Solved

Users have problem accessing internet after ASAPIX install, and a config question

Posted on 2008-09-30
326 Views
Last Modified: 2010-04-21
I just setup a new ASA/PIX 5505 firewall for a new client. I followed the Cisco document, (Link Below) as a guide:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094ea2.shtml
This is a very small company with 10-15 users. They have a dedicated business DSL connection of 9 MB and the ASA/PIX is behind the DSL modem.

Problem: I'm getting calls that some users can connect to the internet, and they say that it is blazing, but they end up getting kicked off or can't access the internet 10-15 minutes after they get on. I have heard that it appears to happen in cycles. I have even heard that from time to time if one person gets on another one gets booted off. They are not running any type of spam/internet filter. I did put an Exchange server in place but they are not using it yet. Any ideas or configs I should try?

Question: What is the easiest way to set up the VPN on this type of device? I can't set up the Easy VPN server because the system will tell me I have to undo all the changes I made to the outside interface.

Thanks
0
Question by:haasjoh
30 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
Can you please post the ASA config?
Regarding getting kicked off - do they all lose it all at the same time and get it back at the same?
Are the PCs using DHCP for addresses and what's the configured lease length if so? If they are using static addresses, can you verify that they all have unique IPs?
I'll address the VPN question as soon as we get this resolved since it's causing them downtime.
My initial thought is that it's either an address conflict between PCs or it's an ISP issue. Does it happen every 10-15 minutes? How long?
I look forward to helping! ;-)
0
 
LVL 79

Expert Comment

by:lrmoore
What model ASA? Is it the little 5505? does it have a limited 10-user license?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Good question - check the license by running a sh ver. If it is the base license (ASA5505-BUN-K9) and hasn't had a license upgrade then this is probably the case, but run the command anyways.
Look for the line Inside Hosts on the license printout.
It would make sense that this is a possibility - the only thing is that when an ASA does fill up the user limit it just blocks communication from all other hosts until one becomes disconnected (meaning the cable is actually unplugged or the machine is turned off, or if a VPN user until their session has expired). This "lockout" usually stays active a few hours. I've run into this a few times before.
Check your syslogs when this is happening - you should see a level 3 error saying you've exceeded the maximum number of licensed users and it will repeat every time a host that is not active on the ASA tries to communicate.
0
 
LVL 2

Author Comment

by:haasjoh
Ahhhh good point. I will check this Wed Oct 1. I'll be going again in the morning. I do remember looking at the license.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Also - didn't mention this - are the users sharing computers or are there more than 10 computers?
One more piece of info for you: If it turns out this is the problem, the upgrade PN for 10 to unlimited users is ASA5505-SW-10-UL=
It usually runs a little under $400.
If it turns out this is the issue, consider other possible requirements the site might have when upgrading the license - will they need servers in the DMZ or more than 2 SSL VPN users? This all costs extra money so it's best to get it out of the way.
0
 
LVL 2

Author Comment

by:haasjoh
Well, had I more experience with the ASA, I could have figured it out myself. Oh well, it happens. So, it looks like it was a license issue so far. I had to do a "sh ver" copy the output and email it to license@cisco.com. They reviewed the serial id and the output and sent a new license. Instructions on how to install it were also in the email. Pretty simple. So, how about the VPN setup?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
With VPN - remote access or site-to-site?
0
 
LVL 79

Expert Comment

by:lrmoore
Just use the VPN wizard for either one.
When you get to the part about setting up an IP address pool, choose IPs in a totally different IP subnet than the local network, and do not use 192.168.1.x either.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
That's correct. The reason I was asking is that sometimes the VPN Wizard can mess you up if you don't know exactly what it means.
0
 
LVL 2

Author Comment

by:haasjoh
All I am trying to do is set up basic VPN access for about 10 users. It is not site to site. Just an average user on the road. I tried to use the ASDM and click on "Easy VPN". However, it failed to take the settings and said I had to undo all the mods I did with the outside interface. As mentioned above, I used the Cisco doc as a reference to set up a single subnet FIRST. Then I tried to do the VPN second. I did create a VPN IP pool as a test, but for some reason I am still unable to get it to work. Basically I would like to create a connection by using Windows instead of installing Cisco's software.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Easy VPN is actually a site-to-site thing.
From the menu in the ASDM just select Remote Access VPN Wizard and follow the steps. Make sure you set the DH group to 2 when asked or the Cisco VPN client won't work. Use the same VPN IP pool as long as it doesn't conflict with any other networks on the ASA or inside your network.
Cheers!
0
 
LVL 79

Expert Comment

by:lrmoore
Don't do EasyVPN, use the Wizard and select Remote Access VPN
I highly discourage you from using Windows PPTP for the VPN. The Cisco VPN client is free, simple to install and SECURE.
Check out this document
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
0
 
LVL 2

Author Comment

by:haasjoh
The problem I have run into with the Cisco software is that it kills my network and wireless connections or makes them not want to connect to the network. This is w/o me trying to log on to the VPN. I did try Cisco software on an HP laptop, rebooted, then it would not let me log onto any wireless or wired connections. I guess I would use the Cisco software if I didn't have a problem with the network connections.
0
 
LVL 79

Expert Comment

by:lrmoore
I've been using it for years and have deployed it with many many clients and have never had an issue like that.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Same here on the usage - although I'll tell you what the problem is. I took down a network of 500+ users with it for 10 minutes one time by accident.
You have the crypto map mistakenly applied to the inside interface without all necessary parts. Please post the config you had when experiencing this problem and I'll see what I can do. One other thing to note - the Remote Access VPN Wizard doesn't always work (I mentioned this above). You might give Cisco TAC a call and they'll help you get it straightened out if you're in a time pinch!
Cheers!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Lol why do I only get paid $10 an hour!? Seems I can roll with the pros on this stuff but I get paid $10 an hour! I guess it's because I'm 20... :(
0
 
LVL 79

Expert Comment

by:lrmoore
>why do I only get paid $10 an hour!?
>I took down a network of 500+ users with it for 10 minutes one time by accident.
x
Just kidding.....
<8-}
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Lol well that was actually TAC that remotely entered the command. :-P Gotta love them when they help you out like that.
0
 
LVL 2

Author Comment

by:haasjoh
Here it is. I changed some stuff for obvious reasons. Let me know.

ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name ain'tgettingit.com
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit tcp any host 67.77.18x.x eq www
access-list 100 extended permit tcp any host 67.77.18x.x eq pop3
access-list 100 extended permit tcp any host 67.77.18x.x eq 995
access-list 100 extended permit tcp any host 67.77.18x.x eq smtp
access-list 100 extended permit tcp any host 67.77.18x.x eq https
access-list 100 extended permit tcp any host 67.77.18x.x eq 1034
access-list 100 extended permit tcp any host 67.77.18x.x eq 587
access-list 100 extended permit tcp any host 67.77.18x.x eq 589
access-list 100 extended permit tcp any host 67.77.18x.x eq imap4
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.200.1.224 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 10.200.1.128 255.255.255.128
pager lines 24
logging enable
logging buffered errors
logging trap notifications
mtu inside 1500
mtu outside 1500
ip local pool IPPOOL 10.200.1.235-10.200.1.253 mask 255.255.0.0
ip local pool TEST 10.200.1.180-10.200.1.210 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 67.77.18X.X 10.200.1.18 netmask 255.255.255.255
static (inside,outside) 67.77.18X.X 10.200.1.10 netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 67.77.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpnclient server 67.77.18X.X
vpnclient mode client-mode
vpnclient vpngroup EXAMPLE password ********
vpnclient username EXAMPLE password ********
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value ain'tgettingit.com
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value .
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 default-domain value ain'tgettingit.com
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy AIAGP internal
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool IPPOOL
 address-pool TEST
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
prompt hostname context
Cryptochecksum:82bd6d87d105a4fbb34eb515d0b35f04
EXAMPLE#

0
 
LVL 12

Accepted Solution

by:Pugglewuggle
Pugglewuggle earned 175 total points
Hi haasjoh,
Try running these commands: they will overrule your current cryptomaps and insert working values.
Try it with this and let me know if it still takes your network down.

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 175 total points
Didn't I mention that you should use a totally different ip subnet for the vpn address pool?
inside = 10.200.1.x
vpn pool = 10.200.1.x
Not different
0
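A check for the overlap lrmoore points out above, as an added example that is not from the thread or from Cisco: it parses the `ip local pool` lines of the posted config and flags a pool that overlaps the inside subnet, a pool on 192.168.1.x, and a pool mask wider than the LAN (the posted pools use 255.255.0.0). It assumes the inside subnet is 10.200.1.0/24 and includes a constructed corrected pool for comparison.

```python
import ipaddress
import re

# Assumption: the LAN behind the ASA is 10.200.1.0/24 (lrmoore's "inside = 10.200.1.x").
INSIDE_SUBNET = ipaddress.ip_network("10.200.1.0/24")
# Subnet lrmoore says to avoid for the pool: most home routers use it, so a
# road warrior's local route would shadow the tunnel.
AVOID_SUBNETS = [ipaddress.ip_network("192.168.1.0/24")]

# The two "ip local pool" lines exactly as they appear in the posted config.
POSTED_CONFIG = """\
ip local pool IPPOOL 10.200.1.235-10.200.1.253 mask 255.255.0.0
ip local pool TEST 10.200.1.180-10.200.1.210 mask 255.255.0.0
"""

# Constructed alternative: a pool on its own subnet with a matching mask.
FIXED_CONFIG = "ip local pool VPNPOOL 10.200.50.10-10.200.50.40 mask 255.255.255.0\n"

POOL_RE = re.compile(
    r"^ip local pool (?P<name>\S+) (?P<first>[\d.]+)-(?P<last>[\d.]+)"
    r"(?: mask (?P<mask>[\d.]+))?$"
)

def parse_pools(config):
    """Return (name, first, last, mask) for every 'ip local pool' line."""
    pools = []
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools.append((m["name"], ipaddress.ip_address(m["first"]),
                          ipaddress.ip_address(m["last"]), m["mask"]))
    return pools

def check_pools(config, inside=INSIDE_SUBNET):
    """List the problems each pool has relative to the inside subnet."""
    findings = []
    for name, first, last, mask in parse_pools(config):
        # summarize_address_range turns first-last into CIDR blocks we can compare.
        blocks = list(ipaddress.summarize_address_range(first, last))
        if any(b.overlaps(inside) for b in blocks):
            findings.append(f"{name}: {first}-{last} overlaps inside {inside}")
        for avoid in AVOID_SUBNETS:
            if any(b.overlaps(avoid) for b in blocks):
                findings.append(f"{name}: {first}-{last} lies in {avoid}, common on home LANs")
        if mask:
            # The mask is pushed to the client; one wider than the LAN makes the
            # client treat the whole inside network as on-link instead of routed.
            pool_net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
            if pool_net != inside and inside.subnet_of(pool_net):
                findings.append(f"{name}: mask {mask} ({pool_net}) swallows inside {inside}")
    return findings

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_pools(cfg) or ["ok"])
```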
 
LVL 2

Author Comment

by:haasjoh
Lrmoore:
This was all setup before I read your post. I didn't make any changes yet :)
0
 
LVL 79

Expert Comment

by:lrmoore
Where are you with testing? What works, what doesn't?
0
 
LVL 2

Author Comment

by:haasjoh
I need to start testing again today. I didn't want to mess with the ASA while they were all working. However they don't work weekends (good for me) and I plan on getting in today to do just that.
0
 
LVL 79

Expert Comment

by:lrmoore
Just remember, that you can only test the VPN from actually outside the network.
I usually open up http to my home IP address so that I can use the ASDM GUI from home to setup the VPN and then to test it at the same time.
 just add:
   http <home ip> 255.255.255.255 outside
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Yes indeed :-) If you don't have another internet connection available try linking a laptop to your cellphone if your phone supports it (most smartphones and even little phones like the RAZR do). That's plenty fast to establish a VPN connection and test if it's functioning correctly/debug the error messages.
Cheers!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
Oh whoops - didn't read the line about using your home address.
You do have to have the ASDM on your home computer though, as well as a VPN connection to home.
lrmoore and I may, but you may not, so the phone will work if you don't. :)
Cheers lr! Didn't mean to overlap your post.
0
 
LVL 2

Author Comment

by:haasjoh
Sorry for the delay. I haven't been out to the site yet. I was working on their Exchange stuff. I will work on your solutions soon.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
No problem! Just let me know!
Cheers!
0
 
LVL 2

Author Closing Comment

by:haasjoh
Thanks Guys!
0