cargomaster
New ASA 5505 doesn't allow https
Heya All,
Great forum!
I have a fresh ASA 5505 that I am trying to eventually set up a site-to-site VPN connection with, but in the meantime have to use it as a gateway to the internet for about 40 users. When I connect the ASA 5505, all users get the internet, but it doesn't allow https sites. I'm sure it is something simple (maybe an inspect https statement?) but I'm new to this particular device (the granularity is overwhelming!).
I'd also be interested in any ACLs that will make the device more secure than the stock vanilla.
I look forward to learning more about this device and appreciate the responses.
Sanitized config below:
ASA Version 8.0(2)
!
hostname xxxx
enable password xxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.x.x.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 12.x.x.122 255.255.255.x
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxx encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list inside_nat0_outbound extended permit ip host 192.x.x.0 host 10.x.x.0
access-list outside_2_cryptomap extended permit ip 192.x.x.0 255.255.255.0 host 10.x.x.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool fourthcorp1 10.x.x.1-10.x.x.254
ip local pool interface1 192.x.x.2-192.x.x.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 12.x.x.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.x.x.0 255.255.255.0 inside
http 10.x.x.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 70.x.x.120
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.x.x.2-192.x.x.129 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
tunnel-group 70.x.x.120 type ipsec-l2l
tunnel-group 70.x.x.120 ipsec-attributes
pre-shared-key *
prompt hostname context
There is nothing that should be blocking any secure sites. Oftentimes if you have a DSL/PPPoE account, the added overhead of PPPoE requires an MTU setting of 1492 vs the default 1500. You can try that either on the ASA or on the router/modem.
ASKER
Unfortunately I can't get into the router as it is the ISPs. Not sure if that is something I can request from them for troubleshooting or not. Thank you for the reply.
You can also try adjusting the MTU on the PC itself and see if it helps any.
http://ask-leo.com/i_cant_access_some_websites_why.html
You can adjust the MTU on the ASA interfaces themselves. A setting of 1460 usually fixes 443 problems.
Try this,
sysopt connection tcp-mss 1380
and
mtu outside 1460
The first will set the maximum TCP packet size, the second sets total packet size. Give them a try and see if they help. If not, the next step would be to run some packet traces and see what is happening to them.
As for your second question, the ASA is rather secure out of the box; it does not let anything in unless specifically told to do so, either with the management commands (http, ssh, telnet) or through an ACL or ICMP commands. All connections opened outgoing will close after a set timeout, and there are built-in rules to prevent SYN floods and DoS attacks.
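Added example, not from the thread and not ASA code: a small Python model of why a path-MTU problem lets small plain-HTTP pages through but stalls HTTPS (whose server-to-client handshake flight carries full-size packets), and why the MSS clamp suggested above can help where lowering the ASA's own interface MTU cannot, when the narrow hop sits beyond the ASA. It assumes a 1500-byte LAN, a 1492-byte PPPoE hop in the ISP path, and a 4000-byte TLS handshake flight; all link sizes and lengths are constructed.

```python
# Added example, not from the thread and not ASA code: a model of TCP segment
# sizing, Path MTU Discovery (RFC 1191) and the MSS clamp the ASA applies with
# `sysopt connection tcp-mss`. All link sizes and message lengths are constructed.

IP_HDR = 20   # IPv4 header, no options
TCP_HDR = 20  # TCP header, no options


def mss_for_mtu(mtu):
    """Largest TCP payload that fits in one unfragmented packet on a link."""
    mss = mtu - IP_HDR - TCP_HDR
    if mss <= 0:
        raise ValueError(f"MTU {mtu} leaves no room for a TCP payload")
    return mss


def clamp_mss(advertised, clamp=None):
    """What `sysopt connection tcp-mss <clamp>` does to a transiting SYN:
    the MSS option is lowered to the clamp if it is larger, else left alone."""
    return advertised if clamp is None else min(advertised, clamp)


def segment_sizes(payload_len, mss):
    """Split one application message into TCP payload sizes of at most mss."""
    full, rest = divmod(payload_len, mss)
    return [mss] * full + ([rest] if rest else [])


def deliver(payload_len, mss, path_mtus, icmp_frag_needed_passes):
    """Send one message with DF set along a path; return (delivered, events).

    A packet larger than the narrowest hop is dropped there. The sender only
    learns to shrink its segments if that hop's ICMP 'fragmentation needed'
    reaches it; if the ICMP is filtered, the drop repeats silently and the
    transfer stalls (a PMTUD black hole).
    """
    events = []
    bottleneck = min(path_mtus)
    while True:
        sizes = segment_sizes(payload_len, mss)
        oversized = [s for s in sizes if s + IP_HDR + TCP_HDR > bottleneck]
        if not oversized:
            events.append(f"delivered in {len(sizes)} segments, mss={mss}")
            return True, events
        events.append(f"{oversized[0] + IP_HDR + TCP_HDR}-byte packet dropped "
                      f"at {bottleneck}-byte hop")
        if not icmp_frag_needed_passes:
            events.append("no ICMP frag-needed reaches the sender: black hole, stall")
            return False, events
        mss = mss_for_mtu(bottleneck)
        events.append(f"ICMP frag-needed received, sender lowers mss to {mss}")


# Constructed scenario: client on a 1500-byte LAN behind the ASA, a 1492-byte
# PPPoE hop in the ISP path, and a web server whose own firewall drops ICMP.
PATH = [1500, 1492, 1500]


def server_flight(payload_len, tcp_mss_clamp=None, icmp_frag_needed_passes=False):
    """Server-to-client flight: the server sizes its segments from the MSS the
    client's SYN advertised (1460 on a 1500-byte LAN) or from the ASA's clamp."""
    mss = clamp_mss(mss_for_mtu(1500), tcp_mss_clamp)
    return deliver(payload_len, mss, PATH, icmp_frag_needed_passes)


if __name__ == "__main__":
    cases = [
        ("600-byte HTTP page, no clamp", dict(payload_len=600)),
        ("4000-byte TLS handshake, no clamp", dict(payload_len=4000)),
        ("same, ICMP not filtered", dict(payload_len=4000, icmp_frag_needed_passes=True)),
        ("same, tcp-mss 1380 on the ASA", dict(payload_len=4000, tcp_mss_clamp=1380)),
    ]
    for label, kwargs in cases:
        ok, events = server_flight(**kwargs)
        print(f"{label}: {'OK' if ok else 'STALL'}")
        for e in events:
            print("   ", e)
```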
ASKER
I will give the interface commands a try. I'm assuming this should be applied to both vlan 1 and vlan 2?
Thanks!
Usually you only need it on the outside interface, but it doesn't hurt to have it on both.
ASKER
OK, I made the MTU changes on the 5505 side, but it didn't seem to make a difference. I still cannot access https websites. I also, just for grins, tried to connect (site to site) to the VPN peer and have the log files of those too.
Here is the current config of the ASA 5505 (Home site):
ASA Version 8.0(2)
!
hostname ####
enable password #### encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.x.x.250 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd #### encrypted
banner login UNAUTHORIZED ACCESS IS PROHIBITED AND MONITORED
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list inside_nat0_outbound extended permit ip host 10.x.100.x host 10.x.99.x
access-list inside_nat0_outbound extended permit ip host 192.x.x.0 host 10.x.99.x
access-list inside_nat0_outbound extended permit ip 192.x.x.0 255.255.255.0 any
access-list outside_2_cryptomap extended permit ip 192.x.x.0 255.255.255.0 host 10.x.99.x
access-list outside_1_cryptomap extended permit ip 192.x.x.0 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.x.x.0 255.255.255.0 host 10.x.99.x
access-list inside_access_in extended permit tcp 192.x.x.0 255.255.255.0 any eq www
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1460
ip local pool fourthcorp1 10.x.x.1-10.x.x.254
ip local pool interface1 192.x.x.2-192.x.x.249
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo outside
icmp permit any echo-reply outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 12.x.x.121 1
route outside 12.x.x.122 255.255.255.255 12.x.x.121 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.x.x.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 70.x.x.120
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 70.x.x.120
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.x.x.251-192.x.x.254 inside
dhcpd dns 4.2.2.2 151.164.85.201 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
tunnel-group 70.x.x.120 type ipsec-l2l
tunnel-group 70.x.x.120 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:####
: end
Here is the config of the ASA 5520 (Peer):
ASA Version 7.2(3)
!
hostname ####
domain-name ####
enable password #### encrypted
names
name 10.x.x.253 #### description #### Server
name 70.x.x.121 outside_#### description Outside Address of #### Server
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 70.x.x.120 255.255.255.128
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.x.x.10 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd #### encrypted
banner exec --- *** WARNING NOTICE *** ---
banner exec This system is restricted solely to #### authorized
banner exec users for legitimate business purposes only. The
banner exec actual or attempted unauthorized access, use, or
banner exec modification of this system is strictly prohibited
banner exec by ####.
banner exec Unauthorized users are subject to Company
banner exec disciplinary proceedings and/or criminal and civil
banner exec penalties under state, federal, or other applicable
banner exec domestic and foreign laws.
banner exec The use of this system may be monitored and recorded
banner exec for administrative and security reasons. Anyone
banner exec accessing this system expressly consents to such
banner exec monitoring and is advised that if monitoring reveals
banner exec possible evidence of criminal activity, #### may
banner exec provide the evidence of such activity to law
banner exec enforcement officials.
banner exec All users must comply with #### Corporate
banner exec Instructions regarding the protection of ####
banner exec information assets.
banner login --- *** WARNING NOTICE *** ---
banner login This system is restricted solely to #### authorized
banner login users for legitimate business purposes only. The
banner login actual or attempted unauthorized access, use, or
banner login modification of this system is strictly prohibited
banner login by ####.
banner login Unauthorized users are subject to Company
banner login disciplinary proceedings and/or criminal and civil
banner login penalties under state, federal, or other applicable
banner login domestic and foreign laws.
banner login The use of this system may be monitored and recorded
banner login for administrative and security reasons. Anyone
banner login accessing this system expressly consents to such
banner login monitoring and is advised that if monitoring reveals
banner login possible evidence of criminal activity, #### may
banner login provide the evidence of such activity to law
banner login enforcement officials.
banner login All users must comply with #### Corporate
banner login Instructions regarding the protection of ####
banner login information assets.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name ####
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service ####_support tcp
description Support for #### Server
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group network ####Public
description These are all the public addresses for ####, headquartered on ####.
network-object host 12.x.x.120
network-object host 12.x.x.121
network-object host 12.x.x.122
network-object host 12.x.x.123
network-object host 12.x.x.124
network-object host 12.x.x.125
network-object host 12.x.x.126
network-object host 12.x.x.127
network-object host 65.x.x.17
network-object host 65.x.x.18
network-object host 65.x.x.19
network-object host 65.x.x.20
network-object host 65.x.x.21
network-object host 65.x.x.22
network-object host 65.x.x.23
network-object host 65.x.x.24
network-object host 65.x.x.25
network-object host 65.x.x.26
access-list outside_access_in remark Support #### Server
access-list outside_access_in extended permit tcp any host outside_#### object-group ####_support
access-list inside_nat0_outbound extended permit ip 10.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.x.x.0 255.255.255.0 10.x.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.x.x.0 255.255.255.0 10.x.10.0 255.255.255.0
access-list inside_access_in extended permit ip 10.x.0.0 255.255.255.0 10.x.x.0 255.255.255.0
pager lines 24
logging enable
logging list VPN-tunnels level alerts
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) outside_#### #### netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 70.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 70.x.x.10 255.255.255.255 outside
http 65.x.x.17 255.255.255.255 outside
http 12.x.x.122 255.255.255.255 outside
http 65.x.x.20 255.255.255.255 outside
http 12.x.x.120 255.255.255.255 outside
http 65.x.x.18 255.255.255.255 outside
http 65.x.x.26 255.255.255.255 outside
http 12.x.x.125 255.255.255.255 outside
http 65.x.x.23 255.255.255.255 outside
http 65.x.x.22 255.255.255.255 outside
http 12.x.x.126 255.255.255.255 outside
http 65.x.x.25 255.255.255.255 outside
http 65.x.x.24 255.255.255.255 outside
http 12.x.x.127 255.255.255.255 outside
http 12.x.x.121 255.255.255.255 outside
http 65.x.x.21 255.255.255.255 outside
http 65.x.x.19 255.255.255.255 outside
http 12.x.x.123 255.255.255.255 outside
http 12.x.x.124 255.255.255.255 outside
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.x.x.122
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 65.x.x.121
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
inspect ipsec-pass-thru
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
banner value This system is for authorized users only. All activity is logged and regulary checked by systems personnel. Individuals using this system without authority or in excess of their authority are subject to having all their services revoked. Any unauthorized use or attempted unauthorized use on this system will be reported to local law enforcement, and said user will be punished to the full extent of the law. Anyone using this system consents to these terms.
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 50
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
username #### password #### encrypted privilege 15
username #### password #### encrypted privilege 15
username #### password #### encrypted privilege 15
username #### password #### encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group 12.x.x.122 type ipsec-l2l
tunnel-group 12.x.x.122 ipsec-attributes
pre-shared-key *
tunnel-group 65.x.x.121 type ipsec-l2l
tunnel-group 65.x.x.121 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:####
: end
And finally, here is the 5505 log when trying to establish tunnel with Peer:
6|Dec 05 2007|20:50:08|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:07|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:07|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:06|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:05|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
4|Dec 05 2007|20:50:05|713903|||Group = 70.x.x.120, IP = 70.x.x.120, Information Exchange processing failed
4|Dec 05 2007|20:50:05|713903|||Group = 70.x.x.120, IP = 70.x.x.120, Error, peer has indicated that something is wrong with our message. This could indicate a pre-shared key mismatch.
5|Dec 05 2007|20:50:05|713904|||Group = 70.x.x.120, IP = 70.x.x.120, Received an un-encrypted PAYLOAD_MALFORMED notify message, dropping
5|Dec 05 2007|20:50:05|713041|||IP = 70.x.x.120, IKE Initiator: New Phase 1, Intf inside, IKE Peer 70.x.x.120 local Proxy Address 192.x.x.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
4|Dec 05 2007|20:50:04|713903|||Group = 70.x.x.120, IP = 70.x.x.120, Error: Unable to remove PeerTblEntry
3|Dec 05 2007|20:50:04|713902|||Group = 70.x.x.120, IP = 70.x.x.120, Removing peer from peer table failed, no match!
6|Dec 05 2007|20:50:04|713905|||Group = 70.x.x.120, IP = 70.x.x.120, P1 Retransmit msg dispatched to MM FSM
5|Dec 05 2007|20:50:04|713201|||Group = 70.x.x.120, IP = 70.x.x.120, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Dec 05 2007|20:50:04|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:04|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:04|713905|||Group = 70.x.x.120, IP = 70.x.x.120, P1 Retransmit msg dispatched to MM FSM
5|Dec 05 2007|20:50:04|713201|||Group = 70.x.x.120, IP = 70.x.x.120, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Dec 05 2007|20:50:04|713905|||Group = 70.x.x.120, IP = 70.x.x.120, P1 Retransmit msg dispatched to MM FSM
5|Dec 05 2007|20:50:04|713201|||Group = 70.x.x.120, IP = 70.x.x.120, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Dec 05 2007|20:50:03|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:03|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
5|Dec 05 2007|20:50:03|713904|||IP = 70.x.x.120, Received encrypted packet with no matching SA, dropping
6|Dec 05 2007|20:50:00|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:50:00|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:49:59|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:49:59|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:49:58|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:49:57|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:49:57|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Dec 05 2007|20:49:56|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
4|Dec 05 2007|20:49:56|713903|||Group = 70.x.x.120, IP = 70.x.x.120, Information Exchange processing failed
4|Dec 05 2007|20:49:56|713903|||Group = 70.x.x.120, IP = 70.x.x.120, Error, peer has indicated that something is wrong with our message. This could indicate a pre-shared key mismatch.
I did reset the router to defaults and tried the wizard to redo the site-to-site VPN to see if that cleared the issue up, to no avail.
Upping the point value : )
Respectfully,
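Added example, not from the thread: a small parser for the pipe-delimited ASDM log format posted above (severity|date|time|message-id|||text) that tallies IKE message IDs per peer and flags the phase 1 failure signatures that appear in that log (713903 with the pre-shared key text, 713904 PAYLOAD_MALFORMED and "no matching SA", 713201 duplicate phase 1 packets). The sample lines below are constructed in that format with the thread's sanitized peer address as a placeholder; the message IDs and texts are the ones visible in the log.

```python
import re
from collections import Counter

# Constructed sample in the ASDM log format used in the thread:
# severity|date|time|message-id|||text. The peer address is a placeholder.
SAMPLE_LOG = """\
6|Dec 05 2007|20:50:05|713219|||Group = 70.x.x.120, IP = 70.x.x.120, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
4|Dec 05 2007|20:50:05|713903|||Group = 70.x.x.120, IP = 70.x.x.120, Information Exchange processing failed
4|Dec 05 2007|20:50:05|713903|||Group = 70.x.x.120, IP = 70.x.x.120, Error, peer has indicated that something is wrong with our message. This could indicate a pre-shared key mismatch.
5|Dec 05 2007|20:50:05|713904|||Group = 70.x.x.120, IP = 70.x.x.120, Received an un-encrypted PAYLOAD_MALFORMED notify message, dropping
5|Dec 05 2007|20:50:04|713201|||Group = 70.x.x.120, IP = 70.x.x.120, Duplicate Phase 1 packet detected. Retransmitting last packet.
5|Dec 05 2007|20:50:03|713904|||IP = 70.x.x.120, Received encrypted packet with no matching SA, dropping
this line is not in the log format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<date>[A-Za-z]{3} \d{2} \d{4})\|(?P<time>\d{2}:\d{2}:\d{2})"
    r"\|(?P<msgid>\d{6})\|\|\|(?P<text>.*)$"
)
PEER_RE = re.compile(r"\bIP = ([^,]+)")

# (message id, substring that must appear in the text, meaning for the operator)
# The meanings restate what the log lines themselves say.
SIGNATURES = [
    ("713903", "pre-shared key mismatch",
     "peer says something is wrong with our message (log suggests pre-shared key mismatch)"),
    ("713904", "PAYLOAD_MALFORMED",
     "un-encrypted PAYLOAD_MALFORMED notify received from peer"),
    ("713904", "no matching SA",
     "encrypted packet arrived with no matching SA (phase 1 not established)"),
    ("713201", "Duplicate Phase 1",
     "phase 1 retransmissions: duplicate phase 1 packets detected"),
]


def parse_line(line):
    """Return a record for one log line, or None if it is not in the ASDM format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    peer = PEER_RE.search(rec["text"])
    rec["peer"] = peer.group(1).strip() if peer else None
    return rec


def parse_log(text):
    """Parse every well-formed line, silently skipping anything else."""
    return [r for r in map(parse_line, text.splitlines()) if r]


def diagnose(records):
    """Tally (peer, message id) pairs and collect failure signatures per peer."""
    counts = Counter((r["peer"], r["msgid"]) for r in records)
    findings = {}
    for r in records:
        for msgid, needle, meaning in SIGNATURES:
            if r["msgid"] == msgid and needle in r["text"]:
                findings.setdefault(r["peer"], set()).add(meaning)
    return counts, {peer: sorted(f) for peer, f in findings.items()}


def phase1_failed(records):
    """True when any failure signature was seen, i.e. phase 1 never completed."""
    return bool(diagnose(records)[1])


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    counts, findings = diagnose(recs)
    print(f"{len(recs)} records parsed; phase 1 failed: {phase1_failed(recs)}")
    for (peer, msgid), n in sorted(counts.items()):
        print(f"  peer {peer} msg {msgid}: {n}")
    for peer, items in findings.items():
        for item in items:
            print(f"  {peer}: {item}")
```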
banner exec enforcement officials.
banner exec All users must comply with #### Corporate
banner exec Instructions regarding the protection of ####
banner exec information assets.
banner login --- *** WARNING NOTICE *** ---
banner login This system is restricted solely to #### authorized
banner login users for legitimate business purposes only. The
banner login actual or attempted unauthorized access, use, or
banner login modification of this system is strictly prohibited
banner login by ####.
banner login Unauthorized users are subject to Company
banner login disciplinary proceedings and/or criminal and civil
banner login penalties under state, federal, or other applicable
banner login domestic and foreign laws.
banner login The use of this system may be monitored and recorded
banner login for administrative and security reasons. Anyone
banner login accessing this system expressly consents to such
banner login monitoring and is advised that if monitoring reveals
banner login possible evidence of criminal activity, #### may
banner login provide the evidence of such activity to law
banner login enforcement officials.
banner login All users must comply with #### Corporate
banner login Instructions regarding the protection of ####
banner login information assets.
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name ####
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service ####_support tcp
description Support for #### Server
port-object eq ftp
port-object eq ftp-data
port-object eq ssh
object-group network ####Public
description These are all the public addresses for ####, headquartered on ####.
network-object host 12.x.x.120
network-object host 12.x.x.121
network-object host 12.x.x.122
network-object host 12.x.x.123
network-object host 12.x.x.124
network-object host 12.x.x.125
network-object host 12.x.x.126
network-object host 12.x.x.127
network-object host 65.x.x.17
network-object host 65.x.x.18
network-object host 65.x.x.19
network-object host 65.x.x.20
network-object host 65.x.x.21
network-object host 65.x.x.22
network-object host 65.x.x.23
network-object host 65.x.x.24
network-object host 65.x.x.25
network-object host 65.x.x.26
access-list outside_access_in remark Support #### Server
access-list outside_access_in extended permit tcp any host outside_#### object-group ####_support
access-list inside_nat0_outbound extended permit ip 10.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.x.x.0 255.255.255.0 10.x.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.x.x.0 255.255.255.0 10.x.10.0 255.255.255.0
access-list inside_access_in extended permit ip 10.x.0.0 255.255.255.0 10.x.x.0 255.255.255.0
pager lines 24
logging enable
logging list VPN-tunnels level alerts
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
monitor-interface outside
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) outside_#### #### netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 70.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 70.x.x.10 255.255.255.255 outside
http 65.x.x.17 255.255.255.255 outside
http 12.x.x.122 255.255.255.255 outside
http 65.x.x.20 255.255.255.255 outside
http 12.x.x.120 255.255.255.255 outside
http 65.x.x.18 255.255.255.255 outside
http 65.x.x.26 255.255.255.255 outside
http 12.x.x.125 255.255.255.255 outside
http 65.x.x.23 255.255.255.255 outside
http 65.x.x.22 255.255.255.255 outside
http 12.x.x.126 255.255.255.255 outside
http 65.x.x.25 255.255.255.255 outside
http 65.x.x.24 255.255.255.255 outside
http 12.x.x.127 255.255.255.255 outside
http 12.x.x.121 255.255.255.255 outside
http 65.x.x.21 255.255.255.255 outside
http 65.x.x.19 255.255.255.255 outside
http 12.x.x.123 255.255.255.255 outside
http 12.x.x.124 255.255.255.255 outside
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.x.x.122
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 65.x.x.121
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
inspect ipsec-pass-thru
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
banner value This system is for authorized users only. All activity is logged and regulary checked by systems personnel. Individuals using this system without authority or in excess of their authority are subject to having all their services revoked. Any unauthorized use or attempted unauthorized use on this system will be reported to local law enforcement, and said user will be punished to the full extent of the law. Anyone using this system consents to these terms.
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 50
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication
user-authentication disable
user-authentication-idle-t
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconne
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
username #### password #### encrypted privilege 15
username #### password #### encrypted privilege 15
username #### password #### encrypted privilege 15
username #### password #### encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group 12.x.x.122 type ipsec-l2l
tunnel-group 12.x.x.122 ipsec-attributes
pre-shared-key *
tunnel-group 65.x.x.121 type ipsec-l2l
tunnel-group 65.x.x.121 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:####
: end
And finally, here is the 5505 log when trying to establish tunnel with Peer:
6|Dec 05 2007|20:50:08|713219|||Gro
6|Dec 05 2007|20:50:07|713219|||Gro
6|Dec 05 2007|20:50:07|713219|||Gro
6|Dec 05 2007|20:50:06|713219|||Gro
6|Dec 05 2007|20:50:05|713219|||Gro
4|Dec 05 2007|20:50:05|713903|||Gro
4|Dec 05 2007|20:50:05|713903|||Gro
5|Dec 05 2007|20:50:05|713904|||Gro
5|Dec 05 2007|20:50:05|713041|||IP = 70.x.x.120, IKE Initiator: New Phase 1, Intf inside, IKE Peer 70.x.x.120 local Proxy Address 192.x.x.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
4|Dec 05 2007|20:50:04|713903|||Gro
3|Dec 05 2007|20:50:04|713902|||Gro
6|Dec 05 2007|20:50:04|713905|||Gro
5|Dec 05 2007|20:50:04|713201|||Gro
6|Dec 05 2007|20:50:04|713219|||Gro
6|Dec 05 2007|20:50:04|713219|||Gro
6|Dec 05 2007|20:50:04|713905|||Gro
5|Dec 05 2007|20:50:04|713201|||Gro
6|Dec 05 2007|20:50:04|713905|||Gro
5|Dec 05 2007|20:50:04|713201|||Gro
6|Dec 05 2007|20:50:03|713219|||Gro
6|Dec 05 2007|20:50:03|713219|||Gro
5|Dec 05 2007|20:50:03|713904|||IP = 70.x.x.120, Received encrypted packet with no matching SA, dropping
6|Dec 05 2007|20:50:00|713219|||Gro
6|Dec 05 2007|20:50:00|713219|||Gro
6|Dec 05 2007|20:49:59|713219|||Gro
6|Dec 05 2007|20:49:59|713219|||Gro
6|Dec 05 2007|20:49:58|713219|||Gro
6|Dec 05 2007|20:49:57|713219|||Gro
6|Dec 05 2007|20:49:57|713219|||Gro
6|Dec 05 2007|20:49:56|713219|||Gro
4|Dec 05 2007|20:49:56|713903|||Gro
4|Dec 05 2007|20:49:56|713903|||Gro
I did reset the router to defaults and tried the wizard to redo the site-to-site VPN to see if that cleared the issue up, to no avail.
Upping the point value : )
Respectfully,
ASKER
I'm thinking I may just do a "clear configure all" and start from scratch. That way I can focus solely on:
A) Getting the device on the internet
B) Resolving the HTTPS issue
C) Connect to VPN Peer
What do you all recommend? Also, should I post a new topic for point A?
Interesting that https isn't working. Your inspection policy is fine. Just for kicks, did you verify that you can get to the same sites from outside the firewall? One item I like to do is change the NAT
nat (inside) 1 0.0.0.0 0.0.0.0
to more specific addressing, just the traffic you want to translate. I find it makes for a cleaner config and easier for troubleshooting since you know exactly what you are translating.
Do a show xlate and look for the IP of the website you are attempting to reach to verify that it is translating, and there is another thing that can be done to troubleshoot this. The good news is you are running version 8.0, which means you have ASDM ver 6. There is a tool called packet trace in the NAT configuration. Run a packet trace using port 443 and see what comes up. If you don't get any errors, then the problem is on the outside of the firewall, and we can do some further testing with CLI tools.
I think you may have overlooked that your inside access list is only permitting www.
access-list inside_access_in extended permit tcp 192.x.x.0 255.255.255.0 any eq www
add...
access-list inside_access_in extended permit tcp 192.x.x.0 255.255.255.0 any eq https
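The point of the reply above is that an ACL applied inbound on the inside interface ends in an implicit deny, so with only an "eq www" entry every TCP/443 flow from the LAN is dropped before it ever reaches NAT or inspection. The following Python example is added here and is not code from the thread or from Cisco: it parses the ASA "access-list NAME extended permit|deny PROTO SRC DST [eq PORT]" syntax used in this thread, evaluates a flow against the entries first-match, and falls through to the implicit deny. The ACL text, the 192.0.2.0/24 LAN and the 203.0.113.5 web server are constructed sample values (RFC 5737 documentation ranges), and the port-name table is a small constructed subset of the keywords the ASA accepts.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords the ASA accepts after "eq" (constructed subset for this example).
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21,
              "domain": 53, "smtp": 25}


@dataclass
class Rule:
    name: str
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None means any destination port


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: any | host A | A MASK."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue          # blank lines, remarks and other commands are skipped
        name, action, proto = t[1], t[3], t[4]
        src, i = _parse_addr(t, 5)
        dst, i = _parse_addr(t, i)
        dport = None
        if i + 1 < len(t) and t[i] == "eq":
            p = t[i + 1]
            dport = int(p) if p.isdigit() else PORT_NAMES[p]
        rules.append(Rule(name, action, proto, src, dst, dport))
    return rules


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First-match evaluation; returns (action, matching rule or None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r
    return "deny", None       # implicit deny at the end of every ASA ACL


def check_flow(acl_text, src_ip, dst_ip, proto, dport):
    """Action the ACL takes for one flow, as a plain string."""
    return evaluate(parse_acl(acl_text), src_ip, dst_ip, proto, dport)[0]


# Constructed sample: the inside ACL as the thread describes it, then with the https line added.
INSIDE_ACL_WWW_ONLY = (
    "access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any eq www\n"
)
INSIDE_ACL_FIXED = INSIDE_ACL_WWW_ONLY + (
    "access-list inside_access_in extended permit tcp 192.0.2.0 255.255.255.0 any eq https\n"
)

if __name__ == "__main__":
    for label, acl in (("www only", INSIDE_ACL_WWW_ONLY), ("with https", INSIDE_ACL_FIXED)):
        for port in (80, 443):
            print(label, "tcp/%d:" % port,
                  check_flow(acl, "192.0.2.10", "203.0.113.5", "tcp", port))
```

The same check answers the follow-up question a practitioner should ask before adding entries one port at a time: run every protocol the clients need (DNS, mail, FTP) through `check_flow` and you get the list of flows the implicit deny will still drop.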
ASKER
I now have the internet with https after doing "clear configure all". Now that A and B are completed, I just need to establish the VPN with the peer:
Here is the current 5505 config:
ASA Version 8.0(2)
!
hostname ####
domain-name ####
enable password #### encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.x.x.250 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 12.x.x.122 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
shutdown
!
passwd #### encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name ####
access-list inside_nat0_outbound extended permit ip host 10.x.100.x host 10.x.99.x
access-list inside_nat0_outbound extended permit ip host 192.x.x.0 host 10.x.99.x
access-list inside_nat0_outbound extended permit ip 192.x.x.0 255.255.255.0 host 10.x.99.x
access-list outside_1_cryptomap extended permit ip 192.x.x.0 255.255.255.0 host 10.x.99.x
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool fourthcorp1 10.x.x.1-10.x.x.254
ip local pool interface1 192.x.x.2-192.x.x.249
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 12.x.x.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.x.0.x 255.255.0.0 inside
http 192.x.x.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 70.x.x.120
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 151.164.85.201 151.164.11.201
dhcpd ping_timeout 750
dhcpd domain transportindustries.local
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
tunnel-group 70.x.x.120 type ipsec-l2l
tunnel-group 70.x.x.120 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:####
: end
ASKER
Heya Theeter!
Just saw your post right before I did. I had already cleared the device yesterday and hooked it back up for testing and that cleared it up.
thanks!
Your debug indicates the pre-share is not matching. Make sure the key at both ends is identical, and reenter them just to make sure.
ASKER
Going to try that again on both sides RouterDude, thanks. Will let ya know what happens.
ASKER
Ok I entered the pre-shared key on both sides and also made sure the algorithm matches. Still no tunnel.
Here is the log from the PEER Side which says crypto map not found. What do you suggest I do?
4|Dec 06 2007|08:54:11|113019|||Group = 12.x.x.122, Username = 12.x.x.122, IP = 12.x.x.122, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
3|Dec 06 2007|08:54:11|713902|||Group = 12.x.x.122, IP = 12.x.x.122, Removing peer from correlator table failed, no match!
3|Dec 06 2007|08:54:11|713902|||Group = 12.x.x.122, IP = 12.x.x.122, QM FSM error (P2 struct &0x4d86ae8, mess id 0x7c852be5)!
3|Dec 06 2007|08:54:11|713061|||Group = 12.x.x.122, IP = 12.x.x.122, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.100.0/255.255.255.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
Thanks!
ASKER
In looking at the packet tracer on both the home and remote site, it gets to the ACL portion and drops packets:
Info: (acl-drop) Flow is denied by configured rule.
ASKER
In looking at the ACL Manager from the remote site, I have the following:
Outside_1_cryptomap
inside network/24(source) to 10.x.x.0(destination) IP (service) Permit
1 Inside_nat0_outbound
10.x.100.0(source) to 10.x.99.0(destination) IP (service) Permit
2 192.x.100.x(255.255.255.255) to 10.x.99.x(destination) IP (service) Permit
3 Inside network/24(source) to 10.x.99.x(destination) IP(service) Permit
I have tried removing the tunnels and recreating with the ASDM gui but it still says that a rule or acl is blocking my VPN tunnel.
ASKER
OK, now from the PEER side I removed the ACLs and want to start from scratch.
I need remote network 192.x.x.0/24(Inside) & 12.x.x.122(Outside)
to be able to access
remote network 10.x.x.253(Inside) & 70.x.x.121(Outside)
The Peer is 70.x.x.120
Here is the ACL config from the PEER side:
access-list outside_access_in remark Support #### Server
access-list outside_access_in extended permit tcp any host outside_#### object-group ####_support
access-list inside_nat0_outbound extended permit ip 10.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.x.99.0 255.255.255.0 10.x.10.0 255.255.255.0
access-list inside_access_in extended permit tcp 10.x.0.0 255.255.255.0 10.x.0.0 255.255.255.0
Here is the Tunnel Info:
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 12.x.x.122
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
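Both the peer's 713061 message quoted earlier ("no matching crypto map entry for remote proxy ... local proxy ...") and the crypto ACLs posted above for the two sides come down to one rule: the ACL a crypto map matches on must be the exact mirror of the peer's, entry for entry, because IKE Phase 2 proxy IDs are compared exactly, not by containment. The following Python example is added here and is not code from the thread or from Cisco. It pulls the "extended permit ip" entries out of a named crypto-map ACL on each side as (local, remote) pairs, lists the entries with no exact mirror on the other side, and parses the proxy IDs out of a 713061 message so you can see which pair the responder was looking for. The two configs, the 192.0.2.0/24 and 198.51.100.0/24 networks, the 203.0.113.2 peer and the log line are all constructed (RFC 5737 ranges); the log line follows the format quoted in this thread.

```python
import ipaddress
import re


def _net(tokens, i):
    """Consume one ASA address spec at tokens[i]: any | host A | A MASK."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def crypto_acl_pairs(config, acl_name):
    """(local, remote) network pairs from the named crypto-map ACL.
    Only 'extended permit ip' entries count; that is what 'match address' should carry."""
    pairs = []
    for line in config.splitlines():
        t = line.split()
        if t[:3] != ["access-list", acl_name, "extended"] or t[3:5] != ["permit", "ip"]:
            continue
        local, i = _net(t, 5)
        remote, _ = _net(t, i)
        pairs.append((local, remote))
    return pairs


def missing_mirrors(side_a, side_b):
    """Entries of side_a with no exact (remote, local) counterpart on side_b.
    Phase 2 proxy IDs are compared exactly, so a /24 on one side and a single
    host on the other is a mismatch even though the host lies inside the /24."""
    return [(l, r) for (l, r) in side_a if (r, l) not in side_b]


# Shape of the responder-side 713061 message quoted in the thread: addr/mask/proto/port.
_PROXY_RE = re.compile(
    r"remote proxy ([^/\s]+)/([^/\s]+)/\d+/\d+ local proxy ([^/\s]+)/([^/\s]+)/\d+/\d+")


def proxy_ids_from_rejection(log_line):
    """(local, remote) networks the responder was asked to match, or None if not a 713061 line."""
    m = _PROXY_RE.search(log_line)
    if not m:
        return None
    remote_ip, remote_mask, local_ip, local_mask = m.groups()
    return (ipaddress.ip_network(f"{local_ip}/{local_mask}", strict=False),
            ipaddress.ip_network(f"{remote_ip}/{remote_mask}", strict=False))


# Constructed configs using RFC 5737 ranges: site A's ACL names a host, site B's a /24.
SITE_A = ("access-list outside_1_cryptomap extended permit ip "
          "192.0.2.0 255.255.255.0 host 198.51.100.253\n")
SITE_B = ("access-list outside_1_cryptomap extended permit ip "
          "198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0\n")
SITE_A_FIXED = ("access-list outside_1_cryptomap extended permit ip "
                "192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0\n")
# Constructed log line in the format the thread quotes.
REJECT_LOG = ("3|Dec 06 2007|08:54:11|713061|||Group = 203.0.113.2, IP = 203.0.113.2, "
              "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
              "192.0.2.0/255.255.255.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside")

if __name__ == "__main__":
    a = crypto_acl_pairs(SITE_A, "outside_1_cryptomap")
    b = crypto_acl_pairs(SITE_B, "outside_1_cryptomap")
    print("A entries without mirror on B:", missing_mirrors(a, b))
    print("B entries without mirror on A:", missing_mirrors(b, a))
    a2 = crypto_acl_pairs(SITE_A_FIXED, "outside_1_cryptomap")
    print("after fixing A:", missing_mirrors(a2, b), missing_mirrors(b, a2))
    print("responder was asked for (local, remote):", proxy_ids_from_rejection(REJECT_LOG))
```

Read the proxy IDs from the responder's point of view: "remote proxy" is the network the initiator claims as its own, and "local proxy" is what the initiator thinks the responder's side is. When the local proxy comes out as 0.0.0.0/0, as in the message above, the entry to correct is the initiator's crypto ACL, not the responder's; the responder should never need a 0.0.0.0/0 entry to satisfy a single site-to-site peer.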
ASKER CERTIFIED SOLUTION
ASKER
RouterDude,
Thanks so much for your tenacity on helping me solve my issue(s). Your help is greatly appreciated!
Glad I could help.