IPSEC packets are not encrypted

Answered Question
Nov 27th, 2013

Hello (and Happy Thanksgiving to those in the USA),


We recently swapped our ASA and re-applied the saved config to the new device. There is a site-to-site VPN that works and a remote client VPN that does not. We use some Cisco VPN clients and some Shrew Soft VPN clients. I've compared the config of the new ASA to that of the old ASA and I cannot find any differences (but the remote client VPN was working on the old ASA). The remote clients do connect and a tunnel is established, but they are unable to pass traffic. Systems on the network where the ASA is located are able to access the internet.


Output of sho crypto isakmp sa (ignore peer #1, that is the working site-to-site VPN)


   Active SA: 2

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA d

Total IKE SA: 2


1   IKE Peer: xx.168.155.98

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: xx.211.206.48

    Type    : user            Role    : responder

    Rekey   : no              State   : AM_ACTIVE


Output of sho crypto ipsec sa (info regarding site-to-site VPN removed). Packets are decrypted but not encrypted.


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: public-ip


      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.20.1.100/255.255.255.255/0/0)

      current_peer: xx.211.206.48, username: me

      dynamic allocated peer ip: 10.20.1.100


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: public-ip/4500, remote crypto endpt.: xx.211.206.48/4500

      path mtu 1500, ipsec overhead 82, media mtu 1500

      current outbound spi: 7E0BF9B9

      current inbound spi : 41B75CCD


    inbound esp sas:

      spi: 0x41B75CCD (1102535885)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28776

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

      spi: 0xC06BF0DD (3228299485)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, Rekeyed}

         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28774

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x000003FF 0xFFF80001

    outbound esp sas:

      spi: 0x7E0BF9B9 (2114714041)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28774

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

      spi: 0xCBF945AC (3422111148)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, Rekeyed}

         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28772

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001


Config from ASA


: Saved

: Written by me at 19:56:37.957 pst Tue Nov 26 2013

!

ASA Version 8.2(4)

!

hostname mfw01

domain-name company.int

enable password xxx encrypted

passwd xxx encrypted

names

name xx.174.143.97 cox-gateway description cox-gateway

name 172.16.10.0 iscsi-network description iscsi-network

name 192.168.1.0 legacy-network description legacy-network

name 10.20.50.0 management-network description management-network

name 10.20.10.0 server-network description server-network

name 10.20.20.0 user-network description user-network

name 192.168.1.101 private-em-imap description private-em-imap

name 10.20.10.2 private-exchange description private-exchange

name 10.20.10.3 private-ftp description private-ftp

name 192.168.1.202 private-ip-phones description private-ip-phones

name 10.20.10.6 private-kaseya description private-kaseya

name 192.168.1.2 private-mitel-3300 description private-mitel-3300

name 10.20.10.1 private-pptp description private-pptp

name 10.20.10.7 private-sharepoint description private-sharepoint

name 10.20.10.4 private-tportal description private-tportal

name 10.20.10.8 private-xarios description private-xarios

name 192.168.1.215 private-xorcom description private-xorcom

name xx.174.143.99 public-exchange description public-exchange

name xx.174.143.100 public-ftp description public-ftp

name xx.174.143.101 public-tportal description public-tportal

name xx.174.143.102 public-sharepoint description public-sharepoint

name xx.174.143.103 public-ip-phones description public-ip-phones

name xx.174.143.104 public-mitel-3300 description public-mitel-3300

name xx.174.143.105 public-xorcom description public-xorcom

name xx.174.143.108 public-remote-support description public-remote-support

name xx.174.143.109 public-xarios description public-xarios

name xx.174.143.110 public-kaseya description public-kaseya

name xx.174.143.111 public-pptp description public-pptp

name 192.168.2.0 Irvine_LAN description Irvine_LAN

name xx.174.143.98 public-ip

name 10.20.10.14 private-RevProxy description private-RevProxy

name xx.174.143.107 public-RevProxy description Public-RevProxy

name 10.20.10.9 private-XenDesktop description private-XenDesktop

name xx.174.143.115 public-XenDesktop description public-XenDesktop

name 10.20.1.1 private-gateway description private-gateway

name 192.168.1.96 private-remote-support description private-remote-support

!

interface Ethernet0/0

nameif public

security-level 0

ip address public-ip 255.255.255.224

!

interface Ethernet0/1

speed 100

duplex full

nameif private

security-level 100

ip address private-gateway 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.0.1 255.255.255.0

management-only

!

ftp mode passive

clock timezone pst -8

clock summer-time PDT recurring

dns server-group DefaultDNS

domain-name mills.int

object-group service ftp

service-object tcp eq ftp

service-object tcp eq ftp-data

object-group service DM_INLINE_SERVICE_1

group-object ftp

service-object udp eq tftp

object-group service DM_INLINE_TCP_1 tcp

port-object eq 40

port-object eq ssh

object-group service web-server

service-object tcp eq www

service-object tcp eq https

object-group service DM_INLINE_SERVICE_2

service-object tcp eq smtp

group-object web-server

object-group service DM_INLINE_SERVICE_3

service-object tcp eq ssh

group-object web-server

object-group service kaseya

service-object tcp eq 4242

service-object tcp eq 5721

service-object tcp eq 8080

service-object udp eq 5721

object-group service DM_INLINE_SERVICE_4

group-object kaseya

group-object web-server

object-group service DM_INLINE_SERVICE_5

service-object gre

service-object tcp eq pptp

object-group service VPN

service-object gre

service-object esp

service-object ah

service-object tcp eq pptp

service-object udp eq 4500

service-object udp eq isakmp

object-group network MILLS_VPN_VLANS

network-object 10.20.1.0 255.255.255.0

network-object server-network 255.255.255.0

network-object user-network 255.255.255.0

network-object management-network 255.255.255.0

network-object legacy-network 255.255.255.0

object-group service InterTel5000

service-object tcp range 3998 3999

service-object tcp range 6800 6802

service-object udp eq 20001

service-object udp range 5004 5007

service-object udp range 50098 50508

service-object udp range 6604 7039

service-object udp eq bootpc

service-object udp eq tftp

service-object tcp eq 4000

service-object tcp eq 44000

service-object tcp eq www

service-object tcp eq https

service-object tcp eq 5566

service-object udp eq 5567

service-object udp range 6004 6603

service-object tcp eq 6880

object-group service DM_INLINE_SERVICE_6

service-object icmp

service-object tcp eq 2001

service-object tcp eq 2004

service-object tcp eq 2005

object-group service DM_INLINE_SERVICE_7

service-object icmp

group-object InterTel5000

object-group service DM_INLINE_SERVICE_8

service-object icmp

service-object tcp eq https

service-object tcp eq ssh

object-group service RevProxy tcp

description RevProxy

port-object eq 5500

object-group service XenDesktop tcp

description Xen

port-object eq 8080

port-object eq 2514

port-object eq 2598

port-object eq 27000

port-object eq 7279

port-object eq 8000

port-object eq citrix-ica

access-list public_access_in extended permit object-group DM_INLINE_SERVICE_8 any host public-ip

access-list public_access_in extended permit object-group VPN any host public-ip

access-list public_access_in extended permit object-group DM_INLINE_SERVICE_7 any host public-ip-phones

access-list public_access_in extended permit object-group DM_INLINE_SERVICE_1 any host public-ftp

access-list public_access_in extended permit tcp any host public-xorcom object-group DM_INLINE_TCP_1

access-list public_access_in extended permit object-group DM_INLINE_SERVICE_2 any host public-exchange

access-list public_access_in extended permit tcp any host public-RevProxy object-group RevProxy

access-list public_access_in extended permit object-group DM_INLINE_SERVICE_3 any host public-remote-support

access-list public_access_in extended permit object-group DM_INLINE_SERVICE_6 any host public-xarios

access-list public_access_in extended permit object-group web-server any host public-sharepoint

access-list public_access_in extended permit object-group web-server any host public-tportal

access-list public_access_in extended permit object-group DM_INLINE_SERVICE_4 any host public-kaseya

access-list public_access_in extended permit object-group DM_INLINE_SERVICE_5 any host public-pptp

access-list public_access_in extended permit ip any host public-XenDesktop

access-list private_access_in extended permit icmp any any

access-list private_access_in extended permit ip any any

access-list VPN_Users_SplitTunnelAcl standard permit server-network 255.255.255.0

access-list VPN_Users_SplitTunnelAcl standard permit user-network 255.255.255.0

access-list VPN_Users_SplitTunnelAcl standard permit management-network 255.255.255.0

access-list VPN_Users_SplitTunnelAcl standard permit 10.20.1.0 255.255.255.0

access-list VPN_Users_SplitTunnelAcl standard permit legacy-network 255.255.255.0

access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0

access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.20.1.96 255.255.255.240

access-list private_nat0_outbound extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0

access-list public_1_cryptomap extended permit ip object-group MILLS_VPN_VLANS Irvine_LAN 255.255.255.0

access-list public_2_cryptomap extended permit ip object-group MILLS_VPN_VLANS 10.90.2.0 255.255.255.0

pager lines 24

logging enable

logging list Error-Events level warnings

logging monitor warnings

logging buffered warnings

logging trap warnings

logging asdm warnings

logging mail warnings

logging host private private-kaseya

logging permit-hostdown

logging class auth trap alerts

mtu public 1500

mtu private 1500

mtu management 1500

ip local pool VPN_Users 10.20.1.100-10.20.1.110 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (public) 101 interface

nat (private) 0 access-list private_nat0_outbound

nat (private) 101 0.0.0.0 0.0.0.0

nat (management) 101 0.0.0.0 0.0.0.0

static (private,public) public-ip-phones private-ip-phones netmask 255.255.255.255 dns

static (private,public) public-ftp private-ftp netmask 255.255.255.255 dns

static (private,public) public-xorcom private-xorcom netmask 255.255.255.255 dns

static (private,public) public-exchange private-exchange netmask 255.255.255.255 dns

static (private,public) public-RevProxy private-RevProxy netmask 255.255.255.255 dns

static (private,public) public-remote-support private-remote-support netmask 255.255.255.255 dns

static (private,public) public-xarios private-xarios netmask 255.255.255.255 dns

static (private,public) public-sharepoint private-sharepoint netmask 255.255.255.255 dns

static (private,public) public-tportal private-tportal netmask 255.255.255.255 dns

static (private,public) public-kaseya private-kaseya netmask 255.255.255.255 dns

static (private,public) public-pptp private-pptp netmask 255.255.255.255 dns

static (private,public) public-XenDesktop private-XenDesktop netmask 255.255.255.255 dns

access-group public_access_in in interface public

access-group private_access_in in interface private

route public 0.0.0.0 0.0.0.0 cox-gateway 1

route private server-network 255.255.255.0 10.20.1.254 1

route private user-network 255.255.255.0 10.20.1.254 1

route private management-network 255.255.255.0 10.20.1.254 1

route private iscsi-network 255.255.255.0 10.20.1.254 1

route private legacy-network 255.255.255.0 10.20.1.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

ldap attribute-map admin-control

  map-name  comment Privilege-Level

ldap attribute-map allow-dialin

  map-name  msNPAllowDialin IETF-Radius-Class

  map-value msNPAllowDialin FALSE NOACCESS

  map-value msNPAllowDialin TRUE IPSecUsers

ldap attribute-map mills-vpn_users

  map-name  msNPAllowDialin IETF-Radius-Class

  map-value msNPAllowDialin FALSE NOACCESS

  map-value msNPAllowDialin True IPSecUsers

ldap attribute-map network-admins

  map-name  memberOf IETF-Radius-Service-Type

  map-value memberOf FALSE NOACCESS

  map-value memberOf "Network Admins" 6

dynamic-access-policy-record DfltAccessPolicy

aaa-server Mills protocol nt

aaa-server Mills (private) host private-pptp

nt-auth-domain-controller ms01.mills.int

aaa-server Mills_NetAdmin protocol ldap

aaa-server Mills_NetAdmin (private) host private-pptp

server-port 389

ldap-base-dn ou=San Diego,dc=mills,dc=int

ldap-group-base-dn ou=San Diego,dc=mills,dc=int

ldap-scope subtree

ldap-naming-attribute cn

ldap-login-password *

ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int

server-type microsoft

ldap-attribute-map mills-vpn_users

aaa-server NetworkAdmins protocol ldap

aaa-server NetworkAdmins (private) host private-pptp

ldap-base-dn ou=San Diego,dc=mills,dc=int

ldap-group-base-dn ou=San Diego,dc=mills,dc=int

ldap-scope subtree

ldap-naming-attribute cn

ldap-login-password *

ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int

server-type microsoft

ldap-attribute-map network-admins

aaa-server ADVPNUsers protocol ldap

aaa-server ADVPNUsers (private) host private-pptp

ldap-base-dn ou=San Diego,dc=mills,dc=int

ldap-group-base-dn ou=San Diego,dc=mills,dc=int

ldap-scope subtree

ldap-naming-attribute cn

ldap-login-password *

ldap-login-dn cn=asa,ou=Service Accounts,ou=San Diego,dc=mills,dc=int

server-type microsoft

ldap-attribute-map mills-vpn_users

aaa authentication enable console ADVPNUsers LOCAL

aaa authentication http console ADVPNUsers LOCAL

aaa authentication serial console ADVPNUsers LOCAL

aaa authentication telnet console ADVPNUsers LOCAL

aaa authentication ssh console ADVPNUsers LOCAL

http server enable

http 0.0.0.0 0.0.0.0 management

http 0.0.0.0 0.0.0.0 public

http 0.0.0.0 0.0.0.0 private

snmp-server host private private-kaseya poll community ***** version 2c

snmp-server location Mills - San Diego

snmp-server contact Mills Assist

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt noproxyarp private

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map public_map 1 match address public_1_cryptomap

crypto map public_map 1 set pfs

crypto map public_map 1 set peer xx.168.155.98

crypto map public_map 1 set transform-set ESP-3DES-MD5 ESP-AES-128-SHA

crypto map public_map 1 set nat-t-disable

crypto map public_map 1 set phase1-mode aggressive

crypto map public_map 2 match address public_2_cryptomap

crypto map public_map 2 set pfs group5

crypto map public_map 2 set peer xx.181.134.141

crypto map public_map 2 set transform-set ESP-AES-128-SHA

crypto map public_map 2 set nat-t-disable

crypto map public_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map public_map interface public

crypto isakmp enable public

crypto isakmp policy 1

authentication pre-share

encryption aes

hash sha

group 5

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 1

lifetime 28800

telnet 0.0.0.0 0.0.0.0 private

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 public

ssh 0.0.0.0 0.0.0.0 private

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 5

console timeout 0

dhcpd address 192.168.0.2-192.168.0.254 management

!

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp authenticate

ntp server 216.129.110.22 source public

ntp server 173.244.211.10 source public

ntp server 24.124.0.251 source public prefer

webvpn

enable public

svc enable

group-policy NOACCESS internal

group-policy NOACCESS attributes

vpn-simultaneous-logins 0

vpn-tunnel-protocol svc

group-policy IPSecUsers internal

group-policy IPSecUsers attributes

wins-server value 10.20.10.1

dns-server value 10.20.10.1

vpn-tunnel-protocol IPSec

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN_Users_SplitTunnelAcl

default-domain value mills.int

address-pools value VPN_Users

group-policy Irvine internal

group-policy Irvine attributes

vpn-tunnel-protocol IPSec

username admin password Kra9/kXfLDwlSxis encrypted

tunnel-group VPN_Users type remote-access

tunnel-group VPN_Users general-attributes

address-pool VPN_Users

authentication-server-group Mills_NetAdmin

default-group-policy IPSecUsers

tunnel-group VPN_Users ipsec-attributes

pre-shared-key *

tunnel-group xx.189.99.114 type ipsec-l2l

tunnel-group xx.189.99.114 general-attributes

default-group-policy Irvine

tunnel-group xx.189.99.114 ipsec-attributes

pre-shared-key *

tunnel-group xx.205.23.76 type ipsec-l2l

tunnel-group xx.205.23.76 general-attributes

default-group-policy Irvine

tunnel-group xx.205.23.76 ipsec-attributes

pre-shared-key *

tunnel-group xx.168.155.98 type ipsec-l2l

tunnel-group xx.168.155.98 general-attributes

default-group-policy Irvine

tunnel-group xx.168.155.98 ipsec-attributes

pre-shared-key *

!

class-map global-class

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global-policy

class global-class

  inspect dns

  inspect esmtp

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect sip 

  inspect skinny 

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect xdmcp

!

service-policy global-policy global

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege cmd level 3 mode exec command packet-tracer

privilege show level 5 mode exec command import

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command asp

privilege show level 3 mode exec command cpu

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command vlan

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command ipv6

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command eigrp

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command wccp

privilege show level 3 mode exec command webvpn

privilege show level 3 mode exec command module

privilege show level 3 mode exec command uauth

privilege show level 3 mode exec command compression

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:5d5c963680401d150bee94b3c7c85f7a


Maybe my eyes are glazing over from looking at this for too long. Does anything look wrong? Maybe I missed a command that would not show up in the config?


Thanks in advance to all who take a look.
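The counter pattern in the `show crypto ipsec sa` output above (decaps climbing, encaps stuck at zero) is the one thing in the post that points at the answer before any capture is taken: the client's packets arrive and decrypt, but the ASA never sees return traffic to encrypt. The script below is an added example, not part of this thread or of Cisco's tooling; it parses that output layout and turns the encaps/decaps pair into a verdict and a first check. The sample output is constructed: the remote-access entry carries the counters from the post, while the site-to-site entry's counters are made up to show a healthy two-way SA beside it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the layout of "show crypto ipsec sa". The remote-access
# entry uses the counters from the post; the site-to-site counters are invented
# so a healthy, two-way SA appears next to the broken one.
SAMPLE_IPSEC_SA = """\
    Crypto map tag: public_map, seq num: 1, local addr: public-ip

      local ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: xx.168.155.98

      #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
      #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: public-ip

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.1.100/255.255.255.255/0/0)
      current_peer: xx.211.206.48, username: me
      dynamic allocated peer ip: 10.20.1.100

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 20, #pkts decrypt: 20, #pkts verify: 20
"""

_PEER = re.compile(r"current_peer:\s*([^\s,]+)")
_REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)")
_ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
_DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")

# What each counter pattern means and what to look at first.
NEXT_STEP = {
    "bidirectional": "traffic flows both ways; look elsewhere (ACLs, host firewall, MTU)",
    "inbound-only": "peer's packets decrypt fine but nothing is encrypted back: the "
                    "return traffic never reaches the ASA, so check inside routing "
                    "toward the remote/pool prefix and the NAT exemption for it",
    "outbound-only": "ASA encrypts but nothing comes back: check the far side's "
                     "routing and that its crypto ACL mirrors this one",
    "idle": "no traffic in either direction yet; generate some and re-check",
}


@dataclass
class IpsecSa:
    peer: str
    remote_ident: str
    encaps: int
    decaps: int

    @property
    def verdict(self) -> str:
        if self.encaps == 0 and self.decaps > 0:
            return "inbound-only"
        if self.encaps > 0 and self.decaps == 0:
            return "outbound-only"
        if self.encaps == 0 and self.decaps == 0:
            return "idle"
        return "bidirectional"


def parse_ipsec_sa(text: str) -> list[IpsecSa]:
    """Split the command output into one record per crypto-map entry."""
    sas = []
    for chunk in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        found = [rx.search(chunk) for rx in (_PEER, _REMOTE, _ENCAPS, _DECAPS)]
        if not all(found):
            continue  # tolerate trimmed or partial entries
        peer, remote, enc, dec = (m.group(1) for m in found)
        sas.append(IpsecSa(peer, remote, int(enc), int(dec)))
    return sas


def triage(text: str) -> dict[str, str]:
    """Map each peer to a verdict derived from its encaps/decaps counters."""
    return {sa.peer: sa.verdict for sa in parse_ipsec_sa(text)}


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_IPSEC_SA):
        print(f"{sa.peer:16} {sa.remote_ident:34} enc={sa.encaps:<5} dec={sa.decaps:<5} "
              f"{sa.verdict}: {NEXT_STEP[sa.verdict]}")
```

Run against the sample, the site-to-site peer comes back `bidirectional` and the remote-access peer `inbound-only`, which is exactly the split the post describes (L2L fine, clients connect but pass no traffic) and is what sends you to inside routing and the nat0 ACL rather than to the IKE or IPsec configuration.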

Marius Gunnerud Thu, 11/28/2013 - 00:28

Could you run a packet capture when initiating a connection from the host?  If at all possible, amend the ACL to match the VPN client ACL more exactly.


access-list cap-inside extended permit ip 10.20.1.96 255.255.255.240 any

access-list cap-inside extended permit ip any 10.20.1.96 255.255.255.240


capture capin interface inside access-list cap-inside



show capture capin


--

Please rate all helpful posts

Kris McCormick Fri, 11/29/2013 - 09:52

Marius,


I connected via my VPN client at home and pinged a remote server, attempted to RDP by name and then attempted to RDP by IP address. All were unsuccessful. Here is the packet capture:


72 packets captured


   1: 09:44:06.304671 10.20.1.100.137 > 10.20.10.1.137:  udp 68

   2: 09:44:06.304885 10.20.1.100.54543 > 10.20.10.1.53:  udp 34

   3: 09:44:07.198384 10.20.1.100.51650 > 10.20.10.1.53:  udp 32

   4: 09:44:07.300353 10.20.1.100.54543 > 10.20.10.1.53:  udp 34

   5: 09:44:07.786504 10.20.1.100.137 > 10.20.10.1.137:  udp 68

   6: 09:44:07.786671 10.20.1.100.137 > 10.20.10.1.137:  udp 68

   7: 09:44:07.786855 10.20.1.100.137 > 10.20.10.1.137:  udp 68

   8: 09:44:08.198399 10.20.1.100.51650 > 10.20.10.1.53:  udp 32

   9: 09:44:09.282608 10.20.1.100.61328 > 10.20.10.1.53:  udp 32

  10: 09:44:09.286667 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  11: 09:44:09.286926 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  12: 09:44:09.287201 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  13: 09:44:09.300491 10.20.1.100.54543 > 10.20.10.1.53:  udp 34

  14: 09:44:10.199193 10.20.1.100.51650 > 10.20.10.1.53:  udp 32

  15: 09:44:10.282150 10.20.1.100.61328 > 10.20.10.1.53:  udp 32

  16: 09:44:11.286865 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  17: 09:44:12.302993 10.20.1.100.61328 > 10.20.10.1.53:  udp 32

  18: 09:44:12.785054 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  19: 09:44:13.301101 10.20.1.100.54543 > 10.20.10.1.53:  udp 34

  20: 09:44:14.204029 10.20.1.100.51650 > 10.20.10.1.53:  udp 32

  21: 09:44:14.287323 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  22: 09:44:14.375331 10.20.1.100 > 10.20.10.1: icmp: echo request

  23: 09:44:16.581589 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  24: 09:44:18.083842 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  25: 09:44:18.199879 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  26: 09:44:19.224063 10.20.1.100 > 10.20.10.1: icmp: echo request

  27: 09:44:19.582367 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  28: 09:44:19.704019 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  29: 09:44:20.288193 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  30: 09:44:21.200307 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  31: 09:44:21.786321 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  32: 09:44:23.289535 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  33: 09:44:24.204777 10.20.1.100 > 10.20.10.1: icmp: echo request

  34: 09:44:29.219440 10.20.1.100 > 10.20.10.1: icmp: echo request

  35: 09:44:29.287460 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  36: 09:44:30.787617 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  37: 09:44:32.287887 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  38: 09:45:00.533816 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  39: 09:45:02.018019 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  40: 09:45:03.160239 10.20.1.100.52764 > 10.20.10.1.53:  udp 34

  41: 09:45:03.350354 10.20.1.100.53948 > 10.20.10.1.53:  udp 38

  42: 09:45:03.521960 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  43: 09:45:04.158408 10.20.1.100.52764 > 10.20.10.1.53:  udp 34

  44: 09:45:04.344342 10.20.1.100.53948 > 10.20.10.1.53:  udp 38

  45: 09:45:06.160681 10.20.1.100.52764 > 10.20.10.1.53:  udp 34

  46: 09:45:06.358593 10.20.1.100.53948 > 10.20.10.1.53:  udp 38

  47: 09:45:10.159125 10.20.1.100.52764 > 10.20.10.1.53:  udp 34

  48: 09:45:10.345227 10.20.1.100.53948 > 10.20.10.1.53:  udp 38

  49: 09:45:14.550478 10.20.1.100.59402 > 10.20.10.1.53:  udp 32

  50: 09:45:15.536166 10.20.1.100.59402 > 10.20.10.1.53:  udp 32

  51: 09:45:17.546144 10.20.1.100.59402 > 10.20.10.1.53:  udp 32

  52: 09:45:21.882812 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  53: 09:45:23.379222 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  54: 09:45:24.893386 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  55: 09:45:41.550035 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  56: 09:45:43.029875 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  57: 09:45:44.541979 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  58: 09:46:10.767782 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  59: 09:46:12.261934 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  60: 09:46:13.776250 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  61: 09:46:19.848970 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  62: 09:46:20.113183 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192

  63: 09:46:21.331251 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  64: 09:46:22.831423 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  65: 09:46:23.101511 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  66: 09:46:23.123254 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192

  67: 09:46:24.591705 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  68: 09:46:26.115976 10.20.1.100.137 > 10.20.10.1.137:  udp 50

  69: 09:46:28.834276 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  70: 09:46:29.125817 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192

  71: 09:46:30.342816 10.20.1.100.137 > 10.20.10.1.137:  udp 68

  72: 09:46:31.840746 10.20.1.100.137 > 10.20.10.1.137:  udp 68

72 packets shown
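Reading the capture above by hand comes down to one question per flow: did anything ever come back from the destination? The script below is an added example, not code from this thread; it parses the `show capture` line format the ASA printed (NetBIOS and DNS to 10.20.10.1, ICMP echo requests, TCP SYNs to 10.20.10.7) and lists each flow with whether a reply direction was seen, plus the hosts that never sent a packet. The sample is constructed: lines 1 to 6 are copied from the capture in the post, and lines 7 and 8 (an echo reply from 10.20.10.2) are made up so an answered flow appears beside the unanswered ones.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample in the layout of "show capture". Lines 1-6 are taken from the
# post's capture; lines 7-8 are invented so the report shows an answered flow too.
SAMPLE_CAPTURE = """\
   1: 09:44:06.304885 10.20.1.100.54543 > 10.20.10.1.53:  udp 34
   2: 09:44:07.300353 10.20.1.100.54543 > 10.20.10.1.53:  udp 34
   3: 09:44:14.375331 10.20.1.100 > 10.20.10.1: icmp: echo request
   4: 09:44:19.224063 10.20.1.100 > 10.20.10.1: icmp: echo request
   5: 09:46:20.113183 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
   6: 09:46:23.123254 10.20.1.100.49751 > 10.20.10.7.3389: S 3288428077:3288428077(0) win 8192
   7: 09:46:40.000000 10.20.1.100 > 10.20.10.2: icmp: echo request
   8: 09:46:40.000412 10.20.10.2 > 10.20.1.100: icmp: echo reply
"""

# "<n>: <time> <src[.port]> > <dst[.port]>: <rest>"; header/footer lines do not match.
_LINE = re.compile(r"^\s*\d+:\s+\S+\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$")


def host_of(endpoint: str) -> str:
    """'10.20.1.100.54543' -> '10.20.1.100'; a bare address is returned unchanged."""
    parts = endpoint.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else endpoint


def proto_of(rest: str) -> str:
    # The ASA prints 'udp' and 'icmp' explicitly; TCP lines start with flags and sequence numbers.
    rest = rest.lstrip()
    if rest.startswith("icmp"):
        return "icmp"
    if rest.startswith("udp"):
        return "udp"
    return "tcp"


def analyze_capture(text: str) -> list[dict]:
    """Group packets into flows (both directions under one key) and note which directions were seen."""
    flows: dict[tuple, dict[tuple, int]] = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # e.g. '72 packets captured'
        src, dst = m["src"], m["dst"]
        key = (proto_of(m["rest"]),) + tuple(sorted((src, dst)))
        flows[key][(src, dst)] += 1
    report = []
    for (proto, a, b), directions in flows.items():
        report.append({
            "proto": proto,
            "endpoints": (a, b),
            "packets": sum(directions.values()),
            "answered": len(directions) == 2,
        })
    return report


def silent_hosts(text: str) -> list[str]:
    """Hosts that were sent packets but never sent any back."""
    srcs, dsts = set(), set()
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            srcs.add(host_of(m["src"]))
            dsts.add(host_of(m["dst"]))
    return sorted(dsts - srcs)


if __name__ == "__main__":
    for f in analyze_capture(SAMPLE_CAPTURE):
        state = "answered" if f["answered"] else "NO REPLY"
        print(f"{f['proto']:4} {f['endpoints'][0]:>22} <-> {f['endpoints'][1]:<22} "
              f"{f['packets']:3} pkts  {state}")
    print("hosts that never replied:", silent_hosts(SAMPLE_CAPTURE))
```

On the sample, the DNS, ICMP and RDP flows toward 10.20.10.1 and 10.20.10.7 all come out as `NO REPLY` while the constructed 10.20.10.2 exchange is `answered`, so the silent-host list is the set of machines whose return path needs checking. A capture on the inside interface only proves the ASA forwarded the request; if the same host answers a ping from a host on 10.20.10.0/24, the fault is in how that segment routes back to the VPN pool, not on the ASA.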

Correct Answer
Marius Gunnerud Fri, 11/29/2013 - 10:12

We see that the echo request is sent out the interface but there is no echo reply.  This looks to be a routing issue between the ASA and the host you are trying to ping.  Could you check the routing so that traffic destined for the 10.20.1.0 network is routed toward the ASA.  If there is no other routing device, make sure that the default gateway is correct on the host you are trying to reach.


If you are trying to ping a Windows machine, make sure Windows Firewall is off or allows ICMP.


--

Please remember to rate and select a correct answer

Kris McCormick Fri, 11/29/2013 - 10:36

Marius,


You were correct. The internal gateway behind the ASA is an Enterasys switch. I added this route:


ip route 10.20.1.96 255.255.255.240 10.20.1.1


Once added, I was able to connect to internal resources via the VPN client.


What is odd is that the Enterasys did not require this route before the hardware swap for us to access via the VPN client. Oh well, I am glad it is working now.


Thanks so much for the assistance!
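The route that fixed it ties three pieces of the posted config together: the client pool (`ip local pool VPN_Users 10.20.1.100-10.20.1.110`), the nat0 exemption destination `10.20.1.96 255.255.255.240`, and the new switch route for that same /28 pointing at the ASA's private address 10.20.1.1. The pool also sits inside the private interface's own 10.20.1.0/24, and the config has `sysopt noproxyarp private`, so a router that treats 10.20.1.100 as directly connected will ARP for it and get nothing back; a route more specific than the connected /24 is what steers replies to the ASA instead. The script below is an added example, not code from this thread or from Cisco; it checks that every pool address is covered by the routed prefix and by a NAT-exemption destination, and flags the overlap with the inside subnet. The pool, interface, route and nat0 values are the ones from the config; the "bad route" case is constructed to show what a too-narrow prefix looks like.

```python
from __future__ import annotations

import ipaddress

# Values taken from the configuration and the fix in this thread.
POOL_START, POOL_END = "10.20.1.100", "10.20.1.110"   # ip local pool VPN_Users
PRIVATE_IF = "10.20.1.1/24"                           # interface Ethernet0/1 (private)
SWITCH_ROUTE = "10.20.1.96/28"                        # ip route 10.20.1.96 255.255.255.240 10.20.1.1
NAT0_DESTS = ["192.168.2.0/24", "10.20.1.96/28", "10.90.2.0/24"]  # private_nat0_outbound destinations


def pool_hosts(start: str, end: str) -> list[ipaddress.IPv4Address]:
    """Expand an ASA 'ip local pool' range into individual addresses."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return [ipaddress.ip_address(i) for i in range(int(s), int(e) + 1)]


def audit_pool(start: str, end: str, routed_prefix: str,
               nat0_dests: list[str], inside_if: str) -> dict:
    """Check the client pool against the inside route and the NAT-exemption ACL."""
    hosts = pool_hosts(start, end)
    routed = ipaddress.ip_network(routed_prefix)
    inside = ipaddress.ip_interface(inside_if).network
    exempt = [ipaddress.ip_network(n) for n in nat0_dests]
    overlaps = routed.overlaps(inside)
    return {
        "pool_size": len(hosts),
        # pool addresses the inside route would not send back to the ASA
        "unrouted": [str(h) for h in hosts if h not in routed],
        # pool addresses that would be NATed instead of passed through the tunnel
        "not_nat_exempt": [str(h) for h in hosts if not any(h in n for n in exempt)],
        # pool carved out of the inside subnet: inside devices see it as directly
        # connected, so only a more-specific route (or proxy ARP) brings replies back
        "overlaps_inside": overlaps,
        "route_more_specific_than_inside": overlaps and routed.prefixlen > inside.prefixlen,
    }


def describe(result: dict) -> list[str]:
    """Human-readable findings; an empty list means the pool is consistently plumbed."""
    findings = []
    if result["unrouted"]:
        findings.append(f"{len(result['unrouted'])} pool address(es) outside the routed prefix: "
                        f"{result['unrouted'][0]} .. {result['unrouted'][-1]}")
    if result["not_nat_exempt"]:
        findings.append(f"{len(result['not_nat_exempt'])} pool address(es) not NAT-exempt")
    if result["overlaps_inside"] and not result["route_more_specific_than_inside"]:
        findings.append("pool overlaps the inside subnet but the route is not more specific "
                        "than the connected prefix; inside hosts will ARP for pool addresses")
    return findings


if __name__ == "__main__":
    ok = audit_pool(POOL_START, POOL_END, SWITCH_ROUTE, NAT0_DESTS, PRIVATE_IF)
    print("thread's fix:", describe(ok) or "consistent")
    # Constructed: a /29 covers only 10.20.1.96-103 and strands the top of the pool.
    bad = audit_pool(POOL_START, POOL_END, "10.20.1.96/29", NAT0_DESTS, PRIVATE_IF)
    print("too-narrow route:", describe(bad))
```

With the values from the thread the audit comes back clean: all eleven pool addresses fall inside 10.20.1.96/28, that prefix is a nat0 destination, and the /28 is longer than the connected /24 so the switch prefers it. Shrinking the route to a /29 shows the failure mode to watch for when a pool is later enlarged: the addresses above 10.20.1.103 would again be reachable only through ARP on the inside segment, and clients landing on them would see the same decrypt-but-never-encrypt counters as the original post.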

Marius Gunnerud Fri, 11/29/2013 - 11:04

Glad you got it working :-)
