Chris Collins
asked on
Cisco ASA 5505 DMZ not working and site-to-site VPN not working
Hi again everyone -
So sorry to be a pest. Now that I have my ASA 5505 up and running with successful Internet access by devices on my LAN, I can't seem to get my DMZ to gain internet access. Nor can I get a simple IPSec site-to-site VPN to work. This is really frustrating as the ASA on the other side already participates in another separate site-to-site VPN (set up by me) which works just fine.
I have looked at NAT rules and access rules and can't seem to find the difference. The only thing I did differently on this VPN was to try Diffie-Hellman Group 1, as the Group 2 settings didn't work.
Below is the sanitized config of the ASA that has a working DMZ and a working VPN as well as the non-working VPN. I have replaced my static public IP with xx.xx.xx.xx and the peer IPs in the VPNs are vv.vv.vv.vv for the one that works and ng.ng.ng.ng for the one that doesn't work.
I will return to this post momentarily and add a comment with the running configuration of the ASA at the other site.
Thanks in advance for any help.
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password /zzzzzzzzz encrypted
passwd zzzzzzz.zzzz encrypted
names
name 192.168.1.0 dmz_outside
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.0.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa825-k8.bin
boot system disk0:/asa821-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup dmz
object-group network obj_any
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service TCP-RDP tcp
description For Remote Desktop
port-object eq 3389
access-list outside_access_in extended permit tcp any interface outside eq 3909
access-list outside_access_in extended permit tcp any interface outside eq 18004
access-list outside_access_in extended permit tcp any interface outside eq 9000
access-list outside_access_in extended permit tcp any interface outside eq 9001
access-list outside_access_in extended permit udp any interface outside eq 18004
access-list outside_access_in extended permit udp any interface outside eq 9000
access-list outside_access_in extended permit udp any interface outside eq 9001
access-list outside_access_in extended permit tcp any interface outside eq 3910
access-list outside_access_in extended permit tcp any interface outside eq 3920
access-list outside_access_in extended permit tcp any interface outside eq 37777
access-list outside_access_in extended permit udp any interface outside eq 37778
access-list outside_access_in extended permit tcp any interface outside eq 3980
access-list NAT-EXEMPT extended permit ip 10.0.0.0 255.0.0.0 192.168.10.0 255.255.255.0
access-list CBC-VPN_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 192.168.10.96 255.255.255.240
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.0.10.0 255.255.255.0
access-list CBCColo_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list outside_2_cryptomap extended permit ip 10.0.0.0 255.0.0.0 10.0.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool CBC-IP-Pool 192.168.10.100-192.168.10.110 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3909 10.0.0.250 3909 netmask 255.255.255.255
static (inside,outside) tcp interface 37777 10.0.0.201 37777 netmask 255.255.255.255
static (inside,outside) udp interface 37778 10.0.0.201 37778 netmask 255.255.255.255
static (inside,outside) tcp interface 9000 10.0.0.201 9000 netmask 255.255.255.255
static (inside,outside) udp interface 9000 10.0.0.201 9000 netmask 255.255.255.255
static (inside,outside) tcp interface 9001 10.0.0.201 9001 netmask 255.255.255.255
static (inside,outside) udp interface 9001 10.0.0.201 9001 netmask 255.255.255.255
static (inside,outside) tcp interface 3910 10.0.0.240 3910 netmask 255.255.255.255
static (inside,outside) tcp interface 3920 10.0.0.205 3920 netmask 255.255.255.255
static (inside,outside) tcp interface 3980 10.0.0.40 3980 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 108.58.161.137 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http dmz_outside 255.255.255.0 inside
http 10.0.0.0 255.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer vv.vv.vv.vv
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer ng.ng.ng.ng
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair CBC-VPN
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 31a50357
308201cf 30820138 a0030201 02020431 a5035730 0d06092a 864886f7 0d010104
0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648
86f70d01 09021608 63697363 6f617361 301e170d 31363034 30353131 34343439
5a170d32 36303430 33313134 3434395a 302c3111 300f0603 55040313 08636973
636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081
9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100be f0c1daab
2fa656a0 bbe74eae b9707813 a05185e0 f49c0655 e8e894ed 0ad170c2 3175a5b6
fd9ac176 0c3a98ca 559f3087 2aa97ad5 f06fdde8 d9e0022b 5abec8cd 7f2b8531
ac860478 ee0bb22c 9da96115 01f70cf4 1e797625 8bb8119c 75205ab1 89f6767a
1110c17a 262c508f 9540fef7 c48fb098 75a5eff0 9dd46a00 ce610902 03010001
300d0609 2a864886 f70d0101 04050003 8181005d ee000c0a a2242a92 6aa84135
aac94ec2 7240d17c e8803878 b2cd39b5 3e5e2472 a80dd685 a00c9b44 02588176
5ad7dbbc aafa88ce b8f63c23 421402ff ea9dc087 fe3226ee 37885058 0a1c0cb7
62a1a99d 9b75ca06 b2c5347c 5bbd6263 1db54799 a7af8a5b 4d96d5b3 88a3286b
4cdad74f d5d94cd3 f7bd31bf 38bf6335 510ff2
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.100-10.0.0.200 inside
dhcpd dns 167.206.112.138 167.206.7.4 interface inside
dhcpd lease 86400 interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.25-192.168.1.125 dmz
dhcpd dns 167.206.112.138 167.206.7.4 interface dmz
dhcpd lease 86400 interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
group-policy CBCColo internal
group-policy CBCColo attributes
dns-server value 167.206.112.138 167.206.7.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CBCColo_splitTunnelAcl
group-policy CBC-VPN internal
group-policy CBC-VPN attributes
dns-server value 167.206.112.138 4.2.2.2
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CBC-VPN_splitTunnelAcl
username Knick password 8fU15clIKy2LMdDA encrypted
username Knick attributes
vpn-group-policy CBC-VPN
username Karen password eZXo.kyQ86Z8Q0M1 encrypted
username Karen attributes
vpn-group-policy CBC-VPN
username Chris password WaHJvjGgsU52H0ec encrypted privilege 0
username Chris attributes
vpn-group-policy CBC-VPN
tunnel-group CBC-VPN type remote-access
tunnel-group CBC-VPN general-attributes
address-pool CBC-IP-Pool
default-group-policy CBC-VPN
tunnel-group CBC-VPN ipsec-attributes
pre-shared-key *
tunnel-group vv.vv.vv.vv type ipsec-l2l
tunnel-group vv.vv.vv.vv ipsec-attributes
pre-shared-key *
tunnel-group CBCColo type remote-access
tunnel-group CBCColo general-attributes
address-pool CBC-IP-Pool
default-group-policy CBCColo
tunnel-group CBCColo ipsec-attributes
pre-shared-key *
tunnel-group ng.ng.ng.ng type ipsec-l2l
tunnel-group ng.ng.ng.ng ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:edb66806680478ec55d3c521d584b277
: end
What system is supposed to be in the DMZ? You do not have a single access-list that deals with allowing traffic to the DMZ section 192.168.1.0/24.
Nor do you seem to have access-lists that permit access to the DMZ, nor ones that define what resources the DMZ-positioned system(s) can connect to.
You have ethernet0/5, 0/6, 0/7 set to be in the dmz vlan; what is connected there? IP address?
Which config is valid for the question? 192.168.1.0/24 from the original or 192.168.10.0/24 from the second?
Defining a vlan and assigning it to an interface is just one step of many. You have set the rule; are you using PAT or NAT? Dedicate an external IP to one DMZ system, or have multiple rules mapping external ip:port to internal_system:service_port.
......
The other issue is you might have ip overlap as 192.168.1.0/24 seems to exist as a segment on both ASAs.
ASKER
Hi Arnold -
One of my ASAs (the first one whose configuration I listed) has a DMZ that works perfectly well. There is a wireless access point and a couple of PCs in that DMZ and they all have internet access. That is the one whose address range is 192.168.1.xxx.
The other ASA was set up in a similar fashion with a DMZ on VLAN 3, assigned to interfaces 5, 6, and 7 with an IP address range of 192.168.10.xxx. There is a wireless access point connected there which does not work and cannot gain internet access.
In addition, I have tried to set up a site-to-site VPN between these two ASAs, and that is not working.
Hope this helps to clarify things.
ASKER CERTIFIED SOLUTION
ASKER
That was it! Thank you very much.
I think you were also correct about IP overlap - I realized when analyzing my configuration more closely that the Cisco-AnyConnect VPN on the other side was using the same IP range that I was trying to use on this side in my DMZ. Once I rectified that, the site-to-site VPN also started working.
Thank you. Your help is greatly appreciated.
ASKER
The static public IP is denoted as xx.xx.xx.xx and the non-functional peer IP for the VPN is ng.ng.ng.ng.
Thanks.
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(1)
!
hostname CBCTechASA02
enable password zzzzzzzz encrypted
passwd zzzzzz.zzz encrypted
names
!
interface Vlan1
description INSIDE
nameif inside
security-level 100
ip address 10.0.10.1 255.255.255.0
!
interface Vlan2
description OUTSIDE
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
switchport access vlan 3
!
interface Ethernet0/7
switchport access vlan 3
!
ftp mode passive
access-list outside_1_cryptomap extended permit ip 10.0.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.10.0 255.255.255.0 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 23.24.87.214 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer ng.ng.ng.ng
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 75.75.75.75
dhcpd auto_config outside
!
dhcpd address 10.0.10.50-10.0.10.99 inside
dhcpd dns 75.75.75.75 interface inside
dhcpd enable inside
!
dhcpd address 192.168.10.50-192.168.10.6
dhcpd dns 75.75.75.75 75.75.76.76 interface dmz
dhcpd enable dmz
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group ng.ng.ng.ng type ipsec-l2l
tunnel-group ng.ng.ng.ng ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d09b50a4e71
: end
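An added example, not part of the thread: a small Python checker that reads the two posted configs and reports the two things discussed here. First, an interface with no nat/global pairing on 8.2 (Arnold's PAT-or-NAT question; compare `nat (dmz) 101 0.0.0.0 0.0.0.0` on the first ASA with the absence of any `nat (dmz)` line on the second). Second, address ranges at one site that overlap ranges at the other (the asker's finding that CBC-IP-Pool 192.168.10.100-110 on the first ASA lands inside the second ASA's DMZ 192.168.10.0/24). The config excerpts are constructed from the posted configs and trimmed to the lines the checks read; the outside addresses the thread sanitised as xx.xx.xx.xx are replaced by RFC 5737 placeholders. Run as-is it also flags the first ASA's inside 10.0.0.0/8 against the second ASA's inside 10.0.10.0/24, which overlap in the posted configs even though the thread doesn't discuss it (hosts at the first site would treat 10.0.10.x as on-link rather than send it to the tunnel).

```python
"""Cross-check two ASA 8.2 running configs for an interface with no NAT/PAT rule and
for address ranges at one site that overlap ranges at the other site."""
import ipaddress
import re

# Constructed excerpts modelled on the two configs posted in the thread, trimmed to the
# lines these checks read. 203.0.113.x stands in for the sanitised public addresses.
ASA1_EXCERPT = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.0.0.0
interface Vlan3
 nameif dmz
 ip address 192.168.1.254 255.255.255.0
ip local pool CBC-IP-Pool 192.168.10.100-192.168.10.110 mask 255.255.255.0
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (dmz) 101 0.0.0.0 0.0.0.0
"""

ASA2_EXCERPT = """\
interface Vlan1
 nameif inside
 ip address 10.0.10.1 255.255.255.0
interface Vlan3
 nameif dmz
 ip address 192.168.10.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""


def parse_asa(text):
    """Pull interfaces, local pools, global and nat statements out of an 8.2-style config."""
    cfg = {"interfaces": {}, "pools": {}, "global_ids": set(), "global_ifs": set(), "nat": {}}
    current = None  # nameif of the interface block being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = None  # the nameif line names the block
            continue
        if m := re.match(r"nameif (\S+)$", line):
            current = m.group(1)
            cfg["interfaces"].setdefault(current, None)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and current:
            cfg["interfaces"][current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"global \((\S+)\) (\d+)", line):
            cfg["global_ifs"].add(m.group(1))
            cfg["global_ids"].add(int(m.group(2)))
        elif m := re.match(r"nat \((\S+)\) (\d+)", line):
            cfg["nat"].setdefault(m.group(1), set()).add(int(m.group(2)))
    return cfg


def interfaces_without_nat(cfg):
    """Interfaces whose hosts have no translation to a global (PAT) address. On 8.2 a
    nat (ifname) ID pairs with global (outside) ID; nat id 0 is exemption, not PAT."""
    missing = []
    for name in cfg["interfaces"]:
        if name in cfg["global_ifs"]:
            continue  # the outside side of the translation, not a source interface
        if not (cfg["nat"].get(name, set()) & cfg["global_ids"]):
            missing.append(name)
    return missing


def address_blocks(site, cfg):
    """Every address range a site owns, as (label, first_int, last_int)."""
    blocks = []
    for name, net in cfg["interfaces"].items():
        if net is not None:
            blocks.append((f"{site} {name} {net}", int(net.network_address), int(net.broadcast_address)))
    for name, (first, last) in cfg["pools"].items():
        blocks.append((f"{site} pool {name} {first}-{last}", int(first), int(last)))
    return blocks


def cross_site_overlaps(site_a, cfg_a, site_b, cfg_b):
    """Pairs of ranges, one per site, sharing at least one address; any such pair
    breaks routing across a site-to-site tunnel between the two."""
    hits = []
    for la, fa, ta in address_blocks(site_a, cfg_a):
        for lb, fb, tb in address_blocks(site_b, cfg_b):
            if fa <= tb and fb <= ta:
                hits.append((la, lb))
    return hits


if __name__ == "__main__":
    site1, site2 = parse_asa(ASA1_EXCERPT), parse_asa(ASA2_EXCERPT)
    for site, cfg in (("ASA1", site1), ("ASA2", site2)):
        print(f"{site}: interfaces with no NAT/PAT to a global: {interfaces_without_nat(cfg) or 'none'}")
    for a, b in cross_site_overlaps("ASA1", site1, "ASA2", site2):
        print(f"overlap: {a}  <->  {b}")
```

The parser only understands the 8.2 nat/global pairing used in the posted configs; 8.3 and later moved to object-based NAT, so the same check there needs a different parser. Point it at a full `sh run` of each side before bringing up a tunnel and the overlap report answers the "is it the same range on both ends" question without reading the configs by hand.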