thombie asked:
Cisco ASA remote access and site to site

I am trying to set up an ASA 5505 for client VPN and site-to-site VPN.
I have fixed the site-to-site part and that works fine. I can log in to the network from my VPN client but I cannot access network services; I cannot ping the internal servers.
Here is my config listing. Can anybody spot what I am doing wrong?


:
ASA Version 7.2(4)
!
hostname xxxx
domain-name xxx.co.uk
enable password HB13YlevMtUcL7F2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 89.x.x.x 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 speed 100
 duplex full
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxx.co.uk
access-list inside_access_in remark any TCP out bound
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark Mail In Bound to  SBS server
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq smtp
access-list outside_access_in remark RDP to Database  server
access-list outside_access_in extended permit tcp any host 192.168.1.3 eq 3389
access-list outside_access_in remark OWA https inbound
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq https
access-list outside_access_in remark Interwebsite access
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq www
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list REMOTE_SITE extended permit ip any 192.168.168.0 255.255.255.240
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Local_LAN_Access remark VPN Client Local Lan Access
access-list Local_LAN_Access standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool PHVPNpool 192.168.168.1-192.168.168.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list REMOTE_SITE
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.1.2 987 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255
static (inside,outside) udp interface 47 192.168.1.2 47 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 89.145.200.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 94.30.92.58
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
group-policy PHVPN internal
group-policy PHVPN attributes
 banner value Your are now Logged on the PH local nertwork
 wins-server value 192.168.1.2
 dns-server value 192.168.1.2
 dhcp-network-scope none
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 default-domain value xxxx.local
 address-pools value PHVPNpool
username Tedb password hS6lM92APzTCqATf encrypted
username Tedb attributes
 vpn-group-policy PHVPN
 vpn-tunnel-protocol IPSec l2tp-ipsec
username admin password F0PP8wPBs1vO0gqV encrypted
tunnel-group 94.30.92.58 type ipsec-l2l
tunnel-group 94.30.92.58 ipsec-attributes
 pre-shared-key *
tunnel-group PHVPN type ipsec-ra
tunnel-group PHVPN general-attributes
 address-pool PHVPNpool
 default-group-policy PHVPN
tunnel-group PHVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map  parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d0a662b45ab02d2978a1370020912c13
: end
xxx#



Pete Long (United Kingdom):

Also make sure to have different ACLs for the 'nat (inside) 0' and for the site-to-site tunnel. Using the same ACL will sorta work, sometimes, but causes problems. Create a new ACL for the NAT 0 config, even if it's the exact same as before, and make sure to remove the reference to the site-to-site ACL.
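An added example (my own, not code from the thread or from Experts Exchange) that checks a pasted ASA 7.x config for the two ACL problems visible in the question: one ACL (REMOTE_SITE in the posted config) driving both `nat (inside) 0` and the crypto map, which is Pete Long's point, and a crypto-map ACE whose destination covers the remote-access pool (the posted `permit ip any 192.168.168.0 255.255.255.240` against PHVPNpool), which makes the ASA treat inside hosts' replies to VPN clients as interesting traffic for the site-to-site tunnel instead of sending them back through the client SA. SAMPLE_CONFIG is constructed from the lines the asker posted; FIXED_CONFIG is my illustration of the split layout and is not the accepted answer, which is not visible on this page. Only `permit ip` ACEs, `ip local pool`, `nat (...) 0 access-list` and `crypto map ... match address` lines are parsed.

```python
# Added example for this thread (mine, not the asker's or Experts Exchange's code):
# flag the ACL problems that break remote-access VPN on an ASA 7.x config.
# Only 'access-list NAME extended permit ip SRC DST', 'ip local pool',
# 'nat (IF) 0 access-list NAME' and 'crypto map MAP SEQ match address NAME' are parsed.
import ipaddress
import re

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")

# Constructed sample: the VPN-relevant lines from the config as first posted.
SAMPLE_CONFIG = """\
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list REMOTE_SITE extended permit ip any 192.168.168.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
ip local pool PHVPNpool 192.168.168.1-192.168.168.10 mask 255.255.255.0
nat (inside) 0 access-list REMOTE_SITE
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
"""

# Constructed illustration of the split layout (my own, not the thread's accepted answer):
# nat 0 gets its own ACL covering the remote LAN and the VPN pool; the crypto ACL
# names only the real site-to-site networks.
FIXED_CONFIG = """\
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.240
ip local pool PHVPNpool 192.168.168.1-192.168.168.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
"""


def _take_addr(tokens):
    """Pop one ASA address spec ('any', 'host A.B.C.D' or 'A.B.C.D MASK') off tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def _overlaps(net, lo, hi):
    """True if the address range lo..hi shares at least one address with net."""
    return net.network_address <= hi and net.broadcast_address >= lo


def parse_config(text):
    acls = {}    # ACL name -> [(src_net, dst_net)]
    pools = {}   # pool name -> (first, last)
    nat0 = {}    # interface -> ACL name used for NAT exemption
    crypto = {}  # "MAP SEQ" -> ACL name used as crypto match address
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            toks = m.group(2).split()
            try:
                src, dst = _take_addr(toks), _take_addr(toks)
            except (IndexError, ValueError):
                continue  # object-groups and other forms are out of scope here
            acls.setdefault(m.group(1), []).append((src, dst))
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := NAT0_RE.match(line):
            nat0[m.group(1)] = m.group(2)
        elif m := CRYPTO_RE.match(line):
            crypto[f"{m.group(1)} {m.group(2)}"] = m.group(3)
    return {"acls": acls, "pools": pools, "nat0": nat0, "crypto": crypto}


def audit(text):
    """Return one finding per VPN-breaking ACL problem; an empty list means clean."""
    cfg = parse_config(text)
    findings = []
    crypto_acls = set(cfg["crypto"].values())
    # 1. One ACL driving both NAT exemption and a crypto map.
    for iface, acl in cfg["nat0"].items():
        if acl in crypto_acls:
            findings.append(f"ACL {acl} is used by both 'nat ({iface}) 0' and a crypto map; "
                            f"give nat 0 its own ACL")
    # 2. Crypto-map ACE whose destination covers a remote-access pool: the ASA
    #    will try to bring up the site-to-site SA for inside->client replies.
    for key, acl in cfg["crypto"].items():
        for src, dst in cfg["acls"].get(acl, []):
            for pool, (lo, hi) in cfg["pools"].items():
                if _overlaps(dst, lo, hi):
                    findings.append(f"crypto map {key} ACL {acl} ACE {src} -> {dst} overlaps VPN pool "
                                    f"{pool} ({lo}-{hi}); remove the pool from the crypto ACL")
    # 3. Pool not exempted from NAT at all: replies to clients would be PATed outbound.
    for pool, (lo, hi) in cfg["pools"].items():
        exempt = any(_overlaps(dst, lo, hi)
                     for acl in cfg["nat0"].values()
                     for _, dst in cfg["acls"].get(acl, []))
        if not exempt:
            findings.append(f"VPN pool {pool} ({lo}-{hi}) is not covered by any nat 0 ACL; "
                            f"inside hosts' replies to clients will be NATed")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("split ACLs", FIXED_CONFIG)):
        print(f"== {label}")
        for f in audit(cfg) or ["no findings"]:
            print("  " + f)
```

Run against `show running-config` output saved to a file by calling `audit(open(path).read())`; the posted config produces two findings (shared ACL, pool inside the crypto ACL) and the split layout produces none. The third check catches the opposite mistake, a pool that is in no `nat 0` ACL at all, which is the other common reason clients connect but cannot reach inside hosts.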
thombie (ASKER):
It's still not working. I am getting this error in the firewall log:
IKE Initiator unable to find policy intf outside, src 192.168.1.2 dst 192.168.168.1
SOLUTION by gavving (United States)
[This solution is only available to Experts Exchange members.]
thombie (ASKER):
I have reposted the code below.
: Saved
:
ASA Version 7.2(4) 
!
hostname PH-SAV-FW
domain-name pilcherhershman.co.uk
enable password HB13YlevMtUcL7F2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 89.145.200.50 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 speed 100
 duplex full
!
ftp mode passive
dns server-group DefaultDNS
 domain-name pilcherhershman.co.uk
access-list inside_access_in remark any TCP out bound
access-list inside_access_in extended permit tcp any any 
access-list inside_access_in extended permit icmp any any 
access-list inside_access_in extended permit udp any any 
access-list inside_access_in extended permit ip any any 
access-list outside_access_in extended permit tcp any any 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in remark Mail In Bound to  SBS server
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq smtp 
access-list outside_access_in remark RDP to Database  server
access-list outside_access_in extended permit tcp any host 192.168.1.3 eq 3389 
access-list outside_access_in remark OWA https inbound
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq https 
access-list outside_access_in remark Interwebsite access
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq www 
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list REMOTE_SITE extended permit ip any 192.168.168.0 255.255.255.240 
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 
access-list outside_nat0_outbound extended permit ip 192.168.168.0 255.255.255.0 any 
access-list Local_LAN_Access remark VPN Client Local Lan Access
access-list Local_LAN_Access standard permit 192.168.1.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool PHVPNpool 192.168.168.1-192.168.168.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list REMOTE_SITE
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound outside
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface 987 192.168.1.2 987 netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255 
static (inside,inside) tcp interface www 192.168.1.2 www netmask 255.255.255.255 
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255 
static (inside,outside) udp interface 47 192.168.1.2 47 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 89.145.200.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 94.30.92.58 
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0

group-policy PHVPN internal
group-policy PHVPN attributes
 banner value Your are now Logged on the PH local nertwork
 wins-server value 192.168.1.2
 dns-server value 192.168.1.2
 dhcp-network-scope none
 split-tunnel-policy excludespecified
 split-tunnel-network-list none
 default-domain value pilcherhershman.local
 address-pools value PHVPNpool
username Tedb password hS6lM92APzTCqATf encrypted
username Tedb attributes
 vpn-group-policy PHVPN
 vpn-tunnel-protocol IPSec l2tp-ipsec 
username admin password F0PP8wPBs1vO0gqV encrypted
tunnel-group 94.30.92.58 type ipsec-l2l
tunnel-group 94.30.92.58 ipsec-attributes
 pre-shared-key *
tunnel-group PHVPN type ipsec-ra
tunnel-group PHVPN general-attributes
 address-pool PHVPNpool
 default-group-policy PHVPN
tunnel-group PHVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect pptp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:f22b232eae598d365caf310b90f9b4c8
: end

ASKER CERTIFIED SOLUTION
[This solution is only available to Experts Exchange members.]
thombie (ASKER):
I am away for Easter; I will do the config next week and let you know.
thombie (ASKER):
Good, that worked.