Solved

Cisco ASA-5505 - VPN Connects, but cannot access or ping internal hosts

Posted on 2007-11-14
Last Modified: 2009-12-16
1) I have a Cisco ASA-5505 running 8.03. I can establish VPN connections using Cisco VPN client 5.0.02.0060 (I get an IP from the .75 IP pool and see data coming in when I go to Status->Statistics), but I see no outbound packets, and I am unable to ping hosts on the network or access them in any way.

2) On the internal network (.50), I would like to be able to access hosts on the DMZ network (i.e. have .50.245 map to .150.245) and pass all traffic back and forth to that IP.

3) On the DMZ network, I would like hosts to be able to access certain hosts on the inside network (i.e. have .150.200 map to .50.200).

I have done a bunch of 800, 2600, and 3600 series routers, but this is my first ASA, so bear with me.

Thank you,

  Andy

: Saved
:
ASA Version 8.0(3)
!
hostname CASA
domain-name Johnston.local
enable password CCetPkc1IRraFqJi encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 backup interface Vlan13
 nameif ADSL
 security-level 50
 pppoe client vpdn group myisp.net
 pppoe client route track 1
 ip address pppoe setroute
 ospf cost 10
!
interface Vlan3
 nameif dmz
 security-level 80
 ip address 192.168.150.1 255.255.255.0
 ospf cost 10
!
interface Vlan13
 nameif Backup
 security-level 50
 dhcp client route distance 5
 dhcp client route track 2
 ip address dhcp setroute
 ospf cost 10
 ospf priority 222
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 13
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd CCetPkc1IRraFqJi encrypted
banner login Authorized Access Only - Disconnect if you are not an authorized user
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup ADSL
dns domain-lookup dmz
dns domain-lookup Backup
dns server-group DefaultDNS
 name-server 4.2.2.1
 name-server 199.72.1.1
 name-server 205.152.144.23
 domain-name Johnston.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any 192.168.75.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.50.64 255.255.255.192
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0
pager lines 24
logging enable
logging asdm errors
logging from-address DanJohnstonsASA@myisp.net
logging recipient-address bobsmith@myworkplace.com level errors
mtu inside 1500
mtu ADSL 1500
mtu dmz 1500
mtu Backup 1500
ip local pool VPN_IP_Pool 192.168.75.2-192.168.75.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any ADSL
icmp permit any Backup
asdm image disk0:/asdm-603.bin
asdm history enable
arp timeout 14400
nat-control
global (ADSL) 1 interface
global (Backup) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
nat (dmz) 1 192.168.150.0 255.255.255.0
static (inside,dmz) 192.168.150.200 192.168.50.200 netmask 255.255.255.255
static (inside,dmz) 192.168.150.245 192.168.50.245 netmask 255.255.255.255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
eou clientless password makeitgood
http server enable
http 68.157.114.0 255.255.255.0 ADSL
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 4.2.2.1 interface ADSL
 num-packets 3
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map ADSL_dyn_map 20 set pfs
crypto dynamic-map ADSL_dyn_map 20 set transform-set TRANS_ESP_DES_SHA ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 40 set pfs
crypto dynamic-map ADSL_dyn_map 40 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 60 set pfs
crypto dynamic-map ADSL_dyn_map 60 set transform-set ESP-DES-MD5
crypto dynamic-map ADSL_dyn_map 80 set pfs
crypto dynamic-map ADSL_dyn_map 80 set transform-set TRANS_ESP_DES_MD5
crypto dynamic-map ADSL_dyn_map 100 set pfs
crypto dynamic-map ADSL_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 120 set pfs
crypto dynamic-map ADSL_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 140 set pfs
crypto dynamic-map ADSL_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map ADSL_dyn_map 160 set pfs
crypto dynamic-map ADSL_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map ADSL_map 65535 ipsec-isakmp dynamic ADSL_dyn_map
crypto map ADSL_map interface ADSL
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable ADSL
crypto isakmp enable Backup
crypto isakmp policy 10
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 90
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
track 1 rtr 123 reachability
!
track 2 rtr 321 reachability
telnet 192.168.50.0 255.255.255.0 inside
telnet 68.158.114.0 255.255.255.0 ADSL
telnet timeout 10
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 15
console timeout 0
vpdn group myisp.net request dialout pppoe
vpdn group myisp.net localname bobsmith69@myisp.net
vpdn group myisp.net ppp authentication pap
vpdn username bobsmith@myisp.net password ********* store-local
dhcpd address 192.168.50.10-192.168.50.99 inside
dhcpd dns 4.2.2.1 199.72.1.1 interface inside
dhcpd lease 86400 interface inside
dhcpd domain Johnston.local interface inside
dhcpd enable inside
!
dhcpd address 192.168.150.10-192.168.150.99 dmz
dhcpd dns 4.2.2.1 199.72.1.1 interface dmz
dhcpd lease 86400 interface dmz
dhcpd ping_timeout 80 interface dmz
dhcpd domain DMZ.local interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
ntp server 192.43.244.18
ntp server 17.254.0.31 source ADSL prefer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value CLIENT.local
group-policy JohnstonFamily internal
group-policy JohnstonFamily attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec
 default-domain value Johnston.local
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 default-domain value Johnston.local
group-policy CiscoVPN internal
group-policy CiscoVPN attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec
 password-storage enable
 default-domain value Client.local
username bobsmith password cXOXOXOOXg encrypted privilege 15
username bobsmith attributes
 vpn-group-policy CiscoVPN
username apatron password hsYXOXOXOK encrypted privilege 10
username sreagan password i7x8AxXOXOXOXA== nt-encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IP_Pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
tunnel-group JohnstonFamily type remote-access
tunnel-group JohnstonFamily general-attributes
 address-pool VPN_IP_Pool
 default-group-policy JohnstonFamily
tunnel-group JohnstonFamily ipsec-attributes
 pre-shared-key *
tunnel-group CiscoVPNClient type remote-access
tunnel-group CiscoVPNClient general-attributes
 address-pool VPN_IP_Pool
 default-group-policy CiscoVPNClient
tunnel-group CiscoVPNClient ipsec-attributes
 pre-shared-key *
!
class-map icmp-class
 match default-inspection-traffic
class-map class_sip_tcp
 match port tcp eq sip
class-map icmp-classs
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map icmp_policy
 class icmp-class
  inspect icmp
policy-map global_policy
 class inspection_default
  inspect pptp
  inspect sip
  inspect mgcp
  inspect h323 h225
  inspect h323 ras
  inspect skinny
 class class_sip_tcp
  inspect sip
!
service-policy global_policy global
service-policy icmp_policy interface ADSL
service-policy icmp_policy interface Backup
smtp-server 205.152.59.16 205.152.59.17
prompt hostname context
Cryptochecksum:43aasdf3aa3db5asdas9cd2badsa6b62

Question by:aalbert69
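Items 2 and 3 of the question are both pre-8.3 NAT questions, and the posted config only half-answers them: `static (inside,dmz) 192.168.150.200 192.168.50.200` already presents inside host .50.200 on the DMZ as .150.200 (item 3), but DMZ-to-inside traffic is still denied because dmz (security-level 80) has no inbound access-list, and item 2 needs a static in the other direction plus, because `nat-control` is on, a source translation for inside-to-dmz flows (there is `nat (inside) 1` but no `global (dmz)`). The fragment below is an added example of one way to finish that, not part of the original post and not Cisco's; the access-list name `dmz_access_in`, and the reading of item 2 as "a DMZ host at .150.245 should be reachable from inside as .50.245", are assumptions.

```cisco
! Added example, not from the original post.  Pre-8.3 NAT syntax to match the
! 8.0(3) config above.  The name dmz_access_in and the .50.245/.150.245
! direction assumed for item 2 are assumptions.
!
! Item 3: already in place.  Inside host 192.168.50.200 is visible on the dmz
! as 192.168.150.200.  Kept as is:
static (inside,dmz) 192.168.150.200 192.168.50.200 netmask 255.255.255.255
!
! Item 2: present dmz host 192.168.150.245 to inside hosts as 192.168.50.245.
! The posted static for .245 maps the opposite way (inside host -> dmz view),
! and the two would overlap, so it is removed first.  Keep it instead if
! 192.168.50.245 really is an inside host.
no static (inside,dmz) 192.168.150.245 192.168.50.245 netmask 255.255.255.255
static (dmz,inside) 192.168.50.245 192.168.150.245 netmask 255.255.255.255
!
! nat-control is enabled, so every inside -> dmz flow needs a source
! translation.  nat (inside) 1 exists but only has globals on ADSL and Backup;
! this PATs inside sources to the dmz interface address when they talk to dmz.
global (dmz) 1 interface
!
! dmz (80) -> inside (100) is denied by default; an inbound ACL on dmz is
! needed for item 3.  In pre-8.3 ACLs the destination is the MAPPED address.
! Applying an ACL replaces the implicit "permit to lower security" behaviour,
! so internet access from the dmz is permitted explicitly after the inside
! subnet is denied.
access-list dmz_access_in extended permit ip 192.168.150.0 255.255.255.0 host 192.168.150.200
access-list dmz_access_in extended deny ip any 192.168.50.0 255.255.255.0
access-list dmz_access_in extended permit ip 192.168.150.0 255.255.255.0 any
access-group dmz_access_in in interface dmz
```

To check each direction without a host on either side, `packet-tracer input inside icmp 192.168.50.20 8 0 192.168.50.245` walks a simulated inside ping through the NAT and ACL phases and reports which one drops it, and `packet-tracer input dmz tcp 192.168.150.20 1025 192.168.150.200 445` does the same for a DMZ host reaching the mapped .200 address; `show xlate` afterwards shows the translations that were built.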
Expert Comment by: renill
Did you check the logs?
 
Expert Comment by: Alan Huseyin Kayahan
group-policy CiscoVPNClient attributes
 dns-server value 4.2.2.1 199.72.1.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 default-domain value Johnston.local

change
split-tunnel-policy excludespecified

to
split-tunnel-policy tunnelspecified

Regards
 
Accepted Solution by: Alan Huseyin Kayahan (earned 250 total points)
and

change
access-list Local_LAN_Access standard permit host 0.0.0.0

to
access-list Local_LAN_Access permit ip 192.168.50.0 255.255.255.0 192.168.75.0 255.255.255.0
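Three things in the posted config are worth checking alongside the accepted answer, and the fragment below shows them as an added example (not from the original post, the answer, or Cisco; the access-list names `Split_Tunnel` and `dmz_nat0_outbound` are assumed). First, `username bobsmith attributes` carries `vpn-group-policy CiscoVPN`, and a per-user group policy overrides the tunnel-group's `default-group-policy`, so a split-tunnel change made only in `CiscoVPNClient` never applies to that user; `CiscoVPN` has no split-tunnel setting and inherits tunnel-all from the default group policy. Second, `inside_nat0_outbound` exempts inside-to-pool traffic from NAT, but there is no exemption on dmz, so pool-to-dmz traffic falls under `nat (dmz) 1` with its `global (ADSL) 1 interface` and never works. Third, the config has `no crypto isakmp nat-traversal`, which breaks ESP for any client sitting behind a home router doing PAT.

```cisco
! Added example, not from the original post, the answer, or Cisco.  Names
! Split_Tunnel and dmz_nat0_outbound are assumptions; pre-8.3 NAT syntax.
!
! Split tunnel: with tunnelspecified, a standard ACL lists the networks that
! go INTO the tunnel; everything else stays on the client's local path.
access-list Split_Tunnel standard permit 192.168.50.0 255.255.255.0
access-list Split_Tunnel standard permit 192.168.150.0 255.255.255.0
group-policy CiscoVPNClient attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel
!
! bobsmith is pinned to group-policy CiscoVPN via "vpn-group-policy", which
! overrides the tunnel-group default.  Give CiscoVPN the same split-tunnel
! settings (or remove the per-user override so the tunnel-group policy applies).
group-policy CiscoVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel
!
! NAT exemption for the VPN pool on dmz.  inside already has one through
! inside_nat0_outbound; without this, dmz <-> 192.168.75.0/24 traffic is
! handled by "nat (dmz) 1" and PATed to the ADSL interface address.
access-list dmz_nat0_outbound extended permit ip 192.168.150.0 255.255.255.0 192.168.75.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound
!
! NAT traversal.  The config explicitly disables it; clients behind a PAT
! router need ESP encapsulated in UDP/4500.  20 is the keepalive interval
! in seconds (the default).
crypto isakmp nat-traversal 20
```

After applying this, `show vpn-sessiondb remote` shows the tunnel group and the group policy each session actually received, which is the quickest way to see whether the per-user `CiscoVPN` override is in play. With a ping running from the client, `show crypto ipsec sa` should show both `#pkts encaps` and `#pkts decaps` increasing; decaps rising while encaps stays at zero points at NAT or routing on the ASA side rather than at the tunnel itself. `packet-tracer input inside icmp 192.168.50.10 8 0 192.168.75.10` and the same command with `input dmz` and a 192.168.150.x source confirm that the return path hits the NAT exemption instead of the dynamic PAT.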
