Solved

Cisco ASA 5505 remote access VPN connects but won't ping

Posted on 2009-07-01
16
554 Views
Last Modified: 2012-05-07
I posted for help a couple of days ago and the help was awesome; the site-to-site VPN is set up and works perfectly.

Now I'm looking to set up remote access. I am probably just missing something simple.

I appreciate your help in assisting me.
Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(2)
!
hostname officeasa5505
domain-name vancesmithmd.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 192.168.15.0 VPNPool
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.5 255.255.255.0
!
interface Vlan2
 mac-address 0022.6b6d.8e0f
 nameif outside
 security-level 0
 ip address x.x.x.25 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.9
 domain-name vancesmithmd.local
object-group service rdp tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list l2l_list extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list l2l_list extended permit ip 192.168.0.0 255.255.255.0 VPNPool 255.255.255.0
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in remark VPN RA & site to site
access-list outside_access_in extended permit esp any 75.145.237.24 255.255.255.252
access-list outside_access_in remark VPN RA, site-to-site
access-list outside_access_in extended permit udp any 75.145.237.24 255.255.255.252 eq isakmp
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 object-group rdp
access-list outside_access_in remark Incoming mail serer smtp on ex
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 eq smtp
access-list outside_access_in remark Company portal site on EX
access-list outside_access_in extended permit object-group TCPUDP any 75.145.237.24 255.255.255.252 eq www
access-list outside_access_in remark Exchange OWA on EX
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 eq https
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit icmp any any echo-reply
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 VPNPool 255.255.255.0
access-list vancevpnclient_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 192.168.15.5-192.168.15.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.0.9 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.0.9 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.0.9 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.9 https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.145.237.26 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 network-acl nonat
aaa-server ldap protocol ldap
aaa-server ldap host 192.168.0.9
 ldap-base-dn cn=users,dc=ex,dc=vancesmithmd,dc=local
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *
 ldap-login-dn cn=administrator,cn=users,ou=people,dc=ex,dc=vancesmithmd,dc=local
 server-type microsoft
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map abcmap 2 match address l2l_list
crypto map abcmap 2 set peer x.x.x.17
crypto map abcmap 2 set transform-set ESP-3DES-SHA
crypto map abcmap 2 set phase1-mode aggressive
crypto map abcmap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.9
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 192.168.0.100-192.168.0.131 inside
dhcpd dns 192.168.0.9 interface inside
dhcpd wins 192.168.0.9 interface inside
dhcpd domain vancesmithmd.local interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 64.90.182.55 source outside
ntp server 208.66.175.36 source outside prefer
group-policy vancevpnclient internal
group-policy vancevpnclient attributes
 wins-server value 192.168.0.9
 dns-server value 192.168.0.9
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vancevpnclient_splitTunnelAcl
group-policy ldapgp external server-group ldap
username admin password 8ygkQIM8NP8kwEXT encrypted privilege 15
username vancevpnclient password 5CzbTT1pdB2jQCuZ encrypted privilege 0
username vancevpnclient attributes
 vpn-group-policy vancevpnclient
tunnel-group vancevpnclient type remote-access
tunnel-group vancevpnclient general-attributes
 address-pool VPNpool
 authentication-server-group ldap LOCAL
 default-group-policy vancevpnclient
tunnel-group vancevpnclient ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.17 type ipsec-l2l
tunnel-group x.x.x.17 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:e27ce274cb07ed41adc164fa7f379cd0
: end

0
Question by:SasDev
16 Comments
 
LVL 13

Expert Comment

by:3nerds
What are you attempting to ping?

3nerds
0
 
LVL 1

Author Comment

by:SasDev
A local server, which is 192.168.0.9, and I've tried pinging 192.168.1.1, which is across the site-to-site VPN.
0
 
LVL 13

Expert Comment

by:3nerds
Did you create this VPN through the wizard?

When you added this line to the ACL, did you get an error of any kind?

access-list nonat extended permit ip 192.168.0.0 255.255.255.0 VPNPool 255.255.255.0

Sometimes you have to do a:

no nat (inside) 0 access-list nonat

nat (inside) 0 access-list nonat

or just reboot the ASA to get the no-nat rules to apply.

The rest looks good.

Regards,

3nerds
0
 
LVL 1

Author Comment

by:SasDev
Yes, I created this through the wizard. I do not recall if I got an error on creating the VPN pool.

I tried both of your suggestions; neither allowed me to ping either side.
0
 
LVL 13

Expert Comment

by:3nerds
OK, going to step back for a second.

What is the IP address of your PC that is connecting to the VPN?
What IP address are you getting when you connect to the VPN?
What does the Cisco VPN client show for routes when connected to the VPN?

Also the simple things...
The server/PC you are pinging on the 192.168.0.0 network is not firewalled or anything like that?

The reason for all this is your config looks good to me!


