AboutPricingCommunityTeamsStart Free TrialLog in
Avatar of dsrumer
dsrumer
Flag for United States of America asked on

Cisco ASA VPN attaches but no traffic

Hello Experts!

I have a Cisco ASA5510 and am trying to set up a VPN.  I connect fine but am unable to ping hosts on another interface.  The VPN is coming in on the wireless interface and I am trying to contact a host on the patron interface.  Here is the config.  I cannot find what is blocking the traffic.  Any help is appreciated.
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif patrons
 security-level 50
 ip address 192.168.99.1 255.255.255.0
!
interface Ethernet0/2
 nameif wireless
 security-level 50
 ip address 192.168.197.1 255.255.255.0
!
interface Ethernet0/3
 nameif citynetwork
 security-level 100
 ip address 10.1.7.5 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxx encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service EnvisionWaareUDP udp
 port-object range 1969 1969
object-group service EnvisionWareTCP tcp
 description test
 port-object range 11958 11958
 port-object range 11960 11960
 port-object range 1969 1970
 port-object range 1978 1978
 port-object range 21326 21326
 port-object range 30044 30044
 port-object range 6987 6987
 port-object range 7383 7384
access-list wireless_mpc extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any 192.168.198.0 255.255.25
5.0
access-list patrons_access_in extended permit tcp any host 192.168.99.250 object
-group EnvisionWareTCP
access-list patrons_access_in extended permit udp any host 192.168.99.250 object
-group EnvisionWaareUDP
access-list patrons_access_in extended deny ip 192.168.99.0 255.255.255.0 10.0.0
.0 255.0.0.0
access-list patrons_access_in extended permit ip any any
access-list wireless_cryptomap_65535.20 extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu patrons 1500
mtu wireless 1500
mtu citynetwork 1500
mtu management 1500
ip local pool Gobi7 192.168.198.100-192.168.198.150 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface patrons
ip verify reverse-path interface wireless
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (patrons) 0 access-list inside_nat0_outbound
nat (patrons) 1 0.0.0.0 0.0.0.0
nat (wireless) 1 0.0.0.0 0.0.0.0
static (citynetwork,patrons) 192.168.99.250 10.1.7.212 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group patrons_access_in in interface patrons
route citynetwork 10.1.0.0 255.255.0.0 10.1.7.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.0.0 255.255.0.0 citynetwork
http 192.168.99.0 255.255.255.0 patrons
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map wireless_dyn_map 20 match address wireless_cryptomap_65535.20
crypto dynamic-map wireless_dyn_map 20 set pfs
crypto dynamic-map wireless_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map wireless_map 65535 ipsec-isakmp dynamic wireless_dyn_map
crypto map wireless_map interface wireless
crypto isakmp enable wireless
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.99.0 255.255.255.0 patrons
telnet 10.1.0.0 255.255.0.0 citynetwork
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd address 192.168.99.50-192.168.99.225 patrons
dhcpd dns 12.207.234.29 12.207.235.32 interface patrons
dhcpd enable patrons
!
dhcpd address 192.168.197.100-192.168.197.200 wireless
dhcpd dns 12.207.234.29 12.207.235.32 interface wireless
dhcpd lease 21600 interface wireless
dhcpd enable wireless
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map wireless-class
 match access-list wireless_mpc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
policy-map wireless-policy
 class wireless-class
  police output 3000000 1500
!
service-policy global_policy global
service-policy wireless-policy interface wireless
group-policy cvpl internal
group-policy cvpl attributes
 vpn-tunnel-protocol IPSec
username cvpl password xxxxxxxxxxxxxxxx encrypted privilege 0
username cvpl attributes
 vpn-group-policy cvpl
tunnel-group cvpl type ipsec-ra
tunnel-group cvpl general-attributes
 address-pool Gobi7
 default-group-policy cvpl
tunnel-group cvpl ipsec-attributes
 pre-shared-key xxxxxxxxxxxxxxx
prompt hostname context
: end
ciscoasa#

Open in new window

Hardware Firewalls
Avatar of undefined
Last Comment
dsrumer
8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
JFrederick29
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
dsrumer
ASKER
Thanks for the fast reply.  This makes sense as I have never set a VPN up on same security level interfaces.  I left that customer office and will go back tomorrow to try.  I will post back then.
dsrumer
ASKER
Oddly enough, the command did not work however, by changing the security level of the wireless network to 25, the traffic started flowing.  Thanks for the lead JFrederick29!
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
Plans and Pricing
Resources
Product
Podcasts
Careers
Contact Us
Teams
Certified Expert Program
Credly Partnership
Udemy Partnership
Privacy Policy
Terms of Use

© 1996-2023 Experts Exchange, LLC. All rights reserved. Covered by US Patent