VPN client only working on one of two interfaces

Unanswered Question
Feb 18th, 2010

I have two interfaces "Outside" and "Backup", and "Inside" (being my inside network).

I can use the VPN client to access the inside network when I dial in using the "Outside" interface, but cannot get it to work so that I can dial in using the "Backup" interface.

It does not even get as far as Phase 1 and let me enter the login details, as far as I can see. It is probably something obvious; can you have a look at the config and let me know?

: Saved
:
ASA Version 7.2(2)
!
hostname thetford-firewall
domain-name thet.staceys.co.uk
enable password tXq1SIELZygvD6dc encrypted
names
name 192.4.0.254 Admin_host description Admin_Host
name 192.4.0.1 Thetserver description Thetford File Server
name 192.4.0.2 ThetTSserver description Thetford TS Server
name 192.1.0.0 Bury_LAN description Bury Local Area Network
name 192.2.0.0 Newmarket_LAN description Newmarket Local Area Network
name 192.4.0.0 Thetford_LAN description Thetford Local Area Network
name 192.168.1.0 Sudbury_LAN description Sudbury LAN
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 216.36.180.46 255.255.255.248
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.0.0.100 255.255.255.0
 ospf cost 10
!
interface Ethernet0/2
 nameif backup
 security-level 0
 ip address 192.168.28.2 255.255.255.0
 ospf cost 10
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name thet.staceys.co.uk
object-group service WebAccess tcp
 description Allowed protocols to Outside world
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
 port-object eq https
object-group network MAWHome
 description MAWHome
 network-object 192.168.0.0 255.255.255.0
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any object-group WebAccess
access-list inside_access_in extended permit tcp host Thetserver any eq domain
access-list inside_access_in extended permit udp host Thetserver any eq domain
access-list inside_access_in extended permit tcp host Thetserver any eq smtp
access-list inside_access_in extended permit tcp host Thetserver any eq pop3
access-list inside_access_in extended permit udp host Thetserver any eq ntp
access-list inside_access_in extended permit ip Thetford_LAN 255.255.255.0 Bury_LAN 255.255.255.0
access-list inside_access_in extended permit ip Thetford_LAN 255.255.255.0 Newmarket_LAN 255.255.255.0
access-list inside_access_in extended permit tcp host ThetTSserver any eq pop3
access-list inside_access_in extended permit tcp host ThetTSserver any eq smtp
access-list inside_access_in extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any eq 465
access-list inside_access_in extended permit tcp Thetford_LAN 255.255.255.0 any eq 995
access-list inside_access_in extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 Bury_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 Newmarket_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.21.0.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list inside_nat0_outbound extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Bury_LAN 255.255.255.0
access-list outside_60_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Newmarket_LAN 255.255.255.0
access-list outside_80_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list outside_80_cryptomap_1 extended permit ip Thetford_LAN 255.255.255.0 Sudbury_LAN 255.255.255.0
access-list http-list2 extended permit tcp any host 62.189.96.209
access-list http-list2 extended permit tcp any host 213.120.81.201
access-list outside_100_cryptomap extended permit ip Thetford_LAN 255.255.255.0 192.168.0.0 255.255.255.0
access-list backup_20_cryptomap extended permit ip Thetford_LAN 255.255.255.0 Bury_LAN 255.255.255.0
access-list outside_nat0_outbound extended permit ip any 172.21.0.0 255.255.255.224
!
tcp-map mss-map
  exceed-mss allow
!
pager lines 24
logging enable
logging trap notifications
logging asdm informational
logging host inside Thetserver
mtu outside 1500
mtu inside 1500
mtu backup 1500
ip local pool VPNUsers 172.21.0.1-172.21.0.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Thetford_LAN 255.255.255.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 216.36.180.41 1 track 1
route outside 81.179.236.186 255.255.255.255 216.36.180.41 1
route backup 0.0.0.0 0.0.0.0 192.168.28.1 2
route backup 88.96.71.198 255.255.255.255 192.168.28.1 1
!
router ospf 10
 network Thetford_LAN 255.255.255.0 area 0
 log-adj-changes
 redistribute static subnets
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 4
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy VPNUsers internal
group-policy VPNUsers attributes
 wins-server value 192.0.0.1
 dns-server value 192.0.0.1
 vpn-tunnel-protocol IPSec
group-policy VPNUsersbackup internal
group-policy VPNUsersbackup attributes
 wins-server value 192.0.0.1
 dns-server value 192.0.0.1
 vpn-tunnel-protocol IPSec
username abc123s password Ml encrypted
username 234567 password NC1e encrypted
username 67890 password 8BJ encrypted privilege 15
username 12334567 password Nqt/C0 encrypted privilege 15
http server enable
http Admin_host 255.255.255.255 inside
http Thetserver 255.255.255.255 inside
http ThetTSserver 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
sla monitor 1
 type echo protocol ipIcmpEcho 81.134.64.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map backup_dyn_map 20 set pfs
crypto dynamic-map backup_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set connection-type answer-only
crypto map outside_map 40 set peer 81.179.236.186
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 40 set reverse-route
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer 216.36.175.6
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map 60 set reverse-route
crypto map outside_map 80 match address outside_80_cryptomap_1
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer 83.104.158.217
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 80 set reverse-route
crypto map outside_map 100 match address outside_100_cryptomap
crypto map outside_map 100 set peer 80.177.219.168
crypto map outside_map 100 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map backup_map 20 match address backup_20_cryptomap
crypto map backup_map 20 set connection-type answer-only
crypto map backup_map 20 set peer 88.96.71.198
crypto map backup_map 20 set transform-set ESP-3DES-MD5
crypto map backup_map 20 set reverse-route
crypto map backup_map 65535 ipsec-isakmp dynamic backup_dyn_map
crypto map backup_map interface backup
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
!
track 1 rtr 1 reachability
tunnel-group 216.42.83.86 type ipsec-l2l
tunnel-group 216.42.83.86 ipsec-attributes
 pre-shared-key *
tunnel-group 216.36.175.6 type ipsec-l2l
tunnel-group 216.36.175.6 ipsec-attributes
 pre-shared-key *
tunnel-group VPNUsers type ipsec-ra
tunnel-group VPNUsers general-attributes
 address-pool (inside) VPNUsers
 address-pool VPNUsers
 default-group-policy VPNUsers
tunnel-group VPNUsers ipsec-attributes
 pre-shared-key *
tunnel-group 79.104.158.217 type ipsec-l2l
tunnel-group 79.104.158.217 ipsec-attributes
 pre-shared-key *
tunnel-group 85.179.236.186 type ipsec-l2l
tunnel-group 85.179.236.186 ipsec-attributes
 pre-shared-key *
tunnel-group 86.177.219.168 type ipsec-l2l
tunnel-group 86.177.219.168 ipsec-attributes
 pre-shared-key *
tunnel-group 90.96.71.198 type ipsec-l2l
tunnel-group 90.96.71.198 ipsec-attributes
 pre-shared-key *
tunnel-group VPNUsersbackup type ipsec-ra
tunnel-group VPNUsersbackup general-attributes
 address-pool (inside) VPNUsers
 default-group-policy VPNUsers
tunnel-group VPNUsersbackup ipsec-attributes
 pre-shared-key *
telnet 192.0.0.16 255.255.255.255 inside
telnet timeout 5
ssh Admin_host 255.255.255.255 inside
ssh Thetserver 255.255.255.255 inside
ssh 192.0.0.16 255.255.255.255 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
!
class-map http-mapl
 match access-list http-list2
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
policy-map http-mapl
 class http-mapl
  set connection advanced-options mss-map
policy-map http-map1
!
service-policy global_policy global
service-policy http-mapl interface outside
ntp authenticate
ntp server 192.43.244.18
prompt hostname context
Cryptochecksum:15eac169386ef67f578a83d068c4cb2b
: end
asdm image disk0:/asdm522.bin
no asdm history enable
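As an added check, not part of the original post, the Python script below reads the VPN-relevant statements of an ASA configuration dump per interface and reports three things a practitioner would compare first when remote access works on one IKE-terminating interface but not the other: which statements one such interface has that the other lacks, which default route is currently active, and whether an interface carries a private address (meaning peers reach it through an upstream NAT device, so UDP 500/4500 must be forwarded to it and NAT-T must be available). The embedded SAMPLE_CONFIG is a constructed excerpt of the configuration posted above; the function names are this example's own. Run on that excerpt it reports nothing for outside, and for backup: no nat 0 exemption (outside has nat (outside) 0 access-list outside_nat0_outbound), the private address 192.168.28.2, and that outside holds the active default route (metric 1, tracked) while backup's is metric 2, so the routing table sends replies to Internet peers out outside until track 1 fails, unless a more specific route points out backup, as the posted config already does for the site-to-site peer 88.96.71.198.

```python
"""Per-interface comparison of remote-access VPN settings in an ASA config dump.

Added example, not part of the original post. SAMPLE_CONFIG is a constructed
excerpt of the configuration posted in the question; helper names are assumed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the posted configuration (lines the check looks at).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 216.36.180.46 255.255.255.248
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.0.0.100 255.255.255.0
interface Ethernet0/2
 nameif backup
 security-level 0
 ip address 192.168.28.2 255.255.255.0
global (outside) 1 interface
global (backup) 1 interface
nat (outside) 0 access-list outside_nat0_outbound
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Thetford_LAN 255.255.255.0
route outside 0.0.0.0 0.0.0.0 216.36.180.41 1 track 1
route backup 0.0.0.0 0.0.0.0 192.168.28.1 2
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map backup_map 65535 ipsec-isakmp dynamic backup_dyn_map
crypto map backup_map interface backup
crypto isakmp enable outside
crypto isakmp enable backup
"""


def parse_vpn_facts(config):
    """Return {interface: facts}: its address, its default route (metric, track)
    and a normalised set of VPN-relevant statements so interfaces can be compared."""
    facts = defaultdict(lambda: {"ip": None, "statements": set(), "default_route": None})
    map_dynamic = defaultdict(set)  # crypto map name -> dynamic maps it references
    map_iface = {}                  # crypto map name -> interface it is bound to
    current = None                  # interface whose block we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"nameif (\S+)", line):
            current = m.group(1)
            facts[current]  # create the entry even if nothing else is seen
        elif m := re.fullmatch(r"ip address (\S+) \S+", line):
            if current:
                facts[current]["ip"] = m.group(1)
        elif m := re.fullmatch(r"(global|nat) \((\S+)\) (\d+)\b.*", line):
            facts[m.group(2)]["statements"].add(f"{m.group(1)} {m.group(3)}")
        elif m := re.fullmatch(r"route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+)(?: track (\d+))?", line):
            facts[m.group(1)]["default_route"] = {"metric": int(m.group(2)), "track": m.group(3)}
        elif m := re.fullmatch(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", line):
            map_dynamic[m.group(1)].add(m.group(2))
        elif m := re.fullmatch(r"crypto map (\S+) interface (\S+)", line):
            map_iface[m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"crypto isakmp enable (\S+)", line):
            facts[m.group(1)]["statements"].add("isakmp enabled")
    for name, iface in map_iface.items():
        facts[iface]["statements"].add("crypto map bound")
        if map_dynamic[name]:  # a dynamic entry is what terminates remote-access clients
            facts[iface]["statements"].add("dynamic crypto map")
    return dict(facts)


def compare_vpn_interfaces(config):
    """For each ISAKMP-enabled interface, list what the other ISAKMP-enabled
    interfaces have that it lacks, plus the routing and NAT observations."""
    facts = parse_vpn_facts(config)
    ike = {n: f for n, f in facts.items() if "isakmp enabled" in f["statements"]}
    union = set().union(*(f["statements"] for f in ike.values())) if ike else set()
    routed = [n for n, f in facts.items() if f["default_route"]]
    active = min(routed, key=lambda n: facts[n]["default_route"]["metric"]) if routed else None
    report = {}
    for name, f in ike.items():
        notes = sorted(f"missing: {s}" for s in union - f["statements"])
        if f["ip"] and ipaddress.ip_address(f["ip"]).is_private:
            notes.append("private address: peers reach it through an upstream NAT device, "
                         "so UDP 500/4500 must be forwarded to it and NAT-T is required")
        if active and name != active:
            notes.append(f"not the active default route ({active} has the lower metric): "
                         f"replies to Internet peers arriving here are routed out {active} "
                         "unless a more specific route points back here")
        report[name] = notes
    return report


if __name__ == "__main__":
    for iface, notes in compare_vpn_interfaces(SAMPLE_CONFIG).items():
        print(f"{iface}: {'no differences found' if not notes else ''}")
        for note in notes:
            print("  -", note)
```

The comparison is deliberately symmetric: it does not assume which interface is correct, only reports what differs between the interfaces that both accept IKE, so the same script can be pointed at any two-ISP ASA dump.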