Regards,

3nerds



0
 
LVL 1

Author Comment

by:SasDev
My PC is on a 10.2.x.x network.
DHCP VPN pool: 192.168.15.x

From the VPN client:
Local LAN Routes: blank
Secured Routes: 192.168.0.0 255.255.255.0
0
 
LVL 1

Author Comment

by:SasDev
Additional info:

The server doesn't have a software firewall, just the ASA.
My PC's firewall is disabled.

Thank you for your help!
0
 
LVL 13

Expert Comment

by:3nerds
DHCP VPN pool: 192.168.15.x --> I saw in your config that that is the pool; I was looking for the actual address you are pulling. If you don't want to post it that is fine, please just confirm it is in the range 192.168.15.5-50.


Going to dump your config in my 5510 and will let you know how it goes.

3nerds
0
 
LVL 1

Author Comment

by:SasDev
I'm getting 192.168.15.5 as an ip address.
0
 
LVL 13

Expert Comment

by:3nerds
Do this:

no access-list l2l_list extended permit ip 192.168.0.0 255.255.255.0 VPNPool 255.255.255.0

This will fix the problem.

Regards,

3nerds
0
 
LVL 13

Expert Comment

by:3nerds
The only other thing I did to get it to work was:

sysopt connection permit-vpn

But I did this before I removed the ACL; it may already be in your config. I typed the line again to make sure.

Also, you will need to add the following if you want to be able to get to the 192.168.1.0 network:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Add the additional NO_NAT statements for that connection along with your additional split-tunnel rules.

This will be helpful to you going forward.

Good Luck,

3nerds
0
 
LVL 1

Author Comment

by:SasDev
I applied your suggestions and I seem to get the same result; here is my latest config.
Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(2)
!
hostname officeasa5505
domain-name vancesmithmd.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 192.168.15.0 VPNPool
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.5 255.255.255.0
!
interface Vlan2
 mac-address 0022.6b6d.8e0f
 nameif outside
 security-level 0
 ip address x.x.x.25 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.168.0.9
 domain-name vancesmithmd.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service rdp tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list l2l_list extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in remark VPN RA & site to site
access-list outside_access_in extended permit esp any 75.145.237.24 255.255.255.252
access-list outside_access_in remark VPN RA, site-to-site
access-list outside_access_in extended permit udp any 75.145.237.24 255.255.255.252 eq isakmp
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 object-group rdp
access-list outside_access_in remark Incoming mail serer smtp on ex
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 eq smtp
access-list outside_access_in remark Company portal site on EX
access-list outside_access_in extended permit object-group TCPUDP any 75.145.237.24 255.255.255.252 eq www
access-list outside_access_in remark Exchange OWA on EX
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 eq https
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit icmp any any echo-reply
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 VPNPool 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 VPNPool 255.255.255.0
access-list vancevpnclient_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list vancevpnclient_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNpool 192.168.15.5-192.168.15.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 192.168.0.9 3389 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.0.9 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.0.9 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.9 https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.145.237.26 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 network-acl nonat
aaa-server ldap protocol ldap
aaa-server ldap host 192.168.0.9
 ldap-base-dn cn=users,dc=ex,dc=vancesmithmd,dc=local
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *
 ldap-login-dn cn=administrator,cn=users,ou=people,dc=ex,dc=vancesmithmd,dc=local
 server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map abcmap 2 match address l2l_list
crypto map abcmap 2 set peer 68.61.220.17
crypto map abcmap 2 set transform-set ESP-3DES-SHA
crypto map abcmap 2 set phase1-mode aggressive
crypto map abcmap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.9
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 192.168.0.100-192.168.0.131 inside
dhcpd dns 192.168.0.9 interface inside
dhcpd wins 192.168.0.9 interface inside
dhcpd domain vancesmithmd.local interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 64.90.182.55 source outside
ntp server 208.66.175.36 source outside prefer
group-policy vancevpnclient internal
group-policy vancevpnclient attributes
 wins-server value 192.168.0.9
 dns-server value 192.168.0.9
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vancevpnclient_splitTunnelAcl
group-policy ldapgp external server-group ldap
username admin password 8ygkQIM8NP8kwEXT encrypted privilege 15
username vancevpnclient password 5CzbTT1pdB2jQCuZ encrypted privilege 0
username vancevpnclient attributes
 vpn-group-policy vancevpnclient
tunnel-group vancevpnclient type remote-access
tunnel-group vancevpnclient general-attributes
 address-pool VPNpool
 authentication-server-group ldap LOCAL
 default-group-policy vancevpnclient
tunnel-group vancevpnclient ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.17 type ipsec-l2l
tunnel-group x.x.x.17 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:211ebc7c6e6ff24e3356c8d5a1eb19ee
: end

0
 
LVL 13

Accepted Solution

by: 3nerds (earned 500 total points)
No time to look it over right now. Here is my working config. Working meaning from the VPN client I can ping a PC in your DHCP range that happened to be 192.168.0.100. Also, if you log into the ASDM and look at the log messages, they will help you greatly.

