thombie
asked on
Cisco ASA remote access and site to site
I am trying to set up an ASA 5505 for client VPN and site-to-site VPN.
I have fixed the site-to-site part and that works fine. I can log in to the network from my VPN client, but I cannot access network services; I cannot ping the internal servers.
Here is my config listing. Can anybody spot what I am doing wrong?
l
:
ASA Version 7.2(4)
!
hostname xxxx
domain-name xxx.co.uk
! NOTE(review): the password hashes below are visible in this public post; treat them as exposed
! and change the enable, passwd and username passwords on the device.
enable password HB13YlevMtUcL7F2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 89.x.x.x 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
speed 100
duplex full
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxx.co.uk
! NOTE(review): inside_access_in permits all outbound traffic (no egress filtering).
access-list inside_access_in remark any TCP out bound
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
! NOTE(review): "permit tcp any any" / "permit icmp any any" are applied inbound on outside
! (access-group below), so every port exposed by a static translation is reachable from any
! Internet address (including 987 and pptp, which have no explicit permit) and the per-host
! entries that follow are redundant. Reduce this to the specific host/port entries.
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark Mail In Bound to SBS server
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq smtp
access-list outside_access_in remark RDP to Database server
access-list outside_access_in extended permit tcp any host 192.168.1.3 eq 3389
access-list outside_access_in remark OWA https inbound
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq https
access-list outside_access_in remark Interwebsite access
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq www
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
! NOTE(review): REMOTE_SITE is both the crypto-map match ACL for the site-to-site peer (OUTSIDE_MAP 20)
! and the NAT-0 exemption list (nat (inside) 0 below). The two entries for 192.168.168.0 (the VPN
! client pool) make inside-to-client traffic match the static L2L crypto map entry before the dynamic
! one. Keep REMOTE_SITE to the 192.168.1.0/24 <-> 192.168.3.0/24 pair and put the pool exemption in a
! separate NAT-0 ACL. The /28 and /24 masks used for the pool here are also inconsistent with each other
! and with the /24 pool mask further down.
access-list REMOTE_SITE extended permit ip any 192.168.168.0 255.255.255.240
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0
! NOTE(review): defined but not referenced anywhere (nat (inside) 0 uses REMOTE_SITE instead).
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Local_LAN_Access remark VPN Client Local Lan Access
! NOTE(review): with split-tunnel-policy excludespecified (group-policy PHVPN below) this list names
! the destinations that do NOT enter the tunnel; "permit any" excludes everything, so the client
! connects but sends no traffic through the VPN -- consistent with not being able to reach the
! internal servers. Use split-tunnel-policy tunnelspecified with an ACL of the inside networks, or
! tunnelall.
access-list Local_LAN_Access standard permit any
pager lines 24
logging enable
! NOTE(review): logs are only delivered to ASDM; consider a syslog host so IKE/VPN events are kept off-box.
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool PHVPNpool 192.168.168.1-192.168.168.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
! NOTE(review): NAT exemption shares the crypto-map ACL; use a dedicated ACL (see REMOTE_SITE note).
nat (inside) 0 access-list REMOTE_SITE
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.1.2 987 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
! NOTE(review): interface pair is (inside,inside), unlike the other statics -- looks like a typo for
! (inside,outside); as written there is no outside translation behind the www permit above.
static (inside,inside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255
! NOTE(review): PPTP's GRE tunnel is IP protocol 47, not UDP port 47, so this translation does not
! carry it (inspect pptp in global_policy is what handles GRE). PPTP is a weak remote-access protocol;
! prefer the IPsec client access configured in this file.
static (inside,outside) udp interface 47 192.168.1.2 47 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 89.145.200.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
! NOTE(review): ASDM/HTTPS management is open to every Internet address (same for ssh below).
! Restrict both to the administrators' addresses, or to the VPN pool
! (e.g. "http 192.168.168.0 255.255.255.0 outside") so management only happens over the tunnel.
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! NOTE(review): DH group 1 (768-bit) for PFS/IKE and 3DES for the client transform set are weak by
! current standards; use group 2 or stronger and the AES transform set where the peers support it.
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 94.30.92.58
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 1
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
! NOTE(review): SSH open to any Internet address; restrict as for http above.
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
group-policy PHVPN internal
group-policy PHVPN attributes
banner value Your are now Logged on the PH local nertwork
wins-server value 192.168.1.2
dns-server value 192.168.1.2
dhcp-network-scope none
! NOTE(review): excludespecified + Local_LAN_Access "permit any" keeps all client traffic out of the tunnel.
