Cisco Support Community
Community Member

ASA5505 VPN - Add new server and ports to existing VPN not working

Hi there,

We have added a new server into our company (.110) and I need to add it to the ASA5505 so that the VPN user named "external" will have access to the server 192.168.1.110 on ports tcp/24 and tcp/6023. To that end, I have tried to replicate what was on the ASA5505 for user "external", which has access to 192.168.1.8 with no problem, but I seem to have failed.

I would appreciate any help on finding my mistake.

Matthew.

: Saved

:

ASA Version 7.2(4)

!

hostname company-asa

domain-name company.co.za

enable password ***************** encrypted

passwd ***************** encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.20 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address ***.***.***.*** 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

clock timezone SAST 2

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 41.160.0.36

name-server 41.160.0.37

name-server 192.168.1.146

domain-name company.co.za

object-group service CAP_RIS tcp

port-object eq 1200

object-group service company1 tcp

port-object eq 1541

port-object eq telnet

port-object eq 6023

port-object eq 1433

port-object eq 8068

port-object eq 1200

port-object eq 1201

port-object eq 1202

port-object eq 1300

port-object eq 1301

port-object eq 1302

port-object eq 4780

port-object eq 1434

object-group service company2 tcp

port-object eq 8068

port-object eq 1200

port-object eq 1201

port-object eq 1202

port-object eq 1300

port-object eq 1301

port-object eq 1302

port-object eq 4780

object-group service company3 tcp

port-object eq 1500

port-object eq 1501

port-object eq 1502

port-object eq 8088

object-group service company4 tcp

port-object eq 8000

port-object eq 4780

port-object eq 4099

port-object eq 1300

port-object eq 1301

port-object eq 1302

port-object eq 8068

port-object eq 1433

port-object eq 1434

port-object eq 8030

port-object eq 8089

object-group service company5 tcp

port-object eq 8088

port-object eq 1400

port-object eq 1401

object-group service company6 tcp

port-object eq 8000

port-object eq 8001

port-object eq 8090

access-list 101 extended permit ip host 192.168.1.8 192.168.33.0 255.255.255.240

access-list 101 extended permit ip host 192.168.1.10 192.168.33.0 255.255.255.240

access-list 101 extended permit ip host 192.168.1.97 192.168.33.0 255.255.255.240

access-list 101 extended permit ip host 192.168.1.146 192.168.33.0 255.255.255.240

access-list 101 extended permit ip host 192.168.1.8 192.168.33.16 255.255.255.240

access-list 101 extended permit ip host 192.168.1.10 192.168.33.16 255.255.255.240

access-list 101 extended permit ip host 192.168.1.110 192.168.33.16 255.255.255.240

access-list 101 extended permit ip host 192.168.1.8 192.168.33.32 255.255.255.240

access-list 101 extended permit ip host 192.168.1.97 192.168.33.32 255.255.255.240

access-list 101 extended permit ip host 192.168.1.10 192.168.33.48 255.255.255.240

access-list 101 extended permit ip host 192.168.1.97 192.168.33.48 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.146 192.168.33.0 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.10 192.168.33.0 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.8 192.168.33.0 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.97 192.168.33.0 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.190 192.168.33.0 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.8 192.168.33.16 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.110 192.168.33.16 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.97 192.168.33.32 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.10 192.168.33.32 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.97 192.168.33.48 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.10 192.168.33.48 255.255.255.240

access-list in-out extended permit icmp any any

access-list in-out extended permit tcp any any eq www

access-list in-out extended permit tcp any any eq https

access-list in-out extended permit udp any any

access-list in-out extended permit tcp any any eq pop3

access-list in-out extended permit tcp any any eq smtp

access-list in-out extended permit tcp any any eq 587

access-list in-out extended permit tcp any any eq 5938

access-list split1 extended permit ip host 192.168.1.146 192.168.33.0 255.255.255.240

access-list split1 extended permit ip host 192.168.1.10 192.168.33.0 255.255.255.240

access-list split2 extended permit ip host 192.168.1.10 192.168.33.16 255.255.255.240

access-list split2 extended permit ip host 192.168.1.8 192.168.33.16 255.255.255.240

access-list split2 extended permit ip host 192.168.1.110 192.168.33.16 255.255.255.240

access-list nord extended deny tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 3389

access-list nord extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146

access-list nord extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 8088

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 5431

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 8085

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 8086

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 8087

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq telnet

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 6023

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 445

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq netbios-ssn

access-list list1 extended permit udp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq netbios-ns

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 3389

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq ftp

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq smtp

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 5431

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 8085

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 8086

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 8087

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq telnet

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 6023

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 445

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq netbios-ssn

access-list list1 extended permit udp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq netbios-ns

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 3389

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq ftp

access-list list1 extended permit ip 192.168.33.0 255.255.255.240 host 192.168.1.146

access-list list1 extended permit ip 192.168.33.0 255.255.255.240 host 192.168.1.10

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 8088

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 1433

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq sqlnet

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 1080

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 32000

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 2179

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 1505

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 1506

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 1507

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 1508

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq https

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 23150

access-list list1 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.10 eq 1541

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 5431

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 8085

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 8086

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 8087

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq telnet

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 6023

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 445

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq netbios-ssn

access-list list1 extended permit udp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq netbios-ns

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 3389

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq ftp

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 8088

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 1433

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq sqlnet

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 1080

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 32000

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 2179

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 1505

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 1506

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 1507

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 1508

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq https

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 23150

access-list list1 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.8 eq 1541

access-list list1 extended permit ip 192.168.33.0 255.255.255.240 host 192.168.1.8

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 5431

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 8085

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 8086

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 8087

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq telnet

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 6023

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 445

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq netbios-ssn

access-list list1 extended permit udp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq netbios-ns

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 3389

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq ftp

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 8088

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 1433

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq sqlnet

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 1080

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 32000

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 2179

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 1505

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 1506

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 1507

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 1508

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq https

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 23150

access-list list1 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.97 eq 1541

access-list list1 extended permit ip 192.168.33.0 255.255.255.240 host 192.168.1.97

access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.8 eq telnet

access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.8 eq 6023

access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.8 eq 1541

access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.8 eq 1433

access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.110 eq 6024

access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.110 eq 24

access-list vpntest extended permit ip 192.168.33.0 255.255.255.0 host 192.168.1.10

access-list vpntest extended permit ip 192.168.33.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list out-in extended permit icmp any any

access-list CAP extended permit tcp 192.168.33.32 255.255.255.240 host 192.168.1.97 object-group company1

access-list Split3CAP extended permit ip host 192.168.1.97 192.168.33.32 255.255.255.240

access-list RIS extended permit tcp 192.168.33.48 255.255.255.240 host 192.168.1.97 object-group company1

access-list RIS extended permit tcp 192.168.33.48 255.255.255.240 host 192.168.1.10 object-group company2

access-list Split4RIS extended permit ip host 192.168.1.97 192.168.33.48 255.255.255.240

access-list Split4RIS extended permit ip host 192.168.1.10 192.168.33.48 255.255.255.240

access-list inside_access_in extended permit tcp any any eq www

access-list inside_access_in extended permit tcp any any eq https

access-list outside_access_in extended permit tcp any host ***.***.***.*** object-group company3

access-list outside_access_in extended permit tcp any host ***.***.***.*** object-group company4

access-list outside_access_in extended permit tcp any host ***.***.***.*** object-group company5

access-list outside_access_in extended permit tcp any host ***.***.***.*** object-group company6

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpn1 192.168.33.1-192.168.33.15

ip local pool vpn2 192.168.33.16-192.168.33.31

ip local pool vpn3 192.168.33.32-192.168.33.47

ip local pool vpn4 192.168.33.48-192.168.33.63

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-524.bin

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 1500 192.168.1.98 1500 netmask 255.255.255.255

static (inside,outside) tcp interface 1501 192.168.1.98 1501 netmask 255.255.255.255

static (inside,outside) tcp interface 1502 192.168.1.98 1502 netmask 255.255.255.255

static (inside,outside) tcp interface 8088 192.168.1.10 8088 netmask 255.255.255.255

static (inside,outside) tcp interface 1400 192.168.1.10 1400 netmask 255.255.255.255

static (inside,outside) tcp interface 1401 192.168.1.10 1401 netmask 255.255.255.255

static (inside,outside) tcp interface 8000 192.168.1.97 8000 netmask 255.255.255.255

static (inside,outside) tcp interface 4780 192.168.1.97 4780 netmask 255.255.255.255

static (inside,outside) tcp interface 4099 192.168.1.97 4099 netmask 255.255.255.255

static (inside,outside) tcp interface 1300 192.168.1.97 1300 netmask 255.255.255.255

static (inside,outside) tcp interface 1301 192.168.1.97 1301 netmask 255.255.255.255

static (inside,outside) tcp interface 1302 192.168.1.97 1302 netmask 255.255.255.255

static (inside,outside) tcp interface 8068 192.168.1.97 8068 netmask 255.255.255.255

static (inside,outside) tcp interface 1433 192.168.1.97 1433 netmask 255.255.255.255

static (inside,outside) tcp interface 1434 192.168.1.97 1434 netmask 255.255.255.255

static (inside,outside) tcp interface 8030 192.168.1.97 8030 netmask 255.255.255.255

static (inside,outside) tcp interface 8089 192.168.1.97 8089 netmask 255.255.255.255

static (inside,outside) tcp interface 8090 192.168.1.98 8090 netmask 255.255.255.255

static (inside,outside) tcp interface 8001 192.168.1.190 8001 netmask 255.255.255.255

static (inside,outside) tcp interface telnet 192.168.1.10 telnet netmask 255.255.255.255

static (inside,outside) tcp interface 6023 192.168.1.10 6023 netmask 255.255.255.255

access-group in-out in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 41.160.144.161 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.146 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto dynamic-map dynmap 30 set pfs

crypto dynamic-map dynmap 30 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

no vpn-addr-assign dhcp

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

console timeout 0

management-access inside

dhcpd address 192.168.1.100-192.168.1.131 inside

dhcpd dns 41.160.0.36 41.160.0.37 interface inside

dhcpd wins 41.160.0.36 41.160.0.37 interface inside

dhcpd lease 691200 interface inside

dhcpd domain company.co.za interface inside

!

group-policy company internal

group-policy company attributes

dns-server value 192.168.1.146 41.160.0.36

vpn-idle-timeout 45

vpn-filter value list1

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split1

default-domain value company.co.za

group-policy CAP internal

group-policy CAP attributes

dns-server value 192.168.1.146 41.160.0.36

vpn-filter value CAP

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split3CAP

default-domain value capvpn.co.za

group-policy external internal

group-policy external attributes

dns-server value 192.168.1.146 41.160.0.36

vpn-idle-timeout 600

vpn-filter value list2

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value list2

default-domain value external.co.za

group-policy RIS internal

group-policy RIS attributes

dns-server value 192.168.1.146 41.160.0.36

vpn-filter value RIS

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split4RIS

default-domain value ris.co.za

username test_vpn password ************* encrypted

username test_vpn attributes

vpn-group-policy CAP

vpn-filter value CAP

username programmer password ************* encrypted

username programmer attributes

vpn-group-policy programmer

vpn-simultaneous-logins 10

vpn-filter value list2

username cap_vpn password ************* encrypted privilege 0

username cap_vpn attributes

vpn-group-policy CAP

vpn-filter value CAP

username company password ************* encrypted

username company attributes

vpn-group-policy company

vpn-filter value list1

username ris_vpn password ************* encrypted privilege 0

username ris_vpn attributes

vpn-group-policy RIS

vpn-filter value RIS

username matthew password ************* encrypted privilege 15

username external password ************* encrypted

username external attributes

vpn-group-policy external

vpn-simultaneous-logins 10

vpn-filter value list2

tunnel-group company type ipsec-ra

tunnel-group company general-attributes

address-pool vpn1

default-group-policy company

tunnel-group company ipsec-attributes

pre-shared-key *

tunnel-group external type ipsec-ra

tunnel-group external general-attributes

address-pool vpn2

default-group-policy external

tunnel-group external ipsec-attributes

pre-shared-key *

tunnel-group CAP type ipsec-ra

tunnel-group CAP general-attributes

address-pool vpn3

default-group-policy CAP

tunnel-group CAP ipsec-attributes

pre-shared-key *

tunnel-group RIS type ipsec-ra

tunnel-group RIS general-attributes

address-pool vpn4

default-group-policy RIS

tunnel-group RIS ipsec-attributes

pre-shared-key *

tunnel-group test_vpn type ipsec-ra

tunnel-group test_vpn general-attributes

address-pool vpn3

default-group-policy CAP

tunnel-group test_vpn ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:29138bd5c321ee8c5c07192167851b02

: end

asdm image disk0:/asdm-524.bin

asdm location 192.168.1.8 255.255.255.255 inside

asdm location 192.168.1.97 255.255.255.255 inside

asdm location 192.168.33.48 255.255.255.240 inside

asdm history enable

7 REPLIES
Community Member

Just an update...

I have tried to use different ports to see if that made a difference, but it still didn't work. Anybody got some advice for me?

Super Bronze

Hi,

I would check the ASA rules with the "packet-tracer" command when the VPN Client connection is active.

packet-tracer input outside tcp <VPN client IP> 12345 192.168.1.110 <destination port>

Just replace the <VPN client IP> with the IP address the VPN client received from the ASA and replace the <destination port> with the destination port you are testing.

The output should tell us if there is a problem with ASA configurations.

There is naturally always a chance that the actual host is blocking the connections because of a software firewall, not having the service enabled (listening) or some other reason.

Since you are using VPN Filter ACL for the user anyway, I would personally use a Standard type ACL for the Split Tunnel and use a separate ACL for the VPN Filter.

- Jouni

Community Member

Hi Jouni,

Thanks so much for your reply. I am completely lost on this one...

First off, I noticed that I made a mistake for user "external": for external's split, I set it to use "list2" and not "split2" as it was meant to be... That being said, it did not fix my problem, but my connection to .8, which had stopped working over the weekend (from me fiddling), is now working again.

Ok, packet-tracer. Here we go.

packet-tracer input outside tcp 192.168.33.17 12345 192.168.1.110 6024

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.1.0     255.255.255.0   inside

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I deleted the access-list rule (through ASDM) and have logged in through ssh to try to apply it manually to see if the ASDM is my problem. However it won't take the new rule for some reason.

company-asa# access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.110 eq 6024

access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168  ^.1.110 eq 6024

ERROR: % Invalid input detected at '^' marker.

I have no idea why it is moaning about the IP address. Looks fine to me!

As for the host blocking the connection: I have turned the Windows Firewall off completely to test and get this up and running, and there is no other firewall software running. I have also created a Microsoft VPN onto the DC and have tested, and everything connects without a moment's hesitation to port 6024. I have also gone into the client program that connects on port 6024 and made sure that it is indeed listening.

To the last part (VPN Filter ACL & Standard type ACL) I am afraid that I am not following you. Are you saying that I should put the access rules into the split (split2 in this case) and not in the VPN group policy for "external" as in "list2"?

Thanks once again for your help on this.

Matthew.
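As an added illustration (not part of the thread), the following Python script parses the six list2 entries from the posted configuration and evaluates them the way the ASA evaluates a vpn-filter ACL: first match wins, and a flow that matches no entry falls through to the implicit deny that packet-tracer reports as "Implicit Rule" / "(acl-drop)". It models only the list2 vpn-filter, not the outside interface ACL; the port-name table, the flow labels and the check for tcp/6023 (the port named in the opening post, which no list2 entry covers) are my own additions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the six "list2" entries exactly as they appear in the
# posted configuration (the ACL the "external" group-policy uses as its vpn-filter).
LIST2_CONFIG = """
access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.8 eq telnet
access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.8 eq 6023
access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.8 eq 1541
access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.8 eq 1433
access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.110 eq 6024
access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.110 eq 24
"""

# Well-known port names the ASA substitutes for numbers in its output (my own table).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "www": 80,
              "pop3": 110, "netbios-ssn": 139, "https": 443}


@dataclass
class Ace:
    """One access-control entry of an ASA extended access-list."""
    name: str
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    sport: Optional[int]        # None means any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port


def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ASA address spec ('any', 'host A', or 'A MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1]), i + 2      # single address -> /32
    # The ASA writes a dotted netmask, not a prefix length; ipaddress accepts the tuple form.
    return ipaddress.IPv4Network((tokens[i], tokens[i + 1])), i + 2


def _port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' operator at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    name, action, proto = t[1], t[3], t[4]
    src, i = _addr(t, 5)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    if i != len(t):  # e.g. object-group references are deliberately not modelled here
        raise ValueError(f"unsupported tokens {t[i:]} in {line!r}")
    return Ace(name, action, proto, src, sport, dst, dport)


def load_acl(config: str) -> List[Ace]:
    """Parse every non-blank line of a pasted access-list block, keeping order."""
    return [parse_ace(l) for l in config.strip().splitlines() if l.strip()]


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dport: Optional[int] = None,
             sport: Optional[int] = None) -> Tuple[str, Optional[Ace]]:
    """First-match lookup. Returns (action, matching entry); no match means the
    implicit deny, which is what packet-tracer reports as 'Implicit Rule' / '(acl-drop)'."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        return ace.action, ace
    return "deny", None


def check_external_flows() -> dict:
    """Evaluate list2 for the flows discussed in the thread: the packet-tracer test,
    the port asked for in the opening post, and a client address from another pool."""
    aces = load_acl(LIST2_CONFIG)
    flows = {
        "33.17 -> .110 tcp/6024 (packet-tracer test)": ("192.168.33.17", "192.168.1.110", 6024),
        "33.17 -> .110 tcp/6023 (port named in the question)": ("192.168.33.17", "192.168.1.110", 6023),
        "33.17 -> .110 tcp/24": ("192.168.33.17", "192.168.1.110", 24),
        "33.5 -> .110 tcp/24 (address from pool vpn1)": ("192.168.33.5", "192.168.1.110", 24),
    }
    return {label: evaluate(aces, "tcp", s, d, p)[0] for label, (s, d, p) in flows.items()}


if __name__ == "__main__":
    for label, verdict in check_external_flows().items():
        print(f"{verdict:6s}  {label}")
```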

Community Member

I seem to be doing something wrong with the packet-tracer...

I have logged onto all the VPNs and have used the packet-tracer to trace one of the ports allowed through for that VPN, and they all come back as dropped by implicit rule!

Super Bronze

Hi,

Can you post the current version of the ASA configuration again and I'll try to look through it later and possibly suggest the exact commands you could use to change the VPN configuration for the External users.

- Jouni

Community Member

Hi Jouni,

Thanks, that would be a real help. Much appreciated.

The running config is as follows.

: Saved

:

ASA Version 7.2(4)

!

hostname fleetcorp-asa

domain-name fleetcorp.co.za

enable password **************** encrypted

passwd *************** encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.20 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address ***.***.***.*** 255.255.255.248

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

clock timezone SAST 2

dns domain-lookup inside

dns domain-lookup outside

dns server-group DefaultDNS

name-server 41.160.0.36

name-server 41.160.0.37

name-server 192.168.1.146

domain-name fleetcorp.co.za

object-group service CAP_RIS tcp

port-object eq 1200

object-group service fleetcorp1 tcp

port-object eq 1541

port-object eq telnet

port-object eq 6023

port-object eq 1433

port-object eq 8068

port-object eq 1200

port-object eq 1201

port-object eq 1202

port-object eq 1300

port-object eq 1301

port-object eq 1302

port-object eq 4780

port-object eq 1434

object-group service fleetcorp2 tcp

port-object eq 8068

port-object eq 1200

port-object eq 1201

port-object eq 1202

port-object eq 1300

port-object eq 1301

port-object eq 1302

port-object eq 4780

object-group service fleetcorp3 tcp

port-object eq 1500

port-object eq 1501

port-object eq 1502

port-object eq 8088

object-group service fleetcorp4 tcp

port-object eq 8000

port-object eq 4780

port-object eq 4099

port-object eq 1300

port-object eq 1301

port-object eq 1302

port-object eq 8068

port-object eq 1433

port-object eq 1434

port-object eq 8030

port-object eq 8089

object-group service fleetcorp5 tcp

port-object eq 8088

port-object eq 1400

port-object eq 1401

object-group service fleetcorp6 tcp

port-object eq 8000

port-object eq 8001

port-object eq 8090

object-group service fleetcorp7 tcp

port-object eq 1433

port-object eq 1541

port-object eq 6023

port-object eq telnet

port-object eq 6024

port-object eq ssh

access-list 101 extended permit ip host 192.168.1.146 192.168.33.0 255.255.255.240

access-list 101 extended permit ip host 192.168.1.10 192.168.33.0 255.255.255.240

access-list 101 extended permit ip host 192.168.1.8 192.168.33.16 255.255.255.240

access-list 101 extended permit ip host 192.168.1.10 192.168.33.16 255.255.255.240

access-list 101 extended permit ip host 192.168.1.110 192.168.33.16 255.255.255.240

access-list 101 extended permit ip host 192.168.1.8 192.168.33.32 255.255.255.240

access-list 101 extended permit ip host 192.168.1.97 192.168.33.32 255.255.255.240

access-list 101 extended permit ip host 192.168.1.10 192.168.33.48 255.255.255.240

access-list 101 extended permit ip host 192.168.1.97 192.168.33.48 255.255.255.240

access-list 101 extended permit ip host 192.168.1.97 192.168.33.0 255.255.255.240

access-list 101 extended permit ip host 192.168.1.8 192.168.33.0 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.146 192.168.33.0 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.10 192.168.33.0 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.8 192.168.33.0 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.97 192.168.33.0 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.190 192.168.33.0 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.8 192.168.33.16 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.110 192.168.33.16 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.97 192.168.33.32 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.10 192.168.33.32 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.97 192.168.33.48 255.255.255.240

access-list in-out extended permit tcp host 192.168.1.10 192.168.33.48 255.255.255.240

access-list in-out extended permit tcp any any eq www

access-list in-out extended permit tcp any any eq https

access-list in-out extended permit udp any any

access-list in-out extended permit tcp any any eq pop3

access-list in-out extended permit tcp any any eq smtp

access-list in-out extended permit tcp any any eq 587

access-list in-out extended permit tcp any any eq 5938

access-list in-out extended permit icmp any any

access-list split1 extended permit ip host 192.168.1.146 192.168.33.0 255.255.255.240

access-list split1 extended permit ip host 192.168.1.10 192.168.33.0 255.255.255.240

access-list split2 extended permit ip host 192.168.1.10 192.168.33.16 255.255.255.240

access-list split2 extended permit ip host 192.168.1.8 192.168.33.16 255.255.255.240

access-list split2 extended permit ip host 192.168.1.110 192.168.33.16 255.255.255.240

access-list nord extended deny tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 3389

access-list nord extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146

access-list nord extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 8088

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 5431

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 8085

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 8086

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 8087

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq telnet

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 6023

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 445

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq netbios-ssn

access-list list1 extended permit udp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq netbios-ns

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq 3389

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq ftp

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.146 eq smtp

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 5431

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 8085

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 8086

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 8087

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq telnet

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 6023

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 445

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq netbios-ssn

access-list list1 extended permit udp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq netbios-ns

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 3389

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq ftp

access-list list1 extended permit ip 192.168.33.0 255.255.255.240 host 192.168.1.146

access-list list1 extended permit ip 192.168.33.0 255.255.255.240 host 192.168.1.10

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 8088

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 1433

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq sqlnet

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 1080

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 32000

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 2179

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 1505

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 1506

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 1507

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 1508

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq https

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.10 eq 23150

access-list list1 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.10 eq 1541

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 5431

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 8085

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 8086

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 8087

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq telnet

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 6023

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 445

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq netbios-ssn

access-list list1 extended permit udp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq netbios-ns

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 3389

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq ftp

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 8088

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 1433

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq sqlnet

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 1080

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 32000

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 2179

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 1505

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 1506

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 1507

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 1508

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq https

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.8 eq 23150

access-list list1 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.8 eq 1541

access-list list1 extended permit ip 192.168.33.0 255.255.255.240 host 192.168.1.8

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 5431

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 8085

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 8086

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 8087

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq telnet

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 6023

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 445

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq netbios-ssn

access-list list1 extended permit udp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq netbios-ns

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 3389

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq ftp

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 8088

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 1433

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq sqlnet

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 1080

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 32000

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 2179

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 1505

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 1506

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 1507

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 1508

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq https

access-list list1 extended permit tcp 192.168.33.0 255.255.255.240 host 192.168.1.97 eq 23150

access-list list1 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.97 eq 1541

access-list list1 extended permit ip 192.168.33.0 255.255.255.240 host 192.168.1.97

access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.8 eq telnet

access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.8 eq 6023

access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.8 eq 1541

access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.8 eq 1433

access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.110 eq 6024

access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.110 eq telnet

access-list vpntest extended permit ip 192.168.33.0 255.255.255.0 host 192.168.1.10

access-list vpntest extended permit ip 192.168.33.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list out-in extended permit icmp any any

access-list CAP extended permit tcp 192.168.33.32 255.255.255.240 host 192.168.1.97 object-group fleetcorp1

access-list Split3CAP extended permit ip host 192.168.1.97 192.168.33.32 255.255.255.240

access-list RIS extended permit tcp 192.168.33.48 255.255.255.240 host 192.168.1.97 object-group fleetcorp1

access-list RIS extended permit tcp 192.168.33.48 255.255.255.240 host 192.168.1.10 object-group fleetcorp2

access-list Split4RIS extended permit ip host 192.168.1.97 192.168.33.48 255.255.255.240

access-list Split4RIS extended permit ip host 192.168.1.10 192.168.33.48 255.255.255.240

access-list inside_access_in extended permit tcp any any eq www

access-list inside_access_in extended permit tcp any any eq https

access-list outside_access_in extended permit tcp any host ***.***.***.*** object-group fleetcorp3

access-list outside_access_in extended permit tcp any host ***.***.***.*** object-group fleetcorp4

access-list outside_access_in extended permit tcp any host ***.***.***.*** object-group fleetcorp5

access-list outside_access_in extended permit tcp any host ***.***.***.*** object-group fleetcorp6

pager lines 24

logging enable

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool vpn1 192.168.33.1-192.168.33.15

ip local pool vpn2 192.168.33.16-192.168.33.31

ip local pool vpn3 192.168.33.32-192.168.33.47

ip local pool vpn4 192.168.33.48-192.168.33.63

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-524.bin

asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list 101

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 1500 192.168.1.98 1500 netmask 255.255.255.255

static (inside,outside) tcp interface 1501 192.168.1.98 1501 netmask 255.255.255.255

static (inside,outside) tcp interface 1502 192.168.1.98 1502 netmask 255.255.255.255

static (inside,outside) tcp interface 8088 192.168.1.10 8088 netmask 255.255.255.255

static (inside,outside) tcp interface 1400 192.168.1.10 1400 netmask 255.255.255.255

static (inside,outside) tcp interface 1401 192.168.1.10 1401 netmask 255.255.255.255

static (inside,outside) tcp interface 8000 192.168.1.97 8000 netmask 255.255.255.255

static (inside,outside) tcp interface 4780 192.168.1.97 4780 netmask 255.255.255.255

static (inside,outside) tcp interface 4099 192.168.1.97 4099 netmask 255.255.255.255

static (inside,outside) tcp interface 1300 192.168.1.97 1300 netmask 255.255.255.255

static (inside,outside) tcp interface 1301 192.168.1.97 1301 netmask 255.255.255.255

static (inside,outside) tcp interface 1302 192.168.1.97 1302 netmask 255.255.255.255

static (inside,outside) tcp interface 8068 192.168.1.97 8068 netmask 255.255.255.255

static (inside,outside) tcp interface 1433 192.168.1.97 1433 netmask 255.255.255.255

static (inside,outside) tcp interface 1434 192.168.1.97 1434 netmask 255.255.255.255

static (inside,outside) tcp interface 8030 192.168.1.97 8030 netmask 255.255.255.255

static (inside,outside) tcp interface 8089 192.168.1.97 8089 netmask 255.255.255.255

static (inside,outside) tcp interface 8090 192.168.1.98 8090 netmask 255.255.255.255

static (inside,outside) tcp interface 8001 192.168.1.190 8001 netmask 255.255.255.255

static (inside,outside) tcp interface telnet 192.168.1.10 telnet netmask 255.255.255.255

static (inside,outside) tcp interface 6023 192.168.1.10 6023 netmask 255.255.255.255

static (inside,outside) tcp interface 6024 192.168.1.110 6024 netmask 255.255.255.255

access-group in-out in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 41.160.144.161 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.146 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto dynamic-map dynmap 30 set pfs

crypto dynamic-map dynmap 30 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 20

no vpn-addr-assign dhcp

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

console timeout 0

management-access inside

dhcpd address 192.168.1.100-192.168.1.131 inside

dhcpd dns 41.160.0.36 41.160.0.37 interface inside

dhcpd wins 41.160.0.36 41.160.0.37 interface inside

dhcpd lease 691200 interface inside

dhcpd domain fleetcorp.co.za interface inside

!

group-policy fleetcorp internal

group-policy fleetcorp attributes

dns-server value 192.168.1.146 41.160.0.36

vpn-idle-timeout 45

vpn-filter value list1

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split1

default-domain value fleetcorp.co.za

group-policy CAP internal

group-policy CAP attributes

dns-server value 192.168.1.146 41.160.0.36

vpn-filter value CAP

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split3CAP

default-domain value capvpn.co.za

group-policy external internal

group-policy external attributes

dns-server value 192.168.1.146 41.160.0.36

vpn-idle-timeout 600

vpn-filter value list2

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split2

default-domain value external.co.za

group-policy RIS internal

group-policy RIS attributes

dns-server value 192.168.1.146 41.160.0.36

vpn-filter value RIS

password-storage enable

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split4RIS

default-domain value ris.co.za

username test_vpn password ***************** encrypted

username test_vpn attributes

vpn-group-policy CAP

vpn-filter value CAP

username programmer password ***************** encrypted

username programmer attributes

vpn-group-policy programmer

vpn-simultaneous-logins 10

vpn-filter value list2

username cap_vpn password ***************** encrypted privilege 0

username cap_vpn attributes

vpn-group-policy CAP

vpn-filter value CAP

username fleetcorp password ***************** encrypted

username fleetcorp attributes

vpn-group-policy fleetcorp

vpn-filter value list1

username ris_vpn password ***************** encrypted privilege 0

username ris_vpn attributes

vpn-group-policy RIS

vpn-filter value RIS

username matthew password ***************** encrypted privilege 15

username external password ***************** encrypted

username external attributes

vpn-group-policy external

vpn-simultaneous-logins 10

vpn-filter value list2

tunnel-group fleetcorp type ipsec-ra

tunnel-group fleetcorp general-attributes

address-pool vpn1

default-group-policy fleetcorp

tunnel-group fleetcorp ipsec-attributes

pre-shared-key *

tunnel-group external type ipsec-ra

tunnel-group external general-attributes

address-pool vpn2

default-group-policy external

tunnel-group external ipsec-attributes

pre-shared-key *

tunnel-group CAP type ipsec-ra

tunnel-group CAP general-attributes

address-pool vpn3

default-group-policy CAP

tunnel-group CAP ipsec-attributes

pre-shared-key *

tunnel-group RIS type ipsec-ra

tunnel-group RIS general-attributes

address-pool vpn4

default-group-policy RIS

tunnel-group RIS ipsec-attributes

pre-shared-key *

tunnel-group test_vpn type ipsec-ra

tunnel-group test_vpn general-attributes

address-pool vpn3

default-group-policy CAP

tunnel-group test_vpn ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:ab7a28cc20874fb8c3d07e808a869bc8

: end

asdm image disk0:/asdm-524.bin

asdm location 192.168.1.8 255.255.255.255 inside

asdm location 192.168.1.97 255.255.255.255 inside

asdm location 192.168.33.48 255.255.255.240 inside

asdm history enable

Community Member

Hi there,

Ok, this is just an update to the above...

It is now all working! The code I was doing, deleting, redoing, changing and redoing again, over and over again turned out to be correct... The problem was that we are not using the ASA5505 as the gateway, and so had to add a persistent route to the server itself.

I feel incredibly sheepish that I didn't think of that. Thanks Jouni for all your time and advice on the above. Greatly appreciated.

Matthew.

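As an added example (not from the thread and not Cisco code), the script below parses the parts of the posted config that decide whether a remote-access client in one of the pools can reach an inside server: the group policy's vpn-filter ACL, its split-tunnel network list and the nat 0 exemption ACL, evaluated first-match with the ASA's implicit deny. The CONFIG excerpt is a constructed trimming of the config above; the port-name table is deliberately short and object-group ACEs are kept without a port, which are simplifications. As the update says, none of these checks can see a missing return route on the server itself.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 7.2(4) config posted above (only user "external" and 192.168.1.110).
CONFIG = """
access-list 101 extended permit ip host 192.168.1.110 192.168.33.16 255.255.255.240
access-list split2 extended permit ip host 192.168.1.110 192.168.33.16 255.255.255.240
access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.8 eq telnet
access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.110 eq 6024
access-list list2 extended permit tcp 192.168.33.16 255.255.255.240 host 192.168.1.110 eq telnet
nat (inside) 0 access-list 101
group-policy external attributes
 vpn-filter value list2
 split-tunnel-network-list value split2
"""
PORT_NAMES = {"telnet": 23, "ssh": 22, "ftp": 21, "smtp": 25, "www": 80, "https": 443}
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
ATTR_RE = re.compile(r"^(vpn-filter|split-tunnel-network-list) value (\S+)$")

def _endpoint(tokens):
    """Consume 'any', 'host A.B.C.D' or 'net mask'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net = tokens[1] if tokens[0] == "host" else f"{tokens[0]}/{tokens[1]}"
    return ipaddress.ip_network(net), tokens[2:]

def parse_asa(text):
    """Return (acls, group_policies, nat0_acl_name) from ASA 7.x 'show run' text."""
    acls, policies, nat0, current = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            name, action, proto, rest = m.groups()
            src, rest = _endpoint(rest.split())
            dst, rest = _endpoint(rest)
            # 'eq <port>' is the server-side port; object-group ACEs are stored without one
            port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
            acls.setdefault(name, []).append((action, proto, src, dst, port))
        elif m := re.match(r"^nat \(inside\) 0 access-list (\S+)$", line):
            nat0 = m.group(1)                      # NAT exemption (identity NAT) ACL
        elif m := re.match(r"^group-policy (\S+) attributes$", line):
            current = policies.setdefault(m.group(1), {})
        elif line.endswith(" attributes"):         # username/tunnel-group block: stop collecting
            current = None
        elif current is not None and (m := ATTR_RE.match(line)):
            current[m.group(1)] = m.group(2)
    return acls, policies, nat0

def _permits(aces, proto, src_ip, dst_ip, dport=None):
    """First-match ACL evaluation with the ASA's implicit deny at the end."""
    for action, p, src, dst, port in aces:
        if p in ("ip", proto) and src_ip in src and dst_ip in dst and port in (None, dport):
            return action == "permit"
    return False

def check_vpn_access(config, policy, client_ip, server_ip, dport, proto="tcp"):
    """Three ACLs a pool client must pass here: vpn-filter (pool->server, port), split-tunnel and nat 0 (server->pool, ip)."""
    acls, policies, nat0 = parse_asa(config)
    pol = policies.get(policy, {})
    client, server = ipaddress.ip_address(client_ip), ipaddress.ip_address(server_ip)
    return {
        "vpn_filter": _permits(acls.get(pol.get("vpn-filter"), []), proto, client, server, dport),
        "split_tunnel": _permits(acls.get(pol.get("split-tunnel-network-list"), []), "ip", server, client),
        "nat_exempt": _permits(acls.get(nat0, []), "ip", server, client),
    }
```

Run against the posted list2, a vpn2 client checking 192.168.1.110 on tcp/23 or tcp/6024 passes all three, tcp/6023 fails the vpn-filter (list2 only permits telnet and 6024 to .110), and a client from another pool fails all three.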