bignewf
asked on
After a successful IpSec tunnel is established with the ASA 5510 with Cisco VPN client, traffic is not passed through the tunnel
After successful connection of an IPsec tunnel with the ASA 5510 and the Cisco VPN client (I have used versions from 4.8 to 5.02), the tunnel is established. I can ping the inside interface of the ASA, but not hosts on the LAN.
The tunnel will connect with transparent tunneling, IPSec over UDP, IPSec over TCP port 10000, or without transparent tunneling. I have also tried the NAT Traversal command.
I have seen this with 3000 series concentrators, and it is usually a routing issue where packets traversing the tunnel can't find the default gateways of the remote LAN segments.
The following is the basic LAN topology:
ASA inside interface: 192.168.1.1
Inside networks: 192.168.3.0, 192.168.4.0, 192.168.5.0
Each of the above subnets has a gateway (192.168.3.1, 192.168.4.1, 192.168.5.1) on a VLAN in a Cisco 3550 layer 3 switch.
There are static routes that route inside traffic from these networks to the inside interface of the ASA.
I am using an internal address pool of 192.168.3.85-90/24.
I have tried all the nat0 access-list scenarios to exempt the above subnets from translation, with no luck. I have an ASA 5505 on the network with an identical configuration, and it passes traffic fine, with the same nat0 access lists. (The 5505 has a 192.168.3.2 address for its inside interface.)
I have tried the sysopt connection permit-ipsec command; it doesn't work.
If I try route inside 0.0.0.0 0.0.0.0 192.168.3.1 tunneled,
route inside 0.0.0.0 0.0.0.0 192.168.4.1 tunneled, or
route inside 0.0.0.0 0.0.0.0 192.168.1.1 tunneled, I get the error message "default route exists", even after removing the static routes above.
Could this be a routing problem, where the packets cannot find the gateways of the above LANs? If I can ping 192.168.1.1, which is the inside interface of the ASA, why can't the static routes send the packets to the default gateways inside the LAN if the correct nat0 access lists are exempting the above subnets from translation?
Also, I cannot telnet to the 192.168.1.1 inside interface, even after adding the access lists.
Here is the current config.
Any help is appreciated.
Maybe I am missing something simple in the configuration.
Thanks
ASA5510# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ASA5510
domain-name default.domain.invalid
enable password 0VHZzUN3Y8hDcg1h encrypted
names
name 192.168.4.0 InsideNetwork description 192.168.4.0 Network
name 192.168.3.0 InsideSubnet description 192.168.3.0 subnet
name xxx.xxx.xxx.22 VPNOutside description VPN Public IP
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.18 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
no nameif
security-level 100
no ip address
!
interface Ethernet0/3
shutdown
nameif dmz
security-level 50
ip address 192.168.5.2 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.2.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_in extended deny tcp any any eq 445
access-list acl_in extended permit ip any any
access-list acl_in extended permit udp any any eq isakmp
access-list acl_in extended permit udp any any eq 10000
access-list acl_in extended permit tcp any any eq 10000
access-list acl_in extended permit udp any any eq 1723
access-list acl_in extended permit esp any any
access-list acl_in extended permit udp any any eq 1701
access-list acl_in extended permit tcp any host xxx.xxx.xxx.27 eq smtp
access-list acl_in extended permit tcp any host xxx.xxx.xxx.27 eq ssh
access-list acl_in extended permit tcp any host xxx.xxx.xxx.21 eq www
access-list acl_in extended permit tcp any host xxx.xxx.xxx.21 eq domain
access-list acl_in extended permit udp any host xxx.xxx.xxx.21 eq domain
access-list acl_in extended permit udp any host xxx.xxx.xxx.21 eq ntp
access-list acl_in extended permit gre any any
access-list acl_in extended permit udp any any eq 4500
access-list acl_in extended permit icmp any any
access-list acl_out extended deny tcp any any eq 445
access-list acl_out extended permit udp any any eq isakmp
access-list acl_out extended permit udp any any eq 4500
access-list acl_out extended permit udp any any eq 10000
access-list acl_out extended permit tcp any any eq 10000
access-list acl_out extended permit udp any any eq 1723
access-list acl_out extended permit tcp any host xxx.xxx.xxx.19 eq smtp
access-list acl_out extended permit tcp any host xxx.xxx.xxx.19 eq https
access-list acl_out extended permit tcp any host xxx.xxx.xxx.19 eq www
access-list acl_out extended permit tcp any host xxx.xxx.xxx.20 eq smtp
access-list acl_out extended permit tcp any host xxx.xxx.xxx.20 eq www
access-list acl_out extended permit tcp any host xxx.xxx.xxx.20 eq https
access-list acl_out extended permit tcp any host xxx.xxx.xxx.21 eq https
access-list acl_out extended permit esp any any
access-list acl_out extended permit udp any any eq 1701
access-list acl_out extended permit esp host xxx.xxx.xxx.23 any
access-list acl_out extended permit udp host xxx.xxx.xxx.23 eq 1701 any
access-list acl_out extended permit udp host xxx.xxx.xxx.23 eq isakmp any
access-list acl_out extended permit tcp any host xxx.xxx.xxx.25 eq smtp
access-list acl_out extended permit tcp any host xxx.xxx.xxx.25 eq www
access-list acl_out extended permit tcp any host xxx.xxx.xxx.25 eq https
access-list acl_out extended permit tcp any host xxx.xxx.xxx.26 eq 3389
access-list acl_out extended permit tcp any host xxx.xxx.xxx.27 eq 123
access-list acl_out extended permit udp any host xxx.xxx.xxx.27 eq domain
access-list acl_out extended permit udp any host xxx.xxx.xxx.27 eq ntp
access-list acl_out extended permit tcp any host xxx.xxx.xxx.27 eq www
access-list acl_out extended permit tcp any host xxx.xxx.xxx.27 eq smtp
access-list acl_out extended permit tcp any host xxx.xxx.xxx.27 eq domain
access-list acl_out extended permit tcp any host xxx.xxx.xxx.21 eq www
access-list acl_out extended permit tcp any host xxx.xxx.xxx.20 eq ssh
access-list acl_out extended permit tcp any host xxx.xxx.xxx.24 eq www
access-list acl_out extended permit gre any any
access-list acl_out extended permit tcp any host 192.168.3.3 eq smtp
access-list acl_out extended permit tcp InsideSubnet 255.255.255.0 host 192.168.1.1 eq ssh
access-list acl_out extended permit tcp InsideSubnet 255.255.255.0 host 192.168.1.1 eq telnet
access-list acl_out extended permit ip any InsideNetwork 255.255.255.0
access-list acl_out extended permit tcp InsideNetwork 255.255.255.0 host 192.168.1.1 eq telnet
access-list inside_nat0_outbound extended permit ip InsideNetwork 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip InsideSubnet 255.255.255.0 any
access-list dmz_access_in extended permit ip any any
access-list dmz_in extended permit ip any any
access-list dmz_in extended permit icmp any any
access-list dmz_out extended permit icmp any any
access-list dmz_out extended permit ip any any
access-list dmz_access_out extended permit ip any any
access-list dmz_access_in_1 extended permit icmp any any
access-list outside_access_out extended permit ip any any
access-list dmz_access_out_1 extended permit ip any any
access-list inside_dmz extended permit ip any any
access-list inside-dmz extended permit icmp any any
access-list inside_nat_0_outbound extended permit ip InsideSubnet 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip any host 192.168.3.85
access-list inside_nat0_outbound_1 extended permit ip InsideSubnet 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip InsideNetwork 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip InsideSubnet 255.255.255.0 host 192.168.3.85
access-list inside_nat0_outbound_1 extended permit ip InsideNetwork 255.255.255.0 host 192.168.3.85
access-list outside_1_cryptomap extended permit ip InsideNetwork 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip InsideSubnet 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip any InsideSubnet 255.255.255.0
access-list nonat extended permit ip any InsideNetwork 255.255.255.0
access-list nonat extended permit ip any 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool NewinfosysPool 192.168.3.85-192.168.3.90 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 102 interface
nat (inside) 0 access-list nonat
nat (inside) 102 0.0.0.0 0.0.0.0
nat (management) 101 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.19 192.168.3.20 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) xxx.xxx.xxx.26 192.168.3.35 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) xxx.xxx.xxx.25 192.168.3.33 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) xxx.xxx.xxx.21 192.168.3.16 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) xxx.xxx.xxx.20 192.168.3.3 netmask 255.255.255.255 tcp 1000 100 udp 1000
static (inside,outside) xxx.xxx.xxx.24 192.168.3.17 netmask 255.255.255.255 tcp 1000 100 udp 1000
access-group dmz_out in interface outside
access-group outside_access_out out interface outside
access-group dmz_in in interface inside
access-group dmz_access_in_1 in interface dmz
access-group dmz_access_out_1 out interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.17 255
route inside 192.168.2.0 255.255.255.0 192.168.1.1 1
route inside 192.168.5.0 255.255.255.0 192.168.1.1 1
route inside 192.168.6.0 255.255.255.0 192.168.1.1 1
route inside InsideNetwork 255.255.255.0 192.168.1.1 1
route inside InsideSubnet 255.255.255.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner value You are connected to the MyCompany Private Network. Unauthorized use is prohibited.
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools value MyCosysPool
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy ipsecgroup internal
group-policy ipsecgroup attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
ipsec-udp enable
ipsec-udp-port 10000
default-domain value MyCosys.com
address-pools value MyCosysPool
username user1 password /qBIjej5xxxx0K13 encrypted
username user1 attributes
vpn-group-policy somegroup
username user2 password belt2MxxxxZ0jdrz encrypted
username user2 attributes
vpn-group-policy somegroup
username user3 password ml0Dg4.xxxxNsXBF encrypted privilege 0
username user3 attributes
vpn-group-policy somegroup
http server enable
http InsideNetwork 255.255.255.0 inside
http InsideSubnet 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 management
http InsideSubnet 255.255.255.0 management
http InsideNetwork 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) MyCosysPool
dhcp-server 192.168.5.2
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group ipsecgroup type ipsec-ra
tunnel-group ipsecgroup general-attributes
address-pool (inside) MyCosysPool
address-pool MyCosysPool
default-group-policy somegroup
strip-group
tunnel-group somegroup ipsec-attributes
pre-shared-key *
tunnel-group somegroup ppp-attributes
authentication ms-chap-v2
tunnel-group mycosys type ipsec-ra
tunnel-group mycosys general-attributes
address-pool (inside) MyCosysPool
address-pool MyCosysPool
default-group-policy somegroup
tunnel-group mycosys ipsec-attributes
pre-shared-key *
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet InsideSubnet 255.255.255.0 inside
telnet InsideNetwork 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet xxx.xxx.xxx.0 255.255.255.240 inside
telnet 192.168.1.0 255.255.255.0 management
telnet InsideSubnet 255.255.255.0 management
telnet InsideNetwork 255.255.255.0 management
telnet xxx.xxx.xxx.0 255.255.255.240 management
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh InsideSubnet 255.255.255.0 inside
ssh InsideNetwork 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh InsideSubnet 255.255.255.0 management
ssh InsideNetwork 255.255.255.0 management
ssh timeout 5
console timeout 20
dhcpd option 3 ip 192.168.1.1 interface inside
dhcpd option 6 ip xxx.xxx.xx.85 xxx.xxx.xx.2 interface inside
!
dhcpd option 3 ip 192.168.5.1 interface dmz
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:012e17a0451 0a04exxxx9 69fbe77b9f 0
: end
ASKER
I can't thank you enough. I overlooked the most simple thing, a different subnet.
I spent hours reading the Cisco ASA book by Jazib Frahim, and this was so simple. Since I just joined today, I need to understand the point system to award.
Please forgive me on this
Have a great day
ASKER
The solution worked; I just rebooted the ASA. I tried with three different versions of the Cisco VPN client, with and without transparent tunneling. Hosts on all the remote LAN networks are now accessible. I even removed the sysopt connection permit-ipsec for additional security, so the decrypted packets are inspected against the access lists.
The different subnet did the trick.
thanks again
Glad you got it all working out.
You would not have had to put any route statements in at all since this network is not in any route table, it would simply fall into the default route category on your switch, then it would be "connected" to the asa so it knows what to do with it.
-Cheers, and welcome to EE. I hope you find your journey a pleasant one.
ASKER
Thanks again. There have been so many posts in knowledge bases about this issue; many seem to have gone down the wrong path thinking it is the "nat0 nonat" access lists, which have nothing to do with routing.
ASKER
ip route 192.168.99.0 255.255.255.0 192.168.1.1
ip route 192.168.99.0 255.255.255.0 192.168.3.1
ip route 192.168.99.0 255.255.255.0 192.168.4.1
This is so the 192.168.99.0 network has a path to the inside gateway of the ASA, as well as the other default LAN gateways.
The 192.168.99.0 network is now the only address pool for the IPsec tunnels, and I removed the other internal LAN networks from any internal client pools.
Any suggestions?
Thanks
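To make the routing failure in this thread concrete, here is an added example (not from the original thread or from Cisco): a small Python model of the layer-3 switch's routing table, showing why a LAN host's reply to a VPN client is swallowed by the connected VLAN when the pool overlaps 192.168.3.0/24, and why it falls to the default route towards the ASA once the pool is 192.168.99.0/24. The switch's 192.168.1.0/24 link to the ASA and the exact pool ranges are assumptions made for the model.

```python
"""Constructed model of the return-path routing problem from the thread above.

The Cisco 3550's routing table is a list of (prefix, next hop) entries,
None meaning directly connected (an SVI).  A reply from a LAN host to a VPN
client is routed with longest-prefix match; it only reaches the ASA if the
chosen route points at the ASA inside interface, 192.168.1.1.
"""
import ipaddress

ASA_INSIDE = ipaddress.ip_address("192.168.1.1")

# Assumed switch table: connected SVIs (incl. an assumed link to the ASA's
# 192.168.1.0/24 segment) plus the default route towards the ASA.
SWITCH_ROUTES = [
    ("192.168.1.0/24", None),
    ("192.168.3.0/24", None),
    ("192.168.4.0/24", None),
    ("192.168.5.0/24", None),
    ("0.0.0.0/0", "192.168.1.1"),
]

LAN_PREFIXES = ["192.168.3.0/24", "192.168.4.0/24", "192.168.5.0/24"]


def longest_prefix_match(routes, dst):
    """Return (network, next_hop) of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def reply_reaches_asa(routes, client_ip):
    """True if a LAN host's reply to client_ip is forwarded to the ASA.

    A directly connected match means the switch ARPs for the client on that
    VLAN; the VPN client is not on that VLAN, so the reply never reaches
    the ASA and is dropped.
    """
    match = longest_prefix_match(routes, client_ip)
    if match is None:
        return False
    _net, next_hop = match
    return next_hop is not None and ipaddress.ip_address(next_hop) == ASA_INSIDE


def pool_overlaps_lan(pool_first, pool_last, lan_prefixes):
    """Return the LAN prefixes that contain any address of the VPN pool.

    A non-empty result is the misconfiguration the thread ends up fixing.
    """
    first = int(ipaddress.ip_address(pool_first))
    last = int(ipaddress.ip_address(pool_last))
    overlaps = []
    for prefix in lan_prefixes:
        net = ipaddress.ip_network(prefix)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        if first <= hi and last >= lo:
            overlaps.append(prefix)
    return overlaps


if __name__ == "__main__":
    # Original pool 192.168.3.85-90 sits inside VLAN 3's own subnet.
    print(pool_overlaps_lan("192.168.3.85", "192.168.3.90", LAN_PREFIXES))
    print(reply_reaches_asa(SWITCH_ROUTES, "192.168.3.85"))
    # Pool moved to 192.168.99.0/24: no overlap, reply follows the default route.
    print(pool_overlaps_lan("192.168.99.1", "192.168.99.254", LAN_PREFIXES))
    print(reply_reaches_asa(SWITCH_ROUTES, "192.168.99.10"))
    # An explicit static route for the pool does not change the outcome.
    with_static = SWITCH_ROUTES + [("192.168.99.0/24", "192.168.1.1")]
    print(reply_reaches_asa(with_static, "192.168.99.10"))
```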