ASA 5510 vlan cannot reach wan

Answered Question
May 28th, 2012

Hi everyone,

I'm setting up VLANs and inter-VLAN routing in my lab. My VLANs work well (routing between them and DHCP relay) on the LAN side of the ASA, but they cannot reach the internet through the ASA.

I have read a lot about this issue and tried different configurations, but I can't solve it...

Example of what I read and tried

Here are my ASA settings:

Note: I know that the physical interface mustn't have an IP address, but my present network needs one to work. I'll fix this during my next tests.

: Saved

:

ASA Version 8.2(1)

!

hostname CISCOASA

domain-name MEDIAMEETING

enable password *********** encrypted

passwd ********** encrypted

names

name 192.168.0.2 mediaserv

name 192.168.2.200 Routeur-Fullsave description Routeur Fullsave

name 91.197.164.8 Serveur-streaming description Serveur de streaming distant

name 193.252.220.135 FM47

name 79.174.207.220 SNCF

name 80.13.227.86 TLSEFM

name 79.174.204.201 ALTITUDE

name 212.234.48.67 BDX

name 192.168.4.254 Freebox description Freebox

dns-guard

!

interface Ethernet0/0

nameif WAN_FREE

security-level 10

ip address 192.168.4.253 255.255.255.0 standby 192.168.4.250

!

interface Ethernet0/1

description connexion vers le LAN via switch cisco

nameif LAN

security-level 100

ip address 192.168.0.4 255.255.255.0 standby 192.168.0.6

!

interface Ethernet0/1.31

vlan 31

nameif vlan_postes

security-level 100

ip address 192.168.31.254 255.255.255.0

!

interface Ethernet0/1.200

vlan 200

nameif vlan_winradio

security-level 100

ip address 192.168.200.250 255.255.255.0

!

interface Ethernet0/2

description Connexion Free et fibre

speed 100

duplex full

nameif WAN_Fibre

security-level 10

  ip address 192.168.2.253 255.255.255.0 standby 192.168.2.250

!

interface Ethernet0/3

description LAN Failover Interface

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system tftp://192.168.0.2/modifpass

boot system disk0:/asa821-k8.bin

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name MEDIAMEETING

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network Acces-distant

network-object host FM47

network-object host SNCF

network-object host TLSEFM

network-object host BDX

object-group network MM-Acces-distant

network-object 192.168.0.0 255.255.255.0

object-group service RAdmin tcp

description Port RAdmin

port-object eq 4899

access-list LAN_pnat_outbound extended permit ip host 192.168.0.56 171.16.135.216 255.255.255.248

access-list LAN_nat0_outbound extended permit ip 192.168.97.80 255.255.255.248 171.16.135.216 255.255.255.248

access-list LAN_nat0_outbound extended permit ip any 192.168.0.128 255.255.255.128

access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.128 255.255.255.128

access-list LAN_nat0_outbound extended permit ip host 192.168.0.187 192.168.248.0 255.255.255.0 inactive

access-list LAN_nat0_outbound extended permit ip host 192.168.0.56 192.168.248.0 255.255.255.0 inactive

access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.128

access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list LAN_nat0_inbound extended permit ip any 192.168.0.128 255.255.255.128

access-list Mediameet_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0

access-list Mediameet_splitTunnelAcl standard permit 192.168.31.0 255.255.255.0

access-list WAN_Access_In2 extended permit tcp any host 192.168.2.253 eq 3389 inactive

access-list WAN_Access_In2 extended permit tcp any host 192.168.2.253 eq 3390 inactive

access-list WAN_Access_In2 remark Acces RAdmin Principal

access-list WAN_Access_In2 extended permit tcp any host 192.168.2.253 eq 4899

access-list WAN_Access_In2 remark Acces RAdmin Principal

access-list LAN_nat0_inbound.20 extended permit ip any 192.168.3.0 255.255.255.128

access-list global_mpc_1 remark exemple priorisation Prise de main à distance

access-list global_mpc_1 extended permit ip object-group MM-Acces-distant object-group Acces-distant

access-list global_mpc_1 remark exemple priorisation Prise de main à distance

access-list streaming extended permit ip any host Serveur-streaming

access-list Mediameet_splitTunnelAcl_1 standard permit 192.168.0.0 255.255.255.0

access-list WAN_FREE_access_in_1 remark Acces RAdmin de secours

access-list WAN_FREE_access_in_1 extended permit tcp any host 192.168.4.253 eq 4899

access-list WAN_FREE_access_in_1 remark Acces RAdmin de secours

pager lines 24

logging enable

logging asdm informational

logging from-address ******

logging recipient-address ******

mtu WAN_FREE 1500

mtu LAN 1500

mtu WAN_Fibre 1500

mtu vlan_postes 1500

mtu vlan_winradio 1500

mtu management 1500

ip local pool RemoteConn 192.168.3.1-192.168.3.128 mask 255.255.255.0

failover

failover lan unit primary

failover lan interface STATEFUL Ethernet0/3

failover replication http

failover interface ip STATEFUL 10.0.0.1 255.255.255.252 standby 10.0.0.2

no monitor-interface management

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

global (WAN_FREE) 1 interface

global (WAN_Fibre) 1 interface

nat (LAN) 0 access-list LAN_nat0_outbound

nat (LAN) 0 access-list LAN_nat0_inbound outside

nat (LAN) 1 0.0.0.0 0.0.0.0

nat (vlan_postes) 1 192.168.31.0 255.255.255.0

nat (vlan_postes) 1 0.0.0.0 0.0.0.0

static (LAN,WAN_Fibre) tcp interface 4899 192.168.0.56 4899 netmask 255.255.255.255

static (vlan_postes,WAN_Fibre) 192.168.31.0 192.168.31.0 netmask 255.255.255.0

static (WAN_Fibre,vlan_postes) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

access-group WAN_FREE_access_in_1 in interface WAN_FREE

access-group WAN_Access_In2 in interface WAN_Fibre

route WAN_Fibre 0.0.0.0 0.0.0.0 Routeur-Fullsave 64 track 1

route WAN_FREE 0.0.0.0 0.0.0.0 Freebox 62

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.0.0 LAN

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 1

type echo protocol ipIcmpEcho Routeur-Fullsave interface WAN_Fibre

sla monitor schedule 1 life forever start-time now

service resetoutside

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map WAN_dyn_map 20 set pfs group1

crypto dynamic-map WAN_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map WAN_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 40 set security-association lifetime seconds 28800

crypto dynamic-map WAN_dyn_map 40 set security-association lifetime kilobytes 4608000

crypto dynamic-map WAN_dyn_map 60 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 60 set security-association lifetime seconds 28800

crypto dynamic-map WAN_dyn_map 60 set security-association lifetime kilobytes 4608000

crypto dynamic-map FREE_dyn_map 20 match address LAN_nat0_inbound.20

crypto dynamic-map FREE_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map FREE_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map FREE_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map WAN_map_FREE 20 ipsec-isakmp dynamic FREE_dyn_map

crypto map WAN_map_FREE interface WAN_Fibre

!

crypto ca trustpoint ASDM_SSLMM

enrollment terminal

subject-name CN=CISCOASA

  crl configure

crypto ca trustpoint localtrust_Free

  [...]

crypto ca trustpoint localtrust_Fibre

[...]

!

crypto ca certificate chain localtrust_Free

[...]

  quit

crypto ca certificate chain localtrust_Fibre

[...]

  quit

crypto isakmp identity hostname

crypto isakmp enable WAN_Fibre

crypto isakmp enable management

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

track 1 rtr 1 reachability

client-update enable

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet 192.168.0.0 255.255.255.0 LAN

telnet 192.168.3.0 255.255.255.128 LAN

telnet timeout 10

ssh timeout 5

console timeout 0

management-access LAN

dhcpd address 192.168.1.2-192.168.1.254 management

!

dhcprelay server 192.168.0.1 LAN

dhcprelay enable vlan_postes

dhcprelay enable vlan_winradio

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl trust-point localtrust_Fibre WAN_Fibre

ssl trust-point localtrust_Free WAN_FREE

webvpn

[...]

group-policy DfltGrpPolicy attributes

[...]

group-policy Mediameet internal

group-policy Mediameet attributes

  [...]

group-policy Mediameet_1 internal

group-policy Mediameet_1 attributes

  [...]

group-policy MediaSSL internal

group-policy MediaSSL attributes

  [...]

username ******* password ****** encrypted privilege 0

username ********* attributes

vpn-group-policy Mediameet

[...]

!

class-map WinRadio-class

description limitation bande Passante à 1Mbits/s

match any

class-map global-class

match default-inspection-traffic

class-map Streaming-class

match any

class-map SITES-DISTANTS

description exemple priorisation Prise de main à distance

match access-list global_mpc_1

class-map global-class1

description exemple priorisation Prise de main à distance

match port tcp range 3389 3390

class-map global-class2

description Préparation streaming 2mbps

match port tcp range 9252 9256

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

  message-length maximum client auto

policy-map global-policy

description default_inspection

class global-class1

  priority

class global-class2

  police input 2097000 1500

  police output 2097000 1500

class SITES-DISTANTS

  priority

class global-class

  inspect dns migrated_dns_map_1

  inspect esmtp

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect icmp

  inspect netbios

  inspect pptp

  inspect rsh

  inspect rtsp

  inspect sip

  inspect skinny

  inspect sqlnet

  inspect sunrpc

   inspect tftp

  inspect xdmcp

policy-map WinRadio-policy

class WinRadio-class

  police input 1024000 1500

  police output 1024000 1500

policy-map Streaming-policy

class Streaming-class

  police input 1024000 1500

  police output 3072000 1536

!

prompt hostname priority state

Cryptochecksum:*************

: end

I apologize for my English and thank you for your interest.

Jennifer Halim Mon, 05/28/2012 - 00:56

Which particular VLAN can't access the Internet?

You would need to have a NAT statement for those VLANs so they get PATed to the WAN_FREE interface IP address (public IP) to be able to reach the internet.

So far, only the following interfaces will have access to the internet:

LAN and vlan_postes:

nat (LAN) 1 0.0.0.0 0.0.0.0

nat (vlan_postes) 1 192.168.31.0 255.255.255.0

nat (vlan_postes) 1 0.0.0.0 0.0.0.0

Mediadeshaies Mon, 05/28/2012 - 01:19

Hello Jennifer Halim,

Actually, only vlan_postes needs to access the internet. So I set the NAT, but it doesn't work.

I don't understand very well what you mean by

so it gets PATed to the WAN_FREE interface IP Address (public IP) to be able to reach the internet.

Do I have to set something more than

nat (LAN) 1 0.0.0.0 0.0.0.0

nat (vlan_postes) 1 192.168.31.0 255.255.255.0

nat (vlan_postes) 1 0.0.0.0 0.0.0.0

?

Or may my ACL be the problem?

Jennifer Halim Mon, 05/28/2012 - 02:29

You have not applied the global-policy yet:

service-policy global-policy global

Then try to ping 4.2.2.2 and see if you get a reply.

Mediadeshaies Mon, 05/28/2012 - 05:12

Hello Jennifer Halim,

I tried to apply what you said; it displayed this message:

ERROR: Class global-class1 has 'priority' set without 'priority-queue' in any interface

So I tried this:

CISCOASA/pri/act(config)# policy-map global-policy

CISCOASA/pri/act(config)# no class global-cass1

And it displayed:

ERROR: % class-map global-class1 is being used

My knowledge about ASA and policy in general is really poor, so I'm a bit lost.

Do you have any idea?

Thank you

Jennifer Halim Mon, 05/28/2012 - 05:18

Just create a new policy and apply it as follows:

policy-map global_policy

class global-class

  inspect dns migrated_dns_map_1

  inspect esmtp

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect icmp

  inspect netbios

  inspect pptp

  inspect rsh

  inspect rtsp

  inspect sip

  inspect skinny

  inspect sqlnet

  inspect sunrpc

   inspect tftp

  inspect xdmcp

service-policy global_policy global

Mediadeshaies Tue, 05/29/2012 - 02:13

Hello Jennifer Halim,

Here is the configuration after I tried your solution. New lines appeared, but ping is still not working (4.2.2.2 or 8.8.8.8).

Note: I removed the IP address from the physical interface Ethernet0/1 before doing the test.

: Saved

: Written by enable_15 at 10:19:52.898 CEDT Tue May 29 2012

!

ASA Version 8.2(1)

!

hostname CISCOASA

domain-name MEDIAMEETING

enable password *********** encrypted

passwd *********** encrypted

names

name 192.168.0.2 mediaserv

name 192.168.2.200 Routeur-Fullsave description Routeur Fullsave

name 91.197.164.8 Serveur-streaming description Serveur de streaming distant

name 193.252.220.135 FM47

name 79.174.207.220 SNCF

name 80.13.227.86 TLSEFM

name 79.174.204.201 ALTITUDE

name 212.234.48.67 BDX

name 192.168.4.254 Freebox description Freebox

dns-guard

!

interface Ethernet0/0

description Ex liaison Altitude Telecom

nameif WAN_FREE

security-level 10

ip address 192.168.4.253 255.255.255.0 standby 192.168.4.250

!

interface Ethernet0/1

description connexion vers le LAN via switch cisco

nameif LAN

security-level 100

no ip address

!

interface Ethernet0/1.31

vlan 31

nameif vlan_postes

security-level 100

ip address 192.168.31.254 255.255.255.0

!

interface Ethernet0/1.200

vlan 200

nameif vlan_winradio

security-level 100

ip address 192.168.200.250 255.255.255.0

!

interface Ethernet0/2

description Connexion Free et fibre

speed 100

duplex full

nameif WAN_Fibre

security-level 10

ip address 192.168.2.253 255.255.255.0 standby 192.168.2.250

!

interface Ethernet0/3

description LAN Failover Interface

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system tftp://192.168.0.2/modifpass

boot system disk0:/asa821-k8.bin

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

dns server-group DefaultDNS

domain-name MEDIAMEETING

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network Acces-distant

network-object host FM47

network-object host SNCF

network-object host TLSEFM

network-object host BDX

object-group network MM-Acces-distant

network-object 192.168.0.0 255.255.255.0

object-group service RAdmin tcp

description Port RAdmin

port-object eq 4899

access-list LAN_pnat_outbound extended permit ip host 192.168.0.56 171.16.135.216 255.255.255.248

access-list WAN_FIBRE_access_in remark Accès RAdmin depuis WAN - Principal

access-list WAN_FIBRE_access_in remark Accès RAdmin depuis WAN - Principal

access-list LAN_nat0_outbound extended permit ip 192.168.97.80 255.255.255.248 171.16.135.216 255.255.255.248

access-list LAN_nat0_outbound extended permit ip any 192.168.0.128 255.255.255.128

access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.128 255.255.255.128

access-list LAN_nat0_outbound extended permit ip host 192.168.0.187 192.168.248.0 255.255.255.0 inactive

access-list LAN_nat0_outbound extended permit ip host 192.168.0.56 192.168.248.0 255.255.255.0 inactive

access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.128

access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list WAN_FREE_access_in remark Accès RAdmin depuis WAN - Secours

access-list WAN_FREE_access_in remark Accès RAdmin depuis WAN - Secours

access-list LAN_nat0_inbound extended permit ip any 192.168.0.128 255.255.255.128

access-list Mediameet_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0

access-list Mediameet_splitTunnelAcl standard permit 192.168.31.0 255.255.255.0

access-list WAN_Access_In2 extended permit tcp any host 192.168.2.253 eq 3389 inactive

access-list WAN_Access_In2 extended permit tcp any host 192.168.2.253 eq 3390 inactive

access-list WAN_Access_In2 remark Acces RAdmin Principal

access-list WAN_Access_In2 extended permit tcp any host 192.168.2.253 eq 4899

access-list WAN_Access_In2 remark Acces RAdmin Principal

access-list LAN_nat0_inbound.20 extended permit ip any 192.168.3.0 255.255.255.128

access-list global_mpc_1 remark exemple priorisation Prise de main à distance

access-list global_mpc_1 extended permit ip object-group MM-Acces-distant object-group Acces-distant

access-list global_mpc_1 remark exemple priorisation Prise de main à distance

access-list streaming extended permit ip any host Serveur-streaming

access-list Mediameet_splitTunnelAcl_1 standard permit 192.168.0.0 255.255.255.0

access-list WAN_FREE_access_in_1 remark Acces RAdmin de secours

access-list WAN_FREE_access_in_1 extended permit tcp any host 192.168.4.253 eq 4899

access-list WAN_FREE_access_in_1 remark Acces RAdmin de secours

pager lines 24

logging enable

logging asdm informational

logging from-address *****************

logging recipient-address **************level emergencies

mtu WAN_FREE 1500

mtu LAN 1500

mtu vlan_postes 1500

mtu vlan_winradio 1500

mtu WAN_Fibre 1500

mtu management 1500

ip local pool RemoteConn 192.168.3.1-192.168.3.128 mask 255.255.255.0

failover

failover lan unit primary

failover lan interface STATEFUL Ethernet0/3

failover replication http

failover interface ip STATEFUL 10.0.0.1 255.255.255.252 standby 10.0.0.2

no monitor-interface management

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-641.bin

asdm location ALTITUDE 255.255.255.255 LAN

no asdm history enable

arp timeout 14400

global (WAN_FREE) 1 interface

global (WAN_Fibre) 1 interface

nat (LAN) 0 access-list LAN_nat0_outbound

nat (LAN) 0 access-list LAN_nat0_inbound outside

nat (LAN) 1 0.0.0.0 0.0.0.0

nat (vlan_postes) 1 192.168.31.0 255.255.255.0

nat (vlan_postes) 1 0.0.0.0 0.0.0.0

static (LAN,WAN_Fibre) tcp interface 4899 192.168.0.56 4899 netmask 255.255.255.255

static (vlan_postes,WAN_Fibre) 192.168.31.0 192.168.31.0 netmask 255.255.255.0

static (WAN_Fibre,vlan_postes) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

access-group WAN_FREE_access_in_1 in interface WAN_FREE

access-group WAN_Access_In2 in interface WAN_Fibre

route WAN_Fibre 0.0.0.0 0.0.0.0 Routeur-Fullsave 64 track 1

route WAN_FREE 0.0.0.0 0.0.0.0 Freebox 128

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 192.168.0.0 255.255.0.0 LAN

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 1

type echo protocol ipIcmpEcho Routeur-Fullsave interface WAN_Fibre

sla monitor schedule 1 life forever start-time now

service resetoutside

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map WAN_dyn_map 20 set pfs group1

crypto dynamic-map WAN_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map WAN_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 40 set security-association lifetime seconds 28800

crypto dynamic-map WAN_dyn_map 40 set security-association lifetime kilobytes 4608000

crypto dynamic-map WAN_dyn_map 60 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 60 set security-association lifetime seconds 28800

crypto dynamic-map WAN_dyn_map 60 set security-association lifetime kilobytes 4608000

crypto dynamic-map FREE_dyn_map 20 match address LAN_nat0_inbound.20

crypto dynamic-map FREE_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map FREE_dyn_map 20 set security-association lifetime seconds 28800

crypto dynamic-map FREE_dyn_map 20 set security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map WAN_map_FREE 20 ipsec-isakmp dynamic FREE_dyn_map

crypto map WAN_map_FREE interface WAN_Fibre

crypto ca trustpoint ASDM_SSLMM

enrollment terminal

subject-name CN=CISCOASA

crl configure

crypto ca trustpoint localtrust_Free

enrollment self

fqdn ************

email ****************

subject-name CN=ssl.666.mediameeting.net

ip-address ******************

keypair ****************

crl configure

crypto ca trustpoint localtrust_Fibre

enrollment self

fqdn *******************

email ******************

subject-name CN=**************

ip-address ***************

keypair **************

crl configure

crypto ca certificate chain localtrust_Free

certificate cbdcbd4f

    30820247 308201b0 a0030201 020204cb dcbd4f30 0d06092a 864886f7 0d010104

*******

  quit

crypto ca certificate chain localtrust_Fibre

certificate b5debd4f

    3082023f 308201a8 a0030201 020204b5 debd4f30 0d06092a 864886f7 0d010104

******

  quit

crypto isakmp identity hostname

crypto isakmp enable WAN_Fibre

crypto isakmp enable management

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

track 1 rtr 1 reachability

client-update enable

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet 192.168.0.0 255.255.255.0 LAN

telnet 192.168.3.0 255.255.255.128 LAN

telnet timeout 10

ssh timeout 5

console timeout 0

management-access LAN

dhcpd address 192.168.1.2-192.168.1.254 management

!

dhcprelay server 192.168.0.1 LAN

dhcprelay enable vlan_postes

dhcprelay enable vlan_winradio

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl trust-point localtrust_Free WAN_FREE

ssl trust-point localtrust_Fibre WAN_Fibre

webvpn

enable WAN_FREE

enable WAN_Fibre

svc image disk0:/anyconnect-win-2.5.3055-k9.pkg 1

svc image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2 regex "Intel Mac OS X"

svc image disk0:/anyconnect-linux-2.5.3055-k9.pkg 3 regex "Linux"

svc image disk0:/anyconnect-dart-win-2.5.3055-k9.pkg 4

svc profiles DefaultProfile disk0:/defaultprofile.xml

svc enable

tunnel-group-list enable

group-policy DfltGrpPolicy attributes

dns-server value 192.168.0.1 8.8.8.8

group-policy Mediameet internal

group-policy Mediameet attributes

dns-server value 192.168.0.2 192.168.0.1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Mediameet_splitTunnelAcl

default-domain value MEDIAMEETING

group-policy Mediameet_1 internal

group-policy Mediameet_1 attributes

wins-server none

dns-server value 192.168.0.1 8.8.8.8

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Mediameet_splitTunnelAcl_1

default-domain value MEDIAMEETING

group-policy MediaSSL internal

group-policy MediaSSL attributes

dns-server value 192.168.0.1 8.8.8.8

vpn-tunnel-protocol svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Mediameet_splitTunnelAcl

default-domain value MEDIAMEETING.local

msie-proxy method no-modify

vlan none

address-pools value RemoteConn

webvpn

  url-list none

  svc keep-installer installed

  svc modules value dart,vpngina

  svc ask enable default webvpn timeout 30

username ********* password **************** encrypted privilege 0

username ********* attributes

vpn-group-policy Mediameet

username ********** password **************** encrypted privilege 0

username ********** attributes

vpn-group-policy Mediameet

username ********** password **************** encrypted privilege 0

username ********** attributes

vpn-group-policy Mediameet

username ********** password **************** encrypted privilege 0

username ********** attributes

vpn-group-policy Mediameet

username ******* password **************** encrypted privilege 15

username ******* attributes

service-type admin

webvpn

  svc profiles value DefaultProfile

username *********** password **************** encrypted privilege 15

tunnel-group ********* type ipsec-l2l

tunnel-group ************* ipsec-attributes

pre-shared-key *

tunnel-group Mediameet type remote-access

tunnel-group Mediameet general-attributes

address-pool RemoteConn

default-group-policy Mediameet_1

tunnel-group Mediameet ipsec-attributes

pre-shared-key *

tunnel-group ******** type ipsec-l2l

tunnel-group ********** ipsec-attributes

pre-shared-key *

tunnel-group SSL_MM type remote-access

tunnel-group SSL_MM general-attributes

address-pool RemoteConn

authentication-server-group (LAN) LOCAL

default-group-policy MediaSSL

tunnel-group SSL_MM webvpn-attributes

group-alias PostesDistants enable

tunnel-group-map default-group Mediameet

!

class-map WinRadio-class

description limitation bande Passante à 1Mbits/s

match any

class-map global-class

match default-inspection-traffic

class-map Streaming-class

match any

class-map SITES-DISTANTS

description exemple priorisation Prise de main à distance

match access-list global_mpc_1

class-map global-class1

description exemple priorisation Prise de main à distance

match port tcp range 3389 3390

class-map global-class2

description Préparation streaming 2mbps

match port tcp range 9252 9256

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

  message-length maximum client auto

policy-map global_policy

class global-class

  inspect dns migrated_dns_map_1

  inspect esmtp

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect icmp

  inspect netbios

  inspect pptp

  inspect rsh

  inspect rtsp

  inspect sip 

  inspect skinny 

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect xdmcp

policy-map global-policy

description default_inspection

class global-class1

  priority

class global-class2

  police input 2097000 1500

  police output 2097000 1500

class SITES-DISTANTS

  priority

class global-class

  inspect dns migrated_dns_map_1

  inspect esmtp

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect icmp

  inspect netbios

  inspect pptp

  inspect rsh

  inspect rtsp

  inspect sip 

  inspect skinny 

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect xdmcp

policy-map WinRadio-policy

class WinRadio-class

  police input 1024000 1500

  police output 1024000 1500

policy-map Streaming-policy

class Streaming-class

  police input 1024000 1500

  police output 3072000 1536

!

service-policy global_policy global

prompt hostname priority state

Cryptochecksum:dd605e032202ff6791c19afc056b3757

: end

My host's ipconfig (the one which executes the ping):

IP address: 192.168.31.2

Default gateway: 192.168.31.254

DHCP: 192.168.0.1

DNS: 192.168.0.1

Secondary DNS: 8.8.8.8

Thank you for your attention.

Correct Answer
Jennifer Halim Tue, 05/29/2012 - 04:34

The reason why you can't ping is because you have the following configured:

static (vlan_postes,WAN_Fibre) 192.168.31.0 192.168.31.0 netmask 255.255.255.0

static (WAN_Fibre,vlan_postes) 192.168.2.0 192.168.2.0 netmask 255.255.255.0

I believe that you need that for your VPN, so please configure Nonat instead:

access-list vlan_postes_nonat permit ip 192.168.31.0 255.255.255.0 192.168.3.0 255.255.255.0

nat (vlan_postes) 0 access-list vlan_postes_nonat

And remove the above static NAT statements.

Then "clear xlate". Ping should work after the above changes.
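As an added illustration (not part of the thread, and not Cisco code), the model below reproduces the ASA 8.2 NAT order of operations that both of Jennifer's replies rely on: NAT exemption (nat 0 access-list) is consulted first, then static NAT, and only then the dynamic nat/global pairs that PAT a VLAN to the egress interface address. It runs the user's "before" rule set (identity statics between vlan_postes and WAN_Fibre) and the "after" rule set (statics removed, exemption scoped to the VPN pool) against two constructed flows. The interface names, addresses and rules are transcribed from the config above; the destination hosts 4.2.2.2 and a VPN client at 192.168.3.5, the egress-interface choice, and all function and class names are assumptions of this example.

```python
"""Toy model of ASA 8.2 NAT precedence: exemption > static > dynamic nat/global.

Added example. Rule sets are transcribed from the thread's config; the flows
(4.2.2.2 on the internet, a VPN client at 192.168.3.5) are constructed."""
import ipaddress
from dataclasses import dataclass

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    in_if: str   # ingress nameif
    out_if: str  # egress nameif chosen by the route lookup


@dataclass(frozen=True)
class Exempt:
    """nat (in_if) 0 access-list <acl>; acl = permit lines as (src_net, dst_net)."""
    in_if: str
    acl: tuple


@dataclass(frozen=True)
class Static:
    """static (in_if,out_if) <mapped> <real> netmask <mask>."""
    in_if: str
    out_if: str
    real: IPv4Net
    mapped: IPv4Net


@dataclass(frozen=True)
class Dynamic:
    """nat (in_if) <id> <real> <mask>, paired with global (out_if) <id> interface."""
    in_if: str
    nat_id: int
    real: IPv4Net


def net(s):
    return ipaddress.IPv4Network(s)


def translate(flow, rules, globals_, if_addrs):
    """Return (mapped_source, rule_class); the first matching class wins."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)

    # 1. nat 0 access-list: identity translation, matched on source AND destination
    for r in rules:
        if isinstance(r, Exempt) and r.in_if == flow.in_if:
            if any(src in s and dst in d for s, d in r.acl):
                return flow.src, "exempt"

    # 2. static: the (ingress, egress) pair must match; the host offset is kept
    for r in rules:
        if (isinstance(r, Static)
                and (r.in_if, r.out_if) == (flow.in_if, flow.out_if)
                and src in r.real):
            offset = int(src) - int(r.real.network_address)
            return str(r.mapped.network_address + offset), "static"

    # 3. dynamic: nat <id> on ingress needs a global <id> on the egress interface
    for r in rules:
        if isinstance(r, Dynamic) and r.in_if == flow.in_if and src in r.real:
            if globals_.get((flow.out_if, r.nat_id)) == "interface":
                return if_addrs[flow.out_if], "dynamic-pat"

    return flow.src, "none"   # nothing matched: forwarded untranslated


# Interface addresses and global pools from the thread's config
IF_ADDRS = {"WAN_Fibre": "192.168.2.253", "WAN_FREE": "192.168.4.253"}
GLOBALS = {("WAN_FREE", 1): "interface", ("WAN_Fibre", 1): "interface"}

DYNAMIC = (Dynamic("vlan_postes", 1, net("192.168.31.0/24")),
           Dynamic("vlan_postes", 1, net("0.0.0.0/0")))

# Before: identity statics between vlan_postes and WAN_Fibre
BEFORE = DYNAMIC + (
    Static("vlan_postes", "WAN_Fibre", net("192.168.31.0/24"), net("192.168.31.0/24")),
    Static("WAN_Fibre", "vlan_postes", net("192.168.2.0/24"), net("192.168.2.0/24")),
)

# After: statics removed, NAT exemption limited to the VPN pool 192.168.3.0/24
AFTER = DYNAMIC + (
    Exempt("vlan_postes", ((net("192.168.31.0/24"), net("192.168.3.0/24")),)),
)

# Constructed flows: a vlan_postes host pinging the internet, and reaching a VPN client
INTERNET = Flow("192.168.31.2", "4.2.2.2", "vlan_postes", "WAN_Fibre")
VPN_PEER = Flow("192.168.31.2", "192.168.3.5", "vlan_postes", "WAN_Fibre")


def run_thread_flows():
    """Evaluate both flows under both rule sets; keys: before/after, internet/vpn."""
    return {
        name: {"internet": translate(INTERNET, rules, GLOBALS, IF_ADDRS),
               "vpn": translate(VPN_PEER, rules, GLOBALS, IF_ADDRS)}
        for name, rules in (("before", BEFORE), ("after", AFTER))
    }


if __name__ == "__main__":
    for name, res in run_thread_flows().items():
        for kind, (mapped, rule) in res.items():
            print(f"{name:6} {kind:8} -> src {mapped:14} via {rule}")
```

With the statics in place, the internet flow leaves WAN_Fibre with its real source 192.168.31.2: the identity static wins over the nat/global pair, so the PAT to 192.168.2.253 never happens and the upstream router has no way to return the reply. With the exemption scoped to the VPN pool only, VPN traffic still keeps its real address while everything else falls through to PAT, which is exactly the effect of the answer above. The general lesson for reviewing a NAT policy is that an identity static or an overly broad nat 0 entry silently pre-empts every rule below it, so exemptions should match only the destinations that genuinely need the real address. The model picks the first matching dynamic rule rather than the most specific one, which makes no difference here because both nat 1 entries share the same global.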

Mediadeshaies Tue, 05/29/2012 - 05:14

Hello Jennifer Halim,

It works! Thank you very much for your help.

Have a good day

Posted May 28, 2012 at 12:48 AM