04-10-2010 04:19 PM
I have one windows 7 PC that is able to connect and authenticate, but cannot ping any host on the remote network.
Any help is appreciated; I have been unable to generate any deny messages from ping/tracert or RDP connections.
My sh run:
cerberus(config)# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname cerberus
domain-name arcadia.com
enable password xxx encrypted
passwd xxx.xx encrypted
names
name 10.42.42.21 media_center description media center pc
!
interface Vlan11
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan21
nameif inside
security-level 100
ip address 10.42.42.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 11
!
interface Ethernet0/1
switchport access vlan 21
!
interface Ethernet0/2
switchport access vlan 21
!
interface Ethernet0/3
switchport access vlan 21
!
interface Ethernet0/4
switchport access vlan 21
!
interface Ethernet0/5
switchport access vlan 21
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name arcadia.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP
description remote desktop
service-object tcp eq 3389
service-object tcp eq 8080
service-object tcp-udp eq domain
object-group service bittorrent
service-object tcp-udp eq 62774
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list public_traffic extended permit object-group RDP any interface outside
access-list public_traffic extended permit object-group bittorrent any interface outside
access-list public_traffic extended permit object-group TCPUDP any interface outside eq www
access-list nonat standard permit 10.42.42.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging asdm warnings
mtu outside 1500
mtu inside 1500
ip local pool sct_vpn 10.42.42.55-10.42.42.60 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0 dns
static (inside,outside) tcp interface 3389 media_center 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 media_center 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 62774 media_center 62774 netmask 255.255.255.255
static (inside,outside) tcp interface www media_center www netmask 255.255.255.255
access-group public_traffic in interface outside
timeout xlate 3:00:00
timeout conn 12:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
file-browsing enable
aaa authentication ssh console LOCAL
http server enable
http 10.42.42.0 255.255.255.0 inside
snmp-server group Authentication&Encryption v3 priv
snmp-server location xxx
snmp-server contact xxx@gmail.com
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set aes-md5 esp-aes esp-md5-hmac
crypto ipsec transform-set aes-md5 mode transport
crypto ipsec transform-set 3des_md5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3des_md5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA TRANS_ESP_3DES_SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 aes-md5 3des_md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcp-client client-id interface outside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 24000
dhcpd domain arcadia.com
!
dhcpd address 10.42.42.20-10.42.42.40 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 24000 interface inside
dhcpd domain arcadia.com interface inside
dhcpd enable inside
!
priority-queue outside
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics host number-of-rate 3
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 131.216.22.17 source outside prefer
ntp server 131.216.22.15 source outside
tftp-server inside media_center TFTP-Root
webvpn
csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
csd enable
group-policy DfltGrpPolicy attributes
banner value Welcome to SocalTrails!
vpn-tunnel-protocol IPSec l2tp-ipsec
ip-comp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nonat
username jzakhar password xxx nt-encrypted privilege 15
username andy password xxx nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool sct_vpn
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (outside) LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
!
class-map CM_HTTP
match port tcp eq www
class-map CM_RDP
match port tcp eq 3389
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map PM_RDP
class CM_HTTP
priority
class CM_RDP
priority
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
!
service-policy global_policy global
service-policy PM_RDP interface outside
prompt hostname context
Cryptochecksum:e2c8434ca3438eb01a3e4256ec9ea646
: end
04-10-2010 04:53 PM
You would need to configure NAT exemption as follows:
access-list inside-nonat permit ip any 10.42.42.0 255.255.255.0
nat (inside) 0 access-list inside-nonat
To ping, you would need to add the following:
policy-map global_policy
class inspection_default
inspect icmp
I would recommend that you change the ip pool to a different subnet to your internal network if the above doesn't work, and configure the NAT exemption access-list accordingly.
Hope that helps.
04-10-2010 08:11 PM
Still no luck over here on the Windows 7 pc.
The ASA cannot ping the Win7 host either with the VPN connected.
I did take your advice and added a new IP pool for VPN users; I am assuming the router will add the route automagically?
I noticed the access-list isn't getting any hits. This used to be so much easier on the IOS routers.
As always any help is much appreciated.
cerberus(config)# sh ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 99.178.130.201
local ident (addr/mask/prot/port): (99.178.130.201/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): (172.28.42.19/255.255.255.255/17/1701)
current_peer: 172.28.42.19, username: jzakhar
dynamic allocated peer ip: 10.42.44.20
#pkts encaps: 32, #pkts encrypt: 32, #pkts digest: 32
#pkts decaps: 124, #pkts decrypt: 124, #pkts verify: 124
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 32, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 99.178.130.201, remote crypto endpt.: 172.28.42.19
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 37700603
current inbound spi : D20471BE
inbound esp sas:
spi: 0xD20471BE (3523506622)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Transport, }
slot: 0, conn_id: 139264, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (212388/3204)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x37700603 (930088451)
transform: esp-3des esp-sha-hmac no compression
in use settings ={RA, Transport, }
slot: 0, conn_id: 139264, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (212400/3204)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
sh run:
cerberus(config)# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname cerberus
domain-name arcadia.com
enable password xx encrypted
passwd xx encrypted
names
name 10.42.42.21 media_center description media center pc
!
interface Vlan11
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan21
nameif inside
security-level 100
ip address 10.42.42.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 11
!
interface Ethernet0/1
switchport access vlan 21
!
interface Ethernet0/2
switchport access vlan 21
!
interface Ethernet0/3
switchport access vlan 21
!
interface Ethernet0/4
switchport access vlan 21
!
interface Ethernet0/5
switchport access vlan 21
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
domain-name arcadia.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP
description remote desktop
service-object tcp eq 3389
service-object tcp eq 8080
service-object tcp-udp eq domain
object-group service bittorrent
service-object tcp-udp eq 62774
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list public_traffic extended permit object-group RDP any interface outside
access-list public_traffic extended permit object-group bittorrent any interface outside
access-list public_traffic extended permit object-group TCPUDP any interface outside eq www
access-list inside-nonat extended permit ip any 10.42.44.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging asdm warnings
mtu outside 1500
mtu inside 1500
ip local pool sct 10.42.44.20-10.42.44.25 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside-nonat
nat (inside) 101 0.0.0.0 0.0.0.0 dns
static (inside,outside) tcp interface 3389 media_center 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 media_center 8080 netmask 255.255.255.255
static (inside,outside) tcp interface 62774 media_center 62774 netmask 255.255.255.255
static (inside,outside) tcp interface www media_center www netmask 255.255.255.255
access-group public_traffic in interface outside
timeout xlate 3:00:00
timeout conn 12:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
file-browsing enable
aaa authentication ssh console LOCAL
http server enable
http 10.42.42.0 255.255.255.0 inside
snmp-server group Authentication&Encryption v3 priv
snmp-server location Clairemont
snmp-server contact xxx@gmail.com
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set aes-md5 esp-aes esp-md5-hmac
crypto ipsec transform-set aes-md5 mode transport
crypto ipsec transform-set 3des_md5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3des_md5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA TRANS_ESP_3DES_SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 aes-md5 3des_md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcp-client client-id interface outside
dhcpd dns 8.8.8.8 8.8.4.4
dhcpd lease 24000
dhcpd domain arcadia.com
!
dhcpd address 10.42.42.20-10.42.42.40 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd lease 24000 interface inside
dhcpd domain arcadia.com interface inside
dhcpd enable inside
!
priority-queue outside
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics host number-of-rate 3
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 131.216.22.17 source outside prefer
ntp server 131.216.22.15 source outside
tftp-server inside media_center TFTP-Root
webvpn
csd image disk0:/securedesktop-asa-3.2.1.103-k9.pkg
csd enable
group-policy DfltGrpPolicy attributes
banner value Welcome to SocalTrails!
vpn-tunnel-protocol IPSec l2tp-ipsec
ip-comp enable
split-tunnel-policy tunnelspecified
username jzakhar password xx nt-encrypted privilege 15
username andy password xx nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool sct
authentication-server-group (outside) LOCAL
authorization-server-group LOCAL
authorization-server-group (outside) LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
!
class-map CM_HTTP
match port tcp eq www
class-map CM_RDP
match port tcp eq 3389
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map PM_RDP
class CM_HTTP
priority
class CM_RDP
priority
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
inspect icmp
!
service-policy global_policy global
service-policy PM_RDP interface outside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2b7fff22d00ccacd1854e00dd5a55822
: end
cerberus(config)#
04-10-2010 08:14 PM
This doesn't seem right for the route:
cerberus(config)# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 99.178.128.1 to network 0.0.0.0
C 99.178.128.0 255.255.252.0 is directly connected, outside
C 10.42.42.0 255.255.255.0 is directly connected, inside
S 10.42.44.20 255.255.255.255 [1/0] via 99.178.128.1, outside
d* 0.0.0.0 0.0.0.0 [1/0] via 99.178.128.1, outside
cerberus(config)# sh ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Vlan11 outside 99.178.130.201 255.255.252.0 DHCP
Vlan21 inside 10.42.42.1 255.255.255.0 CONFIG
Current IP Addresses:
Interface Name IP address Subnet mask Method
Vlan11 outside 99.178.130.201 255.255.252.0 DHCP
Vlan21 inside 10.42.42.1 255.255.255.0 CONFIG
04-10-2010 08:19 PM
The routes look correct. The IP pool should be routed out of the outside interface, which is correct.
You seem to have lost your split tunnel access-list.
Please configure the following:
access-list split-acl standard permit 10.42.42.0 255.255.255.0
group-policy DfltGrpPolicy attributes
split-tunnel-network-list value split-acl
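As an added defender-side check (my own example, not code from this thread or from Cisco): a small Python linter that reads an ASA 8.2-style running config, as pasted above, and flags the three problems the replies point to: a VPN pool that overlaps the inside subnet or is not covered by a nat (inside) 0 exemption, a global policy without inspect icmp, and a tunnelspecified split-tunnel policy with no (or an undefined) network list. The sample configs are constructed, abridged versions of the two sh run outputs in the thread; the third is the second one with the split-acl fix from the last reply applied. The parsing rules are my assumptions: unindented lines as in the pasted output, and ACL entries only in the "standard permit" and "extended permit ip" forms used here.

```python
import ipaddress
import re

# Constructed, abridged version of the thread's first "sh run" (pool inside the LAN, no NAT exemption, no ICMP inspection).
CONFIG_BEFORE = """\
interface Vlan21
nameif inside
ip address 10.42.42.1 255.255.255.0
access-list nonat standard permit 10.42.42.0 255.255.255.0
ip local pool sct_vpn 10.42.42.55-10.42.42.60 mask 255.255.255.0
split-tunnel-policy tunnelspecified
split-tunnel-network-list value nonat
address-pool sct_vpn
policy-map global_policy
inspect dns preset_dns_map
service-policy global_policy global
"""

# Constructed, abridged version of the second "sh run" (new pool, NAT exemption and ICMP added, split-tunnel list gone).
CONFIG_AFTER = """\
interface Vlan21
nameif inside
ip address 10.42.42.1 255.255.255.0
access-list inside-nonat extended permit ip any 10.42.44.0 255.255.255.0
ip local pool sct 10.42.44.20-10.42.44.25 mask 255.255.255.0
nat (inside) 0 access-list inside-nonat
split-tunnel-policy tunnelspecified
address-pool sct
policy-map global_policy
inspect dns preset_dns_map
inspect icmp
service-policy global_policy global
"""

# The last reply's split-acl fix applied on top of CONFIG_AFTER.
CONFIG_FIXED = "access-list split-acl standard permit 10.42.42.0 255.255.255.0\n" + CONFIG_AFTER.replace(
    "split-tunnel-policy tunnelspecified\n",
    "split-tunnel-policy tunnelspecified\nsplit-tunnel-network-list value split-acl\n")

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def inside_subnet(lines):
    """Subnet on the interface whose nameif is 'inside': the 'ip address' line in that interface block."""
    active = False
    for ln in lines:
        active = ln == "nameif inside" or (active and ln != "!" and not ln.startswith("interface "))
        if active and ln.startswith("ip address ") and "dhcp" not in ln:
            return _net(*ln.split()[2:4])
    return None

def acl_networks(lines, name):
    """Networks permitted by ACL NAME: standard entries, or the DST side of 'extended permit ip'."""
    nets = []
    for ln in lines:
        std = re.match(rf"access-list {re.escape(name)} standard permit (\S+) (\S+)$", ln)
        ext = re.match(rf"access-list {re.escape(name)} extended permit ip (?:any|\S+ \S+) (any|\S+ \S+)$", ln)
        if std:
            nets.append(_net(*std.groups()))
        elif ext:
            nets.append(_net("0.0.0.0", "0.0.0.0") if ext.group(1) == "any" else _net(*ext.group(1).split()))
    return nets

def global_inspections(lines):
    """Protocols named by 'inspect X' in the policy-map applied with 'service-policy NAME global'."""
    policies = [ln.split()[1] for ln in lines if re.match(r"service-policy \S+ global$", ln)]
    found, active = set(), False
    for ln in lines:
        if ln.startswith("policy-map "):
            active = ln.split()[1] in policies
        elif ln == "!" or ln.startswith("service-policy "):
            active = False
        elif active and ln.startswith("inspect "):
            found.add(ln.split()[1])
    return found

def audit(config_text):
    """Findings, in check order, for the problems raised in the thread; [] means all checks pass."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings, lan = [], inside_subnet(lines)
    exempt = [n for ln in lines if re.match(r"nat \(inside\) 0 access-list \S+$", ln)
              for n in acl_networks(lines, ln.split()[-1])]
    pools = {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
             for m in (re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", ln) for ln in lines) if m}
    for name in (ln.split()[1] for ln in lines if ln.startswith("address-pool ")):
        first, last = pools[name]
        if lan is not None and (first in lan or last in lan):
            findings.append(f"pool {name} overlaps inside subnet {lan}")
        if not any(first in n and last in n for n in exempt):
            findings.append(f"pool {name} is not covered by NAT exemption (nat (inside) 0)")
    if "icmp" not in global_inspections(lines):
        findings.append("inspect icmp missing from the global service policy")
    if "split-tunnel-policy tunnelspecified" in lines:
        refs = [ln.split()[-1] for ln in lines if ln.startswith("split-tunnel-network-list value ")]
        if not refs:
            findings.append("tunnelspecified without split-tunnel-network-list")
        elif not acl_networks(lines, refs[0]):
            findings.append(f"split-tunnel ACL {refs[0]} is missing or empty")
    return findings
```

Feed audit() the text of a saved sh run: CONFIG_BEFORE yields three findings (pool overlap, no NAT exemption, no ICMP inspection), CONFIG_AFTER only the missing split-tunnel list, and CONFIG_FIXED none. Each finding corresponds to one of the commands given in the replies, which makes the checker a quick way to confirm that a pasted config actually contains the fix before blaming the client.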