Solved

Cisco ASA VPN not connecting on specific interface

Posted on 2009-02-20
Last Modified: 2012-05-06
Our VPN connections were coming in to our ASA on the outside interface using the IP address xxx.xxx.xxx.208. We changed our service and the outside interface changed to xxx.xxx.xxx.34. I then moved the xxx.xxx.xxx.208 IP address to a free port and named it dsl.
All of the VPN clients can successfully connect to the outside interface with the new IP address. I would like to have our vendors' VPN connection come in on the xxx.xxx.xxx.208 IP on interface dsl, and the other VPNs connect on the xxx.xxx.xxx.34 IP address on interface outside.
I created a new VPN using the ASDM wizard and specified the interface dsl as the VPN interface, but the VPN client never connects. Please tell me what I need to add to allow the vendors' VPN to connect on the interface dsl.
ASA Version 7.1(2) 
hostname ciscoasa
domain-name ourdomain
enable password --------- encrypted
names
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.34 255.255.255.0 
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.100.100.1 255.255.255.0 
interface Ethernet0/2
 nameif dsl
 security-level 0
 ip address xxx.xxx.xxx.208 255.255.255.0 
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
password ---------- encrypted
time-range Harris
 periodic Monday 7:00 to Friday 20:00
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.100.100.16
 domain-name ourdomain
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq smtp 
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq pop3 
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq www 
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq https 
access-list OUTSIDE extended permit icmp any any echo-reply 
access-list OUTSIDE extended permit icmp any any source-quench 
access-list OUTSIDE extended permit icmp any any unreachable 
access-list OUTSIDE extended permit icmp any any time-exceeded 
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq 6001 
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq 6002 
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.208 eq 6004 
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq smtp 
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq pop3 
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq www 
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq https 
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq 6001 
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq 6002 
access-list OUTSIDE extended permit tcp any host xxx.xxx.xxx.34 eq 6004 
access-list inside_nat0_outbound extended permit ip any 10.100.90.0 255.255.255.248 
access-list inside_nat0_outbound extended permit ip any 10.100.80.0 255.255.255.240 
access-list vendors_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0 
access-list wwtp_splitTunnelAcl standard permit 10.100.100.0 255.255.255.0 
pager lines 24
logging enable
logging list Events level informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dsl 1500
ip local pool vendors 10.100.90.1-10.100.90.5 mask 255.255.255.0
ip local pool wwtp 10.100.80.2-10.100.80.10 mask 255.255.255.0
asdm image disk0:/asdm512-k8.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (dsl) 1 interface
nat (outside) 1 10.100.80.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dsl) 1 10.100.80.0 255.255.255.0
static (inside,outside) tcp interface www 10.100.100.19 www netmask 255.255.255.255 
static (inside,outside) tcp interface https 10.100.100.19 https netmask 255.255.255.255 
static (inside,outside) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255 
static (inside,outside) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255 
static (inside,outside) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255 
static (inside,outside) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255 
static (inside,dsl) tcp interface www 10.100.100.19 www netmask 255.255.255.255 
static (inside,dsl) tcp interface https 10.100.100.19 https netmask 255.255.255.255 
static (inside,dsl) tcp interface smtp 10.100.100.19 smtp netmask 255.255.255.255 
static (inside,dsl) tcp interface pop3 10.100.100.19 pop3 netmask 255.255.255.255 
static (inside,dsl) tcp interface 6001 10.100.100.19 6001 netmask 255.255.255.255 
static (inside,dsl) tcp interface 6002 10.100.100.19 6002 netmask 255.255.255.255 
static (inside,dsl) tcp interface 6004 10.100.100.19 6004 netmask 255.255.255.255 
access-group OUTSIDE in interface outside
access-group OUTSIDE in interface dsl
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.34 gateway 1
route dsl 0.0.0.0 0.0.0.0 xxx.xxx.xxx.208 gateway 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vendors internal
group-policy vendors attributes
 wins-server none
 dns-server value 10.100.100.16 10.100.100.17
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vendors_splitTunnelAcl
 default-domain value ourdomain
group-policy WasteWaterTreamentPlant internal
group-policy WasteWaterTreamentPlant attributes
 wins-server none
 dns-server value 10.100.100.16
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout none
 vpn-session-timeout none
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value wwtp_splitTunnelAcl
 default-domain value ourdomain
 user-authentication-idle-timeout none
 webvpn
  svc keepalive 60
username WWTP password -------- encrypted privilege 0
username WWTP attributes
 vpn-group-policy WasteWaterTreamentPlant
username Harris password ------- encrypted privilege 0
username Harris attributes
 vpn-group-policy vendors
 password-storage enable
http server enable
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 240 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 260 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 280 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 300 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 320 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 340 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 360 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 380 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 400 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside_map interface dsl
isakmp enable outside
isakmp enable dsl
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vendors type ipsec-ra
tunnel-group vendors general-attributes
 address-pool vendors
 default-group-policy vendors
tunnel-group vendors ipsec-attributes
 pre-shared-key *
tunnel-group WasteWaterTreamentPlant type ipsec-ra
tunnel-group WasteWaterTreamentPlant general-attributes
 address-pool wwtp
 default-group-policy WasteWaterTreamentPlant
tunnel-group WasteWaterTreamentPlant ipsec-attributes
 pre-shared-key *
telnet 10.100.100.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.100.100.16 
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain ourdomain
dhcprelay timeout 60
class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
policy-map global-policy
 class global-class
  csc fail-open
 class class-default
  csc fail-close
service-policy global-policy global
ntp server 192.35.82.50 source outside
smtp-server 10.100.100.19
client-update enable
Cryptochecksum:------
Question by:Zorniac
LVL 43

Accepted Solution

by:
JFrederick29 earned 2000 total points
ID: 23694153
Here's the problem: VPN traffic will come in the DSL interface but route out the outside interface. Add a route to the public IP of the vendor PC running the VPN client via the DSL interface. Obviously this isn't a viable solution if the vendors have dynamic addresses. Adding a second ASA to connect to the DSL may be your best bet.

Try this:

route dsl x.x.x.x 255.255.255.255 y.y.y.y

Where x.x.x.x is the public IP address of the vendor PC and y.y.y.y is the DSL next hop (gateway).

Add this also:

route dsl 10.100.90.0 255.255.255.0 y.y.y.y

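As an added illustration (not part of the thread or of any Cisco code), a small Python model of the ASA's route lookup shows why the reply to the vendor leaves via outside and why the host route fixes it: both default routes match the vendor's public address, so the lower metric (outside) wins until a more specific /32 via dsl exists. The vendor IP and gateway names are constructed placeholders for the masked x.x.x.x and y.y.y.y.

```python
"""Constructed model of the route lookup in the thread: longest prefix wins,
then lowest metric. Mirrors the posted 'route' lines, not real ASA code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    gateway: str          # placeholder name; real gateways are masked on the page
    metric: int = 1


def pick_route(table, dst):
    """Return the best matching Route for dst, or None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    # Longer prefix first; among equal prefixes the lower metric is preferred.
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.metric))


def egress_interface(table, dst):
    """Interface the ASA would send a reply to dst out of (None = unroutable)."""
    route = pick_route(table, dst)
    return route.iface if route else None


# Routes as posted: default via outside (metric 1) and via dsl (metric 2).
BASE_TABLE = [
    Route("outside", ipaddress.IPv4Network("0.0.0.0/0"), "OUTSIDE_GW", 1),
    Route("dsl",     ipaddress.IPv4Network("0.0.0.0/0"), "DSL_GW",     2),
]

VENDOR_PC = "198.51.100.7"   # constructed stand-in for the vendor's public x.x.x.x

# Routes the accepted answer adds: host route for the vendor PC and the
# vendors pool (10.100.90.0/24), both via the DSL gateway (y.y.y.y).
FIXED_TABLE = BASE_TABLE + [
    Route("dsl", ipaddress.IPv4Network(VENDOR_PC + "/32"),    "DSL_GW", 1),
    Route("dsl", ipaddress.IPv4Network("10.100.90.0/24"),     "DSL_GW", 1),
]

if __name__ == "__main__":
    # Before the fix the IKE/ESP replies exit outside, not dsl: asymmetric.
    print("before fix:", egress_interface(BASE_TABLE, VENDOR_PC))   # outside
    print("after fix: ", egress_interface(FIXED_TABLE, VENDOR_PC))  # dsl
    print("other host:", egress_interface(FIXED_TABLE, "203.0.113.9"))  # outside
```

Any other Internet host still takes the outside default, which is why the answer notes the approach only works for vendors with static addresses.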
LVL 1

Author Comment

by:Zorniac
ID: 23694200
JFrederick,
So y.y.y.y is the DSL connection's gateway, the address given to us by the ISP, or the internal gateway, our inside interface?
LVL 43

Expert Comment

by:JFrederick29
ID: 23694226
y.y.y.y is the DSL connection's gateway.
LVL 1

Author Comment

by:Zorniac
ID: 23694279
Figured it out, it is our inside int IP address.

Thank you sir!