Trouble w/ ASA 5510 and R-VPN

Unanswered Question
Jan 30th, 2008
User Badges:

I'm having a tough time getting remote VPN to work with my ASA 5510.


I know there may be some problems with this config... Any advice would be greatly appreciated.


!

interface Ethernet0/0

nameif outside

security-level 2

ip address 238.198.111.178 255.255.255.248

rip send version 1

!

interface Ethernet0/1

nameif inside

security-level 90

ip address 10.100.1.1 255.255.255.0

!

boot system disk0:/asa721-k8.bin

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service Morbo_Services tcp

port-object eq ftp-data

port-object eq ftp

port-object eq ssh

port-object eq www

access-list buzznetRA_splitTunnelAcl standard permit any

access-list outside_access_in extended permit ip interface outside 10.100.1.0 255.255.255.0

access-list inside_access_in extended permit ip any any

access-list DefaultRAGroup2_splitTunnelAcl standard permit any

access-list outside_cryptomap extended permit ip any 10.100.1.48 255.255.255.240

ip local pool BNVPN_IP_Pool 10.100.1.50-10.100.1.60 mask 255.255.255.255

nat-control

global (outside) 200 interface

nat (inside) 200 10.100.1.0 255.255.255.0

nat (management) 0 access-list management_nat0_outbound

static (inside,outside) 38.98.11.179 10.100.1.2 netmask 255.255.255.255

access-group outside_access_in in interface outside

access-group inside_access_in_1 in interface inside

route outside 0.0.0.0 0.0.0.0 38.98.11.177 1

!

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server value 10.100.1.2

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec l2tp-ipsec webvpn

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelspecified

split-tunnel-network-list value buzznetRA_splitTunnelAcl

default-domain none

split-dns none

intercept-dhcp 255.255.255.255 disable

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

leap-bypass disable

nem disable

backup-servers keep-client-config

msie-proxy server none

msie-proxy method no-modify

msie-proxy except-list none

msie-proxy local-bypass disable

nac disable

nac-sq-period 300

nac-reval-period 36000

nac-default-acl none

address-pools value BNVPN_IP_Pool

client-firewall none

client-access-rule none

username asadowsky password ****== nt-encrypted privilege 0

username john password ****== nt-encrypted privilege 0

username john attributes

vpn-group-policy DfltGrpPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 10.100.1.0 255.255.255.0 inside

crypto ipsec transform-set VPNTRANS esp-3des esp-sha-hmac

crypto ipsec transform-set VPNTRANS mode transport

crypto dynamic-map outside_dyn_map 20 set transform-set VPNTRANS

crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto map inside_map interface inside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

crypto isakmp ipsec-over-tcp port 10000

tunnel-group DefaultRAGroup general-attributes

address-pool BNVPN_IP_Pool

authorization-server-group LOCAL

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *

peer-id-validate cert

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

no authentication ms-chap-v1

authentication ms-chap-v2

tunnel-group DefaultWEBVPNGroup general-attributes

authorization-server-group LOCAL

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

!

class-map inspection_default

match default-inspection-traffic

!

service-policy global_policy global



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
skint Fri, 02/01/2008 - 13:50
User Badges:

access-list inside-nonat permit ip 10.100.1.0 255.255.255.0 10.100.1.0 255.255.255.0

nat (inside) 0 access-list inside-nonat


Your vpn range is on the same network, which should work fine, but you could just as easily use an internal DHCP server at that point.


This is under the assumption that you're even authenticating. Are you? You should probably turn on logging and post the results of that as well.

adamsadowsky Fri, 02/01/2008 - 20:22
User Badges:

I figured it out! I had been trying to authenticate against a PSK *AND* a cert. That was keeping me from successfully authenticating. And, as if that wasn't enough, my IP pool was in the same subnet as my internal network - something I learned that was incorrect.


Many thanks for checking in!


Adam

Actions

This Discussion