remmett70
asked on
Cisco ASA 5505 l2l connection problem, can only connect to 1 IP address
I have inherited a network with my new job. I have one small main office, 192.168.100.x, and two branch offices, 192.168.101.x and 102.x. Right now both branches are able to connect to my SBS2003 server at the main location (192.168.100.10). The main office is unable to ping, RDP to, or connect to shares on the branches.
We have just installed a new server in the main office that needs to be accessed from the branches. I am now unable to ping, RDP to, or connect to shares on this new server, 192.168.100.50.
I have no experience with routers, even though I am able to get around the CLI from working with switches. Here are the running configs from the main office and one branch. The branch configs are duplicates except for IPs.
Main office
MainASA5505(config)# show running-config
: Saved
:
ASA Version 7.2(3)
!
hostname MainASA5505
enable password xxxxxxxxxxxxx encrypted
names
name 192.168.100.0 InternalNet
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address OutsideIP.6 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd XXXXXXXXXX encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp any any source-quench
access-list acl_out extended permit icmp any any unreachable
access-list acl_out extended permit icmp any any time-exceeded
access-list nonat extended permit ip InternalNet 255.255.255.0 172.17.3.0 255.255.255.0
access-list nonat extended permit ip InternalNet 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip InternalNet 255.255.255.0 192.168.102.0 255.255.255.0
access-list s_tunnel extended permit ip InternalNet 255.255.255.0 172.17.3.0 255.255.255.0
access-list s_tunnel extended permit tcp interface outside eq ssh 172.17.3.0 255.255.255.0
access-list l2l_Remote1 extended permit ip InternalNet 255.255.255.0 192.168.102.0 255.255.255.0
access-list l2l_Remote2 extended permit ip InternalNet 255.255.255.0 192.168.101.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.17.3.1-172.17.3.50
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 OutsideIP.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 444
http 192.168.1.0 255.255.255.0 inside
http 172.17.3.0 255.255.255.0 outside
snmp-server host outside xxx.xxx.xxx.xxx poll community XXXXXXXXXXXX
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-aes esp-sha-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 20 match address l2l_Remote1
crypto map mymap 20 set peer Remote1IP.194
crypto map mymap 20 set transform-set FirstSet
crypto map mymap 30 match address l2l_Remote2
crypto map mymap 30 set peer Remote2IP.200
crypto map mymap 30 set transform-set FirstSet
crypto map mymap 100 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 25
telnet timeout 5
ssh InternalNet 255.255.255.0 inside
ssh 172.17.3.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx
group-policy vpnclients internal
group-policy vpnclients attributes
dns-server value 192.168.100.10
split-tunnel-policy tunnelspecified
split-tunnel-network-list value s_tunnel
default-domain value xxxxxxxxxxxxxxxxx
username xxxxx password xxxxxxxxxxxxx encrypted privilege 15
tunnel-group vpnclients type ipsec-ra
tunnel-group vpnclients general-attributes
address-pool vpnpool
default-group-policy vpnclients
tunnel-group vpnclients ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
tunnel-group Remote1IP.194 type ipsec-l2l
tunnel-group Remote1IP.194 ipsec-attributes
pre-shared-key *
tunnel-group Remote2IP.200 type ipsec-l2l
tunnel-group Remote2IP.200 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:5c6b472a7f960bcf332ba33fd3f0960b
Remote Config
remote1asa5505(config)# show run
: Saved
:
ASA Version 7.2(4)
!
hostname remote1asa5505
enable password XXXXXXXXX encrypted
passwd XXXXXXXXXX encrypted
names
name 192.168.102.0 InternalNet
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.102.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address IPaddress.194 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list acl_out extended permit icmp any any echo-reply
access-list acl_out extended permit icmp any any source-quench
access-list acl_out extended permit icmp any any unreachable
access-list acl_out extended permit icmp any any time-exceeded
access-list nonat extended permit ip InternalNet 255.255.255.0 172.17.3.0 255.255.255.0
access-list nonat extended permit ip Inte
.255.255.0
access-list s_tunnel extended permit ip InternalNet 255.255.255.0 172.17.3.0 255.255.255.0
access-list s_tunnel extended permit tcp interface outside eq ssh 172.17.3.0 255.255.255.0
access-list l2l_list extended permit ip InternalNet 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 172.17.3.1-172.17.3.50
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 IPaddress.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable 444
http 192.168.1.0 255.255.255.0 inside
http 172.17.3.0 255.255.255.0 outside
snmp-server host outside xxx.xxx.xxx.xxx poll community xxxxxxxxxxx
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-aes esp-sha-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 20 match address l2l_list
crypto map mymap 20 set peer MainIPxx.6
crypto map mymap 20 set transform-set FirstSet
crypto map mymap 100 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 25
telnet InternalNet 255.255.255.0 inside
telnet timeout 5
ssh InternalNet 255.255.255.0 inside
ssh 172.17.3.0 255.255.255.0 outside
ssh 24.197.227.42 255.255.255.255 outside
ssh MainIPxx.6 255.255.255.255 outside
ssh timeout 30
console timeout 0
dhcpd dns 192.168.100.10
dhcpd domain domainname.invalid
dhcpd auto_config outside
!
dhcpd address 192.168.102.100-192.168.102.125 inside
dhcpd enable inside
!
ntp server 192.43.244.18
ntp server 207.46.232.189
group-policy vpnclients internal
group-policy vpnclients attributes
dns-server value 192.168.100.10
split-tunnel-policy
split-tunnel-network-list value s_tunnel
default-domain value domainname.invalid
username admin password xxxxxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group vpnclients type ipsec-ra
tunnel-group vpnclients general-attributes
address-pool vpnpool
default-group-policy vpnclients
tunnel-group vpnclients ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
tunnel-group MainIPxx.6 type ipsec-l2l
tunnel-group mainIPxx.6 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:772ac8d35a2341c0bbfdcda0ea92de8a
Probably a stupid question, but have you double-checked the firewall on the SBS server?
ASKER
The firewall on both the SBS server and the new 2003 server are disabled.
ASKER
Additional info on issue.
Each branch has 3 computers. Each of the computers at the branches has no problem authenticating against the DC in the main office through the tunnel. The branch computers are able to remote desktop to the DC, connect to shares, and Outlook is able to get email from the SBS domain controller.
Since I know next to nothing about these configurations (yet), if the configs look good, then I need to search other possibilities. To me, since the branch computers have no problem reaching one device, I cannot figure out what would be stopping them from connecting to the new member server when name resolution is fine. It just seems to point to the VPN configuration.
I am working against a deadline and would appreciate anything.
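For a site-to-site IPsec tunnel on these ASAs, a host behind one peer can only reach a host behind the other if (1) the traffic matches the crypto ACL bound to that peer's crypto map entry, (2) the same traffic is exempted from PAT by the `nat (inside) 0` ACL, and (3) the two peers' crypto ACLs are exact mirror images. Those three conditions are what separate a reachable host from an unreachable one at the configuration level, so they are the first thing to check for the symptom described in the original post and in the follow-up above. The script below is an added example, not code from the thread or from Cisco: it parses the relevant lines of the two configs posted above (the branch's second `nonat` line is truncated in the post and is left out rather than guessed, so the branch-side NAT-exemption result is not meaningful), checks whether 192.168.100.10 and 192.168.100.50 are covered on the main side, and checks the mirroring between the two peers. The branch workstation address 192.168.102.20 and the `BAD_REMOTE_CFG` mismatch are constructed for the demonstration. When all checks pass, as they do for the posted excerpts, the tunnel definition is not what distinguishes the two servers, and the next things to verify are on the host itself: the host firewall already asked about, and that the new server's default gateway is the ASA inside address rather than some other device.

```python
"""Consistency checks for the site-to-site pieces of an ASA 7.2 config.

Added example (not from the thread). Handles the 'name', 'access-list ... permit ip',
'nat (inside) 0 access-list' and 'crypto map ... match address / set peer' lines
used by the posted configurations.
"""
import ipaddress
import re
from collections import defaultdict

# Excerpt of the main-office config posted in the thread (placeholders kept as posted).
MAIN_CFG = """
name 192.168.100.0 InternalNet
access-list nonat extended permit ip InternalNet 255.255.255.0 172.17.3.0 255.255.255.0
access-list nonat extended permit ip InternalNet 255.255.255.0 192.168.101.0 255.255.255.0
access-list nonat extended permit ip InternalNet 255.255.255.0 192.168.102.0 255.255.255.0
access-list l2l_Remote1 extended permit ip InternalNet 255.255.255.0 192.168.102.0 255.255.255.0
access-list l2l_Remote2 extended permit ip InternalNet 255.255.255.0 192.168.101.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 20 match address l2l_Remote1
crypto map mymap 20 set peer Remote1IP.194
crypto map mymap 30 match address l2l_Remote2
crypto map mymap 30 set peer Remote2IP.200
"""

# Excerpt of the branch (remote1) config. Its second nonat line is truncated in the
# post and is deliberately left out rather than guessed.
REMOTE_CFG = """
name 192.168.102.0 InternalNet
access-list nonat extended permit ip InternalNet 255.255.255.0 172.17.3.0 255.255.255.0
access-list l2l_list extended permit ip InternalNet 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map mymap 20 match address l2l_list
crypto map mymap 20 set peer MainIPxx.6
"""

# Constructed counter-example: a branch whose crypto ACL names only half of the main subnet.
BAD_REMOTE_CFG = """
name 192.168.102.0 InternalNet
access-list l2l_list extended permit ip InternalNet 255.255.255.0 192.168.100.0 255.255.255.128
crypto map mymap 20 match address l2l_list
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NONAT_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
CMAP_RE = re.compile(r"^crypto map \S+ (\d+) (match address|set peer) (\S+)$")


def parse(cfg):
    """Return {'acls': name -> [(src_net, dst_net)], 'crypto': seq -> {'acl','peer'}, 'nonat': acl}."""
    names, acls, crypto, nonat = {}, defaultdict(list), {}, None
    for line in cfg.strip().splitlines():
        line = line.strip()
        ace, nn, cm = ACE_RE.match(line), NONAT_RE.match(line), CMAP_RE.match(line)
        if line.startswith("name "):            # object alias: 'name <ip> <alias>'
            _, ip, alias = line.split()
            names[alias] = ip
        elif ace:                                # permit ip SRC SMASK DST DMASK (aliases resolved)
            acl, s, sm, d, dm = ace.groups()
            src = ipaddress.ip_network(f"{names.get(s, s)}/{sm}", strict=False)
            dst = ipaddress.ip_network(f"{names.get(d, d)}/{dm}", strict=False)
            acls[acl].append((src, dst))
        elif nn:                                 # NAT exemption (identity NAT) ACL
            nonat = nn.group(1)
        elif cm:                                 # static crypto map entry
            key = "acl" if cm.group(2) == "match address" else "peer"
            crypto.setdefault(int(cm.group(1)), {})[key] = cm.group(3)
    return {"acls": dict(acls), "crypto": crypto, "nonat": nonat}


def crypto_pairs(parsed):
    """All (local_net, remote_net) pairs referenced by static crypto map entries."""
    return {pair for e in parsed["crypto"].values() if "acl" in e
            for pair in parsed["acls"].get(e["acl"], [])}


def covered(aces, local_ip, remote_ip):
    """True if some ACE matches traffic from local_ip to remote_ip."""
    l, r = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
    return any(l in src and r in dst for src, dst in aces)


def host_report(cfg, local_ip, remote_ip):
    """Is local_ip 'interesting' for a tunnel to remote_ip, and NAT-exempt on that path?"""
    p = parse(cfg)
    in_crypto = covered(crypto_pairs(p), local_ip, remote_ip)
    in_nonat = p["nonat"] is not None and covered(p["acls"].get(p["nonat"], []), local_ip, remote_ip)
    return {"crypto": in_crypto, "nonat": in_nonat}


def unmirrored(main_cfg, remote_cfg):
    """Crypto ACL pairs lacking an exact mirror image on the other peer.

    Only main-side pairs aimed at this remote's local networks are checked, because the
    main office also carries entries for the other branch.
    """
    mp, rp = crypto_pairs(parse(main_cfg)), crypto_pairs(parse(remote_cfg))
    remote_local = {s for s, _ in rp}
    problems = [("remote entry has no mirror on main", s, d) for s, d in rp if (d, s) not in mp]
    problems += [("main entry has no mirror on remote", s, d)
                 for s, d in mp if d in remote_local and (d, s) not in rp]
    return problems


if __name__ == "__main__":
    print("mirroring problems:", unmirrored(MAIN_CFG, REMOTE_CFG) or "none")
    for host in ("192.168.100.10", "192.168.100.50"):
        print(host, "->", "192.168.102.20", host_report(MAIN_CFG, host, "192.168.102.20"))
    print("constructed mismatch:", unmirrored(MAIN_CFG, BAD_REMOTE_CFG))
```

Run it as a script to see the report for the posted excerpts: both main-office servers come out covered by `l2l_Remote1` and by `nonat`, and the main/remote1 crypto ACLs mirror each other, while the constructed `BAD_REMOTE_CFG` produces two mismatch entries. The parser deliberately only understands the `permit ip <net> <mask> <net> <mask>` form; extend `ACE_RE` before pointing it at a config that uses `host`, `any` or object groups.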
Glad to hear this problem is solved.