OAC Technology
Easy VPN connection problems to Cisco ASA 5505 on Comcast line.
We have a Cisco ASA 5505 on a new Comcast line that three other 5505s connect to via Easy VPN. When this line gets flaky, it looks like the Easy VPN connections stop sending data and the users cannot access anything over that VPN. When I go to Monitoring > VPN Statistics > Sessions, it shows that the Tx and Rx bytes are at 0. If I click "Logout" to force the Easy VPN connection to reconnect, the connection will come back and stay at 0 bytes. This problem never occurred on the old DSL line, which never went down. What do I need to do to make these VPN connections reliable even if the line goes down and comes back up?
ASKER
Can anyone help with this?
ASKER
: Saved
:
ASA Version 8.0(3)
!
hostname domain
domain-name domain.com
enable password
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.89 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone CST -6
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.1.17
name-server 4.2.2.4
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service IMAP-SSL tcp
description IMAP-SSL
port-object range 993 993
object-group service JABBER-SSL tcp-udp
description JABBER-SSL
port-object range 5222 5223
object-group service POP3-SSL tcp
description POP3-SSL
port-object range 995 995
object-group service RDP tcp
description RDP
port-object range 3389 3389
object-group service foldershare
service-object tcp eq www
service-object tcp eq https
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_access_in extended permit tcp any host x.x.x.89 eq www
access-list outside_access_in extended permit tcp any host x.x.x.89 eq sqlnet
access-list outside_access_in extended permit tcp any host x.x.x.89 eq 3389
access-list outside_access_in extended permit tcp any host x.x.x.89 eq pptp
access-list outside_access_in extended permit tcp any host x.x.x.89 eq 6571
access-list outside_access_in extended permit tcp any host x.x.x.89 eq 8333
access-list outside_access_in extended permit tcp any host x.x.x.92 eq https
access-list outside_access_in extended permit tcp any host x.x.x.91 eq https
access-list outside_access_in extended permit tcp any host x.x.x.92 eq www
access-list outside_access_in extended permit tcp any host x.x.x.91 eq 3389
access-list outside_access_in extended permit tcp any host x.x.x.92 eq ssh
access-list outside_access_in extended permit tcp any host x.x.x.92 eq 3690
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.0.0.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.240
access-list VPNCilents_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list VPNCilents_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list inside_access_out extended permit ip any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit udp any any eq domain
access-list inside_access_in extended permit tcp host 192.168.1.19 any eq 9100
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit icmp any any timestamp-request
access-list inside_access_in extended permit tcp any any eq sqlnet
access-list inside_access_in extended permit tcp host 192.168.1.134 any eq aol
access-list inside_access_in extended permit tcp any any eq domain
access-list inside_access_in extended permit udp any any eq ntp
access-list inside_access_in extended permit tcp host 192.168.1.19 any eq pop3
access-list inside_access_in extended permit tcp any any eq 5003
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in extended permit icmp any any timestamp-reply
access-list inside_access_in extended permit tcp any any eq 3389
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp any any eq 5500
access-list inside_access_in extended permit tcp any any eq ssh
access-list inside_access_in extended permit tcp any any eq 5900
access-list inside_access_in extended permit tcp any any eq 5901
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in extended permit tcp host 192.168.1.17 any eq 6571
access-list inside_access_in extended deny ip any host 17.149.160.54
access-list inside_access_in extended permit ip any any inactive
access-list inside_access_in extended permit tcp any any eq pop3
access-list inside_access_in extended permit tcp any any eq smtp
access-list inside_access_in extended permit object-group TCPUDP any any eq 1935
access-list inside_access_in extended permit tcp any any eq 40000
access-list inside_access_in extended permit tcp any any eq 40001
access-list inside_access_in extended permit tcp any any eq ftp-data
access-list domainVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list global_mpc_1 extended permit object-group foldershare any host 216.166.75.5 inactive
access-list global_mpc_1 extended permit object-group foldershare any host 216.166.75.6 inactive
access-list global_mpc_1 extended permit object-group foldershare any host 216.166.75.7 inactive
access-list global_mpc_1 extended permit object-group foldershare any host 216.166.75.2 inactive
access-list global_mpc_1 extended permit tcp host 192.168.1.17 any eq https inactive
pager lines 24
logging enable
logging timestamp
logging list Syslog level notifications
logging trap informational
logging asdm informational
logging facility 22
logging host inside 192.168.1.17
logging flash-bufferwrap
logging permit-hostdown
mtu inside 1500
mtu outside 1500
ip local pool 192.168.1.0 192.168.1.201-192.168.1.23
ip verify reverse-path interface outside
ip audit name Attack attack action alarm
ip audit interface outside Attack
ip audit attack action alarm drop
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.1.20 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.40 www netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.19 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.17 pptp netmask 255.255.255.255
static (inside,outside) tcp interface sqlnet 192.168.1.19 sqlnet netmask 255.255.255.255
static (inside,outside) tcp interface 6571 192.168.1.17 6571 netmask 255.255.255.255
static (inside,outside) tcp interface 8333 192.168.1.17 8333 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.92 https 192.168.1.28 https netmask 255.255.255.255
static (inside,outside) tcp x.x.x.92 www 192.168.1.28 www netmask 255.255.255.255
static (inside,outside) tcp x.x.x.92 ssh 192.168.1.30 ssh netmask 255.255.255.255
static (inside,outside) tcp x.x.x.92 3690 192.168.1.30 3690 netmask 255.255.255.255
static (inside,outside) x.x.x.91 192.168.1.29 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-reco
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.1.17
key
aaa-server partnerauth protocol radius
aaa-server partnerauth host 192.168.1.20
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer y.y.y.6
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.20 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
priority-queue inside
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 192.168.1.0 255.255.255.0
threat-detection statistics
group-policy VPNClients internal
group-policy VPNClients attributes
wins-server value 192.168.1.20
dns-server value 192.168.1.17
vpn-simultaneous-logins 99
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNCilents_splitTunnelAcl
default-domain value domain.com
nem enable
group-policy domainVPN internal
group-policy domainVPN attributes
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domainVPN_splitTunnelAcl
nem enable
group-policy domainVPN_1 internal
group-policy domainVPN_1 attributes
wins-server value 192.168.1.17
dns-server value 192.168.1.17 192.168.1.25
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value domainVPN_splitTunnelAcl
default-domain value domain.com
user-authentication-idle-t
nem enable
username user1 password
username user1 attributes
service-type remote-access
memberof domainVPN
username domainVPN password encrypted privilege 0
username domainVPN attributes
vpn-group-policy VPNClients
username user2 password encrypted
username user2 attributes
service-type remote-access
tunnel-group y.y.y.6 type ipsec-l2l
tunnel-group y.y.y.6 ipsec-attributes
pre-shared-key *
tunnel-group VPNClients type remote-access
tunnel-group VPNClients general-attributes
address-pool VPNPool
authentication-server-grou
default-group-policy VPNClients
dhcp-server 192.168.1.17
tunnel-group VPNClients ipsec-attributes
pre-shared-key *
tunnel-group domainVPN type remote-access
tunnel-group domainVPN general-attributes
address-pool VPNPool
authentication-server-grou
default-group-policy domainVPN_1
dhcp-server 192.168.1.17
tunnel-group domainVPN ipsec-attributes
pre-shared-key *
tunnel-group HWVpn type remote-access
tunnel-group HWVpn general-attributes
address-pool VPNPool
default-group-policy domainVPN_1
dhcp-server 192.168.1.17
tunnel-group HWVpn ipsec-attributes
pre-shared-key *
!
class-map foldershare2
match access-list global_mpc_1
class-map type regex match-any JunkServices
class-map type inspect http match-all asdm_medium_security_metho
match not request method head
match not request method post
match not request method get
class-map inspection_default
match default-inspection-traffic
class-map Yahoo-MSN
match default-inspection-traffic
class-map type inspect im match-any JunkClass
match peer-login-name regex class JunkServices
match login-name regex _default_msn-messenger
match protocol msn-im yahoo-im
match login-name regex class JunkServices
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect im YahooMSNBlock
parameters
match protocol msn-im yahoo-im
log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
inspect icmp
inspect ipsec-pass-thru
inspect http
class foldershare2
police input 204500 25000
police output 204500 25000
class Yahoo-MSN
inspect im YahooMSNBlock
policy-map type inspect http Low
parameters
protocol-violation action drop-connection
match request uri regex _default_yahoo-messenger
drop-connection log
match request uri regex _default_GoToMyPC-tunnel
drop-connection log
match request uri regex _default_GoToMyPC-tunnel_2
drop-connection log
match request uri regex _default_aim-messenger
drop-connection log
match request uri regex _default_msn-messenger
drop-connection log
match request uri regex _default_x-kazaa-network
drop-connection log
match request uri regex _default_shoutcast-tunneli
drop-connection log
policy-map type inspect im MSNBlock
parameters
match protocol msn-im
drop-connection log
policy-map type inspect im MessengerInspection
parameters
class JunkClass
reset log
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1a20c33f7e4
: end
asdm image disk0:/asdm-603.bin
no asdm history enable
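An added configuration check (not the asker's or Cisco's code) that scans an ASA running-config for address pools and split-tunnel ACLs that are referenced but never defined, run over a constructed excerpt of the config pasted above. On that excerpt it flags the `address-pool VPNPool` references, since the only `ip local pool` in the paste is named `192.168.1.0`, and it flags that pool because its end address is below its start.

```python
import re

# Constructed excerpt of the ASA 8.0(3) config pasted in this thread (names as pasted; not complete).
ASA_CONFIG = """\
ip local pool 192.168.1.0 192.168.1.201-192.168.1.23
access-list VPNCilents_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
group-policy VPNClients attributes
 split-tunnel-network-list value VPNCilents_splitTunnelAcl
tunnel-group VPNClients general-attributes
 address-pool VPNPool
tunnel-group HWVpn general-attributes
 address-pool VPNPool
"""

def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def lint_asa_config(text):
    """Return findings for address pools and ACLs that are referenced but never defined,
    plus any ip local pool whose end address is below its start."""
    pools, acls, refs = {}, set(), []
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", s)
        if m:
            pools[m.group(1)] = (m.group(2), m.group(3))  # name -> (start, end)
            continue
        m = re.match(r"access-list (\S+) ", s)
        if m:
            acls.add(m.group(1))
            continue
        m = re.match(r"address-pool (\S+)", s)
        if m:
            refs.append(("pool", m.group(1), s))
        m = re.match(r"split-tunnel-network-list value (\S+)", s)
        if m:
            refs.append(("acl", m.group(1), s))
    findings = []
    for kind, name, s in refs:
        if name not in (pools if kind == "pool" else acls):
            findings.append(f"undefined {kind} '{name}' referenced by: {s}")
    for name, (start, end) in pools.items():
        if ip_to_int(start) > ip_to_int(end):
            findings.append(f"pool '{name}': end {end} is below start {start}")
    return findings

if __name__ == "__main__":
    for finding in lint_asa_config(ASA_CONFIG):
        print(finding)
```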