Remote Access VPN Connects, but can't access PC behind VPN

I've been trying for many hours to establish a working Remote Access VPN, but I can't get it to work.

I've used the Remote Access VPN Wizard on the ASA5505 to set up a Remote Access VPN at my office.  Using the VPN Client software from home, I'm able to connect to the VPN at the office, but I am unable to access the workstation behind the ASA.  My remote PC is assigned a remote ip from the RemoteClientPool, but I'm still unable to ping the workstation behind the VPN.  Specifically, I need to access the workstation, 192.168.1.100, on port 104.

What's missing from my configuration?

Thanks for your help!
ron

Result of the command: "show running-config"
 
: Saved
:
ASA Version 7.2(4) 
!
hostname asa1
domain-name default.domain.invalid
enable password 7esAUjZmKQSFDCZX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address OUTSIDE_IP 255.255.240.0 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
!
access-list outside_access_in extended permit tcp any host OUTSIDE_IP eq 2762 
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.192 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.192 
!
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool RemoteClientPool 192.168.3.3-192.168.3.33
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
!
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2762 192.168.1.100 2762 netmask 255.255.255.255 
access-group outside_access_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 69.50.208.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.22 inside
dhcpd dns 68.2.16.30 68.2.16.25 interface inside
dhcpd enable inside
!
 
group-policy myTunnelGroup internal
group-policy myTunnelGroup attributes
 dns-server value 68.2.16.30 68.2.16.25
 vpn-tunnel-protocol IPSec 
username user password hPAbvpuC2wFCeaM4 encrypted privilege 0
username user attributes
 vpn-group-policy myTunnelGroup
tunnel-group myTunnelGroup type ipsec-ra
tunnel-group myTunnelGroup general-attributes
 address-pool RemoteClientPool
 default-group-policy myTunnelGroup
tunnel-group myTunnelGroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:1cf0464eb017090f92fea126df22a191
: end 

ron2468Asked:

RPPreacherCommented:
Turn off the Windows Firewall on 192.168.1.100
0
ron2468Author Commented:
I just checked - it is already OFF.

That would have been so perfect!

0
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
And ASA is your default gateway on the 192.168.1.x network?
0

ron2468Author Commented:
Yes, the default gateway for the 192.168.1.0 network is the ASA itself, with IP 192.168.1.1.
0
RPPreacherCommented:
Can you ping anything (printer, switch) on the inside?
0
ron2468Author Commented:
No - absolutely not - I cannot ping anything.

Does it matter that my remote PC that I'm using to establish the connection is also behind an ASA 5505?  It shouldn't matter, right?
0
RPPreacherCommented:
Shouldn't.

Are you sure that you are making a connection?

While connected, look for your connection:

show crypto ipsec sa

0
ron2468Author Commented:
I haven't looked for it using 'show crypto ipsec sa'.

I've only seen that the remote VPN client software that I'm using to connect shows 'Connected', and when I perform an 'ipconfig /all' on my remote PC, I see that a correct pool IP has been assigned to me, and I also see that IKE & IPSEC are set to 1 in the VPN Tunnels info area of the ASDM application on the VPN box.
0
ron2468Author Commented:
Here is the result of "show crypto ipsec sa"


Result of the command: "show crypto ipsec sa"

interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 69.50.216.47

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.3/255.255.255.255/0/0)
      current_peer: 98.191.100.227, username: user
      dynamic allocated peer ip: 192.168.3.3

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 69.50.216.47, remote crypto endpt.: 98.191.100.227

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 6A02B993

    inbound esp sas:
      spi: 0x619B6527 (1637573927)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28768
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x6A02B993 (1778563475)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28768
         IV size: 8 bytes
         replay detection support: Y
0
RPPreacherCommented:
No traffic is going across


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

I'm stumped.

Maybe the other ASA is interrupting communications?  Do you manage that one also?  Can you test without the second ASA?
0
ron2468Author Commented:
Yes, I've tested the connection from another remote location, and that hasn't worked either.

I don't think I have, but do you think I may have made some type of error with the coding?  But I used the VPN wizard, so I don't see why it wouldn't work.
0
JFrederick29Commented:
The config looks good.

For grins, add this just to be sure:

conf t
crypto isakmp nat-traversal

Also make sure in the Cisco VPN client, UDP encapsulation is selected under the Transport tab.  Is there an access-list applied to the inside interface of the ASA at the remote location (the client location) that is blocking it?
0
ron2468Author Commented:
Hey!!!  I think we did it!!!   It looks like with that last command, "crypto isakmp nat-traversal" the traffic is now flowing!  Here's the connection info now:

Result of the command: "show crypto ipsec sa"
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 69.50.216.47

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.3/255.255.255.255/0/0)
      current_peer: 98.191.100.227, username: user
      dynamic allocated peer ip: 192.168.3.3

      #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
      #pkts decaps: 101, #pkts decrypt: 101, #pkts verify: 101
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 13, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 69.50.216.47/4500, remote crypto endpt.: 98.191.100.227/17354
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 237A67F2

    inbound esp sas:
      spi: 0x6E902AA2 (1854941858)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28658
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x237A67F2 (595224562)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28658
         IV size: 8 bytes
         replay detection support: Y


Why was it necessary to explicitly state that command?
0
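Added example, not part of the thread: a small Python check that reads the counters and endpoint lines from the two "show crypto ipsec sa" dumps above and turns them into a triage verdict. The embedded excerpts are constructed from the outputs posted in this thread (idle tunnel before the fix, NAT-T in use after it); the helper names are my own.

```python
import re

# Constructed excerpts modelled on the two "show crypto ipsec sa" dumps in the thread:
# the first while the tunnel was up but idle, the second after NAT-T was enabled.
SA_BEFORE = """\
      current_peer: 98.191.100.227, username: user
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local crypto endpt.: 69.50.216.47, remote crypto endpt.: 98.191.100.227
         in use settings ={RA, Tunnel, }
"""
SA_AFTER = """\
      current_peer: 98.191.100.227, username: user
      #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
      #pkts decaps: 101, #pkts decrypt: 101, #pkts verify: 101
      local crypto endpt.: 69.50.216.47/4500, remote crypto endpt.: 98.191.100.227/17354
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
"""

def parse_sa(text):
    """Pull out the fields that matter for triage: packet counters and NAT-T state."""
    info = {"encaps": 0, "decaps": 0, "nat_t": False, "udp_port": None}
    m = re.search(r"#pkts encaps:\s*(\d+)", text)
    if m:
        info["encaps"] = int(m.group(1))      # packets the ASA sent into the tunnel
    m = re.search(r"#pkts decaps:\s*(\d+)", text)
    if m:
        info["decaps"] = int(m.group(1))      # packets received from the client
    # With NAT-T the local endpoint is shown with its UDP port (4500 for NAT-T).
    m = re.search(r"local crypto endpt\.:\s*[\d.]+/(\d+)", text)
    if m:
        info["udp_port"] = int(m.group(1))
    info["nat_t"] = "NAT-T-Encaps" in text or info["udp_port"] == 4500
    return info

def diagnose(text):
    """Return a short verdict for one SA dump (hypothetical helper)."""
    sa = parse_sa(text)
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        # SA negotiated but no ESP ever crossed it: the symptom in this thread.
        if not sa["nat_t"]:
            return "tunnel up, no traffic, NAT-T not in use"
        return "tunnel up, no traffic, NAT-T in use"
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        # Client packets arrive but nothing returns: look at inside routing / NAT exemption.
        return "receiving only: client packets arrive, replies never leave the ASA"
    return "passing traffic" + (" via NAT-T" if sa["nat_t"] else "")
```

Running diagnose() over a fresh dump from the ASA's CLI gives the same three-way split the thread worked through by eye: negotiated-but-idle, one-way, or healthy.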
ron2468Author Commented:
Thank you very much for your help.
So that I can understand, why was it necessary to include the "crypto isakmp nat-traversal" command in the code?  If it is such an important line of code, as it certainly was in my case, then why isn't it automatically generated by the VPN wizard?
0
JFrederick29Commented:
I would venture to guess this is a bug as in 7.2(4), NAT-T is enabled by default. Glad to hear it is working.
0
ron2468Author Commented:
Thanks again, very much!
0