Solved

Cisco ASA 5505 l2l connection problem, can only connect to 1 IP address

Posted on 2009-07-09
Last Modified: 2012-06-27
I have inherited a network with my new job.  I have 1 small main office 192.168.100.X and two branch offices 192.168.101.x and 102.x.  Right now both branches are able to connect to my SBS2003 server at the main location (192.168.100.10).  The main office is unable to ping, RDP to, or connect to shares at the branches.

We have just installed a new server in the main office that needs to be accessed from the branches.  I am now unable to ping, RDP to, or connect to shares on this new server, 192.168.100.50.

I have no experience with routers even though I am able to get around the CLI from working with switches.  Here are the running configs from the main office and 1 branch.  The branch configs are duplicates except for IPs.

Main office
MainASA5505(config)# show running-config
: Saved
:
ASA Version 7.2(3)
!
hostname MainASA5505
enable password xxxxxxxxxxxxx encrypted
names
name 192.168.100.0 InternalNet
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address OutsideIP.6 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXXXXXXXX encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp any any source-quench
access-list acl_out extended permit icmp any any unreachable
access-list acl_out extended permit icmp any any time-exceeded
access-list nonat extended permit ip InternalNet 255.255.255.0 172.17.3.0 255.255.255.0
access-list nonat extended permit ip InternalNet 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip InternalNet 255.255.255.0 192.168.102.0 255.255.255.0
access-list s_tunnel extended permit ip InternalNet 255.255.255.0 172.17.3.0 255.255.255.0
access-list s_tunnel extended permit tcp interface outside eq ssh 172.17.3.0 255.255.255.0
access-list l2l_Remote1 extended permit ip InternalNet 255.255.255.0 192.168.102.0 255.255.255.0
access-list l2l_Remote2 extended permit ip InternalNet 255.255.255.0 192.168.101.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.17.3.1-172.17.3.50
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 OutsideIP.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 444
http 192.168.1.0 255.255.255.0 inside
http 172.17.3.0 255.255.255.0 outside
snmp-server host outside xxx.xxx.xxx.xxx poll community XXXXXXXXXXXX
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-aes esp-sha-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 20 match address l2l_Remote1
crypto map mymap 20 set peer Remote1IP.194
crypto map mymap 20 set transform-set FirstSet
crypto map mymap 30 match address l2l_Remote2
crypto map mymap 30 set peer Remote2IP.200
crypto map mymap 30 set transform-set FirstSet
crypto map mymap 100 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  25
telnet timeout 5
ssh InternalNet 255.255.255.0 inside
ssh 172.17.3.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx
group-policy vpnclients internal
group-policy vpnclients attributes
 dns-server value 192.168.100.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value s_tunnel
 default-domain value xxxxxxxxxxxxxxxxx
username xxxxx password xxxxxxxxxxxxx encrypted privilege 15
tunnel-group vpnclients type ipsec-ra
tunnel-group vpnclients general-attributes
 address-pool vpnpool
 default-group-policy vpnclients
tunnel-group vpnclients ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group Remote1IP.194 type ipsec-l2l
tunnel-group Remote1IP.194 ipsec-attributes
 pre-shared-key *
tunnel-group Remote2IP.200 type ipsec-l2l
tunnel-group Remote2IP.200 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:5c6b472a7f960bcf332ba33fd3f0960b

Remote Config
remote1asa5505(config)# show run                            
: Saved      
:
ASA Version 7.2(4)                  
!
hostname remote1asa5505                    
enable password XXXXXXXXX encrypted                                          
passwd XXXXXXXXXX encrypted                                
names    
name 192.168.102.0 InternalNet                              
!
interface Vlan1              
 nameif inside              
 security-level 100                  
 ip address 192.168.102.1 255.255.255.0                                      
!
interface Vlan2              
 nameif outside              
 security-level 0                
 ip address IPaddress.194 255.255.255.0                                      
!
interface Ethernet0/0                    
 switchport access vlan 2                        
!
interface Ethernet0/1                    
!
interface Ethernet0/2                    
!
interface Ethernet0/3                    
!
interface Ethernet0/4                    
!
interface Ethernet0/5                    
!
interface Ethernet0/6                    
!
interface Ethernet0/7                    
!
ftp mode passive                
clock timezone CST -6                    
clock summer-time CDT recurring                              
access-list acl_out extended permit icmp any any echo-reply                                                          
access-list acl_out extended permit icmp any any source-quench                                                              
access-list acl_out extended permit icmp any any unreachable                                                            
access-list acl_out extended permit icmp any any time-exceeded                                                              
access-list nonat extended permit ip InternalNet 255.255.255.0 172.17.3.0 255.255.255.0
access-list nonat extended permit ip Inte                                      
.255.255.0          
access-list s_tunnel extended permit ip InternalNet 255.255.255.0 172.17.3.0 255.255.255.0
access-list s_tunnel extended permit tcp interface outside eq ssh 172.17.3.0 255.255.255.0
access-list l2l_list extended permit ip InternalNet 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24              
logging asdm informational                          
mtu inside 1500              
mtu outside 1500                
ip local pool vpnpool 172.17.3.1-172.17.3.50                                            
no failover          
icmp unreachable rate-limit 1 burst-size 1                                          
asdm image disk0:/asdm-524.bin                              
no asdm history enable                      
arp timeout 14400                
global (outside) 1 interface                            
nat (inside) 0 access-list nonat                                
nat (inside) 1 0.0.0.0 0.0.0.0                              
access-group acl_out in interface outside                                        
route outside 0.0.0.0 0.0.0.0 IPaddress.1 1                                          
timeout xlate 3:00:00                    
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02                                                                
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00                                                                              
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00                                                                              
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute                                                            
aaa authentication serial console LOCAL                                      
aaa authentication ssh console LOCAL                                    
aaa authentication http console LOCAL                                    
http server enable 444                      
http 192.168.1.0 255.255.255.0 inside                                    
http 172.17.3.0 255.255.255.0 outside                                    
snmp-server host outside xxx.xxx.xxx.xxx poll community xxxxxxxxxxx                                                                  
no snmp-server location                      
no snmp-server contact                      
snmp-server enable traps snmp authentication linkup linkdown coldstart                                                                      
crypto ipsec transform-set FirstSet esp-aes esp-sha-hmac                                                        
crypto dynamic-map dyn1 1 set transform-set FirstSet                                                    
crypto dynamic-map dyn1 1 set reverse-route                                          
crypto map mymap 20 match address l2l_list                                          
crypto map mymap 20 set peer MainIPxx.6                                          
crypto map mymap 20 set transform-set FirstSet                                              
crypto map mymap 100 ipsec-isakmp dynamic dyn1                                              
crypto map mymap interface outside                                  
crypto isakmp identity address                              
crypto isakmp enable outside                            
crypto isakmp policy 1                      
 authentication pre-share                        
 encryption aes              
 hash sha        
 group 2        
 lifetime 86400              
crypto isakmp nat-traversal  25                              
telnet InternalNet 255.255.255.0 inside                                      
telnet timeout 5                
ssh InternalNet 255.255.255.0 inside                                    
ssh 172.17.3.0 255.255.255.0 outside                                    
ssh 24.197.227.42 255.255.255.255 outside                                        
ssh MainIPxx.6 255.255.255.255 outside                                        
ssh timeout 30              
console timeout 0                
dhcpd dns 192.168.100.10                        
dhcpd domain domainname.invalid                            
dhcpd auto_config outside                        
!
dhcpd address 192.168.102.100-192.168.102.125 inside                                                    
dhcpd enable inside                  
!

ntp server 192.43.244.18                        
ntp server 207.46.232.189                        
group-policy vpnclients internal                                
group-policy vpnclients attributes                                  
 dns-server value 192.168.100.10                                
 split-tunnel-policy                  
 split-tunnel-network-list value s_tunnel                                        
 default-domain value domainname.invalid                                      
username admin password xxxxxxxxxxxxxxxxxx encrypted privilege 15                                                              
tunnel-group vpnclients type ipsec-ra                                    
tunnel-group vpnclients general-attributes                                          
 address-pool vpnpool                    
 default-group-policy vpnclients                                
tunnel-group vpnclients ipsec-attributes                                        
 pre-shared-key *                
 isakmp ikev1-user-authentication none                                      
tunnel-group MainIPxx.6 type ipsec-l2l                                        
tunnel-group mainIPxx.6 ipsec-attributes                                          
 pre-shared-key *                
!
class-map inspection_default                            
 match default-inspection-traffic                                
!
!
policy-map type inspect dns preset_dns_map                                      
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:772ac8d35a2341c0bbfdcda0ea92de8a
Question by:remmett70
6 Comments
 
LVL 6

Expert Comment

by:tgtcat69
ID: 24817745
Probably a stupid question, but have you double checked the firewall on the SBS server?
0
 
LVL 10

Author Comment

by:remmett70
ID: 24817790
The firewalls on both the SBS server and the new 2003 server are disabled.
0
 
LVL 10

Author Comment

by:remmett70
ID: 24819966
Additional info on issue.

Each branch has 3 computers.  Each of the computers at the branches has no problem authenticating against the DC in the main office through the tunnel.  The branch computers are able to remote desktop to the DC, connect to shares, and Outlook is able to get email from the SBS domain controller.

Since I know next to nothing about these configurations (yet), if the configs look good, then I need to search other possibilities.  To me, since the branch computers have no problem connecting to one device, I cannot figure out what would be stopping them from connecting to the new member server when name resolution is fine.  It just seems to point to the VPN configuration.

I am working against a deadline and would appreciate anything.
0
 
LVL 6

Assisted Solution

by:tgtcat69
tgtcat69 earned 250 total points
ID: 24823230
I personally do not see anything in the configs that would prevent your traffic from flowing properly.  At this time, I would look into other avenues unless someone else can find a problem with your config listed above.
0
 
LVL 10

Accepted Solution

by:
remmett70 earned 0 total points
ID: 24827438
Turns out that there is nothing wrong with the configurations in the ASA.

The problem was that for some reason the company has two internet connections and two routers at the main office.  One is through DSL and is used to connect the three locations.  The second is through a Business Cable solution.  The problem was that the old SBS server had a static route that needed to be duplicated on the new server so the server knew which router to try to pass its traffic through.
0
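Added example, not part of the original thread: a check for the return-path problem the accepted solution describes. It reads the tunnel networks from the crypto-map ACLs in the posted main-office config and lists the persistent routes a server would need so that replies go back through the ASA (192.168.100.1). The second router's address (192.168.100.254), the assumption that it is the servers' default gateway, and both route tables are constructed for illustration.

```python
import ipaddress

# Constructed excerpt of the main-office ASA config posted above.
ASA_CONFIG = """\
name 192.168.100.0 InternalNet
access-list l2l_Remote1 extended permit ip InternalNet 255.255.255.0 192.168.102.0 255.255.255.0
access-list l2l_Remote2 extended permit ip InternalNet 255.255.255.0 192.168.101.0 255.255.255.0
crypto map mymap 20 match address l2l_Remote1
crypto map mymap 30 match address l2l_Remote2
"""
ASA_INSIDE = "192.168.100.1"      # from the posted config (interface Vlan1)
OTHER_ROUTER = "192.168.100.254"  # ASSUMPTION: LAN address of the second (cable) router


def tunnel_destinations(config):
    """Remote networks named by the ACLs that crypto map entries reference."""
    names, acls, matched = {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["name"] and len(t) >= 3:
            names[t[2]] = t[1]                      # alias -> network address
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"] and len(t) == 9:
            dst = names.get(t[7], t[7])             # resolve a `name` alias if one is used
            acls.setdefault(t[1], []).append(ipaddress.ip_network(f"{dst}/{t[8]}"))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            matched.append(t[6])
    return sorted(n for acl in matched for n in acls.get(acl, []))


def next_hop(routes, dest):
    """Longest-prefix match over (network, gateway) pairs, as the host's IP stack does."""
    hits = [(net, gw) for net, gw in routes if dest.subnet_of(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def missing_routes(routes, config=ASA_CONFIG, vpn_gw=ASA_INSIDE):
    """Windows `route -p add` commands for tunnel networks whose replies bypass the ASA."""
    return [f"route -p add {net.network_address} mask {net.netmask} {vpn_gw}"
            for net in tunnel_destinations(config) if next_hop(routes, net) != vpn_gw]


def table(*rows):
    return [(ipaddress.ip_network(n), gw) for n, gw in rows]


# Constructed route tables: the old server has the static routes, the new one only a default.
OLD_SERVER = table(("0.0.0.0/0", OTHER_ROUTER),
                   ("192.168.101.0/24", ASA_INSIDE), ("192.168.102.0/24", ASA_INSIDE))
NEW_SERVER = table(("0.0.0.0/0", OTHER_ROUTER))

if __name__ == "__main__":
    for label, routes in (("old server", OLD_SERVER), ("new server", NEW_SERVER)):
        print(label, missing_routes(routes) or "return path OK")
```

A host in this state still receives the branch traffic through the tunnel; only its replies leave by the other router, which is why the ASA configs looked correct.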
 
LVL 6

Expert Comment

by:tgtcat69
ID: 24827669
Glad to hear this problem is solved.
0
