We help IT Professionals succeed at work.
Get Started

Cisco ASA VPN attaches but no traffic

dsrumer
dsrumer asked
on
874 Views
Last Modified: 2012-05-06
Hello Experts!

I have a Cisco ASA5510 and am trying to set up a VPN.  I connect fine but am unable to ping hosts on another interface.  The VPN is coming in on the wireless interface and I am trying to contact a host on the patron interface.  Here is the config.  I cannot find what is blocking the traffic.  Any help is appreciated.
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/1
 nameif patrons
 security-level 50
 ip address 192.168.99.1 255.255.255.0
!
interface Ethernet0/2
 nameif wireless
 security-level 50
 ip address 192.168.197.1 255.255.255.0
!
interface Ethernet0/3
 nameif citynetwork
 security-level 100
 ip address 10.1.7.5 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxx encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service EnvisionWaareUDP udp
 port-object range 1969 1969
object-group service EnvisionWareTCP tcp
 description test
 port-object range 11958 11958
 port-object range 11960 11960
 port-object range 1969 1970
 port-object range 1978 1978
 port-object range 21326 21326
 port-object range 30044 30044
 port-object range 6987 6987
 port-object range 7383 7384
access-list wireless_mpc extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any 192.168.198.0 255.255.25
5.0
access-list patrons_access_in extended permit tcp any host 192.168.99.250 object
-group EnvisionWareTCP
access-list patrons_access_in extended permit udp any host 192.168.99.250 object
-group EnvisionWaareUDP
access-list patrons_access_in extended deny ip 192.168.99.0 255.255.255.0 10.0.0
.0 255.0.0.0
access-list patrons_access_in extended permit ip any any
access-list wireless_cryptomap_65535.20 extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu patrons 1500
mtu wireless 1500
mtu citynetwork 1500
mtu management 1500
ip local pool Gobi7 192.168.198.100-192.168.198.150 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface patrons
ip verify reverse-path interface wireless
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (patrons) 0 access-list inside_nat0_outbound
nat (patrons) 1 0.0.0.0 0.0.0.0
nat (wireless) 1 0.0.0.0 0.0.0.0
static (citynetwork,patrons) 192.168.99.250 10.1.7.212 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group patrons_access_in in interface patrons
route citynetwork 10.1.0.0 255.255.0.0 10.1.7.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.1.0.0 255.255.0.0 citynetwork
http 192.168.99.0 255.255.255.0 patrons
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map wireless_dyn_map 20 match address wireless_cryptomap_65535.20
crypto dynamic-map wireless_dyn_map 20 set pfs
crypto dynamic-map wireless_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map wireless_map 65535 ipsec-isakmp dynamic wireless_dyn_map
crypto map wireless_map interface wireless
crypto isakmp enable wireless
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 192.168.99.0 255.255.255.0 patrons
telnet 10.1.0.0 255.255.0.0 citynetwork
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd address 192.168.99.50-192.168.99.225 patrons
dhcpd dns 12.207.234.29 12.207.235.32 interface patrons
dhcpd enable patrons
!
dhcpd address 192.168.197.100-192.168.197.200 wireless
dhcpd dns 12.207.234.29 12.207.235.32 interface wireless
dhcpd lease 21600 interface wireless
dhcpd enable wireless
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map wireless-class
 match access-list wireless_mpc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
policy-map wireless-policy
 class wireless-class
  police output 3000000 1500
!
service-policy global_policy global
service-policy wireless-policy interface wireless
group-policy cvpl internal
group-policy cvpl attributes
 vpn-tunnel-protocol IPSec
username cvpl password xxxxxxxxxxxxxxxx encrypted privilege 0
username cvpl attributes
 vpn-group-policy cvpl
tunnel-group cvpl type ipsec-ra
tunnel-group cvpl general-attributes
 address-pool Gobi7
 default-group-policy cvpl
tunnel-group cvpl ipsec-attributes
 pre-shared-key xxxxxxxxxxxxxxx
prompt hostname context
: end
ciscoasa#

Open in new window

Comment
Watch Question
Top Expert 2009
Commented:
This problem has been solved!
Unlock 1 Answer and 3 Comments.
See Answer
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE