topic Re: ASA 55810 remote access VPN problem in Network Security

ASA 5580 remote access VPN problem

gasparmenendez — Fri, 21 Feb 2020 14:16:30 GMT

Hi friends, I already configured a VPN connection between a PC (with public ip address) and my ASA 5580 for testing purposes. The problem is that I need to ping a subnet (192.168.199.0/24) behind the ASA from the PC connected through VPN but I can't, I've been trying a lot of things but is nearly impossible. I really need every help I can get in order to solve this issue. When I run a packet-tracer on the ASA I get:

ASA5580# packet-trace input outside icmp 192.168.239.2 8 0 192.168.199.33

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE_Prueba,OUTSIDE) source static redvpn redvpn destination static NETWORK_OBJ_192.168.239.0_25 NETWORK_OBJ_192.168.239.0_25 no-proxy-arp
Additional Information:
NAT divert to egress interface INSIDE_Prueba
Untranslate 192.168.199.33/0 to 192.168.199.33/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE_access_in in interface OUTSIDE
access-list OUTSIDE_access_in extended permit ip any any
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: INSIDE_Prueba
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Obviously PC connected to LAN behind ASA has ip address 192.168.199.33 and the other one with public ip address gets 192.168.239.2 when VPN comes up. Can anybody help me please???

Thanks in advance. BR.

Re: ASA 55810 remote access VPN problem

Spooster IT Services — Wed, 06 Sep 2017 17:08:50 GMT

Hi gasparmenendez,

Can you post the ASA 5580 config related to VPN with NAT exemption you have configured ?

Re: ASA 55810 remote access VPN problem

gasparmenendez — Wed, 06 Sep 2017 18:26:11 GMT

Here it is:

object network 192.168.239.0
subnet 192.168.239.0 255.255.255.128
description 192.168.239.0
object network NETWORK_OBJ_192.168.239.0_25
subnet 192.168.239.0 255.255.255.128
object network pool-vpn-prueba
subnet 192.168.239.0 255.255.255.128
object-group network redvpn
network-object object 192.168.199.0

access-list INSIDE_Prueba_access_in extended permit ip object 192.168.199.0 any

access-list ACL-tunel-vpn-prueba standard permit 192.168.239.0 255.255.255.0
access-list ACL-tunel-vpn-prueba standard permit 192.168.199.0 255.255.255.0

access-list INSIDE_Prueba_access_out extended permit ip 192.168.199.0 255.255.255.0 any

ip local pool pool-vpn-prueba 192.168.239.1-192.168.239.100 mask 255.255.255.0

nat (INSIDE_Prueba,OUTSIDE) source static redvpn redvpn destination static NETWORK_OBJ_192.168.239.0_25 NETWORK_OBJ_192.168.239.0_25 no-proxy-arp

nat (CARRIERS,OUTSIDE) after-auto source dynamic any interface
nat (INSIDE_Prueba,OUTSIDE) after-auto source dynamic any interface

nat (OUTSIDE,OUTSIDE) after-auto source static pool-vpn-prueba interface no-proxy-arp
access-group OUTSIDE_access_in in interface OUTSIDE
access-group CARRIERS_access_in in interface CARRIERS
access-group CARRIERS_access_out out interface CARRIERS
access-group INSIDE_Prueba_access_in in interface INSIDE_Prueba
access-group INSIDE_Prueba_access_out out interface INSIDE_Prueba

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map INSIDE_Prueba_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INSIDE_Prueba_map interface INSIDE_Prueba
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 enable INSIDE_Prueba
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access INSIDE_Prueba
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy policiy-tunel-vpn-prueba-all internal
group-policy policiy-tunel-vpn-prueba-all attributes
dns-server value 209.244.0.3 209.244.0.4
vpn-tunnel-protocol ikev1 ssl-clientless
split-tunnel-policy tunnelall
group-policy policiy-tunel-vpn-prueba-split internal
group-policy policiy-tunel-vpn-prueba-split attributes
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL-tunel-vpn-prueba

tunnel-group tunel-vpn-prueba type remote-access
tunnel-group tunel-vpn-prueba general-attributes
address-pool pool-vpn-prueba
default-group-policy policiy-tunel-vpn-prueba-split
tunnel-group tunel-vpn-prueba ipsec-attributes
ikev1 pre-shared-key *****

I think that would be all but maybe I miss some lines related to what you ask. If you need anything else please let me know.

Thanks.

Re: ASA 55810 remote access VPN problem

Spooster IT Services — Wed, 06 Sep 2017 19:35:39 GMT

1) What happen when you try to ping from remote PC (192.168.239.x) to LAN server/PC (192.168.199.x) instead of packet tracer command?

2) Are to able to setup VPN session successfully or getting some error while to connect?

3) Are you inspecting the ICMP traffic?

