09-10-2008 09:51 AM - edited 02-21-2020 03:56 PM
I have a Cisco 5510 deployed and it's connected to a 1 Mbps leased internet line. I need to configure it for remote VPN users to access the internal Exchange server and sync with the email system. They should also be able to access LAN servers using the VPN. I have tried several scenarios but still I can't get access to the local LAN servers via the VPN at any cost :( (it connects fine and can ping the inside interface IP address only)
Any help would be highly appreciated.
Below is my config;
LAN is 192.168.134.0
!
passwd xxx
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
access-list abc-primary-tunnel_splitTunnelAcl standard permit 192.168.134.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.128
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool primary-vpn-pool 192.168.166.1-192.168.166.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 59.133.230.21 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.134.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
group-policy abc-primary-tunnel internal
group-policy abc-primary-tunnel attributes
dns-server value 192.168.134.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value abc-primary-tunnel_splitTunnelAcl
default-domain value domain.local
username user1 password xxxencrypted privilege 0
username user1 attributes
vpn-group-policy abc-primary-tunnel
tunnel-group abc-primary-tunnel type remote-access
tunnel-group abc-primary-tunnel general-attributes
address-pool primary-vpn-pool
default-group-policy abc-primary-tunnel
tunnel-group abc-primary-tunnel ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
09-10-2008 09:58 AM
Hello,
Your NAT 0 access-list has the wrong subnet mask for the VPN pool subnet; your VPN pool has 255.255.255.0.
The nat 0 ACL has "192.168.166.0 255.255.255.128":
access-list inside_nat0_outbound extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.128
ip local pool primary-vpn-pool 192.168.166.1-192.168.166.100 mask 255.255.255.0
Change the subnet mask on the NAT 0 access-list to 255.255.255.0 and then check.
HTH
Saju
Pls rate if it helps
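The mask check discussed in this reply, as an added Python example that is not from the thread: it parses the `ip local pool`, `access-list ... extended permit ip` and `nat (inside) 0` lines and lists every pool address for which LAN-to-pool traffic would not be exempt from NAT. The sample lines are the ones posted in this thread; the LAN prefix is passed in as an assumption, since the first post gives only 192.168.134.0 without a mask.

```python
import ipaddress
import re

# Constructed samples: the relevant lines from the two configs posted above.
FIRST_CFG = """\
ip local pool primary-vpn-pool 192.168.166.1-192.168.166.100 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.128
nat (inside) 0 access-list inside_nat0_outbound
"""
SECOND_CFG = """\
ip local pool vpn-primary-pool 192.168.166.1-192.168.166.100 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.134.0 255.255.255.128 192.168.166.0 255.255.255.128
nat (inside) 0 access-list inside_nat0_outbound
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse(cfg):
    """Collect address pools, extended permit-ip ACEs and nat 0 bindings."""
    pools, aces, nat0 = {}, {}, {}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := ACE_RE.match(line):
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            aces.setdefault(m[1], []).append((src, dst))
        elif m := NAT0_RE.match(line):
            nat0[m[1]] = m[2]
    return pools, aces, nat0


def nat_exempt_gaps(cfg, lan, iface="inside"):
    """Pool addresses for which LAN -> pool traffic is not fully NAT-exempt.

    Conservative: an address counts as covered only if a single ACE covers
    the whole LAN as source, so LAN coverage split across ACEs is reported.
    """
    pools, aces, nat0 = parse(cfg)
    lan = ipaddress.ip_network(lan)  # assumed LAN prefix, e.g. 192.168.134.0/24
    acl = aces.get(nat0.get(iface, ""), [])
    gaps = []
    for first, last in pools.values():
        addr = first
        while addr <= last:  # walk every address the pool can hand out
            if not any(lan.subnet_of(src) and addr in dst for src, dst in acl):
                gaps.append(str(addr))
            addr += 1
    return gaps
```

On the first posted lines the pool .1-.100 sits inside the /25 destination, so nothing is reported; the destination mask only opens a gap once the pool reaches past .127, whereas a /25 source mask with a /24 LAN flags every pool address.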
09-10-2008 10:08 AM
Also add...
crypto isakmp nat-traversal
09-10-2008 10:12 AM
Thanks for the reply, I'll post the results within the next few minutes!!!
09-10-2008 10:23 AM
Still not working!!! :(
Please advise, any help would be highly appreciated!!!
09-10-2008 10:30 AM
Can we see new config?
09-10-2008 10:37 AM
abc-fire(config)# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname abc-fire
domain-name abcsoft.local
enable password ogafcUzB/QZE6nv9 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 89.183.250.42 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.134.125 255.255.255.128
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
09-10-2008 10:38 AM
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name abcsoft.local
access-list abc-primary-tunnel_splitTunnelAcl standard permit 192.168.134.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 192.168.134.0 255.255.255.128 192.168.166.0 255.255.255.128
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool vpn-primary-pool 192.168.166.1-192.168.166.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 89.183.250.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
group-policy abc-primary-tunnel internal
group-policy abc-primary-tunnel attributes
dns-server value 192.168.134.1
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value abc-primary-tunnel_splitTunnelAcl
default-domain value abcsoft.local
username user1 password yhK1oj.zZzQLnCkB encrypted privilege 0
username user1 attributes
vpn-group-policy abc-primary-tunnel
tunnel-group abc-primary-tunnel type remote-access
tunnel-group abc-primary-tunnel general-attributes
address-pool vpn-primary-pool
default-group-policy abc-primary-tunnel
tunnel-group abc-primary-tunnel ipsec-attributes
pre-shared-key *
09-10-2008 10:38 AM
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
abc-fire(config)#
09-10-2008 10:40 AM
In the new config you have still not changed the subnet mask in the nat 0 access-list that I asked about earlier.
09-10-2008 10:47 AM
Changed the mask to 255.255.255.0 just now!!! But still no luck!
09-10-2008 10:33 AM
Do you see "hitcounts" increasing on access-list inside_nat0_outbound?
Check and post the result of:
show access-list inside_nat0_outbound
09-10-2008 10:43 AM
abc-fire(config)# show access-list inside_nat0_outbound
access-list inside_nat0_outbound; 1 elements
access-list inside_nat0_outbound line 1 extended permit ip 192.168.134.0 255.255.255.128 192.168.166.0 255.255.255.128 (hitcnt=0) 0x1eaae319
09-10-2008 10:51 AM
Your access-list still does not reflect the change. Also, why have you changed the subnet mask of 192.168.134.0 to 255.255.255.128??
Your access-list should look as follows:
access-list inside_nat0_outbound line 1 extended permit ip 192.168.134.0 255.255.255.0 192.168.166.0 255.255.255.0
09-10-2008 11:00 AM
OK, I have removed the .128 subnets and now it's all coming with the 255.255.255.0 mask!!
But still no luck! :( But I can ping 192.168.134.125, which is the inside interface...!!!
???