Solved

Cisco ASA 5505 no traffic through VPN

Posted on 2013-02-05
772 Views
Last Modified: 2013-02-23
Dear Experts,

I have a Cisco ASA 5505 running 8.4.3. Everything is working properly, and when I connect using the Cisco VPN client all goes well, but once I'm connected I can't ping or RDP to any client or server. I can't figure out what I'm doing wrong.

Below is my running config:

Result of the command: "show run"

: Saved
:
ASA Version 8.4(3)
!
hostname Datec
enable password ******** encrypted
passwd ******** encrypted
names
!
interface Ethernet0/0
 speed 100
!
interface Ethernet0/1
 switchport access vlan 2
 speed 100
!
interface Ethernet0/2
 switchport access vlan 2
 speed 100
!
interface Ethernet0/3
 switchport access vlan 2
 speed 100
!
interface Ethernet0/4
 switchport access vlan 2
 speed 100
!
interface Ethernet0/5
 switchport access vlan 2
 speed 100
!
interface Ethernet0/6
 switchport access vlan 2
 speed 100
!
interface Ethernet0/7
 switchport access vlan 2
 speed 100
!
interface Vlan1
 description internet connection
 nameif OUTSIDE
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 description local network
 nameif INSIDE
 security-level 100
 ip address 192.168.20.254 255.255.255.0
!
ftp mode passive
object network NAT
 subnet 0.0.0.0 0.0.0.0
object network RDP
 host 192.168.20.1
 description RDP to server
object network NETWORK_OBJ_192.168.19.0_28
 subnet 192.168.19.0 255.255.255.240
object network NETWORK_OBJ_192.168.20.0_24
 subnet 192.168.20.0 255.255.255.0
object network HTTPS
 host 192.168.20.1
 description HTTPS to server
object network HTTP
 host 192.168.20.1
 description HTTP to server
object network SMTP
 host 192.168.20.1
 description SMTP to server
access-list OUTSIDE_access_INSIDE extended permit tcp any any eq https
access-list OUTSIDE_access_INSIDE extended permit tcp any any eq www
access-list OUTSIDE_access_INSIDE extended permit tcp any any eq 3389
access-list OUTSIDE_access_INSIDE extended permit tcp any any eq smtp
access-list OUTSIDE_access_INSIDE extended permit icmp any any
access-list OUTSIDE_access_INSIDE extended permit tcp any object RDP eq smtp
access-list OUTSIDE_access_INSIDE extended permit tcp any object RDP eq www
access-list OUTSIDE_access_INSIDE extended permit tcp any object RDP eq https
access-list OUTSIDE_access_INSIDE extended permit tcp any object RDP eq 3389
access-list Datec_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
ip local pool DatecVPN 192.168.19.1-192.168.19.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.19.0_28 NETWORK_OBJ_192.168.19.0_28 no-proxy-arp route-lookup
!
object network NAT
 nat (INSIDE,OUTSIDE) dynamic interface
object network RDP
 nat (INSIDE,OUTSIDE) static interface service tcp 3389 3389
object network HTTPS
 nat (INSIDE,OUTSIDE) static interface service tcp https https
object network HTTP
 nat (INSIDE,OUTSIDE) static interface service tcp www www
object network SMTP
 nat (INSIDE,OUTSIDE) static interface service tcp smtp smtp
access-group OUTSIDE_access_INSIDE in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 192.168.1.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 62.58.146.42 255.255.255.255 OUTSIDE
http 192.168.20.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 62.58.146.42 255.255.255.255 OUTSIDE
telnet 192.168.20.0 255.255.255.0 INSIDE
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy Datec internal
group-policy Datec attributes
 dns-server value 192.168.20.1
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Datec_splitTunnelAcl
username edodas password ******** encrypted privilege 0
username edodas attributes
 vpn-group-policy Datec
username francbieleveldt password ******** encrypted privilege 0
username francbieleveldt attributes
 vpn-group-policy Datec
username liliang password ******** encrypted privilege 0
username liliang attributes
 vpn-group-policy Datec
username robdas password ******** encrypted privilege 0
username robdas attributes
 vpn-group-policy Datec
username robbeishuizen password ******** encrypted privilege 0
username robbeishuizen attributes
 vpn-group-policy Datec
tunnel-group Datec type remote-access
tunnel-group Datec general-attributes
 address-pool DatecVPN
 default-group-policy Datec
tunnel-group Datec ipsec-attributes
 ikev1 pre-shared-key ************
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:658ce8d9757aace76ce1ad218ccf11d6
: end
Question by:mspren
8 Comments
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38855251
From a quick look...

The VPN pool

ip local pool DatecVPN 192.168.19.1-192.168.19.10 mask 255.255.255.0

has a subnet mask of 255.255.255.0

which does not match

object network NETWORK_OBJ_192.168.19.0_28
 subnet 192.168.19.0 255.255.255.240


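As an added example (not code from this thread), the Python below performs the check ArneLovius is describing mechanically: it parses the `ip local pool`, `object network` and twice-NAT `source static ... destination static ...` lines of a `show run` excerpt and lists the pool addresses that the destination object of an identity NAT rule does not contain. Those are the addresses whose traffic would fall through to the `dynamic interface` PAT rule instead of being exempted. The two excerpts in the block are constructed from the configuration posted above; the enlarged 192.168.19.1-192.168.19.20 pool is hypothetical and only there so the failure case is exercised.

```python
"""Check that an ASA remote-access VPN pool is covered by the identity NAT
(NAT exemption) rule that keeps VPN traffic out of dynamic PAT.

Added example for this thread, not code from the original post. It parses
the 'show run' line types involved (ip local pool, object network with a
subnet or host, twice NAT 'source static X X destination static Y Y') and
reports pool addresses the destination object does not contain. Both
config excerpts at the bottom are constructed from the thread's config.
"""
import ipaddress
import re

POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)(?: mask (\S+))?\s*$")
OBJECT_RE = re.compile(r"^object network (\S+)\s*$")
SUBNET_RE = re.compile(r"^\s+subnet (\S+) (\S+)\s*$")
HOST_RE = re.compile(r"^\s+host (\S+)\s*$")
NAT_RE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)"
)


def parse_config(text):
    """Return (pools, objects, nat_rules) from a 'show run' excerpt.

    pools:     name -> (first address, last address)
    objects:   name -> ip_network (only subnet/host objects are kept)
    nat_rules: (in_if, out_if, src_real, src_mapped, dst_real, dst_mapped) tuples
    """
    pools, objects, nat_rules = {}, {}, []
    current = None  # object whose indented body we are in
    for line in text.splitlines():
        if not line.startswith(" "):
            current = None  # any top-level line ends an object body
        if m := POOL_RE.match(line):
            name, first, last, _mask = m.groups()  # the mask is only handed to the client
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif m := OBJECT_RE.match(line):
            current = m.group(1)
        elif m := NAT_RE.match(line):
            nat_rules.append(m.groups())
        elif current and (m := SUBNET_RE.match(line)):
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif current and (m := HOST_RE.match(line)):
            objects[current] = ipaddress.ip_network(m.group(1))
    return pools, objects, nat_rules


def uncovered_pool_addresses(pools, objects, nat_rules):
    """Map (pool, destination object) -> pool addresses the object misses.

    Only identity rules (real == mapped on both sides) count as exemptions,
    and a pool is compared with an object only if the two overlap, so an
    unrelated exemption (e.g. a site-to-site peer) is not reported.
    """
    findings = {}
    for _in_if, _out_if, src_real, src_mapped, dst_real, dst_mapped in nat_rules:
        if src_real != src_mapped or dst_real != dst_mapped:
            continue
        dst_net = objects.get(dst_real)
        if dst_net is None:
            continue
        lo, hi = int(dst_net.network_address), int(dst_net.broadcast_address)
        for pool_name, (first, last) in pools.items():
            addrs = range(int(first), int(last) + 1)
            if not any(lo <= a <= hi for a in addrs):
                continue
            findings[(pool_name, dst_real)] = [
                str(ipaddress.ip_address(a)) for a in addrs if not lo <= a <= hi
            ]
    return findings


def check(text):
    """Parse a config excerpt and return the uncovered-address findings."""
    return uncovered_pool_addresses(*parse_config(text))


# Constructed excerpt of the posted config: /24 pool mask, /28 exemption object.
ORIGINAL = """\
object network NETWORK_OBJ_192.168.19.0_28
 subnet 192.168.19.0 255.255.255.240
object network NETWORK_OBJ_192.168.20.0_24
 subnet 192.168.20.0 255.255.255.0
ip local pool DatecVPN 192.168.19.1-192.168.19.10 mask 255.255.255.0
nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.19.0_28 NETWORK_OBJ_192.168.19.0_28 no-proxy-arp route-lookup
"""

# Hypothetical variant: the pool grows past the /28, so the check has something to report.
ENLARGED_POOL = ORIGINAL.replace("192.168.19.1-192.168.19.10", "192.168.19.1-192.168.19.20")

if __name__ == "__main__":
    for label, cfg in (("posted config", ORIGINAL), ("enlarged pool", ENLARGED_POOL)):
        for (pool, obj), missing in check(cfg).items():
            verdict = "fully covered" if not missing else "NOT covered: " + ", ".join(missing)
            print(f"{label}: pool {pool} vs {obj}: {verdict}")
```

Against the pool and object quoted in this comment the check reports nothing uncovered: 192.168.19.0/28 spans .0 to .15, so the ten pool addresses .1 to .10 all fall inside it, and the `mask 255.255.255.0` on `ip local pool` only sets the netmask handed to the client, it does not widen the pool. That is consistent with the later observation in the thread that widening the object to /24 made no difference. The check would flag a pool that grew past .15 against a /28, as the second excerpt shows.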
Author Comment

by:mspren
ID: 38855441
Thank you for your reply, but when I connect with the VPN client I get the correct IP and subnet mask.

192.168.19.1
255.255.255.0
LVL 36

Expert Comment

by:ArneLovius
ID: 38855667
Yes, but the ACL for the double NAT is for a different subnet mask; change the ACL for the double NAT.

Author Comment

by:mspren
ID: 38858338
I changed it, but still no luck.

object network NETWORK_OBJ_192.168.19.0_24
 subnet 192.168.19.0 255.255.255.0

nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.19.0_24 NETWORK_OBJ_192.168.19.0_24 no-proxy-arp route-lookup
LVL 17

Expert Comment

by:lruiz52
ID: 38860865
Try the command:
clear xlate

Also try running a trace and post back:

packet-tracer input inside icmp 192.168.20.* 8 0 192.168.19.*

Author Comment

by:mspren
ID: 38862838
Result of the command: "Packet-tracer input inside icmp 192.168.20.1 8 0 192.168.19.2"

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.19.2    255.255.255.255 OUTSIDE

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.19.0_24 NETWORK_OBJ_192.168.19.0_24 no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.20.1/0 to 192.168.20.1/0

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 41477, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

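Reading a packet-tracer dump by eye is error-prone, so here is an added example (not code from this thread) that reduces one to the facts that matter when troubleshooting a VPN path: the final action, the first phase that returned DROP, whether the NAT phase was an identity translation (which is what a matching NAT exemption looks like), and the egress interface. TRACE_VPN is a condensed copy of the trace posted above; TRACE_DENIED is a constructed ACL-drop trace, with a hypothetical INSIDE_access_in access-group, so the failure path is exercised as well.

```python
"""Summarise ASA 'packet-tracer' output: final action, first dropping phase,
whether the NAT phase was an identity translation, and the egress interface.

Added example for this thread, not code from the original post. TRACE_VPN is a
condensed copy of the trace posted above (phases 5 and 7 plus the result block);
TRACE_DENIED is a constructed ACL-drop trace so the failure path is exercised too.
"""
import re

PHASE_RE = re.compile(r"^Phase: (\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Action|output-interface|Drop-reason):\s*(.*)$")
TRANSLATE_RE = re.compile(r"^(Static|Dynamic) translate (\S+?)/\S+ to (\S+?)/\S+")

def parse_trace(text):
    """Return {'phases': [...], 'action', 'output_interface', 'drop_reason'}."""
    phases, current = [], None
    summary = {"action": None, "output_interface": None, "drop_reason": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("Config:", "Additional Information:"):
            continue
        if m := PHASE_RE.match(line):
            current = {"phase": int(m.group(1)), "type": None, "subtype": "", "result": None, "info": []}
            phases.append(current)
        elif m := FIELD_RE.match(line):
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "result" and not value:
                current = None  # a bare 'Result:' opens the final summary block
            elif key in ("action", "output-interface", "drop-reason"):
                summary[key.replace("-", "_")] = value
            elif current is not None:
                current[key] = value
        elif current is not None:
            current["info"].append(line)  # Config / Additional Information detail lines

    return {"phases": phases, **summary}

def identity_nat(phases):
    """True if the NAT phase mapped the source to itself, False if to another address, None if no translate line."""
    for p in phases:
        if p["type"] == "NAT":
            for line in p["info"]:
                if m := TRANSLATE_RE.match(line):
                    return m.group(2) == m.group(3)
    return None

def first_drop(phases):
    """(phase number, type) of the first phase whose Result is DROP, else None."""
    for p in phases:
        if p["result"] == "DROP":
            return p["phase"], p["type"]
    return None

def summarise(text):
    """Reduce a trace to the facts a troubleshooter reads off it."""
    t = parse_trace(text)
    return {
        "action": t["action"],
        "output_interface": t["output_interface"],
        "drop_reason": t["drop_reason"],
        "first_drop": first_drop(t["phases"]),
        "identity_nat": identity_nat(t["phases"]),
        "phase_types": [p["type"] for p in t["phases"]],
    }

# Condensed from the trace posted above (ICMP echo 192.168.20.1 -> 192.168.19.2).
TRACE_VPN = """\
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.19.0_24 NETWORK_OBJ_192.168.19.0_24 no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.20.1/0 to 192.168.20.1/0

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW

Result:
output-interface: OUTSIDE
Action: allow
"""

# Constructed: the same packet denied by a hypothetical inbound ACL on INSIDE.
TRACE_DENIED = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group INSIDE_access_in in interface INSIDE

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    print(summarise(TRACE_VPN), summarise(TRACE_DENIED), sep="\n")
```

For the posted trace the summary is action allow, no dropping phase, identity NAT (192.168.20.1 translated to itself) and egress OUTSIDE via the VPN encrypt phase, i.e. the ASA accepts the packet and hands it to the tunnel. That is consistent with the eventual finding in this thread that the fault was on the client side rather than in the firewall configuration.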
Accepted Solution

by: mspren (earned 0 total points)
ID: 38901447
OK, I feel very stupid now. The reason it did not work was that my NIC had multiple IP addresses.

Thank you all anyway for the input.

Author Closing Comment

by:mspren
ID: 38920817
I found it myself.
