Solved

VPN clients cannot access other network subnets

Posted on 2009-05-18
45
518 Views
Last Modified: 2012-05-07
When connected to my network via a Cisco VPN connection, I am unable to connect to any other network subnets.  I can connect to my corporate subnet (192.168.1.x), but not to a remote office (192.168.2.x).  

I have a Cisco ASA 5510 firewall that hands out 192.168.5.x addresses to VPN clients.  Is this a matter of a static route that needs to be added or is this an ACL issue?  
0
Question by:djhath
45 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24413203
If you are split tunneling, it may simply be a matter of adding 192.168.2.0/24 to the split tunnel access-list.
0
 
LVL 3

Author Comment

by:djhath
ID: 24413350
The corresponding access list I have for split tunneling in my config is this:

access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

So, I added this:

access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

...connected to the VPN, attempted to ping anything on the .2.x subnet to no avail.
0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24413371
You logged off VPN and reconnected, right?

Is the remote subnet (192.168.2.0) a site to site VPN off this ASA or is it reachable via the inside?
0
 
LVL 3

Author Comment

by:djhath
ID: 24413411
Yes, I did.

The 192.168.2.0 subnet is a site-to-site VPN off this ASA, reachable on the LAN.  I also made sure that the running config was saved on the ASA after adding the command.
0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24413425
Okay, since it's a VPN off the ASA, there is more to it.

The site to site access-list needs to also include the 192.168.5.0 to 192.168.2.0 subnet on this ASA.  The remote end access-list will need to be updated to include 192.168.2.0 to 192.168.5.0.  You also may need to use a NAT0 access-list on the outside for VPN to VPN traffic depending on your NAT-control policy.
0
 
LVL 3

Author Comment

by:djhath
ID: 24413562
I thought I had done so correctly; however, it appears not.  I have attached a copy of my config:
: Saved
:
ASA Version 7.2(4)
!
hostname Marlboro-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
passwd * encrypted
names
name 64.18.0.0 Postini
name 216.148.212.0 RMON description All Covered RMON
name 192.168.1.13 CEADC1 description CEA Domain Controller
name 192.168.1.18 CEAFIN1 description Vision App Server
name 192.168.1.11 CEAMAIL1 description Exchange 2007 Server
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xx.xxx.xxx.xxx 255.255.255.240
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif Guest
 security-level 10
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Management Interface
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server CEADC1
 domain-name intranet.ceadvisors.com
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list outside-access-in extended permit tcp any host xx.xxx.xxx.xxx eq https
access-list outside-access-in extended permit tcp any host xx.xxx.xxx.xxx eq www
access-list outside-access-in extended permit tcp any host xx.xxx.xxx.xxx eq https
access-list outside-access-in extended permit icmp any any inactive
access-list outside-access-in extended permit tcp RMON 255.255.255.0 host 75.144.134.116 eq smtp
access-list outside-access-in extended permit tcp Postini 255.255.0.0 host 75.144.134.116 eq smtp
access-list outside-access-in extended permit udp any any eq isakmp
access-list outside-access-in extended deny tcp any host xx.xxx.xxx.xxx eq www
access-list outside-access-in extended permit icmp any any echo-reply
access-list outside-access-in extended permit icmp any any unreachable
access-list outside-access-in extended permit icmp any any time-exceeded
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Guest 1500
mtu management 1500
ip local pool CEA_VPN_Pool 192.168.5.10-192.168.5.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
global (Guest) 20 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (Guest) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp xx.xxx.xxx.xxx https CEAFIN1 https netmask 255.255.255.255
static (Inside,Outside) xx.xxx.xxx.xxx CEAMAIL1 netmask 255.255.255.255
static (Inside,Outside) xx.xxx.xxx.xxx CEADC1 netmask 255.255.255.255
access-group outside-access-in in interface Outside
route Outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx 1
route Inside 192.168.3.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server CEADC1 protocol radius
aaa-server CEADC1 (Inside) host CEADC1
 timeout 5
 key *
aaa-server CEADC2 protocol radius
aaa-server CEADC2 (Outside) host 192.168.1.14
 key *
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 Inside
http 10.10.10.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http 192.168.2.0 255.255.255.0 Inside
http redirect Outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 match address l2l_list
crypto map Outside_map 10 set peer xx.xx.xxx.xxx
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 Inside
telnet 192.168.5.0 255.255.255.0 Inside
telnet 192.168.2.0 255.255.255.0 Inside
telnet timeout 5
ssh xx.xx.xx.xxx 255.255.255.255 Outside
ssh 192.168.5.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Inside
ssh 192.168.2.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd dns 4.2.2.1
!
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
ssl trust-point my.godaddy.key Outside
webvpn
 enable Outside
 svc image disk0:/sslclient-win-1.1.4.179.pkg 1
 svc enable
 customization DfltCustomization
  title text Concentric Energy Advisors WebVPN
  logout-message text Your Session has been terminated.
  logo none
 url-list CEA_Servers "Z: Drive" cifs://ceafs1/ceadata 2
 url-list CEA_Servers "Vision" http://ceafin1/vision 3
 url-list CEA_Servers "Web Mail" https://mail.ceadvisors.com 4
 url-list CEA_Servers "Intranet" http://ceaforum 5
 java-trustpoint my.godaddy.key
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions http-proxy
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list value CEA_Servers
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13 192.168.1.14
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  functions file-access file-browsing
username support password JRI3BtDx/rKPMXJe encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server CEADC1 master timeout 2 retry 2
tunnel-group CEA type ipsec-ra
tunnel-group CEA general-attributes
 address-pool CEA_VPN_Pool
 authentication-server-group CEADC1
 default-group-policy CEA
tunnel-group CEA ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.xxx type ipsec-l2l
tunnel-group xx.xx.xx.xxx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
smtp-server 192.168.1.11
prompt hostname context
Cryptochecksum:efdb5a45f730ee8d0ed39ba55a56969c
: end
asdm image disk0:/asdm-524.bin
asdm location CEAFIN1 255.255.255.255 Inside
no asdm history enable


0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24413599
You've got it backwards.

Should be:

access-list l2l_list extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0

The other end of the site to site needs the inverse rule added as well:

access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
0
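
The mirror rule JFrederick29 states above (every crypto ACL entry on one peer must appear reversed on the other) is mechanical enough to check by script before touching a live tunnel. The following is an added example, not code from this thread or from Cisco: it parses `permit ip <net> <mask> <net> <mask>` entries of a named ACL from both ASAs and reports any entry whose reverse is missing on the other side. The three ACL texts are constructed from the configs posted in this thread (the hub's `l2l_list` as first posted, the hub's `l2l_list` with the corrected entry, and the remote site's `l2l_list`); the `host`/`any` keyword forms are not handled.

```python
import ipaddress
import re
from typing import List, Set, Tuple

# Constructed samples copied from this thread: the hub's l2l_list as first posted
# (second entry reversed), the hub's l2l_list after the correction, and the
# remote site's l2l_list.
HUB_ACL_BEFORE = """
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
"""
HUB_ACL_AFTER = """
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
"""
SPOKE_ACL = """
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
"""

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]

# Only the 'permit ip <net> <mask> <net> <mask>' form is parsed; that is what a
# site-to-site crypto ACL normally contains (host/any keywords are not handled).
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)$"
)


def parse_crypto_acl(text: str, name: str) -> Set[Pair]:
    """Return the (source, destination) network pairs the named ACL permits."""
    pairs: Set[Pair] = set()
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if not m or m.group("name") != name:
            continue
        src = ipaddress.IPv4Network((m.group("src"), m.group("smask")), strict=False)
        dst = ipaddress.IPv4Network((m.group("dst"), m.group("dmask")), strict=False)
        pairs.add((src, dst))
    return pairs


def unmirrored(local: Set[Pair], remote: Set[Pair]) -> List[Pair]:
    """Entries in 'local' whose exact mirror (dst -> src) is absent from 'remote'.
    Each peer describes the same protected traffic from its own side, so a hub
    entry A -> B requires a spoke entry B -> A; otherwise the proxy identities
    the two ends propose during IPsec negotiation do not match."""
    return sorted((s, d) for (s, d) in local if (d, s) not in remote)


def report(hub_text: str, spoke_text: str, name: str = "l2l_list") -> List[str]:
    """Human-readable list of mirror violations in either direction."""
    hub = parse_crypto_acl(hub_text, name)
    spoke = parse_crypto_acl(spoke_text, name)
    findings = [f"hub permits {s} -> {d} but spoke lacks {d} -> {s}"
                for s, d in unmirrored(hub, spoke)]
    findings += [f"spoke permits {s} -> {d} but hub lacks {d} -> {s}"
                 for s, d in unmirrored(spoke, hub)]
    return findings


if __name__ == "__main__":
    for label, hub in (("before fix", HUB_ACL_BEFORE), ("after fix", HUB_ACL_AFTER)):
        findings = report(hub, SPOKE_ACL)
        print(f"{label}: {len(findings)} problem(s)")
        for finding in findings:
            print("  " + finding)
```

Run against the "before" hub ACL it reports the reversed 192.168.2.0/24 -> 192.168.5.0/24 entry from both viewpoints; with the corrected entry it reports nothing, which is exactly the state the two configs later in this thread reach. The same parser can be pointed at the NAT-exempt ACLs to check that each crypto pair also has an identity-NAT entry, since the crypto ACL and the nat 0 ACL on a given side must agree on the same pairs.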
 
LVL 3

Author Comment

by:djhath
ID: 24413651
Did both and still nothin' doin' ...
0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24413670
Oops, forgot this.  Add this to the config:

same-security-traffic permit intra-interface
0
 
LVL 3

Author Comment

by:djhath
ID: 24413762
Applied the command to both firewalls and still can't hit anything on the .2.x subnet from the VPN.
0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24413808
You added the crypto ACL entry on each side, right?

Try pinging 192.168.2.x (-t) from the VPN client and do a "show log | i 192.168.5.x" (where 192.168.5.x is the IP of the VPN client doing the pinging).

Could still be a NAT issue.
0
 
LVL 3

Author Comment

by:djhath
ID: 24413973
Sure did.  I will attach the config of the remote site, as well.

%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)



: Saved
:
ASA Version 8.0(3)
!
hostname concentric-DC-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
no names
name 192.168.2.0 DC-inside-block
name 192.168.1.12 CEAEXCH1 description CEA Exchange Server
name 192.168.1.13 CEADC1 description CEA Domain Controller
!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 description Outside
 nameif outside
 security-level 0
 ip address xx.xx.xxx.xxx 255.255.255.248
!
interface Ethernet0/0
 description Inside
 switchport access vlan 2
!
interface Ethernet0/1
 description Inside
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd zX4wR0GwTwRjrWan encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.13
 domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside extended deny ip any any log
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq smtp
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq telnet
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3389
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq https
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pop3
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp-data
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq dnsix
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq domain
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq domain
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq kerberos
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq imap4
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldap
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldaps
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq netbios-ssn
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 139
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 445
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 445
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 135
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-ns
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-dgm
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq ntp
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3268
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 389
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53211
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53212
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 88
access-list inside extended deny ip any any log
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE_IN_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server CEADC1 protocol radius
aaa-server CEADC1 host 192.168.1.13
 key Pl@sma
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http xx.xxx.xxx.xxx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THREEDES esp-3des esp-sha-hmac
crypto map DC2BOS 1 match address l2l_list
crypto map DC2BOS 1 set peer xx.xxx.xxx.xxx
crypto map DC2BOS 1 set transform-set THREEDES
crypto map DC2BOS interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet xx.xxx.xxx.xxx 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh xx.xxx.xxx.xxx 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
ntp server 131.216.22.17 source outside
ntp server 216.204.156.2 source outside
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  url-list value CEA_Servers
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  file-entry enable
  file-browsing enable
username support password JRI3BtDx/rKPMXJe encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.1.12 timeout 2 retry 2
 nbns-server 192.168.1.13 timeout 2 retry 2
tunnel-group xx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
tunnel-group CEA type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a8f01800f7c03666c8819760b203ab3c
: end
asdm image disk0:/asdm-603.bin
no asdm history enable


0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24414012
Missing this from the remote config:

access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
0
 
LVL 3

Author Comment

by:djhath
ID: 24414050
Added it, still no go...  Did see this in the Syslog:

3      May 18 2009      13:04:57      305005      192.168.2.2             No translation group found for icmp src outside:192.168.5.28 dst inside:192.168.2.2 (type 8, code 0)
0
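
The two log excerpts posted in this thread are the evidence a responder would correlate: the hub's 302020/302021 lines show the VPN client's ICMP connections being built and torn down, and the remote site's 305005 row names the flow for which that ASA had neither a translation nor a NAT exemption. As an added example, not code from this thread or from Cisco, the script below parses both formats (the `%ASA-6-...` syslog form and ASDM's tabular export), tallies the connection events per flow, and flags each 305005 with the interface the traffic arrived on and the source/destination pair that lacked a NAT rule. The sample lines are constructed by copying the ones posted above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the hub's 302020/302021 messages and the remote ASA's
# 305005 row (ASDM log-viewer format), copied from this thread.
SAMPLE_LOG = """
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302020: Built inbound ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.5.28/768 gaddr 192.168.2.2/0 laddr 192.168.2.2/0 (jhathaway)
3      May 18 2009      13:04:57      305005      192.168.2.2             No translation group found for icmp src outside:192.168.5.28 dst inside:192.168.2.2 (type 8, code 0)
""".strip().splitlines()

# Message id either in syslog form (%ASA-6-302020:) or as a bare six-digit
# column in ASDM's tabular export.
MSG_ID_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}):|(?<!\S)(?P<id2>\d{6})(?!\S)")
# 302020/302021: faddr is the foreign (far) address, laddr the local one.
CONN_RE = re.compile(
    r"(?P<action>Built|Teardown) (?:inbound |outbound )?(?P<proto>\w+) connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)
# 305005: ingress interface:address and egress interface:address of the flow.
NOXLATE_RE = re.compile(
    r"No translation group found for (?P<proto>\w+) "
    r"src (?P<sif>[\w-]+):(?P<src>[\d.]+)(?:/\d+)? dst (?P<dif>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)?"
)


def message_id(line: str) -> Optional[str]:
    """Extract the six-digit ASA message id from either log format."""
    m = MSG_ID_RE.search(line)
    if not m:
        return None
    return m.group("id") or m.group("id2")


def analyze(lines: List[str]) -> Dict:
    """Tally connection build/teardown events and flag 305005 NAT failures.
    A 305005 means the ASA found neither a translation nor a NAT exemption for
    the flow; for traffic that enters and leaves through a VPN that is usually
    a missing nat 0 (identity NAT) entry on the ingress interface."""
    built = torn = 0
    flows = set()
    nat_failures = []
    for line in lines:
        mid = message_id(line)
        if mid in ("302020", "302021"):
            m = CONN_RE.search(line)
            if not m:
                continue
            flows.add((m.group("faddr"), m.group("laddr")))
            if m.group("action") == "Built":
                built += 1
            else:
                torn += 1
        elif mid == "305005":
            m = NOXLATE_RE.search(line)
            if not m:
                continue
            sif, src, dst = m.group("sif"), m.group("src"), m.group("dst")
            nat_failures.append({
                "proto": m.group("proto"),
                "src_if": sif, "src": src,
                "dst_if": m.group("dif"), "dst": dst,
                "hint": (f"no NAT rule or exemption on {sif} for {src} -> {dst}; "
                         f"a nat ({sif}) 0 access-list entry covering that pair exempts it"),
            })
    return {"built": built, "torn_down": torn,
            "flows": sorted(flows), "nat_failures": nat_failures}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"built={result['built']} torn_down={result['torn_down']} flows={result['flows']}")
    for failure in result["nat_failures"]:
        print("305005:", failure["hint"])
```

On the sample the hub side shows three connections built and four torn down for the single flow 192.168.5.28 -> 192.168.2.2, while the remote side reports one 305005 for that same pair arriving on `outside`, which is the condition a `nat (outside) 0` exemption covering 192.168.5.0/24 -> 192.168.2.0/24 on the remote ASA addresses.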
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24414086
Add this:

conf t
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (outside) 0 access-list no-outside-nat
0
 
LVL 3

Author Comment

by:djhath
ID: 24414096
To both configs?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414104
Sorry, to the remote config.
0
 
LVL 3

Author Comment

by:djhath
ID: 24414172
Still nothing...  And I am making sure that I disconnect and reconnect the VPN each time before trying.
0
 
LVL 3

Author Comment

by:djhath
ID: 24414180
Would you like updated configs attached?
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414201
Yes, please.
0
 
LVL 3

Author Comment

by:djhath
ID: 24414296
Main site attached:
: Saved
:
ASA Version 7.2(4)
!
hostname Marlboro-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
passwd * encrypted
names
name 64.18.0.0 Postini
name 216.148.212.0 RMON description All Covered RMON
name 192.168.1.13 CEADC1 description CEA Domain Controller
name 192.168.1.18 CEAFIN1 description Vision App Server
name 192.168.1.11 CEAMAIL1 description Exchange 2007 Server
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.240
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif Guest
 security-level 10
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Management Interface
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server CEADC1
 domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq https
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq www
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq https
access-list outside-access-in extended permit icmp any any inactive
access-list outside-access-in extended permit tcp RMON 255.255.255.0 host xx.xx.xx.xx eq smtp
access-list outside-access-in extended permit tcp Postini 255.255.0.0 host xx.xx.xx.xx eq smtp
access-list outside-access-in extended permit udp any any eq isakmp
access-list outside-access-in extended deny tcp any host xx.xx.xx.xx eq www
access-list outside-access-in extended permit icmp any any echo-reply
access-list outside-access-in extended permit icmp any any unreachable
access-list outside-access-in extended permit icmp any any time-exceeded
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Guest 1500
mtu management 1500
ip local pool CEA_VPN_Pool 192.168.5.10-192.168.5.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
global (Guest) 20 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (Guest) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp xx.xx.xx.xx https CEAFIN1 https netmask 255.255.255.255
static (Inside,Outside) xx.xx.xx.xx CEAMAIL1 netmask 255.255.255.255
static (Inside,Outside) xx.xx.xx.xx CEADC1 netmask 255.255.255.255
access-group outside-access-in in interface Outside
route Outside 0.0.0.0 0.0.0.0 75.144.134.126 1
route Inside 192.168.3.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server CEADC1 protocol radius
aaa-server CEADC1 (Inside) host CEADC1
 timeout 5
 key *
aaa-server CEADC2 protocol radius
aaa-server CEADC2 (Outside) host 192.168.1.14
 key *
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 Inside
http 10.10.10.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http 192.168.2.0 255.255.255.0 Inside
http redirect Outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 match address l2l_list
crypto map Outside_map 10 set peer xx.xx.xx.xx
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 Inside
telnet 192.168.5.0 255.255.255.0 Inside
telnet 192.168.2.0 255.255.255.0 Inside
telnet timeout 5
ssh xx.xx.xx.xx 255.255.255.255 Outside
ssh 192.168.5.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Inside
ssh 192.168.2.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd dns 4.2.2.1
!
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
ssl trust-point my.godaddy.key Outside
webvpn
 enable Outside
 svc image disk0:/sslclient-win-1.1.4.179.pkg 1
 svc enable
 customization DfltCustomization
  title text Concentric Energy Advisors WebVPN
  logout-message text Your Session has been terminated.
  logo none
 url-list CEA_Servers "Z: Drive" cifs://ceafs1/ceadata 2
 url-list CEA_Servers "Vision" http://ceafin1/vision 3
 url-list CEA_Servers "Web Mail" https://mail.ceadvisors.com 4
 url-list CEA_Servers "Intranet" http://ceaforum 5
 java-trustpoint my.godaddy.key
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions http-proxy
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list value CEA_Servers
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13 192.168.1.14
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  functions file-access file-browsing
username * password * encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server CEADC1 master timeout 2 retry 2
tunnel-group CEA type ipsec-ra
tunnel-group CEA general-attributes
 address-pool CEA_VPN_Pool
 authentication-server-group CEADC1
 default-group-policy CEA
tunnel-group CEA ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group 67.62.134.115 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
smtp-server 192.168.1.11
prompt hostname context
Cryptochecksum:ebbcf1fb10df0e7bd107907d326fe5f6
: end
asdm image disk0:/asdm-524.bin

asdm location CEAFIN1 255.255.255.255 Inside

no asdm history enable


0
 
LVL 3

Author Comment

by:djhath
ID: 24414332
Remote site attached

: Saved
:
ASA Version 8.0(3)
!
hostname concentric-DC-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
no names
name 192.168.2.0 DC-inside-block
name 192.168.1.12 CEAEXCH1 description CEA Exchange Server
name 192.168.1.13 CEADC1 description CEA Domain Controller
!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 description Outside
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248
!
interface Ethernet0/0
 description Inside
 switchport access vlan 2
!
interface Ethernet0/1
 description Inside
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd * encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.13
 domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside extended deny ip any any log
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq smtp
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq telnet
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3389
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq https
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pop3
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp-data
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq dnsix
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq domain
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq domain
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq kerberos
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq imap4
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldap
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldaps
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq netbios-ssn
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 139
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 445
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 445
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 135
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-ns
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-dgm
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq ntp
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3268
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 389
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53211
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53212
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 88
access-list inside extended deny ip any any log
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list no-outside-nat
access-group OUTSIDE_IN_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 67.62.134.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server CEADC1 protocol radius
aaa-server CEADC1 host 192.168.1.13
 key *
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
http xx.xx.xx.xx 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THREEDES esp-3des esp-sha-hmac
crypto map DC2BOS 1 match address l2l_list
crypto map DC2BOS 1 set peer xx.xx.xx.xx
crypto map DC2BOS 1 set transform-set THREEDES
crypto map DC2BOS interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet xx.xx.xx.xx 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
ntp server 131.216.22.17 source outside
ntp server 216.204.156.2 source outside
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  url-list value CEA_Servers
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  file-entry enable
  file-browsing enable
username * password * encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.1.12 timeout 2 retry 2
 nbns-server 192.168.1.13 timeout 2 retry 2
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group CEA type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a8f01800f7c03666c8819760b203ab3c
: end
asdm image disk0:/asdm-603.bin
no asdm history enable


0

 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414387
Try to ping something on the 192.168.2.0/24 subnet other than the ASA inside interface.  Still getting the same syslog entries?
0
 
LVL 3

Author Comment

by:djhath
ID: 24414442
192.168.2.2 is a server that resides on that site.  

I'll try pinging 192.168.2.3, which is a network printer.

From syslog:

3      May 18 2009      13:34:23      305005      192.168.2.3             No translation group found for icmp src outside:192.168.5.28 dst inside:192.168.2.3 (type 8, code 0)
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414456
Which Firewall is that syslog message from?
0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24414473
Never mind, assuming the main office based on your logging config:

Add this to the main ASA, also:

conf t
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (Outside) 0 access-list no-outside-nat
0
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 500 total points
ID: 24414521
Sorry, to keep mixing things up but add this as well to the main ASA:

access-list Inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0


This may be the only thing required regarding NAT.
0
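The two conditions JFrederick29 keeps checking (a NAT-exemption ACL that covers the VPN-pool-to-remote-site flow, and crypto ACLs that mirror each other on both ends) can be verified mechanically against the config lines posted in this thread. The script below is an added example and is not from the thread or from Cisco; the config fragments it carries are constructed from the posted configs (the main site's l2l_list entries are taken from its "show cry ipsec sa" output, and its nat (Inside) 0 binding is assumed from the discussion, since that line is not in the excerpt). It assumes the documented behaviour of "nat (iface) 0 access-list": the exemption is bidirectional, so an entry bound to the inside interface written as inside-net to remote-net also exempts traffic arriving from the outside toward inside-net.

```python
import ipaddress
import re

# Constructed sample, assembled from lines posted in this thread: the NAT-exemption,
# crypto and "nat ... 0" lines of the main (ASA 7.2) and remote (ASA 8.0) configs.
# The main site's l2l_list entries come from its "show cry ipsec sa" output and its
# nat (Inside) 0 binding is assumed from the discussion; everything else is omitted.
MAIN_SITE = """
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
"""

REMOTE_SITE = """
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
nat (outside) 0 access-list no-outside-nat
"""

# Constructed copy of the %ASA-3-305005 text the remote site logged.
SYSLOG_305005 = ("No translation group found for icmp src outside:192.168.5.28 "
                 "dst inside:192.168.2.3 (type 8, code 0)")

IP = r"(\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(rf"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+{IP}\s+{IP}\s+{IP}\s+{IP}\s*$")
NAT0_RE = re.compile(r"^nat\s+\((\S+)\)\s+0\s+access-list\s+(\S+)\s*$")
MSG_RE = re.compile(r"No translation group found for (\w+) src (\w+):([\d.]+) dst (\w+):([\d.]+)")


def parse_acls(config):
    """Map ACL name -> list of (src_net, dst_net) for 'extended permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
    return acls


def parse_nat0(config):
    """Map interface name (lower-cased) -> NAT-exemption ACL bound with 'nat (iface) 0'."""
    return {m.group(1).lower(): m.group(2)
            for m in (NAT0_RE.match(l.strip()) for l in config.splitlines()) if m}


def acl_permits(entries, src, dst):
    """True if any (src_net, dst_net) entry covers the src -> dst pair."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in entries)


def parse_305005(msg):
    """Extract (proto, src_if, src_ip, dst_if, dst_ip) from a 305005 message body."""
    m = MSG_RE.search(msg)
    if not m:
        raise ValueError("not a 305005 message")
    proto, src_if, src_ip, dst_if, dst_ip = m.groups()
    return proto, src_if.lower(), src_ip, dst_if.lower(), dst_ip


def nat_exempt(config, src_if, src_ip, dst_if, dst_ip):
    """True if a nat 0 ACL on either interface covers this flow.

    Assumption: NAT exemption is bidirectional, so a rule bound to dst_if written
    as dst_ip -> src_ip also exempts the packet arriving on src_if.
    """
    acls, nat0 = parse_acls(config), parse_nat0(config)
    forward = src_if in nat0 and acl_permits(acls.get(nat0[src_if], []), src_ip, dst_ip)
    reverse = dst_if in nat0 and acl_permits(acls.get(nat0[dst_if], []), dst_ip, src_ip)
    return forward or reverse


def unmirrored(local_entries, peer_entries):
    """Crypto-ACL entries on one side with no mirror-image entry on the peer."""
    peer = {(d, s) for s, d in peer_entries}
    return [(s, d) for s, d in local_entries if (s, d) not in peer]


def check_syslog(config, msg):
    """Does this ASA's config exempt the flow a 305005 message complained about?"""
    _, src_if, src_ip, dst_if, dst_ip = parse_305005(msg)
    return nat_exempt(config, src_if, src_ip, dst_if, dst_ip)


if __name__ == "__main__":
    print("remote exempts logged flow:", check_syslog(REMOTE_SITE, SYSLOG_305005))
    main_l2l = parse_acls(MAIN_SITE)["l2l_list"]
    remote_l2l = parse_acls(REMOTE_SITE)["l2l_list"]
    print("main entries without mirror:", unmirrored(main_l2l, remote_l2l))
    print("remote entries without mirror:", unmirrored(remote_l2l, main_l2l))
```

Run against the posted fragments, the check reports that the remote ASA's NO-NAT and no-outside-nat ACLs both cover the 192.168.5.28 to 192.168.2.3 flow and that the two l2l_list ACLs mirror each other, which is the same conclusion JFrederick29 reaches by eye. The value of scripting it is the negative case: when a flow from a 305005 message comes back not exempt, the missing ACL entry or missing nat 0 binding is the explanation, and the interface the packet arrived on tells you which side of the binding to add.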
 
LVL 3

Author Comment

by:djhath
ID: 24414531
I added those commands to main office config.

Still nothing - this Syslog is from the remote site:

3      May 18 2009      13:41:16      305005      192.168.2.3             No translation group found for icmp src outside:192.168.5.28 dst inside:192.168.2.3 (type 8, code 0)
0
 
LVL 3

Author Comment

by:djhath
ID: 24414567
Just added the Inside_nat0_outbound ACL change, still nothing...

Still generating the same from the remote site syslog:

3      May 18 2009      13:44:34      305005      192.168.2.3             No translation group found for icmp src outside:192.168.5.28 dst inside:192.168.2.3 (type 8, code 0)
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414691
Can you ping the other way?
0
 
LVL 3

Author Comment

by:djhath
ID: 24414764
I can ping 192.168.5.28 (VPN client) from my main site LAN (192.168.1.x), but not from the remote site (192.168.2.x)
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24414836
Try removing the "nat (outside) 0" config from both Firewalls and try again.  I'm about stumped as this should be working.

192.168.2.1 is the default gateway for the 192.168.2.1 hosts, right? Or is it something else?
0
 
LVL 3

Author Comment

by:djhath
ID: 24414981
Yes, 192.168.2.1 is the default gateway for the hosts on that subnet.  

I just removed the nat (Outside) command from both firewalls and the lan-2-lan tunnel has dropped.

0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415029
The nat (outside) you just added?  Nice...

Really not much to this so not sure why it's not working...see below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml#notes

Can you post a "show cry ipsec sa" from both ASA's.
0
 
LVL 3

Author Comment

by:djhath
ID: 24415078
Alright, the tunnel dropped because I removed the wrong command.  I removed the nat (inside) 0 statement on the main site firewall, thinking I had applied it to the wrong interface.  

I removed the nat (outside) 0 statement and reapplied on both firewalls, still nothing.

Here is the result of the show cry ipsec sa from the main site:

Result of the command: "show cry ipsec sa"

interface: Outside
    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.27/255.255.255.255/0/0)
      current_peer: 209.6.174.244, username: nstandish
      dynamic allocated peer ip: 192.168.5.27

      #pkts encaps: 44379, #pkts encrypt: 44391, #pkts digest: 44391
      #pkts decaps: 50328, #pkts decrypt: 50328, #pkts verify: 50328
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 44379, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 12, #pre-frag failures: 0, #fragments created: 24
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 24
      #send errors: 0, #recv errors: 15

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 209.6.174.244/1099
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 0EA2DE6A

    inbound esp sas:
      spi: 0xE554A279 (3847529081)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 459, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 10581
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x0EA2DE6A (245554794)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 459, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 10581
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.20/255.255.255.255/0/0)
      current_peer: 66.30.186.113, username: bhevert
      dynamic allocated peer ip: 192.168.5.20

      #pkts encaps: 54343, #pkts encrypt: 54411, #pkts digest: 54411
      #pkts decaps: 47518, #pkts decrypt: 47518, #pkts verify: 47518
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 54343, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 68, #pre-frag failures: 0, #fragments created: 136
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 136
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 66.30.186.113/1117
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: C0C1C42F

    inbound esp sas:
      spi: 0xB76949A2 (3077130658)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 444, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 22151
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xC0C1C42F (3233924143)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 444, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 22151
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_map, seq num: 10, local addr: 75.144.134.114

      access-list l2l_list permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 67.62.134.115

      #pkts encaps: 41023427, #pkts encrypt: 41023427, #pkts digest: 41023427
      #pkts decaps: 36586431, #pkts decrypt: 36586431, #pkts verify: 36586431
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 41023427, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 2
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114, remote crypto endpt.: 67.62.134.115

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 25220048

    inbound esp sas:
      spi: 0x11CF477F (298796927)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 207, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4080057/10205)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x25220048 (622985288)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 207, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4034235/10205)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_map, seq num: 10, local addr: 75.144.134.114

      access-list l2l_list permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 67.62.134.115

      #pkts encaps: 640, #pkts encrypt: 640, #pkts digest: 640
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 640, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114, remote crypto endpt.: 67.62.134.115

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 6290EBC8

    inbound esp sas:
      spi: 0x24A0F22A (614527530)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 207, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/21628)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x6290EBC8 (1653664712)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 207, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4274962/21628)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.28/255.255.255.255/0/0)
      current_peer: 71.233.179.11, username: jhathaway
      dynamic allocated peer ip: 192.168.5.28

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 71.233.179.11/3193
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: D69D9F8F

    inbound esp sas:
      spi: 0x32232C59 (841165913)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 482, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 28755
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xD69D9F8F (3600654223)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 482, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 28755
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.25/255.255.255.255/0/0)
      current_peer: 71.243.55.86, username: coneill
      dynamic allocated peer ip: 192.168.5.25

      #pkts encaps: 32327, #pkts encrypt: 32345, #pkts digest: 32345
      #pkts decaps: 31203, #pkts decrypt: 31203, #pkts verify: 31203
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 32327, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 18, #pre-frag failures: 0, #fragments created: 36
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 36
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 71.243.55.86/4442
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 97613F89

    inbound esp sas:
      spi: 0x617BFDC6 (1635515846)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 458, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 8586
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x97613F89 (2539732873)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 458, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 8586
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.29/255.255.255.255/0/0)
      current_peer: 76.120.2.95, username: lquilici
      dynamic allocated peer ip: 192.168.5.29

      #pkts encaps: 465, #pkts encrypt: 465, #pkts digest: 465
      #pkts decaps: 793, #pkts decrypt: 793, #pkts verify: 793
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 465, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 76.120.2.95/2344
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: D004F310

    inbound esp sas:
      spi: 0xAE114735 (2920367925)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 481, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 27993
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xD004F310 (3489985296)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 481, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 27993
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 75.144.134.114

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.26/255.255.255.255/0/0)
      current_peer: 76.179.71.136, username: bhopkins
      dynamic allocated peer ip: 192.168.5.26

      #pkts encaps: 7572, #pkts encrypt: 7593, #pkts digest: 7593
      #pkts decaps: 8968, #pkts decrypt: 8968, #pkts verify: 8968
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7572, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 21, #pre-frag failures: 0, #fragments created: 42
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 42
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 75.144.134.114/4500, remote crypto endpt.: 76.179.71.136/2474
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 74127397

    inbound esp sas:
      spi: 0xD7F2DE8A (3623018122)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 457, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 26599
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x74127397 (1947366295)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 457, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 26599
         IV size: 8 bytes
         replay detection support: Y

From the remote site:

Result of the command: "sh cry ipsec sa"

interface: outside
    Crypto map tag: DC2BOS, seq num: 1, local addr: 67.62.134.115

      access-list l2l_list permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      current_peer: 75.144.134.114

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 655, #pkts decrypt: 655, #pkts verify: 655
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 67.62.134.115, remote crypto endpt.: 75.144.134.114

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 24A0F22A

    inbound esp sas:
      spi: 0x6290EBC8 (1653664712)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: DC2BOS
         sa timing: remaining key lifetime (kB/sec): (3824961/21541)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x24A0F22A (614527530)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: DC2BOS
         sa timing: remaining key lifetime (kB/sec): (3825000/21541)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: DC2BOS, seq num: 1, local addr: 67.62.134.115

      access-list l2l_list permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 75.144.134.114

      #pkts encaps: 36593992, #pkts encrypt: 36593992, #pkts digest: 36593992
      #pkts decaps: 41027877, #pkts decrypt: 41027877, #pkts verify: 41027877
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 36593992, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 67.62.134.115, remote crypto endpt.: 75.144.134.114

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 11CF477F

    inbound esp sas:
      spi: 0x25220048 (622985288)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: DC2BOS
         sa timing: remaining key lifetime (kB/sec): (3583201/10121)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x11CF477F (298796927)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: DC2BOS
         sa timing: remaining key lifetime (kB/sec): (3629068/10121)
         IV size: 8 bytes
         replay detection support: Y
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415153
Okay, so the traffic is good to the remote Firewall (kind of already knew that) but there is no return traffic (because the ASA is dropping traffic due to "no translation group").  Can you afford to "wr mem" and "reload" the remote ASA?  This should be working based on your config.
0
 
LVL 3

Author Comment

by:djhath
ID: 24415194
Well, having pulled my Joe Maddon baseball card out (from last night, in case you're a baseball fan), and already dropped the tunnel on them once, I think I'll wait until this evening to reboot the remote firewall.

I will advise on how that works out after the reboot.

And before I forget, I'm very appreciative of all of your help so far!  Thank you.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24415208
No prob.  Drives me insane that it's not working <8-]
0
 
LVL 3

Author Comment

by:djhath
ID: 24417683
Alright, I rebooted the firewall and I still can't ping on the 192.168.2.x subnet from a VPN client.  I'm going to attach the current configs just for the hell of it.

Main Site:
: Saved
:
ASA Version 7.2(4)
!
hostname Marlboro-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
passwd * encrypted
names
name 64.18.0.0 Postini
name 216.148.212.0 RMON description All Covered RMON
name 192.168.1.13 CEADC1 description CEA Domain Controller
name 192.168.1.18 CEAFIN1 description Vision App Server
name 192.168.1.11 CEAMAIL1 description Exchange 2007 Server
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.240
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
 nameif Guest
 security-level 10
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 description Management Interface
 nameif management
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 management-only
!
boot system disk0:/asa724-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server CEADC1
 domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq https
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq www
access-list outside-access-in extended permit tcp any host xx.xx.xx.xx eq https
access-list outside-access-in extended permit icmp any any inactive
access-list outside-access-in extended permit tcp RMON 255.255.255.0 host xx.xx.xx.xx eq smtp
access-list outside-access-in extended permit tcp Postini 255.255.0.0 host xx.xx.xx.xx eq smtp
access-list outside-access-in extended permit udp any any eq isakmp
access-list outside-access-in extended deny tcp any host xx.xx.xx.xx eq www
access-list outside-access-in extended permit icmp any any echo-reply
access-list outside-access-in extended permit icmp any any unreachable
access-list outside-access-in extended permit icmp any any time-exceeded
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu Guest 1500
mtu management 1500
ip local pool CEA_VPN_Pool 192.168.5.10-192.168.5.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 10 interface
global (Guest) 20 interface
nat (Outside) 0 access-list no-outside-nat
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10 0.0.0.0 0.0.0.0
nat (Guest) 10 0.0.0.0 0.0.0.0
nat (management) 10 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp xx.xx.xx.xx https CEAFIN1 https netmask 255.255.255.255
static (Inside,Outside) xx.xx.xx.xx CEAMAIL1 netmask 255.255.255.255
static (Inside,Outside) xx.xx.xx.xx CEADC1 netmask 255.255.255.255
access-group outside-access-in in interface Outside
route Outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route Inside 192.168.3.0 255.255.255.0 192.168.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server CEADC1 protocol radius
aaa-server CEADC1 (Inside) host CEADC1
 timeout 5
 key *
aaa-server CEADC2 protocol radius
aaa-server CEADC2 (Outside) host 192.168.1.14
 key *
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 Inside
http 10.10.10.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Inside
http 192.168.2.0 255.255.255.0 Inside
http redirect Outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 10 match address l2l_list
crypto map Outside_map 10 set peer xx.xx.xx.xx
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet 192.168.1.0 255.255.255.0 Inside
telnet 192.168.5.0 255.255.255.0 Inside
telnet 192.168.2.0 255.255.255.0 Inside
telnet timeout 5
ssh xx.xx.xx.xx 255.255.255.255 Outside
ssh 192.168.5.0 255.255.255.0 Inside
ssh 192.168.1.0 255.255.255.0 Inside
ssh 192.168.2.0 255.255.255.0 Inside
ssh timeout 5
console timeout 0
management-access Inside
dhcpd dns 4.2.2.1
!
ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 des-sha1 rc4-md5
ssl trust-point my.godaddy.key Outside
webvpn
 enable Outside
 svc image disk0:/sslclient-win-1.1.4.179.pkg 1
 svc enable
 customization DfltCustomization
  title text Concentric Energy Advisors WebVPN
  logout-message text Your Session has been terminated.
  logo none
 url-list CEA_Servers "Z: Drive" cifs://ceafs1/ceadata 2
 url-list CEA_Servers "Vision" http://ceafin1/vision 3
 url-list CEA_Servers "Web Mail" https://mail.ceadvisors.com 4
 url-list CEA_Servers "Intranet" http://ceaforum 5
 java-trustpoint my.godaddy.key
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions http-proxy
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list value CEA_Servers
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13 192.168.1.14
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  functions file-access file-browsing
username * encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server CEADC1 master timeout 2 retry 2
tunnel-group CEA type ipsec-ra
tunnel-group CEA general-attributes
 address-pool CEA_VPN_Pool
 authentication-server-group CEADC1
 default-group-policy CEA
tunnel-group CEA ipsec-attributes
 pre-shared-key *
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
smtp-server 192.168.1.11
prompt hostname context
Cryptochecksum:ee82dc24c45f96f6b71e71f468f3b072
: end
asdm image disk0:/asdm-524.bin
asdm location CEAFIN1 255.255.255.255 Inside
no asdm history enable


0
 
LVL 3

Author Comment

by:djhath
ID: 24417692
Remote Site
: Saved
:
ASA Version 8.0(3)
!
hostname concentric-DC-ASA
domain-name intranet.ceadvisors.com
enable password * encrypted
no names
name 192.168.2.0 DC-inside-block
name 192.168.1.12 CEAEXCH1 description CEA Exchange Server
name 192.168.1.13 CEADC1 description CEA Domain Controller
!
interface Vlan1
 description Inside
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 description Outside
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.248
!
interface Ethernet0/0
 description Inside
 switchport access vlan 2
!
interface Ethernet0/1
 description Inside
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd * encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EST recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.1.13
 domain-name intranet.ceadvisors.com
same-security-traffic permit intra-interface
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside extended deny ip any any log
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq smtp
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq www
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq telnet
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3389
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq https
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pop3
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ftp-data
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq dnsix
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq domain
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq domain
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq kerberos
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq imap4
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldap
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq ldaps
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq pptp
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq netbios-ssn
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 139
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 445
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 445
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 135
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-ns
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq netbios-dgm
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq ntp
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 3268
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 389
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53211
access-list inside extended permit tcp 192.168.2.0 255.255.255.0 any eq 53212
access-list inside extended permit udp 192.168.2.0 255.255.255.0 any eq 88
access-list inside extended deny ip any any log
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
access-list OUTSIDE_IN_ACL extended permit icmp any any time-exceeded
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging console debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list no-outside-nat
access-group OUTSIDE_IN_ACL in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server CEADC1 protocol radius
aaa-server CEADC1 host 192.168.1.13
 key *
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL
http server enable
http 75.144.134.117 255.255.255.255 outside
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set THREEDES esp-3des esp-sha-hmac
crypto map DC2BOS 1 match address l2l_list
crypto map DC2BOS 1 set peer xx.xx.xx.xx
crypto map DC2BOS 1 set transform-set THREEDES
crypto map DC2BOS interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet xx.xx.xx.xx 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 inside
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
ntp server 131.216.22.17 source outside
ntp server 216.204.156.2 source outside
webvpn
 enable outside
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  url-list value CEA_Servers
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy CEA internal
group-policy CEA attributes
 dns-server value 192.168.1.13
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CEA_splitTunnelAcl
 default-domain value intranet.ceadvisors.com
 webvpn
  file-entry enable
  file-browsing enable
username * encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group CEADC1
 default-group-policy CEA
 authorization-dn-attributes use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 nbns-server 192.168.1.12 timeout 2 retry 2
 nbns-server 192.168.1.13 timeout 2 retry 2
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx ipsec-attributes
 pre-shared-key *
tunnel-group CEA type remote-access
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4967fd1e78dbf91d5773d3225b01204b
: end
asdm image disk0:/asdm-603.bin
no asdm history enable


0
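The two configs posted above together have to satisfy a symmetric set of statements for a VPN client in the 192.168.5.x pool to reach the 192.168.2.x site: the main ASA's crypto-map ACL, its outside-interface NAT exemption, its split-tunnel list and `same-security-traffic permit intra-interface`, plus the mirror-image crypto-map ACL and inside NAT exemption on the remote ASA. The following is an added example, not code from the thread or from Cisco, that parses just those statements out of both configs and reports which requirement is missing. The excerpts embedded in it are constructed from lines quoted in the two posts (the relevant subset, not the full configs); the parser only understands the pre-8.3 `nat (iface) 0 access-list` syntax both firewalls use.

```python
"""Added example (not from the thread): verify that a VPN-client address pool can
hairpin through a site-to-site tunnel on the same ASA, by checking the statements
discussed above on both firewalls.  The config excerpts are constructed from the
lines quoted in the thread; parsing covers the pre-8.3 'nat (iface) 0' syntax."""
from __future__ import annotations

import ipaddress
import re

Net = ipaddress.IPv4Network

MAIN_SITE = """\
same-security-traffic permit intra-interface
access-list CEA_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list CEA_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-outside-nat extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool CEA_VPN_Pool 192.168.5.10-192.168.5.50 mask 255.255.255.0
nat (Outside) 0 access-list no-outside-nat
crypto map Outside_map 10 match address l2l_list
group-policy CEA attributes
 split-tunnel-network-list value CEA_splitTunnelAcl
"""

REMOTE_SITE = """\
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO-NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
crypto map DC2BOS 1 match address l2l_list
"""

_EXT = re.compile(r"^access-list (\S+) extended permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)")
_STD = re.compile(r"^access-list (\S+) standard permit ([\d.]+) ([\d.]+)")
_CRYPTO = re.compile(r"^crypto map \S+ \d+ match address (\S+)")
_NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
_SPLIT = re.compile(r"^\s*split-tunnel-network-list value (\S+)")
_POOL = re.compile(r"^ip local pool \S+ ([\d.]+)-[\d.]+ mask ([\d.]+)")


def _net(addr: str, mask: str) -> Net:
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_asa(text: str) -> dict:
    """Collect only the statements the hairpin check depends on."""
    cfg = {"ext": {}, "std": {}, "crypto_acls": set(), "nat0": {},
           "split_acls": set(), "pools": [], "intra_interface": False}
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := _EXT.match(line):
            cfg["ext"].setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := _STD.match(line):
            cfg["std"].setdefault(m[1], []).append(_net(m[2], m[3]))
        elif m := _CRYPTO.match(line):
            cfg["crypto_acls"].add(m[1])
        elif m := _NAT0.match(line):
            cfg["nat0"][m[1].lower()] = m[2]          # interface name -> exempt ACL
        elif m := _SPLIT.match(line):
            cfg["split_acls"].add(m[1])
        elif m := _POOL.match(line):
            cfg["pools"].append(_net(m[1], m[2]))     # pool's containing network
        elif line == "same-security-traffic permit intra-interface":
            cfg["intra_interface"] = True
    return cfg


def _covers(pairs, src: Net, dst: Net) -> bool:
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)


def check_hairpin(main: dict, remote: dict, pool: Net, remote_net: Net,
                  main_outside: str = "outside", remote_inside: str = "inside") -> dict:
    """Each requirement named in the thread, True when the configs satisfy it."""
    m_ext, r_ext = main["ext"], remote["ext"]
    nat0_out = m_ext.get(main["nat0"].get(main_outside.lower(), ""), [])
    nat0_in = r_ext.get(remote["nat0"].get(remote_inside.lower(), ""), [])
    return {
        "main: crypto ACL pool->remote":
            any(_covers(m_ext.get(a, []), pool, remote_net) for a in main["crypto_acls"]),
        "main: nat 0 on outside pool->remote": _covers(nat0_out, pool, remote_net),
        "main: split-tunnel ACL includes remote":
            any(remote_net.subnet_of(n) for a in main["split_acls"] for n in main["std"].get(a, [])),
        "main: same-security-traffic permit intra-interface": main["intra_interface"],
        "remote: crypto ACL remote->pool":
            any(_covers(r_ext.get(a, []), remote_net, pool) for a in remote["crypto_acls"]),
        "remote: nat 0 on inside remote->pool": _covers(nat0_in, remote_net, pool),
    }


def missing_requirements(main_text: str, remote_text: str, remote_net: str) -> list[str]:
    """Names of the checks that fail for the first address pool on the main ASA."""
    main, remote = parse_asa(main_text), parse_asa(remote_text)
    results = check_hairpin(main, remote, main["pools"][0], ipaddress.IPv4Network(remote_net))
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    print(missing_requirements(MAIN_SITE, REMOTE_SITE, "192.168.2.0/24") or "all requirements present")
```

Run against the two excerpts as posted the check comes back empty, which matches the expert's reading that the configs should already work; dropping the remote side's `192.168.2.0 -> 192.168.5.0` crypto-map entry, or the main side's `nat (Outside) 0` line, makes the corresponding requirement show up as missing. The crypto-map match is done with subnet containment rather than exact string comparison, so a broader entry that already covers the pool counts as satisfying it.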
 
LVL 3

Author Comment

by:djhath
ID: 24417935
Well, here's the latest.  For the hell of it, I decided to try pinging a VPN client from a host on the remote 192.168.2.x subnet.  So, I RDP'd into a host, and was able to ping myself (192.168.5.x).  Then all of a sudden, I could ping on the remote subnet.  

So, it seems to be working.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24420730
Interesting.  If you try it again after disconnecting VPN and reconnecting, can you ping 192.168.2.x?
0
 
LVL 3

Author Comment

by:djhath
ID: 24421140
Yes, I just reconnected and it's pinging OK.  I was a little wary, because the first ping timed out, but then it came back.  The ping times were a little erratic, but seemed to settle to where I expect them to be.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24421186
Good deal.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24431992
How's it working?  Still good?  Ready to close out this question?
0
