Question: Cisco ASA, Site to Site and Client VPN Connections

Matthew Galiano (United States of America) asked on
Tags: VPN, Hardware Firewalls, Cisco
3 Comments, 1 Solution, 554 Views
I have a Cisco ASA 5505. We had the Client VPN connection set up first, then we set up a site-to-site. Now the client VPN won't work. We can connect; however, we can't ping any IP or machine name. Attached is our config:
ASA Version 7.2(4)
!
hostname AIGASA
domain-name HQ
enable password clvHsSR0QwMVNd7D encrypted
passwd clvHsSR0QwMVNd7D encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.146 255.255.255.248
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name HQ
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any interface outside eq 5909 log
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any interface outside eq smtp log
access-list outside_access_in extended permit tcp any interface outside eq 8080 log
access-list outside_access_in extended permit tcp any interface outside eq https log
access-list outside_access_in extended permit tcp any interface outside eq www log
access-list outside_access_in extended permit tcp any interface outside eq 3389 log
access-list outside_access_in extended permit tcp any interface outside eq 4000 log
access-list outside_access_in extended permit tcp any interface outside eq 4001 log
access-list outside_access_in extended permit tcp any interface outside eq 4002 log
access-list outside_access_in extended permit tcp any interface outside eq 4003 log
access-list outside_access_in extended permit tcp any interface outside eq 4004 log
access-list outside_access_in extended permit tcp any interface outside eq 4005 log
access-list outside_access_in extended permit tcp any interface outside eq 4006 log
access-list outside_access_in extended permit tcp any interface outside eq 4010 log
access-list outside_access_out extended permit icmp any any
access-list RemoteVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list RemoteVPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 10.10.100.0 255.255.255.0
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemotePool 192.168.10.1-192.168.10.30 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 5909 192.168.1.10 5909 netmask 255.255.255.255
static (inside,outside) tcp interface 4002 192.168.1.200 4002 netmask 255.255.255.255
static (inside,outside) tcp interface 4003 192.168.1.201 4003 netmask 255.255.255.255
static (inside,outside) tcp interface 4000 192.168.1.10 4000 netmask 255.255.255.255
static (inside,outside) tcp interface 4001 192.168.1.11 4001 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.1.5 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 4004 192.168.1.202 4004 netmask 255.255.255.255
static (inside,outside) tcp interface 4005 192.168.1.203 4005 netmask 255.255.255.255
static (inside,outside) tcp interface 4006 192.168.1.204 4006 netmask 255.255.255.255
static (inside,outside) tcp interface 4010 192.168.1.205 4010 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.10.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set EFGI-Strong esp-3des esp-none
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Orl-LI 10 match address VPN
crypto map Orl-LI 10 set peer 96.57.1.115
crypto map Orl-LI 10 set transform-set EFGI-Strong
crypto map Orl-LI 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map Orl-LI interface outside
crypto isakmp enable outside
crypto isakmp policy 9
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 30
dhcpd auto_config outside
!

group-policy RemoteVPN internal
group-policy RemoteVPN attributes
 dns-server value 192.168.1.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteVPN_splitTunnelAcl
username TCIIT password ./BL0GBMVUah5z5f encrypted privilege 0
username TCIIT attributes
 vpn-group-policy RemoteVPN
tunnel-group 2.2.2.115 type ipsec-l2l
tunnel-group 2.2.2.115 ipsec-attributes
 pre-shared-key *
tunnel-group RemoteVPN type ipsec-ra
tunnel-group RemoteVPN general-attributes
 address-pool RemotePool
 default-group-policy RemoteVPN
tunnel-group RemoteVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
prompt hostname context
Cryptochecksum:328d304e36e7bb4231829b18141dd5d1
: end
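The accepted answer is not shown on this page. As an added diagnostic (not part of the original post or any expert's reply), the Python below parses the relevant lines of the posted config, embedded as a constructed excerpt, and flags one thing worth checking: the static crypto map entry `Orl-LI 10` matches on ACL `VPN`, which is also the NAT-exemption ACL and therefore includes the 192.168.10.0/24 remote-access pool. The ASA evaluates crypto map entries in sequence order, so inside-to-client traffic matching entry 10 is bound to the peer at 96.57.1.115 before the dynamic map at 65535 is consulted; the function and constant names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the config posted above (only the lines this check reads).
ASA_CONFIG = """\
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 10.10.100.0 255.255.255.0
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
ip local pool RemotePool 192.168.10.1-192.168.10.30 mask 255.255.255.0
nat (inside) 0 access-list VPN
crypto map Orl-LI 10 match address VPN
crypto map Orl-LI 65535 ipsec-isakmp dynamic outside_dyn_map
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse_asa(config):
    """Collect extended IP ACL entries, local address pools and static crypto map entries."""
    acls, pools, cmaps = {}, {}, []
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}")
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}")
            acls.setdefault(m[1], []).append((src, dst))
        elif m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := CMAP_RE.match(line):  # 'match address' only appears on static entries
            cmaps.append((m[1], int(m[2]), m[3]))
    return acls, pools, cmaps


def pool_captured_by_static_map(config):
    """Return (map, seq, acl, pool) for each static crypto map entry whose match ACL
    selects traffic destined to a remote-access address pool. Because the ASA walks
    crypto map entries in sequence order, such an entry wins over the dynamic map."""
    acls, pools, cmaps = parse_asa(config)
    findings = []
    for cmap, seq, acl in cmaps:
        for _src, dst in acls.get(acl, []):
            for pool, (low, high) in pools.items():
                if low in dst or high in dst:
                    findings.append((cmap, seq, acl, pool))
    return findings


if __name__ == "__main__":
    for cmap, seq, acl, pool in pool_captured_by_static_map(ASA_CONFIG):
        print(f"crypto map {cmap} {seq} (ACL {acl}) covers address pool {pool}")
```

Run against the full `show running-config` output to see whether the same overlap exists; a hit does not prove it is the cause, but it is the first thing to rule out when remote-access clients lose reachability right after a site-to-site tunnel is added.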