ASA 5520, VPN issues

Unanswered Question
Mar 15th, 2007

I have created a VPN with the wizard and it gets connected with no problem. After connection I can only ping my internal interface of the ASA but nothing else, which gives me no access to my network. I think it's a policy or some security issue. Can anyone help me on this please? Where and how do I fix this problem, step by step, as I'm new to this?

Thanks a lot.

acomiskey Fri, 03/16/2007 - 06:49

If you could post the config, that would be great and would get us started in the right direction instead of guessing.

acomiskey Fri, 03/16/2007 - 07:03

Whichever you wish, but clean out passwords, public IPs etc.

hussainkhalid Fri, 03/16/2007 - 07:05

OK, that sounds good. Well, I don't have access to the firewall right now but I will post it when I get into it. Can we chat on Yahoo or MSN if you don't mind?

hussainkhalid Sat, 03/17/2007 - 00:12

ASA Version 7.0(2)
names
name 192.168.0.5 Mail_server
name 192.168.0.3 ISA_server
name 192.168.0.7 AS_400
!
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.248
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.10 255.255.255.0
!
interface GigabitEthernet0/2
 nameif Branch
 security-level 50
 ip address 172.16.0.15 255.255.0.0
!
interface GigabitEthernet0/3
 shutdown
 nameif Backup
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.252
!
interface Management0/0
 nameif management
 security-level 50
 ip address 1.11.100.200 255.255.255.0
!
enable password UWtN1nJ2kzYgH8NP encrypted
passwd UWtN1nJ2kzYgH8NP encrypted
hostname ciscoasa
domain-name ciscoasa.com
banner
ftp mode passive
clock timezone AST 3
dns retries 2
dns timeout 2
dns domain-lookup Outside
dns name-server XXX.XXX.XXX.XXX
object-group network PUBLIC_IPS
 network-object XXX.XXX.XXX.XXX 255.255.255.255
 network-object XXX.XXX.XXX.XXX 255.255.255.255
 network-object XXX.XXX.XXX.XXX 255.255.255.255
 network-object XXX.XXX.XXX.XXX 255.255.255.255
object-group service Messengers tcp-udp
 port-object eq 5100
 port-object range 5000 5001
 port-object eq 5050
 port-object eq 569
 port-object eq 1863
 port-object range 6891 6901
object-group network Yahoo_messenger
 network-object XXX.XXX.XXX.XXX 255.255.255.255
 network-object XXX.XXX.XXX.XXX 255.255.255.255
 network-object XXX.XXX.XXX.XXX 255.255.255.255
 network-object XXX.XXX.XXX.XXX 255.255.255.255
 network-object XXX.XXX.XXX.XXX 255.255.255.255

hussainkhalid Sat, 03/17/2007 - 00:12

access-list outside_access_in extended permit tcp any interface Outside eq smtp
access-list outside_access_in extended permit tcp any interface Outside eq pop3
access-list outside_access_in extended permit tcp any interface Outside eq www
access-list outside_access_in extended deny tcp any any object-group Messengers
access-list outside_access_in extended deny ip object-group Yahoo_messenger any
access-list outside_access_in extended permit tcp any interface Outside eq https
access-list outside_access_in extended permit tcp any object-group PUBLIC_IPS eq www
access-list outside_access_in extended permit tcp any object-group PUBLIC_IPS eq https
access-list outside_access_in extended permit tcp any interface Backup eq https
access-list outside_access_in extended permit tcp any interface Backup eq www
access-list branch_access_in extended permit ip any host Mail_server
access-list branch_access_in extended permit ip any host 192.168.0.6
access-list branch_access_in extended permit ip any host 192.168.0.9
access-list branch_access_in extended permit ip any host 192.168.0.13
access-list Inside_nat0_outbound extended permit ip any 192.168.0.24 255.255.255.254
access-list Inside_nat0_outbound extended permit ip host AS_400 10.144.12.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip host AS_400 192.168.0.72 255.255.255.248
access-list Inside_nat0_outbound extended permit ip host AS_400 host XXX.XXX.XXX.XXX
access-list Inside_nat0_outbound extended permit ip host AS_400 XXX.XXX.XXX.XXX 255.255.255.252
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 host XXX.XXX.XXX.XXX
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 XXX.XXX.XXX.XXX 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.64 255.255.255.252
access-list Inside_nat0_outbound extended permit ip any 192.168.0.72 255.255.255.248
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.72 255.255.255.248
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 host 192.168.0.65
access-list Inside_nat0_outbound extended permit ip host AS_400 host 192.168.0.65
access-list Inside_nat0_outbound extended permit ip any host 192.168.0.65
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 host 192.168.0.75
access-list Inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.252
access-list ITMGR_splitTunnelAcl standard permit any
access-list Outside_cryptomap_dyn_20_1 extended permit ip any 192.168.0.24 255.255.255.254
access-list ITMGR_TUNNEL_splitTunnelAcl standard permit any
access-list Outside_cryptomap_dyn_40 extended permit ip any 192.168.0.24 255.255.255.254
access-list Outside_cryptomap_20_1 extended permit ip host AS_400 10.144.12.0 255.255.255.0
access-list Outside_cryptomap_20_2 extended permit ip 192.168.0.0 255.255.255.0 host 195.243.181.2
access-list Outside_cryptomap_20_2 extended permit ip 192.168.0.0 255.255.255.0 XXX.XXX.XXX.XXX 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.0.64 255.255.255.252
!
http-map IM_P2P
 port-misuse p2p action reset
 port-misuse im action reset
!
pager lines 24
logging enable
logging asdm debugging
mtu Outside 1500
mtu Inside 1500
mtu Branch 1500
mtu Backup 1500
mtu management 1500
ip verify reverse-path interface Outside
ip local pool EDP 192.168.0.65-192.168.0.66 mask 255.255.255.0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface Branch
monitor-interface Backup
monitor-interface management
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
nat-control

hussainkhalid Sat, 03/17/2007 - 00:13

global (Outside) 1 XXX.XXX.XXX.XXX-XXX.XXX.XXX.XXX netmask 255.255.255.248
global (Outside) 1 XXX.XXX.XXX.XXX netmask 255.255.255.248
global (Outside) 2 XXX.XXX.XXX.XXX netmask 255.255.255.248
global (Backup) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 ISA_server 255.255.255.255 dns
nat (Inside) 1 192.168.0.83 255.255.255.255
nat (Inside) 1 192.168.0.87 255.255.255.255
nat (Inside) 1 192.168.0.89 255.255.255.255
nat (Inside) 1 192.168.0.250 255.255.255.255
nat (Inside) 1 192.168.0.251 255.255.255.255
static (Inside,Outside) tcp interface smtp Mail_server smtp netmask 255.255.255.255 dns
static (Inside,Outside) tcp interface pop3 Mail_server pop3 netmask 255.255.255.255 dns
static (Inside,Outside) tcp interface www Mail_server www netmask 255.255.255.255 dns
static (Inside,Outside) tcp Mail_server smtp 168.187.165.77 smtp netmask 255.255.255.255 norandomseq
static (Inside,Outside) XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX netmask 255.255.255.255
access-group outside_access_in in interface Outside
access-group branch_access_in in interface Branch
route Outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
route Branch 192.168.12.0 255.255.255.0 172.16.0.1 1
route Branch 192.168.11.0 255.255.255.0 172.16.0.1 1
route Branch 192.168.10.0 255.255.255.0 172.16.0.1 1
route Branch 192.168.1.0 255.255.255.0 172.16.0.1 1
route Backup 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy EDP internal
group-policy EDP attributes
 dns-server value 192.168.0.21 192.168.0.22
 webvpn
username XXX password xxx encrypted
username XXX password xxx encrypted
username XXX password xxx encrypted privilege 15
vpn-sessiondb max-session-limit 2

hussainkhalid Sat, 03/17/2007 - 00:13

http server enable
http 192.168.0.65 255.255.255.255 Outside
http 192.168.0.89 255.255.255.255 Inside
http 192.168.0.87 255.255.255.255 Inside
http 192.168.0.83 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TUNNEL_ESP_3DES_None esp-3des esp-none
crypto dynamic-map Inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Inside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Inside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map_1 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map_2 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 match address Outside_cryptomap_20_1
crypto map Outside_map 20 set peer XXX.XXX.XXX.XXX
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map_2
crypto map Inside_map 65535 ipsec-isakmp dynamic Inside_dyn_map
crypto map Inside_map interface Inside
crypto map Outside_map_1 20 match address Outside_cryptomap_20_2
crypto map Outside_map_1 20 set peer XXX.XXX.XXX.XXX
crypto map Outside_map_1 20 set transform-set ESP-3DES-SHA
crypto map Outside_map_1 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map_1 interface Outside
isakmp identity address
isakmp enable Outside
isakmp enable Inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
telnet 192.168.0.89 255.255.255.255 Inside
telnet 192.168.0.87 255.255.255.255 Inside
telnet 192.168.0.83 255.255.255.255 Inside
telnet timeout 600
ssh timeout 5
console timeout 0
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 pre-shared-key *
tunnel-group EDP type ipsec-ra
tunnel-group EDP general-attributes
 address-pool EDP
 default-group-policy EDP
tunnel-group EDP ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group XXX.XXX.XXX.XXX
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect pptp
policy-map global_default
 class inspection_default
!
service-policy global_policy global
tftp-server Inside 192.168.0.83 /TFTP
webvpn
 title VPN Service
management-access Inside
Cryptochecksum:d022d609b2d4128fe73bf18ccc09ed49
: end
ciscoasa#

acomiskey Mon, 03/19/2007 - 09:59

First of all, change your vpn pool. It should not be the same network as your inside. Post config back up after you get it changed.

hussainkhalid Mon, 03/19/2007 - 10:38

You mean I should change the pool to some public IP? If yes, why do you need to know my public IP? Can't you tell what is wrong in this configuration?

acomiskey Mon, 03/19/2007 - 10:48

No, the pool for your vpn clients is 192.168.0.x which is also your inside subnet. The vpn client subnet should not be the same as your inside subnet. Therefore it should be something like 192.168.2.x, not 192.168.0.x. Hope that makes more sense. This is the pool I am referring to.

ip local pool EDP 192.168.0.65-192.168.0.66 mask 255.255.255.0

hussainkhalid Mon, 03/19/2007 - 10:50

I have recently created a new IP segment from 192.168.0.x, so can I use that? 192.168.2.x?

acomiskey Mon, 03/19/2007 - 11:00

All the corresponding statements that reference that pool, the interesting traffic and nat 0 ACLs, would need to reflect the change in the pool.
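
The two points acomiskey makes (the pool must not overlap an interface subnet, and every ACL that names the old pool range has to follow the change) can be checked mechanically. The script below is an added example written for this thread, not code from the thread or from Cisco; it runs over a constructed excerpt modelled on the posted config (the SAMPLE_CONFIG string and the alternative 192.168.2.x pool are assumptions) and reports which interface a pool collides with and which access-list lines still point at a given address range.

```python
"""Audit an ASA config for a VPN pool that overlaps an interface subnet and list
the access-list lines that reference a pool range (added example, not from the thread)."""
import ipaddress
import re

# Constructed excerpt modelled on the config posted in the thread (public IPs omitted).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.10 255.255.255.0
interface GigabitEthernet0/2
 nameif Branch
 security-level 50
 ip address 172.16.0.15 255.255.0.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.64 255.255.255.252
access-list Inside_nat0_outbound extended permit ip any host 192.168.0.65
access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.0.64 255.255.255.252
ip local pool EDP 192.168.0.65-192.168.0.66 mask 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")


def parse_interfaces(config):
    """Map each nameif to its IPv4Interface (address plus mask) from 'interface' blocks."""
    result, nameif = {}, None
    for line in config.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "interface":
            nameif = None                      # new block; nameif comes later
        elif tokens[0] == "nameif" and len(tokens) > 1:
            nameif = tokens[1]
        elif tokens[:2] == ["ip", "address"] and nameif and len(tokens) >= 4:
            result[nameif] = ipaddress.ip_interface(f"{tokens[2]}/{tokens[3]}")
    return result


def parse_pools(config):
    """Map each 'ip local pool' name to the list of networks covering its range."""
    pools = {}
    for line in config.splitlines():
        m = POOL.match(line.strip())
        if m:
            first = ipaddress.ip_address(m.group(2))
            last = ipaddress.ip_address(m.group(3))
            pools[m.group(1)] = list(ipaddress.summarize_address_range(first, last))
    return pools


def find_overlaps(config):
    """Return (pool, nameif) pairs where a VPN pool lies inside an interface subnet."""
    ifaces = parse_interfaces(config)
    hits = []
    for pool, nets in parse_pools(config).items():
        for nameif, iface in ifaces.items():
            if any(iface.network.overlaps(n) for n in nets):
                hits.append((pool, nameif))
    return hits


def networks_in_line(line):
    """Extract 'host A' and 'A MASK' operands of an access-list line as networks."""
    tokens, nets, i = line.split(), [], 0
    while i < len(tokens):
        t = tokens[i]
        if t == "host" and i + 1 < len(tokens) and IPV4.match(tokens[i + 1]):
            nets.append(ipaddress.ip_network(tokens[i + 1]))
            i += 2
        elif IPV4.match(t) and i + 1 < len(tokens) and IPV4.match(tokens[i + 1]):
            # ASA ACLs use subnet masks (not wildcards), so addr/mask parses directly.
            nets.append(ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False))
            i += 2
        else:
            i += 1
    return nets


def find_references(config, first, last):
    """Return access-list lines whose address operands overlap the range first..last."""
    rng = list(ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                                 ipaddress.ip_address(last)))
    return [line for line in config.splitlines()
            if line.startswith("access-list")
            and any(n.overlaps(r) for n in networks_in_line(line) for r in rng)]


if __name__ == "__main__":
    print("pool/interface overlaps:", find_overlaps(SAMPLE_CONFIG))
    for ref in find_references(SAMPLE_CONFIG, "192.168.0.65", "192.168.0.66"):
        print("references old pool range:", ref)
```

Running it on the excerpt flags the EDP pool against the Inside interface and lists all three access-list lines that carry the old 192.168.0.64/30 or 192.168.0.65 operands; after changing only the pool line to a 192.168.2.x range, the overlap disappears but the same three lines still reference the old addresses, which is exactly the follow-up work the reply describes.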

hussainkhalid Mon, 03/19/2007 - 11:04

One more question: can I give any IP to that pool or does it have to be a valid IP? E.g. I don't have any IP segment with 192.168.5.x. Can I assign this segment to the pool?

hussainkhalid Mon, 03/19/2007 - 22:46

Admin,

I want to delete this post because of some critical issue. How can I remove this post?
