CISCO ASA 5505 problem on VPN
I have a CISCO ASA 5505 Ver 7.2(2). I have done a VPN with a Cisco3000 VPN Concentrator. The Vpn is up and I can ping all the remote hosts that I want, but if I ask something else (like a ftp or http connection) the internal network stop to respond me and i can't see anythings. I see that the VPN remain up and to bring up the internal network i must ping the internal host from the ASA. This firewall does only this work.
Have you any idea why it happens?
Regards
Alessandro
Have you any idea why it happens?
Regards
Alessandro
My experience with configuring cisco vpn tunnels is that it involves using an access list to identify the traffic to be encrypted and sent across the tunnel. Is this how you're setup, also? If so, please post the access list you're using, if not the entire config on the ASA, as you may be limiting the traffic in your access list and causing the problems you're reporting.
ASKER
Thi is the access list of the VPN. I think that I've enabled all.
access-list lta_list; 1 elements
access-list lta_list line 1 extended permit ip 192.168.X.X 255.255.X.X 10.X.X.X 255.X.X.X
The connection to the hosts start and I see it, but after the internal network stops to work. The log don't say me nothin about ethernet error or anyelse.
Thanks
access-list lta_list; 1 elements
access-list lta_list line 1 extended permit ip 192.168.X.X 255.255.X.X 10.X.X.X 255.X.X.X
The connection to the hosts start and I see it, but after the internal network stops to work. The log don't say me nothin about ethernet error or anyelse.
Thanks
Well, that's a little different than I'm used to, but I've only worked with the pix firewall and routers, not the newer ASA. Are you really using a class A subnet mask on your 10.x.x.x network? I wouldn't think that should be a problem. If your two networks are really 192.168.x and 10.x.y, with 254 hosts each, I'd use a class C mask (255.255.255.0) In my present job, I'm not configuring cisco vpns, but this also might require using an inverse mask (i.e. ..... permit ip 192.168.x.x 0.0.255.255 10.x.x.x 0.255.255.255) - can you try using an inverse mask once just to be sure that's not it?
I assume then you have a 'match address lta_list' statement in your crypto map?
I assume then you have a 'match address lta_list' statement in your crypto map?
Could you post your config for review?
ASKER
Naturally.
sho runn
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name label
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 100.51.2.202 Server1.autostrade
name 100.51.4.212 Server2.autostrade
name 100.51.4.213 Server3.autostrade
name 192.168.0.249 Collaudo.label
name 192.168.0.250 Web1.label
name 192.168.0.251 Web2.label
name 192.168.0.252 DBServer.label
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.X.X 255.255.X.X
!
interface Vlan2
nameif outside
security-level 0
ip address 151.X.X.X 255.255.X.X
<--- More --->
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
<--- More --->
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name label
same-security-traffic permit intra-interface
object-group network Server_autostrade
access-list inside_access_in extended permit ip 192.168.0.248 255.255.255.248 any
access-list outside_access_in extended permit esp any interface outside
access-list outside_access_in extended permit ah any interface outside
access-list outside_access_in extended permit udp any interface outside eq isakmp
access-list lta_list extended permit ip 192.168.X.X 255.255.X.X 10.X.X.X 255.X.X.X
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
<--- More --->C
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list lta_list
nat (inside) 1 192.168.X.X 255.X.X.X
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 151.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
<--- More --->
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication
user-authentication disable
user-authentication-idle-t
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
<--- More --->
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry file-access file-entry file-browsing port-forward
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
<--- More --->
svc dpd-interval gateway none
svc compression deflate
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
http server enable
http 192.168.X.X 255.255.X.X inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
crypto ipsec transform-set lta_t esp-3des esp-sha-hmac
crypto ipsec fragmentation after-encryption inside
crypto ipsec fragmentation after-encryption outside
crypto map lta 10 match address lta_list
crypto map lta 10 set peer 193.X.X.X
crypto map lta 10 set transform-set lta_t
crypto map lta 10 set nat-t-disable
crypto map lta 10 set reverse-route
crypto map lta interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
<--- More --->
group 2
lifetime none
tunnel-group 193.X.X.X type ipsec-l2l
tunnel-group 193.X.X.X ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp keepalive disable
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
ntp server Collaudo.label source inside prefer
prompt hostname context
no compression svc http-comp
Cryptochecksum:6d42ed13c61
: end
----
That's all.
Have you any idea?
Thanks.
sho runn
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name label
enable password 2KFQnbNIdI.2KYOU encrypted
names
name 100.51.2.202 Server1.autostrade
name 100.51.4.212 Server2.autostrade
name 100.51.4.213 Server3.autostrade
name 192.168.0.249 Collaudo.label
name 192.168.0.250 Web1.label
name 192.168.0.251 Web2.label
name 192.168.0.252 DBServer.label
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.X.X 255.255.X.X
!
interface Vlan2
nameif outside
security-level 0
ip address 151.X.X.X 255.255.X.X
<--- More --->
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
<--- More --->
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name label
same-security-traffic permit intra-interface
object-group network Server_autostrade
access-list inside_access_in extended permit ip 192.168.0.248 255.255.255.248 any
access-list outside_access_in extended permit esp any interface outside
access-list outside_access_in extended permit ah any interface outside
access-list outside_access_in extended permit udp any interface outside eq isakmp
access-list lta_list extended permit ip 192.168.X.X 255.255.X.X 10.X.X.X 255.X.X.X
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
<--- More --->C
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list lta_list
nat (inside) 1 192.168.X.X 255.X.X.X
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 151.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
<--- More --->
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication
user-authentication disable
user-authentication-idle-t
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
<--- More --->
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry file-access file-entry file-browsing port-forward
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
<--- More --->
svc dpd-interval gateway none
svc compression deflate
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
http server enable
http 192.168.X.X 255.255.X.X inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
crypto ipsec transform-set lta_t esp-3des esp-sha-hmac
crypto ipsec fragmentation after-encryption inside
crypto ipsec fragmentation after-encryption outside
crypto map lta 10 match address lta_list
crypto map lta 10 set peer 193.X.X.X
crypto map lta 10 set transform-set lta_t
crypto map lta 10 set nat-t-disable
crypto map lta 10 set reverse-route
crypto map lta interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
<--- More --->
group 2
lifetime none
tunnel-group 193.X.X.X type ipsec-l2l
tunnel-group 193.X.X.X ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp keepalive disable
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
!
ntp server Collaudo.label source inside prefer
prompt hostname context
no compression svc http-comp
Cryptochecksum:6d42ed13c61
: end
----
That's all.
Have you any idea?
Thanks.
Try using the following command to allow VPN traffic to bypass the ACL's.
sysopt connection permit-ipsec
sysopt connection permit-ipsec
ah....didn't remember that - raptor is absolutely correct there - definitely need that command. (wish I had one of my old configs in hand to compare to :)
Any luck?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.