blunted1
asked on
Cisco ASA VPN Probs
I'm having a problem getting my little 5505 to pass VPN traffic into my internal network. Currently I'm authenticating successfully with the ASA using a Win7 Cisco client (5.0.0.7.x) and the firewall rule shows permit for VPN-Clients in ADSM. My network is as follows:
- 69.x (Primary Internet)
- 65.x (Backup Internet T1)
- ASA - Both Internet Interfaces above and Internal 10.x network, which tosses to Our 3750 core switch (total of three active interfaces)
- Core 3750 switch routes all traffic out the ASA through a single connection 10.10.254.25x/30
So I'm connecting in through the primary internet connection using the 5.0.0.7.x client on Win7 x64 (I've even tried on an XP client before). The firewall rule is permitting me through the ASA, I'm getting an IP in the VPN Pool. I can't ping my router 10.10.20.1 (which should be the 3750 switch), but I figured ICMP may be disabled by default. I only have one nat rule in place and simple static routes on everything. I still can't reach anything, ssh, RDP, etc.
Where do I go from here? How do I get myself on the internal network for RDP purposes?
Thanks,
blunted1
- 69.x (Primary Internet)
- 65.x (Backup Internet T1)
- ASA - Both Internet Interfaces above and Internal 10.x network, which tosses to Our 3750 core switch (total of three active interfaces)
- Core 3750 switch routes all traffic out the ASA through a single connection 10.10.254.25x/30
So I'm connecting in through the primary internet connection using the 5.0.0.7.x client on Win7 x64 (I've even tried on an XP client before). The firewall rule is permitting me through the ASA, I'm getting an IP in the VPN Pool. I can't ping my router 10.10.20.1 (which should be the 3750 switch), but I figured ICMP may be disabled by default. I only have one nat rule in place and simple static routes on everything. I still can't reach anything, ssh, RDP, etc.
Where do I go from here? How do I get myself on the internal network for RDP purposes?
Thanks,
blunted1
ASKER
The config is as follows on the 5505... I'll follow up shortly with a quick diagram of the network. I'm very close, but close isn't good enough :-)
ASA Version 8.2(1)
!
hostname gatekeeper
domain-name XXXXXX.com
names
name 10.10.20.0 VPN-Clients
!
interface Vlan2
backup interface Vlan3
nameif outside-XXX
security-level 0
ip address 69.XXX.XXX.XXX 255.255.255.248
!
interface Vlan3
nameif outside-XXX
security-level 1
ip address 65.XXX.XXX.XXX 255.255.255.248
!
interface Vlan254
nameif inside
security-level 100
ip address 10.10.254.254 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 254
speed 100
duplex full
!
interface Ethernet0/2
switchport access vlan 3
speed 100
duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside-XXX
dns domain-lookup outside-XXX
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.10.10.5
domain-name XXXXXXX.com
access-list 10 standard permit 10.0.0.0 255.0.0.0
access-list 10 standard deny any
access-list inbound extended permit ip any any
access-list outside-XXX_access_in extended permit ip VPN-Clients 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside-XXX 1500
mtu outside-XXX 1500
mtu inside 1500
ip local pool XXX-VPN 10.10.20.2-10.10.20.20 mask 255.255.255.0
ip local pool 10.10.1.0/24 10.10.1.20-10.10.1.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside-XXX) 20 interface
global (outside-XXX) 10 interface
nat (inside) 20 0.0.0.0 0.0.0.0
access-group outside-XXX_access_in in interface outside-XXX
!
router eigrp 1
no auto-summary
network 10.0.0.0 255.0.0.0
network 65.XXX.XXX.XXX 255.255.255.252
!
route outside-XXX 0.0.0.0 0.0.0.0 69.XXX.XXX.XXX 1
route outside-XXX 0.0.0.0 0.0.0.0 65.XXX.XXX.XXX 20
route inside 10.0.0.0 255.0.0.0 10.10.254.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
network-acl outside-XXX_access_in
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 10.10.10.20 community XXXXX
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside-XXX_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-XXX_map interface outside-XXX
crypto map outside-XXX_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-XXX_map interface outside-XXX
crypto isakmp enable outside-XXX
crypto isakmp enable outside-XXX
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside-XXX
group-policy XXX-Remote internal
group-policy XXX-Remote attributes
wins-server value 10.10.10.5
dns-server value 10.10.10.5
vpn-tunnel-protocol IPSec svc webvpn
default-domain value XXXXXX.com
address-pools value XXX-VPN
tunnel-group XXX-Remote type remote-access
tunnel-group XXX-Remote general-attributes
address-pool XXX-VPN
default-group-policy XXX-Remote
tunnel-group XXX-Remote ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:df1c32460f4
: end
ASA Version 8.2(1)
!