4) You need to allow the traffic in outbound ACL INSIDE_Prueba_access_out. Following is the command.

access-list INSIDE_Prueba_access_out extended permit ip 192.168.239.0 255.255.255.128 192.168.199.0 255.255.255.0

Re: ASA 55810 remote access VPN problem

gasparmenendez — Wed, 06 Sep 2017 22:13:06 GMT

first of all the command you refer in 4) made no difference, and about tyour other questions:

1) nothing happens

2) VPN comes up fast and without any errors

3) how and where can I inspect ICMP traffic??

Thanks.

Re: ASA 55810 remote access VPN problem

gasparmenendez — Fri, 08 Sep 2017 19:03:17 GMT

I ran a tcpdump in the internal PC while ping it from PC connected through VPN and internal PC receive and reply packets...I think ASA is not permiting traffic in both directions.Here's tcpdump:

gaspar@gaspar-Lenovo-ideapad-310-15ISK ~ $ sudo tcpdump -i enp1s0 | grep 192.168.239.3
[sudo] password for gaspar:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:23:17.968146 IP 192.168.239.3 > 192.168.199.30: ICMP echo request, id 1, seq 843, length 40
13:23:17.968170 IP 192.168.199.30 > 192.168.239.3: ICMP echo reply, id 1, seq 843, length 40
13:23:22.946540 IP 192.168.239.3 > 192.168.199.30: ICMP echo request, id 1, seq 844, length 40
13:23:22.946573 IP 192.168.199.30 > 192.168.239.3: ICMP echo reply, id 1, seq 844, length 40
13:23:27.958995 IP 192.168.239.3 > 192.168.199.30: ICMP echo request, id 1, seq 845, length 40
13:23:27.959013 IP 192.168.199.30 > 192.168.239.3: ICMP echo reply, id 1, seq 845, length 40
13:23:32.946256 IP 192.168.239.3 > 192.168.199.30: ICMP echo request, id 1, seq 846, length 40
13:23:32.946275 IP 192.168.199.30 > 192.168.239.3: ICMP echo reply, id 1, seq 846, length 40
13:23:37.954738 IP 192.168.239.3 > 192.168.199.30: ICMP echo request, id 1, seq 847, length 40
13:23:37.954762 IP 192.168.199.30 > 192.168.239.3: ICMP echo reply, id 1, seq 847, length 40
13:23:42.953934 IP 192.168.239.3 > 192.168.199.30: ICMP echo request, id 1, seq 848, length 40
13:23:42.953967 IP 192.168.199.30 > 192.168.239.3: ICMP echo reply, id 1, seq 848, length 40
13:23:47.973584 IP 192.168.239.3 > 192.168.199.30: ICMP echo request, id 1, seq 849, length 40
13:23:47.973605 IP 192.168.199.30 > 192.168.239.3: ICMP echo reply, id 1, seq 849, length 40
13:23:52.953619 IP 192.168.239.3 > 192.168.199.30: ICMP echo request, id 1, seq 850, length 40
13:23:52.953646 IP 192.168.199.30 > 192.168.239.3: ICMP echo reply, id 1, seq 850, length 40
13:23:57.964301 IP 192.168.239.3 > 192.168.199.30: ICMP echo request, id 1, seq 851, length 40
13:23:57.964323 IP 192.168.199.30 > 192.168.239.3: ICMP echo reply, id 1, seq 851, length 40
13:24:02.945082 IP 192.168.239.3 > 192.168.199.30: ICMP echo request, id 1, seq 852, length 40
13:24:02.945104 IP 192.168.199.30 > 192.168.239.3: ICMP echo reply, id 1, seq 852, length 40
13:24:07.957750 IP 192.168.239.3 > 192.168.199.30: ICMP echo request, id 1, seq 853, length 40
13:24:07.957770 IP 192.168.199.30 > 192.168.239.3: ICMP echo reply, id 1, seq 853, length 40
13:24:12.950293 IP 192.168.239.3 > 192.168.199.30: ICMP echo request, id 1, seq 854, length 40
13:24:12.950342 IP 192.168.199.30 > 192.168.239.3: ICMP echo reply, id 1, seq 854, length 40
13:24:17.946094 IP 192.168.239.3 > 192.168.199.30: ICMP echo request, id 1, seq 855, length 40
13:24:17.946115 IP 192.168.199.30 > 192.168.239.3: ICMP echo reply, id 1, seq 855, length 40
13:24:22.958903 IP 192.168.239.3 > 192.168.199.30: ICMP echo request, id 1, seq 856, length 40
13:24:22.958924 IP 192.168.199.30 > 192.168.239.3: ICMP echo reply, id 1, seq 856, length 40
13:24:27.954405 IP 192.168.239.3 > 192.168.199.30: ICMP echo request, id 1, seq 857, length 40
13:24:27.954426 IP 192.168.199.30 > 192.168.239.3: ICMP echo reply, id 1, seq 857, length 40
^C14559 packets captured
14576 packets received by filter
0 packets dropped by kernel
38 packets dropped by interface

no more help?????

