Solved

Cisco ASA  remote access and site to site

Posted on 2010-03-31
364 Views
Last Modified: 2012-05-09
I am trying to set up an ASA 5505 for client VPN and site-to-site VPN.
I have fixed the site-to-site part and that works fine. I can log in to the network from my VPN client, but I cannot access network services; I cannot ping the internal servers.
Here is my config listing. Can anybody spot what I am doing wrong?


: Saved
:
ASA Version 7.2(4)
!
hostname xxxx
domain-name xxx.co.uk
enable password HB13YlevMtUcL7F2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 89.x.x.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 speed 100
 duplex full
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxx.co.uk
access-list inside_access_in remark any TCP out bound
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark Mail In Bound to  SBS server
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq smtp
access-list outside_access_in remark RDP to Database  server
access-list outside_access_in extended permit tcp any host 192.168.1.3 eq 3389
access-list outside_access_in remark OWA https inbound
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq https
access-list outside_access_in remark Interwebsite access
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq www
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list REMOTE_SITE extended permit ip any 192.168.168.0 255.255.255.240
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Local_LAN_Access remark VPN Client Local Lan Access
access-list Local_LAN_Access standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool PHVPNpool 192.168.168.1-192.168.168.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list REMOTE_SITE
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.1.2 987 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255
static (inside,outside) udp interface 47 192.168.1.2 47 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 89.145.200.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 94.30.92.58
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
group-policy PHVPN internal
group-policy PHVPN attributes
 banner value Your are now Logged on the PH local nertwork
 wins-server value 192.168.1.2
 dns-server value 192.168.1.2
 dhcp-network-scope none
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 default-domain value xxxx.local
 address-pools value PHVPNpool
username Tedb password hS6lM92APzTCqATf encrypted
username Tedb attributes
 vpn-group-policy PHVPN
 vpn-tunnel-protocol IPSec l2tp-ipsec
username admin password F0PP8wPBs1vO0gqV encrypted
tunnel-group 94.30.92.58 type ipsec-l2l
tunnel-group 94.30.92.58 ipsec-attributes
 pre-shared-key *
tunnel-group PHVPN type ipsec-ra
tunnel-group PHVPN general-attributes
 address-pool PHVPNpool
 default-group-policy PHVPN
tunnel-group PHVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d0a662b45ab02d2978a1370020912c13
: end
xxx#



Question by:thombie
8 Comments
 

Expert Comment

by:Pete Long
ID: 29191391
 

Expert Comment

by:gavving
ID: 29209834
Also make sure to have different ACLs for the 'nat (inside) 0' and for the site-to-site tunnel. Using the same ACL will sort of work, sometimes, but causes problems. Create a new ACL for the NAT 0 config, even if it's exactly the same as before, and make sure to remove the reference to the site-to-site ACL.
 

Author Comment

by:thombie
ID: 29237197
It's still not working. I am getting this error in the FW log:
IKE Initiator unable to find policy intf outside, src 192.168.1.2 dst 192.168.168.1
 

Assisted Solution

by:gavving
ID: 29253421
Unfortunately the pasted config lost all of the line breaks and it's very hard to read.  Can you repost it using the "Code" function so that it's readable?  Thanks.
 

Author Comment

by:thombie
ID: 29312429
I have reposted the code below.
: Saved
:
ASA Version 7.2(4) 
!
hostname PH-SAV-FW
domain-name pilcherhershman.co.uk
enable password HB13YlevMtUcL7F2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 89.145.200.50 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 speed 100
 duplex full
!
ftp mode passive
dns server-group DefaultDNS
 domain-name pilcherhershman.co.uk
access-list inside_access_in remark any TCP out bound
access-list inside_access_in extended permit tcp any any 
access-list inside_access_in extended permit icmp any any 
access-list inside_access_in extended permit udp any any 
access-list inside_access_in extended permit ip any any 
access-list outside_access_in extended permit tcp any any 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in remark Mail In Bound to  SBS server
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq smtp 
access-list outside_access_in remark RDP to Database  server
access-list outside_access_in extended permit tcp any host 192.168.1.3 eq 3389 
access-list outside_access_in remark OWA https inbound
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq https 
access-list outside_access_in remark Interwebsite access
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq www 
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list REMOTE_SITE extended permit ip any 192.168.168.0 255.255.255.240 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list outside_nat0_outbound extended permit ip 192.168.168.0 255.255.255.0 any 
access-list Local_LAN_Access remark VPN Client Local Lan Access
access-list Local_LAN_Access standard permit 192.168.1.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool PHVPNpool 192.168.168.1-192.168.168.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list REMOTE_SITE
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound outside
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface 987 192.168.1.2 987 netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255 
static (inside,inside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255 
static (inside,outside) udp interface 47 192.168.1.2 47 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 89.145.200.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 94.30.92.58 
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0

group-policy PHVPN internal
group-policy PHVPN attributes
 banner value Your are now Logged on the PH local nertwork
 wins-server value 192.168.1.2
 dns-server value 192.168.1.2
 dhcp-network-scope none
 split-tunnel-policy excludespecified
 split-tunnel-network-list none
 default-domain value pilcherhershman.local
 address-pools value PHVPNpool
username Tedb password hS6lM92APzTCqATf encrypted
username Tedb attributes
 vpn-group-policy PHVPN
 vpn-tunnel-protocol IPSec l2tp-ipsec 
username admin password F0PP8wPBs1vO0gqV encrypted
tunnel-group 94.30.92.58 type ipsec-l2l
tunnel-group 94.30.92.58 ipsec-attributes
 pre-shared-key *
tunnel-group PHVPN type ipsec-ra
tunnel-group PHVPN general-attributes
 address-pool PHVPNpool
 default-group-policy PHVPN
tunnel-group PHVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect pptp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:f22b232eae598d365caf310b90f9b4c8
: end

 

Accepted Solution

by:gavving
ID: 29336452
Let's try cleaning some things up. Try the following commands in config mode:

no nat (inside) 0 access-list REMOTE_SITE
no nat (outside) 0 access-list outside_nat0_outbound outside
nat (inside) 0 access-list inside_nat0_outbound
access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0

That should fix the NAT config. Be warned that pasting the settings might affect your site-to-site tunnel, but if you paste them all in at the same time it will be a short interruption.

Now let's do a split-tunnel config:

access-list splittun standard permit 192.168.1.0 255.255.255.0
group-policy PHVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittun

I think that should fix it.  Be warned as well that when you test it, make sure the network the remote workstation is on is not 192.168.1.x.  That will cause problems.  Since that network is so heavily used by default for many consumer routers, I generally don't recommend using it as the internal network IP number for VPN endpoints.  
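The accepted answer above changes two things: NAT exemption gets its own ACL that also covers the VPN pool (the point gavving made in the earlier comment about not sharing the nat 0 ACL with the site-to-site tunnel), and the group policy moves from excludespecified with no list to tunnelspecified with an ACL naming the inside LAN. The following script is an added example by the editor, not Cisco tooling and not from the thread: it parses a constructed sample made of the relevant lines from the reposted config, reports those two faults before the fix and their absence after it, and adds three checks of the editor's own that the thread leaves alone: the static L2L crypto ACL REMOTE_SITE also selecting traffic to the remote-access pool (the src/dst pair in the IKE log line quoted above falls inside its second entry), SSH and HTTP (ASDM) management allowed from 0.0.0.0/0 on the outside interface, and the permit tcp any any at the top of outside_access_in, which shadows the per-host SMTP, HTTPS and RDP entries beneath it. The inside LAN is passed to lint() as an argument; the finding codes are the editor's names, not ASA syslog IDs.

```python
# Editor's added example (not Cisco tooling): lint the ASA 7.2 config from this thread
# for the faults the accepted answer fixes, plus three exposure checks of the editor's own.
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample: the NAT/ACL/pool/crypto-map/management/split-tunnel lines of the second listing.
ORIGINAL = """\
access-list outside_access_in extended permit tcp any any
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list REMOTE_SITE extended permit ip any 192.168.168.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ip local pool PHVPNpool 192.168.168.1-192.168.168.10 mask 255.255.255.0
nat (inside) 0 access-list REMOTE_SITE
access-group outside_access_in in interface outside
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
group-policy PHVPN attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list none
"""
FIXED = ORIGINAL.replace(  # the same lines after the accepted answer's commands are applied
    "nat (inside) 0 access-list REMOTE_SITE",
    "nat (inside) 0 access-list inside_nat0_outbound\n"
    "access-list inside_nat0_outbound permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0",
).replace("policy excludespecified\n split-tunnel-network-list none",
          "policy tunnelspecified\n split-tunnel-network-list value splittun",
) + "access-list splittun standard permit 192.168.1.0 255.255.255.0\n"

def _net(tok):  # consume one ACL address spec ('any' | 'host A' | 'A MASK'); return (network, rest)
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def parse(text):  # collect only what the checks need; ACL entries become (proto, src_net, dst_net)
    cfg = {"acl": {}, "pools": {}, "nat0": {}, "bound": {}, "mgmt": [], "crypto": {}, "split": {}}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 3 and t[0] == "access-list" and "permit" in t[2:4]:
            body = t[t.index("permit") + 1:]
            if t[2] == "standard":
                proto, (src, _), dst = "ip", _net(body), ANY
            else:
                proto, (src, rest) = body[0], _net(body[1:])
                dst, _ = _net(rest)
            cfg["acl"].setdefault(t[1], []).append((proto, src, dst))
        elif t[:3] == ["ip", "local", "pool"]:
            lo, hi = t[4].split("-")
            cfg["pools"][t[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[:1] == ["access-group"] and "interface" in t:
            cfg["bound"][t[-1]] = t[1]
        elif t[:1] in (["http"], ["ssh"]) and t[1:3] == ["0.0.0.0", "0.0.0.0"]:
            cfg["mgmt"].append((t[0], t[3]))
        elif t[:2] == ["crypto", "map"] and "match" in t:
            cfg["crypto"][t[3]] = t[-1]  # keyed by crypto map sequence number
        elif t and t[0].startswith("split-tunnel-"):
            cfg["split"][t[0]] = t[-1]
    return cfg

def lint(text, inside_lan="192.168.1.0/24"):  # returns (code, message) findings with stable codes
    cfg, lan, out = parse(text), ipaddress.ip_network(inside_lan), []
    acl = cfg["acl"]

    def permits(name, src, dst):  # some 'ip' entry of ACL `name` covers all of src -> dst
        return any(p == "ip" and s.supernet_of(src) and d.supernet_of(dst) for p, s, d in acl.get(name, []))
    for iface, name in cfg["nat0"].items():  # 1. nat 0 must not reuse the crypto-map match ACL
        for seq, cname in cfg["crypto"].items():
            if cname == name:
                out.append(("shared-acl", f"nat ({iface}) 0 and crypto map seq {seq} both use {name}"))
    nat0 = cfg["nat0"].get("inside")
    for pool, (lo, hi) in cfg["pools"].items():
        # 2. pool addresses need NAT exemption from the LAN, or replies hit 'nat (inside) 1' and get PATed
        if not all(nat0 and permits(nat0, lan, n) for n in ipaddress.summarize_address_range(lo, hi)):
            out.append(("pool-not-exempt", f"{lan} -> {pool} is missing from nat (inside) 0"))
        # 3. editor's check: the static L2L crypto ACL must not also select the RA pool (the dynamic map does)
        for seq, name in cfg["crypto"].items():
            if any(d.supernet_of(ipaddress.ip_network(f"{lo}/32")) for _, _, d in acl.get(name, [])):
                out.append(("crypto-acl-pool", f"crypto map seq {seq} ACL {name} also matches {pool}"))
    policy, lst = cfg["split"].get("split-tunnel-policy"), cfg["split"].get("split-tunnel-network-list")
    if policy == "excludespecified" and lst == "none":  # 4. split tunnelling
        out.append(("split-tunnel", "excludespecified with no list; use tunnelspecified plus an ACL naming the LAN"))
    elif policy == "tunnelspecified" and not permits(lst, lan, ANY):
        out.append(("split-tunnel", f"split-tunnel list {lst} does not include {lan}"))
    # 5. editor's exposure check: SSH/ASDM management reachable from the whole internet
    out += [("mgmt-exposed", f"{p} allowed from 0.0.0.0/0 on {i}") for p, i in cfg["mgmt"] if i == "outside"]
    name = cfg["bound"].get("outside")  # 6. 'permit tcp any any' shadows every per-host line after it
    if any(p in ("ip", "tcp") and s == ANY and d == ANY for p, s, d in acl.get(name, [])):
        out.append(("outside-any", f"{name} permits tcp any any, so its per-host lines never match"))
    return out

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("after accepted fix", FIXED)):
        print(label, *[f"\n  [{c}] {m}" for c, m in lint(text)])
```

Run as-is, the original listing produces shared-acl, split-tunnel, crypto-acl-pool, mgmt-exposed and outside-any; after the accepted answer's commands only the last three remain, which is the list a practitioner would still want to review once the clients can ping. The pool-not-exempt check passes on both because REMOTE_SITE's "any 192.168.168.0/28" entry happens to cover the pool; point nat (inside) 0 at inside_nat0_outbound without adding the 192.168.168.0/24 line and it fires.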
 

Author Comment

by:thombie
ID: 29368060
I am away for Easter I will do the config next week and let you know
 

Author Closing Comment

by:thombie
ID: 31709334
Good, that worked.
