Re: two DMVPN Spokes behind ASA doing hide-NAT to the Internet - Page 2

ciscomoderator · ‎06-18-2010

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on IP Security VPN with Cisco experts Syed Ziaullah and Sundar Srinivasaraghavan. Syed is a customer support engineer at Cisco's Technical Assistance Center in the VPN and security domain, where he has worked for more than four years. He helps a variety of Cisco customers in configuring new network setups as well as troubleshooting their existing network issues related to security. Syed holds CCIE certification (CCIE # 19264) in Security. Sundar is a customer support engineer at Cisco in the High Touch Technical Support (HTTS) Security team, providing configuration and troubleshooting assistance to customers through service requests. He has been with Cisco for more than 10 years and has extensive experience in installation, configuration, and troubleshooting of IPsec VPNs. He holds CCIE certification (CCIE # 6415) in both Routing & Switching and Security.

Remember to use the rating system to let Syed and Sundar know if you have received an adequate response.

Syed and Sundar might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 2, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

gadholwi1 · ‎06-23-2010

Appendix:

only one of the spokes is able to establish an connection (eigrp neighborship is up) to the central hub, the other one show that the crypto session is UP-ACTIVE, but one eigrp neighborship.

Resetting the cryto session of the active spoke result in activating the second spoke, but then the formerly active spoke lost the eigrp neighborship.

asa/pri/act# sh conn lon | in customer
UDP outside:b.b.b.b/4500 (b.b.b.b/4500) customer:10.1.1.100/4500 (a.a.a.a/63943), flags -, idle 3s, uptime 16h29m, timeout 2m0s, bytes 4274181
UDP outside:b.b.b.b/4500 (b.b.b.b/4500) customer:10.1.1.101/4500 (a.a.a.a/39870), flags -, idle 1s, uptime 16h37m, timeout 2m0s, bytes 3512027
UDP outside:c.c.c.c/4500 (c.c.c.c/4500) customer:10.1.1.100/4500 (a.a.a.a/63943), flags -, idle 0s, uptime 16h29m, timeout 2m0s, bytes 4052125
UDP outside:c.c.c.c/4500 (c.c.c.c/4500) customer:10.1.1.101/4500 (a.a.a.a/39870), flags -, idle 0s, uptime 16h37m, timeout 2m0s, bytes 5446799

sziaulla · ‎06-23-2010

Hi Holger,

can you pls send us the DMVPN releveant config from hub and spoke? also which version of code you are running on hub and spoke?

thanks

-Syed / Sundar

sziaulla · ‎06-23-2010

Hi Holger,

you need to use the NAT and not the PAT if your both Spokes are behind the same ASA. you can configure static translation on ASA for both the spoke interface IP address and that should take care of your eigrp issue.

here is some more information about the NAT for DMVPN

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html#wp1122466

pls let me know if you have any further questions.

thanks

-Syed

gadholwi1 · ‎06-24-2010

Hi Syed,

thx for your reply, I read the document about NAT for DMVPN. Thus we can say it is not possible to run two DMVPN spokes behind one PAT device when both spokes are translated to the same public IP adfdress. Is it correct?

I have only a few information about the spoke, because I'm not responsible for the DMVPN installation. Only the Internet Firewall is operated by us.

DMVPN spoke is a Cisco 871 running Cisco IOS c870-advipservicesk9-mz.124-15.T7.bin

# crypto profile used for tunnel protection work in ipsec transport mode

interface: Tunnelx
<--- omitted --->
current_peer x.x.x.x port 4500

<--- omitted --->

     inbound esp sas:
      spi: 0xaaaaaaaaaaaaaa
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }

<--- omitted --->

best regards

Holger

sziaulla · ‎06-24-2010

Hi Holger,

Yes, 2 spokes getting PATed on same public IP is not supported.

here is the link about this restriction as well.

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html#wp1039490

thanks

-Syed

gadholwi1 · ‎06-24-2010

Hi Syed,

thx for your reply, my problem is SOLVED.

/Holger

Peter.Supko · ‎06-23-2010

A number of the clients I work with would like to use VPNs between sites. I've looked at both the RVS4000 and the SA520. Both have IPSEC VPN site to site capabilities. The setup of both routers have easy setups. Only problem is that there is no way to disable split tunneling. A large vector for malware and viruses is users going to sites using the split tunnel and not going through the corporate firewall. For the site to site VPN how can you turn off split tunneling? The SSL VPN seems to be able to disable split tunneling for SSL VPN clients.

sziaulla · ‎06-23-2010

Hi Peter,

there is no concept of split tunnel in site to site vpn. in Site to site vpn you actually define the ACL for the traffic that needs to be encrypted. I have not done the configuration on RVS4000 by myself therefore not aware of the options available there. do you have the option of defing the vpn domain on this platform or it just encrypt anything coming from the inside vlan?

thanks

-Syed

sziaulla · ‎06-24-2010

Hi Peter,

I never sent you a link?

thanks

-Syed

Peter.Supko · ‎06-24-2010

Syed,

Right. I'm now concentrating on the SA520. Within the site to site

VPN how can the split tunneling be turned off?

