect icmp 
policy-map global_policy
 class inspection_default
  inspect pptp 
  inspect sip  
  inspect mgcp 
  inspect h323 h225 
  inspect h323 ras 
  inspect skinny  
 class class_sip_tcp
  inspect sip  
!
service-policy global_policy global
service-policy icmp_policy interface ADSL
service-policy icmp_policy interface Backup
smtp-server 205.152.59.16 205.152.59.17
prompt hostname context 
Cryptochecksum:43aasdf3aa3db5asdas9cd2badsa6b62

Question by:aalbert69
3 Comments
 

Expert Comment

by:renill
ID: 20287615
Did you check the logs?
Expert Comment

by:Alan Huseyin Kayahan
ID: 20288344
group-policy CiscoVPNClient attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 default-domain value Johnston.local

change
split-tunnel-policy excludespecified

to
split-tunnel-policy tunnelspecified

Regards
Accepted Solution

by: Alan Huseyin Kayahan (earned 250 total points)
ID: 20288400
and change

access-list Local_LAN_Access standard permit host 0.0.0.0

to

access-list Local_LAN_Access permit ip 192.168.50.0 255.255.255.0 192.168.75.0 255.255.255.0
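The accepted answer's change written out as an ASA CLI sequence, followed by the checks that confirm return traffic actually reaches the VPN client. This is an added example, not text from the original poster or the answerer: the host addresses used in packet-tracer and the capture name are constructed values, the interface and object names come from the posted config, and the verification commands are standard ASA 8.0 exec commands.

```cisco
! --- Split-tunnel change from the accepted answer ---
! Remove the old standard entry first. The posted list is a standard ACL and
! the replacement is an extended entry; an ASA access-list name holds entries
! of one type, so add the new line only after the old one is gone.
no access-list Local_LAN_Access standard permit host 0.0.0.0
access-list Local_LAN_Access remark Networks the client reaches through the tunnel
access-list Local_LAN_Access permit ip 192.168.50.0 255.255.255.0 192.168.75.0 255.255.255.0
! If this image rejects an extended list for split tunneling, the equivalent
! standard entry is:
!   access-list Local_LAN_Access standard permit 192.168.50.0 255.255.255.0
!
group-policy CiscoVPNClient attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access
!
! The NAT exemption for the client pool is already in the posted config and
! must stay; without it replies from 192.168.50.0/24 would be PATed toward
! the ADSL interface instead of being encrypted back to the client:
!   access-list inside_nat0_outbound extended permit ip any 192.168.75.0 255.255.255.0
!   nat (inside) 0 access-list inside_nat0_outbound
!
! --- Verification after the client reconnects ---
! 1. Confirm the session exists and which group-policy it picked up.
show vpn-sessiondb remote
! 2. Both "pkts encaps" and "pkts decaps" should increase once the client
!    sends traffic. Decaps rising while encaps stays at zero means packets
!    arrive from the client but nothing is being sent back into the tunnel.
show crypto ipsec sa
! 3. Trace a reply from an inside host to a client address without sending
!    real traffic (192.168.50.10 and 192.168.75.5 are constructed values).
!    A drop in the NAT phase points at the nat 0 exemption; a drop in the
!    VPN phase points at the split-tunnel list or crypto map.
packet-tracer input inside icmp 192.168.50.10 8 0 192.168.75.5 detailed
! 4. Capture on the inside interface to see whether the inside host answers
!    at all; if client packets appear but no replies, look at the host's
!    own routing or firewall rather than the ASA.
capture vpnin interface inside match ip 192.168.75.0 255.255.255.0 192.168.50.0 255.255.255.0
show capture vpnin
no capture vpnin
```

Run the verification steps in that order: if the session is missing the problem is phase 1/2 negotiation, if decaps increase but encaps do not the problem is on the return path (NAT exemption, split-tunnel list, or the inside host), and packet-tracer tells you which of those without touching the client.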