Solved

Cisco ASDM 5.2 for ASA configure VPN

Posted on 2011-09-13
17
1,468 Views
Last Modified: 2012-05-12
We have Cisco ASDM 5.2 for ASA that I am trying to set up to allow traffic to VPN to a public IP address. From my 3G I can VPN to the IP address, but somehow from the network the firewall is blocking me. I've attached how I've set the firewall up. Can you advise where I might be going wrong? When I try to connect I get error 800.
vpn3.PNG
vpn1.png
vpn-error.png
Question by:xpandit
17 Comments
 
LVL 33

Expert Comment

by:MikeKane
Could you post a sanitized config of the ASA here?

It seems that you are allowing the protocols in the ACL you posted, but I don't know how or where this ACL is applied.

If you think the ASA is blocking traffic, you can review the syslog or ASDM log for dropped packets, or do a 'show logging' from command line for recent messages. Any drops will be recorded there.

0
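The log check MikeKane suggests, as an added example that is not part of the thread: a small parser for the ASA "Deny ... by access-group" syslog message (ID 106023) that pulls out the dropped flows and flags the two halves PPTP depends on, TCP/1723 for the control channel and GRE (IP protocol 47) for the tunnel. The sample lines are constructed to match that message format; real output from 'show logging' would be fed in instead.

```python
"""Find ASA ACL drops in syslog output and pick out the ones that matter for PPTP.

Added example, not from the thread. The log lines below are constructed to
match the %ASA-4-106023 "Deny ... by access-group" message format.
"""
import re
from collections import Counter

# Constructed sample: one inbound GRE drop, one non-deny line, one unrelated
# inbound drop, and one outbound TCP/1723 drop from a different host.
SAMPLE_LOG = """\
Sep 13 2011 10:02:11 firewall %ASA-4-106023: Deny gre src loadbalance:203.0.113.10 dst production:192.168.2.116 by access-group "loadbalance_access_in" [0x0, 0x0]
Sep 13 2011 10:02:12 firewall %ASA-6-302013: Built outbound TCP connection 12345 for loadbalance:203.0.113.10/1723 (203.0.113.10/1723) to production:192.168.2.116/49152 (10.0.0.2/1024)
Sep 13 2011 10:02:15 firewall %ASA-4-106023: Deny tcp src loadbalance:198.51.100.7/40000 dst production:192.168.2.21/445 by access-group "loadbalance_access_in" [0x0, 0x0]
Sep 13 2011 10:02:20 firewall %ASA-4-106023: Deny tcp src production:192.168.2.61/50123 dst loadbalance:203.0.113.10/1723 by access-group "production_access_in" [0x0, 0x0]
"""

# For TCP/UDP the address is followed by /port; for GRE, ESP etc. there is no port,
# so the port groups are optional.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\S+) '
    r'src (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))? '
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_text):
    """Return one dict per 106023 deny message; other messages are ignored."""
    records = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            records.append(m.groupdict())
    return records


def pptp_related(records):
    """Drops that would break PPTP: the GRE tunnel, or TCP/1723 in either direction."""
    return [r for r in records
            if r['proto'] == 'gre'
            or (r['proto'] == 'tcp' and '1723' in (r['sport'], r['dport']))]


def denies_by_acl(records):
    """Count drops per (ACL, protocol) so the offending access-group stands out."""
    return Counter((r['acl'], r['proto']) for r in records)


if __name__ == "__main__":
    recs = parse_denies(SAMPLE_LOG)
    for r in pptp_related(recs):
        print("PPTP-related drop: %s %s:%s -> %s:%s by %s"
              % (r['proto'], r['src_if'], r['src'], r['dst_if'], r['dst'], r['acl']))
    for (acl, proto), n in denies_by_acl(recs).items():
        print("%s dropped %d %s packet(s)" % (acl, n, proto))
```

On the sample input the GRE drop is attributed to loadbalance_access_in, which is the inbound ACL on the outside-facing interface; that is exactly the kind of entry to look for when the PPTP control connection builds but the tunnel never comes up.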
 
LVL 35

Expert Comment

by:Ernie Beek
Are you trying to connect from the inside network? If so, that won't work. If not then, like MikeKane said, could you post a sanitized version of your config?
0
 

Author Comment

by:xpandit
Yes. It is from the inside network to an IP on the outside network. Why won't it work?
0
 
LVL 35

Expert Comment

by:Ernie Beek
Ah, then I slightly misunderstood. Ok, in that case could you check if there is something like:

policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru

In your config? If not, try adding that and see if that helps.
0
 

Author Comment

by:xpandit
Tried Ernie Beek's suggestion; now when I try to VPN I don't get error 800 but rather error 619, as attached.
vpn-error2.png
0
 
LVL 35

Expert Comment

by:Ernie Beek
Do you have a firewall running on that PC?
And (once more) could you post a sanitized config of the ASA over here?
0
 

Author Comment

by:xpandit
There you are. Thank you for your assistance.
Result of the command: "show running-config"

: Saved
:
ASA Version 7.2(4) 
!
hostname firewall
domain-name xxxxxxxxxxxxxxxxxxxxxxx.co.za
enable password xxxxxxxxxxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxxx encrypted
names
name 192.168.0.10 accountssrv
name 192.168.0.16 backupserver
name 192.168.0.247 firewall
name 192.168.0.17 qradserver
name 192.168.0.11 qslnx01
name 192.168.0.15 softservpc
name 192.168.0.33 KONICA description KONICA MINOLTA 350/250/200 PCL
name 192.168.0.31 peter
name 192.168.0.95 Russel description Russel
name 192.168.0.140 fransnotebook1
name 192.168.0.159 fransnotebook2
name 192.168.0.84 Justin description Justin
name 192.168.0.103 Zimbratestmail description Zimbra test mail
name 192.168.0.127 Derick
name 192.168.0.40 KM1A3102 description Kyocera
name 192.168.0.139 Continental description Continental 139
name 192.168.0.96 Temp2 description Temp2
name 192.168.0.164 MACPC description MACPC
name 192.168.0.90 FTP description 90
name 192.168.0.141 Chris141 description Chris 141
name 192.168.0.92 printer36 description 36
name 192.168.2.25 XXX-ACC01-internal
name 192.168.2.14 XXX-BCK01-internal
name 192.168.2.21 XXX-DC01-internal
name 192.168.2.22 XXX-DC02-internal
name 192.168.2.23 XXX-EXC01-internal
name 192.168.2.24 XXX-FP01-internal
name 192.168.2.11 XXX-HV01-internal
name 192.168.2.12 XXX-HV02-internal
name 172.0.0.11 XXX-MSH01-internal
name 192.168.2.26 XXX-PST01-internal
name 192.168.2.27 XXX-SFT01-internal
name 192.168.2.28 XXX-SFT02-internal
name 192.168.2.13 XXX-VMM01-internal
name 172.31.24.95 XXX-ACC01-external
name 172.31.24.84 XXX-BCK01-external
name 172.31.24.91 XXX-DC01-external
name 172.31.24.92 XXX-DC02-external
name 172.31.24.93 XXX-EXC01-external
name 172.31.24.94 XXX-FP01-external
name 172.31.24.81 XXX-HV01-external
name 172.31.24.82 XXX-HV02-external
name 172.31.24.96 XXX-PST01-external
name 172.31.24.97 XXX-SFT01-external
name 172.31.24.98 XXX-SFT02-external
name 172.31.24.83 XXX-VMM01-external
name 172.31.24.111 XXX-MSH01-external
name 172.31.24.72 XXX-Hawk-external
name 192.168.10.12 XXX-Hawk-internal
name 172.31.24.73 XXX-Kestrel-external
name 192.168.10.13 XXX-Kestrel-internal
name 172.31.24.74 XXX-Owl-external
name 192.168.10.14 XXX-Owl-internal
name 172.31.24.67 accountssrv-external
name 172.31.24.69 backupserver-external
name 172.31.24.71 qradserver-external
name 172.31.24.70 qslnx01-external
name 172.31.24.68 softservpc-external
name 192.168.0.83 Chris83 description Chris83
name 192.168.0.79 Temp79 description 79
name 192.168.0.118 DanielEberli
name 192.168.0.91 Martinftp description Martin
name 192.168.0.147 Continental147 description Continental147
name 192.168.0.150 Continental150 description Continental150
name 192.168.10.10 XXX-Falcon-Internal
name 172.31.24.76 XXX-Falcon-external
name 192.168.0.151 DarrenFTP
name 192.168.0.119 OliverSteffan
name 192.168.0.113 justin113 description Justin
name 192.168.0.42 TrevorWifi description TervorWiFi
name 192.168.0.116 Vlad description Vlad
name 192.168.0.108 Continental89 description Continental80
name 192.168.0.136 Sobi description Sobi
name 192.168.2.61 Trevor description Trevor
name xxx.xxx.xxx.FHG_Software
name xxx.xxx.xxx.240 XXXXXX
name xxx.xxx.xxx.212 JRA
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
 ospf cost 10
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.0.0.1 255.255.255.0 
 ospf cost 10
!
interface Vlan4
 nameif management
 security-level 75
 ip address 192.168.1.1 255.255.255.0 
 ospf cost 10
!
interface Vlan5
 nameif production
 security-level 75
 ip address 192.168.2.1 255.255.254.0 
 ospf cost 10
!
interface Vlan6
 nameif bob
 security-level 75
 ip address 192.168.10.254 255.255.255.0 
!
interface Vlan7
 nameif loadbalance
 security-level 0
 ip address 10.0.0.2 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 7
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 4
!
interface Ethernet0/3
 switchport access vlan 5
!
interface Ethernet0/4
 switchport access vlan 6
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 7
 speed 100
 duplex full
!
ftp mode passive
clock timezone SAST 2
dns server-group DefaultDNS
 domain-name xxxxxxxx.xxxxxxxxxx.co.za
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Servers
 network-object host accountssrv
 network-object host qslnx01
 network-object host softservpc
 network-object host backupserver
 network-object host qradserver
 network-object host firewall
object-group service OWL_Peter tcp
 port-object eq 465
 port-object eq 995
 port-object eq pop3
 port-object eq smtp
object-group service VPN_tcp tcp
 port-object eq https
 port-object eq pptp
object-group protocol VPN_protocols
 protocol-object gre
 protocol-object esp
object-group service VPN_UDP udp
 port-object eq 4500
 port-object eq isakmp
 port-object eq 1701
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.2.0 255.255.254.0
 network-object 192.168.10.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object host XXX-DC01-internal
 network-object host XXX-DC02-internal
object-group network DM_INLINE_NETWORK_4
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.254.0
object-group network DM_INLINE_NETWORK_5
 network-object host XXX-DC01-internal
 network-object host XXX-DC02-internal
object-group service ActiveDirectoryTCP tcp
 port-object eq 135
 port-object eq 3268
 port-object eq 3269
 port-object eq 445
 port-object eq 88
 port-object eq domain
 port-object eq ldap
 port-object eq ldaps
object-group service ActiveDirectoryUDP udp
 port-object eq 88
 port-object eq domain
object-group service DM_INLINE_TCP_1 tcp
 port-object eq pop3
 port-object eq smtp
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 8080
 port-object eq 8443
 port-object eq ftp
 port-object eq www
object-group network XXX-SERVERS-internal
 network-object host XXX-MSH01-internal
 network-object host XXX-HV01-internal
 network-object host XXX-HV02-internal
 network-object host XXX-VMM01-internal
 network-object host XXX-BCK01-internal
 network-object host XXX-DC01-internal
 network-object host XXX-DC02-internal
 network-object host XXX-EXC01-internal
 network-object host XXX-FP01-internal
 network-object host XXX-ACC01-internal
 network-object host XXX-PST01-internal
 network-object host XXX-SFT01-internal
 network-object host XXX-SFT02-internal
object-group network XXX-SERVERS-external
 network-object host XXX-MSH01-external
 network-object host XXX-HV01-external
 network-object host XXX-HV02-external
 network-object host XXX-VMM01-external
 network-object host XXX-BCK01-external
 network-object host XXX-DC01-external
 network-object host XXX-DC02-external
 network-object host XXX-EXC01-external
 network-object host XXX-FP01-external
 network-object host XXX-ACC01-external
 network-object host XXX-PST01-external
 network-object host XXX-SFT01-external
 network-object host XXX-SFT02-external
object-group service DM_INLINE_TCP_3 tcp
 port-object eq 3389
 port-object eq 5666
object-group network OLD-SERVERS-external
 network-object host accountssrv-external
 network-object host softservpc-external
 network-object host backupserver-external
 network-object host qslnx01-external
 network-object host qradserver-external
object-group network XXX-SERVERS-external
 network-object host XXX-Hawk-external
 network-object host XXX-Kestrel-external
 network-object host XXX-Owl-external
 network-object host XXX-Falcon-external
object-group network XXX-SERVERS-internal
 network-object host XXX-Hawk-internal
 network-object host XXX-Kestrel-internal
 network-object host XXX-Owl-internal
 network-object host XXX-Falcon-Internal
object-group service DM_INLINE_TCP_4 tcp
 port-object eq pptp
 port-object eq smtp
object-group service DM_INLINE_TCP_5 tcp
 port-object eq 3389
 port-object eq 8080
 port-object eq ftp
 port-object eq smtp
object-group service DM_INLINE_TCP_6 tcp
 port-object eq 1433
 port-object eq 3389
object-group service DM_INLINE_TCP_7 tcp
 port-object eq 3389
 port-object eq 5666
object-group network DM_INLINE_NETWORK_2
 network-object host XXX-MSH01-internal
 network-object host XXX-HV01-internal
 network-object host XXX-HV02-internal
 network-object host XXX-VMM01-internal
 network-object host XXX-BCK01-internal
 network-object host XXX-DC01-internal
 network-object host XXX-DC02-internal
 network-object host XXX-EXC01-internal
 network-object host XXX-FP01-internal
 network-object host XXX-ACC01-internal
 network-object host XXX-PST01-internal
 network-object host XXX-SFT01-internal
 network-object host XXX-SFT02-internal
object-group network DM_INLINE_NETWORK_6
 network-object host XXX-MSH01-internal
 network-object host XXX-HV01-internal
 network-object host XXX-HV02-internal
 network-object host XXX-VMM01-internal
 network-object host XXX-BCK01-internal
 network-object host XXX-DC01-internal
 network-object host XXX-DC02-internal
 network-object host XXX-EXC01-internal
 network-object host XXX-FP01-internal
 network-object host XXX-ACC01-internal
 network-object host XXX-PST01-internal
 network-object host XXX-SFT01-internal
 network-object host XXX-SFT02-internal
object-group service DM_INLINE_TCP_10 tcp
 port-object eq pptp
 port-object eq smtp
 port-object eq ftp
object-group service DM_INLINE_TCP_8 tcp
 port-object eq 3389
 port-object eq 5666
object-group service DM_INLINE_TCP_9 tcp
 port-object eq https
 port-object eq pop3
object-group service DM_INLINE_TCP_11 tcp
 port-object eq 8443
 port-object eq https
 port-object eq 4443
 port-object eq 5061
 port-object eq 8080
object-group network DM_INLINE_NETWORK_7
 network-object host xxx.xxx.xxx.125
 network-object XXXXXX 255.255.255.240
object-group service DM_INLINE_TCP_12 tcp
 port-object eq 1433
 port-object eq 3389
 port-object eq 5666
object-group service DM_INLINE_TCP_14 tcp
 port-object eq 8080
 port-object eq 8443
 port-object eq ftp
 port-object eq www
object-group network DM_INLINE_NETWORK_8
 network-object host 192.168.2.221
 network-object host 192.168.2.222
 network-object host 192.168.2.223
 network-object host 192.168.2.224
 network-object host 192.168.2.225
 network-object host 192.168.2.226
 network-object host 192.168.2.227
 network-object host 192.168.2.228
 network-object host 192.168.2.229
 network-object host 192.168.2.230
 network-object host 192.168.2.231
 network-object host 192.168.2.232
 network-object host 192.168.2.233
 network-object host 192.168.2.234
 network-object host 192.168.2.235
 network-object host 192.168.2.236
 network-object host 192.168.2.237
 network-object host 192.168.2.238
 network-object host 192.168.2.239
 network-object host 192.168.2.240
 network-object host 192.168.3.221
 network-object host 192.168.3.222
 network-object host 192.168.3.223
 network-object host 192.168.3.224
 network-object host 192.168.3.225
 network-object host 192.168.3.226
 network-object host 192.168.3.227
 network-object host 192.168.3.228
 network-object host 192.168.3.229
 network-object host 192.168.3.230
 network-object host 192.168.3.231
 network-object host 192.168.3.232
 network-object host 192.168.3.233
 network-object host 192.168.3.234
 network-object host 192.168.3.235
 network-object host 192.168.3.236
 network-object host 192.168.3.237
 network-object host 192.168.3.238
 network-object host 192.168.3.239
 network-object host 192.168.3.240
object-group network DM_INLINE_NETWORK_9
 network-object host xxx.xxx.xxx.124
 network-object XXXXXX 255.255.255.240
object-group service DM_INLINE_TCP_13 tcp
 port-object eq 10000
 port-object eq 17990
 port-object eq 17992
 port-object eq 50000
 port-object eq www
 port-object eq https
 port-object eq 17991
 port-object eq 17995
object-group service XXXXXX udp
 port-object range 50000 65535
object-group network DM_INLINE_NETWORK_10
 network-object host xxx.xxx.xxx.20
 network-object host xxx.xxx.xxx.81
object-group network DM_INLINE_NETWORK_11
 network-object host xxx.xxx.xxx.154
 network-object host xxx.xxx.xxx.120
 network-object host xxx.xxx.xxx.66
 network-object host xxx.xxx.xxx.12
object-group network DM_INLINE_NETWORK_12
 network-object host xxx.xxx.xxx.154
 network-object host xxx.xxx.xxx.120
 network-object host xxx.xxx.xxx.66
 network-object host 172.0.0.12
object-group service DM_INLINE_TCP_15 tcp
 port-object eq 10000
 port-object eq 17990
 port-object eq 17991
 port-object eq 17992
 port-object eq 17995
 port-object eq 50000
 port-object eq www
 port-object eq https
object-group network DM_INLINE_NETWORK_13
 network-object host XXX-MSH01-internal
 network-object host 172.0.0.12
access-list incoming_traffic_inside extended permit tcp any host accountssrv-external eq 3389 
access-list incoming_traffic_inside extended permit icmp any host accountssrv-external 
access-list incoming_traffic_inside extended permit tcp any host softservpc-external eq 3389 
access-list incoming_traffic_inside extended permit icmp any host softservpc-external 
access-list incoming_traffic_inside extended permit tcp any host backupserver-external eq 3389 
access-list incoming_traffic_inside extended permit icmp any host backupserver-external 
access-list incoming_traffic_inside extended permit tcp any host qslnx01-external eq ssh 
access-list incoming_traffic_inside extended permit icmp any host qslnx01-external 
access-list incoming_traffic_inside extended permit tcp any host qradserver-external eq 3389 
access-list incoming_traffic_inside extended permit icmp any host qradserver-external 
access-list incoming_traffic_bob extended permit tcp any host XXX-Hawk-external eq 8700 
access-list incoming_traffic_bob extended permit icmp any host XXX-Hawk-external 
access-list incoming_traffic_bob extended permit tcp any host XXX-Kestrel-external eq 6000 
access-list incoming_traffic_bob extended permit icmp any host XXX-Kestrel-external 
access-list incoming_traffic_bob extended permit tcp any host XXX-Owl-external eq ftp 
access-list incoming_traffic_bob extended permit tcp any host XXX-Owl-external eq www 
access-list incoming_traffic_bob extended permit tcp any host XXX-Owl-external eq 8080 
access-list incoming_traffic_bob extended permit tcp any host XXX-Owl-external eq 8443 
access-list incoming_traffic_bob extended permit icmp any host XXX-Owl-external 
access-list incoming_traffic extended permit tcp XXXXXX 255.255.255.240 object-group XXX-SERVERS-external object-group DM_INLINE_TCP_7 
access-list incoming_traffic extended permit icmp any object-group XXX-SERVERS-external 
access-list incoming_traffic extended permit tcp any host XXX-Hawk-external eq 8700 
access-list incoming_traffic extended permit tcp any host XXX-Falcon-external object-group DM_INLINE_TCP_6 
access-list incoming_traffic extended permit tcp any host XXX-Kestrel-external eq 6000 
access-list incoming_traffic extended permit tcp any host XXX-Owl-external object-group DM_INLINE_TCP_2 
access-list incoming_traffic extended permit tcp any host XXX-EXC01-external object-group DM_INLINE_TCP_1 
access-list incoming_traffic extended permit tcp any host XXX-MSH01-external object-group DM_INLINE_TCP_4 
access-list incoming_traffic extended permit gre any host XXX-MSH01-external 
access-list incoming_traffic extended permit icmp XXXXXX 255.255.255.240 object-group OLD-SERVERS-external inactive 
access-list incoming_traffic extended permit tcp XXXXXX 255.255.255.240 object-group OLD-SERVERS-external eq 3389 inactive 
access-list incoming_traffic extended permit tcp XXXXXX 255.255.255.240 host qslnx01-external eq ssh inactive 
access-list incoming_traffic extended permit icmp XXXXXX 255.255.255.240 object-group XXX-SERVERS-external 
access-list incoming_traffic extended permit tcp XXXXXX 255.255.255.240 object-group XXX-SERVERS-external object-group DM_INLINE_TCP_3 
access-list incoming_traffic extended permit tcp any host XXX-MSH01-external eq ftp 
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 host XXX-MSH01-internal object-group DM_INLINE_TCP_5 
access-list dmz_access_in extended permit udp host XXX-MSH01-internal object-group DM_INLINE_NETWORK_5 object-group ActiveDirectoryUDP 
access-list dmz_access_in extended permit tcp host XXX-MSH01-internal object-group DM_INLINE_NETWORK_3 object-group ActiveDirectoryTCP 
access-list dmz_access_in extended deny ip 172.0.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 inactive 
access-list dmz_access_in extended permit ip object-group DM_INLINE_NETWORK_13 any 
access-list dmz_access_in extended permit ip 172.0.0.0 255.255.255.0 192.168.2.0 255.255.254.0 
access-list production_access_in extended permit ip any 10.0.0.0 255.255.255.0 
access-list production_access_in extended permit ip any 172.0.0.0 255.255.255.0 
access-list production_access_in extended permit ip any 192.168.10.0 255.255.255.0 
access-list production_access_in extended permit ip object-group XXX-SERVERS-internal any 
access-list production_access_in extended permit gre any XXXXXX 255.255.255.240 
access-list production_access_in extended permit tcp any XXXXXX 255.255.255.240 eq pptp 
access-list production_access_in extended permit tcp any object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_TCP_11 
access-list production_access_in extended permit ip host 192.168.2.116 any 
access-list production_access_in extended permit tcp any host xxx.xxx.xxx.125 eq 3389 
access-list production_access_in extended permit ip host Trevor any 
access-list production_access_in extended permit ip object-group DM_INLINE_NETWORK_8 any 
access-list production_access_in extended permit udp any object-group DM_INLINE_NETWORK_11 object-group XXXXXX 
access-list production_access_in extended permit tcp any object-group DM_INLINE_NETWORK_12 object-group DM_INLINE_TCP_13 
access-list production_access_in extended permit ip any object-group DM_INLINE_NETWORK_10 
access-list production_access_in extended permit tcp any host JRA object-group VPN_tcp 
access-list production_access_in extended permit object-group VPN_protocols any host JRA 
access-list production_access_in extended permit udp any host JRA object-group VPN_UDP 
access-list production_access_in extended permit ip any host JRA 
access-list loadbalance_access_in extended permit icmp XXXXXX 255.255.255.240 object-group DM_INLINE_NETWORK_6 
access-list loadbalance_access_in extended permit tcp host FHG_Software host XXX-PST01-internal eq 3389 
access-list loadbalance_access_in extended permit tcp XXXXXX 255.255.255.240 object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_TCP_8 
access-list loadbalance_access_in extended permit tcp any host XXX-EXC01-internal object-group DM_INLINE_TCP_9 
access-list loadbalance_access_in extended permit gre any host XXX-MSH01-internal 
access-list loadbalance_access_in extended permit tcp any host XXX-MSH01-internal object-group DM_INLINE_TCP_10 
access-list loadbalance_access_in extended permit icmp any object-group XXX-SERVERS-internal 
access-list loadbalance_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 object-group XXX-SERVERS-internal object-group DM_INLINE_TCP_12 
access-list loadbalance_access_in extended permit tcp any host XXX-Falcon-Internal eq 3389 
access-list loadbalance_access_in extended permit tcp any host XXX-Kestrel-internal eq 6000 
access-list loadbalance_access_in extended permit tcp any host XXX-Hawk-internal eq 8700 
access-list loadbalance_access_in extended permit tcp any host XXX-Owl-internal object-group DM_INLINE_TCP_14 
access-list loadbalance_access_in extended permit udp any host 172.0.0.12 object-group XXXXXX 
access-list loadbalance_access_in extended permit tcp any host 172.0.0.12 object-group DM_INLINE_TCP_15 
pager lines 24
logging enable
logging timestamp
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu management 1500
mtu production 1500
mtu bob 1500
mtu loadbalance 1500
no failover
monitor-interface inside
monitor-interface dmz
monitor-interface management
monitor-interface production
monitor-interface bob
monitor-interface loadbalance
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
static (management,production) 192.168.1.0 192.168.1.0 netmask 255.255.255.0 
static (dmz,inside) 172.0.0.0 172.0.0.0 netmask 255.255.255.0 
static (production,inside) 192.168.2.0 192.168.2.0 netmask 255.255.254.0 
static (dmz,management) 172.0.0.0 172.0.0.0 netmask 255.255.255.0 
static (dmz,bob) 172.0.0.0 172.0.0.0 netmask 255.255.255.0 
static (bob,dmz) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 
static (dmz,loadbalance) 172.0.0.0 172.0.0.0 netmask 255.255.255.0 
static (dmz,production) 172.0.0.0 172.0.0.0 netmask 255.255.255.0 
static (inside,loadbalance) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 
static (inside,production) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0 
static (production,loadbalance) 192.168.2.0 192.168.2.0 netmask 255.255.254.0 
static (production,management) 192.168.2.0 192.168.2.0 netmask 255.255.254.0 
static (production,bob) 192.168.2.0 192.168.2.0 netmask 255.255.254.0 
static (production,dmz) 192.168.2.0 192.168.2.0 netmask 255.255.254.0 
static (bob,loadbalance) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 
static (bob,production) 192.168.10.0 192.168.10.0 netmask 255.255.255.0 
access-group dmz_access_in in interface dmz
access-group production_access_in in interface production
access-group loadbalance_access_in in interface loadbalance
route loadbalance 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http XXXXXX 255.255.255.240 loadbalance
http 192.168.0.0 255.255.255.0 inside
http 192.168.2.0 255.255.254.0 production
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
telnet timeout 5
ssh timeout 5
console timeout 0

group-policy xxxxxxxxxx internal
group-policy xxxxxxxxxx attributes
 dns-server value 192.168.2.21 192.168.2.22
 vpn-tunnel-protocol IPSec 
username Salaries password xxxxxxxxxxxxxxxxxxxxxxxxxx
username Salaries attributes
 vpn-framed-ip-address 192.168.0.200 255.255.255.0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect icmp 
  inspect ipsec-pass-thru 
!
service-policy global_policy global
prompt hostname context 
no compression svc http-comp
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end


0
 
LVL 35

Expert Comment

by:Ernie Beek
Question, is there a reason you enabled isakmp on the inside?
crypto isakmp enable inside
0
 

Author Comment

by:xpandit
To be honest, I don't even know what that is... We did try and setup external to internal VPN at some stage but never succeeded. We settled on inbound PPTP to a windows server as a solution.
0
 
LVL 35

Expert Comment

by:Ernie Beek
Then let's remove that to see if that helps (for starters).
0
 

Author Comment

by:xpandit
0
 
LVL 35

Expert Comment

by:Ernie Beek
Ok, just to check: you're trying to set this up from the 192.168.0.x network, right?

Second, when you look at the (asdm) logs when you try to connect, does anything show up in there?
0
 

Author Comment

by:xpandit
From the 192.168.2.x network (production).

Will check the logs.
0
 

Author Comment

by:xpandit
Log file entry attached.
0
 

Accepted Solution

by:
xpandit earned 0 total points
Change made to get VPN to work:
PPTP goes out…
GRE 47 needs to come in.
0
 

Author Closing Comment

by:xpandit
PPTP goes out…

GRE 47 needs to come in…

VPN is resolved.
0
 

Author Comment

by:xpandit
We added GRE on inbound connections and it resolved.
0
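The two checks this thread turns on, written as an added example (not the poster's config and not a Cisco tool): which ACL the ASA actually enforces inbound on each interface (the access-group lines), and whether that ACL has an active entry permitting GRE, the protocol the accepted solution says had to be let in. The config text is a constructed excerpt modelled on the one posted above; the interface, ACL and object-group names are taken from it, and the check is protocol-level only (it does not evaluate addresses, ports or NAT).

```python
"""Which ACL does an ASA 7.x interface enforce, and does it permit a given IP protocol?

Added example, not the poster's configuration. SAMPLE_CONFIG is a constructed
excerpt modelled on the running-config in the thread: 'incoming_traffic' is
defined but bound to no interface, and the only GRE entry on the outside-facing
ACL is marked inactive.
"""
import re

SAMPLE_CONFIG = """\
object-group protocol VPN_protocols
 protocol-object gre
 protocol-object esp
object-group service VPN_tcp tcp
 port-object eq https
 port-object eq pptp
access-list incoming_traffic extended permit gre any host XXX-MSH01-external
access-list incoming_traffic extended permit tcp any host XXX-MSH01-external eq pptp
access-list production_access_in extended permit tcp any host JRA object-group VPN_tcp
access-list production_access_in extended permit object-group VPN_protocols any host JRA
access-list loadbalance_access_in extended permit tcp any host XXX-MSH01-internal eq pptp
access-list loadbalance_access_in extended permit gre any host XXX-MSH01-internal inactive
access-group production_access_in in interface production
access-group loadbalance_access_in in interface loadbalance
"""

# The same config with an active GRE entry added to the outside-facing ACL
# (the kind of change the accepted solution describes).
FIXED_CONFIG = SAMPLE_CONFIG + (
    "access-list loadbalance_access_in extended permit gre any host XXX-MSH01-internal\n"
)


def parse_protocol_groups(cfg):
    """{group_name: [protocol, ...]} for 'object-group protocol' blocks."""
    groups, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r'object-group protocol (\S+)', line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and line.startswith(' protocol-object '):
            groups[current].append(line.split()[1])
        elif not line.startswith(' '):
            current = None  # left the block
    return groups


def parse_acl_entries(cfg):
    """{acl_name: [entry, ...]} for 'access-list ... extended' lines.

    The protocol position may hold a protocol name or 'object-group <protocol-group>';
    the latter is expanded so callers can test a single protocol.
    """
    groups = parse_protocol_groups(cfg)
    acls = {}
    for line in cfg.splitlines():
        toks = line.split()
        if len(toks) < 6 or toks[0] != 'access-list' or toks[2] != 'extended':
            continue
        name, action = toks[1], toks[3]
        protos = groups.get(toks[5], []) if toks[4] == 'object-group' else [toks[4]]
        acls.setdefault(name, []).append({
            'action': action,
            'protocols': protos,
            'active': toks[-1] != 'inactive',
            'raw': line,
        })
    return acls


def applied_acls(cfg):
    """{interface: acl_name} from 'access-group <acl> in interface <if>' lines."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r'^access-group (\S+) in interface (\S+)', cfg, re.M)}


def unapplied_acls(cfg):
    """ACLs that exist in the config but are not bound to any interface (so do nothing)."""
    return sorted(set(parse_acl_entries(cfg)) - set(applied_acls(cfg).values()))


def permitted_on(cfg, interface, protocol):
    """Active permit entries on the ACL bound inbound to `interface` that cover `protocol`.

    An 'ip' entry covers every protocol. Returns [] if no ACL is bound to the interface.
    """
    acl = applied_acls(cfg).get(interface)
    if acl is None:
        return []
    return [e['raw'] for e in parse_acl_entries(cfg).get(acl, [])
            if e['active'] and e['action'] == 'permit'
            and (protocol in e['protocols'] or 'ip' in e['protocols'])]


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(label, "- unapplied ACLs:", unapplied_acls(cfg))
        print(label, "- GRE permitted inbound on loadbalance:",
              permitted_on(cfg, 'loadbalance', 'gre') or "NO")
```

Run against the constructed "before" config it reports that incoming_traffic is never applied and that nothing active on loadbalance_access_in permits GRE, which matches the symptom in the thread (PPTP control channel leaves, GRE replies are dropped); the "after" config shows one matching entry.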
