Link to home
Start Free TrialLog in
Avatar of Eric Greene
Eric GreeneFlag for United States of America

asked on

Single host traffic only allowed through ASA--strange.

I have a strange problem. My ASA 5505 has a 10-user license.  I have, at most, seven devices on this side (the remote side) that would be communicating across the L2L VPN I have established with our main building.  When I do a show conn count I see 139 connections. That baffles me.  I'm not a router jockey or Cisco IOS guy, so I'm struggling. Are some of those connections likely to be coming from the main building to here? Either way, here is the real problem.

There are two people who have computers in this office. The first one to establish an internet connection is the only one to be able to use it from that point forward.  Once one of them shuts down, or logs off, then the other machine is able to get out to the internet or across the tunnel.  Otherwise, it's one-at-a-time for the PCs. I have no idea what's happening.  Can anyone help me out? There is definitely traffic going both ways.

Below is the output for sho ver.
Cisco Adaptive Security Appliance Software Version 9.1(6)
Device Manager Version 7.5(2)

Compiled on Fri 27-Feb-15 13:50 by builders
System image file is "disk0:/asa916-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 4 days 17 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2_05
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.09
                             Number of accelerators: 1

 0: Int: Internal-Data0/0    : address is 0081.c45e.ff72, irq 11
 1: Ext: Ethernet0/0         : address is 0081.c45e.ff6a, irq 255
 2: Ext: Ethernet0/1         : address is 0081.c45e.ff6b, irq 255
 3: Ext: Ethernet0/2         : address is 0081.c45e.ff6c, irq 255
 4: Ext: Ethernet0/3         : address is 0081.c45e.ff6d, irq 255
 5: Ext: Ethernet0/4         : address is 0081.c45e.ff6e, irq 255
 6: Ext: Ethernet0/5         : address is 0081.c45e.ff6f, irq 255
 7: Ext: Ethernet0/6         : address is 0081.c45e.ff70, irq 255
 8: Ext: Ethernet0/7         : address is 0081.c45e.ff71, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

Serial Number: XXXXXXXXXXX
Running Permanent Activation Key: XXXXXXXXXXXX XXXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXXX
Configuration register is 0x1
Configuration last modified by enable_15 at 13:19:47.259 UTC Fri Nov 25 2016

Open in new window

sho cryp ipsec sa
interface: outside
    Crypto map tag: CRYPTOMAP, seq num: 10, local addr: 74.xxx.xxx.xxx

      access-list LIBRARY extended permit ip 172.16.128.0 255.255.255.0 172.16.0.0 255.255.252.0
      local ident (addr/mask/prot/port): (172.16.128.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.0.0/255.255.252.0/0/0)
      current_peer: 12.xxx.xxx.xxx


      #pkts encaps: 54866, #pkts encrypt: 54866, #pkts digest: 54866
      #pkts decaps: 72740, #pkts decrypt: 72740, #pkts verify: 72740
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 54866, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 74.xxx.xxx.xxx/0, remote crypto endpt.: 12.xxx.xxx.xxx/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 902BD566
      current inbound spi : 10E582CB

    inbound esp sas:
      spi: 0x10E582CB (283476683)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: CRYPTOMAP
         sa timing: remaining key lifetime (kB/sec): (4353537/11312)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x902BD566 (2418791782)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: CRYPTOMAP
         sa timing: remaining key lifetime (kB/sec): (4371809/11312)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Open in new window

sho cryp ikev1 sa
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 12.xxx.xxx.xxx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Open in new window


Here is the config:
: Saved
: 
: Serial Number: XXXXXXX
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
: Written by enable_15 at 07:02:06.570 UTC Wed Nov 30 2016
!
ASA Version 9.1(6) 
!
hostname MYASA
enable password EUfKAz4sNC/DZq4. encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool RAPOOL 172.16.129.1-172.16.129.10 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.128.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 74.xxx.xxx.xxx 255.255.255.252 
!
ftp mode passive
object network INSIDENET
 subnet 172.16.128.0 255.255.255.0
object network REMOTENET
 subnet 172.16.128.0 255.255.255.0
object network MAINNET
 subnet 172.16.0.0 255.255.252.0
access-list MAIN extended permit ip object REMOTENET object MAINNET 
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static REMOTENET REMOTENET destination static MAINNET MAINNET no-proxy-arp route-lookup
!
nat (inside,outside) after-auto source dynamic INSIDENET interface
route outside 0.0.0.0 0.0.0.0 74.xxx.xxx.yyy 1 
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable
http 172.16.128.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set TRANSFORMSET esp-3des esp-md5-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 65535 set ikev1 transform-set TRANSFORMSET
crypto dynamic-map dynmap 65535 set reverse-route
crypto map CRYPTOMAP 10 match address MAIN
crypto map CRYPTOMAP 10 set peer 12.xxx.xxx.xxx 
crypto map CRYPTOMAP 10 set ikev1 transform-set TRANSFORMSET
crypto map CRYPTOMAP 10 set reverse-route
crypto map CRYPTOMAP 65535 ipsec-isakmp dynamic dynmap
crypto map CRYPTOMAP interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca 6exxxxxxxxxxxxxxxxxxxxxxd491
    <MASKED KEY>
  quit
crypto isakmp identity address 
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 172.16.128.0 255.255.255.0 inside
ssh 172.16.0.0 255.255.252.0 outside
ssh timeout 20
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd dns 172.16.3.254 172.16.3.241
dhcpd domain mydomain.lan
!
dhcpd address 172.16.128.33-172.16.128.64 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username anotheradmin password xxxxxxxxxxxxxx encrypted
username adminuser password xxxxxxxxxxxxxxxxxxx encrypted privilege 15
tunnel-group 12.xxx.xxx.xxx type ipsec-l2l
tunnel-group 12.xxx.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key 3f1Ix@pqzl
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous

Open in new window

Avatar of Pete Long
Pete Long
Flag of United Kingdom of Great Britain and Northern Ireland image

Theres nothing wrong with your VPN config?

When someone can't get on, issue a 'show conn' command and see how many connections you have (not how many people) count the source IPs

P
ASKER CERTIFIED SOLUTION
Avatar of Pete Long
Pete Long
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
These 2 PC's dont have the same IP address do they?
Avatar of Eric Greene

ASKER

Pete,
Thank you again! I had somewhere around 136 listed, but I don't have NEAR that many devices on that end of the tunnel.  Is it counting connections coming across the tunnel from the other side? If so, I'm upgrading to unlimited.