Re: ASA 55810 remote access VPN problem

Spooster IT Services — Fri, 08 Sep 2017 19:15:31 GMT

Try to add the following command:-

access-list INSIDE_Prueba_access_in extended permit ip 192.168.199.0 255.255.255.0 192.168.239.0 255.255.255.128

Establish a VPN session between ASA and VPN client. Setup captures at ASA. Following are commands to setup capture
access-list TEST extended permit ip 192.168.199.0 255.255.255.0 192.168.239.0 255.255.255.128

access-list TEST extended permit ip 192.168.239.0 255.255.255.128 192.168.199.0 255.255.255.0

capture CAP interface INSIDE_Prueba access-list TEST buffer 100000

and post the following outputs:-

1) show capture CAP

2) sh conn | in 192.168.239.
3) sh xlate | in 192.168.239.

Re: ASA 55810 remote access VPN problem

gasparmenendez — Fri, 08 Sep 2017 21:11:48 GMT

After did what you said:

ASA5580# show capture CAP

14 packets captured

   1: 16:08:46.154761 192.168.239.3 > 192.168.199.33: icmp: echo request
   2: 16:08:51.163581 192.168.239.3 > 192.168.199.33: icmp: echo request
   3: 16:08:56.157538 192.168.239.3 > 192.168.199.33: icmp: echo request
   4: 16:09:01.151466 192.168.239.3 > 192.168.199.33: icmp: echo request
   5: 16:09:06.160025 192.168.239.3 > 192.168.199.33: icmp: echo request
   6: 16:09:11.153083 192.168.239.3 > 192.168.199.33: icmp: echo request
   7: 16:09:16.152442 192.168.239.3 > 192.168.199.33: icmp: echo request
   8: 16:09:21.147285 192.168.239.3 > 192.168.199.33: icmp: echo request
   9: 16:09:26.154044 192.168.239.3 > 192.168.199.33: icmp: echo request
10: 16:09:31.170050 192.168.239.3 > 192.168.199.33: icmp: echo request
11: 16:09:36.157401 192.168.239.3 > 192.168.199.33: icmp: echo request
12: 16:09:41.177358 192.168.239.3 > 192.168.199.33: icmp: echo request
13: 16:09:46.171698 192.168.239.3 > 192.168.199.33: icmp: echo request
14: 16:09:51.165473 192.168.239.3 > 192.168.199.33: icmp: echo request
14 packets shown

ASA5580# sh conn | in 192.168.239. shows nothing, but:

ASA5580# sh conn | in 192.168.239.3
ICMP OUTSIDE 192.168.239.3:1 INSIDE_Prueba 192.168.199.33:0, idle 0:00:01, bytes 32

and:

ASA5580# sh xlate | in 192.168.239.
NAT from OUTSIDE:192.168.239.0/25 to INSIDE_Prueba:192.168.239.0/25
NAT from OUTSIDE:192.168.239.0/25 to OUTSIDE:170.80.240.2

forgive me for asking but, is it so hard what I want to do???
Thanks.

Re: ASA 55810 remote access VPN problem

Spooster IT Services — Fri, 08 Sep 2017 21:25:39 GMT

There is one way traffic in ASA captures. This means either inbound ACL is dropping the return traffic or Server has wrong default gateway settings or wrong route for 192.168.239.0/24 subnet.

Verify the following:-

1) ASA's INSIDE_Prueba interface ACL. (Post the output of "show access-list INSIDE_Prueba_access_in" and "show access-list INSIDE_Prueba_access_out").

2) Default Gateway of server

3) Route entries at server (Post the output of cmd "route print" command).

