New Member

Problem With VPN Ipsec

Hello Everybody,

Sorry for my English, but I'm French and I don't speak English very well.

I configured a VPN IPsec connection to an ASA5505 for a client.

I can connect without problems to the ASA and I receive the correct IP address. But I can't do anything: ping, RDP, ...

See a little description

Home --------VPN----------> Outside ASA (PPPoE) --------------------> Inside (192.168.10.0/24)

The remote VPN address pool is 192.168.20.0/24

ASA-COPAS# write t
: Saved
:
ASA Version 8.2(5)
!
hostname ASA-COPAS
domain-name copas.lu
enable password Z64xpU91umTXJNBb encrypted
passwd mdqgUWurX2Iw.1.m encrypted
names
name 192.168.10.1 SBS2011-DC description Domain Server
name 192.168.10.254 ASA5505
name 192.168.120.0 ENTENTES-NETWORK description Network of EGIPA/EFJ/EGCA
!
interface Ethernet0/0
 switchport access vlan 20
!
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/2
 switchport access vlan 30
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan10
 nameif inside
 security-level 100
 ip address ASA5505 255.255.255.0
!
interface Vlan20
 nameif Outside
 security-level 0
 ip address pppoe setroute
!
ftp mode passive
dns server-group DefaultDNS
 domain-name copas.lu
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object icmp
 protocol-object tcp
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object tcp
 protocol-object udp
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object udp
 protocol-object tcp
object-group service RDP tcp
 port-object eq 3389
access-list outside_access_in extended permit tcp any host SBS2011-DC eq https
access-list outside_in remark Permit traffic to exchange - 15/03/2012
access-list outside_in extended permit tcp any interface Outside eq smtp
access-list outside_in remark Permit OWA access - 15/03/2012
access-list outside_in extended permit tcp any interface Outside eq https
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any any object-group RDP
access-list nat0_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0
access-list splitttunnel standard permit 192.168.10.0 255.255.255.0
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 1
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 E
access-list inside_access_in remark Permit Internet Traffic
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any
access-list inside_access_in remark Permit DNS request
access-list inside_access_in extended permit udp host SBS2011-DC any eq domain
access-list inside_access_in remark Permit HTTPS Traffic
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any
access-list inside_access_in remark Permit SMTP traffic
access-list inside_access_in extended permit tcp host SBS2011-DC any eq smtp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp any any echo-reply
access-list splittunnel standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu Outside 1500
ip local pool vpnpool 192.168.20.1-192.168.20.50
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (inside) 0 access-list nat0_acl
nat (inside) 1 192.168.10.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,Outside) tcp interface 3389 SBS2011-DC 3389 netmask 255.255.255.2
static (inside,Outside) tcp interface smtp SBS2011-DC smtp netmask 255.255.255.2
static (inside,Outside) tcp interface https SBS2011-DC https netmask 255.255.255
access-group inside_access_in in interface inside
access-group outside_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 ASA5505 1
route inside ENTENTES-NETWORK 255.255.255.0 ASA5505 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 6
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 Outside
ssh timeout 5
console timeout 0
management-access inside
vpdn group COPAS request dialout pppoe
vpdn group COPAS localname w.11.100219.1
vpdn group COPAS ppp authentication pap
vpdn username w.11.100219.1 password *****
dhcpd auto_config Outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy remotevpn internal
group-policy remotevpn attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
username support password MEoT5LGS1rX8h2hM encrypted
username qits password IxwD9AtR5a.jldfo encrypted
tunnel-group remotevpn type remote-access
tunnel-group remotevpn general-attributes
 address-pool vpnpool
 default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1712110322795c9d231dcc80a35edad1
: end
[OK]
ASA-COPAS#

Thanks in advance,

Hall of Fame Super Silver

Problem With VPN Ipsec

Jeremy,

Your client connects and receives a DHCP address from 192.168.20.1-50 (vpnpool). When trying to reach addresses, the client packets would be affected by access-list inside_access_in. That access-list does not allow addresses from your vpnpool range.

Did you create your remote access VPN from CLI? I suggest using the wizard in ASDM as it anticipates the commonly required commands and supplies them automatically.
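To see which flows the poster's inside_access_in actually covers, here is an added offline ACL checker (example code written for this thread, not Cisco's or the poster's). It parses plain `extended` entries in ASA 8.2 syntax, resolves the poster's `name` entries, and walks the list first-match-wins with the implicit deny at the end; it ignores interface direction and skips the object-group entries, which are truncated on the page, so it checks entry coverage, not the firewall's complete decision.

```python
import ipaddress

# Names from the poster's `name` commands, so `host SBS2011-DC` resolves.
NAMES = {"SBS2011-DC": "192.168.10.1"}
PORTS = {"domain": 53, "smtp": 25, "https": 443}

# Sample input: the plain entries of the poster's inside_access_in, copied from
# the thread. The object-group entries are truncated on the page and are skipped.
INSIDE_ACCESS_IN = """
access-list inside_access_in remark Permit Internet Traffic
access-list inside_access_in extended permit tcp 192.168.10.0 255.255.255.0 any
access-list inside_access_in extended permit udp host SBS2011-DC any eq domain
access-list inside_access_in extended permit tcp host SBS2011-DC any eq smtp
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit icmp any any echo-reply
"""

def parse_addr(tokens):
    """Consume one address spec (any | host A | A MASK) and return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        name = tokens.pop(0)
        return ipaddress.ip_network(NAMES.get(name, name))
    return ipaddress.ip_network(f"{NAMES.get(tok, tok)}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    """Return (action, proto, src, dst, dport) tuples; remarks and object-group lines are skipped."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or t[2:3] != ["extended"] or "object-group" in t:
            continue
        action, proto, rest = t[3], t[4], t[5:]
        src, dst = parse_addr(rest), parse_addr(rest)
        dport = int(PORTS.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, dport))
    return rules

def permits(rules, proto, src_ip, dst_ip, dport=None):
    """First matching entry decides; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, sn, dn, port in rules:
        if p in ("ip", proto) and s in sn and d in dn and port in (None, dport):
            return action == "permit"
    return False

RULES = parse_acl(INSIDE_ACCESS_IN)

if __name__ == "__main__":
    # Constructed flows: a client from the VPN pool to the server, and the server itself out.
    for flow in (("tcp", "192.168.20.5", "192.168.10.1", 3389),
                 ("tcp", "192.168.10.1", "198.51.100.10", 443)):
        print(flow, "permit" if permits(RULES, *flow) else "no matching entry (implicit deny)")
```

The pool-sourced RDP flow matches no entry, which is what the reply above points at; the ICMP entries would still cover a ping from the pool.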

New Member

Problem With VPN Ipsec

Hello,

Thanks for the information.

Now I can connect to the VPN and I can RDP to my server, but only to my server....

I cannot connect to my workstations.

RDP is enabled and works if I connect to the server and then connect to the workstation from the server...

Any idea?

Hall of Fame Super Silver

Problem With VPN Ipsec

Are the workstations on the same 192.168.10.0/24 network as your server? If they are, I would check for host level firewall software.