12-02-2009 05:52 AM
Not very experienced with Cisco and I'm trying to configure an ASA 5520 for remote access VPN.
We currently have a pair of PIX 515e's that are being replaced and I've been cheating off of their config a bit. I have the ASA here in the office and I am trying to get as much configuration done as possible before we move it into production. At the office we are behind a cable modem and the IP of that device is set as the default route in my ASA when I do my testing.
When it's time to test I connect the cable modem to the outside interface and my laptop to the inside interface and begin testing.
I authenticate and connect with the VPN client and I can ping my laptop that I have connected directly to the inside interface on the ASA, but I am unable to ping the inside interface. The log shows a build-up and tear-down of the ICMP requests, but I still get no response on the VPN client side. It seems like the traffic isn't making it back out to the VPN tunnel.
Any help that anyone could give would be very much appreciated.
: Saved
:
ASA Version 7.0(8)
!
hostname FW-Primary
domain-name viapeople.com
enable password xxxxxxxxx encrypted
passwd xxxxxxxx encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 173.12.54.189 255.255.255.252
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list ciscoclient extended permit ip 10.0.0.0 255.0.0.0 any
access-list PERMIT_IN extended permit tcp any host 66.150.232.166 eq www
access-list PERMIT_IN extended permit tcp any host 66.150.232.166 eq https
access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq smtp
access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq www
access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq https
access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq pop3
access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq 8484
access-list PERMIT_IN extended permit tcp any host 66.150.232.167 eq https
access-list PERMIT_IN extended permit tcp any host 66.150.232.167 eq www
access-list PERMIT_IN extended permit tcp host 70.91.40.205 host 66.150.232.169 eq 990
access-list PERMIT_IN extended permit tcp host 70.91.40.205 host 66.150.232.166 eq 990
access-list PERMIT_IN extended permit tcp host 70.91.40.205 host 66.150.232.167 eq 990
access-list PERMIT_IN extended permit tcp host 70.91.40.205 host 66.150.232.167 range 25025 25030
access-list PERMIT_IN extended permit tcp host 70.91.40.205 host 66.150.232.166 range 25025 25030
access-list PERMIT_IN extended permit tcp host 70.91.40.205 host 66.150.232.169 range 25025 25030
access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq 990
access-list PERMIT_IN extended permit tcp any host 66.150.232.168 range 25025 25050
access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq ssh
access-list PERMIT_IN extended permit tcp any host 66.150.232.168 eq 2021
access-list PERMIT_IN extended permit tcp any host 66.150.232.172 eq https
access-list PERMIT_IN extended permit tcp any host 66.150.232.176 eq https
access-list PERMIT_IN extended permit tcp any host 66.150.232.176 eq www
access-list PERMIT_IN extended permit tcp any host 66.150.232.177 eq www
access-list PERMIT_IN extended permit tcp any host 66.150.232.177 eq https
access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq smtp
access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq www
access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq https
access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq pop3
access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq 8484
access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq 990
access-list PERMIT_IN extended permit tcp any host 66.150.232.173 range 25025 25050
access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq ssh
access-list PERMIT_IN extended permit tcp any host 66.150.232.173 eq 2021
access-list PERMIT_IN extended permit tcp any host 66.150.232.179 eq www
access-list PERMIT_IN extended permit tcp any host 66.150.232.179 eq https
access-list PERMIT_IN extended permit tcp any host 66.150.232.180 eq https
access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq www
access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq https
access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq smtp
access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq pop3
access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq imap4
access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq 993
access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq 8484
access-list PERMIT_IN extended permit tcp any host 66.150.232.190 range 25025 25050
access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq ssh
access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq 2021
access-list PERMIT_IN extended permit tcp any host 66.150.232.181 eq www
access-list PERMIT_IN extended permit tcp any host 66.150.232.181 eq https
access-list PERMIT_IN extended permit tcp any host 66.150.232.182 eq https
access-list PERMIT_IN extended permit tcp any host 66.150.232.182 eq www
access-list PERMIT_IN extended permit tcp any host 66.150.232.183 eq https
access-list PERMIT_IN extended permit tcp any host 66.150.232.183 eq www
access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq 135
access-list PERMIT_IN extended permit tcp any host 66.150.232.184 eq https
access-list PERMIT_IN extended permit tcp any host 66.150.232.184 eq www
access-list PERMIT_IN extended permit tcp any host 66.150.232.180 eq www
access-list PERMIT_IN extended permit tcp any host 66.150.232.185 eq www
access-list PERMIT_IN extended permit tcp any host 66.150.232.190 eq 587
access-list PERMIT_IN extended permit ip any host 66.150.232.171
access-list PERMIT_IN extended permit esp any any
access-list PERMIT_IN extended permit udp any any eq isakmp
access-list PERMIT_IN extended permit icmp any any
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.5.0 255.255.255.0
pager lines 24
logging enable
logging trap informational
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 10.0.5.1-10.0.5.254 mask 255.255.255.0
no failover
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 66.150.232.168 10.0.0.3 netmask 255.255.255.255
static (inside,outside) 66.150.232.172 10.0.0.7 netmask 255.255.255.255
static (inside,outside) 66.150.232.169 10.0.0.6 netmask 255.255.255.255
static (inside,outside) 66.150.232.179 10.0.0.52 netmask 255.255.255.255
static (inside,outside) 66.150.232.173 10.0.0.13 netmask 255.255.255.255
static (inside,outside) 66.150.232.190 10.0.0.8 netmask 255.255.255.255
static (inside,outside) 66.150.232.177 10.0.0.22 netmask 255.255.255.255
static (inside,outside) 66.150.232.182 10.0.0.21 netmask 255.255.255.255
static (inside,outside) 66.150.232.176 10.0.0.23 netmask 255.255.255.255
static (inside,outside) 66.150.232.183 10.0.0.100 netmask 255.255.255.255
static (inside,outside) 66.150.232.181 10.0.0.26 netmask 255.255.255.255
static (inside,outside) 66.150.232.184 10.0.0.27 netmask 255.255.255.255
static (inside,outside) 66.150.232.180 10.0.0.11 netmask 255.255.255.255
static (inside,outside) 66.150.232.185 10.0.0.14 netmask 255.255.255.255
static (inside,outside) 66.150.232.167 10.0.0.28 netmask 255.255.255.255
static (inside,outside) 66.150.232.166 10.0.0.29 netmask 255.255.255.255
access-group PERMIT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 173.12.54.190 1
route inside 10.0.0.0 255.255.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 20
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ciscoclient
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
group-policy ciscoclient internal
group-policy ciscoclient attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ciscoclient
webvpn
username xxxxxxxx password xxxxxxxxxxxxx encrypted privilege 0
username xxxxxxxx attributes
vpn-group-policy ciscoclient
webvpn
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.5.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup general-attributes
authentication-server-group none
tunnel-group ciscoclient type ipsec-ra
tunnel-group ciscoclient general-attributes
address-pool vpnpool
authentication-server-group none
default-group-policy ciscoclient
tunnel-group ciscoclient ipsec-attributes
pre-shared-key *
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:d535896783757491dc98bed2232b2834
: end
12-02-2009 06:52 AM
Configure "management-access inside" then you can access/ping the inside interface over a vpn tunnel.
Without this command you can only access the inside interface from the inside.
Note, apart from ping this will also enable you to telnet to the inside interface over the tunnel, and use ASDM.
hth
Herbert
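Herbert's answer can be turned into a mechanical check before the box goes into production. The Python script below is an added example, not code from this thread or from Cisco: it parses a saved ASA configuration for the `ip local pool`, `management-access`, and `http`/`telnet`/`ssh` access lines, then reports whether the interface that tunnel clients are permitted to manage actually has `management-access` set, and, when it does, which management services that command opens to the VPN pool (Herbert's caveat about telnet and ASDM). The sample configuration is a constructed excerpt of the config posted above; the function names and the `audit` output format are my own.

```python
"""Lint a saved ASA config for the management-access condition discussed in the thread.

Added example, not part of the original thread. Assumes the classic ASA 7.x syntax
shown in the posted config: 'ip local pool NAME A-B mask M', 'http|telnet|ssh NET MASK IF',
and 'management-access IF'.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed excerpt of the configuration posted above.
SAMPLE_CONFIG = """\
hostname FW-Primary
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
ip local pool vpnpool 10.0.5.1-10.0.5.254 mask 255.255.255.0
http server enable
http 10.0.0.0 255.255.255.0 inside
http 10.0.5.0 255.255.255.0 inside
telnet 10.0.0.0 255.255.255.0 inside
telnet 10.0.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
POOL_RE = re.compile(
    rf"^ip local pool (?P<name>\S+) (?P<start>{IPV4})-(?P<end>{IPV4})(?: mask (?P<mask>{IPV4}))?"
)
# Only the per-source access lines match; 'http server enable' and 'telnet timeout 5' do not.
MGMT_SVC_RE = re.compile(rf"^(?P<svc>http|telnet|ssh) (?P<net>{IPV4}) (?P<mask>{IPV4}) (?P<ifname>\S+)$")
MGMT_ACCESS_RE = re.compile(r"^management-access (?P<ifname>\S+)$")


def parse_pools(config: str) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Map each 'ip local pool' name to the network(s) its addresses fall in."""
    pools: Dict[str, List[ipaddress.IPv4Network]] = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if not m:
            continue
        if m.group("mask"):
            nets = [ipaddress.ip_network(f"{m.group('start')}/{m.group('mask')}", strict=False)]
        else:  # no mask given: cover the range exactly
            nets = list(ipaddress.summarize_address_range(
                ipaddress.ip_address(m.group("start")), ipaddress.ip_address(m.group("end"))))
        pools[m.group("name")] = nets
    return pools


def parse_management_access(config: str) -> List[str]:
    """Interfaces named in 'management-access <ifname>' lines."""
    return [m.group("ifname") for m in
            (MGMT_ACCESS_RE.match(l.strip()) for l in config.splitlines()) if m]


def management_services(config: str) -> List[Tuple[str, ipaddress.IPv4Network, str]]:
    """(service, permitted source network, interface) for each http/telnet/ssh access line."""
    out = []
    for line in config.splitlines():
        m = MGMT_SVC_RE.match(line.strip())
        if m:
            src = ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False)
            out.append((m.group("svc"), src, m.group("ifname")))
    return out


def audit(config: str) -> dict:
    """Report, per VPN pool and interface, whether tunnel clients can reach the interface at all
    (needs management-access) and which management services that then exposes to them."""
    pools = parse_pools(config)
    access = set(parse_management_access(config))
    exposed: Dict[Tuple[str, str], set] = {}  # (pool, interface) -> services allowed from pool
    for name, nets in pools.items():
        for svc, src, ifname in management_services(config):
            if any(src.overlaps(n) for n in nets):
                exposed.setdefault((name, ifname), set()).add(svc)
    findings = []
    for (name, ifname), svcs in sorted(exposed.items()):
        listed = ", ".join(sorted(svcs))
        if ifname not in access:
            findings.append(f"{listed} on '{ifname}' permitted from pool {name}, but "
                            f"'management-access {ifname}' is missing, so tunnel clients "
                            f"cannot reach that interface over the tunnel")
        else:
            findings.append(f"'management-access {ifname}' is set: {listed} on '{ifname}' "
                            f"are reachable over the tunnel from pool {name}")
    return {"pools": {k: [str(n) for n in v] for k, v in pools.items()},
            "management_access": sorted(access),
            "findings": findings}


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)["findings"]:
        print(finding)
```

Run against the posted config the first finding is the one this thread is about: `http, telnet on 'inside' permitted from pool vpnpool, but 'management-access inside' is missing`. Append `management-access inside` and the same check flips to listing what the tunnel users can now reach, which is the point to review before leaving telnet permitted from the pool.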
12-02-2009 06:56 AM
Glancing back at the PIX config I do see that on there.
You've probably solved it. I will test later tonight and confirm!