xpandit
asked on
Cisco ASDM 5.2 for ASA configure VPN
We have Cisco ASDM 5.2 for ASA that I am trying to set up to allow traffic to VPN to a public IP address. From my 3G I can VPN to the IP address, but somehow from the network the firewall is blocking me. I've attached how I've set the firewall up. Can you advise where I might be going wrong? When I try to connect I get error 800.
vpn3.PNG
vpn1.png
vpn-error.png
Are you trying to connect from the inside network? If so, that won't work. If not then, like MikeKane said, could you post a sanitized version of your config?
ASKER
Yes. It is from the inside network to an IP on the outside network. Why won't it work?
Ah, then I slightly misunderstood. Ok, in that case could you check if there is something like:
policy-map global_policy
class inspection_default
inspect ipsec-pass-thru
In your config? If not, try adding that and see if that helps.
ASKER
Tried ernibeek's suggestion. Now when I try to VPN I don't get error 800 but rather error 619, as attached.
vpn-error2.png
Do you have a firewall running on that pc?
And (once more) could you post a sanitized config of the ASA over here?
ASKER
There you are. Thank you for your assistance.
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(4)
!
hostname firewall
domain-name xxxxxxxxxxxxxxxxxxxxxxx.co.za
enable password xxxxxxxxxxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxxx encrypted
names
name 192.168.0.10 accountssrv
name 192.168.0.16 backupserver
name 192.168.0.247 firewall
name 192.168.0.17 qradserver
name 192.168.0.11 qslnx01
name 192.168.0.15 softservpc
name 192.168.0.33 KONICA description KONICA MINOLTA 350/250/200 PCL
name 192.168.0.31 peter
name 192.168.0.95 Russel description Russel
name 192.168.0.140 fransnotebook1
name 192.168.0.159 fransnotebook2
name 192.168.0.84 Justin description Justin
name 192.168.0.103 Zimbratestmail description Zimbra test mail
name 192.168.0.127 Derick
name 192.168.0.40 KM1A3102 description Kyocera
name 192.168.0.139 Continental description Continental 139
name 192.168.0.96 Temp2 description Temp2
name 192.168.0.164 MACPC description MACPC
name 192.168.0.90 FTP description 90
name 192.168.0.141 Chris141 description Chris 141
name 192.168.0.92 printer36 description 36
name 192.168.2.25 XXX-ACC01-internal
name 192.168.2.14 XXX-BCK01-internal
name 192.168.2.21 XXX-DC01-internal
name 192.168.2.22 XXX-DC02-internal
name 192.168.2.23 XXX-EXC01-internal
name 192.168.2.24 XXX-FP01-internal
name 192.168.2.11 XXX-HV01-internal
name 192.168.2.12 XXX-HV02-internal
name 172.0.0.11 XXX-MSH01-internal
name 192.168.2.26 XXX-PST01-internal
name 192.168.2.27 XXX-SFT01-internal
name 192.168.2.28 XXX-SFT02-internal
name 192.168.2.13 XXX-VMM01-internal
name 172.31.24.95 XXX-ACC01-external
name 172.31.24.84 XXX-BCK01-external
name 172.31.24.91 XXX-DC01-external
name 172.31.24.92 XXX-DC02-external
name 172.31.24.93 XXX-EXC01-external
name 172.31.24.94 XXX-FP01-external
name 172.31.24.81 XXX-HV01-external
name 172.31.24.82 XXX-HV02-external
name 172.31.24.96 XXX-PST01-external
name 172.31.24.97 XXX-SFT01-external
name 172.31.24.98 XXX-SFT02-external
name 172.31.24.83 XXX-VMM01-external
name 172.31.24.111 XXX-MSH01-external
name 172.31.24.72 XXX-Hawk-external
name 192.168.10.12 XXX-Hawk-internal
name 172.31.24.73 XXX-Kestrel-external
name 192.168.10.13 XXX-Kestrel-internal
name 172.31.24.74 XXX-Owl-external
name 192.168.10.14 XXX-Owl-internal
name 172.31.24.67 accountssrv-external
name 172.31.24.69 backupserver-external
name 172.31.24.71 qradserver-external
name 172.31.24.70 qslnx01-external
name 172.31.24.68 softservpc-external
name 192.168.0.83 Chris83 description Chris83
name 192.168.0.79 Temp79 description 79
name 192.168.0.118 DanielEberli
name 192.168.0.91 Martinftp description Martin
name 192.168.0.147 Continental147 description Continental147
name 192.168.0.150 Continental150 description Continental150
name 192.168.10.10 XXX-Falcon-Internal
name 172.31.24.76 XXX-Falcon-external
name 192.168.0.151 DarrenFTP
name 192.168.0.119 OliverSteffan
name 192.168.0.113 justin113 description Justin
name 192.168.0.42 TrevorWifi description TervorWiFi
name 192.168.0.116 Vlad description Vlad
name 192.168.0.108 Continental89 description Continental80
name 192.168.0.136 Sobi description Sobi
name 192.168.2.61 Trevor description Trevor
name xxx.xxx.xxx.FHG_Software
name xxx.xxx.xxx.240 XXXXXX
name xxx.xxx.xxx.212 JRA
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ospf cost 10
!
interface Vlan3
nameif dmz
security-level 50
ip address 172.0.0.1 255.255.255.0
ospf cost 10
!
interface Vlan4
nameif management
security-level 75
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan5
nameif production
security-level 75
ip address 192.168.2.1 255.255.254.0
ospf cost 10
!
interface Vlan6
nameif bob
security-level 75
ip address 192.168.10.254 255.255.255.0
!
interface Vlan7
nameif loadbalance
security-level 0
ip address 10.0.0.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 7
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
switchport access vlan 4
!
interface Ethernet0/3
switchport access vlan 5
!
interface Ethernet0/4
switchport access vlan 6
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 7
speed 100
duplex full
!
ftp mode passive
clock timezone SAST 2
dns server-group DefaultDNS
domain-name xxxxxxxx.xxxxxxxxxx.co.za
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Servers
network-object host accountssrv
network-object host qslnx01
network-object host softservpc
network-object host backupserver
network-object host qradserver
network-object host firewall
object-group service OWL_Peter tcp
port-object eq 465
port-object eq 995
port-object eq pop3
port-object eq smtp
object-group service VPN_tcp tcp
port-object eq https
port-object eq pptp
object-group protocol VPN_protocols
protocol-object gre
protocol-object esp
object-group service VPN_UDP udp
port-object eq 4500
port-object eq isakmp
port-object eq 1701
object-group network DM_INLINE_NETWORK_1
network-object 192.168.0.0 255.255.255.0
network-object 192.168.2.0 255.255.254.0
network-object 192.168.10.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object host XXX-DC01-internal
network-object host XXX-DC02-internal
object-group network DM_INLINE_NETWORK_4
network-object 192.168.0.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.254.0
object-group network DM_INLINE_NETWORK_5
network-object host XXX-DC01-internal
network-object host XXX-DC02-internal
object-group service ActiveDirectoryTCP tcp
port-object eq 135
port-object eq 3268
port-object eq 3269
port-object eq 445
port-object eq 88
port-object eq domain
port-object eq ldap
port-object eq ldaps
object-group service ActiveDirectoryUDP udp
port-object eq 88
port-object eq domain
object-group service DM_INLINE_TCP_1 tcp
port-object eq pop3
port-object eq smtp
port-object eq https
object-group service DM_INLINE_TCP_2 tcp
port-object eq 8080
port-object eq 8443
port-object eq ftp
port-object eq www
object-group network XXX-SERVERS-internal
network-object host XXX-MSH01-internal
network-object host XXX-HV01-internal
network-object host XXX-HV02-internal
network-object host XXX-VMM01-internal
network-object host XXX-BCK01-internal
network-object host XXX-DC01-internal
network-object host XXX-DC02-internal
network-object host XXX-EXC01-internal
network-object host XXX-FP01-internal
network-object host XXX-ACC01-internal
network-object host XXX-PST01-internal
network-object host XXX-SFT01-internal
network-object host XXX-SFT02-internal
object-group network XXX-SERVERS-external
network-object host XXX-MSH01-external
network-object host XXX-HV01-external
network-object host XXX-HV02-external
network-object host XXX-VMM01-external
network-object host XXX-BCK01-external
network-object host XXX-DC01-external
network-object host XXX-DC02-external
network-object host XXX-EXC01-external
network-object host XXX-FP01-external
network-object host XXX-ACC01-external
network-object host XXX-PST01-external
network-object host XXX-SFT01-external
network-object host XXX-SFT02-external
object-group service DM_INLINE_TCP_3 tcp
port-object eq 3389
port-object eq 5666
object-group network OLD-SERVERS-external
network-object host accountssrv-external
network-object host softservpc-external
network-object host backupserver-external
network-object host qslnx01-external
network-object host qradserver-external
object-group network XXX-SERVERS-external
network-object host XXX-Hawk-external
network-object host XXX-Kestrel-external
network-object host XXX-Owl-external
network-object host XXX-Falcon-external
object-group network XXX-SERVERS-internal
network-object host XXX-Hawk-internal
network-object host XXX-Kestrel-internal
network-object host XXX-Owl-internal
network-object host XXX-Falcon-Internal
object-group service DM_INLINE_TCP_4 tcp
port-object eq pptp
port-object eq smtp
object-group service DM_INLINE_TCP_5 tcp
port-object eq 3389
port-object eq 8080
port-object eq ftp
port-object eq smtp
object-group service DM_INLINE_TCP_6 tcp
port-object eq 1433
port-object eq 3389
object-group service DM_INLINE_TCP_7 tcp
port-object eq 3389
port-object eq 5666
object-group network DM_INLINE_NETWORK_2
network-object host XXX-MSH01-internal
network-object host XXX-HV01-internal
network-object host XXX-HV02-internal
network-object host XXX-VMM01-internal
network-object host XXX-BCK01-internal
network-object host XXX-DC01-internal
network-object host XXX-DC02-internal
network-object host XXX-EXC01-internal
network-object host XXX-FP01-internal
network-object host XXX-ACC01-internal
network-object host XXX-PST01-internal
network-object host XXX-SFT01-internal
network-object host XXX-SFT02-internal
object-group network DM_INLINE_NETWORK_6
network-object host XXX-MSH01-internal
network-object host XXX-HV01-internal
network-object host XXX-HV02-internal
network-object host XXX-VMM01-internal
network-object host XXX-BCK01-internal
network-object host XXX-DC01-internal
network-object host XXX-DC02-internal
network-object host XXX-EXC01-internal
network-object host XXX-FP01-internal
network-object host XXX-ACC01-internal
network-object host XXX-PST01-internal
network-object host XXX-SFT01-internal
network-object host XXX-SFT02-internal
object-group service DM_INLINE_TCP_10 tcp
port-object eq pptp
port-object eq smtp
port-object eq ftp
object-group service DM_INLINE_TCP_8 tcp
port-object eq 3389
port-object eq 5666
object-group service DM_INLINE_TCP_9 tcp
port-object eq https
port-object eq pop3
object-group service DM_INLINE_TCP_11 tcp
port-object eq 8443
port-object eq https
port-object eq 4443
port-object eq 5061
port-object eq 8080
object-group network DM_INLINE_NETWORK_7
network-object host xxx.xxx.xxx.125
network-object XXXXXX 255.255.255.240
object-group service DM_INLINE_TCP_12 tcp
port-object eq 1433
port-object eq 3389
port-object eq 5666
object-group service DM_INLINE_TCP_14 tcp
port-object eq 8080
port-object eq 8443
port-object eq ftp
port-object eq www
object-group network DM_INLINE_NETWORK_8
network-object host 192.168.2.221
network-object host 192.168.2.222
network-object host 192.168.2.223
network-object host 192.168.2.224
network-object host 192.168.2.225
network-object host 192.168.2.226
network-object host 192.168.2.227
network-object host 192.168.2.228
network-object host 192.168.2.229
network-object host 192.168.2.230
network-object host 192.168.2.231
network-object host 192.168.2.232
network-object host 192.168.2.233
network-object host 192.168.2.234
network-object host 192.168.2.235
network-object host 192.168.2.236
network-object host 192.168.2.237
network-object host 192.168.2.238
network-object host 192.168.2.239
network-object host 192.168.2.240
network-object host 192.168.3.221
network-object host 192.168.3.222
network-object host 192.168.3.223
network-object host 192.168.3.224
network-object host 192.168.3.225
network-object host 192.168.3.226
network-object host 192.168.3.227
network-object host 192.168.3.228
network-object host 192.168.3.229
network-object host 192.168.3.230
network-object host 192.168.3.231
network-object host 192.168.3.232
network-object host 192.168.3.233
network-object host 192.168.3.234
network-object host 192.168.3.235
network-object host 192.168.3.236
network-object host 192.168.3.237
network-object host 192.168.3.238
network-object host 192.168.3.239
network-object host 192.168.3.240
object-group network DM_INLINE_NETWORK_9
network-object host xxx.xxx.xxx.124
network-object XXXXXX 255.255.255.240
object-group service DM_INLINE_TCP_13 tcp
port-object eq 10000
port-object eq 17990
port-object eq 17992
port-object eq 50000
port-object eq www
port-object eq https
port-object eq 17991
port-object eq 17995
object-group service XXXXXX udp
port-object range 50000 65535
object-group network DM_INLINE_NETWORK_10
network-object host xxx.xxx.xxx.20
network-object host xxx.xxx.xxx.81
object-group network DM_INLINE_NETWORK_11
network-object host xxx.xxx.xxx.154
network-object host xxx.xxx.xxx.120
network-object host xxx.xxx.xxx.66
network-object host xxx.xxx.xxx.12
object-group network DM_INLINE_NETWORK_12
network-object host xxx.xxx.xxx.154
network-object host xxx.xxx.xxx.120
network-object host xxx.xxx.xxx.66
network-object host 172.0.0.12
object-group service DM_INLINE_TCP_15 tcp
port-object eq 10000
port-object eq 17990
port-object eq 17991
port-object eq 17992
port-object eq 17995
port-object eq 50000
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_13
network-object host XXX-MSH01-internal
network-object host 172.0.0.12
access-list incoming_traffic_inside extended permit tcp any host accountssrv-external eq 3389
access-list incoming_traffic_inside extended permit icmp any host accountssrv-external
access-list incoming_traffic_inside extended permit tcp any host softservpc-external eq 3389
access-list incoming_traffic_inside extended permit icmp any host softservpc-external
access-list incoming_traffic_inside extended permit tcp any host backupserver-external eq 3389
access-list incoming_traffic_inside extended permit icmp any host backupserver-external
access-list incoming_traffic_inside extended permit tcp any host qslnx01-external eq ssh
access-list incoming_traffic_inside extended permit icmp any host qslnx01-external
access-list incoming_traffic_inside extended permit tcp any host qradserver-external eq 3389
access-list incoming_traffic_inside extended permit icmp any host qradserver-external
access-list incoming_traffic_bob extended permit tcp any host XXX-Hawk-external eq 8700
access-list incoming_traffic_bob extended permit icmp any host XXX-Hawk-external
access-list incoming_traffic_bob extended permit tcp any host XXX-Kestrel-external eq 6000
access-list incoming_traffic_bob extended permit icmp any host XXX-Kestrel-external
access-list incoming_traffic_bob extended permit tcp any host XXX-Owl-external eq ftp
access-list incoming_traffic_bob extended permit tcp any host XXX-Owl-external eq www
access-list incoming_traffic_bob extended permit tcp any host XXX-Owl-external eq 8080
access-list incoming_traffic_bob extended permit tcp any host XXX-Owl-external eq 8443
access-list incoming_traffic_bob extended permit icmp any host XXX-Owl-external
access-list incoming_traffic extended permit tcp XXXXXX 255.255.255.240 object-group XXX-SERVERS-external object-group DM_INLINE_TCP_7
access-list incoming_traffic extended permit icmp any object-group XXX-SERVERS-external
access-list incoming_traffic extended permit tcp any host XXX-Hawk-external eq 8700
access-list incoming_traffic extended permit tcp any host XXX-Falcon-external object-group DM_INLINE_TCP_6
access-list incoming_traffic extended permit tcp any host XXX-Kestrel-external eq 6000
access-list incoming_traffic extended permit tcp any host XXX-Owl-external object-group DM_INLINE_TCP_2
access-list incoming_traffic extended permit tcp any host XXX-EXC01-external object-group DM_INLINE_TCP_1
access-list incoming_traffic extended permit tcp any host XXX-MSH01-external object-group DM_INLINE_TCP_4
access-list incoming_traffic extended permit gre any host XXX-MSH01-external
access-list incoming_traffic extended permit icmp XXXXXX 255.255.255.240 object-group OLD-SERVERS-external inactive
access-list incoming_traffic extended permit tcp XXXXXX 255.255.255.240 object-group OLD-SERVERS-external eq 3389 inactive
access-list incoming_traffic extended permit tcp XXXXXX 255.255.255.240 host qslnx01-external eq ssh inactive
access-list incoming_traffic extended permit icmp XXXXXX 255.255.255.240 object-group XXX-SERVERS-external
access-list incoming_traffic extended permit tcp XXXXXX 255.255.255.240 object-group XXX-SERVERS-external object-group DM_INLINE_TCP_3
access-list incoming_traffic extended permit tcp any host XXX-MSH01-external eq ftp
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host XXX-MSH01-internal object-group DM_INLINE_TCP_5
access-list dmz_access_in extended permit udp host XXX-MSH01-internal object-group DM_INLINE_NETWORK_5 object-group ActiveDirectoryUDP
access-list dmz_access_in extended permit tcp host XXX-MSH01-internal object-group DM_INLINE_NETWORK_3 object-group ActiveDirectoryTCP
access-list dmz_access_in extended deny ip 172.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 inactive
access-list dmz_access_in extended permit ip object-group DM_INLINE_NETWORK_13 any
access-list dmz_access_in extended permit ip 172.0.0.0 255.255.255.0 192.168.2.0 255.255.254.0
access-list production_access_in extended permit ip any 10.0.0.0 255.255.255.0
access-list production_access_in extended permit ip any 172.0.0.0 255.255.255.0
access-list production_access_in extended permit ip any 192.168.10.0 255.255.255.0
access-list production_access_in extended permit ip object-group XXX-SERVERS-internal any
access-list production_access_in extended permit gre any XXXXXX 255.255.255.240
access-list production_access_in extended permit tcp any XXXXXX 255.255.255.240 eq pptp
access-list production_access_in extended permit tcp any object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_TCP_11
access-list production_access_in extended permit ip host 192.168.2.116 any
access-list production_access_in extended permit tcp any host xxx.xxx.xxx.125 eq 3389
access-list production_access_in extended permit ip host Trevor any
access-list production_access_in extended permit ip object-group DM_INLINE_NETWORK_8 any
access-list production_access_in extended permit udp any object-group DM_INLINE_NETWORK_11 object-group XXXXXX
access-list production_access_in extended permit tcp any object-group DM_INLINE_NETWORK_12 object-group DM_INLINE_TCP_13
access-list production_access_in extended permit ip any object-group DM_INLINE_NETWORK_10
access-list production_access_in extended permit tcp any host JRA object-group VPN_tcp
access-list production_access_in extended permit object-group VPN_protocols any host JRA
access-list production_access_in extended permit udp any host JRA object-group VPN_UDP
access-list production_access_in extended permit ip any host JRA
access-list loadbalance_access_in extended permit icmp XXXXXX 255.255.255.240 object-group DM_INLINE_NETWORK_6
access-list loadbalance_access_in extended permit tcp host FHG_Software host XXX-PST01-internal eq 3389
access-list loadbalance_access_in extended permit tcp XXXXXX 255.255.255.240 object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_8
access-list loadbalance_access_in extended permit tcp any host XXX-EXC01-internal object-group DM_INLINE_TCP_9
access-list loadbalance_access_in extended permit gre any host XXX-MSH01-internal
access-list loadbalance_access_in extended permit tcp any host XXX-MSH01-internal object-group DM_INLINE_TCP_10
access-list loadbalance_access_in extended permit icmp any object-group XXX-SERVERS-internal
access-list loadbalance_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 object-group XXX-SERVERS-internal object-group DM_INLINE_TCP_12
access-list loadbalance_access_in extended permit tcp any host XXX-Falcon-Internal eq 3389
access-list loadbalance_access_in extended permit tcp any host XXX-Kestrel-internal eq 6000
access-list loadbalance_access_in extended permit tcp any host XXX-Hawk-internal eq 8700
access-list loadbalance_access_in extended permit tcp any host XXX-Owl-internal object-group DM_INLINE_TCP_14
access-list loadbalance_access_in extended permit udp any host 172.0.0.12 object-group XXXXXX
access-list loadbalance_access_in extended permit tcp any host 172.0.0.12 object-group DM_INLINE_TCP_15
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu management 1500
mtu production 1500
mtu bob 1500
mtu loadbalance 1500
no failover
monitor-interface inside
monitor-interface dmz
monitor-interface management
monitor-interface production
monitor-interface bob
monitor-interface loadbalance
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
static (management,production) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (dmz,inside) 172.0.0.0 172.0.0.0 netmask 255.255.255.0
static (production,inside) 192.168.2.0 192.168.2.0 netmask 255.255.254.0
static (dmz,management) 172.0.0.0 172.0.0.0 netmask 255.255.255.0
static (dmz,bob) 172.0.0.0 172.0.0.0 netmask 255.255.255.0
static (bob,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (dmz,loadbalance) 172.0.0.0 172.0.0.0 netmask 255.255.255.0
static (dmz,production) 172.0.0.0 172.0.0.0 netmask 255.255.255.0
static (inside,loadbalance) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (inside,production) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
static (production,loadbalance) 192.168.2.0 192.168.2.0 netmask 255.255.254.0
static (production,management) 192.168.2.0 192.168.2.0 netmask 255.255.254.0
static (production,bob) 192.168.2.0 192.168.2.0 netmask 255.255.254.0
static (production,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.254.0
static (bob,loadbalance) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (bob,production) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
access-group dmz_access_in in interface dmz
access-group production_access_in in interface production
access-group loadbalance_access_in in interface loadbalance
route loadbalance 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http XXXXXX 255.255.255.240 loadbalance
http 192.168.0.0 255.255.255.0 inside
http 192.168.2.0 255.255.254.0 production
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
group-policy xxxxxxxxxx internal
group-policy xxxxxxxxxx attributes
dns-server value 192.168.2.21 192.168.2.22
vpn-tunnel-protocol IPSec
username Salaries password xxxxxxxxxxxxxxxxxxxxxxxxxx
username Salaries attributes
vpn-framed-ip-address 192.168.0.200 255.255.255.0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
no compression svc http-comp
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
Question, is there a reason you enabled isakmp on the inside?
crypto isakmp enable inside
ASKER
To be honest, I don't even know what that is... We did try and setup external to internal VPN at some stage but never succeeded. We settled on inbound PPTP to a windows server as a solution.
Then let's remove that to see if that helps (for starters)
ASKER
Ok, just to check: you're trying to set this up from the 192.168.0.x network, right?
Second, when you look at the (asdm) logs when you try to connect, does anything show up in there?
ASKER
From the 192.168.2.x network (production).
Will check the logs.
ASKER CERTIFIED SOLUTION
ASKER
PPTP goes out…
GRE 47 needs to come in…
VPN is resolved.
ASKER
We added GRE on inbound connections and it resolved.
It seems that you are allowing the protocols in the ACL you posted, but I don't know how or where this ACL is applied.
If you think the ASA is blocking traffic, you can review the syslog or ASDM log for dropped packets, or do a 'show logging' from command line for recent messages. Any drops will be recorded there.
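As an added example (not from the thread and not Cisco tooling), here is a small Python checker that reads the pre-8.3 access-list and object-group syntax of the posted config and reports the three things the thread's resolution calls for: the PPTP control channel (tcp/1723) permitted outbound, and GRE (IP protocol 47) permitted both outbound and inbound. The host names JRA and Trevor and the ACL names are the page's own; the inbound GRE rule used for the "after" case is a constructed illustration of the fix the asker describes, not a line from their config.

```python
"""Added example (not from the thread or Cisco): check the pre-8.3 ASA ACL
syntax from the posted config for what a PPTP client behind the firewall
needs: tcp/1723 out to the server and GRE (protocol 47) in both directions."""
import re

# Copied from the posted running-config (JRA, Trevor and the ACL names are the page's).
PAGE_CONFIG = """
object-group service VPN_tcp tcp
 port-object eq https
 port-object eq pptp
object-group protocol VPN_protocols
 protocol-object gre
 protocol-object esp
access-list production_access_in extended permit tcp any host JRA object-group VPN_tcp
access-list production_access_in extended permit object-group VPN_protocols any host JRA
access-list loadbalance_access_in extended permit gre any host XXX-MSH01-internal
"""
# Constructed illustration of the inbound GRE permit the asker says resolved it
# (loadbalance is the outside-facing interface in the posted config).
GRE_INBOUND_FIX = "access-list loadbalance_access_in extended permit gre host JRA host Trevor"
PORT_NAMES = {"pptp": 1723, "https": 443, "www": 80, "ftp": 21, "smtp": 25}

def parse_groups(text):
    """Map object-group name -> member list (port names, protocols or hosts)."""
    groups, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"object-group (?:service|protocol|network) (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None and line.startswith(
                ("port-object eq ", "protocol-object ", "network-object host ")):
            current.append(line.split()[-1])
        elif line:
            current = None  # any other statement ends the group block
    return groups

def operand(tokens, groups):
    """Consume one protocol/src/dst operand; return (members, remaining tokens)."""
    if tokens[0] == "any":
        return ["any"], tokens[1:]
    if tokens[0] in ("host", "object-group"):
        members = [tokens[1]] if tokens[0] == "host" else list(groups[tokens[1]])
        return members, tokens[2:]
    return [tokens[0]], tokens[1:]  # bare protocol keyword: tcp, udp, gre, ip

def parse_acl(text, groups):
    """Expand every access-list line into (acl, action, proto, src, dst, port)."""
    rules = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        protos, rest = operand(tok[4:], groups)
        srcs, rest = operand(rest, groups)
        dsts, rest = operand(rest, groups)
        ports = [None]  # None = whole protocol; trailing keywords such as 'inactive' ignored
        if rest[:1] == ["eq"]:
            ports = [PORT_NAMES.get(rest[1]) or int(rest[1])]
        elif rest[:1] == ["object-group"]:
            ports = [PORT_NAMES.get(p) or int(p) for p in groups[rest[1]]]
        rules += [(tok[1], tok[3], p, s, d, pt) for p in protos
                  for s in srcs for d in dsts for pt in ports]
    return rules

def permits(rules, acl, proto, src, dst, port=None):
    """ASA first-match semantics: the first matching line decides; no match = deny."""
    for r_acl, action, r_proto, r_src, r_dst, r_port in rules:
        if (r_acl == acl and r_proto in (proto, "ip") and r_src in ("any", src)
                and r_dst in ("any", dst) and r_port in (None, port)):
            return action == "permit"
    return False

def pptp_check(config, client, server, out_acl, in_acl):
    """The thread's diagnosis: PPTP control goes out, but GRE must also come in."""
    rules = parse_acl(config, parse_groups(config))
    return {"pptp control out": permits(rules, out_acl, "tcp", client, server, 1723),
            "gre out": permits(rules, out_acl, "gre", client, server),
            "gre in": permits(rules, in_acl, "gre", server, client)}

def check_page(extra_lines=""):
    """The asker's case: Trevor (production) -> JRA (outside); 'gre in' is False
    with the posted config and True once GRE_INBOUND_FIX is appended."""
    return pptp_check(PAGE_CONFIG + extra_lines, "Trevor", "JRA",
                      "production_access_in", "loadbalance_access_in")
```

Running `check_page()` against the posted lines shows the outbound PPTP and GRE rules present and the inbound GRE rule missing, which is the gap the asker closed; `check_page(GRE_INBOUND_FIX)` shows all three satisfied.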