ASA5505: Cannot ping, tracert and establish VPN connection to remote server

Hi,

Yesterday I replaced my old entry-level router (at least it was not so complicated for a person like me to set it up using the GUI) with an ASA5505. I'm online now, but cannot connect to the remote server using the regular VPN client built into Windows Vista or XP. I also can't ping or tracert from the command prompt (request timed out).

Here is the syslog message I believe is related to this issue:

"regular translation creation failed for protocol 47 src inside:192.168.2.15 dst outside: 82.113.xxx.xxx"

Can you please help me with these issues?


Below is my config:
: Saved
:
ASA Version 8.0(4) 
!
hostname asa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan3
 nameif backup
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.11-192.168.2.99 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:ed39c7c98cb3e45ec0ae43feea7673af
: end

MACROLEVELAsked:

MACROLEVELAuthor Commented:
My host OS is Windows Vista x64, and I have VMware Workstation with XP on it. Before the firewall swap everything worked fine and the VPN connection worked either from the host or from the guest OS... Right now it tries to connect, "verifying user name and password" for about a minute and then ...nothing.
0
yuriskCommented:
Try adding on the command line of ASA:
asa#conf t
asa(config)#policy-map global_policy
asa(config-pmap-c)# inspect pptp
asa(config-pmap-c)#exit
asa(config-pmap)#exit
asa#write memory
0
lrmooreCommented:
For ping, enable inspect icmp

policy-map global-policy
 class global-class
  inspect icmp
  inspect pptp

0
MACROLEVELAuthor Commented:
asa(config)# policy-map global-policy
asa(config-pmap)# inspect pptp
                    ^
ERROR: % Invalid input detected at '^' marker.
asa(config-pmap)#
0
MACROLEVELAuthor Commented:
asa(config)# policy-map global-policy
asa(config-pmap)#  class global-class
ERROR: % class-map global-class not configured
0
lrmooreCommented:
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect icmp
  inspect pptp

service-policy global-policy global


0
MACROLEVELAuthor Commented:
Thanks, lrmoore. I applied the commands and didn't get error messages, but still no luck... can't ping, tracert, or VPN. Below is my config.
asa# show run
: Saved
:
ASA Version 8.0(4)
!
hostname asa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif backup
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.2.11-192.168.2.99 inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
 
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
!
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map global-policy
 class global-class
  inspect icmp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1b63d9428945849435a4ee5784bcfab8
: end
asa#
0
lrmooreCommented:
From the console of the asa, can you
asa#sho route

note the default route IP address  x.x.x.x

asa#ping x.x.x.x
If yes,
asa#ping 198.6.1.2
If yes
What ip addresses are you getting for DNS on your clients?
Can you ping that DNS server IP address from the ASA console?

Try adding this also:
access-list icmp_permit permit icmp any any
access-group icmp_permit in interface outside
0
lrmooreCommented:
You can also try:

policy-map global_policy
 class inspection_default
  inspect pptp
  inspect icmp
exit
 policy-map global-policy
 no class global-class
exit
 no class-map global-class


0
MACROLEVELAuthor Commented:
To lrmoore:

OK, ping and tracert worked after applying

access-list icmp_permit permit icmp any any
access-group icmp_permit in interface outside

Should I try these below from your previous message?

policy-map global_policy
 class inspection_default
  inspect pptp
  inspect icmp
exit
 policy-map global-policy
 no class global-class
exit
 no class-map global-class
0
MACROLEVELAuthor Commented:
asa# sho route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 74.72.118.1 to network 0.0.0.0

C    127.0.0.0 255.255.255.0 is directly connected, _internal_loopback
C    192.168.2.0 255.255.255.0 is directly connected, inside
C    74.72.118.0 255.255.254.0 is directly connected, outside
d*   0.0.0.0 0.0.0.0 [1/0] via 74.72.118.1, outside
asa#
0
MACROLEVELAuthor Commented:
asa#ping x.x.x.x
If yes,
asa#ping 198.6.1.2
If yes
What ip addresses are you getting for DNS on your clients?
Can you ping that DNS server IP address from the ASA console?

Yes, I can ping both addresses and the DNS server which the clients are getting and which I can see in ipconfig /all. I can also ping the IP address of the server I'm trying to connect to, but probably something is still missing in my config... This is the message in syslog which contains the server IP address:

regular translation creation failed for protocol 47 src inside:192.168.2.14 dst outside:82.113.xxx.xxx
0
lrmooreCommented:
Yes, I would go ahead and apply the commands to put the inspects in your inspect_default instead of a new global-class.
That was my fault. I copied from my working config instead of from yours to apply the pptp and icmp inspect commands.

0
MACROLEVELAuthor Commented:
Thank you, lrmoore. Finally I'm connected. Can you please tell me in just few words what was missing in original config and what we did adding these commands before I close the question?
0
lrmooreCommented:
The problem was that pptp inspect had to be enabled to allow outbound GRE/PPTP as yurisk correctly diagnosed. However, his command set did not work as you noticed.
Since icmp is a stateless protocol, you have to either inspect it or just allow it in with an access-list. Theoretically you should be able to remove the access-list now that the inspect is in place.
0
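As an added illustration (not part of the thread), a small Python check of why the first fix did not take: the ASA applies only one `service-policy ... global`, so inspections placed in a second policy-map (`global-policy`) never run while `global_policy` stays the applied one. The config text below is a constructed excerpt modelled on the poster's second `show run`, not the full config.

```python
import re

# Constructed sample, not the poster's full config: the state after lrmoore's
# first suggestion, where a second policy-map "global-policy" carries the
# inspections but the one global service-policy still applies "global_policy".
SAMPLE_CONFIG = """\
class-map global-class
 match default-inspection-traffic
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
policy-map global-policy
 class global-class
  inspect icmp
  inspect pptp
service-policy global_policy global
"""

# The working fix from the thread: put the inspects into the applied policy-map.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "  inspect ftp\n", "  inspect ftp\n  inspect pptp\n  inspect icmp\n")

def parse_policy_maps(config):
    """Map each L3/L4 policy-map name to the set of inspection engines it enables."""
    maps, current = {}, None
    for line in config.splitlines():
        if line.startswith("policy-map type"):
            current = None      # 'type inspect' maps hold engine parameters, not policy
        elif line.startswith("policy-map "):
            current = line.split()[1]
            maps[current] = set()
        elif current and line.strip().startswith("inspect "):
            maps[current].add(line.split()[1])
    return maps

def global_service_policy(config):
    """Name of the policy-map applied with 'service-policy <name> global' (only one exists)."""
    m = re.search(r"^service-policy (\S+) global\s*$", config, re.M)
    return m.group(1) if m else None

def missing_global_inspects(config, required=("pptp", "icmp")):
    """Required engines absent from the policy-map that is actually applied globally."""
    enabled = parse_policy_maps(config).get(global_service_policy(config), set())
    return sorted(e for e in required if e not in enabled)
```

Running `missing_global_inspects` on the sample reports both `icmp` and `pptp` as missing even though they appear in the config, which is exactly the situation the poster's second `show run` was in; on the fixed text it reports nothing.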
ComptxCommented:
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect icmp
  inspect pptp

service-policy global-policy global

worked for me too, thanks as always, lrmoore.
0