10-16-2010 11:36 AM
Hello, I have an ASA 5505 that I am trying to configure as a site-to-site VPN. I can get to the internet behind the ASA and I can connect to the VPN, so it must be an issue with just the way that I am trying to connect site to site. The IP of the VPN is 1.1.1.1, my group is test and the username is test1. When I try to go to http://10.241.113.194 I cannot access the page. The IP is changed for security. Thanks for your help in advance.
Here is my config....
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name comcast.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 4Wtw78CIa2UJQxhM encrypted
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 205.171.2.65
name-server 205.171.3.65
domain-name comcast.net
access-list Home_Users_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended deny ip any host 207.225.227.242
access-list inside_nat0_outbound extended deny ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192
access-list Home_Users_splitTunnelAcl_1 standard permit any
access-list Home_Users_splitTunnelAcl_2 standard permit any
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool hoe_addressed 192.168.1.75-192.168.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 1.1.1.1
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
vpnclient server 1.1.1.1
vpnclient mode client-mode
vpnclient vpngroup test password ********
vpnclient username test1 password ********
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:98ac6f4e89af2535963c6a2de08d9132
: end
10-16-2010 11:54 AM
Dan
Looking at your config, it looks like you are setting up a NAT exemption for the site-to-site VPN traffic?
If you are, there is a mistake in your config. You have used this ACL for NAT exemption:
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
i.e. the ACL name is "inside_nat0_outbound_1"; note the _1 at the end,
but your nat statement is not referencing this ACL, e.g.:
nat (inside) 0 access-list inside_nat0_outbound (note the missing _1 at the end of the ACL name)
Jon
10-16-2010 12:44 PM
Thank you very much for your prompt response. I really appreciate it.
So I think I have fixed what you are describing. Here is my new config, and I still cannot access 10.241.113.194. Any other help that you are able to give, I thank you for in advance!
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name comcast.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 4Wtw78CIa2UJQxhM encrypted
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 205.171.2.65
name-server 205.171.3.65
domain-name comcast.net
access-list Home_Users_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended deny ip any host 207.225.227.242
access-list inside_nat0_outbound extended deny ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192
access-list Home_Users_splitTunnelAcl_1 standard permit any
access-list Home_Users_splitTunnelAcl_2 standard permit any
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool hoe_addressed 192.168.1.75-192.168.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 173.160.193.178
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
vpnclient server 1.1.1.1
vpnclient mode client-mode
vpnclient vpngroup test password ********
vpnclient username test1 password ********
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:98ac6f4e89af2535963c6a2de08d9132
: end
10-16-2010 03:10 PM
Hi Dan,
Can you explain a little more about what you are trying to do:
1> Do you want just the site-to-site to work, meaning you want the internal network (192.168.x.x) to access the 10.x.x.x network?
2> Do you want to be able to connect to the remote VPN and have access to both the 192.168.x.x and 10.x.x.x networks?
If you want the first option, then do sh crypto ipsec sa and see if the encrypt/decrypt counters increase when you initiate traffic between sites. If you want the second option, there are some changes required to make it work.
Thanks
Manish
10-17-2010 01:32 AM
Sorry for my delayed response. My phone does not support this forum.
1. Yes, that's what I would initially like to start with.
2. I do not need to be able to connect to this remotely, seeing that the 10.241.133.0 network has a Cisco 3000 concentrator that I use.
So right now what I would like is to be able to plug the internet into eth0, with the IP 192.168.1.200, and then plug all my other computers into the other Ethernet ports and have them get IPs in 192.168.1.0. Those need to be able to access 192.168.1.0 and also need to be able to access 10.241.113.0.
Eventually I would like to make it so that if the IP requested is in 10.241.113.0 it goes over the VPN and everything else does not, but I was thinking, for simplicity's sake, I would like to get started with just being able to access 10.241.113.0 from my 192.168.1.0.
Thanks for your help!
10-17-2010 11:39 AM
Hi Dan,
Can you please make eth1-7 part of Vlan 1, then use those ports and try the connection? That's the only thing I can see as far as the configuration of this side is concerned.
If it still doesn't work:
1> Post sh crypto isakmp sa
2> sh crypto ipsec sa (twice, with some traffic flow).
3> debug crypto isakmp & ipsec 128
Thanks
Manish
10-17-2010 12:34 PM
Hello Manish,
It seems as if they are already a part of that VLAN, it just doesn't say it...
ciscoasa# show switch vlan
VLAN Name Status Ports
---- -------------------------------- --------- -----------------------------
1 inside down Et0/1, Et0/2, Et0/3, Et0/4
Et0/5, Et0/6, Et0/7
2 outside up Et0/0
10-17-2010 02:13 PM
Dan,
Please connect a device to eth0/1 and make sure you manually do:
int eth0/1
switchport access vlan 1
no shut
Then try to ping 192.168.1.200 (the gateway); if it's successful, then try to connect to the 10.x.x.x network, check the output of the crypto commands and see if you get any output. Are you sure the other end is configured properly?
Manish
10-17-2010 02:36 PM
I tried that, and I still cannot access 192.168.1.0, but what I can access is the web.
I am not sure if the other side is configured correctly, but given that I can use the Cisco VPN Client and enter the same settings into the ASA as I enter into the VPN Client, I would assume that it is configured correctly, but I could be mistaken.
Thanks for your help Manish. I really appreciate it.
10-17-2010 08:40 PM
Here is the other information you requested...
ciscoasa# show switch vlan
VLAN Name Status Ports
---- -------------------------------- --------- -----------------------------
1 inside up Et0/1, Et0/2, Et0/3, Et0/4
Et0/5, Et0/6, Et0/7
2 outside up Et0/0
ciscoasa# show crypto ipsec sa
There are no ipsec sas
ciscoasa# show crypto isakmp sa
There are no isakmp sas
ciscoasa#
I really appreciate anyone that can help me fix this issue, because it is becoming somewhat urgent. Thanks for your time!
10-20-2010 07:06 PM
Would anyone else be able to lend a hand in helping with this. As always, I greatly appreciate your help, and thank you very much!
10-20-2010 08:35 PM
Based on your latest configuration, you have 2 crypto maps (one for the VPN client and another one for the site-to-site VPN) and only 1 is applied to an interface.
You can only have 1 crypto map with multiple sequence numbers, not 2 crypto maps, because you can only apply 1 crypto map to an interface.
Can you please share the latest output of:
sh run crypto map
And advise which is working, vpn client or site-to-site vpn?
10-20-2010 10:01 PM
Jennifer, Thank you so much for your reply.
I am only trying to make this ASA act as the hardware-based client in the site-to-site. The VPN 3000 is up and running correctly and I can connect to it with the Cisco VPN Client. There may be old remnants in this config from the other test it was used for, but I tried to delete all the old VPN settings.
Could you advise me on what to change in the crypto settings that you were referring to previously?
Thanks again Jennifer.
10-20-2010 10:18 PM
Ahh.. makes sense now.
To trigger the tunnel, on the ASA, please enter: vpnclient enable
Here is the sample configuration for your reference:
Hope that helps.
10-20-2010 10:32 PM
Thanks so much for your reply again, Jennifer. One thing I did not explicitly mention was that the VPN 3000 is the server, and the ASA is the hardware client.
I tried that command, and I received this error.
ciscoasa(config)# vpnclient enable
* Remove "nat (inside) 0 inside_nat0_outbound_1"
* Detach crypto map attached to interface outside
* Remove user-defined tunnel-groups
* Remove manually configured ISA policies
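As an added example (not code from this thread, from Cisco, or from any of the posters), the script below lints an ASA 7.x running-config for the three things the replies above work through: the nat 0 ACL must permit the same flows the static crypto ACL encrypts (Jon's post, since NAT is applied before the crypto map is consulted), every crypto map that has entries must be applied to an interface (Jennifer's post), and the four leftover items the ASA listed when it refused vpnclient enable in the last post. It assumes Python 3.8 or newer. SAMPLE_CONFIG is a constructed excerpt of the first config posted above with secrets and unrelated lines dropped; the finding codes and the ACL model (first-match over extended "ip" ACEs only, ignoring per-port ACEs) are simplifications of my own, not ASA behaviour documented on this page.

```python
"""Lint an ASA 7.x running-config for the three problems this thread works through: a NAT
exemption that does not cover the crypto ACL, a crypto map never applied to an interface,
and leftover IPsec config that makes the ASA refuse 'vpnclient enable'. Added example."""
import re
from ipaddress import IPv4Network
from typing import Any, Dict, List, Set, Tuple

# Constructed excerpt of the poster's first config (unrelated lines and secrets dropped).
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended deny ip any host 207.225.227.242
access-list inside_nat0_outbound extended deny ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set peer 1.1.1.1
crypto map outside_map0 interface outside
crypto isakmp policy 10
vpnclient server 1.1.1.1
vpnclient mode client-mode
tunnel-group 1.1.1.1 type ipsec-l2l
"""
# Same excerpt after Jon's fix: nat 0 now names the ACL that matches the tunnel traffic.
FIXED_NAT_CONFIG = SAMPLE_CONFIG.replace("nat (inside) 0 access-list inside_nat0_outbound\n",
                                         "nat (inside) 0 access-list inside_nat0_outbound_1\n")
Ace = Tuple[str, IPv4Network, IPv4Network]  # (permit|deny, source, destination)


def _net(tokens: List[str]) -> Tuple[IPv4Network, List[str]]:
    """Consume one ACL address spec ('any', 'host A.B.C.D' or 'A.B.C.D MASK'); return the rest."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    return IPv4Network((tokens[0], tokens[1]), strict=False), tokens[2:]


def parse(config: str) -> Dict[str, Any]:
    """Extract only what the checks need; handles extended 'ip' ACEs, not per-port ACEs."""
    acls: Dict[str, List[Ace]] = {}
    nat0: List[str] = []              # ACLs referenced by 'nat (if) 0 access-list'
    maps: Set[str] = set()            # crypto maps that have at least one entry
    attached: Dict[str, str] = {}     # interface -> crypto map applied to it
    crypto_acls: Dict[str, str] = {}  # "map seq" -> its 'match address' ACL
    tunnel_groups, isakmp_policies, vpnclient = [], [], False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) extended (permit|deny) ip (.+)$", line):
            src, rest = _net(m.group(3).split())
            dst, _ = _net(rest)
            acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0.append(m.group(1))
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            attached[m.group(2)] = m.group(1)
        elif m := re.match(r"crypto map (\S+) (\d+) (match address (\S+))?", line):
            maps.add(m.group(1))
            if m.group(4):
                crypto_acls[f"{m.group(1)} {m.group(2)}"] = m.group(4)
        elif m := re.match(r"tunnel-group (\S+) type", line):
            tunnel_groups.append(m.group(1))
        elif m := re.match(r"crypto isakmp policy (\d+)", line):
            isakmp_policies.append(m.group(1))
        elif line.startswith("vpnclient "):
            vpnclient = True
    return dict(acls=acls, nat0=nat0, maps=maps, attached=attached, crypto_acls=crypto_acls,
                tunnel_groups=tunnel_groups, isakmp_policies=isakmp_policies, vpnclient=vpnclient)


def _first_match(aces: List[Ace], src: IPv4Network, dst: IPv4Network) -> str:
    """ASA ACLs are first-match: action of the first ACE covering the whole flow, else implicit deny."""
    for action, a_src, a_dst in aces:
        if a_src.supernet_of(src) and a_dst.supernet_of(dst):
            return action
    return "deny"


def lint(config: str) -> List[Tuple[str, str]]:
    cfg = parse(config)
    out: List[Tuple[str, str]] = []
    # 1. Jon's point: NAT runs before the crypto map is consulted, so every flow a static crypto
    #    ACL permits must also be permitted by the nat 0 ACL, or it is PAT'd and never matches.
    for key, acl in cfg["crypto_acls"].items():
        for action, src, dst in cfg["acls"].get(acl, []):
            for nat_acl in cfg["nat0"]:
                if action == "permit" and _first_match(cfg["acls"].get(nat_acl, []), src, dst) != "permit":
                    out.append(("NAT0-NOT-EXEMPT", f"{key}: {src} -> {dst} not exempted by '{nat_acl}'"))
    # 2. Jennifer's point: a crypto map with entries but no 'crypto map X interface Y' does nothing.
    for cmap in sorted(cfg["maps"] - set(cfg["attached"].values())):
        out.append(("CRYPTO-MAP-UNATTACHED", f"crypto map '{cmap}' is not applied to any interface"))
    # 3. The four preconditions the ASA printed when it refused 'vpnclient enable' in the last post.
    if cfg["vpnclient"]:
        for present, what in ((cfg["nat0"], "nat 0 exemption"),
                              (cfg["attached"], "crypto map attached to an interface"),
                              (cfg["tunnel_groups"], "user-defined tunnel-groups"),
                              (cfg["isakmp_policies"], "manually configured ISAKMP policies")):
            if present:
                out.append(("VPNCLIENT-CONFLICT", f"'vpnclient enable' is refused while {what} remain"))
    return out
```

Run against the first posted config, lint() reports one NAT0-NOT-EXEMPT finding (the nat 0 ACL's second line, "deny ip 192.168.1.0 255.255.255.0 any", is the first entry covering the tunnel flow), one unattached crypto map (outside_map, the old VPN-client dynamic map), and four VPNCLIENT-CONFLICT findings. After Jon's fix only the NAT finding disappears; the other five stay, which matches the last post, where the ASA refuses vpnclient enable until the crypto map, tunnel-group, ISAKMP policy and nat 0 statement are removed.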