Re: ASA 55810 remote access VPN problem

gasparmenendez — Fri, 08 Sep 2017 21:47:10 GMT

ASA5580# show access-list INSIDE_Prueba_access_in
access-list INSIDE_Prueba_access_in; 6 elements; name hash: 0xafbf4ce6
access-list INSIDE_Prueba_access_in line 1 extended permit ip 192.168.62.0 255.255.255.0 any (hitcnt=39561) 0x716f37f7
access-list INSIDE_Prueba_access_in line 2 extended permit ip object 172.16.99.0 any (hitcnt=90342246) 0x4427b2ed
access-list INSIDE_Prueba_access_in line 2 extended permit ip 172.16.99.0 255.255.255.0 any (hitcnt=90342246) 0x4427b2ed
access-list INSIDE_Prueba_access_in line 3 extended permit ip object 192.168.199.0 any (hitcnt=155560) 0x168ba1f4
access-list INSIDE_Prueba_access_in line 3 extended permit ip 192.168.199.0 255.255.255.0 any (hitcnt=155560) 0x168ba1f4
access-list INSIDE_Prueba_access_in line 4 extended permit ip object 10.228.0.0 any (hitcnt=1599026) 0xa793330c
access-list INSIDE_Prueba_access_in line 4 extended permit ip 10.228.0.0 255.255.240.0 any (hitcnt=1599026) 0xa793330c
access-list INSIDE_Prueba_access_in line 5 extended permit ip 10.227.224.0 255.255.252.0 192.168.199.0 255.255.255.0 (hitcnt=0) 0xa4d41a0d
access-list INSIDE_Prueba_access_in line 6 extended permit ip 192.168.199.0 255.255.255.0 192.168.239.0 255.255.255.128 (hitcnt=0) 0xc9b601cc

ASA5580# show access-list INSIDE_Prueba_access_out
access-list INSIDE_Prueba_access_out; 4 elements; name hash: 0x68c766de
access-list INSIDE_Prueba_access_out line 1 extended permit ip 10.227.224.0 255.255.252.0 any (hitcnt=7363) 0x6bf6b718
access-list INSIDE_Prueba_access_out line 2 extended permit ip 192.168.199.0 255.255.255.0 any (hitcnt=0) 0xbde038cd
access-list INSIDE_Prueba_access_out line 3 extended permit ip any object 172.16.99.0 (hitcnt=0) 0x6622900f
access-list INSIDE_Prueba_access_out line 3 extended permit ip any 172.16.99.0 255.255.255.0 (hitcnt=669327) 0x6622900f
access-list INSIDE_Prueba_access_out line 4 extended permit ip 192.168.239.0 255.255.255.128 192.168.199.0 255.255.255.0 (hitcnt=0) 0x9aa43cbf

Pic attached with Default Gateway of server and Route entries

Thanks!

Re: ASA 55810 remote access VPN problem

Spooster IT Services — Fri, 08 Sep 2017 21:56:18 GMT

Whose IP is 192.168.199.254?

It seems that something wrong with ASA configuration. Can you post the ASA 's full config? Please remember to remove the sensitive information before posting (like public IP, Passwords etc.)

