05-09-2014 01:26 AM - edited 03-11-2019 09:10 PM
05-17-2014 05:07 PM
You have an access-list for your remote access VPN users' address pool but you also need to reference it with a NAT exemption.
Try:
nat (inside) 0 access-list nonat
Here's a good reference to use.
05-09-2014 05:00 AM
If you go to the Cisco self-service licensing portal, you can request the activation key for a permanent AES-3DES license.
On that page, choose "Get New > IPS, Crypto, Other Licenses". Then select "Security Products" and then "Cisco ASA 3DES/AES License". Enter your unit's serial number and click Next. After submitting you should receive the activation key via email within a few minutes.
Once received, simply log into the ASA and enter "activation-key <the provided alphanumeric key>".
05-09-2014 10:35 AM
Dear Sir,
Thanks for your reply. I downloaded the new license and I am getting the key, but it is also for 90 days only. Please see the details below from Cisco.
Limited Warranty
Cisco warrants that commencing from the date of shipment to Customer (but in case of resale by an authorized Cisco reseller, commencing not more than ninety (90) days after original shipment by Cisco), and continuing for a period of the longer of (a) ninety (90) days or (b) the software warranty period (if any) set forth in the warranty card accompanying the Product (if any): (a) the media on which the Software is furnished will be free of defects in materials and workmanship under normal use; and (b) the Software substantially conforms to its published specifications. The date of shipment of a Product by Cisco is set forth on the packaging material in which the Product is shipped. Except for the foregoing, the Software is provided AS IS. This limited warranty extends only to the Customer who is the original licensee. Customer's sole and exclusive remedy and the entire liability of Cisco and its suppliers and licensors under this limited warranty will be, at Cisco's option, repair, replacement, or refund of the Software if reported (or, upon request, returned) to Cisco or the party supplying the Software to Customer, if different than Cisco. In no event does Cisco warrant that the Software is error free or that Customer will be able to operate the Software without problems or interruptions. In addition, due to the continual development of new techniques for intruding upon and attacking networks, Cisco does not warrant that the Software or any equipment, system or network on which the Software is used will be free of vulnerability to intrusion or attack.
Restrictions.
This warranty does not apply if the Software, Product or any other equipment upon which the Software is authorized to be used (a) has been altered, except by Cisco, (b) has not been installed, operated, repaired, or maintained in accordance with instructions supplied by Cisco, (c) has been subjected to abnormal physical or electrical stress, misuse, negligence, or accident; or (d) is licensed, for beta, evaluation, testing or demonstration purposes for which Cisco does not charge a purchase price or license fee.
05-09-2014 11:23 AM
The text you pasted in refers to the product (software) warranty.
The 3DES-AES license / activation-key does not expire - it is "perpetual". You can validate that by typing the following at the cli while in enable mode:
show activation-key | i 3DES
You should see something like:
VPN-3DES-AES : Enabled perpetual
05-16-2014 01:53 AM
sh version
Cisco Adaptive Security Appliance Software Version 8.2(2)
Device Manager Version 6.2(1)
Compiled on Mon 11-Jan-10 14:19 by builders
System image file is "disk0:/asa822-k8.bin"
Config file at boot was "startup-config"
kunauto up 6 days 3 hours
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is f866.f2c4.bcde, irq 9
1: Ext: Ethernet0/1 : address is f866.f2c4.bcdf, irq 9
2: Ext: Ethernet0/2 : address is f866.f2c4.bce0, irq 9
3: Ext: Ethernet0/3 : address is f866.f2c4.bce1, irq 9
4: Ext: Management0/0 : address is f866.f2c4.bce2, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
05-17-2014 07:19 AM
# show activation-key | i 3DES
VPN-3DES-AES : Enabled
05-17-2014 11:27 AM
Dear Mr. Marvin Rhoads,
As per the config below for remote VPN and site-to-site VPN, remote VPN users are unable to access the local network. Please suggest any config required.
Local server IP 192.168.215.4: not able to ping this server. Remote VPN connectivity is working fine, but the local network cannot be pinged from VPN users.
ASA Version 8.2(2)
!
hostname
domain-name kunchevrolet
enable password r8xwsBuKsSP7kABz encrypted
passwd r8xwsBuKsSP7kABz encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
pppoe client vpdn group dataone
ip address pppoe
!
interface Ethernet0/1
nameif inside
security-level 50
ip address 192.168.215.2 255.255.255.0
!
interface Ethernet0/2
nameif Internet
security-level 0
ip address dhcp setroute
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
ftp mode passive
clock timezone IST 5 30
dns server-group DefaultDNS
domain-name kunchevrolet
same-security-traffic permit intra-interface
object-group network GM-DC-VPN-Gateway
object-group network net-local
access-list sptnl extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Internet 1500
ip local pool vpn_users 192.168.2.1-192.168.2.250 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 59.90.214.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http x.x.x.x 255.255.255.252 outside
http 192.168.215.0 255.255.255.252 inside
http 192.168.215.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 65500 set transform-set myset
crypto map VPN 10 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
crypto map ASA-01 10 set peer 221.135.138.130
crypto map ASA-01 10 set transform-set myset
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 28800
telnet 192.168.215.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group dataone request dialout pppoe
vpdn group dataone localname bb4027654187_scdrid
vpdn group dataone ppp authentication chap
vpdn username bb4027654187_scdrid password ***** store-local
dhcp-client client-id interface Internet
dhcpd dns 218.248.255.141 218.248.245.1
!
dhcpd address 192.168.215.11-192.168.215.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
webvpn
enable outside
tunnel-group-list enable
group-policy kun internal
group-policy kun attributes
vpn-simultaneous-logins 8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value kunchevrolet
username test password P4ttSyrm33SV8TYp encrypted
username kunauto password bSHrKTGl8PUbvus/ encrypted privilege 15
username kunauto attributes
vpn-group-policy kun
vpn-tunnel-protocol IPSec
tunnel-group vpngroup type remote-access
tunnel-group vpngroup general-attributes
address-pool vpn_users
default-group-policy kun
tunnel-group vpngroup webvpn-attributes
group-alias vpngroup enable
tunnel-group vpngroup ipsec-attributes
pre-shared-key *****
tunnel-group test type remote-access
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d2497e1280e41ab3875e77c6b184cf8
: end
kunauto#
05-18-2014 12:01 AM
Dear Mr. Marvin Rhoads,
Thanks for your reply.
With this command, nat (inside) 0 access-list nonat, applied on the firewall I am able to ping, but through the connected VPN client we are not able to ping the local server 192.168.215.4.
(config)# ping 192.168.215.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.215.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
kunauto(config)#
05-18-2014 06:56 AM
I noticed your address pool for VPN clients (192.168.215.1-250) overlaps your inside interface (192.168.215.2). Please adjust the pool range to exclude that and any other hosts addresses you have statically configured in that subnet. We typically recommend a unique subnet be used for VPN clients to minimize the potential for such confusion.
Can you run:
packet-tracer input outside icmp <your VPN client address> 0 0 192.168.215.4
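The accepted answer (a NAT exemption for the client pool) and the address-pool advice above, put together as one ASA 8.2 configuration fragment with the commands used to check it. This is an added example, not configuration from the original poster or from Cisco. The inside subnet 192.168.215.0/24, the pool 192.168.2.0/24, the server 192.168.215.4 and the group-policy name kun are taken from the thread; the client address 192.168.2.2 used in the verification commands is the one from the capture later in the thread.

```text
! Client pool: use a subnet that is not configured on any inside interface or
! static host, so that LAN hosts and clients never share addresses
ip local pool vpn_users 192.168.2.1-192.168.2.250 mask 255.255.255.0

! With nat-control on, inside hosts need a translation to reach any lower
! security interface. Exempt LAN -> VPN-pool traffic from NAT (ASA 8.2 "nat 0").
access-list nonat extended permit ip 192.168.215.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Everything else from inside is still PATed to the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

! Split tunnel: only the LAN prefix is sent through the tunnel by the client
access-list split-tunnel standard permit 192.168.215.0 255.255.255.0
group-policy kun attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

! Verification: confirm the rules are in the running config, then trace a
! client echo request inbound and a server echo reply outbound
show run nat
show run access-list nonat
packet-tracer input outside icmp 192.168.2.2 8 0 192.168.215.4
packet-tracer input inside icmp 192.168.215.4 8 0 192.168.2.2
```

In the inside-to-outside trace the NAT phase should show "NAT exempt" with the match line for 192.168.215.0/24 to 192.168.2.0/24, as it does in the packet-tracer output posted later in this thread; if it instead shows the dynamic PAT rule, the nonat ACL does not cover the pool. Decrypted VPN traffic bypasses the outside interface ACL because sysopt connection permit-vpn is enabled by default; if that has been disabled, an inbound ACL on outside must also permit the pool.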
05-19-2014 07:41 AM
Please find the report below.
show capture cap_test
20 packets captured
1: 04:26:57.419274 192.168.2.2 > 192.168.215.4: icmp: echo request
2: 04:27:01.932858 192.168.2.2 > 192.168.215.4: icmp: echo request
3: 04:27:06.933347 192.168.2.2 > 192.168.215.4: icmp: echo request
4: 04:27:11.931897 192.168.2.2 > 192.168.215.4: icmp: echo request
5: 04:27:16.934064 192.168.2.2 > 192.168.215.4: icmp: echo request
6: 04:27:21.931378 192.168.2.2 > 192.168.215.4: icmp: echo request
7: 04:27:26.930371 192.168.2.2 > 192.168.215.4: icmp: echo request
8: 04:27:31.932370 192.168.2.2 > 192.168.215.4: icmp: echo request
9: 04:27:36.939023 192.168.2.2 > 192.168.215.4: icmp: echo request
10: 04:27:41.931882 192.168.2.2 > 192.168.215.4: icmp: echo request
11: 04:27:46.933850 192.168.2.2 > 192.168.215.4: icmp: echo request
12: 04:27:51.930142 192.168.2.2 > 192.168.215.4: icmp: echo request
13: 04:27:56.930615 192.168.2.2 > 192.168.215.4: icmp: echo request
14: 04:28:01.930142 192.168.2.2 > 192.168.215.4: icmp: echo request
15: 04:28:06.930860 192.168.2.2 > 192.168.215.4: icmp: echo request
16: 04:28:11.930844 192.168.2.2 > 192.168.215.4: icmp: echo request
17: 04:28:16.931561 192.168.2.2 > 192.168.215.4: icmp: echo request
18: 04:28:21.929105 192.168.2.2 > 192.168.215.4: icmp: echo request
19: 04:28:26.929593 192.168.2.2 > 192.168.215.4: icmp: echo request
20: 04:28:31.429497 192.168.2.2 > 192.168.215.4: icmp: echo request
20 packets shown
kunauto# packet-tracer input inside icmp 192.168.215.4 8 0 192.168.2.2
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.2.2 255.255.255.255 outside
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip inside 192.168.215.0 255.255.255.0 outside 192.168.2.0 255.255.255.0
NAT exempt
translate_hits = 1, untranslate_hits = 358
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (59.90.214.144 [Interface PAT])
translate_hits = 524205, untranslate_hits = 98146
Additional Information:
Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip inside any outside any
dynamic translation to pool 1 (59.90.214.144 [Interface PAT])
translate_hits = 524205, untranslate_hits = 98146
Additional Information:
Phase: 12
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 546896, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
05-19-2014 08:24 AM
So your cap_test shows the packets from the VPN client at 192.168.2.2 to the server at 192.168.215.4. That's good.
Can you check if replies are coming back via the firewall? (i.e. set up a different cap_test to look for the ICMP echo replies). If they aren't, you may have either a host firewall or routing issue.
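One way to run the check asked for above, as an added example that is not part of the original thread: a capture on the inside interface whose ACL matches both directions of the ping, so that echo requests and echo replies land in the same capture. The client address 192.168.2.2 and the server 192.168.215.4 come from the thread; the ACL and capture names are assumed.

```text
! Match the echo requests (client -> server) AND the replies (server -> client)
access-list cap_icmp extended permit icmp host 192.168.2.2 host 192.168.215.4
access-list cap_icmp extended permit icmp host 192.168.215.4 host 192.168.2.2

! Capture on the inside interface, where both directions are plaintext
capture cap_in interface inside access-list cap_icmp

! Ping the server from the VPN client, then inspect the capture.
! The second command lists only the replies.
show capture cap_in
show capture cap_in | include 192.168.215.4 >

! Count packets the ASA itself dropped while the ping was running
show asp drop

! Remove the capture when done; captures cost memory and CPU
no capture cap_in
```

Reading the result: requests present but no replies means the server never answered or answered via another gateway, i.e. a host firewall or a routing issue on the server side; replies present on inside but the client still sees nothing points at the ASA, and show asp drop will then show which drop counter is increasing.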
05-09-2014 06:20 PM
Hi,
Marvin is right, the 3DES/AES license is free and it's permanent.
Could you also post the output of show version to see if it's enabled and if you have other time-based licenses?
05-16-2014 01:52 AM
05-16-2014 03:42 AM
As I noted above, "show activation-key | i 3DES" will further indicate the license is perpetual.