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
default-domain value xxxx.local
address-pools value PHVPNpool
username Tedb password hS6lM92APzTCqATf encrypted
username Tedb attributes
vpn-group-policy PHVPN
vpn-tunnel-protocol IPSec l2tp-ipsec
username admin password F0PP8wPBs1vO0gqV encrypted
tunnel-group 94.30.92.58 type ipsec-l2l
tunnel-group 94.30.92.58 ipsec-attributes
pre-shared-key *
tunnel-group PHVPN type ipsec-ra
tunnel-group PHVPN general-attributes
address-pool PHVPNpool
default-group-policy PHVPN
tunnel-group PHVPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d0a662b45ab 02d2978a13 70020912c1 3
: end
xxx#
I have fixed the site-to-site part and that works fine. I can log in to the network from my VPN client, but I cannot access network services; I cannot ping the internal servers.
Here is my config listing. Can anybody spot what I am doing wrong?
l
:
ASA Version 7.2(4)
!
! NOTE(review): second, partial rendering of the same listing; the middle of the configuration
! (from the "ip local pool" line up to the class-map section) is cut off in the post.
hostname xxxx
domain-name xxx.co.uk
! NOTE(review): password hashes are visible in this public post; treat them as exposed and rotate them.
enable password HB13YlevMtUcL7F2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 89.x.x.x 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
speed 100
duplex full
!
ftp mode passive
dns server-group DefaultDNS
domain-name xxxx.co.uk
access-list inside_access_in remark any TCP out bound
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
! NOTE(review): "permit tcp any any" / "permit icmp any any" inbound on outside make the specific
! host/port permits below redundant and expose every statically translated port to any Internet
! address. Reduce to the specific entries.
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark Mail In Bound to SBS server
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq smtp
access-list outside_access_in remark RDP to Database server
access-list outside_access_in extended permit tcp any host 192.168.1.3 eq 3389
access-list outside_access_in remark OWA https inbound
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq https
access-list outside_access_in remark Interwebsite access
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq www
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
! NOTE(review): the VPN client pool entries below share the site-to-site crypto-map ACL; they belong in a
! separate NAT-0 exemption ACL, and the /28 and /24 masks for the pool are inconsistent.
access-list REMOTE_SITE extended permit ip any 192.168.168.0 255.255.255.240
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list Local_LAN_Access remark VPN Client Local Lan Access
! NOTE(review): used with split-tunnel-policy excludespecified, "permit any" excludes every destination
! from the tunnel, so the client connects but sends nothing through the VPN.
access-list Local_LAN_Access standard permit any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
! NOTE(review): line truncated in the post; the complete repost reads "192.168.168.1-192.168.168.10 mask 255.255.255.0".
ip local pool PHVPNpool 192.168.168.1-192.168.168.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d0a662b45ab
: end
xxx#
http://www.petenetlive.com/KB/Article/0000199.htm
Also make sure to use different ACLs for the 'nat (inside) 0' statement and for the site-to-site tunnel's crypto map. Using the same ACL will sort of work, sometimes, but causes problems. Create a new ACL for the NAT 0 config, even if it is exactly the same as before, and make sure to remove the reference to the site-to-site ACL.
ASKER
It's still not working; I am getting this error in the firewall log:
IKE Initiator unable to find policy intf outside, src 192.168.1.2 dst 192.168.168.1
IKE Initiator unable to find policy intf outside, src 192.168.1.2 dst 192.168.168.1
ASKER
I have re-posted the config below.
: Saved
:
ASA Version 7.2(4)
!
! NOTE(review): unlike the first post, this repost includes the real hostname, domain, public
! addresses and password hashes. Treat the enable, passwd and username credentials as exposed and
! change them on the device.
hostname PH-SAV-FW
domain-name pilcherhershman.co.uk
enable password HB13YlevMtUcL7F2 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 89.145.200.50 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
speed 100
duplex full
!
ftp mode passive
dns server-group DefaultDNS
domain-name pilcherhershman.co.uk
! NOTE(review): inside_access_in permits all outbound traffic (no egress filtering).
access-list inside_access_in remark any TCP out bound
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit ip any any
! NOTE(review): "permit tcp any any" / "permit icmp any any" are applied inbound on outside
! (access-group below), so every port exposed by a static translation is reachable from any
! Internet address (including 987 and pptp, which have no explicit permit) and the per-host
! entries that follow are redundant. Reduce this to the specific host/port entries.