Re: ASA 55810 remote access VPN problem

gasparmenendez — Fri, 08 Sep 2017 22:03:36 GMT

ASA5580# sh running-config
: Saved
:
ASA Version 8.4(5)
!
hostname ASA5580
enable password TFy5Z encrypted
passwd 2KFQnbNIdI encrypted
names
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.0.44 255.255.255.0
!
interface Management0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet3/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3/2
nameif CARRIERS
security-level 30
ip address 10.227.224.3 255.255.252.0
!
interface GigabitEthernet3/3
nameif INSIDE_Prueba
security-level 40
ip address 192.168.62.254 255.255.255.0
!
interface TenGigabitEthernet5/0
nameif CMTS
security-level 50
ip address 192.168.61.9 255.255.255.0
!
interface TenGigabitEthernet5/1
shutdown
no nameif
no security-level
no ip address
!
interface TenGigabitEthernet7/0
nameif OUTSIDE
security-level 0
ip address 170.X.X.2 255.255.255.240
!
interface TenGigabitEthernet7/1
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 10.19.0.0
subnet 10.19.0.0 255.255.0.0
object network 170.X.X.3
host 170.X.X.3
object network 170.X.X.4
host 170.X.X.4
object network 170.X.X.5
host 170.X.X.5
object network 170.X.X.6
host 170.X.X.6
object network 170.X.X.7
host 170.X.X.7
object network 170.X.X.8
host 170.X.X.8
object network 170.X.X.9
host 170.X.X.9
object network 170.X.X.10
host 170.X.X.10
object network 170.X.X.11
host 170.X.X.11
object network 170.X.X.12
host 170.X.X.12
object network 170.X.X.13
host 170.X.X.13
object network 170.X.X.14
host 170.X.X.14
object network 10.27.0.0
subnet 10.27.0.0 255.255.0.0
object network 10.25.0.0
subnet 10.25.0.0 255.255.0.0
object network 10.9.0.0
subnet 10.9.0.0 255.255.0.0
object network 10.39.0.0
subnet 10.39.0.0 255.255.0.0
object network 10.11.0.0
subnet 10.11.0.0 255.255.0.0
object network 10.35.0.0
subnet 10.35.0.0 255.255.0.0
object network 10.33.0.0
subnet 10.33.0.0 255.255.0.0
object network 10.13.0.0
subnet 10.13.0.0 255.255.0.0
object network 10.17.0.0
subnet 10.17.0.0 255.255.0.0
object network 10.37.0.0
subnet 10.37.0.0 255.255.0.0
object network 10.41.0.0
subnet 10.41.0.0 255.255.0.0
object network 10.45.0.0
subnet 10.45.0.0 255.255.0.0
object network 170.X.X.16
host 170.X.X.16
object network 170.X.X.17
host 170.X.X.17
object network 170.X.X.18
host 170.X.X.18
object network 170.X.X.19
host 170.X.X.19
object network 170.X.X.20
host 170.X.X.20
object network 170.X.X.21
host 170.X.X.21
object network 170.X.X.22
host 170.X.X.22
object network 170.X.X.23
host 170.X.X.23
object network 170.X.X.24
host 170.X.X.24
object network 170.X.X.25
host 170.X.X.25
object network 10.47.0.0
subnet 10.47.0.0 255.255.0.0
object network 170.X.X.26
host 170.X.X.26
object network 170.X.X.27
host 170.X.X.27
object network 170.X.X.28
host 170.X.X.28
object network 170.X.X.29
host 170.X.X.29
object network 170.X.X.30
host 170.X.X.30
object network 170.X.X.31
host 170.X.X.31
object network 10.49.0.0
subnet 10.49.0.0 255.255.0.0
object network Prueba-10.227.225.210
host 10.227.225.210
object network 10.227.225.210
host 10.227.225.210
object network 172.16.99.0
subnet 172.16.99.0 255.255.255.0
object network 172.16.99.22
host 172.16.99.22
object network 10.50.0.0
subnet 10.50.0.0 255.255.0.0
object network 10.51.0.0
subnet 10.51.0.0 255.255.0.0
object network 10.227.225.20
host 10.227.225.20
object network CentroValle_1930
host 10.227.225.20
object network CentroValle_1946
host 10.227.225.20
object network 170.X.X.2
host 170.X.X.2
object network Stgo4646_3050
host 10.44.0.130
object network 10.44.0.130
host 10.44.0.130
object network 192.168.199.0
subnet 192.168.199.0 255.255.255.0
object network 10.227.225.41
host 10.227.225.41
object network Administracion_FTTH_NuevoIdeal
subnet 10.16.10.0 255.255.255.0
description Administracion FTTH Nuevo Ideal
object network 10.228.0.0
subnet 10.228.0.0 255.255.240.0
description 10.228.0.0
object network 192.168.239.0
subnet 192.168.239.0 255.255.255.128
description 192.168.239.0
object network NETWORK_OBJ_192.168.239.0_25
subnet 192.168.239.0 255.255.255.128
object network pool-vpn-prueba
subnet 192.168.239.0 255.255.255.128
object network Pool_CMTS_Stgo
range 170.X.X.8 170.X.X.9
object network 10.227.225.12
host 10.227.225.12
object network AutopartesStgo_Suc_NI_81
host 10.227.225.12
object network AutopartesStgo_Suc_NI_554
host 10.227.225.12
object network AutopartesStgo_Suc_NI_8000
host 10.227.225.12
object network 10.227.225.31
host 10.227.225.31
object network Ferrepisos_NI_3389
host 10.227.225.31
object network Ferrepisos_NI_8081
host 10.227.225.31
object network 10.227.225.21
host 10.227.225.21
object network 10.227.225.22
host 10.227.225.22
object network 170.X.X.80
host 170.X.X.80
object network 170.X.X.81
host 170.X.X.81
object network 170.X.X.82
host 170.X.X.82
object network 10.227.225.29
host 10.227.225.29
object network 10.227.225.39
host 10.227.225.39
object network 170.X.X.83
host 170.X.X.83
object network 170.X.X.84
host 170.X.X.84
object network 170.X.X.85
host 170.X.X.85
object network 192.168.199.29
host 192.168.199.29
description Gaspar
object network 10.227.224.11
host 10.227.224.11
description CACTI_Carrier
object network CACTI_Carrier
host 10.227.224.11
object network 10.227.224.0
subnet 10.227.224.0 255.255.252.0
