inazir

asked on

setting up vpn on cisco asa 5505

I am trying to set up a VPN on a Cisco ASA 5505 firewall. I can successfully connect to the VPN using Cisco VPN Client ver 5 but cannot access or ping any internal resources on the LAN. I am using the internal DHCP for VPN address assignment. I checked the VPN client statistics while connected to the VPN and it shows that bytes received and sent are zero; packets encrypted and decrypted are also zero. Under the route details there are no local LAN routes listed and there is only one secured route listed, and that is network = 0.0.0.0, subnet mask = 0.0.0.0. I guess I am missing some ACLs. I am pasting the running config of the Cisco. I have been trying to figure it out since last week with no luck and will greatly appreciate any help. Thank you in advance.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname firewall
domain-name default.domain.invalid
enable password 18wVbLppqEl3uvIb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.240.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 204.14.166.188 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list testgroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 204.14.166.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server mba3 protocol nt
aaa-server mba3 (outside) host 192.168.240.150
 timeout 5
 nt-auth-domain-controller mba3
http server enable
http 192.168.240.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy testgroup internal
group-policy testgroup attributes
 wins-server value 192.168.240.150
 dns-server value 192.168.240.150
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testgroup_splitTunnelAcl
 default-domain value mba-qc.com
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 authentication-server-group mba3
 default-group-policy testgroup
 dhcp-server 192.168.240.150
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a471843597279d521bb5f32e50b65706
: end
bignewf

add this:

sysopt connection permit-ipsec   (or permit-vpn)

remove this:
no access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.224

remove this:
no nat (inside) 0 access-list inside_nat0_outbound

add this:
crypto isakmp identity address

add this:
access-list nonat extended permit ip 192.168.240.0 255.255.255.0 192.168.50.0 255.255.255.224
(assuming 192.168.50.0 is your address pool for your remote clients)

add this:
nat (inside) 0 access-list nonat

also, I don't see an IP pool for 192.168.50.0 assigned to your tunnel group

the statement could be:

ip local pool vpnpool 192.168.50.1-192.168.50.100 mask 255.255.255.0

the pool can be called anything
while the access-list inside_nat0_outbound statements generally work, you will
probably have more success with the access-list nonat extended statements

let me know how this works out for you

also, as a side note, the IP address pool for the VPN clients should be a totally different network than your inside LAN
I am not going to verify your configuration!
According to my experience, VPN clients getting connected but not passing traffic could be 3 to 4 things...

Facts about this specific case:
- Tunnel ALL!
- No encryption and no decryption.

Resolution steps:
********************
1. Make sure that you have the correct NAT bypass when your internal networks try to communicate with your POOL.

2. Make sure that you have the correct routes.
 (Assuming that you have more networks than the directly connected one)

3. Verify your security ACL for the access-group applied on the interface.

4. CRYPTO ISAKMP NAT-TRAVERSAL 21
Please verify if you enabled this command.
Actually it is a plus in the firewall that just takes care of packets passing through a NAT.
(Port 4500)

Please let me know if this information was helpful.

Other comments:
He is not using a pool; there is a DHCP server that provides an IP from a scope to every VPN client. "Sysopt connection permit-vpn" is for versions of FOS 7.x and up, and should be enabled by default in the 5505 box.
inazir

ASKER

This is my first ever encounter with a Cisco device, so pardon me for my lack of Cisco knowledge. I tried your suggestions, bignewf, and also created and bound a new pool to my VPN clients (192.168.60.0), and now when I connect to the VPN it is getting an IP from the new pool and it is now sending bytes and encrypting them; however, it is still not receiving any bytes or decrypting any packets. I am posting my running config once again, please review it and suggest modifications. I really appreciate your help. I think we are very close to solving this.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname firewall
domain-name default.domain.invalid
enable password 18wVbLppqEl3uvIb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.240.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 204.14.166.188 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list testgroup_splitTunnelAcl standard permit any
access-list nonat extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.224
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool testpool 192.168.60.10-192.168.60.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 204.14.166.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server mba3 protocol nt
aaa-server mba3 (outside) host 192.168.240.150
 timeout 5
 nt-auth-domain-controller mba3
http server enable
http 192.168.240.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy testgroup internal
group-policy testgroup attributes
 wins-server value 192.168.240.150
 dns-server value 192.168.240.150
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testgroup_splitTunnelAcl
 default-domain value mba-qc.com
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
 authentication-server-group mba3
 default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b2e2d186514c0f39ffbfebdb4f09c92a
: end
Please enable NAT-T
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2068300
#crypto isa nat-t 21

Also, since you are tunnel-all, please do not use tunnelspecified with a standard ACL of ANY.
Instead please use just tunnelall in your group policy; it should look like:

# group-policy testgroup attributes
 # wins-server value 192.168.240.150
 # dns-server value 192.168.240.150
 # vpn-tunnel-protocol IPSec
 # split-tunnel-policy tunnelall
 # default-domain value mba-qc.com

Otherwise, if you want to use split-tunneling, please just change the ACL "testgroup_splitTunnelAcl":
# access-list testgroup_splitTunnelAcl standard permit 192.168.240.0 255.255.255.0

ASKER

Thanks for your reply, geergon. I have implemented your suggestions and now I can see that the VPN client statistics show my internal network 192.168.240.0 as secured and 0.0.0.0 has disappeared. But now I don't see any packets being encrypted or decrypted; also there are no bytes being sent or received anymore. I made two extra changes to the configuration: I had to enable NAT for two internal addresses to be accessed using RDP, and I also added an access rule under security policy for the outside interface to permit any inbound traffic (NATting won't work without it). Please review my running config once again and advise me what to change. Thank you.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname firewall
domain-name default.domain.invalid
enable password 18wVbLppqEl3uvIb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.240.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 204.14.166.187 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list testgroup_splitTunnelAcl standard permit 192.168.240.0 255.255.255.0
access-list nonat extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.224
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool testpool 192.168.60.10-192.168.60.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.240.155 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.240.150 3390 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 204.14.166.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server mba3 protocol nt
aaa-server mba3 (outside) host 192.168.240.150
 timeout 5
 nt-auth-domain-controller mba3
http server enable
http 192.168.240.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  21
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy testgroup internal
group-policy testgroup attributes
 wins-server value 192.168.240.150
 dns-server value 192.168.240.150
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testgroup_splitTunnelAcl
 default-domain value mba-qc.com
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
 authentication-server-group mba3
 default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9b6d2da7e13e0469797d734d5965c4ae
: end

ASKER

Also, I need to use split tunneling. I want remote users to use their own internet connection for internet browsing.
go to the ASDM GUI and go to configuration > vpn > general > vpn system options
make sure "enable inbound IPSec sessions to bypass interface access lists" is checked

this is the same as the CLI sysopt permit-ipsec command, but this allows all decrypted IPSec traffic to pass without inspection against the ACLs

In many conversations with Cisco technical support, as a side note, they have admitted that the ASDM and CLI can be "out of sync". This is a bug in the IOS: even though the CLI may be perfect, commands may not work unless mirrored in the ASDM. I found that access-lists that should have been working in the CLI were often absent in the ASDM, and when added, everything would work. Worth an extra 5 minutes to check the ASDM, especially with the last comment I made.

split tunnel commands:

asa(config)#access-list my_split_tunnel standard permit [network you want tunneled]
asa(config)#group-policy mygroup attributes
asa(config-group-policy)#split-tunnel-policy tunnelspecified
asa(config-group-policy)#split-tunnel-network-list value my_split_tunnel

or in ASDM:

vpn > general > group policy >
highlight your group
edit
click the client configuration tab
then choose your networks in the split tunnel
these may be inherited from your default policy, or deselect inherit and add the networks for split tunneling

remember this is a security risk

also, on your group policy under client configuration I would enable IPSec over UDP port 10000
then on the Cisco client select transparent tunneling and try connecting on UDP port 10000

ASKER

I have checked everything and tried everything you suggested but still no packets encrypted or decrypted, no bytes being sent or received. Thank you once again for your time and help. Any more suggestions?
do a clear xlate command, if not done so already
did you also enable nat-t?
I think I see your problem now --

get rid of this:
access-list outside_access_in extended permit ip any any  (this allows any traffic from outside to inside, defeats the security of the device)

You only need to allow inbound traffic to certain ports of services, not all IP traffic.

Since you statically mapped 2 different RDP servers, you then incorrectly used a port-forward access list to allow the traffic

so you need to change your static NAT commands:

no static (inside,outside) tcp interface 3389 192.168.240.155 3389 netmask 255.255.255.255
no static (inside,outside) tcp interface 3390 192.168.240.150 3390 netmask 255.255.255.255

use this syntax for a static one-to-one mapping:

static (inside,outside) [outside public ip of server] [inside lan address of server] netmask 255.255.255.255

do this for each static IP you need to translate with static NAT

then a corresponding access-list:

access-list outside_access_in extended permit tcp any host [public address of server] eq 3389

this example allows RDP from the internet to your firewall

then you need an access-list statement to allow encrypted traffic through the tunnel:
access-list outside_access_in extended permit ip 192.168.60.0 255.255.255.224 192.168.240.0 255.255.255.0

of course you then need a corresponding access-group statement to bind it to the outside interface:

access-group outside_access_in in interface outside

If you want additional security and don't want to be able to access your inside servers without using the VPN, then you don't need the static mappings I gave you. This would prevent access to your internal servers over the internet.


ASKER

NAT-T is already enabled and I just did clear xlate to no effect. Still no bytes sent or received.
did you see my last post?
please disregard my static NAT corrections, I thought I saw multiple static IPs for your internal servers

but you need to get rid of this:

access-list outside_access_in extended permit ip any any  (this allows any traffic from outside to inside, defeats the security of the device)

add this:
you need an access-list statement to allow encrypted traffic through the tunnel:
access-list outside_access_in extended permit ip 192.168.60.0 255.255.255.224 192.168.240.0 255.255.255.0

of course you then need a corresponding access-group statement to bind it to the outside interface:

access-group outside_access_in in interface outside


ASKER

Once the VPN starts working I will not need RDP or NAT at all. I think I should go to work and get rid of RDP and its ACL and then work with you to resolve this issue. I will be back with you in 15-20 minutes.
correct, I saw you are using the outside static IP of the ASA to port forward your RDP servers.

the most important statements are your nat 0 and the access-list statement allowing the IP range of the VPN clients access to your internal LAN. nat 0 allows the traffic to bypass NAT, the other allows encrypted traffic to flow through the tunnel.

you can keep the RDP access-list if you need this for access during config. obviously, if you can be at the console with HyperTerminal, that is the best way

ASKER

Got rid of the NAT rules and the security policy permitting all traffic on the outside interface. Here is the new running configuration after the changes.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname firewall
domain-name default.domain.invalid
enable password 18wVbLppqEl3uvIb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.240.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 204.14.166.187 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list testgroup_splitTunnelAcl standard permit 192.168.240.0 255.255.255.0
access-list nonat extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.224
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool testpool 192.168.60.10-192.168.60.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 204.14.166.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server mba3 protocol nt
aaa-server mba3 (outside) host 192.168.240.150
 timeout 5
 nt-auth-domain-controller mba3
http server enable
http 192.168.240.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  21
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy testgroup internal
group-policy testgroup attributes
 wins-server value 192.168.240.150
 dns-server value 192.168.240.150
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testgroup_splitTunnelAcl
 default-domain value mba-qc.com
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
 authentication-server-group mba3
 default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4f46cbb99a482d92543daa2cbd05074c
: end
subnet mask is wrong for your IP pool?

access-list nonat extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.224   (should be 255.255.255.0)

I don't see an access-list allowing traffic through the tunnel -
asa(config)#access-list outside_in extended permit ip 192.168.60.0 255.255.255.0 192.168.240.0 255.255.255.0
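The checks the replies keep coming back to (a nat 0 exemption whose mask actually covers the client pool, an outside ACL that permits the pool into the LAN rather than everything, NAT-T, and a split-tunnel list that is not a plain `permit any`) can be linted mechanically against a pasted `show running-config`. The script below is an added example, not code from any poster in this thread or from Cisco. It assumes the inside LAN 192.168.240.0/24 from the posted configs, parses only the ASA 7.x one-line forms that appear here, and treats `sysopt connection permit-vpn` as enabled unless the config contains an explicit `no` (the 7.x default, which `show running-config` does not print). `check_vpn_config`, `parse_config` and the two sample constants are names introduced for this example; the sample config is a constructed excerpt modelled on the posted one.

```python
"""Lint the remote-access VPN pieces of an ASA 7.x running-config (added example)."""
import ipaddress
import re

INSIDE = ipaddress.ip_network("192.168.240.0/24")  # inside LAN from the thread
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed excerpt modelled on the third posted config (not the full file).
# It keeps the /27 nonat mask, the 'permit ip any any' and the 'permit any'
# split list so every check below has something to report.
SAMPLE_CONFIG = """\
access-list testgroup_splitTunnelAcl standard permit any
access-list nonat extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.224
access-list outside_access_in extended permit ip any any
ip local pool testpool 192.168.60.10-192.168.60.25 mask 255.255.255.0
nat (inside) 0 access-list nonat
access-group outside_access_in in interface outside
crypto isakmp nat-traversal 21
group-policy testgroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testgroup_splitTunnelAcl
tunnel-group testgroup general-attributes
 address-pool testpool
"""

# The same excerpt with the corrections suggested later in the thread applied.
FIXED_CONFIG = (
    SAMPLE_CONFIG
    .replace("standard permit any", "standard permit 192.168.240.0 255.255.255.0")
    .replace("192.168.60.0 255.255.255.224", "192.168.60.0 255.255.255.0")
    .replace("access-list outside_access_in extended permit ip any any",
             "access-list outside_in extended permit ip 192.168.60.0 255.255.255.0 "
             "192.168.240.0 255.255.255.0")
    .replace("access-group outside_access_in", "access-group outside_in")
)


def _addr(tok, i):
    """Parse one ACE address spec at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def ace_networks(entry):
    """(src, dst) networks of an extended 'permit ip' ACE, else None."""
    tok = [t for t in entry if t != "extended"]
    if len(tok) < 4 or tok[0] != "permit" or tok[1] != "ip":
        return None
    src, i = _addr(tok, 2)
    dst, _ = _addr(tok, i)
    return src, dst


def ace_covers(entry, src, dst):
    """True if the ACE permits all of src -> dst."""
    nets = ace_networks(entry)
    return nets is not None and src.subnet_of(nets[0]) and dst.subnet_of(nets[1])


def parse_config(text):
    """Return (acls, pools, lines): ACE token lists per ACL name, pool networks, lines."""
    acls, pools = {}, {}
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    for ln in lines:
        tok = ln.split()
        if tok[0] == "access-list" and len(tok) > 2:
            acls.setdefault(tok[1], []).append(tok[2:])
        elif tok[:3] == ["ip", "local", "pool"] and "mask" in tok:
            first = tok[4].split("-")[0]  # pool is written as first-last
            mask = tok[tok.index("mask") + 1]
            pools[tok[3]] = ipaddress.ip_network(f"{first}/{mask}", strict=False)
    return acls, pools, lines


def _first(lines, pattern):
    """Group 1 of the first (indentation-stripped) line matching pattern, or None."""
    for ln in lines:
        m = re.match(pattern, ln.strip())
        if m:
            return m.group(1)
    return None


def check_vpn_config(text, inside=INSIDE):
    """Return a list of findings; an empty list means every check passed."""
    acls, pools, lines = parse_config(text)
    findings = []
    pool = pools.get(_first(lines, r"address-pool (\S+)"))
    if pool is None:
        return ["no ip local pool bound to a tunnel-group with address-pool"]
    # 1. NAT exemption must cover inside -> the whole pool (the /27 vs /24 mismatch fails here).
    nat0 = _first(lines, r"nat \(inside\) 0 access-list (\S+)")
    if nat0 is None or not any(ace_covers(e, inside, pool) for e in acls.get(nat0, [])):
        findings.append(f"nat (inside) 0 ACL does not cover {inside} -> {pool}")
    # 2. Outside ACL: flag a blanket permit; if the default permit-vpn bypass was
    #    turned off, decrypted pool -> inside traffic must be permitted explicitly.
    out_acl = _first(lines, r"access-group (\S+) in interface outside")
    out_aces = acls.get(out_acl, []) if out_acl else []
    if any(ace_covers(e, ANY, ANY) for e in out_aces):
        findings.append(f"{out_acl} permits ip any any inbound on outside")
    if "no sysopt connection permit-vpn" in lines and \
            not any(ace_covers(e, pool, inside) for e in out_aces):
        findings.append("VPN bypass disabled and outside ACL does not permit pool -> inside")
    # 3. NAT traversal (UDP 4500) for clients sitting behind a NAT.
    if not any(ln.startswith("crypto isakmp nat-traversal") for ln in lines):
        findings.append("crypto isakmp nat-traversal is not enabled")
    # 4. 'tunnelspecified' with a 'permit any' list is really tunnel-all.
    if _first(lines, r"split-tunnel-policy (\S+)") == "tunnelspecified":
        stl = _first(lines, r"split-tunnel-network-list value (\S+)")
        if any(e[-1] == "any" for e in acls.get(stl, [])):
            findings.append(f"split list {stl} is 'permit any'; use tunnelall or list the inside network")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(label, "->", check_vpn_config(cfg) or ["ok"])
```

Run it as-is and the posted excerpt produces three findings (the nat 0 mask, the `permit ip any any`, and the `permit any` split list) while the corrected copy produces none; pasting a real `show running-config` into `check_vpn_config` works the same way, since the parser ignores every line it does not recognise.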

ASKER

I changed the mask and here is the config once again. I tried connecting and still it's not sending or receiving any bytes.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname firewall
domain-name default.domain.invalid
enable password 18wVbLppqEl3uvIb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.240.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 204.14.166.187 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list testgroup_splitTunnelAcl standard permit 192.168.240.0 255.255.255.0
access-list nonat extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool testpool 192.168.60.10-192.168.60.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 204.14.166.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server mba3 protocol nt
aaa-server mba3 (outside) host 192.168.240.150
 timeout 5
 nt-auth-domain-controller mba3
http server enable
http 192.168.240.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  21
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy testgroup internal
group-policy testgroup attributes
 wins-server value 192.168.240.150
 dns-server value 192.168.240.150
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testgroup_splitTunnelAcl
 default-domain value mba-qc.com
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
 authentication-server-group mba3
 default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fa95687156a8ebe5968d3b394680dbae
: end
unless I am missing something, I don't see an access list allowing the VPN client IP pool access to the inside LAN. I only see the nonat access-list

ASKER

how about now!

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname firewall
domain-name default.domain.invalid
enable password 18wVbLppqEl3uvIb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.240.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 204.14.166.187 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list testgroup_splitTunnelAcl standard permit 192.168.240.0 255.255.255.0
access-list nonat extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list outside_in extended permit ip 192.168.60.0 255.255.255.0 192.168.240.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool testpool 192.168.60.10-192.168.60.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 204.14.166.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server mba3 protocol nt
aaa-server mba3 (outside) host 192.168.240.150
 timeout 5
 nt-auth-domain-controller mba3
http server enable
http 192.168.240.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  21
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy testgroup internal
group-policy testgroup attributes
 wins-server value 192.168.240.150
 dns-server value 192.168.240.150
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testgroup_splitTunnelAcl
 default-domain value mba-qc.com
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
 authentication-server-group mba3
 default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fa95687156a8ebe5968d3b394680dbae
: end
I see it, so let's troubleshoot this
add:

access-group outside_in in interface outside
inazir (ASKER):

Added.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname firewall
domain-name default.domain.invalid
enable password 18wVbLppqEl3uvIb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.240.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 204.14.166.187 255.255.255.248
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list testgroup_splitTunnelAcl standard permit 192.168.240.0 255.255.255.0
access-list nonat extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list outside_in extended permit ip 192.168.60.0 255.255.255.0 192.168.240.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool testpool 192.168.60.10-192.168.60.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 204.14.166.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server mba3 protocol nt
aaa-server mba3 (outside) host 192.168.240.150
 timeout 5
 nt-auth-domain-controller mba3
http server enable
http 192.168.240.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  21
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy testgroup internal
group-policy testgroup attributes
 wins-server value 192.168.240.150
 dns-server value 192.168.240.150
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testgroup_splitTunnelAcl
 default-domain value mba-qc.com
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
 authentication-server-group mba3
 default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:120af42d96fb1d9238210ed9ad0dc7ac
: end
can you reach inside hosts now?

inazir (ASKER):

Cannot reach inside hosts.
It is an access-list issue. I will check your config one more time, probably some typos.

But look at this PDF, it has all the correct commands and you can copy and paste:

vpnrmote.pdf
add this and try again:

access-list nonat extended permit ip any 192.168.240.0 255.255.255.0

let me know
make sure you do a copy run start or write mem to save the config
inazir (ASKER):

Added the ACL, saved to flash and reconnected, with the same results.
for now get rid of this:

no access-list testgroup_splitTunnelAcl standard permit 192.168.240.0 255.255.255.0

then do a clear xlate and reboot the ASA
inazir (ASKER):

Tried, but I get this error message.

Result of the command: "no access-list testgroup_splitTunnelAcl standard permit 192.168.240.0 255.255.255.0"

ERROR: Access-list testgroup_splitTunnelAcl is attached to class-map, route-map,
username, group-policy, distribute-list, multicast or wccp subsystem.
Please remove the relevant configuration before removing the access-list.
At this point we might want to consider wiping the config and starting clean. It will only take a few minutes and you can use the wizards in ASDM. If it is not working, then send me the new config.

inazir (ASKER):

OK, I am going to restore to factory defaults and start clean. Let me give you an overview of what I want, and then you can guide me step by step. I want a remote access VPN that will use Windows authentication and split tunneling. I will create a VPN with Windows authentication, change nothing else, and get back to you in 5 minutes.
Will you be using the Cisco VPN client, or the Windows client? The Windows client can be more troublesome.

And are you referring to using an AAA server, i.e. RADIUS?
I would first get the connection working and do that second.

inazir (ASKER):

Should I use the local database instead of AAA authentication, just to keep it simple? If it works we can change it later, right? And also, for my knowledge, AAA authentication is set up on the outside interface!
inazir (ASKER):

I restored to defaults and ran the startup wizard. Now I can connect to the internet; I have not run the VPN wizard yet. AAA authentication means the Windows domain authentication that I was using before.
let's configure that later. run the VPN wizard, try to connect, and let's troubleshoot if it is not working
are you using the Cisco client?
inazir (ASKER):

Using the Cisco client.
inazir (ASKER):

VPN created, and here is the new running config.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname firewall
domain-name mba-qc.com
enable password 18wVbLppqEl3uvIb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.240.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 204.14.166.187 255.255.255.248
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name mba-qc.com
same-security-traffic permit intra-interface
access-list testgroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.224
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool testpool 192.168.60.10-192.168.60.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 204.14.166.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server windows protocol nt
aaa-server windows (outside) host 192.168.240.150
 timeout 5
 nt-auth-domain-controller mba3
http server enable
http 192.168.240.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy testgroup internal
group-policy testgroup attributes
 wins-server value 192.168.240.150
 dns-server value 192.168.240.150
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testgroup_splitTunnelAcl
 default-domain value mba-qc.com
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
 authentication-server-group windows
 default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d2ae0fe1e01b2c9fb3b652670022e6fd
: end
can you connect?

I see the subnet mask of the IP pool is different than the subnet mask in the nat0 access list.
inazir (ASKER):

VPN connected, and now it is encrypting packets but not decrypting any.
can you ping any inside hosts?

the wizard created this:
access-list inside_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.224
but the subnet mask the wizard created for your ip pool is this:

ip local pool testpool 192.168.60.10-192.168.60.25 mask 255.255.255.0
inazir (ASKER):

Now it is also receiving some packets, but not too many (only 12 decryp­ted and 212 encrypted). I still can't access or see any internal resources. The mask for the VPN is different in the ACL, but ASDM creates that automatically when you run the wizard. I am still able to connect and get an IP from the pool.
inazir (ASKER):

Should I change the mask in the ACL and try? I cannot ping any inside hosts.
remove this:

no access-list inside_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.224

add this
access-list inside_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0

if still not connecting add this:

access-list inside_nat0_outbound extended permit ip any 192.168.240.0 255.255.255.0
inazir (ASKER):

After removing and adding the ACL in your second-to-last message, I am able to connect to the VPN but still not accessing any internal resources. Do I need to add the ACL you suggested in your last comment?
from cisco's asa manual the correct nat0 access list is:

access-list inside_nat0_outbound extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0

but let's see if the above works
remove this
no access-list inside_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0

add this

access-list inside_nat0_outbound extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0


tell me what nat 0 access list you have now
inazir (ASKER):

Implemented and removed all you suggested, and still not receiving bytes or able to access the LAN resources. Here is the current running config.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname firewall
domain-name mba-qc.com
enable password 18wVbLppqEl3uvIb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.240.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 204.14.166.187 255.255.255.248
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name mba-qc.com
same-security-traffic permit intra-interface
access-list testgroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.240.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool testpool 192.168.60.10-192.168.60.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 204.14.166.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server windows protocol nt
aaa-server windows (outside) host 192.168.240.150
 timeout 5
 nt-auth-domain-controller mba3
http server enable
http 192.168.240.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy testgroup internal
group-policy testgroup attributes
 wins-server value 192.168.240.150
 dns-server value 192.168.240.150
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testgroup_splitTunnelAcl
 default-domain value mba-qc.com
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
 authentication-server-group windows
 default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1c9ff0abfc62285019f3bc0c0bf404ef
: end
go to the ASDM and try this:

go to Configuration > VPN > General > VPN System Options
make sure "Enable inbound IPSec sessions to bypass interface access lists" is checked

sorry, just check this setting and apply the configuration
inazir (ASKER):

It was already checked.
add this:

crypto isakmp identity address

add this
crypto isakmp ipsec-over-tcp port 10000

add this:

isakmp nat-traversal

then try connecting over udp port 10000 using transparent tunneling

can you ping 192.168.240.1 from the vpn client?
inazir (ASKER):

I think you meant to say connect on TCP port 10000. I did that and it connects fine over TCP and starts sending and receiving bytes straight away, but it is not decrypting any packets. I still can't access any internal hosts or ping 192.168.240.1. But the sent and received byte count has improved a lot now.
inazir (ASKER):

Should we try Packet Tracer in ASDM?
NAT-T is suspect here. Is there a NAT-T setting in the router the client is behind?
if still not successful behind this router, we need to try connecting from another location.

you can, but the following debugging is more accurate:

debug crypto isakmp 127
debug crypto ipsec 127

you can do this in ASDM:
enable logging

we might get an error message that the remote client is having difficulties with NAT

again, to rule out the config, we need to try a connection from another location
it just might be the router
I am going to have to sign off soon, but we can pick this up later tonight
also, have you tried connecting without transparent tunneling?
what is the status of the packets decrypted/encrypted?
what does the route show under route details?
inazir (ASKER):

Just tried with transparent tunneling off and still the same results. In statistics under route details it's showing 0.0.0.0 as the secured route, and the sent and received bytes are almost the same number, but it is not decrypting any packets. Earlier today I was connecting from home and now I am connecting from another connection at work. I am in California, USA. Around what time should I come online?
we can continue around 5 PM PST or 8 PM EST

see if removing this has any effect:
access-list inside_nat0_outbound extended permit ip any 192.168.240.0 255.255.255.0

but leave this in:
access-list inside_nat0_outbound extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0

I will research your issue some more
it definitely is nat-related, as we can see packets getting encrypted. NAT issues will prevent traffic from going thru the tunnel

As a test for telnet to an inside host try this:

access-list outside_in extended permit 192.168.60.0 255.255.255.0 host 192.168.240.150 eq 23
access-list outside_in extended permit 192.168.60.0 255.255.255.0 host 192.168.240.150 eq 3389


also add this

access-list outside_in permit icmp any any

let me know if you can telnet into this host and rdp


sorry, forgot to add tcp in the above statements:

access-list outside_in extended permit  tcp 192.168.60.0 255.255.255.0 host 192.168.240.150 eq 23
access-list outside_in extended permit tcp 192.168.60.0 255.255.255.0 host 192.168.240.150 eq 3389
inazir (ASKER):

I enabled logging and I think I have some clue to what is happening. This is what looks fishy to me in the log:

3  Jan 18 2009  14:59:30  305005  192.168.240.150  No translation group found for udp src outside:192.168.60.10/137 dst inside:192.168.240.150/137
is this after adding the above commands to allow traffic?
inazir (ASKER):

No, it was before; I have not added the commands yet.
try those, but after some research the error you are getting is definitely due to the NAT statements. This is a common error in the ASA. I am looking at other command syntax to get this to work.

the commands above, though, are from an ASA manual written by a Cisco CCIE engineer, but obviously with this error this is a problem with the translation groups not being exempt from NAT.

inazir (ASKER):

Should we add this command?

nat (inside) 0 access-list inside_nat0_outbound
inazir (ASKER):

Whenever I try to access an internal resource this error starts appearing in the log window, so it definitely has a major part in the problem.
definitely, the nat exempt lists don't work without this. This was in your config; was it accidentally removed?

after adding, do a clear xlate, reboot the ASA and I will wait for your response. I then have dinner guests, but we can resume later. I need to look at your cryptomap statements also.

I have an ASA 5505, 5510, and 5520 on my network, and these are the commands I use to set up remote VPNs. These are standard Cisco ASA commands.
add this (we tried it earlier) if the RDP access list and telnet access list don't work. Those are restrictive lists.

but to allow all traffic to your LAN from the VPN clients:
access-list outside_in extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0

access-group outside_in in interface outside
inazir (ASKER):

Thank you for being so helpful and patient with me. I implemented your suggestions and added the command nat (inside) 0 access-list inside_nat0_outbound, and now I don't see the error message in the log window any more, but still no packets decrypted or access to any internal computers. Take your time and enjoy your lunch; we can resume at 5 Pacific time if that's OK with you.
see you soon

we will tackle this

NAT is the culprit

did you also add this:

access-list outside_in extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0

access-group outside_in in interface outside
inazir (ASKER):

Added both lines, but still the same result.
finally, try this and we will pick this up later:

access-list outside_1_cryptomap extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0
inazir (ASKER):

Tried, to no effect. Will do it later. Enjoy your meal. Thanks a lot.
it could be the "1" in the cryptomap statement
your cryptomap group, I noticed, has no 1, so try this; I am signing off,
guests coming now
access-list outside_cryptomap extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0
inazir (ASKER):

Tried, but same result.
inazir (ASKER):

OK, now I am going home for lunch. Will be back at 5:15 Pacific time. Bye.
inazir (ASKER):

OK, I am back. After the last changes we made to the configuration, I am not able to connect over TCP port 10000; now I can only connect over UDP.
send me the new config after we added the changes in the last few posts
also, we need

show crypto isakmp sa detail
show crypto ipsec sa
inazir (ASKER):

Sorry, that was because of my ZoneAlarm firewall on my client computer. Shut it down and it connected.
inazir (ASKER):

Result of the command: "show crypto isakmp sa detail"

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 204.14.166.186
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : 3des            Hash    : SHA      
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86300

Result of the command: "show crypto ipsec sa"

interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 204.14.166.187

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.60.10/255.255.255.255/0/0)
      current_peer: 204.14.166.186, username: irfan
      dynamic allocated peer ip: 192.168.60.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 204.14.166.187/10000, remote crypto endpt.: 204.14.166.186/61461
      path mtu 1500, ipsec overhead 94, media mtu 1500
      current outbound spi: 4A792FD8

    inbound esp sas:
      spi: 0xCAF5839D (3405087645)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  TCP-Encaps, }
         slot: 0, conn_id: 8, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28644
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x4A792FD8 (1249456088)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  TCP-Encaps, }
         slot: 0, conn_id: 8, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28644
         IV size: 8 bytes
         replay detection support: Y

Here goes the running config:

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname firewall
domain-name mba-qc.com
enable password 18wVbLppqEl3uvIb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.240.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 204.14.166.187 255.255.255.248
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name mba-qc.com
same-security-traffic permit intra-interface
access-list testgroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.240.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list outside_in extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool testpool 192.168.60.10-192.168.60.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 204.14.166.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server windows protocol nt
aaa-server windows (outside) host 192.168.240.150
 timeout 5
 nt-auth-domain-controller mba3
http server enable
http 192.168.240.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy testgroup internal
group-policy testgroup attributes
 wins-server value 192.168.240.150
 dns-server value 192.168.240.150
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testgroup_splitTunnelAcl
 default-domain value mba-qc.com
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
 authentication-server-group windows
 default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:43a94e022013f49accc810d03a24c6bf
: end
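The ASA-side counterpart of the client statistics this thread keeps checking, as an added Python example that is not part of the original thread: it parses one SA block from show crypto ipsec sa (SAMPLE_SA is a constructed copy of the output posted above) and turns the encrypt/decrypt counters into a verdict. On the ASA, #pkts decrypt counts packets received from the client and #pkts encrypt counts replies sent back, so a zero in each blames a different half of the path. The verdict codes and wording are this script's own, not ASA output.

```python
"""Turn the counters in one 'show crypto ipsec sa' block into a verdict (added example)."""
import re

# Constructed copy of the SA block posted above, cut to the lines this reads.
SAMPLE_SA = """\
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 204.14.166.187
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.60.10/255.255.255.255/0/0)
      current_peer: 204.14.166.186, username: irfan
      dynamic allocated peer ip: 192.168.60.10
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 204.14.166.187/10000, remote crypto endpt.: 204.14.166.186/61461
    inbound esp sas:
         in use settings ={RA, Tunnel,  TCP-Encaps, }
"""


def parse_sa(text):
    """Pull the fields the thread keeps looking at out of one SA block."""
    def grab(pat, conv=str):
        return conv(re.search(pat, text).group(1))
    settings = grab(r"in use settings =\{([^}]*)\}").replace(" ", "").split(",")
    return {
        "peer": grab(r"current_peer: ([\d.]+)"),
        "client_ip": grab(r"dynamic allocated peer ip: ([\d.]+)"),
        "remote_port": grab(r"remote crypto endpt\.: [\d.]+/(\d+)", int),
        "encrypt": grab(r"#pkts encrypt: (\d+)", int),  # replies the ASA sent to the client
        "decrypt": grab(r"#pkts decrypt: (\d+)", int),  # client packets the ASA received
        "send_errors": grab(r"#send errors: (\d+)", int),
        "recv_errors": grab(r"#recv errors: (\d+)", int),
        "settings": [s for s in settings if s],         # e.g. ['RA', 'Tunnel', 'TCP-Encaps']
    }


def diagnose(sa):
    """Name the half of the path to look at next from the two counters alone."""
    enc, dec = sa["encrypt"], sa["decrypt"]
    encaps = [s for s in sa["settings"] if s.endswith("-Encaps")]
    transport = encaps[0] if encaps else "plain ESP"
    if dec == 0:
        # Nothing from the client ever reached this SA: the problem is in front of
        # the ASA (client routes, client host firewall, NAT device at the client end).
        return ("NO_INBOUND", "no client packets decrypted on this SA (%s from %s port %d): "
                "check the client's secured routes, its host firewall and the NAT device "
                "in front of it" % (transport, sa["peer"], sa["remote_port"]))
    if enc == 0:
        # Client packets arrive but no reply is encrypted back: the inside replies are
        # being translated or routed away from the tunnel on the ASA itself.
        return ("NO_RETURN", "%d client packets decrypted but nothing encrypted back to %s: "
                "check the nat 0 exemption for inside -> %s"
                % (dec, sa["client_ip"], sa["client_ip"]))
    return ("OK", "%d in, %d out via %s" % (dec, enc, transport))
```

On the block above both counters are zero and the settings show TCP-Encaps, so the verdict is NO_INBOUND: nothing the client sent over IPsec-over-TCP ever reached this SA, which matches the client stats in this thread showing bytes encrypted but never decrypted.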
inazir (ASKER):

Connection over TCP is not working. In the log it shows that phase one and phase 2 complete, but the client keeps trying to secure the communication channel.
remove:

no access-list outside_1_cryptomap extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0
no access-list outside_cryptomap extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0
inazir (ASKER):

Removed, but still not able to connect over TCP.
I thought you were connecting over udp 10000
inazir (ASKER):

Yes, I am connected over UDP now because TCP is not connecting. Some progress here: I tried accessing the DC mba3 and it showed me my redirection folder and printers only, but no shares. When I clicked on the redirection shared folder on the server it asked me for my domain credentials, which I entered, and now it showed me all the shares on the server. But I still can't access any other computers or shares on them.
that is a NetBIOS broadcast issue

have you tried accessing a network share via a UNC path?
I will check the config for an ICMP access list so we can test pings
inazir (ASKER):

UNC paths did not work. It works only for the DC mba3, which just recently became accessible.
add the following access lists:

access-list acl_outside_in permit icmp any any
access-list acl_inside_out permit icmp any any
you generally don't need this inside out, by default all asa traffic is permitted
so you can access a shared folder, then?
enable pings so we can test

what is the ip address of dcmba3  ?
inazir (ASKER):

It's 192.168.240.150. I have added both commands.
can you ping inside hosts now?
can you access files in this share?
It sounds like we have connectivity, but problems with the access lists

after trying pinging, then do a

clear xlate

reboot the asa
inazir (ASKER):

Disconnected and reconnected, and now I can't access mba3 again. Can't ping any internal hosts. No UNC paths work, and also the client stats show it's once again not sending or receiving, and not encrypting or decrypting any packets or bytes. Will clear xlate and reboot now.
Is this the same remote location we tried earlier?  are you able to try another location? I am thinking it could be this nat router

we did not reenable nat traversal:

isakmp nat-traversal
ASKER
I tried connecting from home when I went home, and it did not work. Added the command and still no luck.
Let's backtrack a bit. You connected before and could see a share on an internal server. That indicates a successful connection. In this location, what type of router are you behind? Does it have IPSec pass-through and a NAT-T setting?
ASKER
Yes, it worked only twice. I tried to access the DC mba3 by UNC \\mba3 and it showed me the redirection shared folder and printers only, whereas it did not show any other shares on the DC. When I clicked on the redirection folder it popped up a window asking for credentials. I gave it the login and password and then it showed me all the shares on the server, but still I was unable to access any other network computer resources. And after I disconnected the VPN and reconnected I was not able to access mba3 once again. If I click on the redirection folder that it still shows, I don't get the same credentials window any more and it tells me that the folder is empty. It worked only twice. I am not behind any router. I am using the ASA as the firewall router and it goes out through the ISP modem. So it's pretty simple: just gateway modem and then ASA.
Add this:

access-list inside_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0

My question is: you are connecting to this ASA from a remote location using the VPN client. The location you are connecting from has a modem only, no Linksys or Netgear router (or something like that), correct?

ASKER
It is a different static public IP from the same ISP with totally different hardware. The client network has a Netopia router that I am behind on the client network. But the ASA network has the ASA and ISP modem only, no router of any kind, but the ASA is working in routing mode.
That is what I meant originally, so this Netopia router should have IPSec pass-through, using NAT-T.
Please check this router for this. The fact that you were able to connect from behind this router a couple of times, and were asked for a password to connect to network shares, means you had a connection.
The fact that you can't connect now indicates some sort of NAT issue behind the router.

Did you add this?
access-list inside_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0
ASKER
Yes, I added that line. You can connect to the VPN; I trust you. testgroup, test key - testvpn, testpass
Shared secret is testvpn or testpass?
ASKER
testkey
ASKER
The first two are group and key and the following two are user and pass.
ASKER
OK, now when I try to connect over TCP it connects, and also it is asking for login and pass for every resource I am trying to connect to. When I give it the pass it actually opens up the connection to the resource, so it is working with TCP, but I have to give password and login for every resource.
Is the test key two words or one? I tried both.
ASKER
Finally it is working. It asked me for login and pass only the first time, and now when I disconnected and reconnected to the VPN it is not asking me for login or pass any more and it connects straight to the resources. It is also showing all the computers under My Network Places, so it is working under TCP but not UDP. And if there is nothing wrong with TCP I would like to keep it instead of UDP, whatever you suggest.
Interesting, I am not able to connect.

Now, can you ping hosts?
Can you map a shared drive and connect to it and see files?
ASKER
All I gave you are one word.
ASKER
Yes, I can do it all.
So we can consider this case closed, then?

I am able to ping 192.168.240.150

So we are looking good.
ASKER
Now the bad news. I cannot access the internet when I am connected to the VPN :[
I had the wrong IP address first, tried 188 instead of 187.
Just need to configure split tunnel.
We don't give up after all this, right!
ASKER
I think the problem lies with securing all the traffic. If you look in the client statistics under route details you will find 0.0.0.0 as the secured network.
ASKER
Almost there. You are amazing and very patient; you never gave up on me. Hats off to you, man. I am really, really thankful. Let's sort out this little glitch.
Show me a screenshot from the ASDM on this tunnel group so we can check the split tunnel.

I think that you might have inheritance checked from the default tunnel group, and never configured the tunnel list.

The PDF I am enclosing has screenshots from the ASDM you can look at.
remvpn-b.pdf
ASKER
Now my internet has started working all by itself. I think the ASA configuration needs a little fine tuning; it's a little erratic. For a few seconds I was not able to access internals but then it started working. Something is confusing the ASA. I am posting the running config once again.

Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname firewall
domain-name mba-qc.com
enable password 18wVbLppqEl3uvIb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.240.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 204.14.166.187 255.255.255.248
!
interface Vlan3
 shutdown
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name mba-qc.com
same-security-traffic permit intra-interface
access-list testgroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.240.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0
access-list outside_in extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list acl_outside_in extended permit icmp any any
access-list acl_inside_out extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool testpool 192.168.60.10-192.168.60.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 204.14.166.185 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server windows protocol nt
aaa-server windows (outside) host 192.168.240.150
 timeout 5
 nt-auth-domain-controller mba3
http server enable
http 192.168.240.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy testgroup internal
group-policy testgroup attributes
 wins-server value 192.168.240.150
 dns-server value 192.168.240.150
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testgroup_splitTunnelAcl
 default-domain value mba-qc.com
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
 authentication-server-group windows
 default-group-policy testgroup
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:41ebd32822beba3f82918e5c720e6dfb
: end
Are you saying the split tunneling is working from the VPN client?

Send me the new config, while you look at the PDF I sent you.
Also forgot to add: you need to check "local LAN access" on the VPN client once split tunnel is configured. If you need the steps for split tunnel, I will go over this again.
ASKER
I am losing access to local LAN resources, so it works off and on. In the client, local LAN access is checked. Something is confusing the ASA.
ASKER
I cannot access the internet and the LAN at the same time. If one becomes accessible, I can't access the other. Any suggestions!
We did not configure local LAN access:

This is in the PDF I sent you also.
Create an access-list to allow local LAN access:
access-list local_lan_access remark vpnclient local lan access
access-list local_lan_access standard permit host 0.0.0.0

Enter the group policy config mode for the policy you want to modify:
group-policy testgroup attributes
Specify the split tunnel policy:

split-tunnel-policy excludespecified

split-tunnel-network-list value local_lan_access

Then:
tunnel-group testgroup general-attributes

Associate the group policy with the tunnel group:
default-group-policy testgroup

Save:
copy run start

Remember, split tunneling is a security risk, but a great convenience.
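The thread has now touched three things that can be checked mechanically in the posted running-config: the split-tunnel list (`standard permit any` under `tunnelspecified` is exactly why the client statistics showed a single secured route of 0.0.0.0 / 0.0.0.0 and why internet access broke while connected), the `nat 0` exemption that must cover the VPN pool, NAT traversal, and the two ICMP ACLs added above, which appear in the config but are never attached with `access-group`, so they filter nothing. The following linter is an added example, not code from the thread, from Cisco or from either participant; it reads a constructed extract of the posted config and only understands the handful of ASA 7.2 statements that are used here.

```python
# Added example, not the thread's or Cisco's code: a linter for the ASA 7.2 running-config
# posted above. SAMPLE_CONFIG is a constructed extract of that config, and the parser only
# knows the statements it needs (access-list, ip local pool, nat 0, group-policy attributes).
import ipaddress
import re

SAMPLE_CONFIG = """\
access-list testgroup_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0
access-list outside_in extended permit ip 192.168.240.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list acl_outside_in extended permit icmp any any
access-list acl_inside_out extended permit icmp any any
ip local pool testpool 192.168.60.10-192.168.60.25 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_in in interface outside
group-policy testgroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testgroup_splitTunnelAcl
"""

def parse_acls(config):
    """Map ACL name -> list of entry token lists (remark lines are skipped)."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (.*)", line)
        if m:
            tokens = m.group(2).split()
            entries = acls.setdefault(m.group(1), [])
            if tokens[0] != "remark":
                entries.append(tokens)
    return acls

def _network(tokens):
    """Parse one ASA address spec (any | host A | A MASK) -> (network, tokens used)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), 2
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), 2

def split_tunnel_routes(config, policy):
    """(split-tunnel-policy, networks secured under tunnelspecified / excluded under excludespecified)."""
    mode, acl_name, inside = "tunnelall", None, False
    for line in config.splitlines():
        if line == f"group-policy {policy} attributes":
            inside = True
            continue
        inside = inside and line.startswith(" ")  # attributes are the indented lines that follow
        t = line.split()
        if inside and t[:1] == ["split-tunnel-policy"]:
            mode = t[1]
        elif inside and t[:2] == ["split-tunnel-network-list", "value"]:
            acl_name = t[2]
    if mode == "tunnelall":
        return mode, ["0.0.0.0/0"]  # the single 0.0.0.0 secured route the client statistics showed
    entries = parse_acls(config).get(acl_name, [])
    return mode, [str(_network(e[2:])[0]) for e in entries if e[:2] == ["standard", "permit"]]

def nat0_covers_pool(config):
    """True if a nat 0 (NAT-exempt) ACL entry has a destination holding the whole VPN pool."""
    pool = re.search(r"^ip local pool \S+ (\S+)-(\S+) mask", config, re.M)
    nat0 = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not pool or not nat0:
        return False
    first, last = (ipaddress.ip_address(a) for a in pool.groups())
    for e in parse_acls(config).get(nat0.group(1), []):
        if e[:3] == ["extended", "permit", "ip"]:
            _, used = _network(e[3:])            # skip the source spec
            dst = _network(e[3 + used:])[0]
            if first in dst and last in dst:
                return True
    return False

def unapplied_acls(config):
    """ACLs referenced by no access-group, nat, crypto map or split list filter nothing."""
    used = set()
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-group"]:
            used.add(t[1])
        elif t[:1] == ["nat"] and "access-list" in t:
            used.add(t[t.index("access-list") + 1])
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            used.add(t[2])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            used.add(t[6])
    return sorted(set(parse_acls(config)) - used)

def lint(config, policy="testgroup"):
    mode, nets = split_tunnel_routes(config, policy)
    checks = {
        "split-tunnel list permits any: all client traffic, internet included, takes the tunnel":
            mode != "excludespecified" and "0.0.0.0/0" in nets,
        "VPN pool is not covered by the nat 0 exemption ACL": not nat0_covers_pool(config),
        "NAT traversal is not enabled; clients behind NAT routers may fail":
            not re.search(r"^(crypto )?isakmp nat-traversal", config, re.M),
    }
    findings = [msg for msg, hit in checks.items() if hit]
    return findings + [f"ACL {n} is defined but never applied" for n in unapplied_acls(config)]
```

Run against the extract, `lint()` reports the permit-any split list, the missing NAT traversal and the two unapplied ICMP ACLs, while the pool check passes because `inside_nat0_outbound` has a `192.168.60.0 255.255.255.0` destination. Swapping the split list for `standard permit 192.168.240.0 255.255.255.0` turns the secured route into 192.168.240.0/24 alone, which is the fix the Cisco split-tunnel document linked later describes; the `excludespecified` form with `host 0.0.0.0` from the post above comes out as an excluded 0.0.0.0/32, which is how local LAN access is expressed.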
ASKER
I enter all my commands from the command line interface in ASDM, and the command
split-tunnel-policy excludespecified

I am unable to send. How do I enter the policy config mode? Is there a way I can do it from ASDM?
The commands I gave you allow you to do it from the CLI; use HyperTerminal or telnet or an SSH client like PuTTY.

Or just follow the PDF I gave you and do it directly in the GUI; it contains step-by-step pictures.

Whatever is easier for you.
If you do it via CLI, the last post I sent shows you how to enter the policy config mode. I am not a fan of the CLI in the ASDM.

ASKER
That PDF shows the screenshots of the VPN wizard that I have already run when I set up the VPN, and I did the same except exposing the whole network to VPN clients. And now I cannot run the wizard to modify the same VPN. I think I should study and research tonight and let you go now. What do you think!
The screenshots will give you local LAN access so you can print, access network shares, etc. I will send you another doc to configure internet access.
We are almost there. The major issue is solved.

Tomorrow is a workday but I will still get this out to you tonight, and will assist you tomorrow with this to complete the project.
ASKER
So nice of you. What else can I say!
Here is the Cisco article on how to configure internet access while on the VPN. Again, this is a security risk.
asa-split-tunnel-vpn-client.pdf
So now you have all the docs; give it a read and we will fine tune this motor tomorrow.
ASKER
Thank you so much. I am really grateful to you. I will go through all these docs tonight and get in touch with you tomorrow. Have a good night, and thank you once again.
ASKER CERTIFIED SOLUTION
bignewf
ASKER
Did it. I followed the PDF you sent me and created an ACL for split tunneling, and it is working fine so far. You are awesome, man. Yahoo, finally I'm done with this testing. Can you just go over my config whenever you have time and scan it for any unneeded ACLs or security holes? Actually I have to set up this ASA on another network. I will do modifications of IP schemes and addresses and see how it goes. Should not be difficult. Is there any way I can save this configuration to some file from which I can import it in case I mess up while making changes? I just want to be able to revert to this config that is working now.
ASKER
All your hard work and patience paid off. Going home now. Will close the case tomorrow. Thanks a lot. Bye.
Here is the download link for the Cisco TFTP server:
http://www.brothersoft.com/tftp-server-download-65551.html
Install this on any PC to transfer the startup configuration (or running config).

First, open the TFTP program.

In the CLI:

ASA5510# copy start tftp

Address or name of remote host []? 192.168.4.60  (whatever your tftp server ip is)

Destination filename [startup-config]? config_1-19-09  (call it anything you like)
!!!!!!
23298 bytes copied in 0.80 secs

The file will be in C:\program files\cisco systems\cisco tftp server


You can view the config in WordPad.

If you ever need to restore it, do the reverse:

copy tftp start

You will be asked for the IP address of the TFTP server,
then you will input the file name on the TFTP server.
This should be done after restoring to factory defaults, as you can get a merge effect with the current config.
Also, when you have a backup config in Notepad or WordPad, you can always cut and paste into HyperTerminal.

I have set up many PIX and ASAs using standardized configs; just substitute your IP addresses, etc.
ASKER
I was able to back up the running config to the TFTP server. I have the config open in WordPad; now I have to substitute the IPs with the IP addresses of the actual network this ASA will protect. Can I simply open the ASA backup file in WordPad, substitute the IPs in the WordPad file and save the file, and then later restore the ASA to factory defaults and load the modified config file from TFTP? Is this how it works? I consider this problem resolved and am very thankful to you for all your time and efforts. Best tech support experience ever. Is there a way I can add you to my favorite experts or something like that!
ASKER
By far the best support I ever got from any blog or forum. Best expert I ever interacted with. Very patient and very understanding. Wish I could give you more points. Thanks a lot; I actually learned a lot. You could make a great IT instructor.
Yes, you can open the saved config in WordPad, resave it and just TFTP the file back in.

If you need any more assistance, I am glad to help. Just reopen the question in either the VPN category or Cisco PIX or Hardware Firewalls. These categories get immediate attention from EE (they are very popular), and if I don't see the post another Cisco person will probably pick up your post quickly. I believe you can post in 2 categories simultaneously for an immediate response.

Thanks for your comments.

Cheers!
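The last exchange covers editing a TFTP backup in WordPad to move the config to another network. Two things are easy to get wrong by hand: a plain find-and-replace of a prefix like `192.168.24` also rewrites `192.168.240.x`, and a config pasted into a forum still carries its password hashes (the running configs earlier in this thread do). The script below is an added example, not code from the thread or from Cisco; it re-addresses a saved config subnet by subnet, keeping host offsets and leaving masks, public addresses and unrelated subnets alone, and blanks the secret fields before the text is shared. `SAMPLE` is a constructed extract with placeholder hash and key values, and the 10.20.30.0/24 target is an assumption.

```python
# Added example, not the thread's or Cisco's code. SAMPLE is a constructed extract of the
# posted config with placeholder secrets; 10.20.30.0/24 is an assumed target subnet.
import ipaddress
import re

SAMPLE = """\
enable password HASHPLACEHOLDER encrypted
passwd HASHPLACEHOLDER encrypted
interface Vlan1
 ip address 192.168.240.1 255.255.255.0
interface Vlan2
 ip address 204.14.166.187 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 192.168.240.0 255.255.255.0
ip local pool testpool 192.168.60.10-192.168.60.25 mask 255.255.255.0
aaa-server windows (outside) host 192.168.240.150
tunnel-group testgroup ipsec-attributes
 pre-shared-key KEYPLACEHOLDER
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def readdress(config, mapping):
    """mapping: {old_cidr: new_cidr}. Every address inside an old subnet moves to the
    same host offset in the new subnet; anything else (masks, public IPs) is untouched."""
    pairs = []
    for old, new in mapping.items():
        old_net, new_net = ipaddress.ip_network(old), ipaddress.ip_network(new)
        if old_net.prefixlen != new_net.prefixlen:
            raise ValueError(f"{old} and {new} differ in size; the masks would need editing too")
        pairs.append((old_net, new_net))

    def swap(match):
        addr = ipaddress.ip_address(match.group(0))
        for old_net, new_net in pairs:
            if addr in old_net:
                return str(new_net.network_address + (int(addr) - int(old_net.network_address)))
        return match.group(0)  # not in any mapped subnet: a mask, a public IP, another range

    return IPV4.sub(swap, config)


def redact_secrets(config):
    """Blank the secret field of enable password / passwd / pre-shared-key lines."""
    out = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["enable", "password"]:
            tokens[2] = "<removed>"
        elif tokens[:1] in (["passwd"], ["pre-shared-key"]):
            tokens[1] = "<removed>"
        else:
            out.append(line)
            continue
        out.append((" " if line.startswith(" ") else "") + " ".join(tokens))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    moved = readdress(SAMPLE, {"192.168.240.0/24": "10.20.30.0/24",
                               "192.168.60.0/24": "10.20.60.0/24"})
    print(redact_secrets(moved))
```

The size check matters because a /24 to /16 move would also require changing every `255.255.255.0` that belongs to the moved subnet, which this script deliberately does not attempt; the ASA side of the procedure (factory reset, then `copy tftp start`) is as described in the post above.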