Mark2234
asked on
Cisco ASA 5505 VPN connection not providing outbound data to VPN client
I have a Cisco ASA 5505 Firewall installed and am trying to establish a VPN connection using the Cisco VPN client.
The VPN client connects ok, and the client shows outbound data. The ASA shows incoming data. However, there is no outbound data from the ASA to the client.
I have spent the day on this trying various suggestions that I found on the web, but have made no progress. I have attached the config below, and any help would be gratefully received.
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name XX.local
enable password XX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
nameif inside
security-level 100
ip address 10.9.62.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.XX.XX.218 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name XX.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
description Allow TCP inbound connections
port-object eq smtp
port-object eq pptp
port-object eq https
port-object eq www
port-object eq echo
port-object eq 3389
object-group protocol MyProtocolServices
protocol-object gre
object-group service MyUDPConnections udp
port-object range 4500 4500
port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq ident
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit tcp any any eq pptp
access-list acl_out extended permit tcp any eq 587 any eq smtp
access-list acl_out extended permit udp any eq 587 any eq 25
access-list acl_out extended permit tcp any any eq pop3
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list RemoteWorker_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list RemoteWorker_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list RemWorker_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0
access-list RemWorker_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list outside_access_in extended permit udp any any
access-list outside_cryptomap_dyn_20 extended permit ip any 10.9.63.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.1-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XX.XX.XX.218 smtp RDJServer smtp netmask 255.255.255.255
static (inside,outside) tcp interface https RDJServer https netmask 255.255.255.255
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs enable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy RemWorker internal
group-policy RemWorker attributes
wins-server value 10.9.62.1
dns-server value 10.9.62.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemWorker_splitTunnelAcl
default-domain value original106.local
username RobinM20 password yfCCyLP1t45Wo2.6 encrypted privilege 0
username RobinM20 attributes
vpn-group-policy RemWorker
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group RemWorker type ipsec-ra
tunnel-group RemWorker general-attributes
address-pool ippool
default-group-policy RemWorker
tunnel-group RemWorker ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:bd1ee9e07a62ac604bca2a66f68cb8f6
: end
asdm image disk0:/asdm-523.bin
no asdm history enable
ASKER
Still the same with this command in. Traffic in one direction only from VPN client to ASA, but not back.
Thanks for the suggestion though.
Looks like you need to enable RRI(Reverse route injection) to add routes to the VPN clients.
crypto dynamic-map outside_dyn_map 20 set reverse-route
ASKER
I think I'd tried this before, but still no luck. Also, with previous PIX devices, the sysopt connection permit-ipsec that you suggested has worked, but on the ASA, although the command looks to have been accepted, it doesn't show up in the sh conf - is this normal?
Since a few lines have changed, I have attached the current sh conf.
: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name XX.local
enable password 6jr.Xa4ijcMRJ2uX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
nameif inside
security-level 100
ip address 10.9.62.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.218 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name XX.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
description Allow TCP inbound connections
port-object eq smtp
port-object eq pptp
port-object eq https
port-object eq www
port-object eq echo
port-object eq 3389
object-group protocol MyProtocolServices
protocol-object gre
object-group service MyUDPConnections udp
port-object range 4500 4500
port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq ident
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit tcp any any eq pptp
access-list acl_out extended permit tcp any eq 587 any eq smtp
access-list acl_out extended permit udp any eq 587 any eq 25
access-list acl_out extended permit tcp any any eq pop3
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list RemoteWorker_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list RemoteWorker_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list RemWorker_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0
access-list RemWorker_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.9.63.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit udp any 10.9.63.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.1-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp XX.218 smtp RDJServer smtp netmask 255.255.255.255
static (inside,outside) tcp interface https RDJServer https netmask 255.255.255.255
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 XX.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs enable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy RemWorker internal
group-policy RemWorker attributes
wins-server value 10.9.62.1
dns-server value 10.9.62.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemWorker_splitTunnelAcl
default-domain value XX.local
username RobinM20 password yfCCyLP1t45Wo2.6 encrypted privilege 0
username RobinM20 attributes
vpn-group-policy RemWorker
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group RemWorker type ipsec-ra
tunnel-group RemWorker general-attributes
address-pool ippool
default-group-policy RemWorker
tunnel-group RemWorker ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:7f8523b477fde0a86d57e5428e76c008
: end
asdm image disk0:/asdm-523.bin
no asdm history enable
It should definitely show, has on all my ASA devices. Definitely odd, perhaps it's worth a software update to 8.x.
ASKER
After a bit of a fight, I have upgraded the ASA to version 8.03, and the ASDM to version 6.03. I still have the same VPN connection problem, and still cannot see the sysopt connection permit-ipsec command, although it is accepted without errors when entered in the CLI.
Is there anything else I could try / could have missed?
Thanks in advance
I am having the exact same problem. Have you made any progress?
ASKER
I've still had no luck with this problem. I'll spend some more time on it tomorrow, but if anyone does have any suggestions it would be great.
My mistake, it's not displayed in "sh run" but in "sh run sysopt" instead.
for version 8.x try using "sysopt connection permit-vpn"
Let me know if that works as I see RRI is also now enabled.
ASKER
Thanks for that.
A sh run sysopt gives the following confirmation that sysopt connection permit-vpn was already in there.
ciscoasa# sh run sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
no sysopt connection reclassify-vpn
Do I need to enable any of the other commands?
Also, it must be related, but in the ASDM log I see the following error after connecting the VPN, and also when I try and send any data over the VPN.
IKE Initiator unable to find policy: Intf outside Src 10.9.63.1 Dst: 10.9.63.255
Does this help point us in the right direction?
I was able to get the VPN working in a non-conventional way. I created a VPN IP pool that was within our inside network, and now it is working... however, I had the exact config on an ASA 5510 and VPN worked fine... *shrug*
That's definitely odd. Glad it's working for now. I will still look into this once I get some spare time. So you can leave this open for now.
ASKER
Changing my ippool to have a range from the internal network didn't help me. I still am unable to get two way communication, and am getting very frustrated by this.
Please help!!!
>>access-list outside_cryptomap_dyn_20 extended permit ip any 10.9.63.0 255.255.255.0
>>access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
Change the above to the following:
access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
Then you should be good to go. I'm going to assume that your ip pool still is 10.9.62.0/24
Cheers,
Rajesh
Thanks for the review rsivanandan,
It seems I had overlooked the nat0 and crypto map access-lists.
ASKER
Thanks Rajesh,
Still no luck. I've attached the current config again just in case I've stupidly changed anything along the way.
I'm still seeing the ASDM syslog message "No translation group found for udp src outside:10.9.63.1/55161 dst inside: RDJServer/53"
From the client, I am able to ping and get a reply from the inside interface of the ASA but an ICMP trace shows no activity either way when pinging a device inside the firewall.
Is there anything else that could be causing this?
Thanks
Mark
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name original106.local
enable password 6jr.Xa4ijcMRJ2uX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
nameif inside
security-level 100
ip address 10.9.62.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 77.44.77.218 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name original106.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
description Allow TCP inbound connections
port-object eq smtp
port-object eq pptp
port-object eq https
port-object eq www
port-object eq echo
port-object eq 3389
object-group protocol MyProtocolServices
protocol-object gre
object-group service MyUDPConnections udp
port-object range 4500 4500
port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq ident
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit tcp any any eq pptp
access-list acl_out extended permit tcp any eq 587 any eq smtp
access-list acl_out extended permit udp any eq 587 any eq 25
access-list acl_out extended permit tcp any any eq pop3
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list OriginalSol_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.1-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 77.44.77.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask none default svc
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
default-acl unused
reval-period 36000
sq-period 300
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn ciscoasa
subject-name CN=ciscoasa
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
308201cc 30820135 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
2c311130 0f060355 04031308 63697363 6f617361 31173015 06092a86 4886f70d
01090216 08636973 636f6173 61301e17 0d303830 36323232 31343031 365a170d
31383036 32303231 34303136 5a302c31 11300f06 03550403 13086369 73636f61
73613117 30150609 2a864886 f70d0109 02160863 6973636f 61736130 819f300d
06092a86 4886f70d 01010105 0003818d 00308189 02818100 b2d34eae a32556ad
2b9d1747 63aef9a7 aa2d8f42 b2579008 12d0ee99 4629b3d3 42219061 cbb13013
abc856f0 e1e685cc 83e8789c fd42c820 84304924 8a4ff377 3e3d2dfd 44c69dfa
41a53007 5f145916 ce9eaeac ec37a3d0 362d45a5 661ed30e dbe4ee8b cb718083
365756e1 7e5dd819 956e9de2 cd6c4199 bd5a9ee4 1751a613 02030100 01300d06
092a8648 86f70d01 01040500 03818100 3783b827 489193e6 4b769a50 8d827b77
0802b366 e0f7d8d5 0fa6cb77 d9e97347 c4c8689d d6a44e08 8571033e f27afa13
8c716e0e 8ef7e65a 0d16c99b 0d4714d3 82e31e77 91ed7eec 3d56924e 2d8d21a4
9fd4af14 1df0a0bd e7280b2b c919cfa5 7114ba7a fbe8d9ad 1fc01d0a 1795e637
df70fb44 81c5c720 f538604e 8ab43cb3
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
csd enable
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc profiles Default disk0:/dap.xml
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
pfs enable
ipsec-udp enable
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value ippool
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc ask none default svc
customization value DfltCustomization
group-policy OriginalSol internal
group-policy OriginalSol attributes
wins-server value 10.9.62.1
dns-server value 10.9.62.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value original106.local
username mark.robinson password fgfaddJl/KVjPIir encrypted privilege 0
username mark.robinson attributes
vpn-group-policy OriginalSol
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group OriginalSol type remote-access
tunnel-group OriginalSol general-attributes
address-pool ippool
default-group-policy OriginalSol
tunnel-group OriginalSol ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 10.9.62.1
prompt hostname context
Cryptochecksum:a088edeaa67e0acbf566a130bc23e19f
: end
asdm image disk0:/asdm-603.bin
no asdm history enable
You know what :-) I typed it in wrong;
>>access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
>>access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
See, the access-list's first network address specifies the source and the second specifies the destination.
In the VPN connection, the source is 10.9.62.0/24 and the destination should be 10.9.63.0/24.
So it should read:
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
My bad. Apologies.
Cheers,
Rajesh
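As an added example (not code from this thread, from Cisco, or from the ASA itself): a small Python checker that parses the two access-lists Rajesh is talking about and reports whether each is written in the direction he describes, LAN as source and VPN pool as destination. The sample ACL lines are constructed from the addresses used in the thread (the reversed pair posted first, and the corrected pair); the function names and the ok/reversed/mismatch/missing labels are my own.

```python
"""Sanity-check the direction of an ASA NAT-exempt (nat 0) ACL and the
dynamic crypto-map ACL used for a remote-access VPN.

Added example, not code from the original thread. The ACL lines below
are constructed from the addresses used in the thread; the function and
parameter names are my own.
"""
import ipaddress

# Constructed sample: the reversed lines posted first in the thread.
REVERSED_ACLS = """
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
"""
# Constructed sample: the corrected lines, plus the redundant udp entry.
CORRECT_ACLS = """
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit udp 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
"""


def _parse_addr(tokens, i):
    """Consume one ASA address spec starting at tokens[i].

    Accepts 'any', 'host A.B.C.D' and 'NETWORK MASK'; returns (network, next_index).
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse one extended access-list entry; return None for any other line."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        return None
    name, action, proto = tokens[1], tokens[3], tokens[4]
    src, i = _parse_addr(tokens, 5)
    dst, i = _parse_addr(tokens, i)
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst}


def check_vpn_acls(config_text, lan, pool,
                   nat0_name="inside_nat0_outbound",
                   crypto_name="outside_cryptomap_dyn_20"):
    """Classify the 'permit ip' entry of each ACL as ok/reversed/mismatch/missing.

    'ok' means the entry runs from the LAN (source) towards the VPN pool
    (destination); 'reversed' means the two networks were swapped, which is
    the mistake the thread ran into.
    """
    lan = ipaddress.ip_network(lan)
    pool = ipaddress.ip_network(pool)
    results = {}
    for line in config_text.splitlines():
        ace = parse_ace(line.strip())
        if ace is None or ace["name"] not in (nat0_name, crypto_name):
            continue
        if ace["proto"] != "ip" or ace["action"] != "permit":
            continue  # a separate udp/tcp entry adds nothing once the ip entry is right
        forward = lan.subnet_of(ace["src"]) and pool.subnet_of(ace["dst"])
        reverse = pool.subnet_of(ace["src"]) and lan.subnet_of(ace["dst"])
        results[ace["name"]] = "ok" if forward else ("reversed" if reverse else "mismatch")
    for name in (nat0_name, crypto_name):
        results.setdefault(name, "missing")
    return results


if __name__ == "__main__":
    for label, text in (("reversed", REVERSED_ACLS), ("corrected", CORRECT_ACLS)):
        print(label, check_vpn_acls(text, "10.9.62.0/24", "10.9.63.0/24"))
```

Feed it the output of "sh run access-list" together with the LAN and pool networks; an "any" source on the crypto ACL (as in the very first config) still counts as ok because the LAN is contained in it, while a swapped pair comes back as "reversed".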
ASKER
With the above lines changed, I can now only see ICMP traffic when I ping a 10.9.63.X address from the client (there is no response because there are no machines on the LAN with such an address). No traffic to a 10.9.62.X address, including the inside interface of the ASA, shows up in an ICMP trace.
Also, do I need the line:
access-list outside_cryptomap_dyn_20 extended permit udp 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
>>there is no response because there are no machines on the lan with such an address
I don't understand; you have your internal LAN on this range (10.9.62.x), right? Your VPN client would be on the 10.9.63.x network. From that machine try pinging 10.9.62.x, which is on the LAN.
Yes you don't need the acl for udp there.
If it still doesn't work, can you post these things as below:
1. Your current config.
2. route print output from the client when it is connected to the VPN.
3. A traceroute to 10.9.62.x machine from the client when it is connected to VPN.
Post these here and I'll take a look at it tomorrow morning my time.
Cheers,
Rajesh
ASKER
Hi Rajesh,
Thanks so much for helping out on this.
You are correct by the way, the network behind the firewall is in the 10.9.62.0 /24 range, and the ippool for the VPN clients is in the 10.9.63.0 range.
The output of the route print is interesting:
Network Dest Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.16.254 192.168.16.127 20
10.9.62.0 255.255.255.0 10.9.63.1 10.9.63.50 100
10.9.63.0 255.255.255.0 On-link 10.9.63.50 276
10.9.63.0 255.255.255.0 10.9.63.1 10.9.63.50 100
10.9.63.50 255.255.255.255 On-link 10.9.63.50 276
10.9.63.255 255.255.255.255 On-link 10.9.63.50 276
77.44.77.218 255.255.255.255 192.168.16.254 192.168.16.127 100
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.16.0 255.255.255.0 On-link 192.168.16.127 276
192.168.16.1 255.255.255.255 On-link 192.168.16.127 100
192.168.16.127 255.255.255.255 On-link 192.168.16.127 276
192.168.16.255 255.255.255.255 On-link 192.168.16.127 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.16.127 277
224.0.0.0 240.0.0.0 On-link 10.9.63.50 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.16.127 276
255.255.255.255 255.255.255.255 On-link 10.9.63.50 276
A tracert to a 10.9.62.X address times out - which given the routing information isn't a surprise.
The current version of the code is below.
Thanks
Mark.
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name original106.local
enable password 6jr.Xa4ijcMRJ2uX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
nameif inside
security-level 100
ip address 10.9.62.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 77.44.77.218 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name original106.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
description Allow TCP inbound connections
port-object eq smtp
port-object eq pptp
port-object eq https
port-object eq www
port-object eq echo
port-object eq 3389
object-group protocol MyProtocolServices
protocol-object gre
object-group service MyUDPConnections udp
port-object range 4500 4500
port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq ident
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit tcp any any eq pptp
access-list acl_out extended permit tcp any eq 587 any eq smtp
access-list acl_out extended permit udp any eq 587 any eq 25
access-list acl_out extended permit tcp any any eq pop3
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list OriginalSol_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.50-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 77.44.77.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask none default svc
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
default-acl unused
reval-period 36000
sq-period 300
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn ciscoasa
subject-name CN=ciscoasa
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
csd enable
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc profiles Default disk0:/dap.xml
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
pfs enable
ipsec-udp enable
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value ippool
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc ask none default svc
customization value DfltCustomization
group-policy OriginalSol internal
group-policy OriginalSol attributes
wins-server value 10.9.62.1
dns-server value 10.9.62.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value OriginalSol_splitTunnelAcl
default-domain value original106.local
username mark.robinson password fgfaddJl/KVjPIir encrypted privilege 0
username mark.robinson attributes
vpn-group-policy OriginalSol
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group OriginalSol type remote-access
tunnel-group OriginalSol general-attributes
address-pool ippool
default-group-policy OriginalSol
tunnel-group OriginalSol ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
smtp-server 10.9.62.1
prompt hostname context
Cryptochecksum:8bf74093ad45a9d90379655a7f7c9118
: end
asdm image disk0:/asdm-603.bin
no asdm history enable
You should change:
access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
to:
no access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
Specifically, this removes the "permit udp" line in the ACL, as the "permit ip" line includes UDP. Also, I had to reverse the order of the subnets in your cryptomap and nat0 ACLs. The first subnet should always be the inside VLAN on your ASA and the second subnet the ippool of the VPN. rsivanandan stated this in a previous post but it is easy to miss.
I would also suggest you remove the ippool subnet from the OriginalSol_splitTunnelAcl access-list.
no access-list OriginalSol_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0
You already have the "sysopt connection permit-vpn" and RRI (set reverse-route) configured. Beyond that and the changes rsivanandan suggested (reversing the subnets in the ACLs) I do not see any misconfiguration.
Please make these changes, test and repost your config. If it does not work at that point I will see about setting up a test lab environment to test this.
Below is a summary of the suggested config changes:
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
no access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
no access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
no access-list OriginalSol_splitTunnelAcl standard permit 10.9.63.0 255.255.255.0
Mark,
You still have the access-list wrong. It is not as I asked you to do it;
It should read the below;
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
Just do this; copy and paste the below;
no access-list outside_cryptomap_dyn_20
no access-list inside_nat0_outbound
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
and do a save.
After that try connecting.
Cheers,
Rajesh
ASKER
Hi,
I have changed the lines as suggested, but am still getting the same results. I can ping and get a response from the inside interface of the ASA, but cannot get a response from anything on the LAN inside the firewall. I have also tried connecting to a machine inside, just in case pings were not allowed, but with no luck.
The config is below showing the changes, and the route print is also attached.
Your help is really appreciated.
Thanks
Mark.
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 77.102.238.1 77.102.238.79 20
10.9.62.0 255.255.255.0 10.9.63.1 10.9.63.50 100
10.9.63.0 255.255.255.0 10.9.63.1 10.9.63.50 100
10.9.63.50 255.255.255.255 On-link 10.9.63.50 276
62.30.112.122 255.255.255.255 77.102.238.1 77.102.238.79 100
77.44.77.218 255.255.255.255 77.102.238.1 77.102.238.79 100
77.102.238.0 255.255.255.0 On-link 77.102.238.79 276
77.102.238.79 255.255.255.255 On-link 77.102.238.79 276
77.102.238.255 255.255.255.255 On-link 77.102.238.79 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 77.102.238.79 277
224.0.0.0 240.0.0.0 On-link 10.9.63.50 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 77.102.238.79 276
255.255.255.255 255.255.255.255 On-link 10.9.63.50 276
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name XX.local
enable password 6jr.Xa4ijcMRJ2uX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
nameif inside
security-level 100
ip address 10.9.62.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XX.218 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name original106.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
description Allow TCP inbound connections
port-object eq smtp
port-object eq pptp
port-object eq https
port-object eq www
port-object eq echo
port-object eq 3389
object-group protocol MyProtocolServices
protocol-object gre
object-group service MyUDPConnections udp
port-object range 4500 4500
port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq ident
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit tcp any any eq pptp
access-list acl_out extended permit tcp any eq 587 any eq smtp
access-list acl_out extended permit udp any eq 587 any eq 25
access-list acl_out extended permit tcp any any eq pop3
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.50-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 XX.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask none default svc
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
default-acl unused
reval-period 36000
sq-period 300
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn ciscoasa
subject-name CN=ciscoasa
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
csd enable
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc profiles Default disk0:/dap.xml
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
pfs enable
ipsec-udp enable
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value ippool
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc ask none default svc
customization value DfltCustomization
group-policy OriginalSol internal
group-policy OriginalSol attributes
wins-server value 10.9.62.1
dns-server value 10.9.62.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value OriginalSol_splitTunnelAcl
default-domain value original106.local
username mark.robinson password fgfaddJl/KVjPIir encrypted privilege 0
username mark.robinson attributes
vpn-group-policy OriginalSol
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group OriginalSol type remote-access
tunnel-group OriginalSol general-attributes
address-pool ippool
default-group-policy OriginalSol
tunnel-group OriginalSol ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
smtp-server 10.9.62.1
prompt hostname context
Cryptochecksum:8bf74093ad45a9d90379655a7f7c9118
: end
asdm image disk0:/asdm-603.bin
no asdm history enable
>>crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
Shouldn't the above be;
crypto map outside_map 65535 ipsec-isakmp dynamic outside_cryptomap_dyn_20?
Cheers,
Rajesh
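As an added example (not code from this thread, from Cisco, or from either expert), here is a small Python lint for the two things the thread keeps coming back to: that every entry in the nat0 and crypto ACLs reads inside subnet first and VPN pool second (with the `no` form repeating the existing entry verbatim, as the summary post above does), and that every ACL and dynamic-map name is both defined and actually referenced somewhere, which is the naming question raised about `outside_cryptomap_dyn_20` just above. The config excerpt is constructed from the lines posted in the thread; the LAN interface is assumed to carry the nameif `inside`.

```python
"""Lint an ASA 8.0-style config for the two issues worked through in this
thread: subnet order in the nat0 / crypto ACLs (inside subnet first, VPN pool
second) and ACL / dynamic-map names that are defined but unused or used but
undefined.  Added example, not code from the thread or from Cisco."""
import re
from ipaddress import IPv4Network as Net

# Constructed excerpt in the state the asker first posted it (pool subnet first).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.9.62.253 255.255.255.0
!
access-list outside_cryptomap_dyn_20 extended permit udp 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.63.0 255.255.255.0 10.9.62.0 255.255.255.0
ip local pool ippool 10.9.63.50-10.9.63.100 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACE_RE = re.compile(rf"^access-list (\S+) extended (permit|deny) (\S+) "
                    rf"{IPV4} {IPV4} {IPV4} {IPV4}\s*$", re.M)
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", re.M)


def parse_interfaces(cfg: str) -> dict[str, Net]:
    """nameif -> connected subnet; tolerates sub-commands that lost indentation."""
    nets, name, net = {}, None, None
    for raw in cfg.splitlines() + ["!"]:
        line = raw.strip()
        if line.startswith("interface ") or line == "!":
            if name and net:
                nets[name] = net
            name = net = None
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address "):
            addr, mask = line.split()[2:4]
            net = Net(f"{addr}/{mask}", strict=False)
    return nets


def parse_pools(cfg: str) -> dict[str, Net]:
    """ip local pool name -> the subnet implied by its mask."""
    return {m[1]: Net(f"{m[2]}/{m[4]}", strict=False) for m in POOL_RE.finditer(cfg)}


def parse_aces(cfg: str, acl: str) -> list[dict]:
    """Extended ACEs of one ACL; 'raw' is the exact line a 'no' form must repeat."""
    return [{"raw": m[0].rstrip(), "action": m[2], "proto": m[3],
             "src": Net(f"{m[4]}/{m[5]}", strict=False),
             "dst": Net(f"{m[6]}/{m[7]}", strict=False)}
            for m in ACE_RE.finditer(cfg) if m[1] == acl]


def _reversed(ace: dict, inside: Net, pools: set) -> bool:
    return ace["dst"] == inside and ace["src"] in pools


def check_direction(cfg: str, acl: str, inside_if: str = "inside") -> list[str]:
    """Every ACE of a nat0 / crypto ACL should read <inside subnet> -> <pool>."""
    inside, pools = parse_interfaces(cfg)[inside_if], set(parse_pools(cfg).values())
    findings = []
    for ace in parse_aces(cfg, acl):
        if ace["src"] == inside and ace["dst"] in pools:
            continue
        if _reversed(ace, inside, pools):
            findings.append(f"{acl}: subnets reversed in '{ace['raw']}'")
        else:
            findings.append(f"{acl}: {ace['src']} -> {ace['dst']} matches neither inside nor pool")
    return findings


def suggest_fix(cfg: str, acl: str, inside_if: str = "inside") -> list[str]:
    """CLI to repair reversed ACEs: the 'no' line repeats the existing entry verbatim
    (a 'no' with the subnets already swapped removes nothing); a udp/tcp ACE is not
    re-added when a 'permit ip' ACE for the same subnet pair already covers it."""
    inside, pools = parse_interfaces(cfg)[inside_if], set(parse_pools(cfg).values())
    aces, cmds = parse_aces(cfg, acl), []
    for ace in aces:
        if not _reversed(ace, inside, pools):
            continue
        cmds.append("no " + ace["raw"])
        covered = ace["proto"] != "ip" and any(
            a["proto"] == "ip" and (a["src"], a["dst"]) == (ace["src"], ace["dst"]) for a in aces)
        if not covered:
            cmds.append(f"access-list {acl} extended {ace['action']} {ace['proto']} "
                        f"{inside.network_address} {inside.netmask} "
                        f"{ace['src'].network_address} {ace['src'].netmask}")
    return cmds


def check_references(cfg: str) -> list[str]:
    """Names defined but never used, or used but never defined, never take effect."""
    acl_def = set(re.findall(r"^access-list (\S+)", cfg, re.M))
    acl_use = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M))
    acl_use |= set(re.findall(r"^access-group (\S+)", cfg, re.M))
    acl_use |= set(re.findall(r"match address (\S+)", cfg))
    acl_use |= set(re.findall(r"split-tunnel-network-list value (\S+)", cfg))
    dyn_def = set(re.findall(r"^crypto dynamic-map (\S+) \d+", cfg, re.M))
    dyn_use = set(re.findall(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", cfg, re.M))
    return ([f"ACL {n} is defined but never referenced" for n in sorted(acl_def - acl_use)]
            + [f"ACL {n} is referenced but never defined" for n in sorted(acl_use - acl_def)]
            + [f"dynamic-map {n} is referenced but never defined" for n in sorted(dyn_use - dyn_def)]
            + [f"dynamic-map {n} is never attached to a crypto map" for n in sorted(dyn_def - dyn_use)])
```

Running `check_direction`, `suggest_fix` and `check_references` over a pasted `show running-config` reproduces, for each reposted config in this thread, the corrections the two experts typed by hand.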
ASKER
I see what you mean. I changed the access list name instead so that they now match. Although I now realise I have an access list and a crypto map with the same name - would this cause any issues?
I still can't get access inside the LAN, or get ping responses. Any other mistakes that you can see?
Thanks
Mark.
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name original106.local
enable password 6jr.Xa4ijcMRJ2uX encrypted
names
name 10.9.62.1 RDJServer
!
interface Vlan1
nameif inside
security-level 100
ip address 10.9.62.253 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 77.44.77.218 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
passwd 6jr.Xa4ijcMRJ2uX encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name original106.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MyTCPServices tcp
description Allow TCP inbound connections
port-object eq smtp
port-object eq pptp
port-object eq https
port-object eq www
port-object eq echo
port-object eq 3389
object-group protocol MyProtocolServices
protocol-object gre
object-group service MyUDPConnections udp
port-object range 4500 4500
port-object eq isakmp
access-list acl_out extended permit tcp any any eq smtp
access-list acl_out extended permit tcp any any eq ident
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any any eq https
access-list acl_out extended permit tcp any any eq pptp
access-list acl_out extended permit tcp any eq 587 any eq smtp
access-list acl_out extended permit udp any eq 587 any eq 25
access-list acl_out extended permit tcp any any eq pop3
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit udp any any
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
access-list outside_dyn_map extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool ippool 10.9.63.50-10.9.63.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www RDJServer www netmask 255.255.255.255
static (inside,outside) tcp interface pop3 RDJServer pop3 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 77.44.77.217 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask none default svc
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
default-acl unused
reval-period 36000
sq-period 300
http server enable
http 10.9.62.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn ciscoasa
subject-name CN=ciscoasa
no client-types
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
308201cc 30820135 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
2c311130 0f060355 04031308 63697363 6f617361 31173015 06092a86 4886f70d
01090216 08636973 636f6173 61301e17 0d303830 36323232 31343031 365a170d
31383036 32303231 34303136 5a302c31 11300f06 03550403 13086369 73636f61
73613117 30150609 2a864886 f70d0109 02160863 6973636f 61736130 819f300d
06092a86 4886f70d 01010105 0003818d 00308189 02818100 b2d34eae a32556ad
2b9d1747 63aef9a7 aa2d8f42 b2579008 12d0ee99 4629b3d3 42219061 cbb13013
abc856f0 e1e685cc 83e8789c fd42c820 84304924 8a4ff377 3e3d2dfd 44c69dfa
41a53007 5f145916 ce9eaeac ec37a3d0 362d45a5 661ed30e dbe4ee8b cb718083
365756e1 7e5dd819 956e9de2 cd6c4199 bd5a9ee4 1751a613 02030100 01300d06
092a8648 86f70d01 01040500 03818100 3783b827 489193e6 4b769a50 8d827b77
0802b366 e0f7d8d5 0fa6cb77 d9e97347 c4c8689d d6a44e08 8571033e f27afa13
8c716e0e 8ef7e65a 0d16c99b 0d4714d3 82e31e77 91ed7eec 3d56924e 2d8d21a4
9fd4af14 1df0a0bd e7280b2b c919cfa5 7114ba7a fbe8d9ad 1fc01d0a 1795e637
df70fb44 81c5c720 f538604e 8ab43cb3
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 10.9.63.0 255.255.255.0 inside
telnet 10.9.62.0 255.255.255.0 inside
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
ssl encryption 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
csd enable
svc image disk0:/sslclient-win-1.1.0.154.pkg 1
svc profiles Default disk0:/dap.xml
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
pfs enable
ipsec-udp enable
nac-settings value DfltGrpPolicy-nac-framework-create
address-pools value ippool
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc ask none default svc
customization value DfltCustomization
group-policy OriginalSol internal
group-policy OriginalSol attributes
wins-server value 10.9.62.1
dns-server value 10.9.62.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value OriginalSol_splitTunnelAcl
default-domain value original106.local
username mark.robinson password fgfaddJl/KVjPIir encrypted privilege 0
username mark.robinson attributes
vpn-group-policy OriginalSol
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group OriginalSol type remote-access
tunnel-group OriginalSol general-attributes
address-pool ippool
default-group-policy OriginalSol
tunnel-group OriginalSol ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
smtp-server 10.9.62.1
prompt hostname context
Cryptochecksum:878796cb1963a1bc07b80651ccc7ff4c
: end
ASKER
I have done a bit more investigation on this, and things are slightly better than before.
When running an ICMP trace on the firewall, I can see incoming pings to machines on the LAN, coming from the VPN client, but there are no replies. As before, I get a response from pinging the inside interface of the firewall from the VPN client.
Does this indicate a further issue with the cryptomap routing?
Thanks so much for your help on this, it is really appreciated.
Are there any software firewalls enabled on the clients?
ASKER
Each time I try a revised configuration I make sure I try it with the client firewall turned off.
The internal machines have the ASA as their default gateway, right? If so, then on the ASA run this command:
show running-config sysopt
to see if proxy ARP is disabled.
Proxy ARP is used for the return traffic.
Cheers,
Rajesh
ASKER
Thanks, Rajesh,
Proxy ARP wasn't disabled. I cleared the ARP cache as a Cisco connection troubleshooting guide suggested, but still no difference.
Thanks
Mark.
Still, can you post the output of that command?
Cheers,
Rajesh
ASKER
Here it is:
ciscoasa# sh running-config sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
sysopt connection permit-vpn
no sysopt connection reclassify-vpn
Hmm, I'm stumped. That is all you need for this to work:
>>access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
The split-tunnel ACL, if you're using it, should be as below:
access-list OriginalSol_splitTunnelAcl extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
That is all that is needed.
Cheers,
Rajesh
Also, just try this once again:
no crypto isakmp enable outside
crypto isakmp enable outside
and see if that makes any difference (it only disables and enables it again).
Cheers,
Rajesh
Any updates to this situation?
ASKER CERTIFIED SOLUTION
sysopt connection permit-ipsec
If that doesn't help, let me know and I will inspect the configuration in more detail.
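As an added example that is not part of the thread and not Cisco's or any participant's code: a small Python lint that applies the static checks the replies above raise (the `sysopt connection permit-vpn` / `permit-ipsec` setting, the NAT exemption for inside-to-pool traffic, the split-tunnel list covering the inside subnet, and whether the pool lands inside an interface subnet so that return traffic depends on proxy ARP) to a constructed excerpt of the posted configuration. The function names `parse`, `lint`, `acl_net`, the finding strings, and the `ASA_CONFIG` excerpt are the example's own; the outside address is an RFC 5737 placeholder because the poster masked theirs. It reads only the configuration, so it cannot see live ARP or NAT state the way `show` commands on the box can.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted above, trimmed to what the checks read.
# Outside address is an RFC 5737 placeholder (the poster masked theirs). Indentation is
# optional: the parser keys on command keywords because the forum copy lost leading spaces.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.9.62.253 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.0.2.218 255.255.255.248
access-list OriginalSol_splitTunnelAcl standard permit 10.9.62.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.9.62.0 255.255.255.0 10.9.63.0 255.255.255.0
ip local pool ippool 10.9.63.50-10.9.63.100 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
sysopt connection permit-vpn
group-policy OriginalSol attributes
 split-tunnel-network-list value OriginalSol_splitTunnelAcl
tunnel-group OriginalSol general-attributes
 address-pool ippool
"""


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def acl_net(tok):
    """ACL address ('any', 'host A' or 'A M') -> (network, tokens consumed)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), 2
    return net(tok[0], tok[1]), 2


def parse(config):
    """Collect interfaces, pools, ACLs, nat 0 bindings and the VPN sysopt from the config text."""
    c = {"ifaces": {}, "pools": {}, "acls": {}, "nat0": {}, "sysopt_vpn": False, "gp_split": {}, "tg_pool": {}}
    ctx = None  # (block type, block name) of the enclosing interface/group-policy/tunnel-group
    for raw in config.splitlines():
        line = raw.strip()
        t = line.split()
        if not t:
            continue
        if t[0] in ("interface", "group-policy", "tunnel-group"):
            ctx = (t[0], t[1])
        elif t[0] == "nameif" and ctx and ctx[0] == "interface":
            c["ifaces"].setdefault(ctx[1], {})["name"] = t[1]
        elif line.startswith("ip address ") and ctx and ctx[0] == "interface":
            c["ifaces"].setdefault(ctx[1], {})["net"] = net(t[2], t[3])
        elif line.startswith("ip local pool "):
            lo, hi = t[4].split("-")
            c["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[0] == "access-list":
            c["acls"].setdefault(t[1], []).append(t[2:])
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            c["nat0"][m.group(1)] = m.group(2)
        elif line in ("sysopt connection permit-vpn", "sysopt connection permit-ipsec"):
            c["sysopt_vpn"] = True
        elif t[0] == "split-tunnel-network-list" and ctx and ctx[0] == "group-policy":
            c["gp_split"][ctx[1]] = t[2]
        elif t[0] == "address-pool" and ctx and ctx[0] == "tunnel-group":
            c["tg_pool"][ctx[1]] = t[1]
    return c


def lint(config):
    """Finding codes for the remote-access return-path prerequisites; [] means every piece is present."""
    c = parse(config)
    findings = []
    inside = next((i.get("net") for i in c["ifaces"].values() if i.get("name") == "inside"), None)
    if not c["sysopt_vpn"]:
        findings.append("permit-vpn-missing")  # decrypted VPN traffic would then need an outside ACL
    for tg, pool_name in c["tg_pool"].items():
        if pool_name not in c["pools"]:
            findings.append(f"pool-missing:{tg}")
            continue
        lo, hi = c["pools"][pool_name]
        for i in c["ifaces"].values():  # a pool inside an interface subnet relies on proxy ARP
            if i.get("net") and (lo in i["net"] or hi in i["net"]):
                findings.append(f"pool-overlaps-{i.get('name')}:{pool_name}")
        covered = False  # without a nat 0 entry for inside -> pool, nat (inside) 1 PATs the replies
        for e in c["acls"].get(c["nat0"].get("inside", ""), []):
            if inside is None or e[:3] != ["extended", "permit", "ip"]:
                continue
            src, n = acl_net(e[3:])
            dst, _ = acl_net(e[3 + n:])
            covered |= inside.subnet_of(src) and lo in dst and hi in dst
        if not covered:
            findings.append(f"nat0-not-covering-pool:{pool_name}")
    for gp, acl_name in c["gp_split"].items():  # split list must carry the inside subnet
        if inside is not None and not any(e[0] == "standard" and e[1] == "permit"
                                          and inside.subnet_of(net(e[2], e[3]))
                                          for e in c["acls"].get(acl_name, [])):
            findings.append(f"split-tunnel-missing-inside:{gp}")
    return findings


if __name__ == "__main__":
    print(lint(ASA_CONFIG) or "no findings")
```

Run against the posted excerpt it reports no findings, which matches the thread: the NAT exemption, `sysopt connection permit-vpn`, pool and split-tunnel list are all present, so the remaining suspects are things only the running box shows (proxy ARP and the ARP cache, the crypto map, or the hosts themselves). Altering the nat 0 ACL destination or dropping the sysopt line makes the lint flag exactly those pieces, which is the quick way to confirm a candidate fix before pushing it to a production ASA.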