Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA5505 VPN

Can anyone help me with this vpn? I am not sure if it is different on the 8.2 or if I am missing something.

I can connect to the vpn but cannot get to the inside computers. I can ping them from the ASA but not from the vpn client.

Thanks!!

Here's my config

ASA Version 8.2(5)

!

hostname testingwall

domain-name testing.com

enable password  encrypted

passwd encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.160.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 60.77.44.22 255.255.255.252

!

ftp mode passive

dns server-group DefaultDNS

domain-name testing.com

same-security-traffic permit intra-interface

object-group network vpngroup

network-object 192.168.161.0 255.255.255.0

object-group network inside

network-object 192.168.160.0 255.255.255.0

object-group icmp-type icmp-grp

description ICMP Types allowed         

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

access-list inside_nat0_outbound extended permit ip any 192.168.161.0 255.255.255.240

access-list split-acl standard permit 192.168.160.0 255.255.255.0

access-list outside_access_in extended permit icmp any any object-group icmp-grp

pager lines 24

logging enable

logging timestamp

logging trap alerts

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool testinggroup_vpn_pool 192.168.161.100-192.168.161.130 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 10

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 60.77.44.23 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.160.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dynmap 10 set pfs

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2     

lifetime 14400

crypto isakmp nat-traversal 3600

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

console timeout 0

dhcpd dns 75.75.75.75 75.75.76.76

dhcpd ping_timeout 750

dhcpd domain testing.com

!

dhcpd address 192.168.160.100-192.168.160.200 inside

dhcpd enable inside

!

no threat-detection basic-threat

no threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption des-sha1 rc4-md5

webvpn

group-policy testinggroup internal

group-policy testinggroup attributes

wins-server value 192.168.160.10

dns-server value 75.75.75.75 75.75.76.76

vpn-idle-timeout 30

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-acl

default-domain value testinggroup

split-dns value 75.75.75.75 75.75.76.76

username testing password fUG encrypted privilege 5

username testing attributes

vpn-group-policy testinggroup

tunnel-group testinggroup type remote-access

tunnel-group testinggroup general-attributes

address-pool testinggroup_vpn_pool

default-group-policy testinggroup

tunnel-group testinggroup ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect http

  inspect rsh

  inspect rtsp

  inspect sip 

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect tftp

  inspect dns preset_dns_map

  inspect sunrpc

  inspect xdmcp

  inspect netbios

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Here is the vpn connection:

show cry ipsec sa                      

interface: outside

    Crypto map tag: dynmap, seq num: 10, local addr: 60.77.44.22

      local ident (addr/mask/prot/port): (192.168.160.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.161.100/255.255.255.255/0/0)

      current_peer: 67.178.89.90, username: testing

      dynamic allocated peer ip: 192.168.161.100

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 83, #pkts decrypt: 83, #pkts verify: 83

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 60.77.44.22/4500, remote crypto endpt.: 67.178.89.90/26936

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 0CA9D64B

      current inbound spi : 980D8B6A

    inbound esp sas:

      spi: 0x980D8B6A (2551024490)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 65536, crypto-map: dynmap

         sa timing: remaining key lifetime (sec): 2399

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x0CA9D64B (212457035)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 65536, crypto-map: dynmap

         sa timing: remaining key lifetime (sec): 2399

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

2 ACCEPTED SOLUTIONS

Accepted Solutions

Re: ASA5505 VPN

Hello Slava,

Please change the following:

nat (inside,outside) source static any any destination static

192.168.0.0 192.168.0.0 route-lookup

Instead of any use the real internal ip addresses and give it try

Edit: also I do not see the crypto traffic on the crypto map

Regards.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ASA5505 VPN

Hi Rill,

Remove these below two commands, highlighted entries below.


vpn-tunnel-protocol IPSec
crypto dynamic-map dynmap 10 set pfs


and add this command.

crypto dynamic-map dynmap 10 set reverse-route


Redefine your inside_nat0_outbound acl as below.

access-list inside_nat0_outbound extended permit ip 192.168.160.0 255.255.255.0  192.168.161.0 255.255.255.0


At last, please make sure that you have a static route is added in the intside network to push "192.168.161.0 255.255.255.0" to inside firewall ip-address.

