Solved

ASA5505: Cannot ping, tracert and establish VPN connection to remote server

Posted on 2008-10-24
2,201 Views
Last Modified: 2012-08-14
Hi,

Yesterday I replaced my old entry-level router (at least it was not so complicated for a person like me to set it up using the GUI) with an ASA5505. I'm online now, but cannot connect to the remote server using the regular VPN client built into Windows Vista or XP. I also can't ping or tracert from the command prompt (request timed out).

Here is the syslog message I believe is related to this issue:

"regular translation creation failed for protocol 47 src inside:192.168.2.15 dst outside: 82.113.xxx.xxx"

Can you please help me with these issues?


Below is my config:
: Saved
:
ASA Version 8.0(4) 
!
hostname asa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan3
 nameif backup
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.11-192.168.2.99 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:ed39c7c98cb3e45ec0ae43feea7673af
: end
asdm image disk0:/asdm-615.bin
no asdm history enable


Question by:MACROLEVEL
16 Comments
 

Author Comment

by:MACROLEVEL
ID: 22801153
My host OS is Windows Vista x64, and I have VMware Workstation with XP on it. Before the firewall swap everything worked fine and the VPN connection was fine from either the host or the guest OS... Right now it tries to connect, "verifying user name and password" for about a minute, and then ...nothing.
0
 
LVL 4

Expert Comment

by:yurisk
ID: 22801770
Try adding on the command line of ASA:
asa#conf t
asa(config)#policy-map global_policy
asa(config-pmap-c)# inspect pptp
asa(config-pmap-c)#exit
asa(config-pmap)#exit
asa#write memory
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 2000 total points
ID: 22803347
For ping, enable inspect icmp

policy-map global-policy
 class global-class
  inspect icmp
  inspect pptp

0
 

Author Comment

by:MACROLEVEL
ID: 22803377
asa(config)# policy-map global-policy
asa(config-pmap)# inspect pptp
                    ^
ERROR: % Invalid input detected at '^' marker.
asa(config-pmap)#
0
 

Author Comment

by:MACROLEVEL
ID: 22803399
asa(config)# policy-map global-policy
asa(config-pmap)#  class global-class
ERROR: % class-map global-class not configured
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 22803443
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect icmp
  inspect pptp

service-policy global-policy global


0
 

Author Comment

by:MACROLEVEL
ID: 22803552
Thanks, lrmoore. I did apply the commands and didn't get error messages, but still no luck... can't ping, tracert or VPN. Below is my config.
asa# show run
: Saved
:
ASA Version 8.0(4)
!
hostname asa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif backup
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.11-192.168.2.99 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map global-policy
 class global-class
  inspect icmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1b63d9428945849435a4ee5784bcfab8
: end
asa#


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22803602
From the console of the asa, can you
asa#sho route

note the default route IP address  x.x.x.x

asa#ping x.x.x.x
If yes,
asa#ping 198.6.1.2
If yes
What ip addresses are you getting for DNS on your clients?
Can you ping that DNS server IP address from the ASA console?

Try adding this also:
access-list icmp_permit permit icmp any any
access-group icmp_permit in interface outside
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 2000 total points
ID: 22803619
You can also try:

policy-map global_policy
 class inspection_default
  inspect pptp
  inspect icmp
exit
 policy-map global-policy
 no class global-class
exit
 no class-map global-class


0
 

Author Comment

by:MACROLEVEL
ID: 22803673
To lrmoore:

OK, ping and tracert worked after applying

access-list icmp_permit permit icmp any any
access-group icmp_permit in interface outside

Should I try these below from your previous message?

policy-map global_policy
 class inspection_default
  inspect pptp
  inspect icmp
exit
 policy-map global-policy
 no class global-class
exit
 no class-map global-class
0
 

Author Comment

by:MACROLEVEL
ID: 22803677
asa# sho route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 74.72.118.1 to network 0.0.0.0

C    127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
C    192.168.2.0 255.255.255.0 is directly connected, inside
C    74.72.118.0 255.255.254.0 is directly connected, outside
d*   0.0.0.0 0.0.0.0 [1/0] via 74.72.118.1, outside
asa#
0
 

Author Comment

by:MACROLEVEL
ID: 22803869
asa#ping x.x.x.x
If yes,
asa#ping 198.6.1.2
If yes
What ip addresses are you getting for DNS on your clients?
Can you ping that DNS server IP address from the ASA console?

Yes, I can ping both addresses and the DNS server which the clients are getting and which I can see in ipconfig /all. I can also ping the IP address of the server I'm trying to connect to, but probably something is still missing in my config... This is the message in syslog which contains the server IP address:

regular translation creation failed for protocol 47 src inside:192.168.2.14 dst outside:82.113.xxx.xxx
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22803875
Yes, I would go ahead and apply the commands to put the inspects in your inspect_default instead of a new global-class.
That was my fault. I copied from my working config instead of from yours to apply the pptp and icmp inspect commands.

0
 

Author Comment

by:MACROLEVEL
ID: 22804142
Thank you, lrmoore. Finally I'm connected. Can you please tell me in just a few words what was missing in the original config and what we did by adding these commands, before I close the question?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 22804956
The problem was that pptp inspect had to be enabled to allow outbound GRE/PPTP as yurisk correctly diagnosed. However, his command set did not work as you noticed.
Since icmp is a stateless protocol, you have to either inspect it or just allow it in with an access-list. Theoretically you should be able to remove the access-list now that the inspect is in place.
0
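The explanation above (and the syslog line the asker quoted earlier) can be turned into a small diagnostic. The script below is an added example, not something posted in this thread or shipped by Cisco: it parses an ASA 8.x running-config for the policy-map that `service-policy ... global` actually binds, lists the inspections that policy enforces, and matches "regular translation creation failed for protocol N" syslog lines against that list. It also shows why the first suggestion was accepted without error yet changed nothing: the ASA applies only one global service policy, so `inspect pptp` placed in a second policy-map (`global-policy`) that was never bound had no effect. The sample config is trimmed from the asker's second posting, the log lines are constructed with documentation-range addresses, and the protocol-to-inspect mapping covers only the two protocols this thread is about (GRE/47 for PPTP, ICMP/1).

```python
"""Check which ASA inspections are actually in force and explain xlate failures.

Added example (not from the thread). Parses an ASA 8.x running-config for the
policy-map bound by 'service-policy <name> global', collects its 'inspect'
statements, and maps translation-failure syslog lines to the missing inspect.
"""
import re

# IP protocol number -> ASA inspection that opens the dynamic pinhole/xlate.
# Assumption: only the two protocols discussed in the thread are mapped.
PROTOCOL_INSPECT = {
    47: "pptp",  # GRE, the data channel of a PPTP VPN
    1: "icmp",   # ICMP echo / traceroute replies (stateless, so needs inspect or ACL)
}

# Message text as shown in the thread; IPs may be masked with 'x' in the source.
XLATE_FAIL_RE = re.compile(
    r"regular translation creation failed for protocol (?P<proto>\d+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.x]+) dst (?P<dst_if>\w+):\s*(?P<dst>[\d.x]+)"
)


def parse_policy_maps(config: str) -> dict:
    """Return {policy_map_name: {class_name: [inspect names]}}, skipping 'type inspect' maps."""
    maps, current_map, current_class = {}, None, None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not raw.startswith(" "):
            # Top-level command: either starts a new policy-map or ends the current one.
            m = re.match(r"policy-map (?!type )(\S+)$", stripped)
            current_map = m.group(1) if m else None
            current_class = None
            if current_map:
                maps.setdefault(current_map, {})
            continue
        if current_map is None:
            continue
        m = re.match(r"class (\S+)$", stripped)
        if m:
            current_class = m.group(1)
            maps[current_map].setdefault(current_class, [])
            continue
        m = re.match(r"inspect (\S+)", stripped)
        if m and current_class is not None:
            maps[current_map][current_class].append(m.group(1))
    return maps


def global_policy_name(config: str):
    """Name of the one policy-map applied globally, or None."""
    m = re.search(r"^service-policy (\S+) global\s*$", config, re.M)
    return m.group(1) if m else None


def effective_inspects(config: str) -> set:
    """Inspections that are really enforced: only those in the globally bound policy-map."""
    maps = parse_policy_maps(config)
    active = set()
    for inspects in maps.get(global_policy_name(config), {}).values():
        active.update(inspects)
    return active


def diagnose(config: str, log_lines) -> list:
    """For each translation-failure line, say which inspect is missing and where it went."""
    bound, maps, active = global_policy_name(config), parse_policy_maps(config), effective_inspects(config)
    findings = []
    for line in log_lines:
        m = XLATE_FAIL_RE.search(line)
        if not m:
            continue
        proto = int(m.group("proto"))
        needed = PROTOCOL_INSPECT.get(proto)
        if needed is None:
            findings.append(f"protocol {proto}: no inspection mapping known")
        elif needed in active:
            findings.append(f"protocol {proto}: inspect {needed} already active in {bound}")
        else:
            # Flag the trap from the thread: the inspect exists, but in an unbound policy-map.
            unbound = [n for n, classes in maps.items()
                       if n != bound and any(needed in i for i in classes.values())]
            hint = f" (present in unbound policy-map {unbound[0]})" if unbound else ""
            findings.append(f"protocol {proto}: add 'inspect {needed}' to {bound}{hint}")
    return findings


# Constructed sample: trimmed from the asker's second config (inspects cut down for brevity).
SAMPLE_CONFIG = """\
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect netbios
policy-map global-policy
 class global-class
  inspect icmp
  inspect pptp
!
service-policy global_policy global
"""
# The accepted fix: put the inspects into the policy-map that is actually bound.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "  inspect netbios\n", "  inspect netbios\n  inspect pptp\n  inspect icmp\n")
# Constructed log lines (documentation-range destination, message text as in the thread).
SAMPLE_LOG = [
    "regular translation creation failed for protocol 47 src inside:192.168.2.15 dst outside:203.0.113.10",
    "regular translation creation failed for protocol 1 src inside:192.168.2.15 dst outside:203.0.113.10",
]

if __name__ == "__main__":
    for label, cfg in (("before fix", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, "- active inspects:", sorted(effective_inspects(cfg)))
        for finding in diagnose(cfg, SAMPLE_LOG):
            print("  ", finding)
```

Run it against a full `show run` capture and the syslog excerpt; on the asker's second config it reports that `inspect pptp` and `inspect icmp` live in `global-policy`, which is never bound, while the bound `global_policy` lacks them, which is exactly what the final exchange fixed.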
 

Expert Comment

by:Comptx
ID: 25172048
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect icmp
  inspect pptp

service-policy global-policy global

worked for me too, thanks as always, lrmoore.
0
