Remote access VPN can't access inside devices.

Here's a weird one...

I have to install a Cisco 5506 ASA at a location that had a Cisco 5505 ASA.  The old 5505 will be moved to a branch site.  Both ASAs will be accepting remote access VPN connections, and there will be a site-to-site VPN between the ASAs.

Since I'm doing all this remotely, I had the new 5506 shipped to me.  I took a spare 5505 that I had and connected everything to a 3750 switch that I configured to act as the internet.  I got both ASAs configured so that I could establish remote access VPN sessions from "the outside" and access devices on the inside.  The site-to-site VPN came up fine as well.

I boxed up the 5506 and shipped it to the main office, where the existing 5505 was removed and the 5506 was installed in its place.  Worked perfectly.

The 5505 was then given the new config that I created in the lab environment.  It was then installed in the branch site.  The 5505 came up fine, inside users have internet access, site-to-site VPN works fine and remote access VPN sessions can be established.  But... remote access VPN users can't access any inside devices.  And I can't establish an SSH session to the ASA.

I compared the running 5505 config with the one that works in the lab.  They are identical.  I then set up my spare 5505 on the lab environment with the exact same config.  I can establish a remote access VPN connection, access inside devices and get an SSH session to the ASA working.

The question is: why is it not working on the live site with the same config???

Here's the sanitized config:
ASA Version 8.2(5)26
!
hostname xxxx
domain-name xxx.com
enable password 
passwd 
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address w.x.y.z 255.255.255.248
!
boot system disk0:/asa825-26-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list vpn-split-tunnel standard permit 192.168.0.0 255.255.0.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip any 192.168.254.0 255.255.255.0
pager lines 24
logging buffer-size 65536
logging buffered informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 192.168.254.1-192.168.254.30 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.2.0 255.255.255.0
nat (outside) 1 192.168.254.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 h.i.j.k 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authentication ssh console LOCAL
http server enable
http 192.168.254.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 match address 100
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer a.b.c.d
crypto map outside_map 20 set transform-set myset
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint Self_Signed_TP
 enrollment self
 subject-name xxxxxxxx
 crl configure
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.254.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.2.64-192.168.2.128 inside
dhcpd dns 75.75.75.75 8.8.8.8 interface inside
dhcpd domain xxxxxxxx interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 165.193.126.229 source outside prefer
webvpn
group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-split-tunnel
 default-domain value 
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  customization value DfltCustomization
username xxxx password ffffff
username xxxx attributes
 vpn-idle-timeout 30
username zzzz password yyyyyy encrypted privilege 15
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
 pre-shared-key *****
tunnel-group PSK-Users type remote-access
tunnel-group PSK-Users general-attributes
 address-pool VPN_Pool
tunnel-group PSK-Users ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect ip-options
  inspect icmp

Don Johnston (Instructor) asked:
Pete Long (Technical Consultant) commented:
IPSEC Remote VPN? Works on the bench but not in production? Connects but no traffic passes?
If so, then it's probably NAT-Traversal.

SSH - did you 'cry key gen rsa mod 2048' on the one you shipped? If not, SSH will disconnect immediately with no error.

And - put some memory in the 5505 and upgrade it to version 9; you can get a chip off eBay for about 5 dollars.

Don Johnston (Instructor, Author) commented:
>>If so, then it's probably NAT-Traversal.
You nailed it (as usual).  NAT-traversal was disabled. I still don't get why it worked in the lab but not in production. :-(

>>SSH - did you 'cry key gen rsa mod 2048' on the one you shipped?
Yeah, gen'd a new key.  SSH worked fine from inside.  Should have mentioned that.

>>And - put some memory in the 5505 and upgrade it to version 9; you can get a chip off eBay for about 5 dollars.
It's not my 5505.  Customer's wishes.  And the customer is always right if you want to keep getting the business.  I make recommendations and sometimes they heed them.  Other times, not so much.

Thanks!
Don Johnston (Instructor, Author) commented:
Thanks Pete!!!
Pete Long (Technical Consultant) commented:
>>You nailed it (as usual).  NAT-traversal was disabled. I still don't get why it worked in the lab but not in production. :-(

Because in production the remote client was behind a NAT device :)

P
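An added check (not part of the thread, and not Cisco's tooling) that takes a constructed excerpt of the posted ASA 8.2 config and flags the three things this thread turns on: NAT-T disabled while remote-access tunnel groups exist, a VPN pool that is not covered by the nat 0 / nonat exemption, and SSH from the pool to the inside interface without `management-access inside`. The function name `audit_remote_access` and the `ASA_CONFIG` excerpt are assumptions of this example.

```python
import ipaddress
import re

# Constructed excerpt of the sanitized ASA 8.2 config posted in the question.
ASA_CONFIG = """\
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip any 192.168.254.0 255.255.255.0
ip local pool VPN_Pool 192.168.254.1-192.168.254.30 mask 255.255.255.224
nat (inside) 0 access-list nonat
no crypto isakmp nat-traversal
ssh 192.168.254.0 255.255.255.0 inside
management-access inside
tunnel-group PSK-Users type remote-access
"""

def _net(spec):
    """Turn an ACL/pool operand ('any' or 'addr mask') into an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_remote_access(config):
    """Return findings for the remote-access VPN data path (ASA 8.2 syntax only)."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    ra_groups = re.findall(r"^tunnel-group (\S+) type remote-access$", config, re.M)
    # 1. NAT-T off: a client behind a NAT device finishes IKE, but ESP cannot get back
    #    through the NAT, so the session connects and passes no traffic.
    if ra_groups and "no crypto isakmp nat-traversal" in lines:
        findings.append("nat-t: disabled while remote-access groups exist: " + ", ".join(ra_groups))
    # 2. Pool addresses must be exempt from NAT (nat 0 + nonat ACL) to reach inside hosts.
    pools = {n: _net(f"{a} {m}") for n, a, m in
             re.findall(r"^ip local pool (\S+) (\S+)-\S+ mask (\S+)$", config, re.M)}
    exempt = [_net(d) for d in re.findall(
        r"^access-list nonat extended permit ip (?:any|\S+ \S+) (any|\S+ \S+)$", config, re.M)]
    if "nat (inside) 0 access-list nonat" not in lines:
        exempt = []
    for name, pool in pools.items():
        if not any(pool.subnet_of(e) for e in exempt):
            findings.append(f"nonat: pool {name} ({pool}) is not NAT-exempt on inside")
    # 3. SSH/ASDM from the pool to the inside address only works with management-access inside.
    ssh_nets = [_net(s) for s in re.findall(r"^ssh (\S+ \S+) inside$", config, re.M)]
    if any(p.overlaps(s) for p in pools.values() for s in ssh_nets) \
            and "management-access inside" not in lines:
        findings.append("mgmt: ssh from the VPN pool to inside needs 'management-access inside'")
    return findings

if __name__ == "__main__":
    for finding in audit_remote_access(ASA_CONFIG):
        print(finding)
```

Run against the excerpt as posted it reports only the NAT-T finding; with `crypto isakmp nat-traversal` in place of the `no` form it reports nothing.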