DeZo1
asked on
Cisco ASA VPN not connecting on specific interface
Our VPN connections were coming in to our ASA on the outside interface using the IP address xxx.xxx.xxx.208. We changed our service and the outside interface changed to xxx.xxx.xxx.34. I then moved the xxx.xxx.xxx.208 IP address to a free port and named it dsl.
All of the VPN clients can successfully connect to the outside interface with the new IP address. I would like to have our vendors' VPN connection come in on the xxx.xxx.xxx.208 IP on interface dsl, and the other VPNs connect on the xxx.xxx.xxx.34 IP address on interface outside.
I created a new VPN using the ASDM wizard and specified the interface dsl as the VPN interface, but the VPN client never connects. Please tell me what I need to add to allow the vendors' VPN to connect on the interface dsl.
ASA Version 7.1(2)
hostname ciscoasa
domain-name ourdomain
enable password --------- encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.34 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.100.100.1 255.255.255.0
interface Ethernet0/2
nameif dsl
security-level 0
ip address xxx.xxx.xxx.208 255.255.255.0
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
management-only
password ---------- encrypted
time-range Harris
periodic Monday 7:00 to Friday 20:00
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.100.100.16
domain-name ourdomain
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq smtp
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq pop3
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq www
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq https
access-list OUTSIDE extended permit icmp any any echo-reply
access-list OUTSIDE extended permit icmp any any source-quench
access-list OUTSIDE extended permit icmp any any unreachable
access-list OUTSIDE extended permit icmp any any time-exceeded
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq 6001
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq 6002
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq 6004
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq smtp
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq pop3
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq www
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq https
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq 6001
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq 6002
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq 6004
access-list inside_nat0_outbound extended permit ip any 10.100.90.0 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 10.100.80.0 255.255.255.240
access-list vendors_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
access-list wwtp_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0
pager lines 24
logging enable
logging list Events level informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dsl 1500
ip local pool vendors 10.100.90.1-10.100.90.5 mask 255.255.255.0
ip local pool wwtp 10.100.80.2-10.100.80.10 mask 255.255.255.0
asdm image disk0:/asdm512-k8.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dsl) 1 interface
nat (outside) 1 10.100.80.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dsl) 1 10.100.80.0 255.255.255.0
static (inside,outside) tcp interface www 10.100.100.19 www netmask 255.255.255.255
static (inside,outside) tcp interface https 10.100.100.19 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255
static (inside,outside) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255
static (inside,outside) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255
static (inside,dsl) tcp interface www 10.100.100.19 www netmask 255.255.255.255
static (inside,dsl) tcp interface https 10.100.100.19 https netmask 255.255.255.255
static (inside,dsl) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255
static (inside,dsl) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255
static (inside,dsl) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255
static (inside,dsl) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255
static (inside,dsl) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255
access-group OUTSIDE in interface outside
access-group OUTSIDE in interface dsl
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.34 gateway 1
route dsl 0.0.0.0 0.0.0.0 xxx.xxx.xxx.208 gateway 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vendors internal
group-policy vendors attributes
wins-server none
dns-server value 10.100.100.16 10.100.100.17
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vendors_splitTunnelAcl
default-domain value ourdomain
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
wins-server none
dns-server value 10.100.100.16
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value wwtp_splitTunnelAcl
default-domain value ourdomain
user-authentication-idle-timeout none
webvpn
svc keepalive 60
username WWTP password -------- encrypted privilege 0
username WWTP attributes
vpn-group-policy WasteWaterTreamentPlant
username Harris password ------- encrypted privilege 0
username Harris attributes
vpn-group-policy vendors
password-storage enable
http server enable
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 240 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 260 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 280 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 300 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 320 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 340 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 360 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 380 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 400 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_map interface dsl
isakmp enable outside
isakmp enable dsl
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vendors type ipsec-ra
tunnel-group vendors general-attributes
address-pool vendors
default-group-policy vendors
tunnel-group vendors ipsec-attributes
pre-shared-key *
tunnel-group WasteWaterTreamentPlant type ipsec-ra
tunnel-group WasteWaterTreamentPlant general-attributes
address-pool wwtp
default-group-policy WasteWaterTreamentPlant
tunnel-group WasteWaterTreamentPlant ipsec-attributes
pre-shared-key *
telnet 10.100.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.100.100.16
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain ourdomain
dhcprelay timeout 60
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map global-policy
class global-class
csc fail-open
class class-default
csc fail-close
service-policy global-policy global
ntp server 192.35.82.50 source outside
smtp-server 10.100.100.19
client-update enable
Cryptochecksum:------
ASKER CERTIFIED SOLUTION
y.y.y.y is the DSL connection's gateway.
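The hint above points at the next hop of the dsl interface's default route: a static route on the ASA must point at the ISP's gateway on that interface's own subnet, not at one of the firewall's own addresses. The following checker is an added example, not code from the thread; it parses a constructed ASA 7.x-style config (RFC 5737 addresses standing in for the asker's xxx.xxx.xxx.* values) and reports, for every interface a crypto map is bound to, whether its default route's next hop is plausible.

```python
import ipaddress
# Constructed sample modelled on the thread's config (RFC 5737 addresses, not the
# asker's); the dsl default route deliberately points at the inside interface IP.
SAMPLE = """\
interface Ethernet0/0
 nameif outside
 ip address 192.0.2.34 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 10.100.100.1 255.255.255.0
interface Ethernet0/2
 nameif dsl
 ip address 198.51.100.208 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
route dsl 0.0.0.0 0.0.0.0 10.100.100.1 2
crypto map outside_map interface outside
crypto map outside_map interface dsl
"""

def parse(config):
    # Collect interface addresses, per-interface default routes and the
    # interfaces a crypto map is bound to ('show run' token layout).
    ifaces, routes, vpn_ifaces, cur = {}, {}, set(), None
    for line in config.splitlines():
        tok = line.split() or ["#"]            # blank line matches nothing below
        if tok[0] == "interface":
            cur = None                         # nameif follows inside the block
        elif tok[0] == "nameif":
            cur = tok[1]
        elif tok[:2] == ["ip", "address"] and cur:
            ifaces[cur] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "route" and tok[2:4] == ["0.0.0.0", "0.0.0.0"]:
            routes[tok[1]] = ipaddress.ip_address(tok[4])   # next hop
        elif tok[:2] == ["crypto", "map"] and tok[3:4] == ["interface"]:
            vpn_ifaces.add(tok[4])
    return ifaces, routes, vpn_ifaces

def check_vpn_routes(config):
    # Return {interface: finding} for every interface a crypto map is bound to.
    ifaces, routes, vpn_ifaces = parse(config)
    out = {}
    for name in sorted(vpn_ifaces):
        own, nh = ifaces.get(name), routes.get(name)
        if own is None or nh is None:
            out[name] = "missing ip address or default route for this interface"
        elif nh == own.ip:
            out[name] = "next hop is the interface's own address, not the ISP gateway"
        elif nh not in own.network:
            hit = next((n for n, i in ifaces.items() if nh in i.network), "?")
            out[name] = f"next hop {nh} is not in {own.network}; it is on {hit}"
        else:
            out[name] = "ok"
    return out
```

Run against the real config after replacing the masked addresses; a "dsl" finding other than "ok" is the first thing to fix before looking at the tunnel-group or crypto map.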
ASKER
Figured it out; it is our inside interface IP address.
Thank you sir!
ASKER
So y.y.y.y is the DSL connection's gateway: the address given to us by the ISP, or the internal gateway, our inside interface?