Solved

cisco ASA 5520  ver 7.2

Posted on 2013-11-27
28
475 Views
Last Modified: 2013-12-05
I am trying to  to get the client VPN working  to my  network via 5520 ASA
I can connect to the VPN server but I cant ping any devices and I cant see my  servers or switches on the 10.40.226.0.
 Below is my Listing


!
hostname XXX-FW
domain-name default.domain.invalid
enable password HB13YlevMtUcL7F2 encrypted
names
name 10.40.226.60 OWA_Server description Exchange 2010
name x.x.x.x MX-External description SMTP-Iternal IP
name 10.40.226.200 MX-Server description SMTP Server
name x.x.x.x external-OWA description Web-Server
!
interface GigabitEthernet0/0
 description LAN Interface
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description ISP Interface
 nameif Outside
 security-level 0
 ip address 195.X.X.X 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd HB13YlevMtUcL7F2 encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network Northeast
 description NE
 network-object 172.16.1.0 255.255.255.0
 network-object 172.16.3.0 255.255.255.0
object-group network VPNRange
 network-object 192.168.18.0 255.255.255.0
access-list ICMP extended permit icmp any any
access-list XXXX_VPN_splitTunnelAcl standard permit 10.40.226.0 255.255.255.0
access-list RemoteVPNUsers extended permit ip any any
access-list RemoteVPNUsers extended permit tcp any any
access-list XXX_VPN_splitTunnelAcl_1 standard permit 10.40.226.0 255.255.255.0
access-list outside extended permit tcp any host MX-External eq smtp
access-list outside extended permit tcp any host external-OWA eq https
access-list outside extended permit tcp any host external-OWA eq 3389
access-list inside_access_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu Outside 1500
ip local pool remotepool 192.168.18.10-192.168.18.100
no failover
monitor-interface inside
monitor-interface Outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 195.X.X.X netmask 255.255.255.248
global (Outside) 2 195.X.X.X netmask 255.255.255.0
nat (inside) 2 10.40.226.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Outside) tcp MX-External smtp 10.40.226.40 smtp netmask 255.255.255.255
static (inside,Outside) tcp OWA_Server https OWA_Server https netmask 255.255.255.255
access-group inside_access_in in interface inside
route inside 10.40.226.0 255.255.255.0 172.16.1.254 1
route inside 172.16.3.0 255.255.255.0 172.16.1.254 1
route inside 172.16.4.0 255.255.255.0 172.16.1.254 1
route Outside 0.0.0.0 0.0.0.0 195.40.10.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy XXX_VPN internal
group-policy XXX_VPN attributes
 dns-server value 10.40.226.56 10.40.226.58
 vpn-filter none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXX_VPN_splitTunnelAcl_1
 default-domain value XXXX
username XXX password 0iTejLO.n6ldwbbu encrypted
http server enable
http 172.16.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable inside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group XXX_VPN type ipsec-ra
tunnel-group XXX_VPN general-attributes
 address-pool (Outside) remotepool
 address-pool remotepool
 default-group-policy XXX_VPN
tunnel-group XXX_VPN ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map ICMP-CMAP
 match access-list ICMP
!
!
policy-map global_policy
 class ICMP-CMAP
  inspect icmp
!
prompt hostname context
Cryptochecksum:864bfc6f118dcfd7db575fc5c1326800
: end
0
Comment
Question by:thombie
  • 14
  • 11
  • 3
28 Comments
 
LVL 18

Expert Comment

by:fgasimzade
Comment Utility
What is your default gateway on 10.40.226.0 network?

Is there a route to 192.168.18.0 subnet?
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
Like fgasimzade said: the machines on the 10.40.226.0 network need a route to the 192.168.18.0 network.

Second: I see you're not exempting the VPN traffic from NAT
access-list nonat extended permit ip 10.40.226.0 255.255.255.0 192.168.18.0 255.255.255.0
nat (inside) 0 access-list nonat


Third: have a look at the (ASDM) logs. They might give you a clue what's going wrong.
0
 

Author Comment

by:thombie
Comment Utility
10.40.226.1 is  the deault gateway to 10.40.226.0
so do I need to add a static route  to 192.168.18.0  ?
0
 
LVL 18

Expert Comment

by:fgasimzade
Comment Utility
Yes, you would need to add a route on 10.40.226.1
0
 

Author Comment

by:thombie
Comment Utility
what would the  syntax look like on a cisco switch
 ip route  192.168.18.0  255.255.255.0  10.40.226.1 ?
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
Almost, should be:
ip route  192.168.18.0  255.255.255.0 172.16.1.1

FW needs to be the gateway.
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
Also, like I said, check the NAT exempt. Is there a reason you're not using that?
0
 

Author Comment

by:thombie
Comment Utility
Just added  NONAT    config and I cant ping  10.40.226.1
would that be an ICMP issue ?  in fact I cant out to the to the internet  any ideas ?
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
You also added the route on the intermediate switch?

