itsgroupinc

Cisco ASA 5510 and VPN Client

Thanks for the help in advance.

I have a Cisco ASA 5510

I used the Wizard to configure it. I can connect to it via the Cisco VPN client but cannot see the internal network to browse shared folders.

External LAN: xxx.xxx.xxx.60
Internal LAN: 192.168.1.0
VPN address group: 192.168.3.0

Can someone please look over the configuration file and assist me in correcting the issue?

ASA Version 8.2(1)
!
hostname xxxxxx-asa
domain-name xxxxxx.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.3.0 VPN-Client
!
interface Ethernet0/0
 description Internet
 nameif Outside
 security-level 10
 ip address xxx.xxx.xxx.60 255.255.255.240
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.253 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 management-only
!
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 192.168.1.47
 domain-name xxxxxx.local
access-list Outside_access_in extended permit tcp any xxx.xxx.xxx.48 255.255.255.240
access-list Inside_access_in extended permit tcp VPN-Client 255.255.255.0 192.168.1.0 255.255.255.0
access-list Inside_access_in extended permit udp VPN-Client 255.255.255.0 192.168.1.0 255.255.255.0
access-list Inside_access_in extended permit ip VPN-Client 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool xxxxx-vpn 192.168.3.20-192.168.3.25 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access Inside
dhcpd address 192.168.10.2-192.168.10.10 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy xxxxx-vpn internal
group-policy xxxxx-vpn attributes
 dns-server value 192.168.1.47 66.81.1.251
 vpn-tunnel-protocol IPSec
 default-domain value xxxxx.local
username xxxxx password XHiJpMNmAdgXf1aF encrypted privilege 15
username xxxxx attributes
 vpn-group-policy xxxxx-vpn
tunnel-group xxxxx-vpn type remote-access
tunnel-group xxxxx-vpn general-attributes
 address-pool xxxxx-vpn
 default-group-policy xxxxx-vpn
tunnel-group xxxxx-vpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e7f0c1b353d70ec85e30e04fe609f8fb
: end
ASKER CERTIFIED SOLUTION
Britt Thompson
itsgroupinc

ASKER

So...

Some of the items I did not do were related to passing mail through, which I do not require.

Here are the ones I did:

I reset the box to factory default with the exception of the management IP address.

I followed your setup down the line until the entries regarding Exchange.

Prior to this I could connect but not see the internal network. Now it does not connect at all.

Dan
post your new config
ASA Version 8.2(1)
!
hostname xxxvpn
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.253 LAN
name 192.168.1.0 LAN_SUBNET
name 192.168.3.0 VPN_SUBNET
name xxx.xxx.xxx.60 WAN
name xxx.xxx.xxx.49 WAN_GATEWAY
!
interface Ethernet0/0
 shutdown
 nameif outside
 security-level 0
 ip address WAN 255.255.255.240
!
interface Ethernet0/1
 shutdown
 nameif inside
 security-level 100
 ip address LAN 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 management-only
!
ftp mode passive
access-list NO_NAT extended permit ip any VPN_SUBNET 255.255.255.0
access-list SPLIT_DNS standard permit LAN_SUBNET 255.255.255.0
access-list SPILT_DNS extended permit ip LAN_SUBNET 255.255.255.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPN_POOL 192.168.3.10-192.168.3.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list NO_NAT
route outside 0.0.0.0 0.0.0.0 WAN_GATEWAY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set VPN_SET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map VPN_DYNMAP 20 set transform-set VPN_SET
crypto map VPN_MAP 20 ipsec-isakmp dynamic VPN_DYNMAP
crypto map VPN_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.2-192.168.10.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy xxx-vpn internal
group-policy xxx-vpn attributes
 dns-server value 192.168.1.47
 vpn-tunnel-protocol IPSec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_DNS
 default-domain value xxx.local
username xxx password XHiJpMNmAdgXf1aF encrypted privilege 15
username xxx attributes
 vpn-group-policy xxx-vpn
username xxx password UztL/R2RAE3yc5A8 encrypted
username xxx attributes
 vpn-group-policy xxx-vpn
tunnel-group xxx-vpn type remote-access
tunnel-group xxx-vpn general-attributes
 address-pool VPN_POOL
 default-group-policy xxx-vpn
tunnel-group xxxx-vpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e37bf2e455ef9db8ed3f83a7ba938bee
: end
Nothing I see here throws any flags... Do you have internet access?

What does the client log when you try to connect?
My local LAN does not use this box as a gateway. I was only trying to get VPN users into my LAN.

I can ping the address from outside.

The log says:

Unable to establish Phase 1 SA with server xxx.xxx.xxx.60 because of DEL_REASON_PEER_NOT_RESPONDING
1      13:35:34.515  12/30/10  Sev=Info/4      CM/0x63100002
Begin connection process

2      13:35:34.515  12/30/10  Sev=Info/4      CM/0x63100004
Establish secure connection

3      13:35:34.515  12/30/10  Sev=Info/4      CM/0x63100024
Attempt connection with server "xx.x.xxx.60"

4      13:35:34.515  12/30/10  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with xxx.xxx.xxx.60.

5      13:35:34.515  12/30/10  Sev=Info/4      IKE/0x63000001
Starting IKE Phase 1 Negotiation

6      13:35:34.531  12/30/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Unity)) to xxx.xxx.xxx.60

7      13:35:34.562  12/30/10  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

8      13:35:34.562  12/30/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

9      13:35:39.562  12/30/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

10     13:35:39.562  12/30/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.60

11     13:35:44.562  12/30/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

12     13:35:44.562  12/30/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.60

13     13:35:49.562  12/30/10  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

14     13:35:49.562  12/30/10  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to xxx.xxx.xxx.60

15     13:35:54.562  12/30/10  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=454F0759DFA48632 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

16     13:35:55.062  12/30/10  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=454F0759DFA48632 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

17     13:35:55.062  12/30/10  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "xxx.xxx.xxx.60" because of "DEL_REASON_PEER_NOT_RESPONDING"

18     13:35:55.062  12/30/10  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

19     13:35:55.062  12/30/10  Sev=Info/6      CM/0x63100046
Set tunnel established flag in registry to 0.

20     13:35:55.062  12/30/10  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

21     13:35:55.062  12/30/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

22     13:35:55.062  12/30/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

23     13:35:55.062  12/30/10  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

24     13:35:55.062  12/30/10  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
Sounds like there is no internet... if you log into the ASA using telnet you should be able to ping external IP addresses. If not, verify you have assigned the correct IP, gateway and subnet mask on the outside interface. Also, make sure the internet is plugged into the correct ethernet port.
Also, you must be outside of the office or on a different network for this VPN client connection to work properly.
getting closer!

Found a bad cable from the asa to internet connection.

VPN connects now and prompts correctly for user name and password.

I can ping outside, e.g. www.discovery.com.

I cannot ping any internal addresses on the 192.168.1.0 LAN_SUBNET

Dan
However, I can ping from my LAN network to the ASA 192.168.1.253

Dan
Do the clients on the 192.168.1.0 subnet use the asa as their gateway? If not, these machines will require a static route so they can talk to the clients on the vpn subnet.

https://www.experts-exchange.com/A_4286.html
The 192.168.1.0 clients do NOT use the ASA for the gateway. The only thing the ASA is used for at this time is to allow VPN users to access an application on a machine on the 192.168.1.0 LAN via Remote Desktop.

This was all working at one time with a PIX 501. The power connector in the 501 cracked at the circuit board and would not stay powered up.

Since the 501 is end of life I thought I would upgrade. LOL

Dan
If I run ipconfig from my laptop connected via VPN, I get an address from the ASA of 192.168.3.10 but no gateway listed.
That's normal... I'm talking about the machine you're trying to ping on the 192.168.1.0 subnet. The computers on the LAN either need to use the ASA as their gateway or they need static routes entered.
So in that case....

From a Windows XP Pro machine on the LAN I used:

route add 192.168.3.0 mask 255.255.255.0 192.168.1.5 -p

I then should be able to see the machine from a VPN connection?

Dan

Route add 192.168.3.0 mask 255.255.255.0 192.168.1.253 -p

The last address is the internal interface IP of the ASA.
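The fix above works on the LAN host's own routing table, not on the ASA: a reply to a 192.168.3.x VPN client follows the host's longest-prefix match, and without the static route that match is the site's default gateway rather than the ASA. The Python below, an added illustration and not code from this thread, models that lookup with the thread's addresses; the site gateway 192.168.1.1 is an assumption standing in for whatever the LAN hosts actually use.

```python
import ipaddress
import re

# Addresses taken from the thread's second config.
ASA_INSIDE_IP = "192.168.1.253"
# Constructed: the LAN's real default gateway (the thread says it is not the ASA).
SITE_GATEWAY = "192.168.1.1"
# Constructed excerpt of the asker's config: the one line this script parses.
ASA_CONFIG = "ip local pool VPN_POOL 192.168.3.10-192.168.3.20 mask 255.255.255.0\n"

def vpn_pool_network(config):
    """Return the subnet (as 'a.b.c.d/n') that 'ip local pool' allocates from."""
    m = re.search(r"^ip local pool \S+ (\S+)-\S+ mask (\S+)", config, re.M)
    if not m:
        raise ValueError("no 'ip local pool' line in config")
    return str(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) string pairs, as a host's
    IP stack does it. Returns the chosen gateway, or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

def lan_host_routes(*extra):
    """Routing table of a LAN host whose default gateway is the site router,
    plus any persistent routes added with 'route add ... -p'."""
    return [("0.0.0.0/0", SITE_GATEWAY), *extra]

def reply_reaches_asa(routes, vpn_client):
    """A VPN client's packet arrives through the ASA, but the host's reply only
    gets back into the tunnel if the host forwards it to the ASA's inside IP."""
    return next_hop(routes, vpn_client) == ASA_INSIDE_IP

def windows_route_cmd(pool, gateway):
    """Build the persistent Windows route line from the thread for a given pool."""
    net = ipaddress.ip_network(pool)
    return f"route add {net.network_address} mask {net.netmask} {gateway} -p"

if __name__ == "__main__":
    pool = vpn_pool_network(ASA_CONFIG)
    fixed = lan_host_routes((pool, ASA_INSIDE_IP))
    print("without route:", next_hop(lan_host_routes(), "192.168.3.10"))  # 192.168.1.1
    print("with route:   ", next_hop(fixed, "192.168.3.10"))               # 192.168.1.253
    print(windows_route_cmd(pool, ASA_INSIDE_IP))
```

Pointing the route at another LAN host instead of the ASA, as in the earlier 192.168.1.5 attempt, fails the same check: that host has no path into the tunnel either.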

!@#$%^&*()!!!!!!!!!

SCORE!

You da man!

Thanks for all your help today! Your tutorial is great!

Have a great New Years!

Dan
Been looking for this!

Great job!

Dan