5510 not handing out IPs to ASA 5505

Sep 24th, 2007

Good Morning NetPro Community,

I'm new to configuring the 5510/5505 for VPN. I have the VPN nailed up between the 5505 and 5510, but I can't get the 5510 to hand out IPs to the 5505. Any ideas what I'm missing? My config for the 5505 is below. I will paste the 5510 config in my next post due to the character limit. Any help would be appreciated!!! I'm banging my head up against the wall on this;-)


5505 Config:

ASA Version 7.2(2)
!
hostname ciscoasa
domain-name default.domain.invalid
encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.80.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username ntta password ZhOtHfugWPDCYwqX encrypted privilege 15
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
vpnclient server 129.250.40.240
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup ErikVPNHardwareClient password ********
vpnclient username ehoehne password ********
vpnclient enable
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context



Thanks!

Erik

erikhoehne Mon, 09/24/2007 - 05:54

Here's the 5510 Config. Please keep in mind the 5510 has a VPN configured to our Nokia FW as well. 10.80.0.0/24 is what I'm trying to send to the 5505. That traffic will then be sent to our Nokia when going to the 129.250.161.0/25 network. I'm trying to get that working too;-)



5510 Config:

!
interface Ethernet0/0
 nameif outsideinterface
 security-level 0
 ip address 129.250.40.240 255.255.255.224
!
same-security-traffic permit intra-interface
object-group network TelcoNetwork
 description Signaing Server Network Space
 network-object 129.250.161.0 255.255.255.128
access-list outsideinterface_nat0_outbound extended permit ip any 10.80.0.0 255.255.255.0
access-list management_nat0_outbound extended permit ip 10.80.0.0 255.255.255.0 object-group TelcoNetwork
access-list outsideinterface_1_cryptomap extended permit ip 10.80.0.0 255.255.255.0 object-group TelcoNetwork
access-list outsideinterface_cryptomap_65535.65535 extended permit ip any any
ip local pool HardwareClientPool 10.80.0.0-10.80.0.255 mask 255.255.255.0
!
global (outsideinterface) 1 interface
nat (outsideinterface) 1 10.80.0.0 255.255.255.0
route outsideinterface 0.0.0.0 0.0.0.0 129.250.40.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address outsideinterface_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outsideinterface_map 1 match address outsideinterface_1_cryptomap
crypto map outsideinterface_map 1 set pfs
crypto map outsideinterface_map 1 set peer 129.250.40.241
crypto map outsideinterface_map 1 set transform-set ESP-3DES-SHA
crypto map outsideinterface_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outsideinterface_map interface outsideinterface
crypto isakmp identity address
crypto isakmp enable outsideinterface
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
threat-detection basic-threat
threat-detection statistics access-list
!
group-policy ErikVPNHardwareClient internal
group-policy ErikVPNHardwareClient attributes
 dns-server value 10.51.200.251 129.250.161.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 nem enable
encrypted privilege 0
username ntta attributes
 service-type admin
username ehoehne attributes
 vpn-group-policy ErikVPNHardwareClient
tunnel-group ErikVPNHardwareClient type remote-access
tunnel-group ErikVPNHardwareClient general-attributes
 address-pool HardwareClientPool
 default-group-policy ErikVPNHardwareClient
tunnel-group ErikVPNHardwareClient ipsec-attributes
 pre-shared-key *
tunnel-group VPNToDallasFW type ipsec-l2l
tunnel-group VPNToDallasFW ipsec-attributes
 pre-shared-key *



Thanks,

Erik

erikhoehne Mon, 09/24/2007 - 11:44

I just noticed I have an IP on the VLAN 1 interface; please ignore that. I hardcoded that on there to troubleshoot.

kelvindam Sat, 09/29/2007 - 02:00

Your client 5505 is running in Network Extension mode. So the 5505 is assuming that its own network is to be used as the remote net, and is not expecting a DHCP address.


Kelvin
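As an added check that is not part of the thread, the script below reads the relevant lines of the two configs posted above (constructed excerpts, not the full configs) and reports whether the 5505's Easy VPN mode matches what the 5510 is set up to hand out, following the point in the reply above that a NEM client presents its own inside subnet rather than taking a pool address; it also flags the pool 10.80.0.0-10.80.0.255 overlapping the client's inside 10.80.0.0/24. The finding codes are my own labels.

```python
import ipaddress
import re

# Excerpts constructed from the two configs posted in this thread (not the full configs).
CLIENT_CFG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.80.0.1 255.255.255.0
vpnclient server 129.250.40.240
vpnclient mode network-extension-mode
vpnclient enable
"""
SERVER_CFG = """\
ip local pool HardwareClientPool 10.80.0.0-10.80.0.255 mask 255.255.255.0
group-policy ErikVPNHardwareClient attributes
 nem enable
tunnel-group ErikVPNHardwareClient general-attributes
 address-pool HardwareClientPool
"""

def client_mode(cfg):
    # Easy VPN hardware-client mode: 'network-extension-mode' or 'client-mode'
    m = re.search(r"^vpnclient mode (\S+)", cfg, re.M)
    return m.group(1) if m else None

def inside_network(cfg):
    # Subnet of the interface block named 'inside' (ASA lists nameif before ip address)
    m = re.search(r"^ nameif inside\n(?: .*\n)*? ip address (\S+) (\S+)", cfg, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False) if m else None

def pool_range(cfg):
    # (first, last) addresses of the head-end 'ip local pool', or None
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", cfg, re.M)
    return (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))) if m else None

def check(client_cfg, server_cfg):
    # Finding codes (my own labels) for client/head-end mode and pool mismatches
    findings, mode = [], client_mode(client_cfg)
    inside, pool = inside_network(client_cfg), pool_range(server_cfg)
    if mode == "network-extension-mode":
        # NEM: the client presents its own inside subnet instead of taking a pool address
        findings.append("nem-no-pool-address-expected")
        if not re.search(r"^ nem enable", server_cfg, re.M):
            findings.append("nem-not-enabled-in-group-policy")
    if mode == "client-mode" and not re.search(r"^ address-pool ", server_cfg, re.M):
        findings.append("client-mode-without-address-pool")
    if inside and pool and pool[0] <= inside.broadcast_address and pool[1] >= inside.network_address:
        findings.append("pool-overlaps-client-inside-subnet")
    return findings
```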

erikhoehne Mon, 10/01/2007 - 06:51

Good Morning Kevin,

Ahhhhh; I see. Wow, I thought NEM was what is needed. I figured it was something simple I was doing wrong. Let me give this a try.




Thanks for the response!!



Take Care,

Erik
