Solved

Users have problems accessing the internet after ASA/PIX install, and a config question

Posted on 2008-09-30
30
Medium Priority
373 Views
Last Modified: 2010-04-21
I just set up a new ASA/PIX 5505 firewall for a new client. I followed the Cisco document (link below) as a guide:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094ea2.shtml
This is a very small company with 10-15 users. They have a dedicated business DSL connection of 9 MB and the ASA/PIX is behind the DSL modem.

Problem: I'm getting calls that some users can connect to the internet, and they say that it is blazing, but they end up getting kicked off or can't access the internet 10-15 minutes after they get on. I have heard that it appears to happen in cycles. I have even heard that from time to time if one person gets on, another one gets booted off. They are not running any type of spam/internet filter. I did put an Exchange server in place but they are not using it yet. Any ideas or configs I should try?

Question: What is the easiest way to set up the VPN on this type of device? I can't set up the Easy VPN server because the system will tell me I have to undo all the changes I made to the outside interface.

Thanks
0
Question by:haasjoh
30 Comments
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22610492
Can you please post the ASA config?
Regarding getting kicked off - do they all lose it at the same time and get it back at the same time?
Are the PCs using DHCP for addresses and, if so, what's the configured lease length? If they are using static addresses, can you verify that they all have unique IPs?
I'll address the VPN question as soon as we get this resolved since it's causing them downtime.
My initial thought is that it's either an address conflict between PCs or it's an ISP issue. Does it happen every 10-15 minutes? For how long?
I look forward to helping! ;-)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22611204
What model ASA? Is it the little 5505? Does it have a limited 10-user license?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22611301
Good question - check the license by running a sh ver. If it is the base license (ASA5505-BUN-K9) and hasn't had a license upgrade then this is probably the case, but run the command anyway.
Look for the line Inside Hosts in the license printout.
It would make sense that this is a possibility - the only thing is that when an ASA does fill up the user limit it just blocks communication from all other hosts until one becomes disconnected (meaning the cable is actually unplugged or the machine is turned off, or, for a VPN user, until their session has expired). This "lockout" usually stays active a few hours. I've run into this a few times before.
Check your syslogs when this is happening - you should see a level 3 error saying you've exceeded the maximum number of licensed users, and it will repeat every time a host that is not active on the ASA tries to communicate.
0
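The two checks in this comment (the Inside Hosts line of sh ver and the level 3 syslog errors), as an added example that is not part of the thread: a Python script of my own, not a Cisco tool, that pulls the Inside Hosts value out of captured show version output and counts, per inside source address, the syslog denials the ASA logs once the licensed host limit is reached. The show version excerpt and the syslog lines are constructed samples; the syslog lines follow the layout of ASA message 450001 as I recall it, so treat the message ID and the field order as assumptions and adjust the regexes to a real capture.

```python
"""Detect a hit 10-user licence ceiling on an ASA 5505 from two artefacts:
the 'Inside Hosts' line of 'show version' and the per-host syslog denials.
Hypothetical checker written for this thread; all inputs are constructed.
"""
import re
from collections import Counter

# Constructed excerpt in the shape of the licence block of 'show version' on a base ASA 5505.
SHOW_VER = """\
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs                       : 3, DMZ Restricted
Inside Hosts                : 10
Failover                    : Disabled
VPN-DES                     : Enabled
VPN-3DES-AES                : Enabled
"""

# Constructed syslog lines laid out after ASA message 450001 (assumed format);
# the last line is an ordinary connection build and must be ignored.
SYSLOG = """\
%ASA-3-450001: Deny traffic for protocol 6 src inside:10.200.1.41/1055 dst outside:67.77.1.1/80, licensed host limit of 10 exceeded.
%ASA-3-450001: Deny traffic for protocol 17 src inside:10.200.1.42/1250 dst outside:68.94.156.1/53, licensed host limit of 10 exceeded.
%ASA-3-450001: Deny traffic for protocol 6 src inside:10.200.1.41/1056 dst outside:67.77.1.1/443, licensed host limit of 10 exceeded.
%ASA-6-302013: Built outbound TCP connection 1234 for outside:67.77.1.1/80 (67.77.1.1/80) to inside:10.200.1.20/1100 (67.77.180.5/1100)
"""

INSIDE_HOSTS_RE = re.compile(r"^Inside Hosts\s*:\s*(\d+|Unlimited)", re.MULTILINE)
LIMIT_DENY_RE = re.compile(
    r"%ASA-3-450001: Deny traffic for protocol \d+ src \S+:(?P<src>[\d.]+)/\d+ .*"
    r"licensed host limit of (?P<limit>\d+) exceeded"
)


def licensed_inside_hosts(show_version: str):
    """Return the Inside Hosts count as an int, or None for an unlimited licence."""
    m = INSIDE_HOSTS_RE.search(show_version)
    if not m:
        raise ValueError("no 'Inside Hosts' line found in show version output")
    return None if m.group(1) == "Unlimited" else int(m.group(1))


def hosts_denied_by_license(syslog: str) -> Counter:
    """Count licence-limit denials per inside source address; other messages are skipped."""
    denied = Counter()
    for line in syslog.splitlines():
        m = LIMIT_DENY_RE.search(line)
        if m:
            denied[m.group("src")] += 1
    return denied


def diagnose(show_version: str, syslog: str) -> dict:
    """Combine both artefacts into one verdict a helpdesk ticket can act on."""
    limit = licensed_inside_hosts(show_version)
    denied = hosts_denied_by_license(syslog)
    return {
        "inside_host_limit": limit,
        "limited_license": limit is not None,
        "hosts_denied": sorted(denied),
        "license_exceeded": bool(denied),
    }


if __name__ == "__main__":
    print(diagnose(SHOW_VER, SYSLOG))
```

On a real box, feed the script the output of sh ver and the buffered log (logging buffered errors is already set in the config posted later in the thread, so level 3 messages will be retained). A non-empty hosts_denied list alongside a numeric inside_host_limit is the signature of the lockout described above rather than an ISP or address-conflict problem.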
 
LVL 2

Author Comment

by:haasjoh
ID: 22611315
Ahhhh good point. I will check this Wed Oct 1. I'll be going again in the morning. I do remember looking at the license.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22611324
Also - didn't mention this - are the users sharing computers or are there more than 10 computers?
One more piece of info for you: If it turns out this is the problem, the upgrade PN for 10 to unlimited users is ASA5505-SW-10-UL=
It usually runs a little under $400.
If it turns out this is the issue, consider other possible requirements the site might have when upgrading the license - will they need servers in the DMZ or more than 2 SSL VPN users? This all costs extra money so it's best to get it out of the way.
0
 
LVL 2

Author Comment

by:haasjoh
ID: 22634106
Well, had I more experience with the ASA, I could have figured it out myself. Oh well, it happens. So, it looks like it was a license issue so far. I had to do a "sh ver" copy the output and email it to license@cisco.com. They reviewed the serial id and the output and sent a new license. Instructions on how to install it were also in the email. Pretty simple. So, how about the VPN setup?
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22635864
With VPN - remote access or site-to-site?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22635925
Just use the VPN wizard for either one.
When you get to the part about setting up an IP address pool, choose IPs in a totally different IP subnet than the local network, and do not use 192.168.1.x either.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22635943
That's correct. The reason I was asking is that sometimes the VPN Wizard can mess you up if you don't know exactly what it means.
0
 
LVL 2

Author Comment

by:haasjoh
ID: 22636280
All I am trying to do is set up basic VPN access for about 10 users. It is not site-to-site. Just an average user on the road. I tried to use the ASDM and click on "Easy VPN". However, it failed to take the settings and said I had to undo all the mods I did with the outside interface. As mentioned above, I used the Cisco doc as a reference to set up a single subnet FIRST. Then I tried to do the VPN second. I did create a VPN IP pool as a test, but for some reason I am still unable to get it to work. Basically I would like to create a connection by using Windows instead of installing Cisco's software.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22636478
Easy VPN is actually a site-to-site thing.
From the menu in the ASDM just select Remote Access VPN Wizard and follow the steps. Make sure you set the DH group to 2 when asked or the Cisco VPN client won't work. Use the same VPN IP pool as long as it doesn't conflict with any other networks on the ASA or inside your network.
Cheers!
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22636486
Don't do EasyVPN; use the Wizard and select Remote Access VPN.
I highly discourage you from using Windows PPTP for the VPN. The Cisco VPN client is free, simple to install and SECURE.
Check out this document
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
0
 
LVL 2

Author Comment

by:haasjoh
ID: 22636589
The problem I have run into with the Cisco software is that it kills my network and wireless connections or makes them not want to connect to the network. This is w/o me trying to log on to the VPN. I did try the Cisco software on an HP laptop, rebooted, and then it would not let me log onto any wireless or wired connections. I guess I would use the Cisco software if I didn't have a problem with the network connections.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22636695
I've been using it for years and have deployed it with many many clients and have never had an issue like that.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22637453
Same here on the usage - although I'll tell you what the problem is. I took down a network of 500+ users with it for 10 minutes one time by accident.
You have the crypto map mistakenly applied to the inside interface without all necessary parts. Please post the config you had when experiencing this problem and I'll see what I can do. One other thing to note - the Remote Access VPN Wizard doesn't always work (I mentioned this above). You might give Cisco TAC a call and they'll help you get it straightened out if you're in a time pinch!
Cheers!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22637462
Lol why do I only get paid $10 an hour!? Seems I can roll with the pros on this stuff but I get paid $10 an hour! I guess it's because I'm 20... :(
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22637512
>why do I only get paid $10 an hour!?
>I took down a network of 500+ users with it for 10 minutes one time by accident.
x
Just kidding.....
<8-}
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22637712
Lol well that was actually TAC that remotely entered the command. :-P Gotta love them when they help you out like that.
0
 
LVL 2

Author Comment

by:haasjoh
ID: 22639307
Here it is. I changed some stuff for obvious reasons. Let me know.


ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 68.94.156.1
 name-server 68.94.157.1
 domain-name ain'tgettingit.com
access-list 100 extended permit icmp any any echo-reply
access-list 100 extended permit icmp any any time-exceeded
access-list 100 extended permit icmp any any unreachable
access-list 100 extended permit tcp any host 67.77.18x.x eq www
access-list 100 extended permit tcp any host 67.77.18x.x eq pop3
access-list 100 extended permit tcp any host 67.77.18x.x eq 995
access-list 100 extended permit tcp any host 67.77.18x.x eq smtp
access-list 100 extended permit tcp any host 67.77.18x.x eq https
access-list 100 extended permit tcp any host 67.77.18x.x eq 1034
access-list 100 extended permit tcp any host 67.77.18x.x eq 587
access-list 100 extended permit tcp any host 67.77.18x.x eq 589
access-list 100 extended permit tcp any host 67.77.18x.x eq imap4
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 10.200.1.224 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 10.200.1.128 255.255.255.128
pager lines 24
logging enable
logging buffered errors
logging trap notifications
mtu inside 1500
mtu outside 1500
ip local pool IPPOOL 10.200.1.235-10.200.1.253 mask 255.255.0.0
ip local pool TEST 10.200.1.180-10.200.1.210 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 67.77.18X.X 10.200.1.18 netmask 255.255.255.255
static (inside,outside) 67.77.18X.X 10.200.1.10 netmask 255.255.255.255
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 67.77.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpnclient server 67.77.18X.X
vpnclient mode client-mode
vpnclient vpngroup EXAMPLE password ********
vpnclient username EXAMPLE password ********
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value ain'tgettingit.com
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value .
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 default-domain value ain'tgettingit.com
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy AIAGP internal
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool IPPOOL
 address-pool TEST
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
prompt hostname context
Cryptochecksum:82bd6d87d105a4fbb34eb515d0b35f04
EXAMPLE#


0
 
LVL 12

Accepted Solution

by:Pugglewuggle
Pugglewuggle earned 700 total points
ID: 22640001
Hi haasjoh,
Try running these commands: they will override your current crypto maps and insert working values.
Try it with this and let me know if it still takes your network down.

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside


0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 700 total points
ID: 22640508
Didn't I mention that you should use a totally different ip subnet for the vpn address pool?
inside = 10.200.1.x
vpn pool = 10.200.1.x
Not different
0
 
LVL 2

Author Comment

by:haasjoh
ID: 22640783
Lrmoore:
This was all setup before I read your post. I didn't make any changes yet :)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22640859
Where are you with testing? What works, what doesn't?
0
 
LVL 2

Author Comment

by:haasjoh
ID: 22640885
I need to start testing again today. I didn't want to mess with the ASA while they were all working. However they don't work weekends (good for me) and I plan on getting in today to do just that.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22640898
Just remember, that you can only test the VPN from actually outside the network.
I usually open up http to my home IP address so that I can use the ASDM GUI from home to setup the VPN and then to test it at the same time.
 just add:
   http <home ip> 255.255.255.255 outside
0
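Three of the fixes in this thread can be checked mechanically before the config goes back on the box: the accepted solution removes the transport-mode line from the transform-set used by the dynamic crypto map, lrmoore points out that the VPN pool must live in a different subnet than the inside network, and the note above scopes ASDM access to a single home address rather than leaving management open to any source. The script below is an added example of my own, not a Cisco tool and not part of the thread; it lints a config excerpt for those three conditions. Both excerpts are constructed from lines of the shape seen in the posted config, the inside subnet 10.200.1.0/24 is an assumption inferred from the static translations, and the corrected pool and home address are placeholders.

```python
"""Lint an ASA remote-access VPN config for three problems raised in this thread.
Hypothetical checker, not a Cisco tool; configs below are constructed excerpts.

  1. 'ip local pool' ranges that overlap the inside subnet (pool must be a separate subnet).
  2. A transform-set left in transport mode and referenced by a dynamic crypto map
     (the accepted solution removes 'mode transport' for the remote-access client).
  3. http/telnet/ssh management access granted to 0.0.0.0 0.0.0.0 instead of named hosts.
"""
import ipaddress
import re

# Assumption: the inside subnet, inferred from the 10.200.1.x statics in the posted config.
INSIDE_NET = ipaddress.ip_network("10.200.1.0/24")

# Constructed 'before' excerpt mirroring the shape of the posted config.
CONFIG_BEFORE = """\
ip local pool IPPOOL 10.200.1.235-10.200.1.253 mask 255.255.0.0
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
http server enable
http 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside
"""

# Constructed 'after' excerpt: separate pool subnet, tunnel mode, scoped management access.
# 10.250.1.0/24 and 203.0.113.7 are placeholders, not addresses from the thread.
CONFIG_AFTER = """\
ip local pool IPPOOL 10.250.1.1-10.250.1.50 mask 255.255.255.0
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
http server enable
http 10.200.1.0 255.255.255.0 inside
http 203.0.113.7 255.255.255.255 outside
"""

POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)")
TRANSPORT_RE = re.compile(r"^crypto ipsec transform-set (\S+) mode transport")
DYNMAP_TS_RE = re.compile(r"^crypto dynamic-map \S+ \d+ set transform-set (\S+)")
MGMT_RE = re.compile(r"^(http|telnet|ssh) ([\d.]+) ([\d.]+) (\S+)")


def _range_overlaps(lo, hi, net) -> bool:
    """True when any address of lo..hi falls inside net."""
    return not (hi < net[0] or lo > net[-1])


def lint(config: str, inside_net=INSIDE_NET) -> list:
    """Return human-readable findings; an empty list means all three checks pass."""
    findings = []
    transport_sets = set()
    lines = config.splitlines()

    # Pass 1: address pools and transform-sets declared in transport mode.
    for line in lines:
        m = POOL_RE.match(line)
        if m:
            name, first, last = m.groups()
            lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
            if _range_overlaps(lo, hi, inside_net):
                findings.append(f"pool {name} {first}-{last} overlaps inside subnet {inside_net}")
            continue
        m = TRANSPORT_RE.match(line)
        if m:
            transport_sets.add(m.group(1))

    # Pass 2: dynamic maps that bind a transport-mode set, and any-source management access.
    for line in lines:
        m = DYNMAP_TS_RE.match(line)
        if m and m.group(1) in transport_sets:
            findings.append(f"dynamic map binds transform-set {m.group(1)} in transport mode; "
                            "drop 'mode transport' for the remote-access client")
        m = MGMT_RE.match(line)
        if m:
            proto, _addr, mask, iface = m.groups()
            if mask == "0.0.0.0":
                findings.append(f"{proto} management access on {iface} is open to any source; "
                                "restrict it to specific hosts (e.g. 'http <home ip> 255.255.255.255 outside')")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, lint(cfg) or "clean")
```

Run it against a copy of the running config (sh run) before and after applying the accepted commands; the before excerpt yields four findings and the corrected one none. The pool check compares the whole first-to-last range against the inside subnet, so a pool that merely starts outside but runs into the inside range is still caught.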
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22642633
Yes indeed :-) If you don't have another internet connection available try linking a laptop to your cellphone if your phone supports it (most smartphones and even little phones like the RAZR do). That's plenty fast to establish a VPN connection and test if it's functioning correctly/debug the error messages.
Cheers!
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22642637
Oh woops - didn't read the line about using your home address.
You do have to have the ASDM on your home computer though, as well as a VPN connection to home.
lrmoore and I may, but you may not, so the phone will work if you don't. :)
Cheers lr! Didn't mean to overlap your post.
0
 
LVL 2

Author Comment

by:haasjoh
ID: 22665832
Sorry for the delay. I haven't been out to the site yet. I was working on their Exchange stuff. I will work on your solutions soon.
0
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22666088
No problem! Just let me know!
Cheers!
0
 
LVL 2

Author Closing Comment

by:haasjoh
ID: 31501763
Thanks Guys!
0

Question has a verified solution.