Pete.

sziaulla · ‎06-24-2010

Hi Peter,

i think you want to send all traffic from the local subnet to go to the remote site?

In this case your vpn domain should be a.b.c.d to any and on the other side it should be mirror image.

try defining the Remote LAN as 0.0.0.0 0.0.0.0 and if it doesn't take this then my best guess is that it is not supported on this platform.

thanks

-Syed

es-netops · ‎06-23-2010

Edit: Using the Cisco VPN Client 5.0.07.0290 on Windows XP 32bit

Hi,

I am having an issue connecting to a remote IPSEC VPN on a Cisco ASA 5505. I have tried both manual configuration and using ASDM's IPSEC VPN Wizard. Each time I connect, I can authenticate and then I receive an error at the client "Reason 433 not specified by peer" and on the ASA I see with crypto debugging the following:

Debug:

Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, IP = 69.30.17.149, process_attr(): Enter!
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, IP = 69.30.17.149, Processing MODE_CFG Reply attributes.
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: primary DNS = cleared
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: secondary DNS = cleared
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: primary WINS = cleared
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: secondary WINS = cleared
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: split tunneling list = avnt-group_splitTunnelAcl
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: IP Compression = disabled
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: Split Tunneling Policy = Split Network
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jun 23 10:33:32 [IKEv1]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, User (avnt.admin) authenticated.
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, constructing blank hash payload
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, constructing qm hash payload
Jun 23 10:33:32 [IKEv1]: IP = 69.30.17.149, IKE_DECODE SENDING Message (msgid=346f083a) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Jun 23 10:33:32 [IKEv1]: IP = 69.30.17.149, IKE_DECODE RECEIVED Message (msgid=346f083a) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, process_attr(): Enter!
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Processing cfg ACK attributes
Jun 23 10:33:33 [IKEv1]: IP = 69.30.17.149, IKE_DECODE RECEIVED Message (msgid=3f82ad4b) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 191
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, process_attr(): Enter!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Processing cfg Request attributes
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for IPV4 address!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for IPV4 net mask!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for DNS server address!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for WINS server address!
Jun 23 10:33:33 [IKEv1]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Received unsupported transaction mode attribute: 5
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Banner!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Save PW setting!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Default Domain Name!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Split Tunnel List!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Split DNS!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for PFS setting!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Client Browser Proxy Setting!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for backup ip-sec peer list!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Application Version!
Jun 23 10:33:33 [IKEv1]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Client Type: WinNT Client Application Version: 5.0.07.0290
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for FWTYPE!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for DHCP hostname for DDNS is: LAB01!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for UDP Port!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKE received response of type [] to a request from the IP address utility
Jun 23 10:33:33 [IKEv1]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Cannot obtain an IP address for remote peer
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKE TM V6 FSM error history (struct &0xc9f6b1d0) , : TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKE AM Responder FSM error history (struct &0xc9f6ea00) , : AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKE SA AM:efd86a93 terminating: flags 0x0945c001, refcnt 0, tuncnt 0
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, sending delete/delete with reason message
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, constructing blank hash payload
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, constructing IKE delete payload
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, constructing qm hash payload
Jun 23 10:33:33 [IKEv1]: IP = 69.30.17.149, IKE_DECODE SENDING Message (msgid=48c593ff) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jun 23 10:33:33 [IKEv1]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Removing peer from peer table failed, no match!
Jun 23 10:33:33 [IKEv1]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Error: Unable to remove PeerTblEntry

Config:

hostname FW-AVANT
enable password sFHPoSNXoNmXBMbQ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 69.30.50.142 AVANT_WEB_VIP description AVANT WEB VIP (inside)
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 69.30.33.246 255.255.255.248
!
interface Vlan10
nameif Inside
security-level 100
ip address 69.30.50.129 255.255.255.240
!
interface Ethernet0/0
description Connection to Agr107 1/19 (outside)
switchport access vlan 2
!
interface Ethernet0/1
description Connection to AVANT_SLB_A (inside)
switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network ES_NETWORKS
network-object 69.30.17.0 255.255.255.0
network-object 69.30.2.0 255.255.255.0
network-object 69.30.19.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list ACL-OUTSIDE_in remark ****** Inbound access to AVANT_WEB servers from outside ******
access-list ACL-OUTSIDE_in extended permit object-group TCPUDP any host AVANT_WEB_VIP eq www
access-list ACL-OUTSIDE_in extended permit tcp any host AVANT_WEB_VIP eq https
access-list ACL-OUTSIDE_in remark ****** Allow ICMP In ******
access-list ACL-OUTSIDE_in extended permit icmp any any log disable
access-list ACL-OUTSIDE_in remark ****** Allow ES Networks Access ******
access-list ACL-OUTSIDE_in extended permit ip object-group ES_NETWORKS any log disable
access-list avnt-group_splitTunnelAcl standard permit 69.30.50.128 255.255.255.240
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu Inside 1500
ip local pool avntpool 69.30.50.130-69.30.50.132
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group ACL-OUTSIDE_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.30.33.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 69.30.17.0 255.255.255.0 outside
snmp-server host outside 69.30.2.38 community marzatax
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
telnet timeout 5
ssh 69.30.17.0 255.255.255.0 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 206.103.37.4 source outside prefer
webvpn
group-policy avnt-group internal
group-policy avnt-group attributes
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value avnt-group_splitTunnelAcl
address-pools value avntpool
username avnt.admin password /Lrz8JA7Xitr16AN encrypted privilege 0
username avnt.admin attributes
vpn-group-policy avnt-group
tunnel-group avnt-group type remote-access
tunnel-group avnt-group general-attributes
address-pool avntpool
default-group-policy avnt-group
tunnel-group avnt-group ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
   message-length maximum 512
policy-map global_policy
class inspection_default
   inspect dns preset_dns_map
   inspect ftp
   inspect h323 h225
   inspect h323 ras
   inspect rsh
   inspect rtsp
   inspect esmtp
   inspect sqlnet
   inspect skinny
   inspect sunrpc
   inspect xdmcp
   inspect sip
   inspect netbios
   inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:58dd50b73ef7454112659aa970bd633c
: end

Please help a girl out. I have spent too many hours trying to get this to work

sziaulla · ‎06-23-2010

the problem you are facing is due to the IP address assignment. pls check the following from the debugs

Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKE received response of type [] to a request from the IP address utility
Jun 23 10:33:33 [IKEv1]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Cannot obtain an IP address for remote peer

you have configured the following on your ASA which is causing the issue.

no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local

can you pls remove "no" from atleast these 2 commands and try again

crypto isakmp nat-traversal
vpn-addr-assign local

hope this help.

thanks

-Syed

es-netops · ‎06-24-2010

Hi Syed-

I did the recommended changes and I can now login! I also changed the local pool to 172.16.32.18-172.16.32.30 addresses to save IP Addresses for the customer. The problem I am having now is that I cannot ping anything on the inside when I successfully connect to the vpn. I have the IPSec/UDP (NAT/PAT) setting set on my client as well.

Here is my revised config (removed bulk non-related lines):

ASA Version 8.2(1)
!
hostname FW-AVANT
enable password sFHPoSNXoNmXBMbQ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 69.30.50.142 AVANT_WEB_VIP description AVANT WEB VIP (inside)
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 69.30.33.246 255.255.255.248
!
interface Vlan10
nameif Inside
security-level 100
ip address 69.30.50.129 255.255.255.240
!
interface Ethernet0/0
description Connection to Agr107 1/19 (outside)
switchport access vlan 2
!
interface Ethernet0/1
description Connection to AVANT_SLB_A (inside)
switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

protocol-object tcp
access-list avnt-group_splitTunnelAcl standard permit 69.30.50.128 255.255.255.240
access-list Inside_nat0_outbound extended permit ip 69.30.50.128 255.255.255.240 172.16.32.16 255.255.255.240
mtu Inside 1500
ip local pool avnt-pool 172.16.32.18-172.16.32.30 mask 255.255.255.240
global (outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
access-group ACL-OUTSIDE_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.30.33.241 1
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 69.30.17.0 255.255.255.0 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 206.103.37.4 source outside prefer
webvpn
group-policy avnt-group internal
group-policy avnt-group attributes
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value avnt-group_splitTunnelAcl
username avnt.admin password /Lrz8JA7Xitr16AN encrypted privilege 0
username avnt.admin attributes
vpn-group-policy avnt-group
tunnel-group avnt-group type remote-access
tunnel-group avnt-group general-attributes
address-pool avnt-pool
default-group-policy avnt-group
tunnel-group avnt-group ipsec-attributes
pre-shared-key *
!

sziaulla · ‎06-24-2010

can you pls out this command in the config of ASA

managment-access inside

now try to ping the inside interface IP address from the client. if you are unable to ping pls get me the output of the following command from ASA

show crypto isakmp sa

show crypto ipsec sa

thanks

-Syed

ASK THE EXPERTS - IP SECURITY VPN