object network ALTAI
host 172.16.99.22
object-group network redvpn
network-object object 192.168.199.0
access-list CARRIERS_access_in extended permit ip 10.227.224.0 255.255.252.0 any
access-list CARRIERS_access_out extended permit ip any 10.227.224.0 255.255.252.0
access-list CARRIERS_access_out extended permit ip 192.168.199.0 255.255.255.0 10.227.224.0 255.255.252.0
access-list OUTSIDE_access_in remark ALTAI
access-list OUTSIDE_access_in extended permit ip any object 172.16.99.22
access-list OUTSIDE_access_in remark Centro Valle
access-list OUTSIDE_access_in extended permit tcp any object 10.227.225.20 eq 1930
access-list OUTSIDE_access_in remark Centro Valle
access-list OUTSIDE_access_in extended permit tcp any object 10.227.225.20 eq 1946
access-list OUTSIDE_access_in remark Stgo Contrato 4646
access-list OUTSIDE_access_in extended permit tcp any object 10.44.0.130 eq 3050
access-list OUTSIDE_access_in remark Prueba
access-list OUTSIDE_access_in extended permit ip any object 10.227.225.210
access-list OUTSIDE_access_in remark Gasolinera Holanda
access-list OUTSIDE_access_in extended permit ip any object 10.227.225.41
access-list OUTSIDE_access_in remark AutopartesStgo_Suc_NI
access-list OUTSIDE_access_in extended permit tcp any object 10.227.225.12 eq 81
access-list OUTSIDE_access_in remark AutopartesStgo_Suc_NI
access-list OUTSIDE_access_in extended permit tcp any object 10.227.225.12 eq rtsp
access-list OUTSIDE_access_in remark AutopartesStgo_Suc_NI
access-list OUTSIDE_access_in extended permit tcp any object 10.227.225.12 eq 8000
access-list OUTSIDE_access_in remark Ferrepisos_NI
access-list OUTSIDE_access_in extended permit tcp any object 10.227.225.31 eq 3389
access-list OUTSIDE_access_in remark Ferrepisos_NI
access-list OUTSIDE_access_in extended permit tcp any object 10.227.225.31 eq 8081
access-list OUTSIDE_access_in remark Gasolinera Samantha
access-list OUTSIDE_access_in extended permit ip any object 10.227.225.21
access-list OUTSIDE_access_in remark Gasolinera CM
access-list OUTSIDE_access_in extended permit ip any object 10.227.225.22
access-list OUTSIDE_access_in remark Farmacia Economica NI
access-list OUTSIDE_access_in extended permit ip any object 10.227.225.39
access-list OUTSIDE_access_in remark Caja Hipodromo NI
access-list OUTSIDE_access_in extended permit ip any object 10.227.225.29
access-list OUTSIDE_access_in remark CACTI_Carrier
access-list OUTSIDE_access_in extended permit ip any object 10.227.224.11
access-list OUTSIDE_access_in extended permit ip any any
access-list INSIDE_Prueba_access_in extended permit ip 192.168.62.0 255.255.255.0 any
access-list INSIDE_Prueba_access_in extended permit ip object 172.16.99.0 any
access-list INSIDE_Prueba_access_in extended permit ip object 192.168.199.0 any
access-list INSIDE_Prueba_access_in extended permit ip object 10.228.0.0 any
access-list INSIDE_Prueba_access_in extended permit ip 10.227.224.0 255.255.252.0 192.168.199.0 255.255.255.0
access-list INSIDE_Prueba_access_in extended permit ip 192.168.199.0 255.255.255.0 192.168.239.0 255.255.255.128
access-list ACL-tunel-vpn-prueba standard permit 192.168.239.0 255.255.255.0
access-list ACL-tunel-vpn-prueba standard permit 192.168.199.0 255.255.255.0
access-list INSIDE_Prueba_access_out extended permit ip 10.227.224.0 255.255.252.0 any
access-list INSIDE_Prueba_access_out extended permit ip 192.168.199.0 255.255.255.0 any
access-list INSIDE_Prueba_access_out extended permit ip any object 172.16.99.0
access-list INSIDE_Prueba_access_out extended permit ip 192.168.239.0 255.255.255.128 192.168.199.0 255.255.255.0
access-list TEST extended permit ip 192.168.199.0 255.255.255.0 192.168.239.0 255.255.255.128
access-list TEST extended permit ip 192.168.239.0 255.255.255.128 192.168.199.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu OUTSIDE 1500
mtu CARRIERS 1500
mtu INSIDE_Prueba 1500
mtu CMTS 1500
ip local pool pool-vpn-prueba 192.168.239.1-192.168.239.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any OUTSIDE
icmp permit any CARRIERS
icmp permit any echo CARRIERS
icmp permit any echo-reply CARRIERS
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (CMTS,OUTSIDE) source dynamic 10.19.0.0 170.X.X.16
nat (CMTS,OUTSIDE) source dynamic 10.27.0.0 170.X.X.17
nat (CMTS,OUTSIDE) source dynamic 10.25.0.0 170.X.X.18
nat (CMTS,OUTSIDE) source dynamic 10.9.0.0 170.X.X.12
nat (CMTS,OUTSIDE) source dynamic 10.39.0.0 170.X.X.20
nat (CMTS,OUTSIDE) source dynamic 10.11.0.0 170.X.X.11
nat (CMTS,OUTSIDE) source dynamic 10.35.0.0 170.X.X.22
nat (CMTS,OUTSIDE) source dynamic 10.33.0.0 170.X.X.23
nat (CMTS,OUTSIDE) source dynamic 10.13.0.0 170.X.X.13
nat (CMTS,OUTSIDE) source dynamic 10.17.0.0 170.X.X.25
nat (CMTS,OUTSIDE) source dynamic 10.37.0.0 170.X.X.26
nat (CMTS,OUTSIDE) source dynamic 10.41.0.0 170.X.X.27
nat (CMTS,OUTSIDE) source dynamic 10.33.0.0 170.X.X.29
nat (CMTS,OUTSIDE) source dynamic 10.47.0.0 170.X.X.21
nat (CMTS,OUTSIDE) source dynamic 10.49.0.0 170.X.X.24
nat (CARRIERS,OUTSIDE) source static 10.227.225.210 170.X.X.3
nat (CARRIERS,OUTSIDE) source static 10.227.225.41 170.X.X.82 description Gasolinera Holanda
nat (INSIDE_Prueba,OUTSIDE) source dynamic 10.228.0.0 170.X.X.10
nat (CMTS,OUTSIDE) source dynamic 10.51.0.0 pat-pool Pool_CMTS_Stgo
