
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3112

VPN not working

Hi There,

I've set up a VPN on a Cisco ASA and am using a Microsoft IAS to authenticate with a Cisco V5 VPN client.  The client connects fine and authenticates using the IAS as a radius server but I cannot connect to or ping any servers on the LAN side once connected.  I have reason to believe that I have a problem with the default gateway on the Cisco VPN adapter.  For some reason I am picking up 194.X.X.1 as the gateway address (should this be the same as the IP address?).  I also am using the same IP range for the VPN clients as the LAN side, will this cause problems?  Please see the Cisco VPN client log and IPCONFIG/ALL results below:

Cisco Systems VPN Client Version 5.0.01.0600
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      13:21:34.875  10/15/08  Sev=Warning/2      CVPND/0xE3400013
AddRoute failed to add a route: code 87
      Destination      192.168.0.255
      Netmask      255.255.255.255
      Gateway      194.129.15.1
      Interface      194.129.15.86

2      13:21:34.875  10/15/08  Sev=Warning/2      CM/0xA3100024
Unable to add route. Network: c0a800ff, Netmask: ffffffff, Interface: c2810f56, Gateway: c2810f01.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\ADMIN>ipconfig/all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : NET104
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : ADROOT.XXX.CO.UK

Ethernet adapter Local Area Connection 2:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) PRO/100 VM Network Connection
        Physical Address. . . . . . . . . : 00-13-A9-3F-28-11

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
        Physical Address. . . . . . . . . : 00-13-02-CD-57-D0
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.30
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
        NetBIOS over Tcpip. . . . . . . . : Disabled
        Lease Obtained. . . . . . . . . . : 15 October 2008 13:02:37
        Lease Expires . . . . . . . . . . : 16 October 2008 13:02:37

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Bluetooth Personal Area Network from TOSHIBA
        Physical Address. . . . . . . . . : 00-02-C7-EC-EF-CD

Ethernet adapter Local Area Connection 3:

        Connection-specific DNS Suffix  . : ADROOT.XXX.CO.UK
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 194.129.15.86
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 194.129.15.1
        DNS Servers . . . . . . . . . . . : 194.129.15.203
                                            194.129.15.198
        Primary WINS Server . . . . . . . : 194.129.15.198

C:\Documents and Settings\ADMIN>


Does anyone know what I might be doing wrong here?

Regards

Rob

Result of the command: "sho run"
 
: Saved
:
ASA Version 7.2(2) 
!
hostname XXXciscoasa
domain-name adroot.XXX.co.uk
enable password xxx encrypted
names
!
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address xx.xx.23.62 255.255.255.0 standby xx.xx.23.63 
!
interface Ethernet0/1
 nameif LAN
 security-level 50
 ip address xx.xx.15.252 255.255.255.0 standby xx.xx.15.251 
!
interface Ethernet0/2
 description LAN Failover Interface
!
interface Ethernet0/3
 description STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.7 
 management-only
!
passwd xxx encrypted
boot system disk0:/asa722k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name adroot.XXX.co.uk
object-group service FilemakerPro tcp-udp
 port-object range 5003 5003
object-group service CiscoVPN tcp
 description CiscoVPN allow ports 4500, 500
 port-object range 500 500
 port-object range 4500 4500
access-list WAN_access_out extended permit ip any any inactive 
access-list WAN_access_out extended permit udp any any eq ntp 
access-list WAN_access_out extended permit tcp any any eq 123 inactive 
access-list WAN_access_out remark Allow port 445 SMB MS File Sharing access to remote NAS device at James' Home
access-list WAN_access_out extended permit tcp interface WAN host 91.84.29.97 eq 445 
access-list WAN_access_out extended permit tcp any any eq ssh inactive 
access-list WAN_access_out remark Planning - Charnwood related documents link
access-list WAN_access_out extended permit tcp interface WAN host 193.129.245.154 eq 34965 
access-list WAN_access_out remark Planning - Barnet
access-list WAN_access_out extended permit tcp interface WAN host 195.171.200.80 eq 7778 
access-list WAN_access_out remark Planning - Breckland
access-list WAN_access_out extended permit tcp interface WAN host 212.240.79.100 eq 7778 
access-list WAN_access_out remark Planning website - havering.gov.uk
access-list WAN_access_out extended permit tcp any host 62.172.223.20 eq 7783 
access-list WAN_access_out remark Planning website - access to barking and dagenham
access-list WAN_access_out extended permit tcp interface WAN host 212.85.19.44 eq 8081 
access-list WAN_access_out remark Planning website - access to northamptonboroughcouncil.com
access-list WAN_access_out extended permit tcp interface WAN host 83.100.223.135 eq 8099 
access-list WAN_access_out remark Allow port 5003 file maker pro access to bulwein server - Bulwein allow access from our gateway IP
access-list WAN_access_out extended permit tcp any host 195.30.62.92 eq 5003 
access-list WAN_access_out remark Planning Website - Castle Morpeth Borough Council
access-list WAN_access_out extended permit tcp interface WAN host 195.224.122.231 eq 5757 
access-list WAN_access_out remark Planning website - St Helens Council
access-list WAN_access_out extended permit tcp any host 212.248.225.150 eq 7777 
access-list WAN_access_out remark planning
access-list WAN_access_out remark Planning Website - Uttlesford District Council
access-list WAN_access_out extended permit tcp any host 213.121.206.247 eq 7778 
access-list WAN_access_out remark planning
access-list WAN_access_out remark Planning Website - Ellesmere Port & Neston Borough Council
access-list WAN_access_out extended permit tcp any host 193.133.69.117 eq 7778 
access-list WAN_access_out remark Planning - Hartlepool
access-list WAN_access_out extended permit tcp interface WAN host 195.172.81.205 eq 7777 
access-list WAN_access_out remark planning
access-list WAN_access_out remark Planning Website - Arun District Council
access-list WAN_access_out extended permit tcp any host 195.224.159.100 eq 7778 
access-list WAN_access_out remark Planning Website - Maidstone Council
access-list WAN_access_out extended permit tcp any host 195.188.250.22 eq 8070 
access-list WAN_access_out remark Allow port 25 SMTP access from XXX to the Internet - in reality XXXs Exchange server only sends
access-list WAN_access_out remark outbound email to Messagelabs European cluster (set under SMTP connector on Exchange server)
access-list WAN_access_out extended permit tcp host xx.xx.23.56 any eq smtp 
access-list WAN_access_out remark Allow port 25 SMTP access from XXX NET25 Monitoring machine to the Internet for sending email alerts
access-list WAN_access_out remark  to external email servers
access-list WAN_access_out extended permit tcp host xx.xx.23.25 any eq smtp 
access-list WAN_access_out remark Allow UDP Port 53 DNS access from XXX to Internet
access-list WAN_access_out extended permit udp any any eq domain 
access-list WAN_access_out remark Allow TCP Port 53 DNS access from XXX to Internet
access-list WAN_access_out extended permit tcp any any eq domain 
access-list WAN_access_out remark Allow port 21 FTP access from XXX to Internet
access-list WAN_access_out extended permit tcp any any eq ftp 
access-list WAN_access_out extended permit tcp interface WAN any eq ftp-data inactive 
access-list WAN_access_out remark Allow XXX to Ping Internet
access-list WAN_access_out extended permit icmp any any echo 
access-list WAN_access_out remark Allow XXX to Ping Internet
access-list WAN_access_out extended permit icmp any any echo-reply 
access-list WAN_access_out remark Allow UDP Port 500 IKE key exchange for secure connections from XXX to Internet
access-list WAN_access_out extended permit udp any any eq isakmp 
access-list WAN_access_out remark Allow port 443 HTTPS secure access from XXX to Internet
access-list WAN_access_out extended permit tcp any any eq https 
access-list WAN_access_out remark Allow port 8080 HTTP access from XXX to Internet
access-list WAN_access_out remark Used for access to remote XXX routers and other websites (planning sites)
access-list WAN_access_out extended permit tcp any any eq 8080 
access-list WAN_access_out remark Allow port 1755 windows media player access from XXX to internet for website video streaming
access-list WAN_access_out extended permit tcp any any eq 1755 
access-list WAN_access_out remark Allow GRE from XXX VPN server to remote VPN users
access-list WAN_access_out extended permit gre host xx.xx.23.57 any 
access-list WAN_access_out remark Internal access to RTSP-Media Streaming servers on the internet - also requires TCP on same port.
access-list WAN_access_out extended permit udp any any eq 554 
access-list WAN_access_out remark Internal access to RTSP-Media Streaming servers on the internet - also requires UDP on same port.
access-list WAN_access_out extended permit tcp any any eq rtsp 
access-list WAN_access_out remark XXX LAN Access to remote users machines via Tight VNC
access-list WAN_access_out extended permit tcp any any eq 5900 
access-list WAN_access_out remark Allow port 80 HTTP access from XXX to internet - required for access to remote websites
access-list WAN_access_out extended permit tcp any any eq www 
access-list WAN_access_out remark Test Desk RDP connection
access-list WAN_access_out extended permit tcp any host 78.32.137.8 eq 3541 inactive 
access-list WAN_access_out extended permit tcp any any inactive 
access-list WAN_access_out extended permit udp any any inactive 
access-list WAN_access_out remark Default rule to block all traffic - subsequent rules allows traffic through
access-list WAN_access_out extended deny ip any any 
access-list WAN_access_in remark External access to XXX Backup WEB server.
access-list WAN_access_in remark xx.xx.15.194 translated from 194.74.191.44 using one-to-one NAT (see NAT rules).
access-list WAN_access_in extended permit tcp any host xx.xx.23.44 eq www 
access-list WAN_access_in remark Allow Port 1723 PPTP VPN Access from Internet to XXX VPN Server xx.xx.15.207
access-list WAN_access_in remark translated on one-to-one NAT from xx.xx.23.57
access-list WAN_access_in extended permit tcp any host xx.xx.23.57 eq pptp 
access-list WAN_access_in remark Allow GRE protocol for PPTP VPN Access from Internet to XXX VPN Server xx.xx.15.207
access-list WAN_access_in remark translated on one-to-one NAT from xx.xx.23.57
access-list WAN_access_in extended permit gre any host xx.xx.23.57 
access-list WAN_access_in remark Allow Internet to Ping XXX
access-list WAN_access_in extended permit icmp any any echo 
access-list WAN_access_in remark Allow Internet to Ping XXX - Public addresses only
access-list WAN_access_in extended permit icmp any any echo-reply 
access-list WAN_access_in remark Allow port 25 SMTP access to XXX Email server xx.xx.15.206
access-list WAN_access_in remark translated from one-to-one NAT address xx.xx.23.56
access-list WAN_access_in extended permit tcp any host xx.xx.23.56 eq smtp 
access-list WAN_access_in remark messagelabs email in
access-list WAN_access_in extended permit tcp 216.82.240.0 255.255.240.0 host xx.xx.23.56 eq smtp inactive 
access-list WAN_access_in remark messagelabs email in
access-list WAN_access_in extended permit tcp 85.158.136.0 255.255.248.0 host xx.xx.23.56 eq smtp inactive 
access-list WAN_access_in remark messagelabs email in
access-list WAN_access_in extended permit tcp 117.120.16.0 255.255.248.0 host xx.xx.23.56 eq smtp inactive 
access-list WAN_access_in remark messagelabd email in
access-list WAN_access_in extended permit tcp 193.109.254.0 255.255.254.0 host xx.xx.23.56 eq smtp inactive 
access-list WAN_access_in remark messagelabs email in
access-list WAN_access_in extended permit tcp 194.106.220.0 255.255.254.0 host xx.xx.23.56 eq smtp inactive 
access-list WAN_access_in remark messagelabs email in
access-list WAN_access_in extended permit tcp 195.245.230.0 255.255.254.0 host xx.xx.23.56 eq smtp inactive 
access-list WAN_access_in remark messagelabs email in
access-list WAN_access_in extended permit tcp 62.231.131.0 255.255.255.0 host xx.xx.23.56 eq smtp inactive 
access-list WAN_access_in remark messagelabs email in
access-list WAN_access_in extended permit tcp 212.125.75.0 255.255.255.224 host xx.xx.23.56 eq smtp inactive 
access-list WAN_access_in remark messagelabs email in
access-list WAN_access_in extended permit tcp 62.173.108.16 255.255.255.240 host xx.xx.23.56 eq smtp inactive 
access-list WAN_access_in remark messagelabs email in
access-list WAN_access_in extended permit tcp 62.173.108.208 255.255.255.240 host xx.xx.23.56 eq smtp inactive 
access-list WAN_access_in remark Allow port 80 HTTP access to XXX Web server at xx.xx.15.211
access-list WAN_access_in remark translated from one-to-one NAT address of xx.xx.23.11
access-list WAN_access_in extended permit tcp any host xx.xx.23.11 eq www 
access-list WAN_access_in remark Allow port 80 HTTP access to XXX Web server at xx.xx.15.199
access-list WAN_access_in remark translated from one-to-one NAT address of xx.xx.23.49
access-list WAN_access_in extended permit tcp any host xx.xx.23.49 eq www 
access-list WAN_access_in remark Allow port 443 HTTPS access to XXX Email Web server at xx.xx.15.206
access-list WAN_access_in remark translated from one-to-one NAT address of xx.xx.23.56
access-list WAN_access_in extended permit tcp any host xx.xx.23.56 eq https 
access-list WAN_access_in remark Allow port 80 HTTP access to XXX Email Web server at xx.xx.15.206
access-list WAN_access_in remark translated from one-to-one NAT address of xx.xx.23.56
access-list WAN_access_in extended permit tcp any host xx.xx.23.56 eq www 
access-list WAN_access_in remark Allow port 443 HTTPS access to XXX Web server at xx.xx.15.211
access-list WAN_access_in remark translated from one-to-one NAT address of xx.xx.23.11
access-list WAN_access_in extended permit tcp any host xx.xx.23.11 eq https 
access-list WAN_access_in remark Allow port 443 HTTPS access to XXX Web server at xx.xx.15.199
access-list WAN_access_in remark translated from one-to-one NAT address of xx.xx.23.49
access-list WAN_access_in extended permit tcp any host xx.xx.23.49 eq https 
access-list WAN_access_in extended permit udp any any eq ntp inactive 
access-list WAN_access_in extended permit tcp any host xx.xx.23.25 eq 15401 
access-list WAN_access_in extended permit tcp any host xx.xx.23.11 eq 3541 inactive 
access-list WAN_access_in extended permit tcp any any object-group CiscoVPN 
access-list management_nat0_outbound extended permit ip any xx.xx.15.128 255.255.255.224 
access-list Inside_nat0_outbound extended permit ip any xx.xx.15.128 255.255.255.224 
access-list outside_cryptomap_dyn_20 extended permit ip any xx.xx.15.0 255.255.255.0 
access-list XXX_VPN_ACL remark XXX Lan
access-list XXX_VPN_ACL standard permit xx.xx.15.0 255.255.255.0 
no pager
logging enable
logging timestamp
logging list Email_Alerts level warnings
logging asdm informational
logging mail Email_Alerts
logging from-address FirewallLogs@XXX.co.uk
logging recipient-address FirewallLogs@XXX.co.uk level errors
logging class auth mail warnings 
logging class np mail warnings 
logging class sys mail warnings 
logging class vpdn mail warnings 
mtu WAN 1500
mtu LAN 1500
mtu management 1500
ip local pool VPN_IPS xx.xx.15.140-xx.xx.15.150 mask 255.255.255.0
ip local pool VPN_XXX 192.168.0.2-192.168.0.10 mask 255.255.255.0
ip verify reverse-path interface WAN
failover
failover lan unit primary
failover lan interface LANFailover Ethernet0/2
failover key *****
failover replication http
failover link StateFailover Ethernet0/3
failover interface ip LANFailover 192.168.250.1 255.255.255.0 standby 192.168.250.2
failover interface ip StateFailover 192.168.251.1 255.255.255.0 standby 192.168.251.2
monitor-interface WAN
monitor-interface LAN
no monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
nat-control
global (WAN) 10 interface
nat (LAN) 0 access-list Inside_nat0_outbound
nat (LAN) 10 0.0.0.0 0.0.0.0
nat (management) 0 access-list management_nat0_outbound
nat (management) 10 0.0.0.0 0.0.0.0
static (LAN,WAN) xx.xx.23.25 xx.xx.15.25 netmask 255.255.255.255 
static (LAN,WAN) xx.xx.23.56 xx.xx.15.206 netmask 255.255.255.255 
static (LAN,WAN) xx.xx.23.57 xx.xx.15.207 netmask 255.255.255.255 
static (LAN,WAN) xx.xx.23.11 xx.xx.15.211 netmask 255.255.255.255 
static (LAN,WAN) xx.xx.23.49 xx.xx.15.199 netmask 255.255.255.255 
static (LAN,WAN) xx.xx.15.252 xx.xx.15.252 netmask 255.255.255.255 
static (LAN,WAN) xx.xx.23.44 xx.xx.15.194 netmask 255.255.255.255 
access-group WAN_access_in in interface WAN
access-group WAN_access_out out interface WAN
route WAN 0.0.0.0 0.0.0.0 xx.xx.23.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server ADROOT protocol nt
aaa-server ADROOT (LAN) host xx.xx.15.203
 nt-auth-domain-controller adroot.XXX.co
aaa-server XXX_Auth protocol radius
aaa-server XXX_Auth (LAN) host xx.xx.15.214
 key ctWAmYogyVect8a9pGow
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec 
group-policy DfltGrpPolicy attributes
 banner none
 wins-server value xx.xx.15.197
 dns-server value xx.xx.15.203 xx.xx.15.198
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 50
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec 
 password-storage disable
 ip-comp disable
 re-xauth enable
 group-lock none
 pfs enable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy xx.xx.240.154 internal
group-policy xx.xx.240.154 attributes
 wins-server value xx.xx.15.198
 dns-server value xx.xx.15.203 xx.xx.15.198
 vpn-tunnel-protocol IPSec 
 group-lock value xx.xx.240.154
 ipsec-udp enable
 split-tunnel-policy excludespecified
 split-tunnel-network-list value XXX_VPN_ACL
 default-domain value ADROOT.XXX.CO.UK
username rob_admin password oPv83W5h./yuqWL. encrypted privilege 15
username rob_admin attributes
 vpn-group-policy xx.xx.240.154
 vpn-tunnel-protocol IPSec 
aaa authentication telnet console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map WAN_dyn_map 10 match address outside_cryptomap_dyn_20
crypto dynamic-map WAN_dyn_map 10 set transform-set ESP-DES-SHA ESP-3DES-SHA TRANS_ESP_3DES_SHA
crypto dynamic-map WAN_dyn_map 20 set pfs 
crypto dynamic-map WAN_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map WAN_dyn_map 40 set pfs 
crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 60 set pfs 
crypto dynamic-map WAN_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 80 set pfs 
crypto dynamic-map WAN_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 100 set pfs 
crypto dynamic-map WAN_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 120 set pfs 
crypto dynamic-map WAN_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map WAN_dyn_map 140 set pfs 
crypto dynamic-map WAN_dyn_map 140 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map management_dyn_map 20 set pfs 
crypto dynamic-map management_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map management_dyn_map 40 set pfs 
crypto dynamic-map management_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map management_dyn_map 60 set pfs 
crypto dynamic-map management_dyn_map 60 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map management_dyn_map 80 set pfs 
crypto dynamic-map management_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map management_dyn_map 100 set pfs 
crypto dynamic-map management_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map
crypto map WAN_map interface WAN
crypto map management_map 65535 ipsec-isakmp dynamic management_dyn_map
crypto map management_map interface management
crypto isakmp enable WAN
crypto isakmp enable management
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000 
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IPS
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group xx.xx.240.154 type ipsec-ra
tunnel-group xx.xx.240.154 general-attributes
 authentication-server-group XXX_Auth
 default-group-policy xx.xx.240.154
 dhcp-server xx.xx.15.198
tunnel-group xx.xx.240.154 ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group xx.xx.240.154 ppp-attributes
 authentication pap
 authentication ms-chap-v2
vpn-sessiondb max-session-limit 250
telnet 0.0.0.0 0.0.0.0 LAN
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp 
!
service-policy global_policy global
ntp server 130.88.202.49 source WAN prefer
client-update enable
prompt hostname context 
Cryptochecksum:80c27a5234b189dada3a4d01d544722b
: end
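As an added check (not part of the original question or any of the answers), the script below decodes the hex fields of the CM/0xA3400024-style "Unable to add route" warning from the client log and tests the ASA's `ip local pool` ranges against both the ASA interface subnets and the client's own local subnet taken from the ipconfig output. The config sample is constructed from the posted lines, with the redacted xx.xx.15.x LAN values replaced by stand-in 10.10.15.x addresses; the VPN_XXX pool and client addresses are as posted.

```python
import ipaddress
import re

# Constructed sample modelled on the posted 'sho run': the LAN and management
# interfaces and the two VPN pools. The redacted xx.xx.15.x values are replaced
# by stand-in 10.10.15.x addresses; the VPN_XXX pool is exactly as posted.
ASA_CONFIG = """\
interface Ethernet0/1
 nameif LAN
 security-level 50
 ip address 10.10.15.252 255.255.255.0 standby 10.10.15.251
interface Management0/0
 nameif management
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.7
ip local pool VPN_IPS 10.10.15.140-10.10.15.150 mask 255.255.255.0
ip local pool VPN_XXX 192.168.0.2-192.168.0.10 mask 255.255.255.0
"""

# Client-side fact taken from the ipconfig output: the wireless adapter's subnet.
CLIENT_LOCAL_LAN = ipaddress.ip_interface("192.168.0.30/255.255.255.0").network

# The CM/0xA3100024 warning from the client log, verbatim.
CM_LOG_LINE = ("Unable to add route. Network: c0a800ff, Netmask: ffffffff, "
               "Interface: c2810f56, Gateway: c2810f01.")

HEX_FIELD = re.compile(r"(Network|Netmask|Interface|Gateway): ([0-9a-fA-F]{8})")


def decode_cm_route_warning(line):
    """Decode the 32-bit hex fields of a CM 'Unable to add route' warning to dotted quads."""
    return {name: str(ipaddress.IPv4Address(int(hexval, 16)))
            for name, hexval in HEX_FIELD.findall(line)}


def parse_asa(config):
    """Return (subnets, pools): nameif -> IPv4Network, and pool name -> (first, last)."""
    subnets, pools, current_nameif = {}, {}, None
    for line in config.splitlines():
        m_nameif = re.match(r"\s+nameif (\S+)", line)
        m_addr = re.match(r"\s+ip address (\S+) (\S+)", line)
        m_pool = re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", line)
        if m_nameif:
            current_nameif = m_nameif.group(1)
        elif m_addr:
            iface = ipaddress.ip_interface(f"{m_addr.group(1)}/{m_addr.group(2)}")
            subnets[current_nameif] = iface.network
        elif m_pool:
            pools[m_pool.group(1)] = (ipaddress.IPv4Address(m_pool.group(2)),
                                      ipaddress.IPv4Address(m_pool.group(3)))
    return subnets, pools


def find_pool_overlaps(pools, subnets):
    """List (pool, subnet_label) pairs whose address range intersects the subnet."""
    return [(name, label)
            for name, (first, last) in pools.items()
            for label, net in subnets.items()
            if first <= net.broadcast_address and last >= net.network_address]


def route_destination_in_local_lan(line, local_lan):
    """True when the route the client failed to add targets the client's own local subnet."""
    return ipaddress.IPv4Address(decode_cm_route_warning(line)["Network"]) in local_lan


def report(config, client_lan, cm_line):
    """Human-readable findings: pool/subnet overlaps plus the decoded failed route."""
    subnets, pools = parse_asa(config)
    targets = dict(subnets, **{"client-local": client_lan})
    findings = [f"pool {p} overlaps subnet {s} ({targets[s]})"
                for p, s in find_pool_overlaps(pools, targets)]
    if route_destination_in_local_lan(cm_line, client_lan):
        d = decode_cm_route_warning(cm_line)
        findings.append(f"failed route {d['Network']}/{d['Netmask']} via {d['Gateway']} "
                        f"targets the client's own local subnet {client_lan}")
    return findings


if __name__ == "__main__":
    for finding in report(ASA_CONFIG, CLIENT_LOCAL_LAN, CM_LOG_LINE):
        print(finding)
```

A pool that falls inside a subnet the client already uses locally is worth flagging before looking at the ASA side, since the client cannot route the same prefix both locally and through the tunnel.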


Asked by robclarke41

1 Solution
knightfox commented:
Well it looks like your tunnel is established. Your ipconfig is fine the way it is, btw. No default gateway needed (it actually uses your local default gateway and only routes through the tunnel the traffic destined for your local network).

Add the following lines to use your internal DNS server when connecting to the VPN:
group-policy Para_RAS_VPN attributes
 dns-server value 192.168.20.44

/Fox
http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_23791886.html?sfQueryTermInfo=1+%22addrout+fail+add+rout+code+87%22
robclarke41 (Author) commented:
Hi Fox,

What will those commands do?

Rob
robclarke41 (Author) commented:
Can anyone help with this?
donaldchapell commented:
I ran into something similar. Make sure you enable (in ASDM) the same-interface command via the second check box on the Interfaces screen: "Two or more connected on the same interface". This will enable a hairpin effect which will allow communication to the Internet while on VPN.

In addition, make sure all your rules to anything on the inside are done on the outside interface.  Remember, all your communication is happening on the outside interface.

Don't forget the NAT on the outside interface - your inside subnet will need to NAT to the inside and outside interfaces in the same Dynamic Policy NAT.