Solved

ASA5505: Cannot ping, tracert and establish VPN connection to remote server

Posted on 2008-10-24
Last Modified: 2012-08-14
Hi,

Yesterday I replaced my old entry-level router (at least it was not so complicated for a person like me to set it up using the GUI) with an ASA5505. I'm online now, but cannot connect to the remote server using the regular VPN client built into Windows Vista or XP. I also can't ping or tracert from the command prompt (request timed out).

Here is the syslog message I believe is related to this issue:

"regular translation creation failed for protocol 47 src inside:192.168.2.15 dst outside: 82.113.xxx.xxx"

Can you please help me with these issues?


Below is my config:
: Saved
:
ASA Version 8.0(4)
!
hostname asa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif backup
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.11-192.168.2.99 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ed39c7c98cb3e45ec0ae43feea7673af
: end

Question by:MACROLEVEL
16 Comments
 

Author Comment

by:MACROLEVEL
ID: 22801153
My host OS is Windows Vista x64, and I have VMware Workstation with XP on it. Before the firewall swap everything worked fine and the VPN connection was fine from either the host or the guest OS... Right now it tries to connect, "verify user name and password" for about a minute and then... nothing.
LVL 4

Expert Comment

by:yurisk
ID: 22801770
Try adding this on the ASA command line:
asa#conf t
asa(config)#policy-map global_policy
asa(config-pmap-c)# inspect pptp
asa(config-pmap-c)#exit
asa(config-pmap)#exit
asa#write memory
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 500 total points
ID: 22803347
For ping, enable inspect icmp

policy-map global-policy
 class global-class
  inspect icmp
  inspect pptp


Author Comment

by:MACROLEVEL
ID: 22803377
asa(config)# policy-map global-policy
asa(config-pmap)# inspect pptp
                    ^
ERROR: % Invalid input detected at '^' marker.
asa(config-pmap)#

Author Comment

by:MACROLEVEL
ID: 22803399
asa(config)# policy-map global-policy
asa(config-pmap)#  class global-class
ERROR: % class-map global-class not configured
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 500 total points
ID: 22803443
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect icmp
  inspect pptp

service-policy global-policy global



Author Comment

by:MACROLEVEL
ID: 22803552
Thanks, lrmoore. I did apply the commands and didn't get error messages, but still no luck... can't ping, tracert or VPN. Below is my config.
asa# show run
: Saved
:
ASA Version 8.0(4)
!
hostname asa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif backup
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.11-192.168.2.99 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map global-policy
 class global-class
  inspect icmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1b63d9428945849435a4ee5784bcfab8
: end
asa#

LVL 79

Expert Comment

by:lrmoore
ID: 22803602
From the console of the asa, can you
asa#sho route

note the default route IP address  x.x.x.x

asa#ping x.x.x.x
If yes,
asa#ping 198.6.1.2
If yes
What ip addresses are you getting for DNS on your clients?
Can you ping that DNS server IP address from the ASA console?

Try adding this also:
access-list icmp_permit permit icmp any any
access-group icmp_permit in interface outside
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 500 total points
ID: 22803619
You can also try:

policy-map global_policy
 class inspection_default
  inspect pptp
  inspect icmp
exit
 policy-map global-policy
 no class global-class
exit
 no class-map global-class



Author Comment

by:MACROLEVEL
ID: 22803673
To lrmoore:

OK, ping and tracert worked after applying

access-list icmp_permit permit icmp any any
access-group icmp_permit in interface outside

Should I try these below from your previous message?

policy-map global_policy
 class inspection_default
  inspect pptp
  inspect icmp
exit
 policy-map global-policy
 no class global-class
exit
 no class-map global-class

Author Comment

by:MACROLEVEL
ID: 22803677
asa# sho route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 74.72.118.1 to network 0.0.0.0

C    127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
C    192.168.2.0 255.255.255.0 is directly connected, inside
C    74.72.118.0 255.255.254.0 is directly connected, outside
d*   0.0.0.0 0.0.0.0 [1/0] via 74.72.118.1, outside
asa#

Author Comment

by:MACROLEVEL
ID: 22803869
asa#ping x.x.x.x
If yes,
asa#ping 198.6.1.2
If yes
What ip addresses are you getting for DNS on your clients?
Can you ping that DNS server IP address from the ASA console?

Yes, I can ping both addresses and the DNS server which the clients are getting and which I can see in ipconfig /all. I can also ping the server's IP address I'm trying to connect to, but probably something is still missing in my config... This is the message in syslog which contains the server IP address:

regular translation creation failed for protocol 47 src inside:192.168.2.14 dst outside:82.113.xxx.xxx
LVL 79

Expert Comment

by:lrmoore
ID: 22803875
Yes, I would go ahead and apply the commands to put the inspects in your inspection_default instead of a new global-class.
That was my fault. I copied from my working config instead of from yours to apply the pptp and icmp inspect commands.


Author Comment

by:MACROLEVEL
ID: 22804142
Thank you, lrmoore. Finally I'm connected. Can you please tell me in just a few words what was missing in the original config and what we did by adding these commands, before I close the question?
LVL 79

Expert Comment

by:lrmoore
ID: 22804956
The problem was that pptp inspect had to be enabled to allow outbound GRE/PPTP as yurisk correctly diagnosed. However, his command set did not work as you noticed.
Since icmp is a stateless protocol, you have to either inspect it or just allow it in with an access-list. Theoretically you should be able to remove the access-list now that the inspect is in place.
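As an added illustration that is not part of the thread, the small Python triage script below parses the "regular translation creation failed" syslog line quoted in the question and applies lrmoore's diagnosis above: protocol 47 is GRE, which interface PAT cannot translate without inspect pptp, and ICMP wants inspect icmp rather than a permit-any access-list. The sample log lines are constructed; the two protocol-47 lines reproduce the thread's own message with the author's masked destination left as-is, and the syslog prefix on the ICMP line is an assumption about how the message arrives from a collector.

```python
import re
# Matches the ASA "regular translation creation failed" text quoted in the thread,
# with or without a syslog prefix or a space after the "dst outside:" interface.
XLATE_FAIL_RE = re.compile(
    r"regular translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\S+?):\s*(?P<src_ip>\S+) dst (?P<dst_if>\S+?):\s*(?P<dst_ip>\S+)"
)
# 47 is GRE (the PPTP data channel) and 1 is ICMP: neither carries TCP/UDP ports,
# so interface PAT cannot build a translation for them without help.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}

def parse_xlate_failure(line):
    """Return the fields of one translation-failure message, or None."""
    m = XLATE_FAIL_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["proto"] = int(fields["proto"])
    fields["proto_name"] = PROTO_NAMES.get(fields["proto"], "other")
    return fields

def recommend(fields):
    """Map a parsed failure to the fix the thread converged on."""
    if fields["proto"] == 47:
        return "add 'inspect pptp' under class inspection_default in policy-map global_policy"
    if fields["proto"] == 1:
        return "add 'inspect icmp' there too, instead of a permit-any ICMP access-list on outside"
    return "protocol %d is not covered by this thread" % fields["proto"]

def triage(lines):
    """Classify every matching line as (source IP, protocol, advice); skip the rest."""
    out = []
    for line in lines:
        f = parse_xlate_failure(line)
        if f:
            out.append((f["src_ip"], f["proto_name"], recommend(f)))
    return out

# Constructed sample: lines 1-2 are the thread's own messages (masked dst kept as-is),
# line 3 is a made-up ICMP variant, line 4 is an unrelated message that must be skipped.
SAMPLE_LOG = [
    "regular translation creation failed for protocol 47 src inside:192.168.2.15 dst outside: 82.113.xxx.xxx",
    "regular translation creation failed for protocol 47 src inside:192.168.2.14 dst outside:82.113.xxx.xxx",
    "%ASA-3-305006: regular translation creation failed for protocol 1 src inside:192.168.2.20 dst outside:198.6.1.2",
    "Built outbound TCP connection 12 for outside:198.6.1.2/53 to inside:192.168.2.20/4001",
]

if __name__ == "__main__":
    for src, proto, advice in triage(SAMPLE_LOG):
        print("%s %s -> %s" % (src, proto, advice))
```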

Expert Comment

by:Comptx
ID: 25172048
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect icmp
  inspect pptp

service-policy global-policy global

worked for me too, thanks as always, lrmoore.