: Saved
:
ASA Version 8.0(3)
!
hostname officeasa5505
domain-name vancesmithmd.local
enable password 94oQsPrcgLhOEFMu encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 75.145.237.25 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.5 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 94oQsPrcgLhOEFMu encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.0.9
 domain-name vancesmithmd.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service rdp tcp
 port-object eq 3389
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list l2l_list extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in remark VPN RA & site to site
access-list outside_access_in extended permit esp any 75.145.237.24 255.255.255.252
access-list outside_access_in remark VPN RA, site-to-site
access-list outside_access_in extended permit udp any 75.145.237.24 255.255.255.252 eq isakmp
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 object-group rdp
access-list outside_access_in remark Incoming mail serer smtp on ex
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 eq smtp
access-list outside_access_in remark Company portal site on EX
access-list outside_access_in extended permit object-group TCPUDP any 75.145.237.24 255.255.255.252 eq www
access-list outside_access_in remark Exchange OWA on EX
access-list outside_access_in extended permit tcp any 75.145.237.24 255.255.255.252 eq https
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside_access_in remark VPN RA & site to site
access-list outside_access_in remark VPN RA, site-to-site
access-list outside_access_in remark Incoming mail serer smtp on ex
access-list outside_access_in remark Company portal site on EX
access-list outside_access_in remark Exchange OWA on EX
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit icmp any any echo-reply
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0
access-list nonat extended permit ip any 192.168.15.0 255.255.255.192
access-list nonat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vancevpnclient_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list newclientvpn_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPNpool 192.168.15.5-192.168.15.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 75.145.237.26 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 network-acl nonat
aaa-server ldap protocol ldap
aaa-server ldap host 192.168.0.9
 ldap-base-dn cn=users,dc=ex,dc=vancesmithmd,dc=local
 ldap-scope subtree
 ldap-naming-attribute cn
 ldap-login-password *
 ldap-login-dn cn=administrator,cn=users,ou=people,dc=ex,dc=vancesmithmd,dc=local
 server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map abcmap 2 match address l2l_list
crypto map abcmap 2 set peer 1.1.1.17
crypto map abcmap 2 set transform-set ESP-3DES-SHA
crypto map abcmap 2 set phase1-mode aggressive
crypto map abcmap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 192.168.0.9
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 192.168.0.100-192.168.0.131 inside
dhcpd dns 192.168.0.9 interface inside
dhcpd wins 192.168.0.9 interface inside
dhcpd domain vancesmithmd.local interface inside
dhcpd update dns both interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
ntp server 64.90.182.55 source outside
ntp server 208.66.175.36 source outside prefer
ssl encryption rc4-sha1
group-policy vancevpnclient internal
group-policy vancevpnclient attributes
 wins-server value 192.168.0.9
 dns-server value 192.168.0.9
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vancevpnclient_splitTunnelAcl
username admin password 8ygkQIM8NP8kwEXT encrypted privilege 15
username vancevpnclient password 5CzbTT1pdB2jQCuZ encrypted privilege 0
username vancevpnclient attributes
 vpn-group-policy vancevpnclient
username wiretech password ..NfYJF6du5rfYf/ encrypted privilege 15
tunnel-group vancevpnclient type remote-access
tunnel-group vancevpnclient general-attributes
 address-pool VPNpool
 default-group-policy vancevpnclient
tunnel-group vancevpnclient ipsec-attributes
 pre-shared-key *
tunnel-group 1.1.1.17 type ipsec-l2l
tunnel-group 1.1.1.17 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Good Luck,

3nerds
0
 
LVL 13

Expert Comment

by:3nerds
One other thing!

You currently have this:
dynamic-access-policy-record DfltAccessPolicy
 network-acl nonat

Change it to this:
dynamic-access-policy-record DfltAccessPolicy
 network-acl inside_access_in

Sorry for any confusion.

Good Luck,

3nerds

0
 
LVL 1

Author Comment

by:SasDev
Perfect! I can ping the server now. Now it won't ping across to the other subnet, though. At first it didn't show up as a route in the Cisco VPN client, so I added 192.168.1.0 to the split tunnel, which did the trick. But I'm still not getting through. I know I'm close.

Thanks for all your help, it's greatly appreciated.
0
 
LVL 13

Expert Comment

by:3nerds
You have to add the proper no-nat statements to both ends.

Here is the best example I can find:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

You have inside to VPN:
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.15.0 255.255.255.0

You have VPN to the other location:
access-list nonat extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0

You need VPN to this location as well:
access-list nonat extended permit ip 192.168.15.0 255.255.255.0 192.168.0.0 255.255.255.0

Now you also have to duplicate this in reverse on the other end of your site-to-site VPN.
You are also going to have to tell the crypto map what is interesting traffic:
access-list l2l_list extended permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0

Read through the document I linked here; it is very good and explains exactly what you are doing. You are going to have to figure out the no-nats on the other end. Look for the heading "Add a Remote Access VPN to the Configuration".


Good Luck,

3nerds
0
