Configure VPN between two ASA 5505

I am trying to configure two cisco ASA 5505 devices for Site to Site VPN connectivity.  I have managed to get a VPN tunnel up between the two devices, but am unable to pass any data from each site.  I would like to have this setup to pretty much permit all traffic from site A to Site B and vice versa.  I have attached the running-cfg for both SITEA and SITEB devices.
SITEA.txt
SITEB.txt
1 Solution
 
JFrederick29Commented:
The config looks good. For SiteA, is the ASA (192.168.74.1) the default gateway for the hosts, or is it something else, since DHCP isn't enabled on the SiteA ASA? If you want DHCP enabled on the SiteA ASA, add this:

conf t
dhcpd enable inside

Verify that clients on both sites have the ASA inside IP address as their default gateway, if no other routers exist at each site.

If it is still not working, leave an extended ping running from a SiteA PC to a SiteB PC and then post a "show cry ipsec sa" from both ASAs.
 
fluidiqsitAuthor Commented:
J, so I came into work today and for some reason it works for the most part. I can ping from a SITEA PC to a SITEB PC as well as RDP from one to the other; however, I cannot ping the gateway of each (SITEA and SITEB) from the opposite LAN, i.e. from SITEA ping the gateway of SITEB. In that same respect I also cannot access the ASA via telnet or ASDM from the opposite LAN. Can you point out where this is getting blocked, or how I can open it up so I am not dropping this traffic?
 
JFrederick29Commented:
Add this to both ASAs to resolve that:

conf t
management-access inside
fluidiqsitAuthor Commented:
Awesome, that worked. Last thing - I would like to add Remote Access VPN to one of the sites so that users can access the LAN from their remote location. I've tried numerous times using the Remote Access VPN wizard, but each time I am unable to get it to work. Again, it connects no problem, but there is no access across the tunnel. When using the wizard, what should I be inputting into the IP Address pool and NAT (remote network/host) entries to make this work properly?
 
JFrederick29Commented:
The IP address pool should be a different/unique subnet and there should be no-NAT rules applied.
 
fluidiqsitAuthor Commented:
Ok tried that with the same results.  I could be missing something though using the wizard to configure this.  I have attached the config for this for reference.
SITEB-wPeerVPN.txt
 
JFrederick29Commented:
The config looks good.  So, you can connect with the client but not access anything?  If so, what are you trying to access?

Can you ping 192.168.72.1?
 
fluidiqsitAuthor Commented:
No cannot ping 192.168.72.1 or a host 192.168.72.10.
 
JFrederick29Commented:
Under the statistics tab in the VPN client, do you see traffic inbound and outbound?  Can you post a "show cry ipsec sa" from the ASA when connected...
 
fluidiqsitAuthor Commented:
Sorry JFred for the late response. OK, I now have the routers onsite and can access the router from the outside interface. How do I permit Internet traffic from the inside interfaces, to simply be able to browse the web?
 
JFrederick29Commented:
Is this unrelated to the VPN?

This is really all you need to get Internet on the ASA.

global (outside) 1 interface
nat (inside) 1 0 0
 
fluidiqsitAuthor Commented:
I thought so, and have that already in the config. Check out this config; am I missing something?
Result of the command: "show running-config"
 
: Saved
:
ASA Version 7.2(4) 
!
hostname EDINBOROWWTP
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.72.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.211.240.142 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login EDINBORO
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 66.211.211.21
 name-server 66.211.211.22
 domain-name default.domain.invalid
access-list 100 remark ****** Link to EDINBOROTOWNHALL ******
access-list 100 extended permit ip 192.168.72.0 255.255.255.0 192.168.74.0 255.255.255.0 
access-list nonat extended permit ip 192.168.72.0 255.255.255.0 192.168.74.0 255.255.255.0 
access-list nonat extended permit ip any 10.21.72.0 255.255.255.224 
access-list inside_access_in extended permit ip any any 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 10.21.72.1-10.21.72.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.72.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 66.211.240.141 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.72.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set edbset esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec df-bit clear-df outside
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map mymap 1 match address 100
crypto map mymap 1 set pfs 
crypto map mymap 1 set peer 66.211.240.90 
crypto map mymap 1 set transform-set edbset
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.72.2-192.168.72.254 inside
!
 
group-policy EDINWWTP internal
group-policy EDINWWTP attributes
 dns-server value 192.168.72.1
 vpn-tunnel-protocol IPSec 
username vpnuser password sfjwaYyosZCKP38A encrypted privilege 0
username vpnuser attributes
 vpn-group-policy EDINWWTP
username fluidiqsit password 6ghzNJWUxwyXE7LO encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 66.211.240.90 type ipsec-l2l
tunnel-group 66.211.240.90 ipsec-attributes
 pre-shared-key *
tunnel-group EDINWWTP type ipsec-ra
tunnel-group EDINWWTP general-attributes
 address-pool VPNPOOL
 default-group-policy EDINWWTP
tunnel-group EDINWWTP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:4728e43ad33367bbcaabc2242a8ee32c
: end

JFrederick29Commented:
The config looks fine. Do your PCs have proper DNS settings? 192.168.72.1 is the default gateway for these, right? What is doing DHCP on your network, or are you statically configuring the PCs?
 
fluidiqsitAuthor Commented:
Statically configuring IP.  Tried setting the DNS to 192.168.72.1 as well as tried the isp's dns server 66.211.211.21.
 
JFrederick29Commented:
Use your ISP's DNS servers, not the ASA or try 4.2.2.2 (public DNS).

Add this:

conf t
policy-map global_policy
 class inspection_default
 inspect icmp

Then, try pinging 192.168.72.1. Can you ping 4.2.2.2?

Can you ping 4.2.2.2 from the ASA itself?
 
fluidiqsitAuthor Commented:
Without adding any config changes... I can ping 4.2.2.2 or any other external address.
 
JFrederick29Commented:
From the ASA and PC or just the ASA?
 
fluidiqsitAuthor Commented:
I can ping it from the ASA, but not from the PC.
 
JFrederick29Commented:
Okay, you need to add this to make it happen for the PC.

conf t
policy-map global_policy
 class inspection_default
 inspect icmp

Also double check the PC has a default gateway of 192.168.72.1.
 
fluidiqsitAuthor Commented:
Added the code and double checked the gateway, and it is set properly. Still cannot ping 4.2.2.2 from the PC.
 
JFrederick29Commented:
Try this:

access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded

access-group outside_access_in in interface outside

Does this work?

telnet 72.14.205.103 80
 
fluidiqsitAuthor Commented:
OK added those and still no ping.  Telnet is unable to connect to host as well.
 
JFrederick29Commented:
Okay, can you ping 192.168.72.1 from the PC?
 
fluidiqsitAuthor Commented:
Yes... no problem there.
 
JFrederick29Commented:
Strange.  Do a "wr mem" and then "reload" the ASA.

If still not working, post the latest config.
 
fluidiqsitAuthor Commented:
Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4)
!
hostname EDINBOROWWTP
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.72.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.211.240.142 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login EDINBORO
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 66.211.211.21
 name-server 66.211.211.22
 domain-name default.domain.invalid
access-list 100 remark ****** Link to EDINBOROTOWNHALL ******
access-list 100 extended permit ip 192.168.72.0 255.255.255.0 192.168.74.0 255.255.255.0
access-list nonat extended permit ip 192.168.72.0 255.255.255.0 192.168.74.0 255.255.255.0
access-list nonat extended permit ip any 10.21.72.0 255.255.255.224
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPNPOOL 10.21.72.1-10.21.72.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 0 192.168.72.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.211.240.141 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.72.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set edbset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map mymap 1 match address 100
crypto map mymap 1 set pfs
crypto map mymap 1 set peer 66.211.240.90
crypto map mymap 1 set transform-set edbset
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.72.2-192.168.72.254 inside
!

group-policy EDINWWTP internal
group-policy EDINWWTP attributes
 dns-server value 192.168.72.1
 vpn-tunnel-protocol IPSec
username vpnuser password sfjwaYyosZCKP38A encrypted privilege 0
username vpnuser attributes
 vpn-group-policy EDINWWTP
username fluidiqsit password 6ghzNJWUxwyXE7LO encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 66.211.240.90 type ipsec-l2l
tunnel-group 66.211.240.90 ipsec-attributes
 pre-shared-key *
tunnel-group EDINWWTP type ipsec-ra
tunnel-group EDINWWTP general-attributes
 address-pool VPNPOOL
 default-group-policy EDINWWTP
tunnel-group EDINWWTP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cbc39d49eec9fab7fcd84e70f6301d79
: end
 
fluidiqsitAuthor Commented:
Still not working...that is the current config
 
fluidiqsitAuthor Commented:
JF - do you think it could be something to do with the cable modem? It's a stretch, but I just wanted to throw that out there. We have a cable modem at the edge, and that goes into 0/0 on the ASA device.
 
JFrederick29Commented:
Ahh hah, I see the issue (it wasn't in the first config posted but is definitely a problem).

conf t
no nat (inside) 0 192.168.72.0 255.255.255.0

This disables NAT for the 192.168.72.0/24 subnet.
 
fluidiqsitAuthor Commented:
That looked promising, but still no go. How can we open it up to allow all traffic through? I have a feeling the ACL may be dropping the traffic.
 
JFrederick29Commented:
The return traffic is allowed by default.  In fact, remove this as it is not necessary.

conf t
no access-group inside_access_in in interface inside

Then post the latest config again just to double check the changes took.
 
fluidiqsitAuthor Commented:
OK added all that and still same results.  Here is the current running cfg.
Result of the command: "show running-config"
 
: Saved
:
ASA Version 7.2(4) 
!
hostname EDINBOROWWTP
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.72.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.211.240.142 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner login EDINBORO
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 66.211.211.21
 name-server 66.211.211.22
 domain-name default.domain.invalid
access-list 100 remark ****** Link to EDINBOROTOWNHALL ******
access-list 100 extended permit ip 192.168.72.0 255.255.255.0 192.168.74.0 255.255.255.0 
access-list nonat extended permit ip 192.168.72.0 255.255.255.0 192.168.74.0 255.255.255.0 
access-list nonat extended permit ip any 10.21.72.0 255.255.255.224 
access-list inside_access_in extended permit ip any any 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in extended permit icmp any any unreachable 
access-list outside_access_in extended permit icmp any any time-exceeded 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 10.21.72.1-10.21.72.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.211.240.141 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.72.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set edbset esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec df-bit clear-df outside
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map mymap 1 match address 100
crypto map mymap 1 set pfs 
crypto map mymap 1 set peer 66.211.240.90 
crypto map mymap 1 set transform-set edbset
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.72.2-192.168.72.254 inside
!
 
group-policy EDINWWTP internal
group-policy EDINWWTP attributes
 dns-server value 192.168.72.1
 vpn-tunnel-protocol IPSec 
username vpnuser password sfjwaYyosZCKP38A encrypted privilege 0
username vpnuser attributes
 vpn-group-policy EDINWWTP
username fluidiqsit password 6ghzNJWUxwyXE7LO encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
tunnel-group 66.211.240.90 type ipsec-l2l
tunnel-group 66.211.240.90 ipsec-attributes
 pre-shared-key *
tunnel-group EDINWWTP type ipsec-ra
tunnel-group EDINWWTP general-attributes
 address-pool VPNPOOL
 default-group-policy EDINWWTP
tunnel-group EDINWWTP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:cbc39d49eec9fab7fcd84e70f6301d79
: end

JFrederick29Commented:
Okay, the config looks good.  It has to be something else.

Add this:

conf t
logging enable
logging buffer debug

Try a ping from the PC and then post a "show log" from the ASA.

Can you also post an "ipconfig /all" from the PC just to double check.
 
fluidiqsitAuthor Commented:
The client WS I have been using is unavailable, so I have been pinging from the ASDM using the Ping tool and setting the interface to the inside. Here is the syslog and a screencap of the ASDM log buffer.
SYSLog.txt
SyslogAsdm.jpg
 
JFrederick29Commented:
Ahh, okay, well, that's not a true test since the inside interface won't undergo NAT and will fail.  You really need to try from the PC which I am confident will work now since removing the NAT 0 for the 192.168.72.0/24 subnet.
 
fluidiqsitAuthor Commented:
Ok let me see if I can get a hold of an operator onsite.
 
fluidiqsitAuthor Commented:
Do you see any issues with the Remote Access VPN setup?  I am able to establish a tunnel, but unable to receive data back (VPN Clients show packets being sent, but not received).  Any idea how to fix this part.  This will give me access to other workstations onsite without getting an operator to help out.
 
JFrederick29Commented:
The Remote Access VPN looks good.  What are you trying to communicate with?  Can you ping 192.168.72.1?  It could be that the remote workstations don't have 192.168.72.1 as their default gateway.
 
fluidiqsitAuthor Commented:
When I VPN in, I cannot ping the gateway or any other device on the LAN side (192.168.72.0/24). I am positive the workstation is set properly with 72.1 as the gateway. Here are the log files for the VPN traffic.
VPNClientLog.txt
SyslogAsdm-VPN.jpg
 
JFrederick29Commented:
Logs look good although it didn't capture the full session.  You should be able to ping 192.168.72.1 at a minimum.  When connected via VPN, please post a "show cry isa sa" and a "show crypto ipsec sa".
 
fluidiqsitAuthor Commented:
OK, I completely reconfigured the ASA to as basic a config as I can. Now I would like to get remote access VPN configured properly. I have tried multiple times using the wizard in ASDM with no success. I can always get connected, but cannot get any data through (PING, RDP, anything). Here is the base config. How should I go about adding remote access VPN?
Result of the command: "show running-config"
 
: Saved
:
ASA Version 7.2(4) 
!
hostname EDINBOROWWTP
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.72.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 66.211.240.142 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 66.211.240.141 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http 192.168.72.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.72.2-192.168.72.254 inside
!
 
username edinboro password 1MSdLCgxg1aq6cOB encrypted privilege 15
username fluidiqsit password o6DNaRm3y/0kOhHS encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:d5686b2bcc989b78638e4148d217772c
: end

JFrederick29Commented:
So, without the VPN, does Internet work now?

Here is all you need for the VPN config:

access-list nonat extended permit ip any 10.255.255.0 255.255.255.0

ip local pool VPNPOOL 10.255.255.10-10.255.255.200 mask 255.255.255.0

nat (inside) 0 access-list nonat

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

management-access inside


group-policy EDINWWTP internal
group-policy EDINWWTP attributes
 dns-server value 192.168.72.x    <--Not the ASA
 vpn-tunnel-protocol IPSec

username vpnuser password sfjwaYyosZCKP38A encrypted privilege 0
username vpnuser attributes
 vpn-group-policy EDINWWTP

tunnel-group EDINWWTP type ipsec-ra
tunnel-group EDINWWTP general-attributes
 address-pool VPNPOOL
 default-group-policy EDINWWTP
tunnel-group EDINWWTP ipsec-attributes
 pre-shared-key <key>
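A lint pass over an ASA 7.2 "show running-config" for the two things worked through in this thread: the identity NAT (nat (inside) 0 192.168.72.0 255.255.255.0) that JFrederick29 spotted, and the remote-access pool / nonat ACL pairing in the config just above. This is an added example, not code from the thread or from Cisco; the check for management access open to any address on the outside interface goes beyond what the thread discusses, and the sample lines are a constructed excerpt of the posted config.

```python
"""Lint an ASA 7.2 'show running-config' for the mistakes worked through above."""
import ipaddress
import re

# Constructed excerpt of the second config posted in this thread (the one
# that still had the identity NAT in it); not the full running-config.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.72.1 255.255.255.0
access-list nonat extended permit ip 192.168.72.0 255.255.255.0 192.168.74.0 255.255.255.0
access-list nonat extended permit ip any 10.21.72.0 255.255.255.224
ip local pool VPNPOOL 10.21.72.1-10.21.72.20 mask 255.255.255.0
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 0 192.168.72.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
telnet 0.0.0.0 0.0.0.0 outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"


def _take(tokens):
    """Pop one ASA address spec ('any', 'host A', or 'A MASK') as a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def check_config(text):
    """Return a list of (code, detail) findings for one running-config."""
    findings, acls, pools = [], {}, {}
    inside_net, nonat_name, has_inspect_icmp = None, None, False
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s == "nameif inside":
            # The interface's 'ip address' line is in the same indented block.
            for nxt in lines[i + 1:]:
                if not nxt.startswith(" "):
                    break
                m = re.match(rf"ip address ({IPV4}) ({IPV4})", nxt.strip())
                if m:
                    inside_net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"access-list (\S+) extended permit ip (.*)", s):
            toks = m[2].split()
            acls.setdefault(m[1], []).append((_take(toks), _take(toks)))
        elif m := re.match(rf"ip local pool (\S+) ({IPV4})-({IPV4}) mask", s):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", s):
            nonat_name = m[1]
        elif re.match(rf"nat \(\S+\) 0 {IPV4} {IPV4}$", s):
            # Identity NAT for the whole LAN: those hosts never reach PAT rule 1,
            # so their Internet traffic leaves with private source addresses.
            findings.append(("IDENTITY_NAT", f"no {s}"))
        elif re.match(r"(telnet|ssh|http) 0\.0\.0\.0 0\.0\.0\.0 outside$", s):
            findings.append(("MGMT_OPEN_OUTSIDE", s))
        elif s == "inspect icmp":
            has_inspect_icmp = True
    if not has_inspect_icmp:
        # Without ICMP inspection the ASA is not stateful for ping, so echo
        # replies need an explicit outside ACL (the workaround tried above).
        findings.append(("NO_INSPECT_ICMP", "class inspection_default: inspect icmp"))
    exempt = acls.get(nonat_name, [])
    for name, (lo, hi) in pools.items():
        if inside_net and (lo in inside_net or hi in inside_net):
            findings.append(("POOL_OVERLAPS_INSIDE", f"{name} overlaps {inside_net}"))
        # The pool must be a destination in the nat 0 ACL, or replies to VPN
        # clients get translated and the client sees packets sent, none received.
        if not any(lo in dst and hi in dst for _, dst in exempt):
            findings.append(("POOL_NOT_NAT_EXEMPT", f"{name} {lo}-{hi}"))
    return findings


if __name__ == "__main__":
    for code, detail in check_config(SAMPLE_CONFIG):
        print(f"{code:21} {detail}")
```

Run it against a full "show running-config" capture to get the same three findings the thread converged on; a clean config returns an empty list.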
 
fluidiqsitAuthor Commented:
OK, I added that config in and still have the same problem. I can connect no problem, but still cannot pass data through. On the VPN Client statistics I see data being transmitted, but nothing received. Any ideas?
 
JFrederick29Commented:
Try adding this:

conf t
crypto isakmp nat-traversal     <--should be there by default

Still can't ping 192.168.72.1?
 
fluidiqsitAuthor Commented:
J - That worked out to fix all the issues.  So I would like to close this thread and award you the points.  I would like your help to configure the site to site connection now.  Can I just start a new question?
 
JFrederick29Commented:
Yeah, just start a new question and I'll be sure to check it out.  Thanks.