03-15-2007 11:46 PM - edited 02-21-2020 02:55 PM
I have created a VPN with the wizard and it gets connected with no problem. After connection I can only ping the internal interface of the ASA but nothing else, which gives me no access to my network. I think it's a policy or some security issue. Can anyone help me on this please? Where and how do I fix this problem, step by step, as I'm new to this?
Thanks a lot.
03-16-2007 06:49 AM
If you could post the config, that would be great and would get us started in the right direction instead of guessing.
03-16-2007 06:57 AM
Do you need the complete running configs, or just VPN?
03-16-2007 07:03 AM
Whichever you wish, but clean out passwords, public IPs, etc.
03-16-2007 07:05 AM
OK, that sounds good. Well, I don't have access to the firewall right now, but I will post it when I get into it. Can we chat on Yahoo or MSN if you don't mind?
03-17-2007 12:12 AM
ASA Version 7.0(2)
names
name 192.168.0.5 Mail_server
name 192.168.0.3 ISA_server
name 192.168.0.7 AS_400
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.248
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 192.168.0.10 255.255.255.0
!
interface GigabitEthernet0/2
nameif Branch
security-level 50
ip address 172.16.0.15 255.255.0.0
!
interface GigabitEthernet0/3
shutdown
nameif Backup
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.252
!
interface Management0/0
nameif management
security-level 50
ip address 1.11.100.200 255.255.255.0
!
enable password UWtN1nJ2kzYgH8NP encrypted
passwd UWtN1nJ2kzYgH8NP encrypted
hostname ciscoasa
domain-name ciscoasa.com
banner
ftp mode passive
clock timezone AST 3
dns retries 2
dns timeout 2
dns domain-lookup Outside
dns name-server XXX.XXX.XXX.XXX
object-group network PUBLIC_IPS
network-object XXX.XXX.XXX.XXX 255.255.255.255
network-object XXX.XXX.XXX.XXX 255.255.255.255
network-object XXX.XXX.XXX.XXX 255.255.255.255
network-object XXX.XXX.XXX.XXX 255.255.255.255
object-group service Messengers tcp-udp
port-object eq 5100
port-object range 5000 5001
port-object eq 5050
port-object eq 569
port-object eq 1863
port-object range 6891 6901
object-group network Yahoo_messenger
network-object XXX.XXX.XXX.XXX 255.255.255.255
network-object XXX.XXX.XXX.XXX 255.255.255.255
network-object XXX.XXX.XXX.XXX 255.255.255.255
network-object XXX.XXX.XXX.XXX 255.255.255.255
network-object XXX.XXX.XXX.XXX 255.255.255.255
03-17-2007 12:12 AM
access-list outside_access_in extended permit tcp any interface Outside eq smtp
access-list outside_access_in extended permit tcp any interface Outside eq pop3
access-list outside_access_in extended permit tcp any interface Outside eq www
access-list outside_access_in extended deny tcp any any object-group Messengers
access-list outside_access_in extended deny ip object-group Yahoo_messenger any
access-list outside_access_in extended permit tcp any interface Outside eq https
access-list outside_access_in extended permit tcp any object-group PUBLIC_IPS eq www
access-list outside_access_in extended permit tcp any object-group PUBLIC_IPS eq https
access-list outside_access_in extended permit tcp any interface Backup eq https
access-list outside_access_in extended permit tcp any interface Backup eq www
access-list branch_access_in extended permit ip any host Mail_server
access-list branch_access_in extended permit ip any host 192.168.0.6
access-list branch_access_in extended permit ip any host 192.168.0.9
access-list branch_access_in extended permit ip any host 192.168.0.13
access-list Inside_nat0_outbound extended permit ip any 192.168.0.24 255.255.255.254
access-list Inside_nat0_outbound extended permit ip host AS_400 10.144.12.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip host AS_400 192.168.0.72 255.255.255.248
access-list Inside_nat0_outbound extended permit ip host AS_400 host XXX.XXX.XXX.XXX
access-list Inside_nat0_outbound extended permit ip host AS_400 XXX.XXX.XXX.XXX 255.255.255.252
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 host XXX.XXX.XXX.XXX
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 XXX.XXX.XXX.XXX 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.64 255.255.255.252
access-list Inside_nat0_outbound extended permit ip any 192.168.0.72 255.255.255.248
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.72 255.255.255.248
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 host 192.168.0.65
access-list Inside_nat0_outbound extended permit ip host AS_400 host 192.168.0.65
access-list Inside_nat0_outbound extended permit ip any host 192.168.0.65
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 host 192.168.0.75
access-list Inside_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.252
access-list ITMGR_splitTunnelAcl standard permit any
access-list Outside_cryptomap_dyn_20_1 extended permit ip any 192.168.0.24 255.255.255.254
access-list ITMGR_TUNNEL_splitTunnelAcl standard permit any
access-list Outside_cryptomap_dyn_40 extended permit ip any 192.168.0.24 255.255.255.254
access-list Outside_cryptomap_20_1 extended permit ip host AS_400 10.144.12.0 255.255.255.0
access-list Outside_cryptomap_20_2 extended permit ip 192.168.0.0 255.255.255.0 host 195.243.181.2
access-list Outside_cryptomap_20_2 extended permit ip 192.168.0.0 255.255.255.0 XXX.XXX.XXX.XXX 255.255.255.0
access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.0.64 255.255.255.252
!
http-map IM_P2P
port-misuse p2p action reset
port-misuse im action reset
!
pager lines 24
logging enable
logging asdm debugging
mtu Outside 1500
mtu Inside 1500
mtu Branch 1500
mtu Backup 1500
mtu management 1500
ip verify reverse-path interface Outside
ip local pool EDP 192.168.0.65-192.168.0.66 mask 255.255.255.0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface Branch
monitor-interface Backup
monitor-interface management
asdm image disk0:/asdm-502.bin
no asdm history enable
arp timeout 14400
nat-control
03-17-2007 12:13 AM
global (Outside) 1 XXX.XXX.XXX.XXX -XXX.XXX.XXX.XXX netmask 255.255.255.248
global (Outside) 1 XXX.XXX.XXX.XXX netmask 255.255.255.248
global (Outside) 2 XXX.XXX.XXX.XXX netmask 255.255.255.248
global (Backup) 10 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 ISA_server 255.255.255.255 dns
nat (Inside) 1 192.168.0.83 255.255.255.255
nat (Inside) 1 192.168.0.87 255.255.255.255
nat (Inside) 1 192.168.0.89 255.255.255.255
nat (Inside) 1 192.168.0.250 255.255.255.255
nat (Inside) 1 192.168.0.251 255.255.255.255
static (Inside,Outside) tcp interface smtp Mail_server smtp netmask 255.255.255.255 dns
static (Inside,Outside) tcp interface pop3 Mail_server pop3 netmask 255.255.255.255 dns
static (Inside,Outside) tcp interface www Mail_server www netmask 255.255.255.255 dns
static (Inside,Outside) tcp Mail_server smtp 168.187.165.77 smtp netmask 255.255.255.255 norandomseq
static (Inside,Outside) XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX netmask 255.255.255.255
access-group outside_access_in in interface Outside
access-group branch_access_in in interface Branch
route Outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
route Branch 192.168.12.0 255.255.255.0 172.16.0.1 1
route Branch 192.168.11.0 255.255.255.0 172.16.0.1 1
route Branch 192.168.10.0 255.255.255.0 172.16.0.1 1
route Branch 192.168.1.0 255.255.255.0 172.16.0.1 1
route Backup 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
group-policy EDP internal
group-policy EDP attributes
dns-server value 192.168.0.21 192.168.0.22
webvpn
username XXX password xxxencrypted
username XXX password xxxencrypted
username XXX password xxx encrypted privilege 15
vpn-sessiondb max-session-limit 2
03-17-2007 12:13 AM
http server enable
http 192.168.0.65 255.255.255.255 Outside
http 192.168.0.89 255.255.255.255 Inside
http 192.168.0.87 255.255.255.255 Inside
http 192.168.0.83 255.255.255.255 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TUNNEL_ESP_3DES_None esp-3des esp-none
crypto dynamic-map Inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Inside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Inside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map_1 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map_2 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 match address Outside_cryptomap_20_1
crypto map Outside_map 20 set peer XXX.XXX.XXX.XXX
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map_2
crypto map Inside_map 65535 ipsec-isakmp dynamic Inside_dyn_map
crypto map Inside_map interface Inside
crypto map Outside_map_1 20 match address Outside_cryptomap_20_2
crypto map Outside_map_1 20 set peer XXX.XXX.XXX.XXX
crypto map Outside_map_1 20 set transform-set ESP-3DES-SHA
crypto map Outside_map_1 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map_1 interface Outside
isakmp identity address
isakmp enable Outside
isakmp enable Inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
telnet 192.168.0.89 255.255.255.255 Inside
telnet 192.168.0.87 255.255.255.255 Inside
telnet 192.168.0.83 255.255.255.255 Inside
telnet timeout 600
ssh timeout 5
console timeout 0
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key *
tunnel-group EDP type ipsec-ra
tunnel-group EDP general-attributes
address-pool EDP
default-group-policy EDP
tunnel-group EDP ipsec-attributes
pre-shared-key *
tunnel-group-map default-group XXX.XXX.XXX.XXX
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
inspect pptp
policy-map global_default
class inspection_default
!
service-policy global_policy global
tftp-server Inside 192.168.0.83 /TFTP
webvpn
title VPN Service
management-access Inside
Cryptochecksum:d022d609b2d4128fe73bf18ccc09ed49
: end
03-19-2007 07:52 AM
Is there any expert available who can help me on this???
03-19-2007 09:59 AM
First of all, change your vpn pool. It should not be the same network as your inside. Post config back up after you get it changed.
03-19-2007 10:38 AM
You mean I should change the pool to some public IP? If yes, why do you need to know my public IP? Can't you tell what is wrong in this configuration?
03-19-2007 10:48 AM
No, the pool for your vpn clients is 192.168.0.x which is also your inside subnet. The vpn client subnet should not be the same as your inside subnet. Therefore it should be something like 192.168.2.x, not 192.168.0.x. Hope that makes more sense. This is the pool I am referring to.
ip local pool EDP 192.168.0.65-192.168.0.66 mask 255.255.255.0
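As an added illustration of the check described in the reply above (example code written for this thread, not code from the original poster or from Cisco), the following Python script parses the interface addresses and the `ip local pool` lines of an ASA configuration and reports any pool whose range falls inside an interface subnet. The sample configuration embedded in it is constructed from the lines posted earlier in this thread; the masked public addresses (XXX.XXX.XXX.XXX) are skipped by the parser, and the 192.168.2.x replacement range used in the second check is an assumption taken from the reply's suggestion.

```python
import ipaddress
import re

# Constructed sample: interface and pool lines taken from the config posted in
# this thread. The masked Outside address is kept as posted so the parser's
# handling of unparseable addresses is exercised.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address XXX.XXX.XXX.XXX 255.255.255.248
!
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.0.10 255.255.255.0
!
interface GigabitEthernet0/2
 nameif Branch
 security-level 50
 ip address 172.16.0.15 255.255.0.0
!
interface Management0/0
 nameif management
 security-level 50
 ip address 1.11.100.200 255.255.255.0
!
ip local pool EDP 192.168.0.65-192.168.0.66 mask 255.255.255.0
"""

INTERFACE_RE = re.compile(r"^interface\s+(\S+)")
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)")
IP_ADDR_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)")
POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)-(\S+)(?:\s+mask\s+(\S+))?")


def parse_interfaces(config):
    """Return {nameif: ip_network} for every interface with a parseable address."""
    nets = {}
    nameif = None
    for line in config.splitlines():
        if INTERFACE_RE.match(line):
            nameif = None  # new interface block; wait for its nameif
        m = NAMEIF_RE.match(line)
        if m:
            nameif = m.group(1)
            continue
        m = IP_ADDR_RE.match(line)
        if m and nameif:
            try:
                nets[nameif] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            except ValueError:
                pass  # masked (XXX.XXX.XXX.XXX) or malformed address is skipped
    return nets


def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} for each 'ip local pool' line."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def find_pool_overlaps(config):
    """Return [(pool, nameif, network)] for every pool whose first or last
    address lies inside one of the firewall's own interface subnets."""
    nets = parse_interfaces(config)
    overlaps = []
    for pool, (first, last) in parse_pools(config).items():
        for nameif, net in nets.items():
            if first in net or last in net:
                overlaps.append((pool, nameif, str(net)))
    return overlaps


if __name__ == "__main__":
    for pool, nameif, net in find_pool_overlaps(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps interface {nameif} ({net})")
    # Assumed fix from the reply above: move the pool to 192.168.2.x
    fixed = SAMPLE_CONFIG.replace("192.168.0.65-192.168.0.66", "192.168.2.65-192.168.2.66")
    print("overlaps after renumbering:", find_pool_overlaps(fixed))
```

Run against the posted lines, the script flags pool EDP as sitting inside the Inside subnet 192.168.0.0/24, and reports nothing once the range is moved. Note that the posted config also references 192.168.0.64/30 and host 192.168.0.65 in Inside_nat0_outbound and Outside_cryptomap_dyn_20, so any renumbering of the pool should be checked against those entries as well.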
03-19-2007 10:50 AM
I have recently created a new IP segment from 192.168.0.x, so can I use that? 192.168.2.x?
03-19-2007 10:55 AM
Do you think that is the only mistake as per the current configs?