Let me know the results.

thanks

Rizwan Rafeek

17 REPLIES
Cisco Employee

ASA5505 VPN

Hi,

As I understand that you are to access internal network from client and we do not see any encaps.

Please provide me the following output:-

packet-tracer input inside icmp 8 0  < client ip from pool 192.168.161.x> detailed.

Thanks,

Shilpa

Cisco Employee

ASA5505 VPN

Apart from above, also paste the output of " sh run all sysopt" from ASA

Thanks,

Shilpa

Cisco Employee

ASA5505 VPN

Also try to ping the inside interface ip "192.168.160.1" from the client after you are connected via VPN.

For this issue the command:-

management-access inside

If you are able to ping the ASA's interface and not the host on the inside, make sure internal host have a route for 192.168.161.0/24 subnet  which should point them towards the ASA.

Thanks,

Shilpa

New Member

ASA5505 VPN

(config)# sh run all sysopt

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

sysopt connection permit-vpn

sysopt connection reclassify-vpn

no sysopt connection preserve-vpn-flows

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt noproxyarp inside

no sysopt noproxyarp outside

ASA5505 VPN

Problem is on your no-nat acl.

Your network ID, does not include the IP range allocated for VPN DHCP client.

access-list inside_nat0_outbound extended permit ip any 192.168.161.0 255.255.255.240

The above acl includes, ip range between.

192.168.161.1

192.168.161.14

Your local pool is in different subnet.

ip local pool testinggroup_vpn_pool 192.168.161.100-192.168.161.130 mask 255.255.255.0

So, use this as your network ID: 192.168.161.96 and it will include IP range from

192.168.161.97

192.168.161.126

ASA5505 VPN

So, here is your no-nat ACL entry should look like.

access-list inside_nat0_outbound extended permit ip any 192.168.161.96 255.255.255.224.

So, make your IP allocation within to a specific subnet, rather than pulling IP range from thin air.

Thanks

Rizwan Rafeek

New Member

ASA5505 VPN

Thanks that was a type as I have added and deleted the acl so many times trying to get this to work.

I still can't access the inside computers though.

After running

management-access inside

I can ping the inside interface from the client while vpn is connected but still can't ping the computers on the LAN.

There has to be something!!

I suppose I should say, I am on a mac running 10.7.2 using the built in client, it doesn't have packet-tracer. All my other cisco vpns work, just not this one... There has to be something I am missing or something new about this Cisco OS?

ASA5505 VPN

all other vpn clients works fine but only MAC OS 10.7.2 having this problem, then this problem is something do with MAC client itself.

New Member

ASA5505 VPN

What I meant was I have multiple Cisco VPN setups on my 10.7 Mac. They all work fine on the Mac. I don't think it's a Mac issue.

I think this is some kind of NAT issue on the ASA but I am not sure what I am doing wrong.

Do I need to set up routing for the VPN or something?

ASA5505 VPN

Post your current runing config.

I will see, what I can do.

New Member

Re: ASA5505 VPN

explain that I did not do so. need to arrange a remote connection, for

those who do not know, much has changed in 8.4.

this configuration of the docks from the site cisco.com

hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown
hostname(config)# crypto ikev1 policy 1
hostname(config-ikev1-policy)# authentication pre-share
hostname(config-ikev1-policy)# encryption 3des
hostname(config-ikev1-policy)# hash sha
hostname(config-ikev1-policy)# group 2
hostname(config-ikev1-policy)# lifetime 43200
hostname(config)# crypto ikev1 outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec ikev1 transform set FirstSet esp-3des
esp-md5-hmac
hostname(config)# tunnel-group testgroup type remote-access
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# ikev1 pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto dynamic-map dyn1 1 set ikev1 transform-set
FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside

hostname(config)# nat (inside,outside) source static any any destination static

192.168.0.0 192.168.0.0 route-lookup
hostname(config)# write memory
n this case a config client connects, is assigned an address from the
pool, but local resources can not see, tell me, what is missing.

