Solved

Cisco ASA 5505 VPN connection not providing outbound data to VPN client

Posted on 2008-06-19
Last Modified: 2009-01-14
I have a Cisco ASA 5505 Firewall installed and am trying to establish a VPN connection using the Cisco VPN client.  

The VPN client connects ok, and the client shows outbound data.  The ASA shows incoming data.  However, there is no outbound data from the ASA to the client.

I have spent the day on this trying various suggestions that I found on the web, but have made no progress.  I have attached the config below, and any help would be gratefully received.
ASA Version 7.2(3) 
!
hostname ciscoasa
domain-name XX.local
enable password XX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.9.62.253 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.218 255.255.255.248 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name XX.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
 description Allow TCP inbound connections
 port-object eq smtp
 port-object eq pptp
 port-object eq https
 port-object eq www
 port-object eq echo
 port-object eq 3389
object-group protocol MyProtocolServices
 protocol-object gre
object-group service MyUDPConnections udp
 port-object range 4500 4500
 port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp 
access-list acl_out extended permit tcp any any eq ident 
access-list acl_out extended permit gre any any 
access-list acl_out extended permit tcp any any eq https 
access-list acl_out extended permit tcp any any eq pptp 
access-list acl_out extended permit tcp any eq 587 any eq smtp 
access-list acl_out extended permit udp any eq 587 any eq 25 
access-list acl_out extended permit tcp any any eq pop3 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit udp any any 
access-list RemoteWorker_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0 
access-list RemoteWorker_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0 
access-list RemWorker_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0 
access-list RemWorker_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0 
access-list outside_access_in extended permit udp any any 
access-list outside_cryptomap_dyn_20 extended permit ip any 10.9.63.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.1-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XX.XX.XX.218 smtp RDJServer smtp netmask 255.255.255.255 
static (inside,outside) tcp interface https RDJServer https netmask 255.255.255.255 
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs enable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy RemWorker internal
group-policy RemWorker attributes
 wins-server value 10.9.62.1
 dns-server value 10.9.62.1
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemWorker_splitTunnelAcl
 default-domain value original106.local
username RobinM20 password yfCCyLP1t45Wo2.6 encrypted privilege 0
username RobinM20 attributes
 vpn-group-policy RemWorker
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group RemWorker type ipsec-ra
tunnel-group RemWorker general-attributes
 address-pool ippool
 default-group-policy RemWorker
tunnel-group RemWorker ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:bd1ee9e07a62ac604bca2a66f68cb8f6
: end
asdm image disk0:/asdm-523.bin
no asdm history enable

Question by:Mark2234
38 Comments
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21825118
Try using the following command to allow VPN traffic to bypass the ACL's.

sysopt connection permit-ipsec

If that doesn't help let me know and I will inspect he configuration in more detail.
 

Author Comment

by:Mark2234
ID: 21825891
Still the same with this command in.  Traffic in one direction only from VPN client to ASA, but not back.

Thanks for the suggestion though.
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21828056
Looks like you need to enable RRI(Reverse route injection) to add routes to the VPN clients.

crypto dynamic-map outside_dyn_map 20 set reverse-route

Author Comment

by:Mark2234
ID: 21828770
I think I'd tried this before, but still no luck.  Also, with previous PIX devices, the sysopt connection permit-ipsec that you suggested has worked, but on the ASA, although the command looks to have been accepted, it doesn't show up in the sh conf - is this normal?

Since a few lines have changed, I have attached the current sh conf.


: Saved
:
ASA Version 7.2(3) 
!
hostname ciscoasa
domain-name XX.local
enable password 6jr.Xa4ijcMRJ2uX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.9.62.253 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.218 255.255.255.248 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name XX.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
 description Allow TCP inbound connections
 port-object eq smtp
 port-object eq pptp
 port-object eq https
 port-object eq www
 port-object eq echo
 port-object eq 3389
object-group protocol MyProtocolServices
 protocol-object gre
object-group service MyUDPConnections udp
 port-object range 4500 4500
 port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp 
access-list acl_out extended permit tcp any any eq ident 
access-list acl_out extended permit gre any any 
access-list acl_out extended permit tcp any any eq https 
access-list acl_out extended permit tcp any any eq pptp 
access-list acl_out extended permit tcp any eq 587 any eq smtp 
access-list acl_out extended permit udp any eq 587 any eq 25 
access-list acl_out extended permit tcp any any eq pop3 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit udp any any 
access-list RemoteWorker_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0 
access-list RemoteWorker_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0 
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0 
access-list RemWorker_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0 
access-list RemWorker_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0 
access-list outside_cryptomap_dyn_20 extended permit ip any 10.9.63.0 255.255.255.0 
access-list outside_cryptomap_dyn_20 extended permit udp any 10.9.63.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.1-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XX.218 smtp RDJServer smtp netmask 255.255.255.255 
static (inside,outside) tcp interface https RDJServer https netmask 255.255.255.255 
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255 
route outside 0.0.0.0 0.0.0.0 XX.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs enable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy RemWorker internal
group-policy RemWorker attributes
 wins-server value 10.9.62.1
 dns-server value 10.9.62.1
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemWorker_splitTunnelAcl
 default-domain value XX.local
username RobinM20 password yfCCyLP1t45Wo2.6 encrypted privilege 0
username RobinM20 attributes
 vpn-group-policy RemWorker
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group RemWorker type ipsec-ra
tunnel-group RemWorker general-attributes
 address-pool ippool
 default-group-policy RemWorker
tunnel-group RemWorker ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:7f8523b477fde0a86d57e5428e76c008
: end
asdm image disk0:/asdm-523.bin
no asdm history enable

 
LVL 6

Expert Comment

by:raptorjb007
ID: 21830571
It should definitely show; it has on all my ASA devices. Definitely odd, perhaps it's worth a software update to 8.x.
 

Author Comment

by:Mark2234
ID: 21841051
After a bit of a fight, I have upgraded the ASA to version 8.03, and the ASDM to version 6.03.  I still have the same VPN connection problem, and still cannot see the sysopt connection permit-ipsec command, although it is accepted without errors when entered in the CLI.

Is there anything else I could try / could have missed?

Thanks in advance
 

Expert Comment

by:dkattan
ID: 21860955
I am having the exact same problem. Have you made any progress?
 

Author Comment

by:Mark2234
ID: 21864063
I've still had no luck with this problem.  I'll spend some more time on it tomorrow, but if anyone does have any suggestions it would be great.
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21864672
My mistake, it's not displayed in "sh run" but in "sh run sysopt" instead.

for version 8.x try using "sysopt connection permit-vpn"

Let me know if that works as I see RRI is also now enabled.
 

Author Comment

by:Mark2234
ID: 21865009
Thanks for that.

A sh run sysopt gives the following confirmation that sysopt connection permit-vpn was already in there.

ciscoasa# sh run sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
no sysopt connection reclassify-vpn

Do I need to enable any of the other commands?

Also, it must be related, but in the ASDM log I see the following error after connecting the VPN, and also when I try and send any data over the VPN.

IKE Initiator unable to find policy: Intf outside Src 10.9.63.1 Dst: 10.9.63.255

Does this help point us in the right direction?
 

Expert Comment

by:dkattan
ID: 21867195
I was able to get the VPN working in a non-conventional way. I created a VPN IP pool that was within our inside network, and now it is working... however, I had the exact config on an ASA 5510 and VPN worked fine... *shrug*
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21870463
That's definitely odd. Glad it's working for now.  I will still look into this once I get some spare time. So you can leave this open for now.
 

Author Comment

by:Mark2234
ID: 21875631
Changing my ippool to have a range from the internal network didn't help me.  I still am unable to get two way communication, and am getting very frustrated by this.

Please help!!!
 
LVL 32

Expert Comment

by:rsivanandan
ID: 21883739
>>access-list outside_cryptomap_dyn_20 extended permit ip any 10.9.63.0 255.255.255.0
>>access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0


Change the above to as below;

access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0

Then you should be good to go. I'm going to assume that your ip pool still is 10.9.62.0/24

Cheers,
Rajesh

 
LVL 6

Expert Comment

by:raptorjb007
ID: 21884196
Thanks for the review rsivanandan,

It seems I had overlooked the nat0 and crypto map access-lists.
 

Author Comment

by:Mark2234
ID: 21885303
Thanks Rajesh,

Still no luck.  I've attached the current config again just in case I've stupidly changed anything along the way.

I'm still seeing the ASDM syslog message "No translation group found for udp src outside:10.9.63.1/55161 dst inside: RDJServer/53"

From the client, I am able to ping and get a reply from the inside interface of the ASA but an ICMP trace shows no activity either way when pinging a device inside the firewall.

Is there anything else that could be causing this?

Thanks

Mark


: Saved
:
ASA Version 8.0(3) 
!
hostname ciscoasa
domain-name original106.local
enable password 6jr.Xa4ijcMRJ2uX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.9.62.253 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 77.44.77.218 255.255.255.248 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name original106.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
 description Allow TCP inbound connections
 port-object eq smtp
 port-object eq pptp
 port-object eq https
 port-object eq www
 port-object eq echo
 port-object eq 3389
object-group protocol MyProtocolServices
 protocol-object gre
object-group service MyUDPConnections udp
 port-object range 4500 4500
 port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp 
access-list acl_out extended permit tcp any any eq ident 
access-list acl_out extended permit gre any any 
access-list acl_out extended permit tcp any any eq https 
access-list acl_out extended permit tcp any any eq pptp 
access-list acl_out extended permit tcp any eq 587 any eq smtp 
access-list acl_out extended permit udp any eq 587 any eq 25 
access-list acl_out extended permit tcp any any eq pop3 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit udp any any 
access-list OriginalSol_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0 
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0 
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0 
access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.1-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255 
route outside 0.0.0.0 0.0.0.0 77.44.77.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  svc ask none default svc
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 default-acl  unused
 reval-period 36000
 sq-period 300
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
    308201cc 30820135 a0030201 02020131 300d0609 2a864886 f70d0101 04050030 
    2c311130 0f060355 04031308 63697363 6f617361 31173015 06092a86 4886f70d 
    01090216 08636973 636f6173 61301e17 0d303830 36323232 31343031 365a170d 
    31383036 32303231 34303136 5a302c31 11300f06 03550403 13086369 73636f61 
    73613117 30150609 2a864886 f70d0109 02160863 6973636f 61736130 819f300d 
    06092a86 4886f70d 01010105 0003818d 00308189 02818100 b2d34eae a32556ad 
    2b9d1747 63aef9a7 aa2d8f42 b2579008 12d0ee99 4629b3d3 42219061 cbb13013 
    abc856f0 e1e685cc 83e8789c fd42c820 84304924 8a4ff377 3e3d2dfd 44c69dfa 
    41a53007 5f145916 ce9eaeac ec37a3d0 362d45a5 661ed30e dbe4ee8b cb718083 
    365756e1 7e5dd819 956e9de2 cd6c4199 bd5a9ee4 1751a613 02030100 01300d06 
    092a8648 86f70d01 01040500 03818100 3783b827 489193e6 4b769a50 8d827b77 
    0802b366 e0f7d8d5 0fa6cb77 d9e97347 c4c8689d d6a44e08 8571033e f27afa13 
    8c716e0e 8ef7e65a 0d16c99b 0d4714d3 82e31e77 91ed7eec 3d56924e 2d8d21a4 
    9fd4af14 1df0a0bd e7280b2b c919cfa5 7114ba7a fbe8d9ad 1fc01d0a 1795e637 
    df70fb44 81c5c720 f538604e 8ab43cb3
  quit
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000 
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
 csd enable
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc profiles Default disk0:/dap.xml
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 pfs enable
 ipsec-udp enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value ippool
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask none default svc
  customization value DfltCustomization
group-policy OriginalSol internal
group-policy OriginalSol attributes
 wins-server value 10.9.62.1
 dns-server value 10.9.62.1
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain value original106.local
username mark.robinson password fgfaddJl/KVjPIir encrypted privilege 0
username mark.robinson attributes
 vpn-group-policy OriginalSol
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group OriginalSol type remote-access
tunnel-group OriginalSol general-attributes
 address-pool ippool
 default-group-policy OriginalSol
tunnel-group OriginalSol ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
smtp-server 10.9.62.1
prompt hostname context 
Cryptochecksum:a088edeaa67e0acbf566a130bc23e19f
: end
asdm image disk0:/asdm-603.bin
no asdm history enable

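The two ASDM messages quoted in this thread ("No translation group found ..." and "IKE Initiator unable to find policy ...") are worth triaging automatically, because each one names the flow the ASA refused. The script below is an added example by the editor, not code from the thread or from Cisco. It parses constructed sample lines modelled on the quoted text (the `%ASA-3-305005` prefix is the standard syslog ID for "No translation group found"; the IKE line is the poster's text verbatim), resolves the `name` alias `RDJServer` from the posted config, and reports a 305005 whose source is in the VPN pool and destination in the inside subnet as a missing NAT-exempt rule. It also treats an IKE-initiator message whose destination is in the pool as a pointer to the `match address` ACL on the dynamic crypto map; that reading is the editor's, not a diagnosis given in the thread.

```python
"""Triage ASA syslog text for the two symptoms quoted in this thread:
a 305005 "No translation group found" for a flow from the VPN pool into the
inside network, and the ASA acting as IKE initiator toward its own pool."""
import ipaddress
import re

# Constructed sample lines (not captured from the poster's device). The first
# two mirror the ASDM messages quoted above; "%ASA-3-305005" is the standard
# syslog ID for "No translation group found". The IKE line is the poster's text
# verbatim, with no syslog prefix. The last line is a decoy that must not fire.
SAMPLE_LOG = """\
%ASA-3-305005: No translation group found for udp src outside:10.9.63.1/55161 dst inside: RDJServer/53
%ASA-3-305005: No translation group found for icmp src outside:10.9.63.1/0 dst inside:10.9.62.20/0
IKE Initiator unable to find policy: Intf outside Src 10.9.63.1 Dst: 10.9.63.255
%ASA-3-305005: No translation group found for udp src inside:10.9.62.20/5353 dst outside:8.8.8.8/53
"""

# ASA "name" aliases appear in syslog in place of addresses; this one is from
# the posted config.
NAMES = {"RDJServer": "10.9.62.1"}

NO_XLATE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<sifc>\w+):\s*(?P<src>[\w.\-]+)/(?P<sport>\d+) "
    r"dst (?P<difc>\w+):\s*(?P<dst>[\w.\-]+)/(?P<dport>\d+)"
)
IKE_INIT = re.compile(
    r"IKE Initiator unable to find policy: Intf (?P<ifc>\w+),? "
    r"Src:? (?P<src>[\d.]+),? Dst:? (?P<dst>[\d.]+)"
)


def resolve(host, names=NAMES):
    """Turn an ASA name alias or dotted quad into an ip_address."""
    return ipaddress.ip_address(names.get(host, host))


def parse_line(line):
    """Return a dict describing a recognised event, or None for anything else."""
    m = NO_XLATE.search(line)
    if m:
        return {"kind": "no_xlate", **m.groupdict()}
    m = IKE_INIT.search(line)
    if m:
        return {"kind": "ike_init", **m.groupdict()}
    return None


def triage(lines, pool, inside, names=NAMES):
    """Return (code, detail) findings for lines that match the thread's symptoms."""
    pool, inside = ipaddress.ip_network(pool), ipaddress.ip_network(inside)
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, dst = resolve(ev["src"], names), resolve(ev["dst"], names)
        if ev["kind"] == "no_xlate" and src in pool and dst in inside:
            findings.append(("NAT_EXEMPT_MISSING",
                f"{ev['proto']} {src}/{ev['sport']} -> {dst}/{ev['dport']}: "
                "pool-to-inside flow hit no NAT rule; the nat (inside) 0 ACL must "
                "list the inside subnet as source and the pool as destination"))
        elif ev["kind"] == "ike_init" and dst in pool:
            findings.append(("IKE_INITIATOR_TOWARD_POOL",
                f"{src} -> {dst}: the ASA tried to initiate IKE for traffic to its "
                "own client pool; review the match address ACL on the dynamic crypto map"))
    return findings


if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG.splitlines(), "10.9.63.0/24", "10.9.62.0/24"):
        print(code, "-", detail)
```

Feed it the output of `show logging` (or an exported ASDM log) with your own pool and inside subnet; flows from inside hosts out to the Internet that hit 305005 are deliberately ignored, since they are a different NAT problem.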
 
LVL 32

Expert Comment

by:rsivanandan
ID: 21885610
You know what :-) I typed it in wrong;

>>access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
>>access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0

See, the access-list's first network address specifies the source and the second specifies the destination.

In the vpn connection, the source is 10.9.62.0/24 and destination should be 10.9.63.0/24.

So it should read;

access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0

My bad. Apologies.

Cheers,
Rajesh

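The direction rule rsivanandan states above is the one that bites most often on a pre-8.3 ASA: for `nat (inside) 0 access-list` the ACL is written from the inside interface's point of view (source = inside subnet, destination = the remote VPN pool), and the crypto ACL on the ASA side is written local-to-remote the same way. The checker below is an added example by the editor, not code from the thread or from Cisco. It parses a constructed, trimmed config modelled on the poster's third paste (with the ACLs in the reversed direction they had at that point) plus the same config with the ACLs flipped, and reports each VPN-relevant ACL as `ok`, `reversed` or `missing`. Only `extended permit ip` entries with `any`, `host` or address/mask endpoints are understood; `object-group` endpoints are not.

```python
"""Check that the nat (inside) 0 ACL and the dynamic crypto map ACL of an
ASA 7.x/8.0 remote-access VPN config run inside -> pool, as in the final
correction in this thread, rather than pool -> inside."""
import ipaddress

# Constructed, trimmed config modelled on the poster's third paste, with the
# two ACLs in the reversed direction they had before rsivanandan's correction.
REVERSED_CFG = """\
name 10.9.62.1 RDJServer
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.9.62.253 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
ip local pool ippool 10.9.63.1-10.9.63.100 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20
"""
# The same config with both ACLs flipped to inside -> pool.
CORRECTED_CFG = REVERSED_CFG.replace(
    "10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0",
    "10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0")


def net(addr, mask):
    """Build a network from an ASA 'address mask' pair (host bits are allowed)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_endpoint(tokens, names):
    """Consume one extended-ACL endpoint: 'any', 'host X', or 'A MASK'.
    object-group endpoints are not handled."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return net(names.get(tokens[1], tokens[1]), "255.255.255.255"), tokens[2:]
    return net(names.get(tokens[0], tokens[0]), tokens[1]), tokens[2:]


def parse_config(text):
    """Pull out the inside subnet, the VPN pool, the ACL bodies, and which ACLs
    are bound to nat 0 and to dynamic crypto map entries."""
    names, acls = {}, {}
    cfg = {"crypto_acls": [], "nat0_acl": None, "inside": None, "pool": None}
    ifc = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name" and len(t) == 3:          # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[0] == "interface":
            ifc = None
        elif t[0] == "nameif":
            ifc = t[1]
        elif t[:2] == ["ip", "address"] and ifc == "inside":
            cfg["inside"] = net(t[2], t[3])
        elif t[:3] == ["ip", "local", "pool"]:
            cfg["pool"] = net(t[4].split("-")[0], t[t.index("mask") + 1])
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = parse_endpoint(t[5:], names)
            dst, _ = parse_endpoint(rest, names)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:3] == ["nat", "(inside)", "0"] and len(t) > 4 and t[3] == "access-list":
            cfg["nat0_acl"] = t[4]
        elif t[:2] == ["crypto", "dynamic-map"] and "match" in t:
            cfg["crypto_acls"].append(t[t.index("address") + 1])
    cfg["acls"] = acls
    return cfg


def acl_direction(entries, local, remote):
    """'ok' if an entry carries local -> remote, 'reversed' if only remote -> local,
    otherwise 'missing'. 'any' on either side counts as covering."""
    if any(local.subnet_of(s) and remote.subnet_of(d) for s, d in entries):
        return "ok"
    if any(remote.subnet_of(s) and local.subnet_of(d) for s, d in entries):
        return "reversed"
    return "missing"


def check(text):
    """Map each VPN-relevant ACL (nat 0 and every dynamic-map match ACL) to a verdict."""
    cfg = parse_config(text)
    inside, pool = cfg["inside"], cfg["pool"]
    verdicts = {"nat0": acl_direction(cfg["acls"].get(cfg["nat0_acl"], []), inside, pool)}
    for name in cfg["crypto_acls"]:
        verdicts[f"crypto:{name}"] = acl_direction(cfg["acls"].get(name, []), inside, pool)
    return verdicts


if __name__ == "__main__":
    for label, text in (("as posted", REVERSED_CFG), ("corrected", CORRECTED_CFG)):
        print(label, check(text))
```

Run it against a full `show running-config` and the verdicts tell you whether the nat 0 exemption and the crypto ACL cover inside-to-pool before you start debugging IKE; a `missing` verdict on `nat0` is the usual cause of the 305005 message quoted earlier in the thread.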
 

Author Comment

by:Mark2234
ID: 21885936
With the above lines changed, I can now only see ICMP traffic when I ping a 10.9.63.X address from the client (there is no response because there are no machines on the lan with such an address).  No traffic to a 10.9.62.X address - including the inside interface of the ASA shows up in a ICMP trace.

Also, do I need the line:
access-list outside_cryptomap_dyn_20 extended permit udp 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 21886359
>>there is no response because there are no machines on the lan with such an address

I don't understand, you have your internal lan on this range right? (10.9.62.x) ? Your VPN Client would be on 10.9.63.x network. From that machine try pinging 10.9.62.x which is on the lan.

Yes, you don't need the acl for udp there.

If it still doesn't work. Can you post these things as below;

1. Your current config.

2. route print output from the client when it connected to VPN.

3. A traceroute to 10.9.62.x machine from the client when it is connected to VPN.

Post these here and I'll take a look at it tomorrow morning my time.

Cheers,
Rajesh
 

Author Comment

by:Mark2234
ID: 21886732
Hi Rajesh,

Thanks so much for helping out on this.  

You are correct by the way, the network behind the firewall is in the 10.9.62.0 /24 range, and the ippool for the VPN clients is in the 10.9.63.0 range.

The output of the route print is interesting:
Network Dest        Netmask              Gateway          Interface           Metric
         0.0.0.0          0.0.0.0          192.168.16.254   192.168.16.127     20
        10.9.62.0    255.255.255.0        10.9.63.1       10.9.63.50    100
        10.9.63.0    255.255.255.0         On-link        10.9.63.50    276
        10.9.63.0    255.255.255.0        10.9.63.1       10.9.63.50    100
       10.9.63.50  255.255.255.255         On-link        10.9.63.50    276
      10.9.63.255  255.255.255.255         On-link        10.9.63.50    276
     77.44.77.218  255.255.255.255   192.168.16.254   192.168.16.127    100
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.16.0    255.255.255.0         On-link    192.168.16.127    276
     192.168.16.1  255.255.255.255         On-link    192.168.16.127    100
   192.168.16.127  255.255.255.255         On-link    192.168.16.127    276
   192.168.16.255  255.255.255.255         On-link    192.168.16.127    276
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.16.127    277
        224.0.0.0        240.0.0.0         On-link        10.9.63.50    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.16.127    276
  255.255.255.255  255.255.255.255         On-link        10.9.63.50    276

A tracert to a 10.9.62.X address times out - which given the routing information isn't a surprise.

The current version of the code is below.

Thanks

Mark.
         
: Saved
:
ASA Version 8.0(3) 
!
hostname ciscoasa
domain-name original106.local
enable password 6jr.Xa4ijcMRJ2uX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.9.62.253 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 77.44.77.218 255.255.255.248 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name original106.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
 description Allow TCP inbound connections
 port-object eq smtp
 port-object eq pptp
 port-object eq https
 port-object eq www
 port-object eq echo
 port-object eq 3389
object-group protocol MyProtocolServices
 protocol-object gre
object-group service MyUDPConnections udp
 port-object range 4500 4500
 port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp 
access-list acl_out extended permit tcp any any eq ident 
access-list acl_out extended permit gre any any 
access-list acl_out extended permit tcp any any eq https 
access-list acl_out extended permit tcp any any eq pptp 
access-list acl_out extended permit tcp any eq 587 any eq smtp 
access-list acl_out extended permit udp any eq 587 any eq 25 
access-list acl_out extended permit tcp any any eq pop3 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit udp any any 
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0 
access-list OriginalSol_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0 
access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0 
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.50-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255 
route outside 0.0.0.0 0.0.0.0 77.44.77.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  svc ask none default svc
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 default-acl  unused
 reval-period 36000
 sq-period 300
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
  quit
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000 
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
 csd enable
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc profiles Default disk0:/dap.xml
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 pfs enable
 ipsec-udp enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value ippool
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask none default svc
  customization value DfltCustomization
group-policy OriginalSol internal
group-policy OriginalSol attributes
 wins-server value 10.9.62.1
 dns-server value 10.9.62.1
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OriginalSol_splitTunnelAcl
 default-domain value original106.local
username mark.robinson password fgfaddJl/KVjPIir encrypted privilege 0
username mark.robinson attributes
 vpn-group-policy OriginalSol
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group OriginalSol type remote-access
tunnel-group OriginalSol general-attributes
 address-pool ippool
 default-group-policy OriginalSol
tunnel-group OriginalSol ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
smtp-server 10.9.62.1
prompt hostname context 
Cryptochecksum:8bf74093ad45a9d90379655a7f7c9118
: end
LVL 6

Expert Comment

by:raptorjb007
ID: 21888381
You should change:

access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0

to:

no access-list outside_cryptomap_dyn_20 extended permit udp 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0

Specifically, this removes the "permit udp" line in the ACL, as the "permit ip" line already includes UDP. Also, I had to reverse the order of the subnets in your cryptomap and nat0 ACLs. The first subnet should always be the inside VLAN on your ASA and the second subnet the ippool of the VPN. rsivanandan stated this in a previous post but it is easy to miss.

I would also suggest you remove the ippool subnet from the OriginalSol_splitTunnelAcl access-list.

no access-list OriginalSol_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0

You already have the "sysopt connection permit-vpn" and RRI (set reverse-route) configured. Beyond that and the changes rsivanandan suggested (reversing the subnets in the ACLs) I do not see any misconfiguration.

Please make these changes, test and repost your config. If it does not work at that point I will see about setting up a test lab environment to test this.

Below is a summary of the suggested config changes:
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0 
no access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0 
no access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0 
no access-list OriginalSol_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0 
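The direction rule both rsivanandan and raptorjb007 give above (inside LAN first, VPN pool second), together with the redundant "permit udp" entry and the pool sitting in the split-tunnel list, can be turned into a mechanical check over the config. The script below is an added example and is not code from either post; the ACL names, the two config fragments and the line patterns it parses are assumptions modelled on the thread's config.

```python
"""Consistency check for an ASA remote-access VPN: the nat 0 ACL and the crypto
ACL must list the inside LAN as source and the VPN pool as destination."""
import ipaddress
import re

# Constructed fragment reproducing the thread's original mistake; not the
# poster's real config, only the lines the check needs.
BROKEN_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.9.62.253 255.255.255.0
ip local pool ippool 10.9.63.50-10.9.63.100 mask 255.255.255.0
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list OriginalSol_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

# The same fragment after the corrections given in the thread.
FIXED_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.9.62.253 255.255.255.0
ip local pool ippool 10.9.63.50-10.9.63.100 mask 255.255.255.0
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

# Assumed line shapes; only subnet/mask ACEs are handled (no 'any' or 'host').
EXT_ACE = re.compile(r"^access-list (\S+) extended permit (\S+) (\S+) (\S+) (\S+) (\S+)\s*$")
STD_ACE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)\s*$")
POOL = re.compile(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)\s*$")
NAT0 = re.compile(r"^nat \(inside\) 0 access-list (\S+)\s*$")


def net(addr, mask):
    # Subnet for an address/mask pair; host bits are dropped.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def inside_network(cfg):
    """Subnet of the interface whose nameif is 'inside'."""
    in_inside = False
    for line in cfg.splitlines():
        if line.startswith("interface "):
            in_inside = False
        elif line.strip() == "nameif inside":
            in_inside = True
        elif in_inside and line.strip().startswith("ip address "):
            _, _, addr, mask = line.split()
            return net(addr, mask)
    raise ValueError("no inside interface address found")


def pool_network(cfg):
    """Subnet covering the first 'ip local pool'."""
    for line in cfg.splitlines():
        m = POOL.match(line)
        if m:
            return net(m.group(1), m.group(2))
    raise ValueError("no ip local pool found")


def extended_aces(cfg, name):
    """(protocol, source, destination) for every extended permit in ACL `name`."""
    aces = []
    for line in cfg.splitlines():
        m = EXT_ACE.match(line)
        if m and m.group(1) == name:
            aces.append((m.group(2), net(m.group(3), m.group(4)), net(m.group(5), m.group(6))))
    return aces


def check_vpn_acls(cfg, crypto_acl="outside_cryptomap_dyn_20", split_acl="OriginalSol_splitTunnelAcl"):
    """Return a list of findings; an empty list means the ACLs are consistent."""
    inside, pool = inside_network(cfg), pool_network(cfg)
    findings = []
    nat0 = next((m.group(1) for m in map(NAT0.match, cfg.splitlines()) if m), None)
    if nat0 is None:
        findings.append("no 'nat (inside) 0 access-list' statement")
    for name in [n for n in (nat0, crypto_acl) if n]:
        aces = extended_aces(cfg, name)
        if not aces:
            findings.append(f"{name}: ACL missing or has no subnet-to-subnet permit entries")
        protos = {proto for proto, _, _ in aces}
        if "ip" in protos and protos != {"ip"}:
            findings.append(f"{name}: protocol-specific entries are redundant next to 'permit ip'")
        for proto, src, dst in aces:
            if src == pool and dst == inside:
                findings.append(f"{name}: permit {proto} is reversed (want {inside} -> {pool})")
            elif src != inside or dst != pool:
                findings.append(f"{name}: permit {proto} {src} -> {dst} is not inside -> pool")
    for line in cfg.splitlines():
        m = STD_ACE.match(line)
        if m and m.group(1) == split_acl and net(m.group(2), m.group(3)) == pool:
            findings.append(f"{split_acl}: VPN pool {pool} should not be in the split-tunnel list")
    return findings
```

Run `check_vpn_acls` on a saved `show running-config` to get the five findings for the broken fragment and none for the corrected one.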

LVL 32

Expert Comment

by:rsivanandan
ID: 21889086
Mark,
 
  You still have the access-list wrong. It is not as I asked you to do it.

It should read as below:

access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0

Just do this: copy and paste the lines below;

no access-list outside_cryptomap_dyn_20
no access-list inside_nat0_outbound
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0

and do a save.

After that try connecting.

Cheers,
Rajesh



Author Comment

by:Mark2234
ID: 21897231
Hi,

I have changed the lines as suggested, but am still getting the same results.  I can ping and get a response from the inside interface of the ASA, but cannot get a response from anything on the LAN inside the firewall.  I have also tried connecting to a machine inside, just in case pings were not allowed, but with no luck.

The config is below showing the changes, and the route print is also attached.

Your help is really appreciated.

Thanks

Mark.


IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     77.102.238.1    77.102.238.79     20
        10.9.62.0    255.255.255.0        10.9.63.1       10.9.63.50    100
        10.9.63.0    255.255.255.0        10.9.63.1       10.9.63.50    100
       10.9.63.50  255.255.255.255         On-link        10.9.63.50    276
    62.30.112.122  255.255.255.255     77.102.238.1    77.102.238.79    100
     77.44.77.218  255.255.255.255     77.102.238.1    77.102.238.79    100
     77.102.238.0    255.255.255.0         On-link     77.102.238.79    276
    77.102.238.79  255.255.255.255         On-link     77.102.238.79    276
   77.102.238.255  255.255.255.255         On-link     77.102.238.79    276
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     77.102.238.79    277
        224.0.0.0        240.0.0.0         On-link        10.9.63.50    276
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     77.102.238.79    276
  255.255.255.255  255.255.255.255         On-link        10.9.63.50    276
: Saved
:
ASA Version 8.0(3) 
!
hostname ciscoasa
domain-name XX.local
enable password 6jr.Xa4ijcMRJ2uX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.9.62.253 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.218 255.255.255.248 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name original106.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
 description Allow TCP inbound connections
 port-object eq smtp
 port-object eq pptp
 port-object eq https
 port-object eq www
 port-object eq echo
 port-object eq 3389
object-group protocol MyProtocolServices
 protocol-object gre
object-group service MyUDPConnections udp
 port-object range 4500 4500
 port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp 
access-list acl_out extended permit tcp any any eq ident 
access-list acl_out extended permit gre any any 
access-list acl_out extended permit tcp any any eq https 
access-list acl_out extended permit tcp any any eq pptp 
access-list acl_out extended permit tcp any eq 587 any eq smtp 
access-list acl_out extended permit udp any eq 587 any eq 25 
access-list acl_out extended permit tcp any any eq pop3 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit udp any any 
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0 
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.50-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255 
route outside 0.0.0.0 0.0.0.0 XX.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  svc ask none default svc
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 default-acl  unused
 reval-period 36000
 sq-period 300
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
  quit
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000 
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
 csd enable
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc profiles Default disk0:/dap.xml
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 pfs enable
 ipsec-udp enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value ippool
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask none default svc
  customization value DfltCustomization
group-policy OriginalSol internal
group-policy OriginalSol attributes
 wins-server value 10.9.62.1
 dns-server value 10.9.62.1
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OriginalSol_splitTunnelAcl
 default-domain value original106.local
username mark.robinson password fgfaddJl/KVjPIir encrypted privilege 0
username mark.robinson attributes
 vpn-group-policy OriginalSol
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group OriginalSol type remote-access
tunnel-group OriginalSol general-attributes
 address-pool ippool
 default-group-policy OriginalSol
tunnel-group OriginalSol ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
smtp-server 10.9.62.1
prompt hostname context 
Cryptochecksum:8bf74093ad45a9d90379655a7f7c9118
: end
LVL 32

Expert Comment

by:rsivanandan
ID: 21897447
>>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

Shouldn't the above be;

crypto map outside_map 65535 ipsec-isakmp dynamic outside_cryptomap_dyn_20?

Cheers,
Rajesh

Author Comment

by:Mark2234
ID: 21898300
I see what you mean.  I changed the access list name instead so that they now match.  Although I now realise I have an access list and a crypto map with the same name - would this cause any issues?

I still can't get access inside the lan, or get ping responses - Any other mistakes that you can see?

Thanks

Mark.

: Saved
:
ASA Version 8.0(3) 
!
hostname ciscoasa
domain-name original106.local
enable password 6jr.Xa4ijcMRJ2uX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.9.62.253 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 77.44.77.218 255.255.255.248 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name original106.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
 description Allow TCP inbound connections
 port-object eq smtp
 port-object eq pptp
 port-object eq https
 port-object eq www
 port-object eq echo
 port-object eq 3389
object-group protocol MyProtocolServices
 protocol-object gre
object-group service MyUDPConnections udp
 port-object range 4500 4500
 port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp 
access-list acl_out extended permit tcp any any eq ident 
access-list acl_out extended permit gre any any 
access-list acl_out extended permit tcp any any eq https 
access-list acl_out extended permit tcp any any eq pptp 
access-list acl_out extended permit tcp any eq 587 any eq smtp 
access-list acl_out extended permit udp any eq 587 any eq 25 
access-list acl_out extended permit tcp any any eq pop3 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit udp any any 
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0 
access-list outside_dyn_map extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.50-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255 
route outside 0.0.0.0 0.0.0.0 77.44.77.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  svc ask none default svc
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 default-acl  unused
 reval-period 36000
 sq-period 300
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn ciscoasa
 subject-name CN=ciscoasa
 no client-types
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
  quit
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000 
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
 csd enable
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc profiles Default disk0:/dap.xml
 svc enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc 
 pfs enable
 ipsec-udp enable
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value ippool
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc ask none default svc
  customization value DfltCustomization
group-policy OriginalSol internal
group-policy OriginalSol attributes
 wins-server value 10.9.62.1
 dns-server value 10.9.62.1
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value OriginalSol_splitTunnelAcl
 default-domain value original106.local
username mark.robinson password fgfaddJl/KVjPIir encrypted privilege 0
username mark.robinson attributes
 vpn-group-policy OriginalSol
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group OriginalSol type remote-access
tunnel-group OriginalSol general-attributes
 address-pool ippool
 default-group-policy OriginalSol
tunnel-group OriginalSol ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
smtp-server 10.9.62.1
prompt hostname context 
Cryptochecksum:878796cb1963a1bc07b80651ccc7ff4c
: end
asdm image disk0:/asdm-603.bin
no asdm history enable


Author Comment

by:Mark2234
ID: 21901138
I have done a bit more investigation on this, and things are slightly better than before.

When running an ICMP trace on the firewall, I can see incoming pings to machines on the LAN, coming from the VPN client, but there are no replies. As before, I get a response from pinging the inside interface of the firewall from the VPN client.

Does this indicate a further issue with the cryptomap routing?

Thanks so much for your help on this, it is really appreciated.
LVL 6

Expert Comment

by:raptorjb007
ID: 21901219
Are there any software firewalls enabled on the clients?

Author Comment

by:Mark2234
ID: 21901362
Each time I try a revised configuration I make sure I try it with the client firewall turned off.
LVL 32

Expert Comment

by:rsivanandan
ID: 21904478
The internal machines have the ASA as their default gateway, right? If true, then on the ASA run this command:

show running-config sysopt

to see if proxy ARP is disabled.

Proxy ARP is used for the return traffic.

Cheers,
Rajesh

Author Comment

by:Mark2234
ID: 21905789
Thanks Rajesh,

Proxy ARP wasn't disabled.  I cleared the ARP cache as a Cisco connection troubleshooting guide suggested, but still no difference.

Thanks

Mark.
LVL 32

Expert Comment

by:rsivanandan
ID: 21906094
Still can you post the output of that command?

Cheers,
Rajesh

Author Comment

by:Mark2234
ID: 21906213
Here it is:

ciscoasa# sh running-config sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
no sysopt connection reclassify-vpn
LVL 32

Expert Comment

by:rsivanandan
ID: 21907979
Hmm. I'm stumped. That is all you need for this to work:

>>access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0

The split-tunnel ACL, if you're using it, should be as below:

access-list OriginalSol_splitTunnelAcl extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0

That is all that is needed.

Cheers,
Rajesh
LVL 32

Expert Comment

by:rsivanandan
ID: 21908000
Also, just try this once again:

no crypto isakmp enable outside
crypto isakmp enable outside


and see if that makes any difference (it only disables and enables it again).

Cheers,
Rajesh
LVL 6

Expert Comment

by:raptorjb007
ID: 21977587
Any updates to this situation?

Accepted Solution

by:Mark2234 earned 0 total points
ID: 23338222
The problem revolved around a small workgroup of computers that were also attached to the internal LAN using the IP address range that I had allocated to the VPN pool.  This was obviously causing routing issues.  Once I tried a range outside that used by the LAN and the workgroup, everything worked as it should have done from the beginning.
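As an added example (not code from the thread or from Cisco), a small Python check that parses the `ip address` and `ip local pool` lines of an ASA configuration and flags a VPN pool that overlaps a directly connected subnet, or a subnet you supply from inventory, such as the workgroup in the accepted answer. The sample config is constructed; the thread never shows the real `ip local pool` line, so that line is an assumption, and the outside address uses a documentation prefix in place of the masked XX.XX.XX.218.

```python
import ipaddress
import re

# Constructed sample of the relevant ASA lines. The "ip local pool" line is
# an assumption (the thread never shows it) and the outside address uses a
# documentation prefix in place of the masked XX.XX.XX.218.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.9.62.253 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.0.2.218 255.255.255.248
interface Vlan3
 no ip address
ip local pool ippool 10.9.62.200-10.9.62.220 mask 255.255.255.0
"""

IFACE_RE = re.compile(r"^\s*ip address (\S+) (\S+)", re.M)
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)

def interface_networks(config):
    """Subnets directly connected to the ASA, from its 'ip address' lines."""
    return [ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            for ip, mask in IFACE_RE.findall(config)]

def pool_ranges(config):
    """{pool_name: (first_address, last_address)} from 'ip local pool'."""
    return {name: (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            for name, lo, hi in POOL_RE.findall(config)}

def overlapping_pools(config, extra_networks=()):
    """Return (pool, network) pairs where a VPN pool touches a LAN subnet.

    extra_networks lists subnets the ASA cannot see on its own interfaces,
    e.g. the workgroup plugged into the inside LAN in the accepted answer.
    Either kind of overlap gives the thread's symptom: client packets reach
    the LAN but replies never come back through the tunnel.
    """
    nets = interface_networks(config)
    nets += [ipaddress.ip_network(n) for n in extra_networks]
    findings = []
    for name, (lo, hi) in pool_ranges(config).items():
        for net in nets:
            if net.version != lo.version:
                continue  # never compare an IPv4 pool against an IPv6 subnet
            if lo in net or hi in net or (lo <= net[0] and net[-1] <= hi):
                findings.append((name, str(net)))
    return findings
```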
