ASA VPN urgent help

Unanswered Question
Jan 10th, 2010

Guys, we have a situation and I don't know what is going wrong. I have set up an ASA as a VPN server. The connection is: we have a router, the router terminates in a Checkpoint, and the ASA is connected to one of the DMZ ports on the Checkpoint. The Checkpoint is again connected to a 4500 switch, and that has some servers like Lotus Notes. Now we have recently given iPhones to executives to use 3G to VPN into the network so they can use their Lotus Notes. I have attached the config, so kindly have a look.

I have done a couple of tests: on the iPhone the VPN is established, but when I do sh crypto isakmp sa it shows me the AM_ACTIVE state. Can someone tell me what that is? Shouldn't it be in the QM_IDLE state? I am new to ASA anyway. Second thing: in the pool of IP addresses, should the subnet mask be all 255s (kindly see the config)? I have seen this config on the internet; is it right or wrong?

Guys, another thing is that when I try to set up the VPN from the iPhone I enabled debugging and I also did term monitor, but nothing comes up. Why is that? I have already pointed the static routes to the Checkpoint, as only one interface of the ASA has been used. I checked the routing on the Checkpoint as well as on the 4500 and nothing is wrong, but we are unable to connect to the Notes server. Guys, please help me out, as I am going nuts. The config is as under:

iPHONE-VPN# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname iPHONE-VPN
enable password XXXX encrypted
passwd XXXXX encrypted
names
name 1.7.0.4 server1
name 1.7.2.9 DNS-Server
dns-guard
!
interface GigabitEthernet0/0
speed 100
duplex full
nameif OUTSIDE
security-level 100
ip address X.X.30.22 255.255.255.224
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list OUTSIDE-IN extended permit icmp any any
access-list OUTSIDE-IN extended permit ip any any
access-list INSIDE-OUT extended permit icmp any any
access-list INSIDE-OUT extended permit ip any any
pager lines 24
mtu OUTSIDE 1500
ip local pool iPhones_vpn_pool 72.1.22.1-72.1.22.254 mask 255.255.255.255
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
access-group OUTSIDE-IN in interface OUTSIDE
access-group INSIDE-OUT out interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 193.1.0.64 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA_VPN_SET esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RA_VPN_MAP 1 match address OUTSIDE-IN
crypto dynamic-map RA_VPN_MAP 1 set transform-set RA_VPN_SET
crypto dynamic-map RA_VPN_MAP 1 set reverse-route
crypto map RA_VPN 10 ipsec-isakmp dynamic RA_VPN_MAP
crypto map RA_VPN interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
telnet X.X.X.X 255.255.255.0 OUTSIDE
telnet timeout 600
ssh X.X.X.X 255.255.128.0 OUTSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh X.X.X.X 255.255.255.0 OUTSIDE
ssh timeout 55
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server OUTSIDE 10.200.30.16 asa821-k8.bin
group-policy RA_VPN_Policy internal
group-policy RA_VPN_Policy attributes
wins-server value X.X.X.X
dns-server value X.X.X.X
split-tunnel-policy tunnelspecified
split-dns value msdomain
username testiphone password X.X.X.X encrypted
username test1234 password X.X.X.X encrypted
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool iPhones_vpn_pool
default-group-policy RA_VPN_Policy
tunnel-group RA_VPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:X.X.X.X
: end