nat (CARRIERS,OUTSIDE) source static 10.227.225.21 170.X.X.80 description Gasolinera Samantha
nat (CARRIERS,OUTSIDE) source static 10.227.225.22 170.X.X.81 description Gasolinera CM
nat (CARRIERS,OUTSIDE) source static 10.227.225.39 170.X.X.83
nat (CARRIERS,OUTSIDE) source static 10.227.225.29 170.X.X.84
nat (INSIDE_Prueba,OUTSIDE) source static redvpn redvpn destination static NETWORK_OBJ_192.168.239.0_25 NETWORK_OBJ_192.168.239.0_25 no-proxy-arp
!
object network CentroValle_1930
nat (CARRIERS,OUTSIDE) static interface service tcp 1930 11930
object network CentroValle_1946
nat (CARRIERS,OUTSIDE) static interface service tcp 1946 11946
object network Stgo4646_3050
nat (CMTS,OUTSIDE) static 170.X.X.28 service tcp 3050 13050
object network AutopartesStgo_Suc_NI_81
nat (CARRIERS,OUTSIDE) static interface service tcp 81 10081
object network AutopartesStgo_Suc_NI_554
nat (CARRIERS,OUTSIDE) static interface service tcp rtsp 10554
object network AutopartesStgo_Suc_NI_8000
nat (CARRIERS,OUTSIDE) static interface service tcp 8000 18000
object network Ferrepisos_NI_3389
nat (CARRIERS,OUTSIDE) static interface service tcp 3389 13389
object network Ferrepisos_NI_8081
nat (CARRIERS,OUTSIDE) static interface service tcp 8081 18081
object network CACTI_Carrier
nat (CARRIERS,OUTSIDE) static 170.X.X.6
object network ALTAI
nat (INSIDE_Prueba,OUTSIDE) static 170.X.X.4
!
nat (CARRIERS,OUTSIDE) after-auto source dynamic any interface
nat (INSIDE_Prueba,OUTSIDE) after-auto source dynamic any interface
nat (CMTS,OUTSIDE) after-auto source dynamic 10.45.0.0 170.X.X.28
nat (OUTSIDE,OUTSIDE) after-auto source static pool-vpn-prueba interface no-proxy-arp
access-group OUTSIDE_access_in in interface OUTSIDE
access-group CARRIERS_access_in in interface CARRIERS
access-group CARRIERS_access_out out interface CARRIERS
access-group INSIDE_Prueba_access_out out interface INSIDE_Prueba
route OUTSIDE 0.0.0.0 0.0.0.0 170.X.X.1 1
route CMTS 10.8.0.0 255.255.0.0 192.168.61.102 1
route CMTS 10.9.0.0 255.255.0.0 192.168.61.102 1
route CMTS 10.10.0.0 255.255.0.0 192.168.61.101 1
route CMTS 10.11.0.0 255.255.0.0 192.168.61.101 1
route CMTS 10.12.0.0 255.255.0.0 192.168.61.114 1
route CMTS 10.13.0.0 255.255.0.0 192.168.61.114 1
route CMTS 10.16.0.0 255.255.0.0 192.168.61.112 1
route CMTS 10.17.0.0 255.255.0.0 192.168.61.112 1
route CMTS 10.18.0.0 255.255.0.0 192.168.61.111 1
route CMTS 10.19.0.0 255.255.0.0 192.168.61.111 1
route CMTS 10.24.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.25.0.0 255.255.0.0 192.168.61.122 1
route CMTS 10.26.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.27.0.0 255.255.0.0 192.168.61.123 1
route CMTS 10.32.0.0 255.255.0.0 192.168.61.130 1
route CMTS 10.33.0.0 255.255.0.0 192.168.61.130 1
route CMTS 10.34.0.0 255.255.0.0 192.168.61.131 1
route CMTS 10.35.0.0 255.255.0.0 192.168.61.131 1
route CMTS 10.36.0.0 255.255.0.0 192.168.61.132 1
route CMTS 10.37.0.0 255.255.0.0 192.168.61.132 1
route CMTS 10.38.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.39.0.0 255.255.0.0 192.168.61.133 1
route CMTS 10.40.0.0 255.255.0.0 192.168.61.134 1
route CMTS 10.41.0.0 255.255.0.0 192.168.61.134 1
route CMTS 10.44.0.0 255.255.0.0 192.168.61.135 1
route CMTS 10.45.0.0 255.255.0.0 192.168.61.135 1
route CMTS 10.46.0.0 255.255.0.0 192.168.61.137 1
route CMTS 10.47.0.0 255.255.0.0 192.168.61.137 1
route CMTS 10.48.0.0 255.255.0.0 192.168.61.138 1
route CMTS 10.49.0.0 255.255.0.0 192.168.61.138 1
route CMTS 10.50.0.0 255.255.0.0 192.168.61.139 1
route CMTS 10.51.0.0 255.255.0.0 192.168.61.139 1
route INSIDE_Prueba 10.228.0.0 255.255.0.0 192.168.62.253 1
route INSIDE_Prueba 172.16.99.0 255.255.255.0 192.168.62.253 1
route INSIDE_Prueba 192.168.199.0 255.255.255.0 192.168.62.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 management
snmp-server host management 192.168.0.2 community ***** udp-port 161
snmp-server location Site-Dg
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map INSIDE_Prueba_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INSIDE_Prueba_map interface INSIDE_Prueba
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 enable INSIDE_Prueba
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access INSIDE_Prueba
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 ssl-clientless
group-policy policiy-tunel-vpn-prueba-all internal
group-policy policiy-tunel-vpn-prueba-all attributes
dns-server value 209.244.0.3 209.244.0.4
vpn-tunnel-protocol ikev1 ssl-clientless
split-tunnel-policy tunnelall
group-policy policiy-tunel-vpn-prueba-split internal
group-policy policiy-tunel-vpn-prueba-split attributes
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ACL-tunel-vpn-prueba
username fermin password vWzuhgp2s encrypted privilege 15
username gaspar password uFhUyhgi encrypted privilege 15
username extra password Mgi9n5u3x encrypted privilege 15
tunnel-group tunel-vpn-prueba type remote-access
tunnel-group tunel-vpn-prueba general-attributes
address-pool pool-vpn-prueba
default-group-policy policiy-tunel-vpn-prueba-split
tunnel-group tunel-vpn-prueba ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 7
subscribe-to-alert-group configuration periodic monthly 7
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b209f3af7ae5cf8467a
: end