And did you check the (ASDM) logs, anything showing there?
0
 
LVL 18

Expert Comment

by:fgasimzade
Comment Utility
Pls confirm you have added the static route

Also, pls remove this access list and check again

access-group inside_access_in in interface inside

and make sure you have

sysopt connection permit-ipsec

configured on ASA
0
 

Author Comment

by:thombie
Comment Utility
This my current config o thefirewall still cant  ping inside from the VPN


: Saved
:
ASA Version 7.2(2)
!
hostname xxxx-FW
domain-name default.domain.invalid
enable password HB13YlevMtUcL7F2 encrypted
names
name 10.40.226.60 OWA_Server description Exchange 2010
name 195.40.10.101 MX-External description SMTP-Iternal IP
name 10.40.226.200 MX-Server description SMTP Server
name 195.XXX external-OWA description Web-Server
!
interface GigabitEthernet0/0
 description LAN Interface
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description ISP Interface
 nameif Outside
 security-level 0
 ip address 195.XXXX 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd HB13YlevMtUcL7F2 encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network Northeast
 description NE
 network-object 172.16.1.0 255.255.255.0
 network-object 172.16.3.0 255.255.255.0
object-group network VPNRange
 network-object 192.168.18.0 255.255.255.0
access-list ICMP extended permit icmp any any
access-list XXXX_VPN_splitTunnelAcl standard permit 10.40.226.0 255.255.255.0
access-list RemoteVPNUsers extended permit ip any any
access-list RemoteVPNUsers extended permit tcp any any
access-list XXXX_VPN_splitTunnelAcl_1 standard permit 10.40.226.0 255.255.255.0
access-list outside extended permit tcp any host MX-External eq smtp
access-list outside extended permit tcp any host external-OWA eq https
access-list outside extended permit tcp any host external-OWA eq 3389
access-list nonat extended permit ip 10.40.226.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list inside_access_in remark Internal UDP
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any
access-list Outside_access_in extended permit ip any any inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu Outside 1500
ip local pool remotepool 192.168.18.10-192.168.18.100
no failover
monitor-interface inside
monitor-interface Outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 195x.x.x netmask 255.255.255.248
global (Outside) 2 195.XXX netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 2 10.40.226.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
route inside 10.40.226.0 255.255.255.0 172.16.1.254 1
route inside 172.16.3.0 255.255.255.0 172.16.1.254 1
route inside 172.16.4.0 255.255.255.0 172.16.1.254 1
route Outside 0.0.0.0 0.0.0.0 195.40.10.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy XXXX_VPN internal
group-policy XXXX_VPN attributes
 dns-server value 10.40.226.56 10.40.226.58
 vpn-filter none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXXX_VPN_splitTunnelAcl_1
 default-domain value services.XXXXconsulting.co.uk
username jthombs password 0iTejLO.n6ldwbbu encrypted
http server enable
http 172.16.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable inside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group XXXX_VPN type ipsec-ra
tunnel-group XXXX_VPN general-attributes
 address-pool (Outside) remotepool
 address-pool remotepool
 default-group-policy XXXX_VPN
tunnel-group XXXX_VPN ipsec-attributes
 pre-shared-key *
telnet 172.16.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map ICMP-CMAP
 match access-list ICMP
!
!
policy-map global_policy
 class ICMP-CMAP
  inspect icmp
!
prompt hostname context
Cryptochecksum:b957f31b8c5aa62e9375a7293b3b3df9
: end
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
Have a look at these:
access-list Outside_access_in extended permit ip any any inactive
access-group Outside_access_in in interface Outside


Effectively this means that nothing is allowed from the out- to the inside.
(implicit 'deny all' at the end of every ACL)
0
 

Author Comment

by:thombie
Comment Utility
What need to 192.168.18.0/24  allowed in
as well as  ports 443 25 and 80
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
Comment Utility
If you use:
access-list Outside_access_in extended permit ip 192.168.18.0 255.255.255.0 10.40.226.0 255.255.255.0

That should take care of that. Because you allow IP, those ports are included. Or do you need those ports allowed to another host/IP?
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 

Author Comment

by:thombie
Comment Utility
stange still cant ping
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
Anything showing in the logs?
0
 

Author Comment

by:thombie
Comment Utility
I can hit the server still no icmp though
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
You can hit (connect to) the server but not ping?
Try:
access-list Outside_access_in extended permit icmp 192.168.18.0 255.255.255.0 10.40.226.0 255.255.255.0
0
 

Author Comment

by:thombie
Comment Utility
actually i cant hit the server
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
Let's check the log then.
0
 

Author Comment

by:thombie
Comment Utility
looks like its getting stopped on at NAT
nat.PNG
0
 

Author Comment

by:thombie
Comment Utility
see attached  should this rule be the other way round
0
 

Author Comment

by:thombie
Comment Utility
0
 

Author Comment

by:thombie
Comment Utility
I Have attached my rulebase
rulebase.PNG
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
That nat exempt could be the one.....

192.168.18.0 is on the outside of the firewall, not the inside.

But then, in your config it's:
access-list nonat extended permit ip 10.40.226.0 255.255.255.0 192.168.18.0 255.255.255.0
Which is ok. Or did you make some more changes after posting that?
0
 

Author Closing Comment

by:thombie
Comment Utility
Thanks for your patience  its all working now.
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
Good to hear :)
And thx 4 the points.

So how did you resolve it?
0
 

Author Comment

by:thombie
Comment Utility
flipping  the NAT rule around.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now