11-25-2010 12:14 PM
I have lifted the VPN, but not going to remote networks.
I can ping the vlan interface of my remote router, but an IP from a PC can not reach. Some help
ASA Version 8.3(1)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 190.128.234.54 255.255.255.252
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network NETWORK_OBJ_10.10.1.0_24
 subnet 10.10.1.0 255.255.255.0
object network Aregua
 subnet 10.10.5.0 255.255.255.0
 description Aregua
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network Piribebuy
 subnet 10.10.11.0 255.255.255.0
 description Piribebuy
access-list outside_cryptomap_1 extended permit ip object NETWORK_OBJ_10.10.1.0_24 object NETWORK_OBJ_192.168.1.0_24
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.10.1.0_24 NETWORK_OBJ_10.10.1.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24
route outside 0.0.0.0 0.0.0.0 190.128.234.54 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.1.0 255.255.255.0 inside
http 10.10.1.2 255.255.255.255 inside
http 10.10.5.6 255.255.255.255 inside
http 10.10.5.6 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map0 1 match address outside_cryptomap_1
crypto map outside_map0 1 set peer 190.128.178.6
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username guillermo password gj/0bvDSV6huY49t encrypted privilege 15
tunnel-group 190.128.178.6 type ipsec-l2l
tunnel-group 190.128.178.6 ipsec-attributes
 pre-shared-key *****
11-25-2010 02:23 PM
The configuration on this ASA looks correct, and if you can ping the remote router vlan interface, that means that the VPN is up and running correctly.
If you can't ping the remote PC, you might want to check if the PC has any personal firewall enabled that often blocks inbound connections from different subnets. Please try to disable the personal firewall on the PC and try to ping again. Also try to ping other devices in the network, and see if that works.
Also check the remote router configuration to see if NAT exemption has been configured and if there are any firewall features on the router itself that might be blocking the ping.
Hope that helps.
11-25-2010 04:21 PM
Hi Jennifer
Thanks for answering my question, in principle I have no NAT configuration on the remote router, I have the firewall of the PC off.
Would not have a vpn configuration example l2l between 8.3 to handle router,
Also need to handle Internet access to local networks.
My problem lies in making non-nat
11-25-2010 04:27 PM
For internet access from ASA, here is the NAT statement:
object network obj-10.10.1.0
 subnet 10.10.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
For VPN access between ASA LAN and router LAN, please share your router configuration.
11-25-2010 04:50 PM
Hi Jennifer
The configuration I have not now, but has set the wan interface vlan1
I have active the vpn I have only one access-list which belongs to the VPN.
Tomorrow I can pass the router configuration.
Very grateful for the help
11-26-2010 06:59 AM
Hi Jennifer
I found the fix to my problem, the router had set my default route pointing to the interface
ip route 0.0.0.0 0.0.0.0 fa4
must be configured to point to the ip of the gateway
ip route 0.0.0.0 0.0.0.0 x.x.x.x
11-26-2010 08:16 AM
hi:
What would be the procedure for transferring port with NAT (ASA 8.3)
For example:
inside interface 10.10.1.xx in the ports 80, 443 and 143, outside interface x.x.x.x
11-26-2010 03:01 PM
object network server-10.10.1.xx
 host 10.10.1.xx
 nat (inside,outside) static interface service tcp 80 80
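The reply above covers port 80 only. As an added example (not part of the original reply), here is the same object NAT pattern extended to all three ports asked about: an object on ASA 8.3 can carry a single nat rule, so each forwarded port gets its own object, and the outside ACL must permit the real (inside) address. The object names and the ACL name outside_access_in are hypothetical; 10.10.1.xx is the placeholder used in the thread.

```cisco
! Added example: one network object per forwarded port,
! because object NAT allows only one nat rule per object.
object network server-10.10.1.xx-http
 host 10.10.1.xx
 nat (inside,outside) static interface service tcp 80 80
object network server-10.10.1.xx-https
 host 10.10.1.xx
 nat (inside,outside) static interface service tcp 443 443
object network server-10.10.1.xx-imap
 host 10.10.1.xx
 nat (inside,outside) static interface service tcp 143 143
!
! From 8.3 on, interface ACLs match the real (untranslated) address.
! Permit only the three published ports (hypothetical ACL name).
access-list outside_access_in extended permit tcp any host 10.10.1.xx eq 80
access-list outside_access_in extended permit tcp any host 10.10.1.xx eq 443
access-list outside_access_in extended permit tcp any host 10.10.1.xx eq 143
access-group outside_access_in in interface outside
```

`show nat` lists the resulting rules and their hit counts, and `packet-tracer input outside tcp` with a test source and the outside address shows whether a connection to each port is translated and permitted.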