Solved

Cisco ASA 5505 VPN connection not providing outbound data to VPN client

Posted on 2008-06-19
2,769 Views
Last Modified: 2009-01-14
I have a Cisco ASA 5505 Firewall installed and am trying to establish a VPN connection using the Cisco VPN client.  

The VPN client connects ok, and the client shows outbound data.  The ASA shows incoming data.  However, there is no outbound data from the ASA to the client.

I have spent the day on this trying various suggestions that I found on the web, but have made no progress.  I have attached the config below, and any help would be gratefully received.
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name XX.local
enable password XX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.9.62.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.218 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name XX.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
 description Allow TCP inbound connections
 port-object eq smtp
 port-object eq pptp
 port-object eq https
 port-object eq www
 port-object eq echo
 port-object eq 3389
object-group protocol MyProtocolServices
 protocol-object gre
object-group service MyUDPConnections udp
 port-object range 4500 4500
 port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq ident
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit tcp any any eq pptp
access-list acl_out extended permit tcp any eq 587 any eq smtp
access-list acl_out extended permit udp any eq 587 any eq 25
access-list acl_out extended permit tcp any any eq pop3
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list RemoteWorker_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list RemoteWorker_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list RemWorker_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0
access-list RemWorker_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list outside_access_in extended permit udp any any
access-list outside_cryptomap_dyn_20 extended permit ip any 10.9.63.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.1-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XX.XX.XX.218 smtp RDJServer smtp netmask 255.255.255.255
static (inside,outside) tcp interface https RDJServer https netmask 255.255.255.255
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs enable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy RemWorker internal
group-policy RemWorker attributes
 wins-server value 10.9.62.1
 dns-server value 10.9.62.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemWorker_splitTunnelAcl
 default-domain value original106.local
username RobinM20 password yfCCyLP1t45Wo2.6 encrypted privilege 0
username RobinM20 attributes
 vpn-group-policy RemWorker
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group RemWorker type ipsec-ra
tunnel-group RemWorker general-attributes
 address-pool ippool
 default-group-policy RemWorker
tunnel-group RemWorker ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:bd1ee9e07a62ac604bca2a66f68cb8f6
: end
asdm image disk0:/asdm-523.bin
no asdm history enable

0
Question by:Mark2234
38 Comments
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21825118
Try using the following command to allow VPN traffic to bypass the ACL's.

sysopt connection permit-ipsec

If that doesn't help let me know and I will inspect the configuration in more detail.
0
 

Author Comment

by:Mark2234
ID: 21825891
Still the same with this command in.  Traffic in one direction only from VPN client to ASA, but not back.

Thanks for the suggestion though.
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21828056
Looks like you need to enable RRI(Reverse route injection) to add routes to the VPN clients.

crypto dynamic-map outside_dyn_map 20 set reverse-route
0
 

Author Comment

by:Mark2234
ID: 21828770
I think I'd tried this before, but still no luck.  Also, with previous PIX devices, the sysopt connection permit-ipsec that you suggested has worked, but on the ASA, although the command looks to have been accepted, it doesn't show up in the sh conf - is this normal?

Since a few lines have changed, I have attached the current sh conf.


: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name XX.local
enable password 6jr.Xa4ijcMRJ2uX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.9.62.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.218 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name XX.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
 description Allow TCP inbound connections
 port-object eq smtp
 port-object eq pptp
 port-object eq https
 port-object eq www
 port-object eq echo
 port-object eq 3389
object-group protocol MyProtocolServices
 protocol-object gre
object-group service MyUDPConnections udp
 port-object range 4500 4500
 port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq ident
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit tcp any any eq pptp
access-list acl_out extended permit tcp any eq 587 any eq smtp
access-list acl_out extended permit udp any eq 587 any eq 25
access-list acl_out extended permit tcp any any eq pop3
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list RemoteWorker_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list RemoteWorker_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list RemWorker_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0
access-list RemWorker_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.9.63.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit udp any 10.9.63.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.1-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XX.218 smtp RDJServer smtp netmask 255.255.255.255
static (inside,outside) tcp interface https RDJServer https netmask 255.255.255.255
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 XX.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs enable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy RemWorker internal
group-policy RemWorker attributes
 wins-server value 10.9.62.1
 dns-server value 10.9.62.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemWorker_splitTunnelAcl
 default-domain value XX.local
username RobinM20 password yfCCyLP1t45Wo2.6 encrypted privilege 0
username RobinM20 attributes
 vpn-group-policy RemWorker
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group RemWorker type ipsec-ra
tunnel-group RemWorker general-attributes
 address-pool ippool
 default-group-policy RemWorker
tunnel-group RemWorker ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:7f8523b477fde0a86d57e5428e76c008
: end
asdm image disk0:/asdm-523.bin
no asdm history enable

0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21830571
It should definitely show, has on all my ASA devices. Definitely odd, perhaps it's worth a software update to 8.x.
0
 

Author Comment

by:Mark2234
ID: 21841051
After a bit of a fight, I have upgraded the ASA to version 8.03, and the ASDM to version 6.03.  I still have the same VPN connection problem, and still cannot see the sysopt connection permit-ipsec command, although it is accepted without errors when entered in the CLI.

Is there anything else I could try / could have missed?

Thanks in advance
0
 

Expert Comment

by:dkattan
ID: 21860955
I am having the exact same problem. Have you made any progress?
0
 

Author Comment

by:Mark2234
ID: 21864063
I've still had no luck with this problem.  I'll spend some more time on it tomorrow, but if anyone does have any suggestions it would be great.
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21864672
My mistake, it's not displayed in "sh run" but in "sh run sysopt" instead.

For version 8.x try using "sysopt connection permit-vpn"

Let me know if that works as I see RRI is also now enabled.
0
 

Author Comment

by:Mark2234
ID: 21865009
Thanks for that.

A sh run sysopt gives the following confirmation that sysopt connection permit-vpn was already in there.

ciscoasa# sh run sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
no sysopt connection reclassify-vpn

Do I need to enable any of the other commands?

Also, it must be related, but in the ASDM log I see the following error after connecting the VPN, and also when I try and send any data over the VPN.

IKE Initiator unable to find policy: Intf outside Src 10.9.63.1 Dst: 10.9.63.255

Does this help point us in the right direction?
0
 

Expert Comment

by:dkattan
ID: 21867195
I was able to get the VPN working in a non-conventional way. I created a VPN IP pool that was within our inside network, and now it is working... however, I had the exact config on an ASA 5510 and VPN worked fine... *shrug*
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21870463
That's definitely odd. Glad it's working for now.  I will still look into this once I get some spare time, so you can leave this open for now.
0
 

Author Comment

by:Mark2234
ID: 21875631
Changing my ippool to have a range from the internal network didn't help me.  I still am unable to get two way communication, and am getting very frustrated by this.

Please help!!!
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 21883739
>>access-list outside_cryptomap_dyn_20 extended permit ip any 10.9.63.0 255.255.255.0
>>access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0


Change the above to as below;

access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0

Then you should be good to go. I'm going to assume that your ip pool still is 10.9.62.0/24

Cheers,
Rajesh

0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21884196
Thanks for the review rsivanandan,

It seems I had overlooked the nat0 and crypto map access-lists.
0
 

Author Comment

by:Mark2234
ID: 21885303
Thanks Rajesh,

Still no luck.  I've attached the current config again just in case I've stupidly changed anything along the way.

I'm still seeing the ASDM syslog message "No translation group found for udp src outised:10.9.63.1/55161 dst inside: RDJServer/53"

From the client, I am able to ping and get a reply from the inside interface of the ASA but an ICMP trace shows no activity either way when pinging a device inside the firewall.

Is there anything else that could be causing this?

Thanks

Mark


: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name original106.local
enable password 6jr.Xa4ijcMRJ2uX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.9.62.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 77.44.77.218 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name original106.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
 description Allow TCP inbound connections
 port-object eq smtp
 port-object eq pptp
 port-object eq https
 port-object eq www
 port-object eq echo
 port-object eq 3389
object-group protocol MyProtocolServices
 protocol-object gre
object-group service MyUDPConnections udp
 port-object range 4500 4500
 port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq ident
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit tcp any any eq pptp
access-list acl_out extended permit tcp any eq 587 any eq smtp
access-list acl_out extended permit udp any eq 587 any eq 25
access-list acl_out extended permit tcp any any eq pop3
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list OriginalSol_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.1-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 77.44.77.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  svc ask none default svc
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 default-acl  unused
 reval-period 36000
 sq-period 300
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
    308201cc 30820135 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
    2c311130 0f060355 04031308 63697363 6f617361 31173015 06092a86 4886f70d
    01090216 08636973 636f6173 61301e17 0d303830 36323232 31343031 365a170d
    31383036 32303231 34303136 5a302c31 11300f06 03550403 13086369 73636f61
    73613117 30150609 2a864886 f70d0109 02160863 6973636f 61736130 819f300d
    06092a86 4886f70d 01010105 0003818d 00308189 02818100 b2d34eae a32556ad
    2b9d1747 63aef9a7 aa2d8f42 b2579008 12d0ee99 4629b3d3 42219061 cbb13013
    abc856f0 e1e685cc 83e8789c fd42c820 84304924 8a4ff377 3e3d2dfd 44c69dfa
    41a53007 5f145916 ce9eaeac ec37a3d0 362d45a5 661ed30e dbe4ee8b cb718083
    365756e1 7e5dd819 956e9de2 cd6c4199 bd5a9ee4 1751a613 02030100 01300d06
    092a8648 86f70d01 01040500 03818100 3783b827 489193e6 4b769a50 8d827b77
    0802b366 e0f7d8d5 0fa6cb77 d9e97347 c4c8689d d6a44e08 8571033e f27afa13
    8c716e0e 8ef7e65a 0d16c99b 0d4714d3 82e31e77 91ed7eec 3d56924e 2d8d21a4
    9fd4af14 1df0a0bd e7280b2b c919cfa5 7114ba7a fbe8d9ad 1fc01d0a 1795e637
    df70fb44 81c5c720 f538604e 8ab43cb3
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
 csd enable
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc profiles Default disk0:/dap.xml
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 pfs enable
 ipsec-udp enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value ippool
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask none default svc
  customization value DfltCustomization
group-policy OriginalSol internal
group-policy OriginalSol attributes
 wins-server value 10.9.62.1
 dns-server value 10.9.62.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain value original106.local
username mark.robinson password fgfaddJl/KVjPIir encrypted privilege 0
username mark.robinson attributes
 vpn-group-policy OriginalSol
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group OriginalSol type remote-access
tunnel-group OriginalSol general-attributes
 address-pool ippool
 default-group-policy OriginalSol
tunnel-group OriginalSol ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 10.9.62.1
prompt hostname context
Cryptochecksum:a088edeaa67e0acbf566a130bc23e19f
: end
asdm image disk0:/asdm-603.bin
no asdm history enable

0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 21885610
You know what :-) I typed it in wrong;

>>access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
>>access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0

See, the access-list's first network address specifies the source and the second specifies the destination.

In the vpn connection, the source is 10.9.62.0/24 and destination should be 10.9.63.0/24.

So it should read;

access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0

My bad. Apologies.

Cheers,
Rajesh

0
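The direction rule Rajesh spells out here (and in his earlier post above) is easy to get backwards, so here is an added example, not from this thread and not Cisco tooling, that lints an ASA 7.x/8.0 text config for exactly that. It reads the inside interface's subnet and the `ip local pool` network, checks that the `nat (inside) 0` ACL and the dynamic map's `match address` ACL permit inside-LAN-to-pool (a source of `any` is accepted, as in the first config posted), and warns when a dynamic-map entry with `match address` lacks `set reverse-route`. The parser only models the ACL forms that appear in the posted configs (`any`, `host`, network/mask, and a source port qualifier); the function names, the `lint_vpn` finding format and the constructed sample skeleton (inside 10.9.62.0/24, pool 10.9.63.0/24) are my assumptions, not anything a poster used.

```python
"""Added example (not from the thread, not Cisco tooling): lint an ASA 7.x/8.0 text
config for the nat0 / crypto-map ACL direction error discussed above and for RRI."""
import ipaddress
import re

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+(.*)$")
POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)-(\S+)\s+mask\s+(\S+)")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)")
DYN_RE = re.compile(r"^crypto dynamic-map\s+(\S+)\s+(\d+)\s+(match address\s+(\S+)|set reverse-route)")

def _take_addr(tokens):
    """Consume one ACL address (any | host A | NET MASK); return it and the remaining tokens."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(text):
    """Collect interface subnets, pools, extended ACL entries, nat0 and dynamic-map facts."""
    f = {"ifaces": {}, "pools": {}, "acls": {}, "nat0": {}, "dyn": {}}
    nameif = None
    for line in text.splitlines():
        s = line.strip()
        if line.startswith("interface "):
            nameif = None
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s.startswith("ip address ") and nameif:
            f["ifaces"][nameif] = ipaddress.ip_network("/".join(s.split()[2:4]), strict=False)
        elif m := POOL_RE.match(line):
            f["pools"][m[1]] = ipaddress.ip_network(f"{m[2]}/{m[4]}", strict=False)
        elif m := ACL_RE.match(line):
            try:
                src, rest = _take_addr(m[3].split())
                if rest and rest[0] in ("eq", "gt", "lt", "neq", "range"):  # source port qualifier
                    rest = rest[3 if rest[0] == "range" else 2:]
                dst, _ = _take_addr(rest)
                f["acls"].setdefault(m[1], []).append((m[2], src, dst))
            except (ValueError, IndexError):
                pass  # object-group and other forms this toy parser does not model
        elif m := NAT0_RE.match(line):
            f["nat0"][m[1]] = m[2]
        elif m := DYN_RE.match(line):  # group 4 is the ACL for 'match address', None for reverse-route
            f["dyn"].setdefault((m[1], int(m[2])), {})["match" if m[4] else "rri"] = m[4] or True
    return f

def _covers(scope, net):
    return scope == "any" or (isinstance(scope, ipaddress.IPv4Network) and net.subnet_of(scope))

def _direction(entries, inside, pool):
    """'ok' if an entry permits inside->pool, 'reversed' if only pool->inside, else 'missing'."""
    verdict = "missing"
    for _proto, src, dst in entries:
        if _covers(src, inside) and _covers(dst, pool):
            return "ok"
        if _covers(src, pool) and _covers(dst, inside):
            verdict = "reversed"
    return verdict

def lint_vpn(text, inside_if="inside"):
    """Return OK / WARN / ERROR findings for the inside interface and the single address pool."""
    f = parse_config(text)
    inside, pools = f["ifaces"].get(inside_if), f["pools"]
    if inside is None or len(pools) != 1:
        return [f"ERROR need an ip address on {inside_if} and exactly one ip local pool"]
    (pool_name, pool), out = next(iter(pools.items())), []
    acl = f["nat0"].get(inside_if)  # None when no 'nat (inside) 0 access-list' exists
    v = _direction(f["acls"].get(acl, []), inside, pool)
    out.append(f"{'OK' if v == 'ok' else 'ERROR'} nat ({inside_if}) 0 acl {acl} is {v} (want src {inside} dst {pool})")
    for (dmap, seq), attrs in sorted(f["dyn"].items()):
        if "match" not in attrs:
            continue
        v = _direction(f["acls"].get(attrs["match"], []), inside, pool)
        out.append(f"{'OK' if v == 'ok' else 'ERROR'} dynamic-map {dmap} {seq} match address {attrs['match']} is {v}")
        if not attrs.get("rri"):
            out.append(f"WARN dynamic-map {dmap} {seq} has match address but no set reverse-route")
    return out

LAN, POOL = "10.9.62.0 255.255.255.0", "10.9.63.0 255.255.255.0"
def sample_config(src, dst, rri=True):
    """Constructed skeleton modelled on the posted configs; only the lines the linter reads."""
    rri_line = "crypto dynamic-map outside_dyn_map 10 set reverse-route\n" if rri else ""
    return (
        "interface Vlan1\n nameif inside\n ip address 10.9.62.253 255.255.255.0\n!\n"
        "access-list acl_out extended permit tcp any eq 587 any eq smtp\n"
        f"access-list outside_cryptomap_dyn_20 extended permit ip {src} {dst}\n"
        f"access-list inside_nat0_outbound extended permit ip {src} {dst}\n"
        "ip local pool ippool 10.9.63.1-10.9.63.100 mask 255.255.255.0\n"
        "nat (inside) 0 access-list inside_nat0_outbound\n"
        "crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20\n"
        "crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA\n"
        f"{rri_line}crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map\n"
    )

REVERSED_CONFIG = sample_config(POOL, LAN)  # the direction in the 8.0(3) config posted above
FIXED_CONFIG = sample_config(LAN, POOL)     # Rajesh's corrected direction
```

`lint_vpn(open("show-run.txt").read())` returns the finding list for a saved `show running-config`; `lint_vpn(REVERSED_CONFIG)` reports both ACLs as reversed and `lint_vpn(FIXED_CONFIG)` reports both OK. It deliberately does not look for `sysopt connection permit-vpn`, which (as noted above) only appears under `show run sysopt`, nor at the group-policy split-tunnel settings.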
 

Author Comment

by:Mark2234
ID: 21885936
With the above lines changed, I can now only see ICMP traffic when I ping a 10.9.63.X address from the client (there is no response because there are no machines on the LAN with such an address).  No traffic to a 10.9.62.X address, including the inside interface of the ASA, shows up in an ICMP trace.

Also, do I need the line:
access-list outside_cryptomap_dyn_20 extended permit udp 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
0

 
LVL 32

Expert Comment

by:rsivanandan
ID: 21886359
>>there is no response because there are no machines on the lan with such an address

I don't understand, you have your internal LAN on this range (10.9.62.x), right? Your VPN Client would be on the 10.9.63.x network. From that machine try pinging a 10.9.62.x address which is on the LAN.

Yes you don't need the acl for udp there.

If it still doesn't work. Can you post these things as below;

1. Your current config.

2. route print output from the client when it connected to VPN.

3. A traceroute to 10.9.62.x machine from the client when it is connected to VPN.

Post these here and I'll take a look at it tomorrow morning my time.

Cheers,
Rajesh
 

Author Comment

by:Mark2234
ID: 21886732
Hi Rajesh,

Thanks so much for helping out on this.  

You are correct, by the way: the network behind the firewall is in the 10.9.62.0/24 range, and the ippool for the VPN clients is in the 10.9.63.0 range.

The output of the route print is interesting:
Network Dest        Netmask              Gateway          Interface           Metric
         0.0.0.0          0.0.0.0          192.168.16.254   192.168.16.127     20
        10.9.62.0    255.255.255.0        10.9.63.1       10.9.63.50    100
        10.9.63.0    255.255.255.0         On-link        10.9.63.50    276
        10.9.63.0    255.255.255.0        10.9.63.1       10.9.63.50    100
       10.9.63.50  255.255.255.255         On-link        10.9.63.50    276
      10.9.63.255  255.255.255.255         On-link        10.9.63.50    276
     77.44.77.218  255.255.255.255   192.168.16.254   192.168.16.127    100
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.16.0    255.255.255.0         On-link    192.168.16.127    276
     192.168.16.1  255.255.255.255         On-link    192.168.16.127    100
   192.168.16.127  255.255.255.255         On-link    192.168.16.127    276
   192.168.16.255  255.255.255.255         On-link    192.168.16.127    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.16.127    277
        224.0.0.0        240.0.0.0         On-link        10.9.63.50    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.16.127    276
  255.255.255.255  255.255.255.255         On-link        10.9.63.50    276

A tracert to a 10.9.62.X address times out - which given the routing information isn't a surprise.

The current version of the code is below.

Thanks

Mark.
         
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name original106.local
enable password 6jr.Xa4ijcMRJ2uX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.9.62.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 77.44.77.218 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name original106.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
 description Allow TCP inbound connections
 port-object eq smtp
 port-object eq pptp
 port-object eq https
 port-object eq www
 port-object eq echo
 port-object eq 3389
object-group protocol MyProtocolServices
 protocol-object gre
object-group service MyUDPConnections udp
 port-object range 4500 4500
 port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq ident
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit tcp any any eq pptp
access-list acl_out extended permit tcp any eq 587 any eq smtp
access-list acl_out extended permit udp any eq 587 any eq 25
access-list acl_out extended permit tcp any any eq pop3
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list OriginalSol_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.50-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 77.44.77.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  svc ask none default svc
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 default-acl  unused
 reval-period 36000
 sq-period 300
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
    308201cc 30820135 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
    2c311130 0f060355 04031308 63697363 6f617361 31173015 06092a86 4886f70d
    01090216 08636973 636f6173 61301e17 0d303830 36323232 31343031 365a170d
    31383036 32303231 34303136 5a302c31 11300f06 03550403 13086369 73636f61
    73613117 30150609 2a864886 f70d0109 02160863 6973636f 61736130 819f300d
    06092a86 4886f70d 01010105 0003818d 00308189 02818100 b2d34eae a32556ad
    2b9d1747 63aef9a7 aa2d8f42 b2579008 12d0ee99 4629b3d3 42219061 cbb13013
    abc856f0 e1e685cc 83e8789c fd42c820 84304924 8a4ff377 3e3d2dfd 44c69dfa
    41a53007 5f145916 ce9eaeac ec37a3d0 362d45a5 661ed30e dbe4ee8b cb718083
    365756e1 7e5dd819 956e9de2 cd6c4199 bd5a9ee4 1751a613 02030100 01300d06
    092a8648 86f70d01 01040500 03818100 3783b827 489193e6 4b769a50 8d827b77
    0802b366 e0f7d8d5 0fa6cb77 d9e97347 c4c8689d d6a44e08 8571033e f27afa13
    8c716e0e 8ef7e65a 0d16c99b 0d4714d3 82e31e77 91ed7eec 3d56924e 2d8d21a4
    9fd4af14 1df0a0bd e7280b2b c919cfa5 7114ba7a fbe8d9ad 1fc01d0a 1795e637
    df70fb44 81c5c720 f538604e 8ab43cb3
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
 csd enable
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc profiles Default disk0:/dap.xml
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 pfs enable
 ipsec-udp enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value ippool
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask none default svc
  customization value DfltCustomization
group-policy OriginalSol internal
group-policy OriginalSol attributes
 wins-server value 10.9.62.1
 dns-server value 10.9.62.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OriginalSol_splitTunnelAcl
 default-domain value original106.local
username mark.robinson password fgfaddJl/KVjPIir encrypted privilege 0
username mark.robinson attributes
 vpn-group-policy OriginalSol
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group OriginalSol type remote-access
tunnel-group OriginalSol general-attributes
 address-pool ippool
 default-group-policy OriginalSol
tunnel-group OriginalSol ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
smtp-server 10.9.62.1
prompt hostname context
Cryptochecksum:8bf74093ad45a9d90379655a7f7c9118
: end
asdm image disk0:/asdm-603.bin
no asdm history enable
 

       

 
LVL 6

Expert Comment

by:raptorjb007
ID: 21888381
You should change:

access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0

to:

no access-list outside_cryptomap_dyn_20 extended permit udp 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0

Specifically, this removes the "permit udp" line in the ACL, as the "permit ip" line includes UDP. Also, I had to reverse the order of the subnets in your crypto map and nat0 ACLs. The first subnet should always be the inside VLAN on your ASA and the second subnet the ippool of the VPN. rsivanandan stated this in a previous post but it is easy to miss.

I would also suggest you remove the ippool subnet from the OriginalSol_splitTunnelAcl access-list.

no access-list OriginalSol_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0

You already have "sysopt connection permit-vpn" and RRI (set reverse-route) configured. Beyond that and the changes rsivanandan suggested (reversing the subnets in the ACLs), I do not see any misconfiguration.

Please make these changes, test and repost your config. If it does not work at that point I will see about setting up a test lab environment to test this.

Below is a summary of suggested config changes:
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
no access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
no access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
no access-list OriginalSol_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0

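The source/destination rule that rsivanandan and raptorjb007 give above (inside LAN first, VPN pool second, and no separate "permit udp" beside "permit ip") as an added lint script; this is not code from the thread or from Cisco. It parses an ASA 8.0 running-config for the inside interface subnet, the ip local pool and the nat 0 ACL, and flags LAN-to-pool ACL entries that are reversed or redundant. The sample config is a constructed excerpt of the relevant lines from the first posted config.

```python
"""Lint the nat 0 and crypto-map ACLs of an ASA 8.0 remote-access VPN config.

Added example, not code from the thread or from Cisco: in these ACLs the first
subnet must be the inside LAN and the second the VPN pool."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt of the first posted config, with the subnets in the
# order the replies say is reversed.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.9.62.253 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
ip local pool ippool 10.9.63.50-10.9.63.100 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
ACE_RE = re.compile(rf"^access-list (\S+) extended permit (\S+) {IPV4} {IPV4} {IPV4} {IPV4}$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
POOL_RE = re.compile(rf"^ip local pool \S+ {IPV4}-{IPV4} mask {IPV4}$")
ADDR_RE = re.compile(rf"^ip address {IPV4} {IPV4}$")


@dataclass
class Ace:
    acl: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _net(addr, mask):
    # strict=False turns an interface or pool address into its subnet.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Return (inside_net, pool_net, nat0_acl_name, [Ace, ...])."""
    inside = pool = nat0 = None
    in_inside = False
    aces = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_inside = False          # a new interface block starts
        elif line == "nameif inside":
            in_inside = True
        elif in_inside and (m := ADDR_RE.match(line)):
            inside = _net(*m.groups())
        elif m := POOL_RE.match(line):
            pool = _net(m.group(1), m.group(3))
        elif m := NAT0_RE.match(line):
            nat0 = m.group(1)
        elif m := ACE_RE.match(line):
            acl, proto, s, sm, d, dm = m.groups()
            aces.append(Ace(acl, proto, _net(s, sm), _net(d, dm)))
    return inside, pool, nat0, aces


def corrected(ace):
    """The entry rewritten with the LAN first and the pool second."""
    return (f"access-list {ace.acl} extended permit ip "
            f"{ace.dst.network_address} {ace.dst.netmask} "
            f"{ace.src.network_address} {ace.src.netmask}")


def lint(config):
    """Return (acl, problem, suggested_line) tuples; an empty list means clean."""
    inside, pool, nat0, aces = parse(config)
    if inside is None or pool is None:
        return [("-", "inside interface address or ip local pool not found", "")]
    findings = []
    if nat0 and not any(a.acl == nat0 for a in aces):
        findings.append((nat0, "referenced by nat 0 but has no network-to-network permit entries", ""))
    for a in aces:
        if {a.src, a.dst} != {inside, pool}:
            continue                   # not a LAN<->pool entry; outside this check
        if a.src == pool:
            findings.append((a.acl, "reversed: source must be the inside LAN, destination the VPN pool", corrected(a)))
        if a.proto != "ip":
            findings.append((a.acl, f"redundant: 'permit {a.proto}' is already covered by 'permit ip'", ""))
    return findings


if __name__ == "__main__":
    for acl, problem, fix in lint(SAMPLE_CONFIG):
        print(f"{acl}: {problem}" + (f"\n    -> {fix}" if fix else ""))
```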
 
LVL 32

Expert Comment

by:rsivanandan
ID: 21889086
Mark,
 
  You still have the access-list wrong. It is not as I asked you to do it;

It should read the below;

access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0

Just do this; copy and paste the below;

no access-list outside_cryptomap_dyn_20
no access-list inside_nat0_outbound
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0

and do a save.

After that try connecting.

Cheers,
Rajesh


 

Author Comment

by:Mark2234
ID: 21897231
Hi,

I have changed the lines as suggested, but am still getting the same results.  I can ping and get a response from the inside interface of the ASA, but cannot get a response from anything on the LAN inside the firewall.  I have also tried connecting to a machine inside, just in case pings were not allowed, but with no luck.

The config is below showing the changes, and the route print is also attached.

Your help is really appreciated.

Thanks

Mark.


IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     77.102.238.1    77.102.238.79     20
        10.9.62.0    255.255.255.0        10.9.63.1       10.9.63.50    100
        10.9.63.0    255.255.255.0        10.9.63.1       10.9.63.50    100
       10.9.63.50  255.255.255.255         On-link        10.9.63.50    276
    62.30.112.122  255.255.255.255     77.102.238.1    77.102.238.79    100
     77.44.77.218  255.255.255.255     77.102.238.1    77.102.238.79    100
     77.102.238.0    255.255.255.0         On-link     77.102.238.79    276
    77.102.238.79  255.255.255.255         On-link     77.102.238.79    276
   77.102.238.255  255.255.255.255         On-link     77.102.238.79    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     77.102.238.79    277
        224.0.0.0        240.0.0.0         On-link        10.9.63.50    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     77.102.238.79    276
  255.255.255.255  255.255.255.255         On-link        10.9.63.50    276

: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name XX.local
enable password 6jr.Xa4ijcMRJ2uX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.9.62.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.218 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name original106.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
 description Allow TCP inbound connections
 port-object eq smtp
 port-object eq pptp
 port-object eq https
 port-object eq www
 port-object eq echo
 port-object eq 3389
object-group protocol MyProtocolServices
 protocol-object gre
object-group service MyUDPConnections udp
 port-object range 4500 4500
 port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq ident
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit tcp any any eq pptp
access-list acl_out extended permit tcp any eq 587 any eq smtp
access-list acl_out extended permit udp any eq 587 any eq 25
access-list acl_out extended permit tcp any any eq pop3
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.50-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 XX.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  svc ask none default svc
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 default-acl  unused
 reval-period 36000
 sq-period 300
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
    308201cc 30820135 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
    2c311130 0f060355 04031308 63697363 6f617361 31173015 06092a86 4886f70d
    01090216 08636973 636f6173 61301e17 0d303830 36323232 31343031 365a170d
    31383036 32303231 34303136 5a302c31 11300f06 03550403 13086369 73636f61
    73613117 30150609 2a864886 f70d0109 02160863 6973636f 61736130 819f300d
    06092a86 4886f70d 01010105 0003818d 00308189 02818100 b2d34eae a32556ad
    2b9d1747 63aef9a7 aa2d8f42 b2579008 12d0ee99 4629b3d3 42219061 cbb13013
    abc856f0 e1e685cc 83e8789c fd42c820 84304924 8a4ff377 3e3d2dfd 44c69dfa
    41a53007 5f145916 ce9eaeac ec37a3d0 362d45a5 661ed30e dbe4ee8b cb718083
    365756e1 7e5dd819 956e9de2 cd6c4199 bd5a9ee4 1751a613 02030100 01300d06
    092a8648 86f70d01 01040500 03818100 3783b827 489193e6 4b769a50 8d827b77
    0802b366 e0f7d8d5 0fa6cb77 d9e97347 c4c8689d d6a44e08 8571033e f27afa13
    8c716e0e 8ef7e65a 0d16c99b 0d4714d3 82e31e77 91ed7eec 3d56924e 2d8d21a4
    9fd4af14 1df0a0bd e7280b2b c919cfa5 7114ba7a fbe8d9ad 1fc01d0a 1795e637
    df70fb44 81c5c720 f538604e 8ab43cb3
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
 csd enable
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc profiles Default disk0:/dap.xml
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 pfs enable
 ipsec-udp enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value ippool
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask none default svc
  customization value DfltCustomization
group-policy OriginalSol internal
group-policy OriginalSol attributes
 wins-server value 10.9.62.1
 dns-server value 10.9.62.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OriginalSol_splitTunnelAcl
 default-domain value original106.local
username mark.robinson password fgfaddJl/KVjPIir encrypted privilege 0
username mark.robinson attributes
 vpn-group-policy OriginalSol
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group OriginalSol type remote-access
tunnel-group OriginalSol general-attributes
 address-pool ippool
 default-group-policy OriginalSol
tunnel-group OriginalSol ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
smtp-server 10.9.62.1
prompt hostname context
Cryptochecksum:8bf74093ad45a9d90379655a7f7c9118
: end
asdm image disk0:/asdm-603.bin
no asdm history enable

 
LVL 32

Expert Comment

by:rsivanandan
ID: 21897447
>>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

Shouldn't the above be;

crypto map outside_map 65535 ipsec-isakmp dynamic outside_cryptomap_dyn_20?

Cheers,
Rajesh
 

Author Comment

by:Mark2234
ID: 21898300
I see what you mean.  I changed the access-list name instead so that they now match.  Although I now realise I have an access-list and a crypto map with the same name; would this cause any issues?

I still can't get access inside the LAN, or get ping responses. Any other mistakes that you can see?

Thanks

Mark.

: Saved

:

ASA Version 8.0(3) 

!

hostname ciscoasa

domain-name original106.local

enable password 6jr.Xa4ijcMRJ2uX encrypted

names

name 10.9.62.1 RDJServer

!

interface Vlan1

 nameif inside

 security-level 100

 ip address 10.9.62.253 255.255.255.0 

!

interface Vlan2

 nameif outside

 security-level 0

 ip address 77.44.77.218 255.255.255.248 

!

interface Vlan3

 no forward interface Vlan1

 nameif dmz

 security-level 50

 no ip address

!

interface Ethernet0/0

 switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

 switchport access vlan 3

!

interface Ethernet0/6

 switchport access vlan 3

!

interface Ethernet0/7

 switchport access vlan 3

!

passwd 6jr.Xa4ijcMRJ2uX encrypted

boot system disk0:/asa803-k8.bin

ftp mode passive

dns server-group DefaultDNS

 domain-name original106.local

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service MyTCPServices tcp

 description Allow TCP inbound connections

 port-object eq smtp

 port-object eq pptp

 port-object eq https

 port-object eq www

 port-object eq echo

 port-object eq 3389

object-group protocol MyProtocolServices

 protocol-object gre

object-group service MyUDPConnections udp

 port-object range 4500 4500

 port-object eq isakmp

access-list acl_out extended permit tcp any any eq smtp 

access-list acl_out extended permit tcp any any eq ident 

access-list acl_out extended permit gre any any 

access-list acl_out extended permit tcp any any eq https 

access-list acl_out extended permit tcp any any eq pptp 

access-list acl_out extended permit tcp any eq 587 any eq smtp 

access-list acl_out extended permit udp any eq 587 any eq 25 

access-list acl_out extended permit tcp any any eq pop3 

access-list inside_access_in extended permit ip any any 

access-list inside_access_in extended permit udp any any 

access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0 

access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0 

access-list outside_dyn_map extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0 

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool ippool 10.9.63.50-10.9.63.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255 

static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255 

route outside 0.0.0.0 0.0.0.0 77.44.77.217 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

 webvpn

  svc ask none default svc

nac-policy DfltGrpPolicy-nac-framework-create nac-framework

 default-acl  unused

 reval-period 36000

 sq-period 300

http server enable

http 10.9.62.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 

crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 10 set reverse-route

crypto dynamic-map outside_dyn_map 20 set pfs 

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5

crypto dynamic-map outside_dyn_map 20 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

 enrollment self

 fqdn ciscoasa

 subject-name CN=ciscoasa

 no client-types

 crl configure

crypto ca certificate chain ASDM_TrustPoint0

 certificate 31

    308201cc 30820135 a0030201 02020131 300d0609 2a864886 f70d0101 04050030 

    2c311130 0f060355 04031308 63697363 6f617361 31173015 06092a86 4886f70d 

    01090216 08636973 636f6173 61301e17 0d303830 36323232 31343031 365a170d 

    31383036 32303231 34303136 5a302c31 11300f06 03550403 13086369 73636f61 

    73613117 30150609 2a864886 f70d0109 02160863 6973636f 61736130 819f300d 

    06092a86 4886f70d 01010105 0003818d 00308189 02818100 b2d34eae a32556ad 

    2b9d1747 63aef9a7 aa2d8f42 b2579008 12d0ee99 4629b3d3 42219061 cbb13013 

    abc856f0 e1e685cc 83e8789c fd42c820 84304924 8a4ff377 3e3d2dfd 44c69dfa 

    41a53007 5f145916 ce9eaeac ec37a3d0 362d45a5 661ed30e dbe4ee8b cb718083 

    365756e1 7e5dd819 956e9de2 cd6c4199 bd5a9ee4 1751a613 02030100 01300d06 

    092a8648 86f70d01 01040500 03818100 3783b827 489193e6 4b769a50 8d827b77 

    0802b366 e0f7d8d5 0fa6cb77 d9e97347 c4c8689d d6a44e08 8571033e f27afa13 

    8c716e0e 8ef7e65a 0d16c99b 0d4714d3 82e31e77 91ed7eec 3d56924e 2d8d21a4 

    9fd4af14 1df0a0bd e7280b2b c919cfa5 7114ba7a fbe8d9ad 1fc01d0a 1795e637 

    df70fb44 81c5c720 f538604e 8ab43cb3

  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
 csd enable
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc profiles Default disk0:/dap.xml
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 pfs enable
 ipsec-udp enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value ippool
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask none default svc
  customization value DfltCustomization
group-policy OriginalSol internal
group-policy OriginalSol attributes
 wins-server value 10.9.62.1
 dns-server value 10.9.62.1
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OriginalSol_splitTunnelAcl
 default-domain value original106.local
username mark.robinson password fgfaddJl/KVjPIir encrypted privilege 0
username mark.robinson attributes
 vpn-group-policy OriginalSol
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group OriginalSol type remote-access
tunnel-group OriginalSol general-attributes
 address-pool ippool
 default-group-policy OriginalSol
tunnel-group OriginalSol ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
smtp-server 10.9.62.1
prompt hostname context
Cryptochecksum:878796cb1963a1bc07b80651ccc7ff4c
: end
asdm image disk0:/asdm-603.bin
no asdm history enable
Author Comment

by:Mark2234
ID: 21901138
I have done a bit more investigation on this, and things are slightly better than before.

When running an ICMP trace on the firewall, I can see incoming pings to machines on the LAN, coming from the VPN client, but there are no replies. As before, I get a response from pinging the inside interface of the firewall from the VPN client.

Does this indicate a further issue with the cryptomap routing?

Thanks so much for your help on this, it is really appreciated.
LVL 6

Expert Comment

by:raptorjb007
ID: 21901219
Are there any software firewalls enabled on the clients?

Author Comment

by:Mark2234
ID: 21901362
Each time I try a revised configuration I make sure I try it with the client firewall turned off.
LVL 32

Expert Comment

by:rsivanandan
ID: 21904478
The internal machines have the ASA as their default gateway right? If true, then on ASA run this command;

show running-config sysopt

to see if the proxy-arp is disabled.

Proxy Arp is used for the return traffic.

Cheers,
Rajesh

Author Comment

by:Mark2234
ID: 21905789
Thanks Rajesh,

Proxy Arp wasn't disabled.  I cleared the Arp Cache as a Cisco connection troubleshooting guide suggested, but still no difference.

Thanks

Mark.
LVL 32

Expert Comment

by:rsivanandan
ID: 21906094
Still can you post the output of that command?

Cheers,
Rajesh

Author Comment

by:Mark2234
ID: 21906213
Here it is:

ciscoasa# sh running-config sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
no sysopt connection reclassify-vpn
LVL 32

Expert Comment

by:rsivanandan
ID: 21907979
hmm. I'm stumped. That is all you need for this to work;

>>access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0

The split-tunnel acl if you're using it should be as below;

access-list OriginalSol_splitTunnelAcl extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0

That is all that is needed.

Cheers,
Rajesh
LVL 32

Expert Comment

by:rsivanandan
ID: 21908000
Also just try this once again;

no crypto isakmp enable outside
crypto isakmp enable outside


and see if that makes any difference (it only disables and enables it again).

Cheers,
Rajesh
LVL 6

Expert Comment

by:raptorjb007
ID: 21977587
Any updates to this situation?

Accepted Solution

by:
Mark2234 earned 0 total points
ID: 23338222
The problem revolved around a small workgroup of computers that were also attached to the internal LAN using the IP address range that I had allocated to the VPN pool.  This was obviously causing routing issues.  Once I tried a range outside that used by the LAN and the workgroup, everything worked as it should have done from the beginning.
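As an added example (not from the thread or any of its posters), a small Python check that parses the `ip local pool`, interface `ip address` and standard split-tunnel ACL lines of an ASA config and flags a VPN address pool that overlaps a LAN-side network, which is the root cause reported above. The interface and ACL lines mirror the posted config; the `ip local pool` line is an assumption, since the thread never shows the pool definition, and is constructed to reproduce the overlap.

```python
import ipaddress
import re

# Constructed sample config. The interface and split-tunnel ACL lines mirror the
# posted config; the "ip local pool" line is an assumption (the thread never shows
# the pool definition) chosen to reproduce the overlap the accepted solution describes.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.9.62.253 255.255.255.0
ip local pool ippool 10.9.62.200-10.9.62.220 mask 255.255.255.0
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
IFACE_IP_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
STD_ACL_RE = re.compile(r"^access-list \S+ standard permit (\S+) (\S+)")


def parse_networks(config):
    """Return (pools, lan_nets): pool name -> (first, last) address, plus distinct LAN-side networks."""
    pools, lan_nets = {}, []
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            continue
        m = IFACE_IP_RE.match(line) or STD_ACL_RE.match(line)
        if m:
            # strict=False turns an interface host address plus mask into its subnet.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if net not in lan_nets:
                lan_nets.append(net)
    return pools, lan_nets


def pool_conflicts(config):
    """List (pool_name, network) pairs where a VPN pool overlaps a LAN-side network."""
    pools, lan_nets = parse_networks(config)
    conflicts = []
    for name, (first, last) in pools.items():
        for net in lan_nets:
            # The pool range and the subnet overlap unless one lies wholly
            # below or above the other.
            if first <= net.broadcast_address and last >= net.network_address:
                conflicts.append((name, str(net)))
    return conflicts
```

Running `pool_conflicts` on the sample flags `ippool` against `10.9.62.0/24`; moving the pool to an unused range such as 10.9.64.x (a constructed value) clears the conflict.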