hostname gatekeeper
domain-name XXXXXX.com
names
name 10.10.20.0 VPN-Clients
!
interface Vlan2
backup interface Vlan3
nameif outside-XXX
security-level 0
ip address 69.XXX.XXX.XXX 255.255.255.248
!
interface Vlan3
nameif outside-XXX
security-level 1
ip address 65.XXX.XXX.XXX 255.255.255.248
!
interface Vlan254
nameif inside
security-level 100
ip address 10.10.254.254 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 254
speed 100
duplex full
!
interface Ethernet0/2
switchport access vlan 3
speed 100
duplex full
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside-XXX
dns domain-lookup outside-XXX
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.10.10.5
domain-name XXXXXXX.com
access-list 10 standard permit 10.0.0.0 255.0.0.0
access-list 10 standard deny any
access-list inbound extended permit ip any any
access-list outside-XXX_access_in extended permit ip VPN-Clients 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu outside-XXX 1500
mtu outside-XXX 1500
mtu inside 1500
ip local pool XXX-VPN 10.10.20.2-10.10.20.20 mask 255.255.255.0
ip local pool 10.10.1.0/24 10.10.1.20-10.10.1.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
global (outside-XXX) 20 interface
global (outside-XXX) 10 interface
nat (inside) 20 0.0.0.0 0.0.0.0
access-group outside-XXX_access_in in interface outside-XXX
!
router eigrp 1
no auto-summary
network 10.0.0.0 255.0.0.0
network 65.XXX.XXX.XXX 255.255.255.252
!
route outside-XXX 0.0.0.0 0.0.0.0 69.XXX.XXX.XXX 1
route outside-XXX 0.0.0.0 0.0.0.0 65.XXX.XXX.XXX 20
route inside 10.0.0.0 255.0.0.0 10.10.254.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
network-acl outside-XXX_access_in
http server enable
http 0.0.0.0 0.0.0.0 inside
snmp-server host inside 10.10.10.20 community XXXXX
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside-XXX_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-XXX_map interface outside-XXX
crypto map outside-XXX_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-XXX_map interface outside-XXX
crypto isakmp enable outside-XXX
crypto isakmp enable outside-XXX
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside-XXX
group-policy XXX-Remote internal
group-policy XXX-Remote attributes
wins-server value 10.10.10.5
dns-server value 10.10.10.5
vpn-tunnel-protocol IPSec svc webvpn
default-domain value XXXXXX.com
address-pools value XXX-VPN
tunnel-group XXX-Remote type remote-access
tunnel-group XXX-Remote general-attributes
address-pool XXX-VPN
default-group-policy XXX-Remote
tunnel-group XXX-Remote ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:df1c32460f4
: end
ASKER
Here is a quick overview of the network in question. The VPN clients come in on 10.10.20.x and are unable to reach clients on 10.10.1.x/24 client subnet.
Where am I going wrong here?
Thanks,
blunted1
VPN-ASA-5505.jpg
Where am I going wrong here?
Thanks,
blunted1
VPN-ASA-5505.jpg
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Boilermaker85,
Ok, so let me get this straight...
1. I need the NoNAT statement for my 10.10.20.x network
2. I should remove the vlan for 10.10.20.x from my core switch, I can only ping the 10.10.20.1 when I have host plugged into a port that has that vlan anyway
3. Put a route in place on the ASA route inside 10.10.20.1 255.255.255.255 10.10.254.253 1, so I can ping the host.
4. Add the ICMP permit line to allow ping traffic.
Did I understand you correctly? The main thing I was missing was the NoNAT statement for traffic to flow properly, right?
Thanks,
blunted1
Ok, so let me get this straight...
1. I need the NoNAT statement for my 10.10.20.x network
2. I should remove the vlan for 10.10.20.x from my core switch, I can only ping the 10.10.20.1 when I have host plugged into a port that has that vlan anyway
3. Put a route in place on the ASA route inside 10.10.20.1 255.255.255.255 10.10.254.253 1, so I can ping the host.
4. Add the ICMP permit line to allow ping traffic.
Did I understand you correctly? The main thing I was missing was the NoNAT statement for traffic to flow properly, right?
Thanks,
blunted1
Whoops, let me retype that no nat rule:
nat (inside) 0 access-list nonat
nat (inside) 0 access-list nonat
right. and if you do your number 2, you dont need #3, cause now you'll probably be pinging 10.10.254.253 or one of the other vlan IP's
ASKER
I updated the config this afternoon and have been successfully connected for hours now. Works like a charm, thanks!
peace,
blunted1
peace,
blunted1
ASKER
Right on point
is VPN pool ip subnet routed in internal network...