davidkidder01
asked on
ASA 5510 Vpn Routing table issue with cisco vpn client
Cisco Vpn client v5 connects to asa 5510 and every vpn client is able to ping servers / pcs on the 10.19.xx.xx network; however, they have no access to any of the remote sites that connect into the same asa and 1811 router. Remote site ips 10.18.xx.xx 10.39.xx.xx (etc.) This is odd because any computer on the 10.19.xx can ping the above remote sites. I think this is a routing table issue and tied in with OSPF but not knowledgeable enough to fix this. Listed below I have the running-config of the ASA followed by the Cisco 2811. IPs 10.19.248.1-49 are the ips handed out by asa for vpn clients. Then cli shows:
router ospf 1
network 10.19.248.0 255.255.255.0 area 0
Looking at the 2811 router there's an ip route for these cisco vpn clients to route back to the asa on 251.1 as shown below:
ip route 10.19.248.0 255.255.255.0 10.19.251.1
I also think the router ospf 1 section right above in the config file looks wrong. Please look at configs and advise on why the vpn client ips (10.19.248.xx) can only communicate with servers / pcs on the 10.19.xx.xx network. As I am still new to posting questions on here I will paste in both configs and attach a .txt file that has both configs. Thanks for helping me resolve this.
ASA5510
mtu inside2 1500
mtu DMZ 1500
mtu management 1500
ip local pool RemoteUsers 10.19.248.1-10.19.248.49 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/ASDM-524.BIN
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside2) 25 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside2) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound outside
static (inside,outside) tcp xx.xx.xx.xx smtp Barracuda smtp netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.xx https Server04 https netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.xx www Server04 www netmask 255.255.255.255
static (inside,outside) tcp xx.xx.xx.xx ftp Server04 ftp netmask 255.255.255.255
static (DMZ,outside) xx.xx.xx.xx 10.19.11.2 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.19.250.2 netmask 255.255.255.255
static (inside,inside2) 10.19.10.3 10.19.10.3 netmask 255.255.255.255
static (inside,outside) xx.xx.xx.xx 10.19.251.2 netmask 255.255.255.255
static (inside,DMZ) 10.19.10.0 10.19.10.0 netmask 255.255.255.0
static (inside,DMZ) voicevlan voicevlan netmask 255.255.255.0
static (inside,DMZ) 10.102.1.0 10.102.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.10.1.0 10.10.1.0 netmask 255.255.255.0
static (inside,DMZ) 10.251.251.0 10.251.251.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
!
router ospf 1
network 10.19.11.0 255.255.255.0 area 0
network 10.19.248.0 255.255.255.0 area 0
network 10.19.249.0 255.255.255.248 area 0
network 10.19.251.0 255.255.255.248 area 0
area 0
log-adj-changes
redistribute static
default-information originate always
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 inside
http 10.102.0.0 255.255.0.0 inside
http 10.19.10.0 255.255.255.0 inside
http 10.100.0.0 255.255.0.0 inside
http 192.168.0.0 255.255.0.0 inside
http 10.19.0.0 255.255.0.0 inside
snmp-server host inside 10.100.10.101
snmp-server host inside 10.102.1.20
snmp-server host inside 10.19.20.3
snmp-server host inside 10.19.249.3
snmp-server host inside 10.27.10.100
snmp-server host inside 10.36.10.101
snmp-server host inside 10.48.10.100
snmp-server host inside 10.19.10.4
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs group1
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet 10.19.0.0 255.255.0.0 inside
telnet 10.100.0.0 255.255.0.0 inside
telnet 10.102.0.0 255.255.0.0 inside
telnet 10.19.10.0 255.255.255.0 inside
telnet 10.19.249.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ftp
!
service-policy global_policy global
ssl encryption des-sha1 rc4-md5
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value 10.19.10.2 10.19.10.4
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value nightingale.local
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy FCCS internal
group-policy FCCS attributes
dns-server value 10.19.10.4 10.19.10.2
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value nightingale.local
group-policy mhsvendor internal
group-policy mhsvendor attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value mhsvendor_splitTunnelAcl
group-policy Connect internal
group-policy Connect attributes
dns-server value 10.19.10.2 10.19.10.4
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Connect_splitTunnelAcl
default-domain value nightingale.local
split-dns value nightingale.local
group-policy connect internal
group-policy connect attributes
dns-server value 10.19.10.4 10.19.10.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value connect_splitTunnelAcl
default-domain value nightingale.local
group-policy Connect_1 internal
group-policy Connect_1 attributes
dns-server value 10.19.10.4 10.19.10.2
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Connect_splitTunnelAcl
default-domain value nightingale.local
: end
Cisco 2811 config:
!
!
interface Loopback0
ip address 10.19.240.10 255.255.255.0
ip pim dense-mode
!
interface Tunnel1
no ip address
!
interface Tunnel18
description Multilink tunnel for all remote VPN Clients
bandwidth 1544
ip address 10.251.251.1 255.255.255.0
no ip redirects
ip mtu 1400
ip pim sparse-dense-mode
ip nhrp authentication S3tFre3
ip nhrp map multicast dynamic
ip nhrp network-id 18
ip nhrp holdtime 600
ip nhrp cache non-authoritative
ip tcp adjust-mss 1360
no ip split-horizon eigrp 1
no ip mroute-cache
ip ospf network broadcast
ip ospf cost 100
ip ospf priority 2
delay 1000
qos pre-classify
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 18
tunnel protection ipsec profile dmvpn
!
interface FastEthernet0/0
description Connection to 3560sw 0/22
ip address 10.19.251.2 255.255.255.248
ip access-group voicemarks out
ip pim dense-mode
ip virtual-reassembly
ip tcp adjust-mss 1200
duplex auto
speed auto
service-policy output voip-rtp
!
interface FastEthernet0/1
description GATEWAYS FOR VLAN's
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 10.19.1.254 255.255.255.0
standby 1 ip 10.19.1.10
standby 1 preempt
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
ip address 10.19.10.254 255.255.255.0
standby 10 ip 10.19.10.10
standby 10 priority 150
standby 10 preempt
!
interface FastEthernet0/1.20
encapsulation dot1Q 20
ip address 10.19.20.254 255.255.255.0
standby 20 ip 10.19.20.10
standby 20 priority 150
standby 20 preempt
!
interface Serial0/0/0:23
no ip address
encapsulation hdlc
isdn switch-type primary-ni
isdn incoming-voice voice
isdn bind-l3 ccm-manager
no cdp enable
!
interface Serial0/0/1:2
ip address 10.19.253.1 255.255.255.252
compress stac
service-policy output voip-rtp-t1
!
router ospf 1
router-id 10.1.1.1
log-adjacency-changes
network 10.19.0.0 0.0.255.255 area 0
network 10.251.251.0 0.0.0.255 area 0
!
ip route 10.19.248.0 255.255.255.0 10.19.251.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip pim rp-address 10.19.20.10
ip pim autorp listener
!
ip access-list extended cmftest
deny ip host 10.19.20.1 any
permit ip any any
ip access-list extended voicemarks
permit udp any any precedence routine
permit udp any any precedence priority
permit udp any any precedence immediate
permit udp any any precedence flash
permit udp any any precedence flash-override
permit udp any any precedence critical
permit udp any any precedence internet
permit udp any any precedence network
permit tcp any any precedence routine
permit tcp any any precedence priority
permit tcp any any precedence immediate
permit tcp any any precedence flash
permit tcp any any precedence flash-override
permit tcp any any precedence critical
permit tcp any any precedence internet
permit tcp any any precedence network
permit ip any any
!
logging trap notifications
access-list 100 deny udp host 10.19.20.1 range 16384 32768 any
access-list 100 permit ip any any
snmp-server community
snmp-server community
snmp-server enable traps syslog
!
!
!
!
control-plane
!
!
!
voice-port 0/0/0:23
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
voice-port 0/2/0
!
voice-port 0/2/1
!
voice-port 0/2/2
!
voice-port 0/2/3
!
voice-port 0/3/0
!
voice-port 0/3/1
!
voice-port 0/3/2
!
voice-port 0/3/3
!
ccm-manager fallback-mgcp
ccm-manager mgcp
ccm-manager music-on-hold
ccm-manager config server 10.19.20.1
!
mgcp
mgcp call-agent 10.19.20.1 2427 service-type mgcp version 0.1
mgcp dtmf-relay voip codec all mode out-of-band
mgcp rtp unreachable timeout 1000 action notify
mgcp modem passthrough voip mode nse
mgcp package-capability rtp-package
no mgcp package-capability res-package
mgcp package-capability sst-package
no mgcp package-capability fxr-package
mgcp package-capability pre-package
no mgcp timer receive-rtcp
mgcp sdp simple
mgcp fax t38 inhibit
mgcp rtp payload-type g726r16 static
mgcp bind control source-interface Loopback0
mgcp bind media source-interface Loopback0
!
mgcp profile default
!
sccp local FastEthernet0/0
sccp ccm 10.19.20.1 identifier 1 priority 1 version 4.1
sccp
!
sccp ccm group 1
associate ccm 1 priority 1
associate profile 1 register MTP001
!
dspfarm profile 1 transcode
codec g711ulaw
codec g711alaw
codec g729ar8
codec g729abr8
maximum sessions 6
associate application SCCP
!
!
dial-peer voice 999000 pots
service mgcp
destination-pattern 9T
incoming called-number ....
direct-inward-dial
port 0/0/0:23
!
dial-peer voice 999010 pots
service mgcpapp
port 0/1/0
!
dial-peer voice 999011 pots
service mgcpapp
port 0/1/1
!
dial-peer voice 999012 pots
service mgcpapp
port 0/1/2
!
dial-peer voice 999013 pots
service mgcpapp
port 0/1/3
!
dial-peer voice 999020 pots
service mgcpapp
port 0/2/0
!
dial-peer voice 999021 pots
service mgcpapp
port 0/2/1
!
dial-peer voice 999022 pots
service mgcpapp
port 0/2/2
!
dial-peer voice 999023 pots
service mgcpapp
port 0/2/3
!
dial-peer voice 999030 pots
service mgcpapp
port 0/3/0
!
dial-peer voice 999031 pots
service mgcpapp
port 0/3/1
!
dial-peer voice 999032 pots
service mgcpapp
port 0/3/2
!
dial-peer voice 999033 pots
service mgcpapp
port 0/3/3
!
!
!
!
call-manager-fallback
max-conferences 8 gain -6
transfer-system full-consult
ip source-address 10.19.240.10 port 2000
max-ephones 42
max-dn 50
translate calling 1
translate called 1
!
banner login ^C This is a private network. Unauthorized access is prohibited ^C
alias exec c config t
alias exec i show ip route
alias exec snh show ip nhrp | in 10.251
alias exec sdp show run | b dial-peer
alias exec svcs show voice call sum | ex 50
alias exec svp show run | b voice-port
!
line con 0
login local
line aux 0
login local
line vty 0 4
session-timeout 45
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17180158
ntp master
ntp server 192.73.48.2 prefer
!
end
asa5510.txt
Cisco2811.txt
ASKER
Added sysopt connection permit-vpn in cisco asa. Connected via the cisco client vpn.
Shown below is the ipconfig of the vpn client pc and 3 different ping attempts: 1 ping in the 10.19.xx had replies; 2 more outside the 10.19.xx got "request timed out". It would still appear that there is some sort of breakdown in the routing. 10.19.248.0 255.255.255.0 should be able to access any of our internal networkable addresses besides the 10.19.xx.xx range.
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : nightingale.local
IPv4 Address. . . . . . . . . . . : 10.19.248.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Pinging server04.nightingale.local [10.19.10.12] with 32 bytes of data:
Reply from 10.19.10.12: bytes=32 time=62ms TTL=127
Reply from 10.19.10.12: bytes=32 time=59ms TTL=127
Reply from 10.19.10.12: bytes=32 time=60ms TTL=127
Pinging petrel.nightingale.local [10.39.10.110] with 32 bytes of data:
Request timed out.
Pinging rno-002.nightingale.local [10.49.10.100] with 32 bytes of data:
Request timed out.
You don't seem to have a route for 10.49.x.x and 10.39.x.x.
Try adding it statically:
route 10.49.0.0 255.255.0.0 10.19.251.1/ any appropriate interface
route 10.39.0.0 255.255.0.0 10.19.251.1/ any appropriate interface
or dynamically on ospf if desired
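As an added example (not code from this thread, and not Cisco's), the following Python script models the route lookup the answer above is talking about. It parses ASA-style route lines and IOS-style OSPF network lines, builds a reduced copy of the ASA's routing table from addresses visible in the posted configs, and reports which of the asker's three ping targets (10.19.10.12, 10.39.10.110, 10.49.10.100) fall through to the default route before and after the proposed static routes are added. Everything not in the posted configs is an assumption: the interface name inside, the 10.19.10.0/24 entry treated as learned via OSPF from the 2811, the next hop 10.19.251.2 (the 2811's FastEthernet0/0 address in the posted config; the answer leaves the interface open), and 192.0.2.1 standing in for the redacted xx.xx.xx.xx default gateway. It also shows the wildcard-mask versus subnet-mask difference between IOS and ASA OSPF network statements, which matters when comparing the two router ospf 1 sections in the thread.

```python
"""Route lookup and OSPF network-statement checks (added example, not from the thread)."""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# ASA syntax: route <interface> <network> <subnet-mask> <next-hop> [metric]
ASA_ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
# IOS syntax: network <address> <wildcard-mask> area <area-id>
IOS_NETWORK_RE = re.compile(r"^network\s+(\S+)\s+(\S+)\s+area\s+(\S+)")


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: str
    source: str  # label only: "static", "connected" or "ospf"


def parse_asa_route(line: str, source: str = "static") -> Route:
    """Parse an ASA 'route' line (subnet-mask form) into a Route."""
    m = ASA_ROUTE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an ASA route line: {line!r}")
    iface, net, mask, gw = m.groups()
    return Route(ipaddress.IPv4Network(f"{net}/{mask}", strict=False), iface, gw, source)


def ios_network_to_prefix(line: str) -> ipaddress.IPv4Network:
    """Prefix selected by an IOS OSPF 'network' statement.

    IOS takes an inverse (wildcard) mask here, while the ASA's OSPF
    'network' lines in the same thread take an ordinary subnet mask.
    """
    m = IOS_NETWORK_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an IOS OSPF network line: {line!r}")
    addr, wildcard, _area = m.groups()
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def ospf_enabled_interfaces(network_lines: List[str], interface_addrs: List[str]) -> List[str]:
    """Interface addresses that the OSPF network statements select."""
    ranges = [ios_network_to_prefix(line) for line in network_lines]
    return [addr for addr in interface_addrs
            if any(ipaddress.IPv4Address(addr) in r for r in ranges)]


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match over the table; None if nothing matches."""
    dst = ipaddress.IPv4Address(destination)
    best: Optional[Route] = None
    for route in table:
        if dst in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def falls_to_default(table: List[Route], destinations: List[str]) -> List[str]:
    """Destinations with no route more specific than 0.0.0.0/0."""
    result = []
    for dst in destinations:
        best = lookup(table, dst)
        if best is None or best.prefix.prefixlen == 0:
            result.append(dst)
    return result


# Reduced model of the ASA's table (constructed). 192.0.2.1 stands in for the
# redacted xx.xx.xx.xx upstream gateway; the 10.19.10.0/24 entry is assumed to
# be learned via OSPF from the 2811, whose FastEthernet0/0 is 10.19.251.2 in
# the posted config. "inside" is an assumed interface name.
BASE_TABLE: List[Route] = [
    parse_asa_route("route outside 0.0.0.0 0.0.0.0 192.0.2.1 1"),
    Route(ipaddress.IPv4Network("10.19.251.0/29"), "inside", "0.0.0.0", "connected"),
    Route(ipaddress.IPv4Network("10.19.10.0/24"), "inside", "10.19.251.2", "ospf"),
]

# The three ping targets from the asker's update.
PING_TARGETS = ["10.19.10.12", "10.39.10.110", "10.49.10.100"]

# The answer's proposal, with an assumed interface and next hop filled in.
PROPOSED_ROUTES = [
    "route inside 10.49.0.0 255.255.0.0 10.19.251.2",
    "route inside 10.39.0.0 255.255.0.0 10.19.251.2",
]
FIXED_TABLE: List[Route] = BASE_TABLE + [parse_asa_route(l) for l in PROPOSED_ROUTES]

# OSPF network statements and interface addresses from the posted 2811 config.
IOS_OSPF_NETWORKS = [
    "network 10.19.0.0 0.0.255.255 area 0",
    "network 10.251.251.0 0.0.0.255 area 0",
]
IOS_INTERFACE_ADDRS = ["10.19.251.2", "10.251.251.1", "10.19.240.10", "10.19.253.1"]


if __name__ == "__main__":
    for name, table in (("before", BASE_TABLE), ("after", FIXED_TABLE)):
        for dst in PING_TARGETS:
            r = lookup(table, dst)
            print(f"{name:6} {dst:14} -> {r.prefix} via {r.interface} {r.next_hop} ({r.source})")
        print(f"{name:6} default-only: {falls_to_default(table, PING_TARGETS)}")
    print("OSPF-enabled 2811 interfaces:", ospf_enabled_interfaces(IOS_OSPF_NETWORKS, IOS_INTERFACE_ADDRS))
```

Run it with python3 and it prints, for each target, the route it matches before and after the two static routes: 10.19.10.12 hits the /24 both times, while 10.39.10.110 and 10.49.10.100 only match the default route on outside until a more specific entry exists. The last line confirms that both the 10.19.251.0/29 link toward the ASA and the Tunnel18 address are inside the 2811's OSPF network ranges, so OSPF is enabled on those interfaces; whether the remote-site prefixes actually arrive over that adjacency is what show route on the ASA would tell you.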
ASKER
I would prefer to have this dynamic on OSPF. There are 18 different remote sites. As we grow I don't want to have to continue to statically add the routes. Can you guide me through routing dynamically on OSPF? Keeping in mind I only want to impact the 10.19.248.0 group.
Thanks
ASKER CERTIFIED SOLUTION
ASKER
This worked. Sorry for the delay. Finally back at the office after all this traveling. Thanks
sysopt connection permit-vpn (this will bypass acl and nat for all ipsec traffic)
let me know how it goes, once we get this working, we can narrow down by working on acl or nat only.