Solved

Cisco ASA IPSEC VPN Troubleshooting

Posted on 2014-07-20
Last Modified: 2014-08-09
Hello all. I've set up 100 of these before, but I cannot figure this out for the life of me.

I can get VPN client to connect fine. I cannot ping through the VPN from the outside VPN client.

I can however, ping from inside the network to the VPN client on the other end.

Here's the config


: Saved
:
ASA Version 8.3(1)
!
hostname XXXXXXXXXXXXXXXXXXXXXXXXXX
enable password password di7P1TO level 0 encrypted
enable password gM7M1 e level 1 encrypted
enable password di7P1TObTEsgM7M1 encrypted
passwd dTlFQE/VXBER7Fmp encrypted
names
name 172.16.2.5 UPSDC
name 172.16.1.15 ABYSS
name 172.16.1.13 ABACUS
name 172.16.1.12 ACCOUNTING
name 172.16.2.7 UPSDC2
name 172.16.1.219 LynnR
name 172.16.1.218 HeatherM
name 172.16.1.212 MINIDESIGN
name 172.16.1.211 DESIGNUSER
name 172.16.1.210 KimT
name 172.16.1.208 designasst
name 172.16.1.207 JoDDesign
name 172.16.1.205 GraphicsMac2
name 172.16.1.204 GraphicsMac1
name 172.16.1.200 Gateway
name 172.16.1.250 BobWilson
name 172.16.1.249 TheresaM
name 172.16.1.248 CPugh
name 172.16.1.247 ABONSERDESK
name 172.16.1.246 KJones
name 172.16.1.245 KevinP
name 172.16.1.243 RickS
name 172.16.1.242 RobinB
name 172.16.1.241 Valerie
name 172.16.1.240 designoffice
name 172.16.1.239 PATTEXEC
name 172.16.1.238 NormaT
name 172.16.1.237 SewMgr
name 172.16.1.199 HQKIOSK
name 172.16.1.198 Maintenance
name 172.16.1.196 UPSUP
name 172.16.1.195 ITAndrewOffice
name 172.16.1.194 LisaBramesWired
name 172.16.1.193 LisaBramesWireless
name 172.16.1.229 April
name 172.16.1.228 GaryW
name 172.16.1.227 Phyllis
name 172.16.1.225 Missy
name 172.16.1.224 GINADESKTOP
name 172.16.1.222 Karen
name 172.16.1.220 EmilyW
name 172.16.1.186 Travel1laptop
name 172.16.1.184 LewBLaptop
name 172.16.1.183 LewB
name 172.16.1.17 BACKUP
name 172.16.1.10 ABBIE
name 172.16.1.40 PitneyBowes
name 172.16.1.251 Jenni
name 172.16.1.182 LynnLaptopWired
name 172.16.1.181 LynnLaptopWireless
name 172.16.1.108 StephanieR
name 172.16.1.106 MicahW
name 172.16.1.103 Purchase
name 172.16.1.102 Sujei
name 172.16.2.8 UPSDCWired
name 172.16.1.110 Webpass
name 172.16.1.192 AbonserLaptop
name 172.16.1.191 AbonserLaptopWireless
name 172.16.1.28 WebServerNIC2
name 172.16.1.109 Webpass2
name 172.16.1.178 BobCorpLaptopWireless
name 172.16.1.177 BobCorpLaptopWired
name 172.16.1.185 Travel1Wireless
name 172.16.1.235 Pass6
name 172.16.1.234 Pass5
name 172.16.1.233 Pass4
name 172.16.1.232 Pass3
name 172.16.1.203 GraphicsIMAC
name 172.16.1.226 GX270CSR
name 172.16.2.11 DCDBSERVER
name 172.16.2.88 CarouselPC
name 172.16.1.120 Kitte
name 172.16.1.189 Smartcut
name 172.16.2.80 WebPassDC
name 172.16.1.221 CService
name 172.16.1.133 LectraWeb
name 172.16.1.217 Tony
name 172.16.1.244 Tpounds
name 172.16.2.9 UPSDC2wired
name 172.16.1.209 EmbGraphics
name 172.16.1.197 HQCafeKiosk
name 65.99.255.0 ExchangeDefender2
name 65.99.192.0 ExchangeDefender1
name 64.182.164.0 ExchangeDefender3
name 64.182.140.0 ExchangeDefender9
name 216.123.109.0 ExchangeDefender7
name 70.84.106.0 ExchangeDefender5
name 72.29.99.0 ExchangeDefender6
name 64.182.139.0 ExchangeDefender8
name 64.182.133.0 ExchangeDefender4
name 206.125.40.0 ExchangeDefender10
name 172.16.1.21 MWHQTS
name 172.16.1.18 MWHQDC1
name 172.16.1.27 MWMailSRV2
name 172.16.1.26 MWMailSRV1
name XXXXXX VPN
name 172.16.1.202 OptitexPC2
name 172.16.1.201 OptitexPC1
name 172.16.1.16 MWWEBDEV
name 172.16.2.87 SewingOffice
name 172.16.2.85 LauraS
name 172.16.1.20 MWNEWVIEWS
name 172.16.1.230 Lectra3
name 172.16.1.216 TOMW
name 172.16.1.223 VIDEOPC
name 172.16.1.231 Pass2
name 172.16.1.127 Radiant
name 76.224.209.97 rods_home
name 70.228.181.0 rod_server_farm
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XXXXXXXXXXXXXXXXXX 255.255.255.224
!
interface Vlan12
 description guest wireless
 no forward interface Vlan1
 nameif guest
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 12
!
!
time-range WeekdayInternet
 periodic weekdays 5:00 to 18:00
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network DC_LAN
 subnet 172.16.2.0 255.255.255.0
object network inside_LAN
 subnet 172.16.1.0 255.255.255.0
object network Public_RDP
 host XXXXX71
object network Private_RDP
 host 172.16.1.21
object network Public_MAIL
 host XXXXX68
object network Private_MAIL
 host 172.16.1.26
object network Public_WEB_Server
 host XXXXX80
object network Private_WEB_Server
 host 172.16.1.28
object network Public_VPN
 host XXXXX69
object network Private_VPN
 host 172.16.1.27

object network AliciaDesktop
 host 172.16.1.213
 description AliciaDesktop  
object network ITAndrewOffice
 host 172.16.1.196
 description ITAndrewOffice  
object network MWNEWVIEWS
 host 172.16.1.20
 description MWNEWVIEWS  
object network MWWEBDEV
 host 172.16.1.16
 description MWWEBDEV  
object network LectraWestCut
 host 172.16.1.214
 description Lectra West Cutter  
object network LectraEastCut
 host 172.16.1.215
 description Lectra East Cutter  
object network GraphicsIMAC2
 host 172.16.1.206
 description GraphicsIMAC2  
object network AlysPlot
 host 172.16.1.187
 description Lectra Alys Plotter Workstation  
object network GraphicsDes2
 host 172.16.1.190
 description Graphics Design Workstation  
object network SwannDVR
 host 172.16.1.49
 description SwannDVR  
object network JasonWalterPC
 host 172.16.1.188
 
object network Pip01
 host 172.16.2.89
 description Pip01  
object network NewWestCut
 host 172.16.1.180
 description NewWestCut  
object network AndrewMPhone
 host 172.16.1.252
 description AndrewM Galaxy Phone  
object network TMasonNetBookWireless
 host 172.16.1.175
 description TMasonNetBookWireless  
object network AndrewMGalaxyDC
 host 172.16.2.250
 description AndrewM Galaxy Smartphone DC  
object network CSMworkstation
 host 172.16.1.179
 description CSM-Pip08 workstation  
object network DCScreenprint
 host 172.16.2.248
 description DC Screenprint Workstation  
object network mwworkstation04
 host 172.16.1.176
 description mwworkstation04  
object network mwworkstation03
 host 172.16.2.84
 description mwworkstation03  
object network pickcarousel
 host 172.16.2.83
 description pickcarousel workstation  
object network saleslaptop01
 host 172.16.1.174
 description saleslaptop01  
object network ACCTGSTATION01
 host 172.16.1.173
 description Accounting Workstation 01  
object network saleslaptop01wireless
 host 172.16.1.172
 description saleslaptop01wireless  
object network mwworkstation05
 host 172.16.1.171
 description mwworkstation05  
object network MWBACKUP
 host 172.16.1.11
 description MWBACKUP  
object network UbuntuServer
 host 172.16.1.19
 description UbuntuServer  
object network EMBPRODUCTION01
 host 172.16.2.86
 description EMBPRODUCTION01  
object network acctgstation02
 host 172.16.1.171
 description acctgstation02  
object network HRDesktop01
 host 172.16.1.199
 description HRDesktop01  
object network TurkeyLinuxJoomla
 host 172.16.1.24
 description Turnkey Linux Joomla Host  
object network Abacus
 host 172.16.1.23
 description Abacus  
object network AccountingServer
 host 172.16.1.22
 description AccountingServer  
object network ITAndrewPC
 host 172.16.1.170
 description ITAndrewPC  
object network designstation02
 host 172.16.1.169
 description designstation02  
object network PCDBSVR
 host 172.16.2.82
 description PSDBSVR  
object network workstation01
 host 172.16.1.168
 description workstation01  
object network mwpcdesk01
 host 172.16.1.167
 description mwpcdesk01  
object network CheerPIP02
 host 172.16.1.166
 description CheerPIP02  
object network TurnkeyLinuxCollabtiveTest
 host 172.16.1.29
 description Turnkey Linux Collabtive Test  
object network mwdesktop02
 host 172.16.1.165
 description MWDESKTOP02  
object network PattExecPC
 host 172.16.1.107
 description PattExecPC  
object network judyh
 host 172.16.1.164
 description judyh.XXXXX.net  
object network jodigym
 host 172.16.1.163
 description jodigym  
object network micahw
 host 172.16.1.162
 description micahw  
object network Maintenance
 host 172.16.1.198
 description Maintenance Room PC  
object network MWLAPTOP2-wired
 host 172.16.1.160
 description MWLAPTOP2-wired  
object network MWLAPTOP2-wireless
 host 172.16.1.161
 description MWLAPTOP2-wireless  
object network ACCTGSTATION03
 host 172.16.1.159
 description Acctgstation03  
object network ScaleNode1
 host 172.16.1.52
 description ScaleNode1  
object network ScaleNode2
 host 172.16.1.53
 description ScaleNode2  
object network ScaleNode3
 host 172.16.1.54
 description ScaleNode3  
object network ScaleNode4
 host 172.16.1.55
 description ScaleNode4  
object network MWSQLSvr
 host 172.16.1.29
 description SQL 2012 Server  
object network V2KAppSvr
 host 172.16.1.31
 description V2KAppSvr  
object network Public_V2Kappsvr_RDP
 host XXXXX75
 description Public_V2Kappsvr_RDP  
object network Public_MWSQLSvr_RDP
 host XXXXX85
 description Public_MWSQLSvr_RDP  
object network Private_MWSQLSvr_RDP
 host 172.16.1.29
 description Private_MWSQLSvr_RDP  
object network Private_V2Kappsvr_RDP
 host 172.16.1.31
 description Private_V2Kappsvr_RDP  
object network TrainingPC1
 host 172.16.1.155
 description TrainingPC1  
object network TrainingPC2
 host 172.16.1.156
 description TrainingPC2  
object network TrainingPC3
 host 172.16.1.157
 description TrainingPC3  
object network TrainingPC4
 host 172.16.1.158
 description TrainingPC4  
object network Redbox1
 host 172.16.1.236
 description Redbox1  
object network Purchase
 host 172.16.1.154
 description Purchase workstation  
object network redbox2
 host 172.16.1.153
 description redbox2  
object network PurchasingWS
 host 172.16.1.152
 description Purchasing Workstation  
object network mwwkstn1
 host 172.16.1.150
 description mwwkstn1  
object network MWCSRWKSTN1
 host 172.16.1.149
 description MWCSRWKSTN1  
object network MWWKSTN02
 host 172.16.1.148
 description MWWKSTN02  
object network NEWDCUPS
 host 172.16.2.90
 description NEWDCUPS  
object network mwm7laptop1wireless
 host 172.16.1.145
 description mww7laptop1 wireless  
object network mwm7laptop2wired
 host 172.16.1.146
 description mww7laptop2 wired  
object network mww7laptop1wired
 host 172.16.1.144
 description mww7laptop1 wired  
object network mww7laptop2wireless
 host 172.16.1.147
 description mww7laptop1 wireless  
object network MWSPICEWORKS
 host 172.16.1.104
 description MWSPICEWORKS VM  
object network USERPC
 host 172.16.1.121
 description IT Contractor  
object network NETWORK_OBJ_172.16.1.0_24
 subnet 172.16.1.0 255.255.255.0
object network NETWORK_OBJ_172.16.1.13
 host 172.16.1.13
object network VisualVPNPool
 subnet 172.16.4.0 255.255.255.0
 description Visual2000 VPN POOL  
object network MXLOGIC1
 subnet 208.65.144.0 255.255.248.0
 description AT&T SEG Subnet  
object network MXLOGIC2
 subnet 208.81.64.0 255.255.248.0
 description AT&T SEG  
object network NETWORK_OBJ_10.16.17.0_24
 subnet 10.16.17.0 255.255.255.0
object-group service pptptcp tcp
 port-object eq pptp
object-group service Mail tcp
 description Email
 port-object eq smtp
object-group service httppop tcp
 port-object eq pop3
 port-object eq www
object-group network Servers
 network-object ACCOUNTING 255.255.255.255
 network-object ABACUS 255.255.255.255
 network-object ABYSS 255.255.255.255
 network-object ABBIE 255.255.255.255
 network-object BACKUP 255.255.255.255
 network-object DCDBSERVER 255.255.255.255
 network-object MWHQDC1 255.255.255.255
 network-object MWHQTS 255.255.255.255
 network-object MWMailSRV1 255.255.255.255
 network-object MWMailSRV2 255.255.255.255
 network-object WebServerNIC2 255.255.255.255
 network-object object MWNEWVIEWS
 network-object object MWWEBDEV
 network-object object MWBACKUP
 network-object object UbuntuServer
 network-object object Abacus
 network-object object AccountingServer
 network-object object ScaleNode1
 network-object object ScaleNode2
 network-object object ScaleNode3
 network-object object ScaleNode4
 network-object object MWSQLSvr
 network-object object V2KAppSvr
object-group network Executive
 network-object BobWilson 255.255.255.255
 network-object SewMgr 255.255.255.255
 network-object NormaT 255.255.255.255
 network-object PATTEXEC 255.255.255.255
 network-object designoffice 255.255.255.255
 network-object Valerie 255.255.255.255
 network-object RobinB 255.255.255.255
 network-object RickS 255.255.255.255
 network-object KevinP 255.255.255.255
 network-object KJones 255.255.255.255
 network-object ABONSERDESK 255.255.255.255
 network-object CPugh 255.255.255.255
 network-object TheresaM 255.255.255.255
 network-object Tony 255.255.255.255
 network-object TOMW 255.255.255.255
 network-object object TMasonNetBookWireless
 network-object object mwworkstation04
 network-object object HRDesktop01
 network-object object mwwkstn1
object-group network Accounting
 network-object Phyllis 255.255.255.255
 network-object GaryW 255.255.255.255
 network-object April 255.255.255.255
 network-object Jenni 255.255.255.255
 network-object object ACCTGSTATION01
 network-object object acctgstation02
 network-object object PurchasingWS
object-group network CustomerService
 network-object HeatherM 255.255.255.255
 network-object LynnR 255.255.255.255
 network-object EmilyW 255.255.255.255
 network-object Karen 255.255.255.255
 network-object GINADESKTOP 255.255.255.255
 network-object Missy 255.255.255.255
 network-object Sujei 255.255.255.255
 network-object GX270CSR 255.255.255.255
 network-object CService 255.255.255.255
 network-object Tpounds 255.255.255.255
 network-object HQKIOSK 255.255.255.255
 network-object VIDEOPC 255.255.255.255
 network-object object CSMworkstation
 network-object object mwworkstation05
 network-object object mwpcdesk01
 network-object object mwdesktop02
 network-object object Purchase
 network-object object MWCSRWKSTN1
 network-object object MWWKSTN02
object-group network Design
 network-object GraphicsMac1 255.255.255.255
 network-object GraphicsMac2 255.255.255.255
 network-object JoDDesign 255.255.255.255
 network-object designasst 255.255.255.255
 network-object KimT 255.255.255.255
 network-object DESIGNUSER 255.255.255.255
 network-object MINIDESIGN 255.255.255.255
 network-object StephanieR 255.255.255.255
 network-object GraphicsIMAC 255.255.255.255
 network-object EmbGraphics 255.255.255.255
 network-object object AliciaDesktop
 network-object host OptitexPC1
 network-object host OptitexPC2
 network-object object GraphicsIMAC2
 network-object object GraphicsDes2
 network-object object JasonWalterPC
 network-object object designstation02
 network-object object CheerPIP02
 network-object object PattExecPC
 network-object object judyh
 network-object object micahw
 network-object object ACCTGSTATION03
object-group network Support
 network-object ITAndrewOffice 255.255.255.255
 network-object Gateway 255.255.255.255
 network-object PitneyBowes 255.255.255.255
 network-object HQCafeKiosk 255.255.255.255
 network-object object ITAndrewOffice
 network-object object SwannDVR
 network-object object saleslaptop01
 network-object object saleslaptop01wireless
 network-object object ITAndrewPC
 network-object object workstation01
 network-object object Redbox1
 network-object object redbox2
 network-object host Purchase
 network-object object MWSPICEWORKS
 network-object object USERPC
object-group network Laptop
 network-object LewB 255.255.255.255
 network-object LewBLaptop 255.255.255.255
 network-object Travel1Wireless 255.255.255.255
 network-object Travel1laptop 255.255.255.255
 network-object AbonserLaptopWireless 255.255.255.255
 network-object AbonserLaptop 255.255.255.255
 network-object LisaBramesWireless 255.255.255.255
 network-object LisaBramesWired 255.255.255.255
 network-object LynnLaptopWireless 255.255.255.255
 network-object LynnLaptopWired 255.255.255.255
 network-object BobCorpLaptopWired 255.255.255.255
 network-object BobCorpLaptopWireless 255.255.255.255
 network-object host Smartcut
 network-object object jodigym
 network-object object MWLAPTOP2-wired
 network-object object MWLAPTOP2-wireless
 network-object object mwm7laptop1wireless
 network-object object mwm7laptop2wired
 network-object object mww7laptop1wired
 network-object object mww7laptop2wireless
object-group service Web tcp
 port-object eq www
 port-object eq ftp-data
 port-object eq https
 port-object eq ftp
object-group network WebPass
 network-object Webpass2 255.255.255.255
 network-object Webpass 255.255.255.255
 network-object Pass3 255.255.255.255
 network-object Pass4 255.255.255.255
 network-object Pass5 255.255.255.255
 network-object Pass6 255.255.255.255
 network-object WebPassDC 255.255.255.255
 network-object host Pass2
 network-object object AndrewMPhone
object-group network ExchangeDefender_All
 description All servers in exchange defender group
 network-object ExchangeDefender10 255.255.255.0
 network-object ExchangeDefender7 255.255.255.0
 network-object ExchangeDefender4 255.255.255.0
 network-object ExchangeDefender8 255.255.255.0
 network-object ExchangeDefender9 255.255.255.0
 network-object ExchangeDefender3 255.255.255.0
 network-object ExchangeDefender1 255.255.255.0
 network-object ExchangeDefender2 255.255.255.0
 network-object ExchangeDefender5 255.255.255.0
 network-object ExchangeDefender6 255.255.255.0
object-group network DistributionCenter
 description Distribution Center
 network-object host DCDBSERVER
 network-object host UPSDC
 network-object host UPSDC2
 network-object host LauraS
 network-object host CarouselPC
 network-object host UPSDCWired
 network-object host UPSDC2wired
 network-object object Pip01
 network-object host SewingOffice
 network-object object AndrewMGalaxyDC
 network-object object DCScreenprint
 network-object object mwworkstation03
 network-object object pickcarousel
 network-object object EMBPRODUCTION01
 network-object object PCDBSVR
 network-object object NEWDCUPS
object-group network Lectra
 description Lectra and Cutting Computers
 network-object host Lectra3
 network-object object LectraEastCut
 network-object object LectraWestCut
 network-object object AlysPlot
 network-object object NewWestCut
object-group network ATT_SEG
 description AT&T Secure Email Gateway Servers
 network-object 209.65.152.64 255.255.255.224
 network-object 209.65.160.64 255.255.255.224
 network-object 209.65.176.64 255.255.255.224
 network-object object MXLOGIC1
 network-object object MXLOGIC2
object-group network TrainingPCs
 description TrainingPCs
 network-object object TrainingPC1
 network-object object TrainingPC2
 network-object object TrainingPC3
 network-object object TrainingPC4
object-group network DM_INLINE_NETWORK_1
 group-object Accounting
 group-object CustomerService
 group-object Design
 group-object Executive
 group-object Laptop
 group-object Servers
 group-object Support
 group-object DistributionCenter
 group-object WebPass
 group-object Lectra
 group-object TrainingPCs
object-group service DM_INLINE_SERVICE_1
 service-object gre
 service-object tcp destination eq pptp
object-group network WeekdayInternet
 description Computers with Weekday Internet Access Only
 network-object object Maintenance
access-list inside_access_in extended permit tcp object Private_MAIL object-group ATT_SEG eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list inside_access_in remark Time Frame Restricted Internet
access-list inside_access_in extended permit ip object-group WeekdayInternet any time-range WeekdayInternet
access-list inside_access_in extended deny ip any any
access-list global_access extended permit ip any any
access-list outside_access extended permit object-group DM_INLINE_SERVICE_1 any host 172.16.1.27
access-list outside_access extended permit tcp object-group ATT_SEG host 172.16.1.26 eq smtp
access-list outside_access extended permit tcp any host 172.16.1.28 object-group Web
access-list outside_access extended permit tcp any host 172.16.1.26 object-group httppop
access-list outside_access extended permit tcp any host 172.16.1.21 eq 3389
access-list outside_access extended permit tcp any object V2KAppSvr eq 3389
access-list outside_access extended permit tcp any object MWSQLSvr eq 3389
access-list outside_access extended deny ip any any
access-list VISUALVPN_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
access-list VISUALVPN_splitTunnelAcl_1 standard permit 172.16.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool VISUAL2000_POOL 10.16.16.2-10.16.16.10 mask 255.255.255.0
ip local pool VISUAL2000_POOL2 10.16.17.1-10.16.17.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 destination static NETWORK_OBJ_10.16.17.0_24 NETWORK_OBJ_10.16.17.0_24
!
object network Private_RDP
 nat (inside,outside) static Public_RDP
object network Private_MAIL
 nat (inside,outside) static Public_MAIL
object network Private_WEB_Server
 nat (inside,outside) static Public_WEB_Server
object network Private_VPN
 nat (inside,outside) static Public_VPN
object network Private_MWSQLSvr_RDP
 nat (inside,outside) static Public_MWSQLSvr_RDP
object network Private_V2Kappsvr_RDP
 nat (inside,outside) static Public_V2Kappsvr_RDP
!
nat (inside,outside) after-auto source dynamic any interface
nat (guest,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 XXXXX65 1
route inside 172.16.2.0 255.255.255.0 172.16.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http ACCOUNTING 255.255.255.255 inside
http MWHQDC1 255.255.255.255 inside
http ABBIE 255.255.255.255 inside
http UPSUP 255.255.255.255 inside
http 172.16.1.153 255.255.255.255 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside ABBIE community ***** version 2c
snmp-server host inside UPSUP community ***** version 2c
snmp-server location XXXXX HQ
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=XXXXX-asa
 proxy-ldc-issuer
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate afc8a64d
    3082024c 308201b5 a0030201 020204af c8a64d30 0d06092a 864886f7 0d010105
    05003038 31173015 06035504 03130e6d 6f74696f 6e776561 722d6173 61311d30
    1b06092a 864886f7 0d010902 160e6d6f 74696f6e 77656172 2d617361 301e170d
    31313034 31343131 30383038 5a170d32 31303431 31313130 3830385a 30383117
    30150603 55040313 0e6d6f74 696f6e77 6561722d 61736131 1d301b06 092a8648
    86f70d01 0902160e 6d6f7469 6f6e7765 61722d61 73613081 9f300d06 092a8648
    86f70d01 01010500 03818d00 30818902 818100e3 4ec3aa6a 5f96b798 e74752ee
    301823ab 26eadfe9 6b081108 c36d58f2 afe004a4 614cb8d4 0b409ed1 5a4ca5eb
    e5be5e99 78e3e7cd e402fc02 8e2ed871 c71242c9 a31efa91 54b2bed0 7d92e040
    fddb3779 3726b8c2 135f8a69 c494a539 19961e23 459aa27e 301723e5 5dd0b68c
    97992c5a 8b59514e 6c63dbdb 4a8b18e8 f53d8b02 03010001 a3633061 300f0603
    551d1301 01ff0405 30030101 ff300e06 03551d0f 0101ff04 04030201 86301f06
    03551d23 04183016 8014ad7c d97fb61d b2727a8c 170805a9 72c9e63a 9c0d301d
    0603551d 0e041604 14ad7cd9 7fb61db2 727a8c17 0805a972 c9e63a9c 0d300d06
    092a8648 86f70d01 01050500 03818100 42ae32a2 de9a1282 c8ce7094 75e5f658
    fdd41799 8b8f69b6 96ae51b2 4744af6d 164a6be8 4ea07dbb 07fea596 923eb446
    0e080f0c 020dd67b ab4d5e2f 4708320b 1551caf4 1475f166 f2fcf148 cf761505
    93bba115 0f0b68e2 3ffbf32e de34cefb d1f22327 7aafc491 2c4e4f5e 801d4ca6
    7a9b28a0 39fe9651 1a3ec324 2e4b8e2e
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
telnet ABBIE 255.255.255.255 inside
telnet ACCOUNTING 255.255.255.255 inside
telnet MWHQDC1 255.255.255.255 inside
telnet UPSUP 255.255.255.255 inside
telnet 172.16.1.153 255.255.255.255 inside
telnet timeout 5
ssh ABBIE 255.255.255.255 inside
ssh ACCOUNTING 255.255.255.255 inside
ssh MWHQDC1 255.255.255.255 inside
ssh UPSUP 255.255.255.255 inside
ssh 172.16.1.153 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.100-192.168.1.150 guest
dhcpd dns 208.67.222.222 208.67.220.220 interface guest
dhcpd lease 86400 interface guest
dhcpd enable guest
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside UPSUP XXXXX-asa
webvpn
group-policy VISUALVPN internal
group-policy VISUALVPN attributes
 wins-server value 172.16.1.12 172.16.1.18
 dns-server value 172.16.1.12 172.16.1.18
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VISUALVPN_splitTunnelAcl_1
 default-domain value XXXXXXXXXXXX
username visual2000 password XXXXXXXXXXXXX encrypted privilege 0
username visual2000 attributes
 vpn-group-policy VISUALVPN
tunnel-group VISUALVPN type remote-access
tunnel-group VISUALVPN general-attributes
 address-pool VISUAL2000_POOL2
 default-group-policy VISUALVPN
tunnel-group VISUALVPN ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:13123d0f02b84ff8bca7d29526daae39
: end
no asdm history enable
Question by:Tom-J-Lael
5 Comments

Expert Comment

by:Patricksr1972
ID: 40207693
Hi

Clients can connect but cannot ping inside the network. Does this mean they can only connect, but nothing else? Or?

BTW: Please hide your privilege passwords before posting here. (cedxxx) isn't that safe to begin with.

Author Comment

by:Tom-J-Lael
ID: 40207945
What I mean is my laptop can successfully connect to the VPN from home. The VPN client gets an IP on the 10.16.17.0/24 network.

The internal subnet at work is 172.16.1.0/24

I cannot ping 172.16.1.196 from home, but 172.16.1.196 can ping my laptop 10.17.17.1 fine.

Author Comment

by:Tom-J-Lael
ID: 40207951
I cannot seem to edit my first post. I went through and tried best to make sure I didn't post any identifiable IP's and such.

Accepted Solution

by:
Tom-J-Lael earned 0 total points
ID: 40226432
@Patricksr1972

Did you have any suggestions other than don't put my enable PW's in the body of the post?

Author Closing Comment

by:Tom-J-Lael
ID: 40250397
VPN was fine. I was able to solve the problem by allowing ICMP through the firewall. For some reason ICMP wasn't allowed through the VPN.
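Editor's note: the closing comment says the fix was "allowing ICMP through the firewall" but does not show the commands. The fragment below is an added example, not the author's actual change, of the narrowest way to do that on ASA 8.3 together with the checks that confirm where a VPN-client ping is being lost. It assumes the names from the posted config (pool VISUAL2000_POOL2 = 10.16.17.0/24, inside LAN 172.16.1.0/24, policy-map global_policy with class inspection_default); the client address 10.16.17.5 in the packet-tracer line is a made-up example from that pool.

```text
! Added example; not from the original post.
!
! 1. Make ICMP stateful. With inspect icmp the ASA matches each echo reply
!    to the client's echo request, so the reply needs no ACL entry of its
!    own. The posted global_policy has no icmp inspection at all.
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
! 2. Decrypted remote-access traffic bypasses the outside ACL only while
!    sysopt connection permit-vpn is in effect (the 8.3 default, which does
!    not show in a normal "show run"; the posted config does not override it).
show running-config all sysopt
!    expect a line: sysopt connection permit-vpn
!
! 3. The identity NAT for the pool (inside,outside 172.16.1.0/24 <-> 10.16.17.0/24)
!    must be the rule that matches; untranslate_hits should climb while a
!    client is pinging. Zero hits means the traffic is being PAT'ed by the
!    after-auto "dynamic any interface" rule instead.
show nat
!
! 4. Walk a client -> inside echo request through every phase and read the
!    first DROP line. 8.3 packet-tracer does not simulate the IPsec decrypt
!    step, so treat an ACL-phase drop for a pool address with caution.
packet-tracer input outside icmp 10.16.17.5 8 0 172.16.1.196 detailed
!
! 5. Authoritative check: while the client pings, #pkts decaps (client -> ASA)
!    and #pkts encaps (ASA -> client) must both increase. decaps rising with
!    encaps flat means the request arrives and the reply is dropped or
!    misrouted on the ASA; both flat means the client is not even sending
!    the traffic into the tunnel (check the split-tunnel list).
show crypto ipsec sa
show vpn-sessiondb remote
```

Two caveats a practitioner should keep in mind when reading the posted config: the `icmp permit any outside` / `icmp permit any inside` lines control ICMP addressed to the ASA's own interfaces, not ICMP passing through it, so they do not affect this problem; and opening ICMP with a broad `permit icmp any any` on the outside ACL would be a wider change than `inspect icmp` and, because of the `sysopt connection permit-vpn` bypass, would not apply to the decrypted VPN traffic anyway.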