Re: ASA5505 VPN

Hello Slava,

Please change the following:

nat (inside,outside) source static any any destination static

192.168.0.0 192.168.0.0 route-lookup

Instead of any use the real internal ip addresses and give it try

Edit: also I do not see the crypto traffic on the crypto map

Regards.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ASA5505 VPN

Hi Rill,

Remove these below two commands, highlighted entries below.


vpn-tunnel-protocol IPSec
crypto dynamic-map dynmap 10 set pfs


and add this command.

crypto dynamic-map dynmap 10 set reverse-route


Redefine your inside_nat0_outbound acl as below.

access-list inside_nat0_outbound extended permit ip 192.168.160.0 255.255.255.0  192.168.161.0 255.255.255.0


At last, please make sure that you have a static route is added in the intside network to push "192.168.161.0 255.255.255.0" to inside firewall ip-address.

Let me know the results.

thanks

Rizwan Rafeek

New Member

ASA5505 VPN

Thank you so much Rizwan!!! That worked! What a relief!

New Member

ASA5505 VPN

Here it is.

Thanks for your help!

ASA Version 8.2(5)

!

hostname testingwall

domain-name testing.com

enable password  encrypted

passwd encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.160.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 60.77.44.22 255.255.255.252

!

ftp mode passive

dns server-group DefaultDNS

domain-name testing.com

same-security-traffic permit intra-interface

object-group network vpngroup

network-object 192.168.161.0 255.255.255.0

object-group network inside

network-object 192.168.160.0 255.255.255.0

object-group icmp-type icmp-grp

description ICMP Types allowed        

icmp-object echo-reply

icmp-object unreachable

icmp-object time-exceeded

access-list inside_nat0_outbound extended permit ip any 192.168.161.0 255.255.255.0

access-list split-acl standard permit 192.168.160.0 255.255.255.0

access-list outside_access_in extended permit icmp any any object-group icmp-grp

pager lines 24

logging enable

logging timestamp

logging trap alerts

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool testinggroup_vpn_pool 192.168.161.100-192.168.161.130 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 10

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 60.77.44.23 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.160.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dynmap 10 set pfs

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2    

lifetime 14400

crypto isakmp nat-traversal 3600

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

console timeout 0

dhcpd dns 75.75.75.75 75.75.76.76

dhcpd ping_timeout 750

dhcpd domain testing.com

!

dhcpd address 192.168.160.100-192.168.160.200 inside

dhcpd enable inside

!

no threat-detection basic-threat

no threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption des-sha1 rc4-md5

webvpn

group-policy testinggroup internal

group-policy testinggroup attributes

wins-server value 192.168.160.10

dns-server value 75.75.75.75 75.75.76.76

vpn-idle-timeout 30

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-acl

default-domain value testinggroup

split-dns value 75.75.75.75 75.75.76.76

username testing password fUG encrypted privilege 5

username testing attributes

vpn-group-policy testinggroup

tunnel-group testinggroup type remote-access

tunnel-group testinggroup general-attributes

address-pool testinggroup_vpn_pool

default-group-policy testinggroup

tunnel-group testinggroup ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect http

  inspect rsh

  inspect rtsp

  inspect sip

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect tftp

  inspect dns preset_dns_map

  inspect sunrpc

  inspect xdmcp

  inspect netbios

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

ASA5505 VPN

Please provide:

packet-tracer input inside icmp 8 0  < client ip from pool 192.168.161.x> detailed.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

ASA5505 VPN

HI  Julio,

does not work so I had already tried to do a translation of documentation described exactly

In this example, there is no need to allow traffic acces list?

1070
Views
0
Helpful
17
Replies
CreatePlease login to create content