Guile777
asked on
ASA Vpn Client connects, but can't ping, rdp or anything, but site 2 site tunnel works.
First, the Cisco Vpn Client does connect, but ping, tracert, rdp won't work. 10.0.25.0
Second, the site 2 site vpn does work and has ping, tracert and rdp working. 10.x.2.0
Second, the site 2 site vpn does work and has ping, tracert and rdp working. 10.x.2.0
ASA Version 7.2(3)
!
hostname TestingReports
domain-name confidentialinternal.com
enable password aYl8zRPttQq77nTz encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.7.250 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 65.x.x.20 255.255.255.0
!
interface Vlan3
shutdown
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name confidentialinternal.com
access-list outside_1_cryptomap extended permit ip 10.0.7.0 255.255.255.0 10.x.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.7.0 255.255.255.0 10.x.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.7.0 255.255.255.0 10.0.25.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool remotepool 10.0.25.100-10.0.25.101 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 65.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.0.7.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 64.x.x.200
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.0.7.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
dhcpd address 10.0.7.251-10.0.7.254 inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy testingtnl internal
group-policy testingtnl attributes
vpn-tunnel-protocol IPSec
default-domain value Testingsecure
username impy77 password KNL8o601vo2dDHXr encrypted privilege 0
username impy77 attributes
vpn-group-policy testingtnl
tunnel-group 64.x.x.200 type ipsec-l2l
tunnel-group 64x.x.200 ipsec-attributes
pre-shared-key *
tunnel-group testingtnl type ipsec-ra
tunnel-group testingtnl general-attributes
address-pool remotepool
default-group-policy testingtnl
tunnel-group testingtnl ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:932d96706239c3bc4f77a1053cb10824
: end
Testing(config)#
Last Comment
ASKER
Hi Voltz what do crypto isakmp nat-t 20 and crypto isakmp identity address do?
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
Cisco
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).
27K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
crypto isakmp nat-t 20
crypto isakmp identity address