Help: Inside network access issue over IPSEC VPN

Pinesh Amin
Level 1

Hi,

I have an issue accessing the inside network of my temple over IPsec VPN from my home network. This only happens when I connect from my home network using a Cisco ASA-5505. I have no problem accessing the inside network of my temple if I use a Netgear router or Clear Hotspot instead of the ASA-5505. Here is the hardware detail:

At the temple, we are using a Cisco ASA 5510 and we have so many IPsec site-to-site tunnels to different temples in the country. Please see the attached configuration for my home ASA 5505. I have verified that none of my home networks overlap the temple's networks.

Please help.

PatminASA-01# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname PatminASA-01
enable password 1234xyz encrypted
passwd 1234xyz encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 10.10.105.254 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
access-list NONAT extended permit ip 10.10.105.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list NONAT extended permit ip 10.10.105.0 255.255.255.0 192.168.81.0 255.255.255.0
access-list ST-SSL standard permit 10.10.105.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool IPP-SSL 192.168.80.100-192.168.80.110 mask 255.255.255.0
ip local pool IPP-SEC 192.168.81.100-192.168.81.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 192.168.80.0 255.255.255.0
nat (outside) 1 192.168.81.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.105.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TSSET-SEC esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN1-SEC 1 set transform-set TSSET-SEC
crypto dynamic-map DYN1-SEC 1 set reverse-route
crypto map MAP-SEC 1 ipsec-isakmp dynamic DYN1-SEC
crypto map MAP-SEC interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet 10.10.105.0 255.255.255.0 inside
telnet timeout 10
ssh 10.10.105.0 255.255.255.0 inside
ssh timeout 10
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.10.105.101-10.10.105.132 inside
dhcpd dns 97.81.22.195 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy GP-SSL internal
group-policy GP-SSL attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ST-SSL
 address-pools value IPP-SSL
 webvpn
  svc keep-installer installed
  svc rekey time 30
  svc rekey method ssl
  svc ask enable default svc timeout 20
username pinesh password 1234xyz encrypted
username pinesh attributes
 service-type remote-access
tunnel-group PROF-SSL type remote-access
tunnel-group PROF-SSL general-attributes
 default-group-policy GP-SSL
tunnel-group PROF-SSL webvpn-attributes
 group-alias PATMIN-Office enable
tunnel-group TG-SEC type remote-access
tunnel-group TG-SEC general-attributes
 address-pool IPP-SEC
tunnel-group TG-SEC ipsec-attributes
 pre-shared-key 1234xyz
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:fcf9c9196cbe2c92222e127bdc8b30be
: end
PatminASA-01#

2 Replies

Hi

Is the IPsec tunnel coming up? If not, paste sh cry isakmp, sh cry ipsec, debug cry isakmp and debug cry ipsec.

If it's up, check the routing.

Thanks

Pranesh

Thanks Pranesh,

I haven't checked the IPsec tunnel, but I assumed that since I get a successful connection to the VPN tunnel, the tunnel is up. I have very limited knowledge about this; still learning the basics for CCNA certification. The weird thing is when I swap out the ASA-5505 with the home Netgear router (at home), I don't have any problem accessing the inside network at the temple. Therefore, my assumption is something is wrong in my ASA-5505 config at home (the config is pasted in the initial post). Please advise.

Again, thank you so much for your help.
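Before running the debugs Pranesh suggests, the posted 5505 config itself can be read for the NAT, crypto and inspection facts a reviewer checks when a host behind a PAT gateway cannot reach a remote VPN. The Python below is an added example, not code from the thread; it parses a constructed excerpt of the posted config (addresses copied from the post) and reports those facts.

```python
import re

# Constructed excerpt of the ASA 5505 "sh run" posted above: the NAT, ACL, crypto
# and inspection lines only, with addresses copied from the post.
ASA_CONFIG = """\
access-list NONAT extended permit ip 10.10.105.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list NONAT extended permit ip 10.10.105.0 255.255.255.0 192.168.81.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map MAP-SEC interface outside
crypto isakmp enable outside
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ip-options
"""

def parse_asa(text):
    """Facts from an ASA 8.2 config: nat 0 ACL, inside PAT, outside crypto, inspections."""
    cfg = {"acl": {}, "nat0_acl": None, "pat_inside": False,
           "isakmp_outside": False, "cryptomap_outside": False, "inspect": set()}
    for raw in text.splitlines():
        s, w = raw.strip(), raw.split()   # ASA indents sub-commands with a space
        if s.startswith("access-list "):
            cfg["acl"].setdefault(w[1], []).append(s)
        elif (m := re.match(r"nat \(inside\) 0 access-list (\S+)", s)):
            cfg["nat0_acl"] = m.group(1)      # identity NAT (exemption) ACL
        elif s == "nat (inside) 1 0.0.0.0 0.0.0.0":
            cfg["pat_inside"] = True          # whole inside LAN goes out via PAT
        elif s == "crypto isakmp enable outside":
            cfg["isakmp_outside"] = True
        elif re.match(r"crypto map \S+ interface outside", s):
            cfg["cryptomap_outside"] = True
        elif len(w) > 1 and w[0] == "inspect":
            cfg["inspect"].add(w[1])
    return cfg

def review(cfg):
    """Reviewer findings as strings, each read straight from the parsed config."""
    dests = [" ".join(l.split()[-2:])  # destination net + mask of each nat 0 entry
             for l in cfg["acl"].get(cfg["nat0_acl"], [])]
    out = ["nat 0 exempts traffic only to: " + ", ".join(dests)]
    if cfg["pat_inside"]:
        out.append("inside hosts are PATed to the outside interface address")
    if cfg["isakmp_outside"] and cfg["cryptomap_outside"]:
        out.append("this ASA itself terminates IKE on outside (UDP 500)")
    if "ipsec-pass-thru" not in cfg["inspect"]:
        out.append("no 'inspect ipsec-pass-thru': ESP has no ports to PAT, so confirm "
                   "the VPN client behind this ASA negotiates NAT-T (UDP 4500)")
    return out
```

Run `review(parse_asa(ASA_CONFIG))` to get the findings; the ipsec-pass-thru line is a check to perform, not a diagnosis of the thread's problem.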