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in remark Mail In Bound to SBS server
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq smtp
access-list outside_access_in remark RDP to Database server
access-list outside_access_in extended permit tcp any host 192.168.1.3 eq 3389
access-list outside_access_in remark OWA https inbound
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq https
access-list outside_access_in remark Interwebsite access
access-list outside_access_in extended permit tcp any host 192.168.1.2 eq www
access-list REMOTE_SITE extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
! NOTE(review): REMOTE_SITE is the match ACL of crypto map OUTSIDE_MAP 20 (the site-to-site peer) and
! also the NAT-0 list (nat (inside) 0 below). Because of this entry, traffic from an inside host to a
! VPN client address (e.g. 192.168.1.2 -> 192.168.168.1) matches the static L2L entry (seq 20) before
! the dynamic entry (seq 65535); that is the likely origin of the "IKE Initiator unable to find policy"
! messages quoted above. Keep REMOTE_SITE to the 192.168.1.0/24 <-> 192.168.3.0/24 pair and move the
! client-pool exemption to a dedicated NAT-0 ACL (inside_nat0_outbound below exists but is unused).
! The /28 mask here also differs from the /24 pool mask and from outside_nat0_outbound.
access-list REMOTE_SITE extended permit ip any 192.168.168.0 255.255.255.240
! NOTE(review): defined but not referenced anywhere (nat (inside) 0 uses REMOTE_SITE instead).
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip 192.168.168.0 255.255.255.0 any
access-list Local_LAN_Access remark VPN Client Local Lan Access
! NOTE(review): currently unreferenced (split-tunnel-network-list none below). With split-tunnel-policy
! excludespecified, a list applied here names destinations that BYPASS the tunnel, so referencing this
! entry would exclude the inside LAN itself and cut clients off again. If split tunnelling is wanted,
! use tunnelspecified with an ACL listing the inside networks instead.
access-list Local_LAN_Access standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
! NOTE(review): logs are only delivered to ASDM; consider a syslog host so IKE/VPN events are kept off-box.
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool PHVPNpool 192.168.168.1-192.168.168.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
! NOTE(review): NAT exemption still shares the crypto-map ACL; use a dedicated ACL (see REMOTE_SITE note).
nat (inside) 0 access-list REMOTE_SITE
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound outside
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.1.2 987 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.2 https netmask 255.255.255.255
! NOTE(review): interface pair is (inside,inside), unlike the other statics -- looks like a typo for
! (inside,outside); as written there is no outside translation behind the www permit above.
static (inside,inside) tcp interface www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.2 pptp netmask 255.255.255.255
! NOTE(review): PPTP's GRE tunnel is IP protocol 47, not UDP port 47, so this translation does not
! carry it (inspect pptp in global_policy is what handles GRE). PPTP is a weak remote-access protocol;
! prefer the IPsec client access configured in this file.
static (inside,outside) udp interface 47 192.168.1.2 47 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 89.145.200.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
! NOTE(review): ASDM/HTTPS management is open to every Internet address (same for ssh below).
! Restrict both to the administrators' addresses, or to the VPN pool
! (e.g. "http 192.168.168.0 255.255.255.0 outside") so management only happens over the tunnel.
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! NOTE(review): DH group 1 (768-bit) for PFS/IKE and 3DES for the client transform set are weak by
! current standards; use group 2 or stronger and the AES transform set where the peers support it.
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 94.30.92.58
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map OUTSIDE_MAP interface outside
! NOTE(review): IKE is enabled on the inside interface, but both tunnels terminate on outside
! (crypto map applied there only); remove this unless inside-side IKE is intended.
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 1
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
! NOTE(review): SSH open to any Internet address; restrict as for http above.
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
group-policy PHVPN internal
group-policy PHVPN attributes
banner value Your are now Logged on the PH local nertwork
wins-server value 192.168.1.2
dns-server value 192.168.1.2
dhcp-network-scope none
! NOTE(review): excludespecified with no list means nothing is excluded, i.e. all client traffic is tunnelled.
split-tunnel-policy excludespecified
split-tunnel-network-list none
default-domain value pilcherhershman.local
address-pools value PHVPNpool
username Tedb password hS6lM92APzTCqATf encrypted
username Tedb attributes
vpn-group-policy PHVPN
vpn-tunnel-protocol IPSec l2tp-ipsec
username admin password F0PP8wPBs1vO0gqV encrypted
tunnel-group 94.30.92.58 type ipsec-l2l
tunnel-group 94.30.92.58 ipsec-attributes
pre-shared-key *
tunnel-group PHVPN type ipsec-ra
tunnel-group PHVPN general-attributes
address-pool PHVPNpool
default-group-policy PHVPN
tunnel-group PHVPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f22b232eae598d365caf310b90f9b4c8
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
ASKER
I am away for Easter; I will do the config next week and let you know.
ASKER
Good, that worked.