Solved

Cisco ASA 5505 remote access VPN connects but won't ping

Posted on 2009-07-01
16
559 Views
Last Modified: 2012-05-07
I posted for help a couple of days ago and the help was awesome for setting up the site-to-site VPN, and it works perfectly.

Now I'm looking to set up remote access. I am probably just missing something simple.

I appreciate your help in assisting me.
Result of the command: "show running-config"
: Saved
:
ASA Version 8.0(2)
!
hostname officeasa5505
domain-name vancesmithmd.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 192.168.15.0 VPNPool
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.5 255.255.255.0
!
interface Vlan2
 mac-address 0022.6b6d.8e0f
 nameif outside
 security-level 0
 ip address x.x.x.25 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.9
 domain-name vancesmithmd.local
object-group service rdp tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list l2l_list extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.0.0 255.255.255.0 VPNPool 255.255.255.0
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in remark VPN RA & site to site
access-list outside_access_in extended permit esp any 75.145.237.24 255.255.255.252
access-list outside_access_in remark VPN RA, site-to-site
access-list outside_access_in extended permit udp any 75.145.237.24 255.255.255.252 eq isakmp
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 object-group rdp
access-list outside_access_in remark Incoming mail serer smtp on ex
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 eq smtp
access-list outside_access_in remark Company portal site on EX
access-list outside_access_in extended permit object-group TCPUDP any 75.145.237.24 255.255.255.252 eq www
access-list outside_access_in remark Exchange OWA on EX
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 eq https
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit icmp any any echo-reply
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 VPNPool 255.255.255.0
access-list vancevpnclient_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 192.168.15.5-192.168.15.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.0.9 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.0.9 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.0.9 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.9 https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.145.237.26 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 network-acl nonat
aaa-server ldap protocol ldap
aaa-server ldap host 192.168.0.9
 ldap-base-dn cn=users,dc=ex,dc=vancesmithmd,dc=local
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *
 ldap-login-dn cn=administrator,cn=users,ou=people,dc=ex,dc=vancesmithmd,dc=local
 server-type microsoft
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map abcmap 2 match address l2l_list
crypto map abcmap 2 set peer x.x.x.17
crypto map abcmap 2 set transform-set ESP-3DES-SHA
crypto map abcmap 2 set phase1-mode aggressive
crypto map abcmap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.9
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 192.168.0.100-192.168.0.131 inside
dhcpd dns 192.168.0.9 interface inside
dhcpd wins 192.168.0.9 interface inside
dhcpd domain vancesmithmd.local interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 64.90.182.55 source outside
ntp server 208.66.175.36 source outside prefer
group-policy vancevpnclient internal
group-policy vancevpnclient attributes
 wins-server value 192.168.0.9
 dns-server value 192.168.0.9
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vancevpnclient_splitTunnelAcl
group-policy ldapgp external server-group ldap
username admin password 8ygkQIM8NP8kwEXT encrypted privilege 15
username vancevpnclient password 5CzbTT1pdB2jQCuZ encrypted privilege 0
username vancevpnclient attributes
 vpn-group-policy vancevpnclient
tunnel-group vancevpnclient type remote-access
tunnel-group vancevpnclient general-attributes
 address-pool VPNpool
 authentication-server-group ldap LOCAL
 default-group-policy vancevpnclient
tunnel-group vancevpnclient ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.17 type ipsec-l2l
tunnel-group x.x.x.17 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:e27ce274cb07ed41adc164fa7f379cd0
: end

Question by:SasDev
16 Comments
 
LVL 13

Expert Comment

by:3nerds
ID: 24754693
What are you attempting to ping?

3nerds
0
 
LVL 1

Author Comment

by:SasDev
ID: 24754840
A local server, which is 192.168.0.9, and I've tried pinging 192.168.1.1, which is across the site-to-site VPN.
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24755702
Did you create this VPN through the wizard?

When you added this line to the ACL, did you get an error of any kind?

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 VPNPool 255.255.255.0

Sometimes you have to do a:

no nat (inside) 0 access-list nonat

nat (inside) 0 access-list nonat

or just reboot the ASA to get the NO NAT rules to apply.

The rest looks good.

Regards,

3nerds
0
 
LVL 1

Author Comment

by:SasDev
ID: 24756047
Yes, I created this through the wizard. I do not recall whether I got an error on creating the VPN pool.

I tried both of your suggestions; neither allowed me to ping either side.
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24756430
OK, going to step back for a second.

The IP address of your PC that is connecting to the VPN is what?
The IP address you are getting when you connect to the VPN is what?
What do you show for routes in the Cisco VPN client when connected to the VPN?


Also the simple things...
The server/PC you are pinging on the 192.168.0.0 network is not firewalled or anything like that?

The reason for all this is your config looks good to me!


Regards,

3nerds



0
 
LVL 1

Author Comment

by:SasDev
ID: 24756472
My PC is on a 10.2.x.x network.
DHCP VPN pool: 192.168.15.x

From the VPN client:
Local LAN Routes: blank
Secured Routes: 192.168.0.0 255.255.255.0
0
 
LVL 1

Author Comment

by:SasDev
ID: 24756491
Additional info:

The server doesn't have a software firewall, just the ASA.
My PC's firewall is disabled.

Thank you for your help!
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24757125
dhcpvpnpool: 192.168.15.x --> I saw in your config that that is the pool; I was looking for the actual address you are pulling. If you don't want to post it that is fine; please just confirm it is in the range of 192.168.15.5-50.


Going to dump your config in my 5510 and will let you know how it goes.

3nerds
0
 
LVL 1

Author Comment

by:SasDev
ID: 24757471
I'm getting 192.168.15.5 as an IP address.
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24764122
Do this:

no access-list l2l_list extended permit ip 192.168.0.0 255.255.255.0 VPNPool 255.255.255.0

This will fix the problem.

Regards,

3nerds
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24764251
The only other thing I did to get it to work was to do:

sysopt connection permit-vpn

But I did this before I removed the ACL; it may already be in your config. I typed the line again to make sure.

Also you will need to add the following if you want to be able to get to the 192.168.1.0 network:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Add the additional NO_NAT statements for that connection along with your additional split-tunnel rules.

This will be helpful to you going forward.

Good Luck,

3nerds
0
 
LVL 1

Author Comment

by:SasDev
ID: 24764739
I applied your suggestions and I seem to get the same result; here is my latest config.
Result of the command: "show running-config"
: Saved
:
ASA Version 8.0(2) 
!
hostname officeasa5505
domain-name vancesmithmd.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 192.168.15.0 VPNPool
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.5 255.255.255.0 
!
interface Vlan2
 mac-address 0022.6b6d.8e0f
 nameif outside
 security-level 0
 ip address x.x.x.25 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.9
 domain-name vancesmithmd.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service rdp tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list l2l_list extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list outside_access_in extended permit icmp any any echo 
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside_access_in remark VPN RA & site to site
access-list outside_access_in extended permit esp any 75.145.237.24 255.255.255.252 
access-list outside_access_in remark VPN RA, site-to-site
access-list outside_access_in extended permit udp any 75.145.237.24 255.255.255.252 eq isakmp 
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 object-group rdp 
access-list outside_access_in remark Incoming mail serer smtp on ex
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 eq smtp 
access-list outside_access_in remark Company portal site on EX
access-list outside_access_in extended permit object-group TCPUDP any 75.145.237.24 255.255.255.252 eq www 
access-list outside_access_in remark Exchange OWA on EX
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 eq https 
access-list outside_access_in extended permit ip any any 
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 any 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit icmp any any echo 
access-list inside_access_in extended permit icmp any any echo-reply 
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 VPNPool 255.255.255.0 
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 VPNPool 255.255.255.0 
access-list vancevpnclient_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0 
access-list vancevpnclient_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 192.168.15.5-192.168.15.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.0.9 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface smtp 192.168.0.9 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface www 192.168.0.9 www netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.0.9 https netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.145.237.26 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 network-acl nonat
aaa-server ldap protocol ldap
aaa-server ldap host 192.168.0.9
 ldap-base-dn cn=users,dc=ex,dc=vancesmithmd,dc=local
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *
 ldap-login-dn cn=administrator,cn=users,ou=people,dc=ex,dc=vancesmithmd,dc=local
 server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map abcmap 2 match address l2l_list
crypto map abcmap 2 set peer 68.61.220.17 
crypto map abcmap 2 set transform-set ESP-3DES-SHA
crypto map abcmap 2 set phase1-mode aggressive 
crypto map abcmap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.9
dhcpd auto_config outside
dhcpd update dns both 
!
dhcpd address 192.168.0.100-192.168.0.131 inside
dhcpd dns 192.168.0.9 interface inside
dhcpd wins 192.168.0.9 interface inside
dhcpd domain vancesmithmd.local interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
ntp server 64.90.182.55 source outside
ntp server 208.66.175.36 source outside prefer
group-policy vancevpnclient internal
group-policy vancevpnclient attributes
 wins-server value 192.168.0.9
 dns-server value 192.168.0.9
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vancevpnclient_splitTunnelAcl
group-policy ldapgp external server-group ldap
username admin password 8ygkQIM8NP8kwEXT encrypted privilege 15
username vancevpnclient password 5CzbTT1pdB2jQCuZ encrypted privilege 0
username vancevpnclient attributes
 vpn-group-policy vancevpnclient
tunnel-group vancevpnclient type remote-access
tunnel-group vancevpnclient general-attributes
 address-pool VPNpool
 authentication-server-group ldap LOCAL
 default-group-policy vancevpnclient
tunnel-group vancevpnclient ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.17 type ipsec-l2l
tunnel-group x.x.x.17 ipsec-attributes
 pre-shared-key *
prompt hostname context 
Cryptochecksum:211ebc7c6e6ff24e3356c8d5a1eb19ee
: end

0
 
LVL 13

Accepted Solution

by:
3nerds earned 500 total points
ID: 24764794
No time to look it over right now. Here is my working config. Working meaning that from the VPN client I can ping a PC in your DHCP range, which happened to be 192.168.0.100. Also, if you log into the ASDM and look at the log messages, they will help you greatly.

: Saved
:
ASA Version 8.0(3)
!
hostname officeasa5505
domain-name vancesmithmd.local
enable password 94oQsPrcgLhOEFMu encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 75.145.237.25 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.5 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 94oQsPrcgLhOEFMu encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.0.9
 domain-name vancesmithmd.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service rdp tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list l2l_list extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in remark VPN RA & site to site
access-list outside_access_in extended permit esp any 75.145.237.24 255.255.255.252
access-list outside_access_in remark VPN RA, site-to-site
access-list outside_access_in extended permit udp any 75.145.237.24 255.255.255.252 eq isakmp
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 object-group rdp
access-list outside_access_in remark Incoming mail serer smtp on ex
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 eq smtp
access-list outside_access_in remark Company portal site on EX
access-list outside_access_in extended permit object-group TCPUDP any 75.145.237.24 255.255.255.252 eq www
access-list outside_access_in remark Exchange OWA on EX
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 eq https
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside_access_in remark VPN RA & site to site
access-list outside_access_in remark VPN RA, site-to-site
access-list outside_access_in remark Incoming mail serer smtp on ex
access-list outside_access_in remark Company portal site on EX
access-list outside_access_in remark Exchange OWA on EX
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit icmp any any echo-reply
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list nonat extended permit ip any 192.168.15.0 255.255.255.192
access-list nonat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vancevpnclient_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list newclientvpn_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNpool 192.168.15.5-192.168.15.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.145.237.26 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 network-acl nonat
aaa-server ldap protocol ldap
aaa-server ldap host 192.168.0.9
 ldap-base-dn cn=users,dc=ex,dc=vancesmithmd,dc=local
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *
 ldap-login-dn cn=administrator,cn=users,ou=people,dc=ex,dc=vancesmithmd,dc=local
 server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map abcmap 2 match address l2l_list
crypto map abcmap 2 set peer 1.1.1.17
crypto map abcmap 2 set transform-set ESP-3DES-SHA
crypto map abcmap 2 set phase1-mode aggressive
crypto map abcmap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 192.168.0.9
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 192.168.0.100-192.168.0.131 inside
dhcpd dns 192.168.0.9 interface inside
dhcpd wins 192.168.0.9 interface inside
dhcpd domain vancesmithmd.local interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
ntp server 64.90.182.55 source outside
ntp server 208.66.175.36 source outside prefer
ssl encryption rc4-sha1
group-policy vancevpnclient internal
group-policy vancevpnclient attributes
 wins-server value 192.168.0.9
 dns-server value 192.168.0.9
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vancevpnclient_splitTunnelAcl
username admin password 8ygkQIM8NP8kwEXT encrypted privilege 15
username vancevpnclient password 5CzbTT1pdB2jQCuZ encrypted privilege 0
username vancevpnclient attributes
 vpn-group-policy vancevpnclient
username wiretech password ..NfYJF6du5rfYf/ encrypted privilege 15
tunnel-group vancevpnclient type remote-access
tunnel-group vancevpnclient general-attributes
 address-pool VPNpool
 default-group-policy vancevpnclient
tunnel-group vancevpnclient ipsec-attributes
 pre-shared-key *
tunnel-group 1.1.1.17 type ipsec-l2l
tunnel-group 1.1.1.17 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Good Luck,

3nerds
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24767618
One other thing!

You currently have this:
dynamic-access-policy-record DfltAccessPolicy
 network-acl nonat

Change it to this:
dynamic-access-policy-record DfltAccessPolicy
 network-acl inside_access_in

Sorry for any confusion.

Good Luck,

3nerds

0
 
LVL 1

Author Comment

by:SasDev
ID: 24775699
Perfect! I can ping the server now. Now it won't ping across to the other subnet, though. At first it didn't show it as a route in the Cisco VPN client, so I added 192.168.1.0 to the split tunnel, which did the trick. But I'm still not getting through. I know I'm close.

Thanks for all your help, it's greatly appreciated.
0
 
LVL 13

Expert Comment

by:3nerds
ID: 24784650
You have to add the proper no nat statements to both ends.


Here is the best example I can find.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

You have the inside to VPN:
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0

You have vpn to other location:
access-list nonat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0

You need VPN to this location as well:
access-list nonat extended permit ip 192.168.15.0 255.255.255.0 192.168.0.0 255.255.255.0

Now you also have to duplicate this in reverse on the other end of your site-to-site VPN.
You are also going to have to tell the crypto map what is interesting traffic:
access-list l2l_list extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0

Read through the document I linked here; it is very good and explains exactly what you are doing. You are going to have to figure out the NO NATs on the other end. Look for this heading: "Add a Remote Access VPN to the Configuration".


Good Luck,

3nerds
0
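As an added example (not code from the thread, from Cisco, or from either poster), the following Python script applies the checks 3nerds walks through above to a running-config text: nat 0 exemption for the client pool in both directions, the static crypto-map ACL not naming the client pool as a destination, the hairpin permit, and split-tunnel routes for both subnets. The sample config is constructed to mirror the shape of the one posted (the VPNPool name alias, the nonat and l2l_list ACLs); the inside and remote subnets are passed in as assumptions.

```python
"""Audit an ASA 8.x running-config for the remote-access VPN plumbing the
thread turns on: nat 0 exemption, crypto-map ACL coverage, hairpinning and
split-tunnel routes for the client address pool. Constructed example."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample in the shape of the config posted in the thread: the
# VPNPool name alias, the nonat and l2l_list ACLs, the split-tunnel ACL and pool.
SAMPLE_CONFIG = """\
names
name 192.168.15.0 VPNPool
access-list l2l_list extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.0.0 255.255.255.0 VPNPool 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 VPNPool 255.255.255.0
access-list vancevpnclient_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
ip local pool VPNpool 192.168.15.5-192.168.15.50 mask 255.255.255.0
nat (inside) 0 access-list nonat
crypto map abcmap 2 match address l2l_list
group-policy vancevpnclient attributes
 split-tunnel-network-list value vancevpnclient_splitTunnelAcl
"""


def parse_names(cfg):
    """Map 'name <ip> <alias>' entries to alias -> ip."""
    return {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)", cfg, re.M)}


def _take_net(tokens, names):
    """Consume one ACL address operand: 'any', 'host X' or 'X MASK' (alias-aware)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        host = tokens.pop(0)
        return ipaddress.ip_network(names.get(host, host))
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{names.get(tok, tok)}/{mask}", strict=False)


def parse_extended_acl(cfg, acl, names):
    """(src, dst) network pairs from the 'extended permit ip' lines of an ACL."""
    pairs = []
    for line in cfg.splitlines():
        tokens = line.split()
        if tokens[:5] == ["access-list", acl, "extended", "permit", "ip"]:
            rest = tokens[5:]
            pairs.append((_take_net(rest, names), _take_net(rest, names)))
    return pairs


def parse_standard_acl(cfg, acl, names):
    """Networks permitted by a standard ACL (split-tunnel lists use these)."""
    nets = []
    for line in cfg.splitlines():
        tokens = line.split()
        if tokens[:4] == ["access-list", acl, "standard", "permit"]:
            nets.append(_take_net(tokens[4:], names))
    return nets


def parse_pool(cfg):
    """Network of the first 'ip local pool' (start address with the pool mask)."""
    m = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", cfg, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)


def covers(pairs, src, dst):
    """True when one ACL entry contains the entire src -> dst flow."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in pairs)


def audit(cfg, inside_cidr, remote_cidr):
    """Findings for client-pool reachability to the inside LAN and the L2L site."""
    names = parse_names(cfg)
    inside = ipaddress.ip_network(inside_cidr)
    remote = ipaddress.ip_network(remote_cidr)
    pool = parse_pool(cfg)
    findings = []
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    nonat = parse_extended_acl(cfg, m.group(1), names) if m else []
    for label, src, dst in (("inside->pool", inside, pool),
                            ("pool->inside", pool, inside),
                            ("pool->remote", pool, remote)):
        if not covers(nonat, src, dst):
            findings.append(f"nat0: no exemption for {label}")
    # Client-to-remote traffic enters and leaves the outside interface.
    if not re.search(r"^same-security-traffic permit intra-interface", cfg, re.M):
        findings.append("hairpin: same-security-traffic permit intra-interface missing")
    # Static crypto-map ACLs: an entry with the pool as destination steers inside
    # replies into the L2L peer, while pool->remote must be interesting traffic.
    for acl in re.findall(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M):
        l2l = parse_extended_acl(cfg, acl, names)
        if any(d.overlaps(pool) for _, d in l2l):
            findings.append(f"{acl}: entry with the client pool as destination")
        if not covers(l2l, pool, remote):
            findings.append(f"{acl}: no pool->remote entry")
    for acl in re.findall(r"^\s*split-tunnel-network-list value (\S+)", cfg, re.M):
        routes = parse_standard_acl(cfg, acl, names)
        for label, net in (("inside", inside), ("remote", remote)):
            if not any(net.subnet_of(r) for r in routes):
                findings.append(f"{acl}: no split-tunnel route for {label}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "192.168.0.0/24", "192.168.1.0/24"):
        print(finding)
```

Run it against a pasted `show running-config`; an empty result means the nat 0, crypto-map and split-tunnel pieces named in the thread are all in place on this end (the other end of the site-to-site tunnel still needs its own mirror rules).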
