Solved

Cisco ASA5505 Client VPN

Posted on 2010-11-25
Last Modified: 2012-05-10
Hi guys,

I am having some difficulty with a Cisco ASA VPN Client connection.

I configured the client VPN inbound to the ASA 5505 via the VPN wizard successfully and can connect to the ASA with the Cisco VPN client.

My problem is that we cannot reach the server inside. I've been scratching my head on this for a while and just can't see where it's falling down. Traffic just cannot traverse the ASA via the VPN.

The live logging says this (may be helpful):

3|Nov 25 2010|14:30:22|713042|||IKE Initiator unable to find policy: Intf outside, Src: 192.168.120.2, Dst: 192.168.121.1

And the full config :

_____________________
ASA Version 7.2(4)
!
hostname XXX
X
names
name 1.1.1.10 XX description XX RDP
name 2.2.2.2 party1 description 3rd Party Access
name 3.3.3.3 party2 description 3rd Party Access
name 4.4.4.4 party3 description 3rd party access
name 5.5.5.5 nmh description nmh vpn
name 6.6.6.6 nmhnetwork
name 192.168.120.0 MfNetwork
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.120.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group dsl
 ip address pppoe setroute
 ospf cost 10
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name MF.local
same-security-traffic permit intra-interface
object-group service RDP tcp
 description RDP
 port-object eq 3389
object-group service SMTPINBOUND tcp
 description SMTP Inbound
 port-object eq smtp
object-group service TRILOGY tcp-udp
 description XX
 port-object eq 5721
object-group network RDP2Server
 network-object host party2
 network-object host XX
 network-object host party1
 network-object host party3
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service HTTP tcp
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_2
 network-object MfNetwork 255.255.255.0
 network-object host 192.168.120.2
access-list indide_access_out extended permit ip any any
access-list inside_access_in remark Allow Kaseya out
access-list inside_access_in extended permit object-group TCPUDP MfNetwork 255.255.255.0 any object-group XX
access-list inside_access_in remark Mail Outbound
access-list inside_access_in extended permit tcp host 192.168.120.2 any eq smtp
access-list inside_access_in remark Web Traffic Out
access-list inside_access_in extended permit tcp MfNetwork 255.255.255.0 any eq www
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_2 any
access-list inside_access_in extended permit tcp any host (IP) eq smtp
access-list inside_access_in extended permit tcp MfNetwork 255.255.255.0 any eq https
access-list inside_access_in extended permit ip MfNetwork 255.255.255.0 nmhnetwork 255.255.255.0
access-list inside_access_in extended permit ip nmhnetwork 255.255.255.0 MfNetwork 255.255.255.0
access-list outside_access_in extended permit tcp object-group RDP2Server host 213.79.40.81 object-group RDP
access-list outside_access_in extended permit tcp any any eq smtp
access-list inbound extended permit tcp any any eq ssh
access-list inbound extended permit tcp any any eq https
access-list inbound extended permit tcp any any eq www
access-list inbound extended permit icmp any any
access-list inbound extended permit tcp any host (IP) eq smtp
access-list outside_1_cryptomap extended permit ip MfNetwork 255.255.255.0 193.120.188.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip MfNetwork 255.255.255.0 192.168.121.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any host (IP)
access-list inside_nat0_outbound extended deny ip any nmhnetwork 255.255.255.0
access-list inside_nat0_outbound extended permit ip host MfNetwork nmhnetwork 255.255.255.0
access-list inside_nat0_outbound extended permit ip interface outside host nmh
access-list inside_nat0_outbound extended permit ip MfNetwork 255.255.255.0 host 193.120.188.1
access-list outside_nat0_outbound extended permit ip host nmh any
access-list RAVPNMF_splitTunnelAcl standard permit MfNetwork 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN-Pool 192.168.121.1-192.168.121.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list outside_1_cryptomap
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
static (inside,outside) tcp interface smtp 192.168.120.2 smtp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.120.2 3389 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http MfNetwork 255.255.255.0 inside
http authentication-certificate inside
http redirect inside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set rtpset esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear-df inside
crypto ipsec df-bit clear-df outside
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer nmh
crypto map outside_map 1 set transform-set rtpset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 20
ssh MfNetwork 255.255.255.255 inside
ssh timeout 5
console timeout 0
vpdn group dsl request dialout pppoe
vpdn group dsl localname dmerrionfc@netsource.ie
vpdn group dsl ppp authentication chap
vpdn username dmerrionfc@XX password ********* store-local
dhcpd auto_config outside
!

group-policy RAVPNMF internal
group-policy RAVPNMF attributes
 wins-server value 192.168.120.2f15
 dns-server value 192.168.120.2
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAVPNMF_splitTunnelAcl
 default-domain value MF.local
username trilogy password /XX encrypted privilege 0
username trilogy attributes
 vpn-group-policy RAVPNMF
username user_one password XX encrypted privilege 0
username user_one attributes
 vpn-group-policy RAVPNMF
username user_two password XX encrypted privilege 0
username user_two attributes
 vpn-group-policy RAVPNMF
tunnel-group 213.79.40.82 type ipsec-l2l
tunnel-group 213.79.40.82 ipsec-attributes
 pre-shared-key *
tunnel-group RAVPNMF type ipsec-ra
tunnel-group RAVPNMF general-attributes
 address-pool VPN-Pool
 default-group-policy RAVPNMF
tunnel-group RAVPNMF ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
END
______________

Any help is greatly received!!!!

Cheers..
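As an added example that is not part of the original thread, the script below is a small Python linter for the two checks a practitioner would run first against a config like the one posted above when clients authenticate but cannot reach inside hosts. It parses the `ip local pool`, `access-list ... extended permit ip`, `nat (inside) 0 access-list` and `crypto map ... match address` lines and reports (a) any static crypto-map ACL whose destination overlaps the remote-access pool (static entries sit before the dynamic entry at sequence 65535, so return traffic to a client that matches one is steered toward the site-to-site peer; that is consistent with the posted log line showing an IKE initiation from 192.168.120.2 to 192.168.121.1), and (b) whether the NAT-exempt ACL covers inside-LAN to pool traffic. The embedded sample config is a constructed excerpt of the posted config; the inside LAN 192.168.120.0/24 is taken from it. Deny entries and endpoint keywords such as `interface outside` are not modelled.

```python
"""Added example (not from the original post): lint the remote-access VPN
pieces of an ASA 7.x config for two classic "client connects, traffic
doesn't flow" causes.

SAMPLE_CONFIG is a constructed excerpt of the posted config.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
name 192.168.120.0 MfNetwork
access-list outside_1_cryptomap extended permit ip MfNetwork 255.255.255.0 193.120.188.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip MfNetwork 255.255.255.0 192.168.121.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip MfNetwork 255.255.255.0 host 193.120.188.1
ip local pool VPN-Pool 192.168.121.1-192.168.121.10 mask 255.255.255.0
nat (inside) 0 access-list outside_1_cryptomap
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer nmh
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$", re.M)
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)", re.M)
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)", re.M)
STATIC_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)", re.M)


def parse_names(cfg):
    """Map `name <ip> <alias>` entries to {alias: ip}."""
    return {alias: ip for ip, alias in NAME_RE.findall(cfg)}


def _endpoint(tokens, i, names):
    """Read one ACL endpoint (any | host X | X MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(names.get(tokens[i + 1], tokens[i + 1])), i + 2
    addr = names.get(tok, tok)
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(cfg):
    """Return {acl_name: [(src_net, dst_net), ...]} for `permit ip` entries.

    Entries using keywords this example does not model (e.g. `interface
    outside`, or redacted `(IP)` placeholders) are skipped; deny entries are
    not modelled.
    """
    names = parse_names(cfg)
    acls = {}
    for name, rest in ACL_RE.findall(cfg):
        tokens = rest.split()
        try:
            src, i = _endpoint(tokens, 0, names)
            dst, _ = _endpoint(tokens, i, names)
        except (ValueError, IndexError):
            continue
        acls.setdefault(name, []).append((src, dst))
    return acls


def parse_pool(cfg):
    """Return the RA address pool as the list of networks covering its range."""
    m = POOL_RE.search(cfg)
    if not m:
        return []
    first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    return list(ipaddress.summarize_address_range(first, last))


def find_pool_overlap(cfg):
    """(acl, dst) pairs where a static crypto-map ACL destination overlaps the pool."""
    pool, acls, hits = parse_pool(cfg), parse_acls(cfg), []
    for _map, _seq, acl in STATIC_MAP_RE.findall(cfg):
        for _src, dst in acls.get(acl, []):
            if any(dst.overlaps(p) for p in pool) and (acl, str(dst)) not in hits:
                hits.append((acl, str(dst)))
    return hits


def nat0_covers_pool(cfg, inside_net="192.168.120.0/24"):
    """True if the `nat (inside) 0` ACL exempts inside_net -> every pool address.

    inside_net defaults to the LAN in the posted config (an assumption for
    any other config).
    """
    m = NAT0_RE.search(cfg)
    if not m:
        return False
    entries = parse_acls(cfg).get(m.group(1), [])
    inside = ipaddress.ip_network(inside_net)
    return all(
        any(inside.subnet_of(src) and p.subnet_of(dst) for src, dst in entries)
        for p in parse_pool(cfg)
    )


def lint(cfg):
    """Human-readable findings for the two checks."""
    findings = [f"static crypto-map ACL {acl} matches {dst}, which overlaps the RA pool"
                for acl, dst in find_pool_overlap(cfg)]
    if not nat0_covers_pool(cfg):
        findings.append("nat (inside) 0 ACL does not exempt inside LAN -> RA pool traffic")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run against the posted excerpt it reports the overlap on `outside_1_cryptomap` and no NAT finding (the `nat (inside) 0` ACL happens to cover the pool only because it reuses the crypto-map ACL). Whatever the linter says, confirm on the box with `show crypto ipsec sa` and `show nat` before changing anything.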
Question by: itfocus

4 Comments

Expert Comment

by:Pete Long
ID: 34214789

Author Comment

by:itfocus
ID: 34216377
Hi Pete,

No joy I'm afraid... the problem remains!

Accepted Solution

by: Pete Long (earned 500 total points)
ID: 34216870
Does the client connect? What error do you see?

Did you tick all these boxes: http://www.petenetlive.com/KB/Article/0000070.htm

Author Closing Comment

by:itfocus
ID: 34248561
The offered solution was good and definitely got us to a point where we could get things flowing.

Appreciate the help Pete.