Cisco ASA remote access and site to site

I am trying to set up an ASA 5505 for client VPN and site-to-site VPN.
I have fixed the site-to-site part and that works fine. I can log in to the network from my VPN client, but I cannot access network services; I cannot ping the internal servers.
Here is my config listing. Can anybody spot what I am doing wrong?


:
ASA Version 7.2(4)
!
hostname xxxx
domain-name xxx.co.uk
enable password HB13YlevMtUcL7F2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 89.x.x.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 speed 100
 duplex full
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxx.co.uk
access-list inside_access_in remark any TCP out bound
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark Mail In Bound to  SBS server
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq smtp
access-list outside_access_in remark RDP to Database  server
access-list outside_access_in extended permit tcp any host 192.168.1.3 eq 3389
access-list outside_access_in remark OWA https inbound
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq https
access-list outside_access_in remark Interwebsite access
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq www
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list REMOTE_SITE extended permit ip any 192.168.168.0 255.255.255.240
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Local_LAN_Access remark VPN Client Local Lan Access
access-list Local_LAN_Access standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool PHVPNpool 192.168.168.1-192.168.168.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list REMOTE_SITE
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.1.2 987 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255
static (inside,outside) udp interface 47 192.168.1.2 47 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 89.145.200.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 94.30.92.58
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
group-policy PHVPN internal
group-policy PHVPN attributes
 banner value Your are now Logged on the PH local nertwork
 wins-server value 192.168.1.2
 dns-server value 192.168.1.2
 dhcp-network-scope none
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 default-domain value xxxx.local
 address-pools value PHVPNpool
username Tedb password hS6lM92APzTCqATf encrypted
username Tedb attributes
 vpn-group-policy PHVPN
 vpn-tunnel-protocol IPSec l2tp-ipsec
username admin password F0PP8wPBs1vO0gqV encrypted
tunnel-group 94.30.92.58 type ipsec-l2l
tunnel-group 94.30.92.58 ipsec-attributes
 pre-shared-key *
tunnel-group PHVPN type ipsec-ra
tunnel-group PHVPN general-attributes
 address-pool PHVPNpool
 default-group-policy PHVPN
tunnel-group PHVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d0a662b45ab02d2978a1370020912c13
: end
xxx#



thombie asked:
Pete Long (Technical Consultant) commented:
0
gavving commented:
Also make sure to have different ACLs for the 'nat (inside) 0' and for the site-to-site tunnel. Using the same ACL will sorta work, sometimes, but causes problems. Create a new ACL for the NAT 0 config, even if it's exactly the same as before, and make sure to remove the reference to the site-to-site ACL.
0
thombie (Author) commented:
It's still not working. I am getting this error in the FW log:
IKE Initiator unable to find policy intf outside, src 192.168.1.2 dst 192.168.168.1
0
gavving commented:
Unfortunately the pasted config lost all of the line breaks and it's very hard to read. Can you repost it using the "Code" function so that it's readable? Thanks.
0
thombie (Author) commented:
I have reposted the code below.
: Saved
:
ASA Version 7.2(4) 
!
hostname PH-SAV-FW
domain-name pilcherhershman.co.uk
enable password HB13YlevMtUcL7F2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 89.145.200.50 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 speed 100
 duplex full
!
ftp mode passive
dns server-group DefaultDNS
 domain-name pilcherhershman.co.uk
access-list inside_access_in remark any TCP out bound
access-list inside_access_in extended permit tcp any any 
access-list inside_access_in extended permit icmp any any 
access-list inside_access_in extended permit udp any any 
access-list inside_access_in extended permit ip any any 
access-list outside_access_in extended permit tcp any any 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in remark Mail In Bound to  SBS server
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq smtp 
access-list outside_access_in remark RDP to Database  server
access-list outside_access_in extended permit tcp any host 192.168.1.3 eq 3389 
access-list outside_access_in remark OWA https inbound
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq https 
access-list outside_access_in remark Interwebsite access
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq www 
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list REMOTE_SITE extended permit ip any 192.168.168.0 255.255.255.240 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list outside_nat0_outbound extended permit ip 192.168.168.0 255.255.255.0 any 
access-list Local_LAN_Access remark VPN Client Local Lan Access
access-list Local_LAN_Access standard permit 192.168.1.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool PHVPNpool 192.168.168.1-192.168.168.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list REMOTE_SITE
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound outside
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface 987 192.168.1.2 987 netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255 
static (inside,inside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255 
static (inside,outside) udp interface 47 192.168.1.2 47 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 89.145.200.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 94.30.92.58 
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0

group-policy PHVPN internal
group-policy PHVPN attributes
 banner value Your are now Logged on the PH local nertwork
 wins-server value 192.168.1.2
 dns-server value 192.168.1.2
 dhcp-network-scope none
 split-tunnel-policy excludespecified
 split-tunnel-network-list none
 default-domain value pilcherhershman.local
 address-pools value PHVPNpool
username Tedb password hS6lM92APzTCqATf encrypted
username Tedb attributes
 vpn-group-policy PHVPN
 vpn-tunnel-protocol IPSec l2tp-ipsec 
username admin password F0PP8wPBs1vO0gqV encrypted
tunnel-group 94.30.92.58 type ipsec-l2l
tunnel-group 94.30.92.58 ipsec-attributes
 pre-shared-key *
tunnel-group PHVPN type ipsec-ra
tunnel-group PHVPN general-attributes
 address-pool PHVPNpool
 default-group-policy PHVPN
tunnel-group PHVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect pptp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:f22b232eae598d365caf310b90f9b4c8
: end

0
gavving commented:
Let's try cleaning some things up. Try the following commands in config mode:

no nat (inside) 0 access-list REMOTE_SITE
no nat (outside) 0 access-list outside_nat0_outbound outside
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0

That should fix the NATting config. Be warned that pasting the settings might affect your site-to-site tunnel, but if you paste them all in at the same time it will be a short interruption.

Now let's do a split-tunnel config:

access-list splittun standard permit 192.168.1.0 255.255.255.0
group-policy PHVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittun

I think that should fix it. Be warned as well that when you test it, make sure the network the remote workstation is on is not 192.168.1.x. That will cause problems. Since that network is so heavily used by default by many consumer routers, I generally don't recommend using it as the internal network range for VPN endpoints.
0
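As an added example (not from this thread and not an ASA feature), here is a small Python linter that encodes the checks behind the two answers above: the earlier comment's warning against one ACL serving both `nat (inside) 0` and the crypto map, the site-to-site crypto ACL matching the remote-access pool (the `any 192.168.168.0 255.255.255.240` entry in REMOTE_SITE makes LAN-to-client replies look like L2L-interesting traffic, which is consistent with the "IKE Initiator unable to find policy ... dst 192.168.168.1" log line posted above), an `excludespecified` list that covers the inside LAN and so keeps the client from tunnelling traffic to the servers, and a missing NAT exemption for LAN-to-pool traffic. The two embedded configs are constructed subsets of the first posted config and of the config after this answer's commands; the fixed one additionally drops the `any 192.168.168.0 255.255.255.240` entry from REMOTE_SITE, which is my assumption, not part of the answer. The parser is deliberately narrow (permit lines only, no object-groups, no deny entries, no NAT ordering), so treat its silence as "none of these four mistakes", not as "the config is correct".

```python
"""Linter for the ASA 7.x/8.2-style remote-access vs. site-to-site mistakes in this thread (added example)."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take(tok):
    """Consume one ASA address spec (any | host X | ADDR MASK) from a token list."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def parse_asa(cfg):
    """Collect ACL entries, pools, nat 0 / crypto-map ACL references, split-tunnel settings and interface subnets."""
    d = {"acl": {}, "pool": {}, "nat0": [], "cmap": [], "split": {}, "iface": {}}
    gp, cur_if = None, None
    for raw in cfg.splitlines():
        line = raw.strip()
        t = line.split()
        if not t:
            continue
        if (m := re.match(r"access-list (\S+) standard permit (.*)", line)):
            src, _ = _take(m.group(2).split())          # standard ACL: source only
            d["acl"].setdefault(m.group(1), []).append((src, ANY))
        elif (m := re.match(r"access-list (\S+) extended permit \S+ (.*)", line)):
            src, rest = _take(m.group(2).split())
            dst, _ = _take(rest)                        # trailing 'eq <port>' is ignored
            d["acl"].setdefault(m.group(1), []).append((src, dst))
        elif (m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line)):
            first, last = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
            d["pool"][m.group(1)] = list(ipaddress.summarize_address_range(first, last))
        elif (m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line)):
            d["nat0"].append(m.group(1))
        elif (m := re.match(r"crypto map \S+ \d+ match address (\S+)", line)):
            d["cmap"].append(m.group(1))                # static (L2L) entries only
        elif (m := re.match(r"group-policy (\S+) attributes", line)):
            gp = m.group(1)
            d["split"].setdefault(gp, {})
        elif gp and t[0] == "split-tunnel-policy":
            d["split"][gp]["policy"] = t[1]
        elif gp and t[0] == "split-tunnel-network-list":
            d["split"][gp]["acl"] = t[-1]               # ACL name after 'value', or 'none'
        elif t[0] == "interface":
            cur_if = {}
        elif cur_if is not None and t[0] == "nameif":
            cur_if["name"] = t[1]
        elif cur_if is not None and "name" in cur_if and t[:2] == ["ip", "address"]:
            d["iface"][cur_if["name"]] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
    return d


def lint(cfg, inside="inside"):
    """Return a list of findings; an empty list means none of the four known mistakes is present."""
    d = parse_asa(cfg)
    lan = d["iface"].get(inside)
    out = []
    # 1. One ACL driving both NAT exemption and a crypto map.
    for name in sorted(set(d["nat0"]) & set(d["cmap"])):
        out.append(f"ACL {name} is shared by nat 0 and a crypto map match address")
    # 2. The L2L crypto ACL must not match the remote-access pool.
    for name in d["cmap"]:
        for pool, nets in d["pool"].items():
            if any(dst.overlaps(n) for _, dst in d["acl"].get(name, []) for n in nets):
                out.append(f"crypto map ACL {name} covers VPN pool {pool}; "
                           "LAN-to-client return traffic would be steered into the L2L tunnel")
    # 3. excludespecified whose list covers the inside LAN keeps LAN traffic out of the tunnel.
    for gp, s in d["split"].items():
        if lan and s.get("policy") == "excludespecified":
            if any(src.overlaps(lan) for src, _ in d["acl"].get(s.get("acl"), [])):
                out.append(f"group-policy {gp}: excludespecified list {s['acl']} "
                           f"excludes the {inside} LAN {lan} from the tunnel")
    # 4. LAN -> pool must be exempted from NAT, or replies get PATed to the outside address.
    for pool, nets in d["pool"].items():
        if lan and not any(src.overlaps(lan) and dst.overlaps(n)
                           for name in d["nat0"]
                           for src, dst in d["acl"].get(name, []) for n in nets):
            out.append(f"no nat 0 exemption for {lan} -> pool {pool}")
    return out


# Constructed subset of the first posted config (not the full listing).
BROKEN = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list REMOTE_SITE extended permit ip any 192.168.168.0 255.255.255.240
access-list Local_LAN_Access standard permit any
ip local pool PHVPNpool 192.168.168.1-192.168.168.10 mask 255.255.255.0
nat (inside) 0 access-list REMOTE_SITE
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
group-policy PHVPN attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
"""

# Constructed subset after the answer's commands; also drops the pool entry from REMOTE_SITE (assumption).
FIXED = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list splittun standard permit 192.168.1.0 255.255.255.0
ip local pool PHVPNpool 192.168.168.1-192.168.168.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
group-policy PHVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittun
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint(cfg) or "clean")
```

Run it against a full `show running-config` dump; anything it reports is worth fixing before chasing IKE debugs, since all four produce the same symptom the question describes (tunnel up, no reachability to the inside servers).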
thombie (Author) commented:
I am away for Easter. I will do the config next week and let you know.
0
thombie (Author) commented:
Good, that worked.
0