• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1752

Trouble configuring ASA 5505 for VPN access, unable to get ICMP Reply from outside, etc.

I have an ASA 5505 that was recently moved from one physical site to another. I am having trouble getting VPN access to work, and am also unable to get ICMP replies. Internet and all other access from inside the network is fine. Any help would be greatly appreciated! Here is my current config (I am sure there is much garbage in there that doesn't need to be, as I have been kind of stabbing around hoping I'd hit the problem on the head - instead I feel like my head on the wall!)

Result of the command: "sh run"

: Saved
:
ASA Version 8.0(2)
!
hostname PINNACLE-ASA
domain-name pinnacle.local
enable password Vcn8uAzrKx1tjbpj encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.12.75.135 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.210.142.233 255.255.255.240
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 10.0.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd Vcn8uAzrKx1tjbpj encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name pinnacle.local
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_1
 network-object 0.0.0.0 0.0.0.0
 network-object 65.210.142.224 255.255.255.240
access-list Pinnacle_splitTunnelAcl standard permit 10.12.75.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 0.0.0.0 host 0.0.0.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
access-list outside_access_in remark Email Server
access-list outside_access_in extended permit tcp any 65.21.142.224 255.255.255.240 eq smtp
access-list outside_access_in remark OWAs
access-list outside_access_in extended permit tcp any 65.21.142.224 255.255.255.240 eq https
access-list outside_access_in remark OWA
access-list outside_access_in extended permit tcp any 65.21.142.224 255.255.255.240 eq www
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any host 24.75.66.181 eq 3389 inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 65.210.142.233
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list from_outside extended permit icmp any any echo
access-list from_outside extended permit ip any any
access-list Pinnacle2_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 10.12.75.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool1 192.168.0.100-192.168.0.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.12.75.0 255.255.255.0
static (inside,outside) interface 0.0.0.0 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 65.210.142.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 network-acl from_outside
 network-acl outside_access_in
http server enable
http 10.12.75.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 10.12.75.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 30

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect http
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 split-dns value pinnacle.local
group-policy Pinnacle internal
group-policy Pinnacle attributes
 wins-server value 10.12.75.5
 dns-server value 10.12.75.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Pinnacle_splitTunnelAcl
 default-domain value pinnacle.local

tunnel-group Pinnacle type remote-access
tunnel-group Pinnacle general-attributes
 address-pool vpnpool1
 default-group-policy Pinnacle
tunnel-group Pinnacle ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:72a50e5398f59962502549ec05e21364
: end
Asked by: smccurnin

2 Solutions
 
lrmoore commented:
First, remove this static
>static (inside,outside) interface 0.0.0.0 netmask 255.255.255.255

And remove the acl from the interface:
 no access-group inside_access_in in interface inside

 
alisafia commented:
Just fire up the ASDM; it is easier to do a few things with the GUI in Cisco.
 
alisafia commented:
And yes, remove the static entry first.
 
RouterDude commented:
Remove these lines. You are telling the ASA to not NAT anything with the first one, and the second one is not very specific. You only need to no-NAT traffic sourced inside to the VPN IPs, and NAT all else.

access-list inside_nat0_outbound extended permit ip host 0.0.0.0 host 0.0.0.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0

Replace the second line with

access-list inside_nat0_outbound extended permit ip 10.12.75.0 255.255.255.0 192.168.0.0 255.255.255.0

Add icmp permit any inside; this may help with your pings over VPN.

As mentioned above, remove the inside access ACL and access-group, then you may want to reload the ASA afterwards to clear it. I have found on occasion that once you apply an access-group to an interface and then remove it, stuff stops working until you reload after writing.

Remove the following; it doesn't make sense having two identical policies for ISAKMP:

crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

And finally, turn NAT traversal on. This will set up the VPN for a NATted address and make things a bit easier for you in the future when someone is behind another firewall.

crypto isakmp nat-traversal 30


As to the other poster: he did use the ASDM; can't you tell by all the junk that was added? :) I find the ASDM a pain when configuring an ASA but very, very helpful when troubleshooting an issue. I can also tell when someone has used it when a previously clean configuration has 10 lines of unneeded crypto transform sets.

Like, WHOA. This isn't necessary!

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

You only need to use one transform set when using Cisco VPN clients: AES-256. If they can't connect, they should upgrade to the newest release so they can. It makes your job easier, and the connections more secure.

One last thing: drop the telnet and use SSH. Telnet is clear text, SSH is encrypted, and even though you are only accessing it internally, why take the chance?

Good luck, let us know if it worked.
 
smccurnin (Author) commented:
RouterDude, I really appreciate your help with this. I made the changes you suggested, but with no different result. I saved the changes to flash and reloaded the device.

Here are the events logged on the ASA during an attempt to VPN:
6      Apr 15 2010      03:49:32      110003      98.140.60.37      0.0.0.0       Routing failed to locate next hop for UDP from outside:98.140.60.37/61935 to inside:0.0.0.0/500

And here are the events logged when I try to ping the device from outside:
6      Apr 15 2010      03:52:45      110003      98.140.60.37      0.0.0.0       Routing failed to locate next hop for ICMP from outside:98.140.60.37/1 to inside:0.0.0.0/0

6      Apr 15 2010      03:52:49      302021      98.140.60.37      0.0.0.0       Teardown ICMP connection for faddr 98.140.60.37/1 gaddr 65.210.142.233/0 laddr 0.0.0.0/0

And here is the config after I made your changes (I only excluded the users section):

Result of the command: "sh run"

: Saved
:
ASA Version 8.0(2)
!
hostname PINNACLE-ASA
domain-name pinnacle.local
enable password Vcn8uAzrKx1tjbpj encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.12.75.135 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 65.210.142.233 255.255.255.240
!
interface Vlan5
 nameif dmz
 security-level 50
 ip address 10.0.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd Vcn8uAzrKx1tjbpj encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name pinnacle.local
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object tcp
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object icmp echo-reply
object-group network DM_INLINE_NETWORK_1
 network-object 0.0.0.0 0.0.0.0
 network-object 65.210.142.224 255.255.255.240
access-list Pinnacle_splitTunnelAcl standard permit 10.12.75.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.12.75.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_access_in remark Email Server
access-list outside_access_in extended permit tcp any 65.21.142.224 255.255.255.240 eq smtp
access-list outside_access_in remark OWAs
access-list outside_access_in extended permit tcp any 65.21.142.224 255.255.255.240 eq https
access-list outside_access_in remark OWA
access-list outside_access_in extended permit tcp any 65.21.142.224 255.255.255.240 eq www
access-list outside_access_in remark RDP
access-list outside_access_in extended permit tcp any host 24.75.66.181 eq 3389 inactive
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host 65.210.142.233
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any object-group DM_INLINE_NETWORK_1
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list from_outside extended permit icmp any any echo
access-list from_outside extended permit ip any any
access-list Pinnacle2_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 10.12.75.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool1 192.168.0.100-192.168.0.200 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 10.12.75.0 255.255.255.0
static (inside,outside) interface 0.0.0.0 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 65.210.142.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
 network-acl from_outside
 network-acl outside_access_in
http server enable
http 10.12.75.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet 10.12.75.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 30

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect http
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.0.0343-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 split-dns value pinnacle.local
group-policy Pinnacle internal
group-policy Pinnacle attributes
 wins-server value 10.12.75.5
 dns-server value 10.12.75.5
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Pinnacle_splitTunnelAcl
 default-domain value pinnacle.local
tunnel-group Pinnacle type remote-access
tunnel-group Pinnacle general-attributes
 address-pool vpnpool1
 default-group-policy Pinnacle
tunnel-group Pinnacle ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:d7eb2558e2619facee16501fabb4d490
: end


Thanks again for everyone's help.
 
RouterDude commented:
You still need to remove this line, as suggested by lrmoore:

static (inside,outside) interface 0.0.0.0 netmask 255.255.255.255

After you do that, do a show route and post it.
 
smccurnin (Author) commented:
Okay, looks like we're making progress, but not quite there yet.

After removing the static line, I am able to establish the VPN connection and receive ping replies from the outside interface of the ASA. However, once VPN connected, I am unable to remote desktop to the servers inside the network. I also am not getting ping replies when I ping the names or IP addresses of the internal devices.

Here is the result of the Show Route command:
Result of the command: "show route"

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 65.210.142.225 to network 0.0.0.0

C    65.210.142.224 255.255.255.240 is directly connected, outside
C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C    10.12.75.0 255.255.255.0 is directly connected, inside
S    192.168.0.100 255.255.255.255 [1/0] via 65.210.142.225, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 65.210.142.225, outside

Once again, thanks!
 
RouterDude commented:
You still need to no-NAT the internal to VPN networks.
access-list NoNat extended permit ip 10.12.75.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (inside) 0 access-list NoNat
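As an added example (not from the thread, and not Cisco's own tooling), a small Python lint that scans a pasted ASA 8.0-style show run for the three mistakes the replies above worked through: a static that maps the real host 0.0.0.0 to the outside interface, a NAT exemption that is missing or written with any / host 0.0.0.0 instead of inside-net to VPN pool, and NAT traversal switched off. The two config excerpts are constructed from the before and after configs in this thread; the regexes cover only the 8.0-era syntax shown here.

```python
"""Lint a Cisco ASA 8.0-style 'show run' for the VPN/NAT mistakes this thread hit."""
import ipaddress
import re

# Constructed excerpt modelled on the thread's first config (not a full show run).
BROKEN_CONFIG = """\
ip local pool vpnpool1 192.168.0.100-192.168.0.200 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 0.0.0.0 host 0.0.0.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.12.75.0 255.255.255.0
static (inside,outside) interface 0.0.0.0 netmask 255.255.255.255
no crypto isakmp nat-traversal
"""
# Constructed excerpt after the fixes the thread settled on.
FIXED_CONFIG = """\
ip local pool vpnpool1 192.168.0.100-192.168.0.200 mask 255.255.255.0
access-list NoNat extended permit ip 10.12.75.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list NoNat
nat (inside) 1 10.12.75.0 255.255.255.0
crypto isakmp nat-traversal 30
"""
ZERO = ipaddress.IPv4Address("0.0.0.0")
ACE = r"^access-list {} extended permit ip (host \S+|any|\S+ \S+) (host \S+|any|\S+ \S+)$"

def to_net(tok):
    """Turn an ACE address token ('any', 'host A', 'A MASK') into an IPv4Network."""
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok.startswith("host "):
        return ipaddress.ip_network(tok[5:] + "/32")
    return ipaddress.ip_network(tok.replace(" ", "/"), strict=False)

def lint(cfg):
    """Return a list of findings; an empty list means none of the thread's issues are present."""
    findings = []
    # 1. A static that translates the all-zeros real host. In the thread, syslog 110003
    #    ('failed to locate next hop ... to inside:0.0.0.0') went away once it was removed.
    for m in re.finditer(r"^static \(\S+\) (\S+) 0\.0\.0\.0 netmask \S+", cfg, re.M):
        findings.append(f"remove static mapping real host 0.0.0.0 to {m[1]}")
    # 2. NAT exemption must be inside-net -> VPN pool, not 'any' or 'host 0.0.0.0'.
    m = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)$", cfg, re.M)
    pool = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False) if m else None
    covered = False
    for acl in set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M)):
        for src, dst in re.findall(ACE.format(re.escape(acl)), cfg, re.M):
            s, d = to_net(src), to_net(dst)
            if s.network_address == ZERO or d.network_address == ZERO:
                findings.append(f"nat0 ACL {acl}: over-broad exemption '{src} -> {dst}'")
            elif pool and d.overlaps(pool):
                covered = True
    if pool and not covered:
        findings.append(f"no nat 0 exemption from an inside network to VPN pool {pool}")
    # 3. NAT-T off breaks clients that sit behind another NAT device.
    if re.search(r"^no crypto isakmp nat-traversal", cfg, re.M):
        findings.append("NAT traversal disabled; set 'crypto isakmp nat-traversal 30'")
    return findings
```

Running lint(BROKEN_CONFIG) reports five findings, and lint(FIXED_CONFIG) reports none.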
 
smccurnin (Author) commented:
RouterDude, you are the SHIZZIT!!! It's all good now, thanks so much for getting me through this!
 
RouterDude commented:
You're welcome, glad to help. I've been there, done that, have the scars to prove it! :)
Question has a verified solution.