Avatar of dsrumer
Flag for United States of America asked on

Cisco ASA VPN attaches but no traffic

Hello Experts!

I have a Cisco ASA5510 and am trying to set up a VPN.  I connect fine but am unable to ping hosts on another interface.  The VPN is coming in on the wireless interface and I am trying to contact a host on the patron interface.  Here is the config.  I cannot find what is blocking the traffic.  Any help is appreciated.
ASA Version 7.2(3)
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxx encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Ethernet0/1
 nameif patrons
 security-level 50
 ip address
interface Ethernet0/2
 nameif wireless
 security-level 50
 ip address
interface Ethernet0/3
 nameif citynetwork
 security-level 100
 ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
passwd xxxxxxxxxx encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service EnvisionWaareUDP udp
 port-object range 1969 1969
object-group service EnvisionWareTCP tcp
 description test
 port-object range 11958 11958
 port-object range 11960 11960
 port-object range 1969 1970
 port-object range 1978 1978
 port-object range 21326 21326
 port-object range 30044 30044
 port-object range 6987 6987
 port-object range 7383 7384
access-list wireless_mpc extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any 255.255.25
access-list patrons_access_in extended permit tcp any host object
-group EnvisionWareTCP
access-list patrons_access_in extended permit udp any host object
-group EnvisionWaareUDP
access-list patrons_access_in extended deny ip 10.0.0
access-list patrons_access_in extended permit ip any any
access-list wireless_cryptomap_65535.20 extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu patrons 1500
mtu wireless 1500
mtu citynetwork 1500
mtu management 1500
ip local pool Gobi7 mask
ip verify reverse-path interface outside
ip verify reverse-path interface patrons
ip verify reverse-path interface wireless
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (patrons) 0 access-list inside_nat0_outbound
nat (patrons) 1
nat (wireless) 1
static (citynetwork,patrons) netmask
access-group outside_access_in in interface outside
access-group patrons_access_in in interface patrons
route citynetwork 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http citynetwork
http patrons
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map wireless_dyn_map 20 match address wireless_cryptomap_65535.20
crypto dynamic-map wireless_dyn_map 20 set pfs
crypto dynamic-map wireless_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map wireless_map 65535 ipsec-isakmp dynamic wireless_dyn_map
crypto map wireless_map interface wireless
crypto isakmp enable wireless
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet patrons
telnet citynetwork
telnet management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client client-id interface outside
dhcpd address patrons
dhcpd dns interface patrons
dhcpd enable patrons
dhcpd address wireless
dhcpd dns interface wireless
dhcpd lease 21600 interface wireless
dhcpd enable wireless
dhcpd address management
dhcpd enable management
class-map wireless-class
 match access-list wireless_mpc
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
policy-map wireless-policy
 class wireless-class
  police output 3000000 1500
service-policy global_policy global
service-policy wireless-policy interface wireless
group-policy cvpl internal
group-policy cvpl attributes
 vpn-tunnel-protocol IPSec
username cvpl password xxxxxxxxxxxxxxxx encrypted privilege 0
username cvpl attributes
 vpn-group-policy cvpl
tunnel-group cvpl type ipsec-ra
tunnel-group cvpl general-attributes
 address-pool Gobi7
 default-group-policy cvpl
tunnel-group cvpl ipsec-attributes
 pre-shared-key xxxxxxxxxxxxxxx
prompt hostname context
: end

Open in new window

Hardware Firewalls

Avatar of undefined
Last Comment

8/22/2022 - Mon

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

Thanks for the fast reply.  This makes sense as I have never set a VPN up on same security level interfaces.  I left that customer office and will go back tomorrow to try.  I will post back then.

Oddly enough, the command did not work however, by changing the security level of the wireless network to 25, the traffic started flowing.  Thanks for the lead JFrederick29!
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes