7525 Views | 0 Helpful | 37 Replies

ASA 5505 Site to Site Issue

xr5054yz85 (Level 1)

Hello, I have an ASA 5505 that I am trying to configure as a site-to-site VPN. I can get to the internet behind the ASA and I can connect to the VPN, so it must be an issue with just the way that I am trying to connect site to site. The IP of the VPN is 1.1.1.1, my group is test and my username is test1. When I try to go to http://10.241.113.194 I cannot access the page. The IP is changed for security. Thanks for your help in advance.

Here is my config:

ASA Version 7.2(3)
!
hostname ciscoasa
domain-name comcast.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.200 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 4Wtw78CIa2UJQxhM encrypted
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 205.171.2.65
 name-server 205.171.3.65
 domain-name comcast.net
access-list Home_Users_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended deny ip any host 207.225.227.242
access-list inside_nat0_outbound extended deny ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192
access-list Home_Users_splitTunnelAcl_1 standard permit any
access-list Home_Users_splitTunnelAcl_2 standard permit any
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool hoe_addressed 192.168.1.75-192.168.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 1.1.1.1
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
vpnclient server 1.1.1.1
vpnclient mode client-mode
vpnclient vpngroup test password ********
vpnclient username test1 password ********
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:98ac6f4e89af2535963c6a2de08d9132
: end

Your help in this issue is very much appreciated. Thank you!

37 Replies

Jon Marshall (Hall of Fame)

Dan

Looking at your config it looks like you are setting up a NAT exemption for the site to site VPN traffic?

If you are, there is a mistake in your config. You have used this acl for nat exemption -

access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0

i.e. the acl name is "inside_nat0_outbound_1" - note the _1 at the end

but your nat statement is not referencing this acl, e.g. -

nat (inside) 0 access-list inside_nat0_outbound - note the missing _1 at the end of the acl name

Jon

Thank you very much for your prompt response. I really appreciate it.

So I think I have fixed what you are describing. Here is my new config, and I still cannot access 10.241.113.194; for any other help that you are able to give, I thank you in advance!

ASA Version 7.2(3)
!
hostname ciscoasa
domain-name comcast.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.200 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 4Wtw78CIa2UJQxhM encrypted
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 205.171.2.65
 name-server 205.171.3.65
 domain-name comcast.net
access-list Home_Users_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended deny ip any host 207.225.227.242
access-list inside_nat0_outbound extended deny ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192
access-list Home_Users_splitTunnelAcl_1 standard permit any
access-list Home_Users_splitTunnelAcl_2 standard permit any
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool hoe_addressed 192.168.1.75-192.168.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 173.160.193.178
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
vpnclient server 1.1.1.1
vpnclient mode client-mode
vpnclient vpngroup test password ********
vpnclient username test1 password ********
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
prompt hostname context
Cryptochecksum:98ac6f4e89af2535963c6a2de08d9132
: end

Hi Dan,

Can you explain a little more on what you are trying to do:

1> Do you want just the site to site to work, meaning you want to have access from the internal network (192.168.x.x) to the 10.x.x.x network?

2> Do you want to be able to connect to the remote VPN and have access to both the 192.168.x.x and 10.x.x.x networks?

If you want the first option then do sh crypto ipsec sa and see if the encrypt/decrypt counters increase when you initiate traffic between sites. If you want the second option there are some changes required to make it work.

Thanks

Manish

Sorry for my delayed response. My phone does not support this forum.

1. Yes, that's what I would initially like to start with.

2. I do not need to be able to connect to this remotely, seeing that the 10.241.133.0 network has a Cisco 3000 concentrator that I use.

So right now what I would like is to be able to plug the internet into eth0, with the IP 192.168.1.200, and then plug all my other computers into the other ethernet ports and have them have IPs of 192.168.1.0. Those need to be able to access 192.168.1.0 and also need to be able to access 10.241.113.0.

Eventually I would like to make it so that if the IP requested is 10.241.113.0 then it goes over the VPN and everything else does not, but for simplicity's sake I would like to get started with just being able to access 10.241.113.0 from my 192.168.1.0.

Thanks for your help!

Hi Dan,

Can you please make eth1-7 part of Vlan 1 and then use your ports and try the connection? That's the only thing I can see as far as the configuration of this side is concerned.

If it still doesn't work :-

1> Post sh crypto isakmp sa

2> sh crypto ipsec sa (twice with some traffic flow).

3> debug crypto isakmp & ipsec 128

Thanks

Manish

Hello Manish,

It seems as if they are already a part of that vlan, they just don't say it...

ciscoasa# show switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           down      Et0/1, Et0/2, Et0/3, Et0/4
                                                Et0/5, Et0/6, Et0/7
2    outside                          up        Et0/0
ciscoasa# show crypto isakmp sa
There are no isakmp sas
ciscoasa# sh crypto ipsec sa
There are no ipsec sas
and ran the debug commands.
Also, I have noticed that when I am plugged into the asa on any of the vlan1, I cannot get to any local resources on 192.168.1.0.
Thanks for your help!

Dan,

Please connect a device to eth0/1 and make sure you manually do:

int eth0/1
 switchport access vlan 1
 no shut

Then try to ping 192.168.1.200 (the gateway); if it's successful then try to connect to the 10.x.x.x network, look at the output of the crypto commands and see if you get any output. Are you sure the other end is configured properly?

Manish

I tried that, and I still cannot access 192.168.1.0, but I can access the web.

I am not sure if the other side is configured correctly, but given the fact that I can use the Cisco VPN Client and enter the same settings into the ASA as I enter into the VPN Client, I would assume that it is configured correctly, but I could be mistaken.

Thanks for your help Manish. I really appreciate it.

Here is the other information you requested...

ciscoasa# show switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           up        Et0/1, Et0/2, Et0/3, Et0/4
                                                Et0/5, Et0/6, Et0/7
2    outside                          up        Et0/0
ciscoasa# show crypto ipsec sa
There are no ipsec sas
ciscoasa# show crypto isakmp sa
There are no isakmp sas
ciscoasa#

I really appreciate anyone that can help me fix this issue, because it is becoming somewhat urgent. Thanks for your time!

xr5054yz85 (Level 1)

Would anyone else be able to lend a hand in helping with this. As always, I greatly appreciate your help, and thank you very much!

Based on your latest configuration, you have 2 crypto maps (one for the VPN client and another one for the site-to-site VPN) and only 1 is applied to an interface.

You can only have 1 crypto map with multiple sequence numbers, not 2 crypto maps, because you can only apply 1 crypto map to an interface.

Can you please share the latest output of:

sh run crypto map

And advise which is working, vpn client or site-to-site vpn?

Jennifer, Thank you so much for your reply.

I am only trying to make this ASA act as the hardware-based client in the site to site. The VPN 3000 is up and running correctly and I can connect to it with the Cisco VPN Client. There may be old remnants in this config from the other test it was used for, but I tried to delete all the old VPN settings.

Could you advise me on what to change in the cryptos that you were referring to previously?

Thanks again Jennifer.

Ahh.. makes sense now.

To trigger the tunnel, on the ASA, please enter: vpnclient enable

Here is the sample configuration for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808a61f4.shtml

Hope that helps.

Thanks so much for your reply again Jennifer. One thing I did not explicitly mention was that the VPN 3000 is the server, and the ASA is the hardware client.

I tried that command, and I received this error.

ciscoasa(config)# vpnclient enable
* Remove "nat (inside) 0 inside_nat0_outbound_1"
* Detach crypto map attached to interface outside
* Remove user-defined tunnel-groups
* Remove manually configured ISA policies

Thanks Jennifer for your continued support.
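
Added example (not from the original posts and not Cisco code): a small Python linter that checks a pasted ASA 7.x config excerpt for the three problems raised in this thread. It covers Jon's point that the nat 0 ACL must exempt every flow the crypto ACL encrypts (it walks the ACL first-match, so a deny sitting ahead of a permit is caught as well as a wrong ACL name), Jennifer's point that a crypto map that is never bound to an interface does nothing, and the four pre-conditions the ASA itself printed when vpnclient enable was tried. The sample input is a constructed excerpt of the first config posted above; the regexes only understand the pre-8.3 nat/access-list syntax used on this page.

```python
"""Lint an ASA 7.x config excerpt for the mistakes discussed in this thread."""
import ipaddress
import re

# Constructed excerpt of the first config posted in the thread (not a full running-config).
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended deny ip any host 207.225.227.242
access-list inside_nat0_outbound extended deny ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set peer 1.1.1.1
crypto map outside_map0 interface outside
crypto isakmp policy 10
tunnel-group 1.1.1.1 type ipsec-l2l
vpnclient server 1.1.1.1
vpnclient mode client-mode
"""

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ip (.+)$")


def _take_network(tokens):
    """Consume one ASA address spec (any | host A.B.C.D | A.B.C.D MASK) from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} preserving ACE order."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            toks = m.group(3).split()
            src, dst = _take_network(toks), _take_network(toks)
            acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
    return acls


def acl_decision(aces, src, dst):
    """First-match evaluation of an ACL for one src/dst pair, with the implicit deny."""
    for action, ace_src, ace_dst in aces:
        if ace_src.supernet_of(src) and ace_dst.supernet_of(dst):
            return action
    return "deny"


def lint(config):
    """Return human-readable findings for the three mistakes discussed in the thread."""
    findings = []
    acls = parse_acls(config)

    # 1. Every flow the crypto ACL encrypts must be permitted by the nat 0 ACL, or it is
    #    PATed to the outside address first and never matches the crypto ACL.
    nat0_refs = re.findall(r"^nat \((\S+)\) 0 access-list (\S+)", config, re.M)
    crypto_acl_names = re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M)
    for iface, acl_name in nat0_refs:
        if acl_name not in acls:
            findings.append(f"nat ({iface}) 0 references undefined access-list {acl_name}")
            continue
        for crypto_acl in crypto_acl_names:
            for action, src, dst in acls.get(crypto_acl, []):
                if action == "permit" and acl_decision(acls[acl_name], src, dst) != "permit":
                    findings.append(
                        f"{crypto_acl} encrypts {src} -> {dst} but nat ({iface}) 0 "
                        f"access-list {acl_name} does not exempt it from NAT")

    # 2. A crypto map only takes effect once bound to an interface, and an interface takes
    #    one crypto map; a second map should be folded in as extra sequence numbers.
    defined = set(re.findall(r"^crypto map (\S+) \d+ ", config, re.M))
    applied = set(re.findall(r"^crypto map (\S+) interface \S+", config, re.M))
    for name in sorted(defined - applied):
        findings.append(f"crypto map {name} is defined but not applied to any interface")

    # 3. Easy VPN hardware-client mode (vpnclient enable) refuses to coexist with the
    #    manual site-to-site pieces the ASA listed in its error output.
    if re.search(r"^vpnclient server ", config, re.M):
        conflicts = [
            (r"^nat \(\S+\) 0 ", "nat 0 exemption"),
            (r"^crypto map \S+ interface ", "crypto map attached to an interface"),
            (r"^tunnel-group ", "user-defined tunnel-group"),
            (r"^crypto isakmp policy ", "manually configured ISAKMP policy"),
        ]
        for pattern, what in conflicts:
            if re.search(pattern, config, re.M):
                findings.append(f"vpnclient enable will refuse until you remove the {what}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the excerpt it reports the nat 0 gap (the referenced ACL denies 192.168.1.0/24 before its permit any any), the unbound crypto map outside_map, and all four vpnclient conflicts; pointing nat 0 at inside_nat0_outbound_1 clears the first finding, which is exactly the change made between the two configs in the thread.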