smccurnin asked:
Trouble configuring ASA 5505 for VPN access, unable to get ICMP Reply from outside, etc.

I have an ASA 5505 that was recently moved from one physical site to another.  I am having trouble getting VPN access to work, and am also unable to get ICMP replies.  Internet and all other access from inside the network is fine.  Any help would be greatly appreciated!  Here is my current config (I am sure there is much garbage in there that doesn't need to be, as I have been kind of stabbing around hoping I'd hit the problem on the head - instead I feel like my head on the wall!)

Result of the command: "sh run"

: Saved
:
ASA Version 8.0(2)
!
hostname PINNACLE-ASA
domain-name pinnacle.local
enable password Vcn8uAzrKx1tjbpj encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.12.75.135 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.210.142.233 255.255.255.240
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 10.0.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd Vcn8uAzrKx1tjbpj encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name pinnacle.local
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_1
 network-object 0.0.0.0 0.0.0.0
 network-object 65.210.142.224 255.255.255.240
access-list Pinnacle_splitTunnelAcl standard permit 10.12.75.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 0.0.0.0 host 0.0.0.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
access-list outside_access_in remark Email Server
access-list outside_access_in extended permit tcp any 65.21.142.224 255.255.255.240 eq smtp
access-list outside_access_in remark OWAs
access-list outside_access_in extended permit tcp any 65.21.142.224 255.255.255.240 eq https
access-list outside_access_in remark OWA
access-list outside_access_in extended permit tcp any 65.21.142.224 255.255.255.240 eq www
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any host 24.75.66.181 eq 3389 inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 65.210.142.233
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list from_outside extended permit icmp any any echo
access-list from_outside extended permit ip any any
access-list Pinnacle2_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 10.12.75.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool1 192.168.0.100-192.168.0.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.12.75.0 255.255.255.0
static (inside,outside) interface 0.0.0.0 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 65.210.142.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 network-acl from_outside
 network-acl outside_access_in
http server enable
http 10.12.75.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 10.12.75.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 30

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect http
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 split-dns value pinnacle.local
group-policy Pinnacle internal
group-policy Pinnacle attributes
 wins-server value 10.12.75.5
 dns-server value 10.12.75.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Pinnacle_splitTunnelAcl
 default-domain value pinnacle.local

tunnel-group Pinnacle type remote-access
tunnel-group Pinnacle general-attributes
 address-pool vpnpool1
 default-group-policy Pinnacle
tunnel-group Pinnacle ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:72a50e5398f59962502549ec05e21364
: end
SOLUTION
Les Moore
This solution is only available to members.
alisafia:

Just fire up the ASDM; it is easier to do a few things with the GUI in Cisco.
And yes, remove the static entry first.
ASKER CERTIFIED SOLUTION
This solution is only available to members.

smccurnin (ASKER):
Routerdude, I really appreciate your help with this.  I made the changes you suggested, but no different result.  I saved the changes to flash and reloaded the device.

Here are the events logged on the ASA during an attempt to VPN:
6      Apr 15 2010      03:49:32      110003      98.140.60.37      0.0.0.0       Routing failed to locate next hop for UDP from outside:98.140.60.37/61935 to inside:0.0.0.0/500

And here are the events logged when I try to ping the device from outside:
6      Apr 15 2010      03:52:45      110003      98.140.60.37      0.0.0.0       Routing failed to locate next hop for ICMP from outside:98.140.60.37/1 to inside:0.0.0.0/0

6      Apr 15 2010      03:52:49      302021      98.140.60.37      0.0.0.0       Teardown ICMP connection for faddr 98.140.60.37/1 gaddr 65.210.142.233/0 laddr 0.0.0.0/0

And here is the config after I made your changes (I only excluded the users section):

Result of the command: "sh run"

: Saved
:
ASA Version 8.0(2)
!
hostname PINNACLE-ASA
domain-name pinnacle.local
enable password Vcn8uAzrKx1tjbpj encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.12.75.135 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.210.142.233 255.255.255.240
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 10.0.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd Vcn8uAzrKx1tjbpj encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name pinnacle.local
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_1
 network-object 0.0.0.0 0.0.0.0
 network-object 65.210.142.224 255.255.255.240
access-list Pinnacle_splitTunnelAcl standard permit 10.12.75.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.12.75.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in remark Email Server
access-list outside_access_in extended permit tcp any 65.21.142.224 255.255.255.240 eq smtp
access-list outside_access_in remark OWAs
access-list outside_access_in extended permit tcp any 65.21.142.224 255.255.255.240 eq https
access-list outside_access_in remark OWA
access-list outside_access_in extended permit tcp any 65.21.142.224 255.255.255.240 eq www
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any host 24.75.66.181 eq 3389 inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 65.210.142.233
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list from_outside extended permit icmp any any echo
access-list from_outside extended permit ip any any
access-list Pinnacle2_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 10.12.75.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool1 192.168.0.100-192.168.0.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.12.75.0 255.255.255.0
static (inside,outside) interface 0.0.0.0 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 65.210.142.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 network-acl from_outside
 network-acl outside_access_in
http server enable
http 10.12.75.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet 10.12.75.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 30

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect http
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 split-dns value pinnacle.local
group-policy Pinnacle internal
group-policy Pinnacle attributes
 wins-server value 10.12.75.5
 dns-server value 10.12.75.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Pinnacle_splitTunnelAcl
 default-domain value pinnacle.local
tunnel-group Pinnacle type remote-access
tunnel-group Pinnacle general-attributes
 address-pool vpnpool1
 default-group-policy Pinnacle
tunnel-group Pinnacle ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:d7eb2558e2619facee16501fabb4d490
: end


Thanks again for everyone's help.

You still need to remove this line as suggested by lmoore:

static (inside,outside) interface 0.0.0.0 netmask 255.255.255.255

After you do that, do a show route and post it.

Okay, looks like we're making progress, but not quite there yet.

After removing the static line, I am able to establish the VPN connection and receive ping replies from the outside interface of the ASA.  However, once VPN connected, I am unable to remote desktop to the servers inside the network.  I also am not getting ping replies when I ping the names or IP addresses of the internal devices.

Here is the result of the Show Route command:
Result of the command: "show route"

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 65.210.142.225 to network 0.0.0.0

C    65.210.142.224 255.255.255.240 is directly connected, outside
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.12.75.0 255.255.255.0 is directly connected, inside
S    192.168.0.100 255.255.255.255 [1/0] via 65.210.142.225, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 65.210.142.225, outside

Once again, thanks!

You still need to nonat the internal to VPN networks:
access-list NoNat extended permit ip 10.12.75.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (inside) 0 access-list NoNat
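As an added example (not from this thread, the hidden answers, or Cisco), here is a small Python checker that reads an ASA 8.0-style running config and flags the three things this thread turned on: the 'static (inside,outside) interface 0.0.0.0' entry behind the 110003 'Routing failed to locate next hop ... to inside:0.0.0.0' messages, the missing nat 0 exemption for inside-to-VPN-pool traffic from the last answer, and NAT traversal being disabled (the first posted config had 'no crypto isakmp nat-traversal'; the second turned it on). The function names, finding codes and the trimmed sample configs are my own constructions that mirror the posted 'sh run' output; the parser only understands the ACL and interface forms that appear in the thread.

```python
"""Added example, not from the thread or from Cisco: a checker for an ASA 8.0-style
running config that flags the three conditions discussed in the thread.  Function
names, finding codes and the sample configs are my own constructions."""
import ipaddress
import re


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _take_addr(toks):
    """Consume one ACL address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK'."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return _net(toks[0], toks[1]), toks[2:]


def parse_acls(lines):
    """name -> [(src_net, dst_net)] for 'access-list NAME extended permit ip SRC DST'."""
    acls, pat = {}, re.compile(r"^access-list (\S+) extended permit ip (.+)$")
    for line in lines:
        m = pat.match(line)
        if m:
            src, rest = _take_addr(m.group(2).split())
            dst, _ = _take_addr(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def parse_interfaces(lines):
    """nameif -> connected network, taken from the 'interface ...' blocks."""
    nets, name, net = {}, None, None
    for line in lines + ["!"]:              # sentinel flushes the last block
        if line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address "):
            _, _, addr, mask = line.split()
            net = _net(addr, mask)
        elif not line.startswith(" "):      # any top-level command ends a block
            if name and net:
                nets[name] = net
            name = net = None
    return nets


def check_config(cfg_text):
    """Return [(code, detail)] findings; an empty list means all three checks pass."""
    lines = [l.rstrip() for l in cfg_text.splitlines()]
    findings = []

    # 1. 'static (inside,outside) interface 0.0.0.0 ...' maps every packet addressed
    #    to the outside interface IP onto inside host 0.0.0.0, so IKE (udp/500) and
    #    ICMP meant for the firewall itself are forwarded instead of terminated.
    #    That is the 110003 'next hop ... to inside:0.0.0.0' message in the thread.
    for line in lines:
        if re.match(r"^static \(\S+,\S+\) interface 0\.0\.0\.0\b", line):
            findings.append(("static-to-0.0.0.0", line))

    # 2. Inside -> VPN-pool traffic must be exempted from NAT ('nat (inside) 0' plus
    #    an ACL); otherwise replies to VPN clients are PAT'ed out the outside interface.
    inside = parse_interfaces(lines).get("inside")
    pools = {m.group(1): _net(m.group(2), m.group(3))
             for line in lines
             for m in [re.match(r"^ip local pool (\S+) (\S+)-\S+ mask (\S+)", line)] if m}
    acls = parse_acls(lines)
    nat0_names = re.findall(r"^nat \(inside\) 0 access-list (\S+)", cfg_text, re.M)
    exempt = [entry for name in nat0_names for entry in acls.get(name, [])]
    for pname, pool in pools.items():
        if inside and not any(inside.subnet_of(s) and pool.subnet_of(d) for s, d in exempt):
            findings.append(("nat0-missing", f"no nat 0 exemption {inside} -> {pool} ({pname})"))

    # 3. Remote-access IPsec clients sitting behind a home NAT need NAT traversal.
    if "no crypto isakmp nat-traversal" in lines:
        findings.append(("nat-t-disabled", "no crypto isakmp nat-traversal"))
    return findings


# Constructed sample configs, cut down from the thread's three stages.
_COMMON = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.12.75.135 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.210.142.233 255.255.255.240
!
ip local pool vpnpool1 192.168.0.100-192.168.0.200 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 10.12.75.0 255.255.255.0
crypto isakmp nat-traversal 30
"""
CONFIG_ORIGINAL = _COMMON.replace("crypto isakmp nat-traversal 30",
                                  "no crypto isakmp nat-traversal") + """\
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) interface 0.0.0.0 netmask 255.255.255.255
"""
CONFIG_STATIC_REMOVED = _COMMON          # static gone, but so is the nat 0 exemption
CONFIG_FIXED = _COMMON + """\
access-list NoNat extended permit ip 10.12.75.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NoNat
"""

if __name__ == "__main__":
    for label, cfg in [("original", CONFIG_ORIGINAL),
                       ("static removed", CONFIG_STATIC_REMOVED),
                       ("fixed", CONFIG_FIXED)]:
        print(label, "->", check_config(cfg) or "OK")
```

Run against the three constructed stages it reports the static entry (and disabled NAT-T) for the first, only the missing nat 0 exemption for the second, and nothing for the last, which is the order in which the thread actually got the VPN working.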

RouterDude, you are the SHIZZIT!!!  It's all good now, thanks so much for getting me through this!

You're welcome, glad to help. I've been there, done that, have the scars to prove it! :)