Solved

VPN clients cannot access other network subnets

Posted on 2009-05-18
45
523 Views
Last Modified: 2012-05-07
When connected to my network via a Cisco VPN connection, I am unable to connect to any other network subnets.  I can connect to my corporate subnet (192.168.1.x), but not to a remote office (192.168.2.x).  

I have a Cisco ASA 5510 firewall that hands out 192.168.5.x addresses to VPN clients.  Is this a matter of a static route that needs to be added or is this an ACL issue?  
0
Comment
Question by:djhath
45 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24413203
If you are split tunneling, it may simply be a matter of adding 192.168.2.0/24 to the split tunnel access-list.
0
 
LVL 3

Author Comment

by:djhath
ID: 24413350
The corresponding access list I have for split tunneling in my config is this:

access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

So, I added this:

access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

...connected to the VPN, attempted to ping anything on the .2.x subnet to no avail.
0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24413371
You logged off VPN and reconnected, right?

Is the remote subnet (192.168.2.0) a site to site VPN off this ASA or is it reachable via the inside?
0
 
LVL 3

Author Comment

by:djhath
ID: 24413411
Yes, I did.

The 192.168.2.0 subnet is a site-to-site VPN off this ASA, reachable on the LAN.  I also made sure that the running config was saved on the ASA after adding the command.
0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24413425
Okay, since it's a VPN off the ASA, there is more to it.

The site to site access-list needs to also include the 192.168.5.0 to 192.168.2.0 subnet on this ASA.  The remote end access-list will need to be updated to include 192.168.2.0 to 192.168.5.0.  You also may need to use a NAT0 access-list on the outside for VPN to VPN traffic depending on your NAT-control policy.
0
 
LVL 3

Author Comment

by:djhath
ID: 24413562
I thought I had done so correctly, however it appears not.  I have attached a copy of my config.
: Saved
:
ASA Version 7.2(4) 
!
hostname Marlboro-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
passwd * encrypted
names
name 64.18.0.0 Postini
name 216.148.212.0 RMON description All Covered RMON
name 192.168.1.13 CEADC1 description CEA Domain Controller
name 192.168.1.18 CEAFIN1 description Vision App Server
name 192.168.1.11 CEAMAIL1 description Exchange 2007 Server
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xx.xxx.xxx.xxx 255.255.255.240 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/2
 nameif Guest
 security-level 10
 ip address 192.168.10.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Management Interface
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
 management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server CEADC1
 domain-name intranet.ceadvisors.com
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list outside-access-in extended permit tcp any host xx.xxx.xxx.xxx eq https 
access-list outside-access-in extended permit tcp any host xx.xxx.xxx.xxx eq www 
access-list outside-access-in extended permit tcp any host xx.xxx.xxx.xxx eq https 
access-list outside-access-in extended permit icmp any any inactive 
access-list outside-access-in extended permit tcp RMON 255.255.255.0 host 75.144.134.116 eq smtp 
access-list outside-access-in extended permit tcp Postini 255.255.0.0 host 75.144.134.116 eq smtp 
access-list outside-access-in extended permit udp any any eq isakmp 
access-list outside-access-in extended deny tcp any host xx.xxx.xxx.xxx eq www 
access-list outside-access-in extended permit icmp any any echo-reply 
access-list outside-access-in extended permit icmp any any unreachable 
access-list outside-access-in extended permit icmp any any time-exceeded 
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Guest 1500
mtu management 1500
ip local pool CEA_VPN_Pool 192.168.5.10-192.168.5.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
global (Guest) 20 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (Guest) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp xx.xxx.xxx.xxx https CEAFIN1 https netmask 255.255.255.255 
static (Inside,Outside) xx.xxx.xxx.xxx CEAMAIL1 netmask 255.255.255.255 
static (Inside,Outside) xx.xxx.xxx.xxx CEADC1 netmask 255.255.255.255 
access-group outside-access-in in interface Outside
route Outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx 1
route Inside 192.168.3.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server CEADC1 protocol radius
aaa-server CEADC1 (Inside) host CEADC1
 timeout 5
 key *
aaa-server CEADC2 protocol radius
aaa-server CEADC2 (Outside) host 192.168.1.14
 key *
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http 192.168.5.0 255.255.255.0 Inside
http 10.10.10.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http 192.168.2.0 255.255.255.0 Inside
http redirect Outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 match address l2l_list
crypto map Outside_map 10 set peer xx.xx.xxx.xxx 
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity address 
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 Inside
telnet 192.168.5.0 255.255.255.0 Inside
telnet 192.168.2.0 255.255.255.0 Inside
telnet timeout 5
ssh xx.xx.xx.xxx 255.255.255.255 Outside
ssh 192.168.5.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Inside
ssh 192.168.2.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd dns 4.2.2.1
!
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
ssl trust-point my.godaddy.key Outside
webvpn
 enable Outside
 svc image disk0:/sslclient-win-1.1.4.179.pkg 1
 svc enable
 customization DfltCustomization
  title text Concentric Energy Advisors WebVPN
  logout-message text Your Session has been terminated.
  logo none
 url-list CEA_Servers "Z: Drive" cifs://ceafs1/ceadata 2
 url-list CEA_Servers "Vision" http://ceafin1/vision 3
 url-list CEA_Servers "Web Mail" https://mail.ceadvisors.com 4
 url-list CEA_Servers "Intranet" http://ceaforum 5
 java-trustpoint my.godaddy.key
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions http-proxy
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list value CEA_Servers
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13 192.168.1.14
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  functions file-access file-browsing
username support password JRI3BtDx/rKPMXJe encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server CEADC1 master timeout 2 retry 2
tunnel-group CEA type ipsec-ra
tunnel-group CEA general-attributes
 address-pool CEA_VPN_Pool
 authentication-server-group CEADC1
 default-group-policy CEA
tunnel-group CEA ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.xxx type ipsec-l2l
tunnel-group xx.xx.xx.xxx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
smtp-server 192.168.1.11
prompt hostname context 
Cryptochecksum:efdb5a45f730ee8d0ed39ba55a56969c
: end
asdm image disk0:/asdm-524.bin
asdm location CEAFIN1 255.255.255.255 Inside
no asdm history enable

0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24413599
You've got it backwards.

Should be:

access-list l2l_list extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0

The other end of the site to site needs the inverse rule added as well:

access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
0
 
LVL 3

Author Comment

by:djhath
ID: 24413651
Did both and still nothin' doin' ...
0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24413670
Oops, forgot this.  Add this to the config:

same-security-traffic permit intra-interface
0
 
LVL 3

Author Comment

by:djhath
ID: 24413762
Applied the command to both firewalls and still can't hit anything on the .2.x subnet from the VPN.
0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24413808
You added the crypto ACL entry on each side, right?

Try pinging 192.168.2.x (-t) from the VPN client and do a "show log | i 192.168.5.x"    <--where 192.168.5.x is the IP of the VPN client pinging.

Could still be a NAT issue.
0
 
LVL 3

Author Comment

by:djhath
ID: 24413973
Sure did.  I will attach the config of the remote site, as well.

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)



: Saved
:
ASA Version 8.0(3) 
!
hostname concentric-DC-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
no names
name 192.168.2.0 DC-inside-block
name 192.168.1.12 CEAEXCH1 description CEA Exchange Server
name 192.168.1.13 CEADC1 description CEA Domain Controller
!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 description Outside
 nameif outside
 security-level 0
 ip address xx.xx.xxx.xxx 255.255.255.248 
!
interface Ethernet0/0
 description Inside
 switchport access vlan 2
!
interface Ethernet0/1
 description Inside
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd zX4wR0GwTwRjrWan encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.13
 domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside extended deny ip any any log 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq smtp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq www 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq telnet 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3389 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq https 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pop3 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp-data 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq dnsix 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq domain 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq domain 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq kerberos 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq imap4 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldap 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldaps 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq netbios-ssn 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 139 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 445 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 445 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 135 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-ns 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-dgm 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq ntp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3268 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 389 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53211 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53212 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 88 
access-list inside extended deny ip any any log 
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply 
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded 
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE_IN_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server CEADC1 protocol radius
aaa-server CEADC1 host 192.168.1.13
 key Pl@sma
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL 
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http xx.xxx.xxx.xxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THREEDES esp-3des esp-sha-hmac 
crypto map DC2BOS 1 match address l2l_list
crypto map DC2BOS 1 set peer xx.xxx.xxx.xxx
crypto map DC2BOS 1 set transform-set THREEDES
crypto map DC2BOS interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet xx.xxx.xxx.xxx 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh xx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics access-list
ntp server 131.216.22.17 source outside
ntp server 216.204.156.2 source outside
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  url-list value CEA_Servers
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  file-entry enable
  file-browsing enable
username support password JRI3BtDx/rKPMXJe encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.1.12 timeout 2 retry 2
 nbns-server 192.168.1.13 timeout 2 retry 2
tunnel-group xx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group CEA type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:a8f01800f7c03666c8819760b203ab3c
: end
asdm image disk0:/asdm-603.bin
no asdm history enable

0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24414012
Missing this from the remote config:

access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
0
 
LVL 3

Author Comment

by:djhath
ID: 24414050
Added it, still no go...  Did see this in the Syslog:

3      May 18 2009      13:04:57      305005      192.168.2.2             No translation group found for icmp src outside:192.168.5.28 dst inside:192.168.2.2 (type 8, code 0)
0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24414086
Add this:

conf t
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (outside) 0 access-list no-outside-nat
0
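The two checks JFrederick29 keeps coming back to in this thread are mechanical: the crypto ACL on each peer must be the mirror image of the other's (comment ID 24413599), and the flow that produces a 305005 "No translation group found" message must be NAT-exempt on the interface it arrives on (the nat (outside) 0 fix in ID 24414086). The script below is an added example, written for this page and not posted by either participant; it parses short config excerpts modelled on the two configs in the thread (constructed here, not the full configs) and reports the gaps. Function names (parse_acls, mirror_gaps, check_305005) are my own.

```python
import ipaddress
import re

# Constructed excerpts modelled on the configs posted in this thread.
# MAIN_BEFORE has the reversed l2l_list entry; REMOTE_BEFORE lacks the
# nat (outside) 0 exemption for VPN-pool -> remote LAN traffic.
MAIN_BEFORE = """\
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
crypto map Outside_map 10 match address l2l_list
"""
MAIN_AFTER = MAIN_BEFORE.replace(
    "permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0",
    "permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0",
)
REMOTE_BEFORE = """\
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
crypto map DC2BOS 1 match address l2l_list
"""
REMOTE_AFTER = REMOTE_BEFORE + """\
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (outside) 0 access-list no-outside-nat
"""
# Syslog line as quoted in the thread (ASA-3-305005).
LOG_305005 = ("No translation group found for icmp src outside:192.168.5.28 "
              "dst inside:192.168.2.2 (type 8, code 0)")

ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)\s*$"
)
NAT0_RE = re.compile(r"^nat\s+\((?P<ifc>[^)]+)\)\s+0\s+access-list\s+(?P<acl>\S+)\s*$")
CRYPTO_RE = re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(?P<acl>\S+)\s*$")
LOG_RE = re.compile(
    r"No translation group found for \w+ src (?P<sifc>[\w-]+):(?P<src>[\d.]+) "
    r"dst (?P<difc>[\w-]+):(?P<dst>[\d.]+)"
)


def _net(addr, mask):
    # ipaddress accepts dotted-quad masks, so "192.168.2.0/255.255.255.0" -> 192.168.2.0/24
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m["name"], []).append(
                (_net(m["src"], m["smask"]), _net(m["dst"], m["dmask"])))
    return acls


def crypto_flows(config):
    """Flows selected for encryption by every crypto map entry's match ACL."""
    acls, flows = parse_acls(config), set()
    for line in config.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if m:
            flows.update(acls.get(m["acl"], []))
    return flows


def mirror_gaps(local_cfg, remote_cfg):
    """Crypto ACL entries whose mirror image (dst -> src) is absent on the other peer."""
    local, remote = crypto_flows(local_cfg), crypto_flows(remote_cfg)
    missing_on_remote = sorted(f"{s} -> {d}" for s, d in local if (d, s) not in remote)
    missing_on_local = sorted(f"{s} -> {d}" for s, d in remote if (d, s) not in local)
    return missing_on_remote, missing_on_local


def nat0_flows(config, ifc):
    """Flows exempted from NAT by a 'nat (ifc) 0 access-list' on the named interface."""
    acls, flows = parse_acls(config), []
    for line in config.splitlines():
        m = NAT0_RE.match(line.strip())
        if m and m["ifc"].lower() == ifc.lower():
            flows.extend(acls.get(m["acl"], []))
    return flows


def check_305005(config, log_line):
    """Is the src/dst pair from a 305005 message NAT-exempt on its ingress interface?"""
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("not a 305005 'No translation group found' message")
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    covered = any(src in s and dst in d for s, d in nat0_flows(config, m["sifc"]))
    return {"ingress": m["sifc"], "src": str(src), "dst": str(dst), "nat0_covered": covered}


if __name__ == "__main__":
    print("crypto ACL gaps before:", mirror_gaps(MAIN_BEFORE, REMOTE_BEFORE))
    print("crypto ACL gaps after: ", mirror_gaps(MAIN_AFTER, REMOTE_BEFORE))
    print("305005 on remote before:", check_305005(REMOTE_BEFORE, LOG_305005))
    print("305005 on remote after: ", check_305005(REMOTE_AFTER, LOG_305005))
```

Run against the "before" excerpts it reports the 192.168.2.0/24 -> 192.168.5.0/24 entry as unmirrored on both sides and the 305005 flow as not NAT-exempt on the remote outside interface; with the corrected l2l_list line and the nat (outside) 0 exemption both findings clear. The parser only understands the pre-8.3 "nat (ifc) 0 access-list" exemption syntax that these configs use, and it ignores object-group and host-form ACL entries, so it is a sanity check for this style of config rather than a general ASA policy parser.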
 
LVL 3

Author Comment

by:djhath
ID: 24414096
To both configs?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414104
Sorry, to the remote config.
0
 
LVL 3

Author Comment

by:djhath
ID: 24414172
Still nothing...  And I am making sure that I disconnect and reconnect the VPN each time before trying.
0
 
LVL 3

Author Comment

by:djhath
ID: 24414180
Would you like updated configs attached?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414201
Yes, please.
0
 
LVL 3

Author Comment

by:djhath
ID: 24414296
Main site attached
: Saved
:
ASA Version 7.2(4) 
!
hostname Marlboro-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
passwd * encrypted
names
name 64.18.0.0 Postini
name 216.148.212.0 RMON description All Covered RMON
name 192.168.1.13 CEADC1 description CEA Domain Controller
name 192.168.1.18 CEAFIN1 description Vision App Server
name 192.168.1.11 CEAMAIL1 description Exchange 2007 Server
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.240 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/2
 nameif Guest
 security-level 10
 ip address 192.168.10.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Management Interface
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
 management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server CEADC1
 domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq https 
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq www 
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq https 
access-list outside-access-in extended permit icmp any any inactive 
access-list outside-access-in extended permit tcp RMON 255.255.255.0 host xx.xx.xx.xx eq smtp 
access-list outside-access-in extended permit tcp Postini 255.255.0.0 host xx.xx.xx.xx eq smtp 
access-list outside-access-in extended permit udp any any eq isakmp 
access-list outside-access-in extended deny tcp any host xx.xx.xx.xx eq www 
access-list outside-access-in extended permit icmp any any echo-reply 
access-list outside-access-in extended permit icmp any any unreachable 
access-list outside-access-in extended permit icmp any any time-exceeded 
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0 
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Guest 1500
mtu management 1500
ip local pool CEA_VPN_Pool 192.168.5.10-192.168.5.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
global (Guest) 20 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (Guest) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp xx.xx.xx.xx https CEAFIN1 https netmask 255.255.255.255 
static (Inside,Outside) xx.xx.xx.xx CEAMAIL1 netmask 255.255.255.255 
static (Inside,Outside) xx.xx.xx.xx CEADC1 netmask 255.255.255.255 
access-group outside-access-in in interface Outside
route Outside 0.0.0.0 0.0.0.0 75.144.134.126 1
route Inside 192.168.3.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server CEADC1 protocol radius
aaa-server CEADC1 (Inside) host CEADC1
 timeout 5
 key *
aaa-server CEADC2 protocol radius
aaa-server CEADC2 (Outside) host 192.168.1.14
 key *
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http 192.168.5.0 255.255.255.0 Inside
http 10.10.10.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http 192.168.2.0 255.255.255.0 Inside
http redirect Outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 match address l2l_list
crypto map Outside_map 10 set peer xx.xx.xx.xx
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity address 
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 Inside
telnet 192.168.5.0 255.255.255.0 Inside
telnet 192.168.2.0 255.255.255.0 Inside
telnet timeout 5
ssh xx.xx.xx.xx 255.255.255.255 Outside
ssh 192.168.5.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Inside
ssh 192.168.2.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd dns 4.2.2.1
!
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
ssl trust-point my.godaddy.key Outside
webvpn
 enable Outside
 svc image disk0:/sslclient-win-1.1.4.179.pkg 1
 svc enable
 customization DfltCustomization
  title text Concentric Energy Advisors WebVPN
  logout-message text Your Session has been terminated.
  logo none
 url-list CEA_Servers "Z: Drive" cifs://ceafs1/ceadata 2
 url-list CEA_Servers "Vision" http://ceafin1/vision 3
 url-list CEA_Servers "Web Mail" https://mail.ceadvisors.com 4
 url-list CEA_Servers "Intranet" http://ceaforum 5
 java-trustpoint my.godaddy.key
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions http-proxy
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list value CEA_Servers
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13 192.168.1.14
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  functions file-access file-browsing
username * password * encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server CEADC1 master timeout 2 retry 2
tunnel-group CEA type ipsec-ra
tunnel-group CEA general-attributes
 address-pool CEA_VPN_Pool
 authentication-server-group CEADC1
 default-group-policy CEA
tunnel-group CEA ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group 67.62.134.115 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
smtp-server 192.168.1.11
prompt hostname context 
Cryptochecksum:ebbcf1fb10df0e7bd107907d326fe5f6
: end
asdm image disk0:/asdm-524.bin
asdm location CEAFIN1 255.255.255.255 Inside
no asdm history enable


0
 
LVL 3

Author Comment

by:djhath
ID: 24414332
Remote site attached
: Saved
:
ASA Version 8.0(3) 
!
hostname concentric-DC-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
no names
name 192.168.2.0 DC-inside-block
name 192.168.1.12 CEAEXCH1 description CEA Exchange Server
name 192.168.1.13 CEADC1 description CEA Domain Controller
!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 description Outside
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248 
!
interface Ethernet0/0
 description Inside
 switchport access vlan 2
!
interface Ethernet0/1
 description Inside
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd zX4wR0GwTwRjrWan encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.13
 domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside extended deny ip any any log 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq smtp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq www 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq telnet 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3389 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq https 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pop3 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp-data 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq dnsix 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq domain 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq domain 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq kerberos 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq imap4 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldap 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldaps 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq netbios-ssn 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 139 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 445 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 445 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 135 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-ns 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-dgm 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq ntp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3268 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 389 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53211 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53212 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 88 
access-list inside extended deny ip any any log 
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply 
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded 
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0 
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list no-outside-nat
access-group OUTSIDE_IN_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 67.62.134.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server CEADC1 protocol radius
aaa-server CEADC1 host 192.168.1.13
 key *
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL 
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http xx.xx.xx.xx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THREEDES esp-3des esp-sha-hmac 
crypto map DC2BOS 1 match address l2l_list
crypto map DC2BOS 1 set peer xx.xx.xx.xx 
crypto map DC2BOS 1 set transform-set THREEDES
crypto map DC2BOS interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet xx.xx.xx.xx 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics access-list
ntp server 131.216.22.17 source outside
ntp server 216.204.156.2 source outside
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  url-list value CEA_Servers
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  file-entry enable
  file-browsing enable
username * password * encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.1.12 timeout 2 retry 2
 nbns-server 192.168.1.13 timeout 2 retry 2
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group CEA type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:a8f01800f7c03666c8819760b203ab3c
: end
asdm image disk0:/asdm-603.bin
no asdm history enable


0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414387
Try to ping something on the 192.168.2.0/24 subnet other than the ASA inside interface.  Still getting the same syslog entries?
0
 
LVL 3

Author Comment

by:djhath
ID: 24414442
192.168.2.2 is a server that resides on that site.  

I'll try pinging 192.168.2.3, which is a network printer.

From syslog:

3      May 18 2009      13:34:23      305005      192.168.2.3             No translation group found for icmp src outside:192.168.5.28 dst inside:192.168.2.3 (type 8, code 0)
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414456
Which Firewall is that syslog message from?
0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24414473
Never mind, assuming the main office based on your logging config:

Add this to the main ASA, also:

conf t
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (Outside) 0 access-list no-outside-nat
0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24414521
Sorry to keep mixing things up, but add this as well to the main ASA:

access-list Inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0


This may be the only thing required regarding NAT.
0
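The checks JFrederick29 is walking through by hand (which `nat (interface) 0 access-list` applies to the packet in the 305005 message, whether that ACL actually covers the source/destination pair, and whether the reply direction is covered too) can be run mechanically against a saved config. The following is an added example and not code from this thread or from Cisco. It parses a constructed config fragment written in the style of the remote-site config posted above (the ACL names NO-NAT, no-outside-nat and CEA_splitTunnelAcl and the addresses are the ones from the thread) together with a 305005 line in the same shape as the syslog entries quoted here. Only the pre-8.3 `nat 0 access-list` syntax is understood; it needs Python 3.8 or later.

```python
"""Check an ASA (pre-8.3) config for NAT exemption and split-tunnel coverage,
driven by a %ASA-3-305005 "No translation group found" syslog message."""
import ipaddress
import re

# Constructed sample: a trimmed config in the style of the remote-site ASA
# posted in the thread (only the lines this check looks at).
SAMPLE_CONFIG = """\
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list no-outside-nat
"""

# Constructed syslog line with the same shape as the 305005 entries quoted in the thread.
SAMPLE_SYSLOG = ("%ASA-3-305005: No translation group found for icmp "
                 "src outside:192.168.5.28 dst inside:192.168.2.3 (type 8, code 0)")

SYSLOG_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/\d+)? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)?")
EXT_ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit ip "
    r"(?P<src>[\d.]+) (?P<smask>[\d.]+) (?P<dst>[\d.]+) (?P<dmask>[\d.]+)")
STD_ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) standard permit (?P<net>[\d.]+) (?P<mask>[\d.]+)")
NAT0_RE = re.compile(r"^nat \((?P<ifname>[\w-]+)\) 0 access-list (?P<acl>\S+)")


def parse_syslog(line):
    """Extract protocol, interfaces and addresses from a 305005 message."""
    m = SYSLOG_RE.search(line)
    if m is None:
        raise ValueError("not a %ASA-3-305005 message")
    return m.groupdict()


def parse_config(text):
    """Collect permit ACEs per ACL name and the nat 0 ACL bound to each interface."""
    aces = {}   # acl name -> list of (src_net, dst_net); standard ACLs use dst_net=None
    nat0 = {}   # interface name (lower-cased) -> acl name
    for raw in text.splitlines():
        line = raw.strip()
        if m := EXT_ACE_RE.match(line):
            src = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
            dst = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
            aces.setdefault(m["name"], []).append((src, dst))
        elif m := STD_ACE_RE.match(line):
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            aces.setdefault(m["name"], []).append((net, None))
        elif m := NAT0_RE.match(line):
            # The config may say "Outside" while the syslog says "outside".
            nat0[m["ifname"].lower()] = m["acl"]
    return aces, nat0


def nat_exempt_covers(aces, nat0, ingress_if, src_ip, dst_ip):
    """True if the nat 0 ACL on the interface the packet arrives on matches src -> dst."""
    acl = nat0.get(ingress_if.lower())
    if acl is None:
        return False
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(dst_net is not None and src in src_net and dst in dst_net
               for src_net, dst_net in aces.get(acl, []))


def split_tunnel_includes(aces, acl_name, ip):
    """True if a standard split-tunnel ACL sends traffic for ip through the tunnel."""
    addr = ipaddress.ip_address(ip)
    return any(dst_net is None and addr in net for net, dst_net in aces.get(acl_name, []))


def check_both_directions(config_text, syslog_line):
    """Check NAT exemption for the logged packet and for the reply it would trigger."""
    ev = parse_syslog(syslog_line)
    aces, nat0 = parse_config(config_text)
    return {
        "forward": nat_exempt_covers(aces, nat0, ev["src_if"], ev["src"], ev["dst"]),
        "return": nat_exempt_covers(aces, nat0, ev["dst_if"], ev["dst"], ev["src"]),
    }


if __name__ == "__main__":
    print(check_both_directions(SAMPLE_CONFIG, SAMPLE_SYSLOG))
```

Run against the sample, both directions come back covered, which is the same conclusion JFrederick29 reaches from reading the posted config; removing the `nat (outside) 0` line flips `forward` to False, which is the shape of config that produces the 305005 message for a packet arriving on the outside interface. The split-tunnel check belongs on the head-end ASA that hands out the 192.168.5.x pool, not on the remote site.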
 
LVL 3

Author Comment

by:djhath
ID: 24414531
I added those commands to main office config.

Still nothing - this Syslog is from the remote site:

3      May 18 2009      13:41:16      305005      192.168.2.3             No translation group found for icmp src outside:192.168.5.28 dst inside:192.168.2.3 (type 8, code 0)
0
 
LVL 3

Author Comment

by:djhath
ID: 24414567
Just added the Inside_nat0_outbound ACL change, still nothing...

Still generating the same from the remote site syslog:

3      May 18 2009      13:44:34      305005      192.168.2.3             No translation group found for icmp src outside:192.168.5.28 dst inside:192.168.2.3 (type 8, code 0)
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414691
Can you ping the other way?
0
 
LVL 3

Author Comment

by:djhath
ID: 24414764
I can ping 192.168.5.28 (VPN client) from my main site LAN (192.168.1.x), but not from the remote site (192.168.2.x).
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414836
Try removing the "nat (outside) 0" config from both Firewalls and try again.  I'm about stumped as this should be working.

192.168.2.1 is the default gateway for the 192.168.2.1 hosts, right? Or is it something else?
0
 
LVL 3

Author Comment

by:djhath
ID: 24414981
Yes, 192.168.2.1 is the default gateway for the hosts on that subnet.  

I just removed the nat (Outside) command from both firewalls and the lan-2-lan tunnel has dropped.

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415029
The nat (outside) you just added?  Nice...

Really not much to this so not sure why it's not working...see below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml#notes

Can you post a "show cry ipsec sa" from both ASAs?
0
 
LVL 3

Author Comment

by:djhath
ID: 24415078
Alright, the tunnel dropped because I removed the wrong command.  I removed the nat (inside) 0 statement on the main site firewall, thinking I had applied it to the wrong interface.  

I removed the nat (outside) 0 statement and reapplied on both firewalls, still nothing.

Here is the result of the show cry ipsec sa from the main site:

Result of the command: "show cry ipsec sa"

interface: Outside
    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.27/255.255.255.255/0/0)
      current_peer: 209.6.174.244, username: nstandish
      dynamic allocated peer ip: 192.168.5.27

      #pkts encaps: 44379, #pkts encrypt: 44391, #pkts digest: 44391
      #pkts decaps: 50328, #pkts decrypt: 50328, #pkts verify: 50328
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 44379, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 12, #pre-frag failures: 0, #fragments created: 24
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 24
      #send errors: 0, #recv errors: 15

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 209.6.174.244/1099
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 0EA2DE6A

    inbound esp sas:
      spi: 0xE554A279 (3847529081)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 459, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 10581
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x0EA2DE6A (245554794)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 459, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 10581
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.20/255.255.255.255/0/0)
      current_peer: 66.30.186.113, username: bhevert
      dynamic allocated peer ip: 192.168.5.20

      #pkts encaps: 54343, #pkts encrypt: 54411, #pkts digest: 54411
      #pkts decaps: 47518, #pkts decrypt: 47518, #pkts verify: 47518
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 54343, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 68, #pre-frag failures: 0, #fragments created: 136
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 136
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 66.30.186.113/1117
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: C0C1C42F

    inbound esp sas:
      spi: 0xB76949A2 (3077130658)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 444, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 22151
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xC0C1C42F (3233924143)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 444, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 22151
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_map, seq num: 10, local addr: 75.144.134.114

      access-list l2l_list permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 67.62.134.115

      #pkts encaps: 41023427, #pkts encrypt: 41023427, #pkts digest: 41023427
      #pkts decaps: 36586431, #pkts decrypt: 36586431, #pkts verify: 36586431
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 41023427, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 2
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114, remote crypto endpt.: 67.62.134.115

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 25220048

    inbound esp sas:
      spi: 0x11CF477F (298796927)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 207, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4080057/10205)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x25220048 (622985288)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 207, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4034235/10205)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_map, seq num: 10, local addr: 75.144.134.114

      access-list l2l_list permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 67.62.134.115

      #pkts encaps: 640, #pkts encrypt: 640, #pkts digest: 640
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 640, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114, remote crypto endpt.: 67.62.134.115

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 6290EBC8

    inbound esp sas:
      spi: 0x24A0F22A (614527530)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 207, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/21628)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x6290EBC8 (1653664712)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 207, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4274962/21628)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.28/255.255.255.255/0/0)
      current_peer: 71.233.179.11, username: jhathaway
      dynamic allocated peer ip: 192.168.5.28

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 71.233.179.11/3193
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: D69D9F8F

    inbound esp sas:
      spi: 0x32232C59 (841165913)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 482, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 28755
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xD69D9F8F (3600654223)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 482, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 28755
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.25/255.255.255.255/0/0)
      current_peer: 71.243.55.86, username: coneill
      dynamic allocated peer ip: 192.168.5.25

      #pkts encaps: 32327, #pkts encrypt: 32345, #pkts digest: 32345
      #pkts decaps: 31203, #pkts decrypt: 31203, #pkts verify: 31203
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 32327, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 18, #pre-frag failures: 0, #fragments created: 36
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 36
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 71.243.55.86/4442
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 97613F89

    inbound esp sas:
      spi: 0x617BFDC6 (1635515846)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 458, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 8586
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x97613F89 (2539732873)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 458, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 8586
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.29/255.255.255.255/0/0)
      current_peer: 76.120.2.95, username: lquilici
      dynamic allocated peer ip: 192.168.5.29

      #pkts encaps: 465, #pkts encrypt: 465, #pkts digest: 465
      #pkts decaps: 793, #pkts decrypt: 793, #pkts verify: 793
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 465, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 76.120.2.95/2344
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: D004F310

    inbound esp sas:
      spi: 0xAE114735 (2920367925)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 481, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 27993
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xD004F310 (3489985296)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 481, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 27993
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.26/255.255.255.255/0/0)
      current_peer: 76.179.71.136, username: bhopkins
      dynamic allocated peer ip: 192.168.5.26

      #pkts encaps: 7572, #pkts encrypt: 7593, #pkts digest: 7593
      #pkts decaps: 8968, #pkts decrypt: 8968, #pkts verify: 8968
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7572, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 21, #pre-frag failures: 0, #fragments created: 42
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 42
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 76.179.71.136/2474
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 74127397

    inbound esp sas:
      spi: 0xD7F2DE8A (3623018122)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 457, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 26599
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x74127397 (1947366295)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 457, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 26599
         IV size: 8 bytes
         replay detection support: Y

From the remote site:

Result of the command: "sh cry ipsec sa"

interface: outside
    Crypto map tag: DC2BOS, seq num: 1, local addr: 67.62.134.115

      access-list l2l_list permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      current_peer: 75.144.134.114

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 655, #pkts decrypt: 655, #pkts verify: 655
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 67.62.134.115, remote crypto endpt.: 75.144.134.114

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 24A0F22A

    inbound esp sas:
      spi: 0x6290EBC8 (1653664712)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: DC2BOS
         sa timing: remaining key lifetime (kB/sec): (3824961/21541)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x24A0F22A (614527530)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: DC2BOS
         sa timing: remaining key lifetime (kB/sec): (3825000/21541)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: DC2BOS, seq num: 1, local addr: 67.62.134.115

      access-list l2l_list permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 75.144.134.114

      #pkts encaps: 36593992, #pkts encrypt: 36593992, #pkts digest: 36593992
      #pkts decaps: 41027877, #pkts decrypt: 41027877, #pkts verify: 41027877
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 36593992, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 67.62.134.115, remote crypto endpt.: 75.144.134.114

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 11CF477F

    inbound esp sas:
      spi: 0x25220048 (622985288)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: DC2BOS
         sa timing: remaining key lifetime (kB/sec): (3583201/10121)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x11CF477F (298796927)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: DC2BOS
         sa timing: remaining key lifetime (kB/sec): (3629068/10121)
         IV size: 8 bytes
         replay detection support: Y
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415153
Okay, so the traffic is good to the remote Firewall (kind of already knew that) but there is no return traffic (because the ASA is dropping traffic due to "no translation group").  Can you afford to "wr mem" and "reload" the remote ASA?  This should be working based on your config.
0
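The reading JFrederick29 gives of the SA output above (the 192.168.5.0/24 to 192.168.2.0/24 SA shows 640 packets encapsulated and 0 decapsulated on the main site, and the mirror image on the remote site, so the tunnel is up and the loss is on the return path, not in IKE) is a pattern worth pulling out of `show crypto ipsec sa` automatically when several tunnels and remote-access clients share a box. This is an added example, not code from the thread or from Cisco. It parses a constructed excerpt that keeps the field layout of the output posted above; the peer addresses are documentation ranges and the username is invented.

```python
"""Parse ASA 'show crypto ipsec sa' output and flag SAs that only carry
traffic in one direction (encaps without decaps, or the reverse)."""
import re

# Constructed sample in the layout of ASA 7.x/8.0 "show crypto ipsec sa",
# trimmed to the fields this parser reads. Peers and username are made up.
SAMPLE_OUTPUT = """\
interface: Outside
    Crypto map tag: Outside_map, seq num: 10, local addr: 198.51.100.10

      access-list l2l_list permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 203.0.113.5

      #pkts encaps: 41023427, #pkts encrypt: 41023427, #pkts digest: 41023427
      #pkts decaps: 36586431, #pkts decrypt: 36586431, #pkts verify: 36586431
      #send errors: 0, #recv errors: 0

    Crypto map tag: Outside_map, seq num: 10, local addr: 198.51.100.10

      access-list l2l_list permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 203.0.113.5

      #pkts encaps: 640, #pkts encrypt: 640, #pkts digest: 640
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 198.51.100.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.28/255.255.255.255/0/0)
      current_peer: 192.0.2.44, username: example.user
      dynamic allocated peer ip: 192.168.5.28

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #send errors: 0, #recv errors: 15
"""

SA_HEADER_RE = re.compile(
    r"^\s*Crypto map tag: (?P<map>[^,]+), seq num: (?P<seq>\d+), local addr: (?P<local>\S+)")
IDENT_RE = re.compile(
    r"(?P<side>local|remote) ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/\d+/\d+\)")
PEER_RE = re.compile(r"current_peer: (?P<peer>[\d.]+)(?:, username: (?P<user>\S+))?")
COUNTER_RE = re.compile(r"#pkts (?P<name>encaps|decaps): (?P<n>\d+)")
ERR_RE = re.compile(r"#send errors: (?P<send>\d+), #recv errors: (?P<recv>\d+)")


def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag' block with idents, peer and counters."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := SA_HEADER_RE.match(line):
            cur = {"map": m["map"], "seq": int(m["seq"]), "local_addr": m["local"],
                   "local_ident": None, "remote_ident": None, "peer": None,
                   "username": None, "encaps": 0, "decaps": 0,
                   "send_errors": 0, "recv_errors": 0}
            sas.append(cur)
        elif cur is None:
            continue   # text before the first SA block (e.g. "interface:")
        elif m := IDENT_RE.search(line):
            cur[m["side"] + "_ident"] = f"{m['addr']}/{m['mask']}"
        elif m := PEER_RE.search(line):
            cur["peer"], cur["username"] = m["peer"], m["user"]
        elif m := ERR_RE.search(line):
            cur["send_errors"], cur["recv_errors"] = int(m["send"]), int(m["recv"])
        else:
            for c in COUNTER_RE.finditer(line):   # encrypt/digest/verify are ignored
                cur[c["name"]] = int(c["n"])
    return sas


def asymmetric_sas(sas):
    """SAs that move packets in only one direction. The SA exists and a counter is
    climbing, so IKE is fine; look at NAT exemption or routing on the silent side."""
    findings = []
    for sa in sas:
        if sa["encaps"] > 0 and sa["decaps"] == 0:
            findings.append((sa, "no return traffic from peer"))
        elif sa["decaps"] > 0 and sa["encaps"] == 0:
            findings.append((sa, "nothing sent back to peer"))
    return findings


def describe(sa):
    who = f" ({sa['username']})" if sa["username"] else ""
    return (f"{sa['map']}#{sa['seq']} {sa['local_ident']} -> {sa['remote_ident']} "
            f"via {sa['peer']}{who}: encaps={sa['encaps']} decaps={sa['decaps']}")


if __name__ == "__main__":
    for sa, why in asymmetric_sas(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(f"{why}: {describe(sa)}")
```

On the sample this reports the L2L SA for the VPN pool (encaps only, the same picture as the thread) and the remote-access client SA that has received five packets and sent none back. Run on both ends of a site-to-site tunnel, a pair of mirror-image findings (encaps-only on one side, decaps-only on the other) points at the receiving side's return path, not at the tunnel itself.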
 
LVL 3

Author Comment

by:djhath
ID: 24415194
Well, having pulled my Joe Maddon baseball card out (from last night, in case you're a baseball fan), and already dropped the tunnel on them once, I think I'll wait until this evening to reboot the remote firewall.

I will advise on how that works out after the reboot.

And before I forget, I'm very appreciative of all of your help so far!  Thank you.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415208
No prob.  Drives me insane that it's not working <8-]
0
 
LVL 3

Author Comment

by:djhath
ID: 24417683
Alright, I rebooted the firewall and I still can't ping on the 192.168.2.x subnet from a VPN client.  I'm going to attach the current configs just for the hell of it.

Main Site:
: Saved
:
ASA Version 7.2(4) 
!
hostname Marlboro-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
passwd * encrypted
names
name 64.18.0.0 Postini
name 216.148.212.0 RMON description All Covered RMON
name 192.168.1.13 CEADC1 description CEA Domain Controller
name 192.168.1.18 CEAFIN1 description Vision App Server
name 192.168.1.11 CEAMAIL1 description Exchange 2007 Server
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.240 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/2
 nameif Guest
 security-level 10
 ip address 192.168.10.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Management Interface
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
 management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server CEADC1
 domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list Inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq https 
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq www 
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq https 
access-list outside-access-in extended permit icmp any any inactive 
access-list outside-access-in extended permit tcp RMON 255.255.255.0 host xx.xx.xx.xx eq smtp 
access-list outside-access-in extended permit tcp Postini 255.255.0.0 host xx.xx.xx.xx eq smtp 
access-list outside-access-in extended permit udp any any eq isakmp 
access-list outside-access-in extended deny tcp any host xx.xx.xx.xx eq www 
access-list outside-access-in extended permit icmp any any echo-reply 
access-list outside-access-in extended permit icmp any any unreachable 
access-list outside-access-in extended permit icmp any any time-exceeded 
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0 
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Guest 1500
mtu management 1500
ip local pool CEA_VPN_Pool 192.168.5.10-192.168.5.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
global (Guest) 20 interface
nat (Outside) 0 access-list no-outside-nat
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (Guest) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp xx.xx.xx.xx https CEAFIN1 https netmask 255.255.255.255 
static (Inside,Outside) xx.xx.xx.xx CEAMAIL1 netmask 255.255.255.255 
static (Inside,Outside) xx.xx.xx.xx CEADC1 netmask 255.255.255.255 
access-group outside-access-in in interface Outside
route Outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route Inside 192.168.3.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server CEADC1 protocol radius
aaa-server CEADC1 (Inside) host CEADC1
 timeout 5
 key *
aaa-server CEADC2 protocol radius
aaa-server CEADC2 (Outside) host 192.168.1.14
 key *
aaa authentication enable console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
http server enable
http 192.168.5.0 255.255.255.0 Inside
http 10.10.10.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http 192.168.2.0 255.255.255.0 Inside
http redirect Outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 match address l2l_list
crypto map Outside_map 10 set peer xx.xx.xx.xx 
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity address 
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 Inside
telnet 192.168.5.0 255.255.255.0 Inside
telnet 192.168.2.0 255.255.255.0 Inside
telnet timeout 5
ssh xx.xx.xx.xx 255.255.255.255 Outside
ssh 192.168.5.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Inside
ssh 192.168.2.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd dns 4.2.2.1
!
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
ssl trust-point my.godaddy.key Outside
webvpn
 enable Outside
 svc image disk0:/sslclient-win-1.1.4.179.pkg 1
 svc enable
 customization DfltCustomization
  title text Concentric Energy Advisors WebVPN
  logout-message text Your Session has been terminated.
  logo none
 url-list CEA_Servers "Z: Drive" cifs://ceafs1/ceadata 2
 url-list CEA_Servers "Vision" http://ceafin1/vision 3
 url-list CEA_Servers "Web Mail" https://mail.ceadvisors.com 4
 url-list CEA_Servers "Intranet" http://ceaforum 5
 java-trustpoint my.godaddy.key
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions http-proxy
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list value CEA_Servers
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13 192.168.1.14
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  functions file-access file-browsing
username * encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server CEADC1 master timeout 2 retry 2
tunnel-group CEA type ipsec-ra
tunnel-group CEA general-attributes
 address-pool CEA_VPN_Pool
 authentication-server-group CEADC1
 default-group-policy CEA
tunnel-group CEA ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
smtp-server 192.168.1.11
prompt hostname context 
Cryptochecksum:ee82dc24c45f96f6b71e71f468f3b072
: end
asdm image disk0:/asdm-524.bin
asdm location CEAFIN1 255.255.255.255 Inside
no asdm history enable


0
 
LVL 3

Author Comment

by:djhath
ID: 24417692
Remote Site
: Saved
:
ASA Version 8.0(3) 
!
hostname concentric-DC-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
no names
name 192.168.2.0 DC-inside-block
name 192.168.1.12 CEAEXCH1 description CEA Exchange Server
name 192.168.1.13 CEADC1 description CEA Domain Controller
!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 description Outside
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248 
!
interface Ethernet0/0
 description Inside
 switchport access vlan 2
!
interface Ethernet0/1
 description Inside
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd * encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.13
 domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0 
access-list outside extended deny ip any any log 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq smtp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq www 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq telnet 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3389 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq https 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pop3 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp-data 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq dnsix 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq domain 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq domain 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq kerberos 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq imap4 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldap 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldaps 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq netbios-ssn 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 139 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 445 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 445 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 135 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-ns 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-dgm 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq ntp 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3268 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 389 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53211 
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53212 
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 88 
access-list inside extended deny ip any any log 
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0 
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply 
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded 
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0 
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list no-outside-nat
access-group OUTSIDE_IN_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server CEADC1 protocol radius
aaa-server CEADC1 host 192.168.1.13
 key *
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL 
http server enable
http 75.144.134.117 255.255.255.255 outside
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THREEDES esp-3des esp-sha-hmac 
crypto map DC2BOS 1 match address l2l_list
crypto map DC2BOS 1 set peer xx.xx.xx.xx
crypto map DC2BOS 1 set transform-set THREEDES
crypto map DC2BOS interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet xx.xx.xx.xx 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
 
threat-detection basic-threat
threat-detection statistics access-list
ntp server 131.216.22.17 source outside
ntp server 216.204.156.2 source outside
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  url-list value CEA_Servers
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  file-entry enable
  file-browsing enable
username * encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.1.12 timeout 2 retry 2
 nbns-server 192.168.1.13 timeout 2 retry 2
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group CEA type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:4967fd1e78dbf91d5773d3225b01204b
: end
asdm image disk0:/asdm-603.bin
no asdm history enable


0
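The two configs above carry every piece that hairpinning VPN-client traffic (192.168.5.x) through the site-to-site tunnel to 192.168.2.x depends on: the split-tunnel list, "same-security-traffic permit intra-interface", the nat 0 exemption lists on both boxes, and mirrored crypto ACL entries on both boxes (the "no translation group" drop discussed earlier in the thread is what a missing exemption on the return path looks like). The script below is an added example, not code from the thread or from Cisco: it parses those lines out of two ASA 7.x/8.0 configs and reports which of the six conditions are missing. The MAIN_CFG and REMOTE_CFG strings are constructed excerpts trimmed from the posted configs; the pool, remote LAN and split-tunnel ACL name are passed in as parameters.

```python
"""Check the pieces an ASA pair needs to hairpin remote-access VPN client
traffic out through a site-to-site tunnel.  Added example; the config
excerpts are constructed from the two configs posted in this thread."""
import ipaddress
import re

# access-list NAME extended permit ip SRC MASK DST MASK
_EXT_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
                     r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$")
# access-list NAME standard permit NET MASK   (split-tunnel lists)
_STD_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+standard\s+permit\s+"
                     r"(?P<net>\S+)\s+(?P<mask>\S+)$")
# nat (IFACE) 0 access-list NAME               (NAT exemption)
_NAT0_RE = re.compile(r"^nat\s+\([^)]+\)\s+0\s+access-list\s+(?P<acl>\S+)$")
# crypto map NAME SEQ match address NAME       (interesting-traffic ACL)
_CRYPTO_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(?P<acl>\S+)$")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect ACL entries and the nat-0 / crypto-map references to them."""
    cfg = {"ext": {}, "std": {}, "nat0": [], "crypto": [], "intra": False}
    for line in text.splitlines():
        line = line.strip()
        if m := _EXT_RE.match(line):
            cfg["ext"].setdefault(m["name"], []).append(
                (_net(m["src"], m["smask"]), _net(m["dst"], m["dmask"])))
        elif m := _STD_RE.match(line):
            cfg["std"].setdefault(m["name"], []).append(_net(m["net"], m["mask"]))
        elif m := _NAT0_RE.match(line):
            cfg["nat0"].append(m["acl"])
        elif m := _CRYPTO_RE.match(line):
            cfg["crypto"].append(m["acl"])
        elif line == "same-security-traffic permit intra-interface":
            cfg["intra"] = True
    return cfg


def _covers(cfg, acl_names, src, dst):
    """True if any referenced extended ACL has an entry containing src -> dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d)
               for name in acl_names for s, d in cfg["ext"].get(name, []))


def check_hairpin(main_cfg, remote_cfg, pool, remote_lan, split_acl):
    """Return {condition: satisfied?} for client pool -> remote LAN via the L2L tunnel."""
    pool, remote_lan = ipaddress.ip_network(pool), ipaddress.ip_network(remote_lan)
    main, remote = parse_config(main_cfg), parse_config(remote_cfg)
    return {
        # the client only tunnels what the split-tunnel list names
        "main_split_tunnel_has_remote": any(
            remote_lan.subnet_of(n) for n in main["std"].get(split_acl, [])),
        # client traffic enters and leaves the same Outside interface
        "main_intra_interface": main["intra"],
        # hub must not PAT pool->remote before encrypting it, and must select it
        "main_nat_exempt_pool_to_remote": _covers(main, main["nat0"], pool, remote_lan),
        "main_crypto_pool_to_remote": _covers(main, main["crypto"], pool, remote_lan),
        # spoke must mirror both for the return path (otherwise "no translation group")
        "remote_crypto_remote_to_pool": _covers(remote, remote["crypto"], remote_lan, pool),
        "remote_nat_exempt_remote_to_pool": _covers(remote, remote["nat0"], remote_lan, pool),
    }


def missing(results):
    """Names of the conditions that failed, sorted."""
    return sorted(k for k, ok in results.items() if not ok)


# Constructed excerpts of the two configs posted in the thread (trimmed).
MAIN_CFG = """
same-security-traffic permit intra-interface
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Outside) 0 access-list no-outside-nat
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
crypto map Outside_map 10 match address l2l_list
"""
REMOTE_CFG = """
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map DC2BOS 1 match address l2l_list
"""

if __name__ == "__main__":
    res = check_hairpin(MAIN_CFG, REMOTE_CFG, "192.168.5.0/24", "192.168.2.0/24", "CEA_splitTunnelAcl")
    for k, ok in res.items():
        print(f"{'ok     ' if ok else 'MISSING'} {k}")
```

Against the posted configs every condition is satisfied, which matches the expert's reading that the config should work; drop the 192.168.2.0 to 192.168.5.0 line from the remote l2l_list and the checker names the missing mirror entry, which is the quickest way to spot an asymmetric crypto ACL when a hub-and-spoke hairpin fails.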
 
LVL 3

Author Comment

by:djhath
ID: 24417935
Well, here's the latest.  For the hell of it, I decided to try pinging a VPN client from a host on the remote 192.168.2.x subnet.  So, I RDP'd into a host, and was able to ping myself (192.168.5.x).  Then all of a sudden, I could ping on the remote subnet.  

So, it seems to be working.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24420730
Interesting.  If you try it again after disconnecting VPN and reconnecting, can you ping 192.168.2.x?
0
 
LVL 3

Author Comment

by:djhath
ID: 24421140
Yes, I just reconnected and it's pinging OK.  I was a little wary, because the first ping timed out, but then it came back.  The ping times were a little erratic, but seemed to settle to where I expect them to be.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24421186
Good deal.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24431992
How's it working?  Still good?  Ready to close out this question?
0
