Cisco ASA 5505 VPN established, but not working?

Posted on 2009-06-28
Last Modified: 2012-05-07
I can establish a VPN connection to a Cisco ASA 5505 with no issues, but cannot communicate on the network. Cannot ping the gateway or any address inside. I've checked everything I can think of and nothing stands out, but I am getting the following in the log after I've connected.

1      20:05:18.578  06/28/09  Sev=Warning/2      CVPND/0xE3400013
AddRoute failed to add a route: code 87
      Destination      192.168.2.255
      Netmask      255.255.255.255
      Gateway      192.168.1.1
      Interface      192.168.1.125

2      20:05:18.578  06/28/09  Sev=Warning/2      CM/0xA3100024
Unable to add route. Network: c0a802ff, Netmask: ffffffff, Interface: c0a8017d, Gateway: c0a80101.
Question by:cwelectric
Expert Comment by lrmoore, ID: 24733232
Can you post your ASA config?
Looks like split-tunnel config, nat0 config, or overlapping IP subnets, or nat-traversal
Author Comment by cwelectric, ID: 24742000
Config is basically default. The only thing I modified would have been the DHCP scope and configuring the VPN via the wizard. Here it is, anyway.

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN-Pool2 192.168.1.125-192.168.1.130 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.50-192.168.1.100 inside
dhcpd enable inside
!

group-policy Home internal
group-policy Home attributes
 vpn-tunnel-protocol IPSec
username xxxx password yGJT5lXsKVS8LE9b encrypted privilege 0
username xxxx attributes
 vpn-group-policy Home
tunnel-group Home type ipsec-ra
tunnel-group Home general-attributes
 address-pool VPN-Pool2
 default-group-policy Home
tunnel-group Home ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1df0eb0de4897d309b4ebc32d2854a0c
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
Author Comment by cwelectric, ID: 24757772
Anyone?
Expert Comment by lrmoore, ID: 24759656
Sorry about the delay..

>ip local pool VPN-Pool2 192.168.1.125-192.168.1.130 mask 255.255.255.0
Make the ip address pool different from the local LAN...

   ip local pool VPN-Pool3 192.168.11.125-192.168.11.130 mask 255.255.255.0
Then create a nat-bypass access list and apply it:

   access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
   nat (inside) 0 access-list NONAT
  tunnel-group Home general-attributes
    address-pool VPN-Pool3

Then add these lines
   crypto isakmp nat-traversal 25
   crypto isakmp identity address

Also, since you are using 192.168.1.x inside the ASA, make sure that your home LAN is not also 192.168.1.x..

BTW, get rid of this line:
 >access-group inside_access_in in interface inside
  no access-group inside_access_in in interface inside

Author Comment by cwelectric, ID: 24763315
I'm not trying to dispute your post and I will certainly try, but why does the VPN pool have to be on a different subnet entirely? Every other VPN device I've ever worked with (including the Cisco PIX) was fine with allocating a block of IP addresses from the LAN subnet for VPN use.

Shouldn't the VPN pretty much work by default? That's what I'm not understanding here. I've used the ASA 5505 in the past to set up VPNs and they worked right out of the box, after completing the wizard and going through the same steps I'm going through now.

Like I said, I will certainly try what you posted, as I can always reset the ASA if needed.

By the way, I've seen this line referenced a lot with this particular issue and I actually tried applying it last night, to no avail. " crypto isakmp nat-traversal 25". What does the 25 after the statement indicate?
Expert Comment by lrmoore, ID: 24763669
Easy one first..
>What does the 25 after the statement indicate
25-second timeout. The default is 20 seconds. Often the default commands do not show up in the config at all, so changing the default from 20 to 25 is such a minor change, but should make it show up in the config so we can see that it is in fact there.

The VPN ip address pool does not "have" to be a different IP subnet. It is best practice and it is highly recommended. All of the documented, TAC written Cisco examples use a separate subnet. Yes, it usually works with a sub-set of the internal LAN, but then you have to worry about overlaps internally, dhcp scopes, etc.
Using a different subnet also makes the access-lists make sense. You need the nat0 acl, and typically will use a split-tunnel acl.
Using a range of the same internal subnet also requires enabling proxyarp on the inside interface of the firewall. This alone can cause some unusual network behavior for the LAN. Disabling proxyarp on the inside interface is best practice, especially with fairly large networks.

Yes, the VPN should work with simply a few mouse clicks with the VPN wizard. However, you may not have checked the box to bypass NAT for this traffic (NONAT acl applied to nat0) and therefore you cannot communicate between the local LAN and the client.
Author Comment by cwelectric, ID: 24765617
I appreciate the detailed explanation of everything, it all makes sense. I wasn't aware that the "official" recommendation from Cisco was to use a different subnet, then route between the subnets, but it makes sense.

I'll try those config changes when I get home and post back with the results. Thanks for the help, I'm really wanting to get this issue solved so I can remote into my lab equipment!
Author Comment by cwelectric, ID: 24769284
I tried sending all of those commands to the ASA and changed around the DHCP pool to the new pool, confirmed that I got an IP address from the pool, but still was unable to ping anything on the LAN, including the default gateway acquired via DHCP.
Expert Comment by lrmoore, ID: 24772045
Can you post your new config?
Author Comment by cwelectric, ID: 24775071
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list Home2_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN-Pool2 192.168.1.125-192.168.1.130 mask 255.255.255.0
ip local pool VPN-Pool3 192.168.11.125-192.168.11.130 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.1.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  25
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.50-192.168.1.100 inside
dhcpd enable inside
!

group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value VPN-Pool2
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy Home internal
group-policy Home attributes
 vpn-tunnel-protocol IPSec
group-policy Home2 internal
group-policy Home2 attributes
 dns-server value 68.87.68.166 68.87.74.166
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Home2_splitTunnelAcl
username xxxx password yGJT5lXsKVS8LE9b encrypted privilege 0
username xxxx attributes
 vpn-group-policy Home
tunnel-group Home type ipsec-ra
tunnel-group Home general-attributes
 address-pool VPN-Pool2
 default-group-policy Home
tunnel-group Home ipsec-attributes
 pre-shared-key *
tunnel-group Home2 type ipsec-ra
tunnel-group Home2 general-attributes
 address-pool VPN-Pool2
 default-group-policy Home2
tunnel-group Home2 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:33d71a82b4637013a7f21f1ac24d2027
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
Expert Comment by lrmoore, ID: 24776877
>split-tunnel-network-list value Home2_splitTunnelAcl
Change the access-list from:
 >access-list Home2_splitTunnelAcl standard permit any
to
  access-list Home2_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

Somewhere in the default group policy there is a checkbox to re-enable udp. You can also try enabling TCP over port 10000 and checking that box in the client connections tab.
 >  ipsec-udp disable
 >  ipsec-udp-port 10000

What is the LAN IP address of your VPN client when you are connecting to this ASA?
Author Comment by cwelectric, ID: 24831264
So I went ahead and reset my ASA to factory defaults, then tried going through the VPN wizard again, just in case. Again, the same issue. I am able to connect and get an IP address from my phone and laptop on another network, but unable to access the internet and unable to ping any hosts or even the ASA itself.

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list CiscoHome_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.1.48 255.255.255.248
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN-DHCP 192.168.1.51-192.168.1.55 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.25-192.168.1.50 inside
dhcpd enable inside
!

group-policy CiscoHome internal
group-policy CiscoHome attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CiscoHome_splitTunnelAcl
username xxxx password yGJT5lXsKVS8LE9b encrypted privilege 0
username xxxx attributes
 vpn-group-policy CiscoHome
tunnel-group CiscoHome type ipsec-ra
tunnel-group CiscoHome general-attributes
 address-pool VPN-DHCP
 default-group-policy CiscoHome
tunnel-group CiscoHome ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0c70d807c312b6cbef334f082c2b0743
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
Author Comment by cwelectric, ID: 24831381
For what it's worth, I've been playing around some more. I initiated a VPN connection to the ASA from my laptop, then monitored the syslog on my desktop. I can see my client connecting and being assigned an IP address.

6      Jul 11 2009      08:41:13      713228                   Group = CiscoHome, Username = xxxx, IP = 141.153.58.143, Assigned private IP address 192.168.1.52 to remote user

When I try to ping the ASA, I see the following entries.

6      Jul 11 2009      08:41:33      302020      192.168.1.52      192.168.1.1       Built inbound ICMP connection for faddr 192.168.1.52/1024 gaddr 192.168.1.1/0 laddr 192.168.1.1/0 (xxxx)

6      Jul 11 2009      08:41:35      302021      192.168.1.52      192.168.1.1       Teardown ICMP connection for faddr 192.168.1.52/1024 gaddr 192.168.1.1/0 laddr 192.168.1.1/0 (xxxx)

So I mean, I can tell my pings are getting to the ASA, it just looks like the ASA is ignoring my traffic?


Also, here's a couple entries from when I am connected via VPN and try to access the ASA. It's basically the same entries over and over.

6      Jul 11 2009      08:49:20      302013      192.168.1.52      192.168.1.1       Built inbound TCP connection 8233 for outside:192.168.1.52/25231 (192.168.1.52/25231) to NP Identity Ifc:192.168.1.1/443 (192.168.1.1/443) (xxxx)

6      Jul 11 2009      08:49:20      302014      192.168.1.52      192.168.1.1       Teardown TCP connection 8233 for outside:192.168.1.52/25231 to NP Identity Ifc:192.168.1.1/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept (xxxx)
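Added example, not the author's code: the entries above are ASDM log-viewer export lines, and the useful way to read them is to pair each build with its teardown and to separate flows that terminate on the ASA itself (the `NP Identity Ifc` in 302013/302014, or an ICMP `gaddr` equal to an interface address) from flows that pass through it. The script below parses the column layout as posted (severity, date, time, message ID, an optional source and destination pair, message text); the sample input is the author's five lines with the tab-separated columns collapsed to spaces, and `box_ips` is a parameter the reader fills with the ASA's own interface addresses.

```python
"""Added example, not the author's code: triage ASDM log-viewer export lines like the ones posted above."""
import re

# One export line: severity, date, time, message id, optional src/dst columns, message text.
LINE = re.compile(
    r"^(?P<sev>\d)\s+(?P<date>\w{3} \d{1,2} \d{4})\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<id>\d{6})\s+"
    r"(?:(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+)?(?P<text>.*)$")

def parse_line(line):
    """Return a dict for one export line, or None if the line is not in that format."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    c = re.search(r"TCP connection (\d+)", rec["text"])   # 302013/302014 carry a connection id
    rec["conn"] = c.group(1) if c else None
    b = re.search(r"bytes (\d+)\s*(.*?)\s*\(", rec["text"])  # 302014: byte count and teardown reason
    rec["bytes"] = int(b.group(1)) if b else None
    rec["reason"] = b.group(2) if b else ""
    return rec

def triage(lines, box_ips):
    """List address assignments (713228) and every flow whose destination is one of
    the ASA's own interface addresses (box_ips), pairing TCP builds with teardowns."""
    recs = [r for r in map(parse_line, lines) if r]
    ends = {r["conn"]: r for r in recs if r["id"] == "302014"}
    out = []
    for r in recs:
        if r["id"] == "713228":
            a = re.search(r"Username = (\S+), IP = (\S+), Assigned private IP address (\S+)", r["text"])
            if a:
                out.append(f"{r['time']} user {a.group(1)} at {a.group(2)} was assigned {a.group(3)}")
        elif r["id"] == "302013" and r["dst"] in box_ips:
            e = ends.get(r["conn"])
            how = f"closed after {e['bytes']} bytes: {e['reason']}" if e else "no teardown seen"
            out.append(f"{r['time']} TCP {r['src']} -> ASA {r['dst']} (conn {r['conn']}) {how}")
        elif r["id"] == "302020" and r["dst"] in box_ips:
            out.append(f"{r['time']} ICMP {r['src']} -> ASA {r['dst']} (to-the-box)")
    return out

# Sample input: the five lines from the post above, with the tab-separated columns collapsed to spaces.
SAMPLE = """
6  Jul 11 2009  08:41:13  713228  Group = CiscoHome, Username = xxxx, IP = 141.153.58.143, Assigned private IP address 192.168.1.52 to remote user
6  Jul 11 2009  08:41:33  302020  192.168.1.52  192.168.1.1  Built inbound ICMP connection for faddr 192.168.1.52/1024 gaddr 192.168.1.1/0 laddr 192.168.1.1/0 (xxxx)
6  Jul 11 2009  08:41:35  302021  192.168.1.52  192.168.1.1  Teardown ICMP connection for faddr 192.168.1.52/1024 gaddr 192.168.1.1/0 laddr 192.168.1.1/0 (xxxx)
6  Jul 11 2009  08:49:20  302013  192.168.1.52  192.168.1.1  Built inbound TCP connection 8233 for outside:192.168.1.52/25231 (192.168.1.52/25231) to NP Identity Ifc:192.168.1.1/443 (192.168.1.1/443) (xxxx)
6  Jul 11 2009  08:49:20  302014  192.168.1.52  192.168.1.1  Teardown TCP connection 8233 for outside:192.168.1.52/25231 to NP Identity Ifc:192.168.1.1/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept (xxxx)
""".strip().splitlines()

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE, box_ips={"192.168.1.1"})))
```

On these lines the signature to look for is a TCP flow to the ASA's inside address that closes with 0 bytes and `Flow terminated by TCP Intercept`: the packets are reaching the firewall over the tunnel, but the box itself is refusing them, which is what the accepted solution that follows addresses.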
Accepted Solution by lrmoore (earned 500 total points), ID: 24832044
If you are trying to access the inside IP of the ASA through the VPN tunnel, you have to first designate the inside for management-access
 management-access inside

Now you can access the inside IP with ASDM over the VPN
Author Comment by cwelectric, ID: 24832617
It actually appears to be working now. In all honesty, it may have been working before. This entire time, I haven't been trying to access any actual hosts on the network. I can manage the ASA and get a ping response from an inside host, as well as RDP into a machine.

However, I still can't access the internet when connected to the VPN. Any idea what I can do to fix this?
Expert Comment by lrmoore, ID: 24835474
>split-tunnel-network-list value CiscoHome_splitTunnelAcl
Change the acl from "any" to the inside LAN only


no access-list CiscoHome_splitTunnelAcl
access-list CiscoHome_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
Author Comment by cwelectric, ID: 24836682
I don't mean to keep dragging this out and it will be the last question I have. If I assign an IP address to an interface and put it in a different subnet, how can I set up the ASA to allow me to pass all traffic between the two? I've tried putting a firewall rule in place, but that didn't work.
Expert Comment by lrmoore, ID: 24836925
All you should need is that subnet added to the split-tunnel acl and to the nat0 acl

Example:
interface Vlan3
 nameif DMZ
 security-level 70
 ip address 192.168.100.1 255.255.255.0
!
access-list CiscoHome_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.1.48 255.255.255.248
nat (DMZ) 0 access-list DMZ_nat0_outbound
Author Closing Comment by cwelectric, ID: 31597756
You were an extreme help with this issue. Thanks a ton!
Author Comment by cwelectric, ID: 24845206
Is there any way you could help me get this last issue resolved?

I applied this command, but still can't ping between the two interface IPs.

access-list CiscoHome_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list lab_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.48 255.255.255.248
nat (lab) 0 access-list lab_nat0_outbound
Author Comment by cwelectric, ID: 24845208
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan12
 nameif lab
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list CiscoHome_splitTunnelAcl standard permit any
access-list CiscoHome_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.48 255.255.255.248
access-list lab_access_in extended permit ip any any
access-list inside_access_in extended permit ip 192.168.2.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list lab_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.48 255.255.255.248
pager lines 24
logging enable
logging asdm-buffer-size 500
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu lab 1500
ip local pool VPN-DHCP 192.168.1.51-192.168.1.55 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface lab
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (lab) 0 access-list lab_nat0_outbound
access-group inside_access_in in interface inside
access-group lab_access_in in interface lab
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.25-192.168.1.50 inside
dhcpd enable inside
!

group-policy CiscoHome internal
group-policy CiscoHome attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CiscoHome_splitTunnelAcl
username jcoyan password yGJT5lXsKVS8LE9b encrypted privilege 0
username jcoyan attributes
 vpn-group-policy CiscoHome
tunnel-group CiscoHome type ipsec-ra
tunnel-group CiscoHome general-attributes
 address-pool VPN-DHCP
 default-group-policy CiscoHome
tunnel-group CiscoHome ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fa0f83659b8ce17b1935f8b5f5e894f3
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
Expert Comment by lrmoore, ID: 24845294
How about if you post a related question? That way we can keep the issues separated in the solutions database.
Thanks!
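The fixes given in this thread (a `nat (ifc) 0` exemption on each inside interface that covers the client pool, a split-tunnel list that names only the inside networks rather than `any`, and a pool that does not collide with the LAN's DHCP scope) can all be checked mechanically against a `show running-config` dump. The checker below is an added example, not code from the thread or from Cisco. It parses only the ASA 7.2 lines that occur in the configs posted above (`interface` blocks with `nameif`, `security-level` and `ip address`; `ip local pool`; `dhcpd address`; `access-list ... extended permit ip` and `standard permit`; `nat (ifc) 0 access-list`; and the `group-policy ... attributes` and `tunnel-group ... general-attributes` blocks). `host` operands, object-groups and the 8.3+ NAT syntax are not handled. The sample config is constructed to mirror the last one posted (inside and lab VLANs). It also checks one thing the thread does not mention: that config has inside and lab both at security-level 100 and no `same-security-traffic permit inter-interface`, and the ASA does not forward traffic between interfaces of equal security level unless that command is present.

```python
"""Added example, not code from the thread or from Cisco: static checks for an ASA 7.x remote-access VPN config."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

def _operand(tokens):
    """Consume one ACE address operand ('any' or 'ADDR MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]
# Indented lines worth keeping, per block type: (regex, key, converter).
SUB = {"interface": [(r"nameif (\S+)", "name", str), (r"security-level (\d+)", "sec", int),
                     (r"ip address ([\d.]+) ([\d.]+)$", "net", lambda a, m: ipaddress.ip_network(f"{a}/{m}", strict=False))],
       "group-policy": [(r"split-tunnel-policy (\S+)", "policy", str), (r"split-tunnel-network-list value (\S+)", "list", str)],
       "tunnel-group": [(r"address-pool (\S+)", "pool", str), (r"default-group-policy (\S+)", "gp", str)]}

def parse_asa(text):
    """Pull the pieces the checks need out of a 'show running-config' dump."""
    cfg = dict({k: {} for k in ("interface", "group-policy", "tunnel-group", "pools", "dhcp", "acl", "nat0")}, same_sec=False)
    ctx = None  # (block type, block name) while inside an indented block
    for raw in text.splitlines():
        s = raw.strip()
        if raw.startswith(" ") and ctx:
            for pat, key, conv in SUB[ctx[0]]:
                if m := re.match(pat, s):
                    cfg[ctx[0]][ctx[1]][key] = conv(*m.groups())
            continue
        ctx = None
        if m := re.match(r"(interface|group-policy|tunnel-group) (\S+)(?: attributes| general-attributes)?$", s):
            ctx = (m.group(1), m.group(2)); cfg[ctx[0]][ctx[1]] = {}
        elif m := re.match(r"ip local pool (\S+) ([\d.]+)-([\d.]+)", s):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"dhcpd address ([\d.]+)-([\d.]+) (\S+)", s):
            cfg["dhcp"][m.group(3)] = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", s):
            src, rest = _operand(m.group(2).split())
            cfg["acl"].setdefault(m.group(1), []).append((src, _operand(rest)[0]))
        elif m := re.match(r"access-list (\S+) standard permit (.+)", s):
            cfg["acl"].setdefault(m.group(1), []).append((ANY, _operand(m.group(2).split())[0]))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", s):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif s == "same-security-traffic permit inter-interface":
            cfg["same_sec"] = True
    return cfg

def check(cfg):
    """Return 'warn ...' / 'error ...' strings for every tunnel-group that has an address pool."""
    out = []
    lans = [i for i in cfg["interface"].values() if "net" in i and i.get("sec", 0) > 0]
    for tg, t in cfg["tunnel-group"].items():
        if t.get("pool") not in cfg["pools"]:
            continue
        lo, hi = cfg["pools"][t["pool"]]
        for i in lans:
            name, net = i["name"], i["net"]
            if lo in net or hi in net:  # works via proxy ARP, but the answers above recommend a separate subnet
                out.append(f"warn {tg}: pool {lo}-{hi} overlaps {name} {net}; a separate subnet is recommended")
            d = cfg["dhcp"].get(name)
            if d and lo <= d[1] and hi >= d[0]:
                out.append(f"error {tg}: pool {lo}-{hi} collides with {name} DHCP scope {d[0]}-{d[1]}")
            aces = cfg["acl"].get(cfg["nat0"].get(name), [])  # nat (ifc) 0 exemption must cover LAN -> pool
            if not any(src.overlaps(net) and lo in dst and hi in dst for src, dst in aces):
                out.append(f"error {tg}: no nat ({name}) 0 access-list exempts {net} -> {lo}-{hi} from NAT")
        gp = cfg["group-policy"].get(t.get("gp"), {})
        if gp.get("policy") == "tunnelspecified" and any(dst == ANY for _, dst in cfg["acl"].get(gp.get("list"), [])):
            out.append(f"warn {tg}: split-tunnel list {gp['list']} permits any, so internet traffic is tunnelled too")
    dupes = [i["name"] for i in lans if sum(j["sec"] == i["sec"] for j in lans) > 1]
    if dupes and not cfg["same_sec"]:
        out.append(f"error {'/'.join(dupes)} share a security-level but same-security-traffic permit inter-interface is not set")
    return out

# Constructed sample modelled on the last config posted in the thread (inside and lab VLANs).
SAMPLE = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan12
 nameif lab
 security-level 100
 ip address 192.168.2.1 255.255.255.0
access-list CiscoHome_splitTunnelAcl standard permit any
access-list CiscoHome_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.48 255.255.255.248
access-list lab_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.48 255.255.255.248
ip local pool VPN-DHCP 192.168.1.51-192.168.1.55 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (lab) 0 access-list lab_nat0_outbound
dhcpd address 192.168.1.25-192.168.1.50 inside
group-policy CiscoHome attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CiscoHome_splitTunnelAcl
tunnel-group CiscoHome general-attributes
 address-pool VPN-DHCP
 default-group-policy CiscoHome
"""
if __name__ == "__main__":
    print("\n".join(check(parse_asa(SAMPLE))))
```

Run against the sample it reports the pool overlapping the inside LAN, the `permit any` split-tunnel list, and the two interfaces sharing security-level 100. Two things in that last posted config that a line-by-line checker cannot see: `management-access` can be set on only one interface, so 192.168.2.1 will not answer through the tunnel the way 192.168.1.1 does after `management-access inside`; and Ethernet0/7 is placed in VLAN 3 while the lab interface is Vlan12, so no switch port is actually a member of the lab VLAN.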