Re: ASA 55810 remote access VPN problem

Spooster IT Services — Sat, 09 Sep 2017 10:31:43 GMT

I see that subnet 192.168.199.0 is not directly connected to ASA. It has a route pointing towards 192.168.62.253.

1) whose ip is 192.168.62.253 ?

In server's route print output i noticed that server has a default gateway 192.168.199.254.

2) whose ip 192.168.199.254 ?

Re: ASA 55810 remote access VPN problem

gasparmenendez — Mon, 11 Sep 2017 15:30:09 GMT

sorry about the delay mi friend....

192.168.62.253 and 192.168.199.254 are vlan's ip addresses in the Sw 3750 connected directly to ASA. Here from my Sw 3750:

interface GigabitEthernet1/0/5
description *** Interfaz prueba ASA5580 ***
switchport access vlan 62
switchport mode access
switchport nonegotiate

interface Vlan62
description *** Prueba CMTS 2 ***
ip address 192.168.62.253 255.255.255.0

interface Vlan199
description *** Pruebas Level3 ***
ip address 192.168.199.254 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.62.254

please let me know if you need anything else.

Thanks.

Re: ASA 55810 remote access VPN problem

gasparmenendez — Tue, 12 Sep 2017 17:36:21 GMT

hi my friend,

did you see my last post??

thanks.

Re: ASA 55810 remote access VPN problem

Spooster IT Services — Tue, 12 Sep 2017 18:00:34 GMT

From your last two posts everything looks good in between server and ASA. Try the following commands

no nat (INSIDE_Prueba,OUTSIDE) source static redvpn redvpn destination static NETWORK_OBJ_192.168.239.0_25 NETWORK_OBJ_192.168.239.0_25 no-proxy-arp

nat (INSIDE_Prueba,OUTSIDE) source static redvpn redvpn destination static NETWORK_OBJ_192.168.239.0_25 NETWORK_OBJ_192.168.239.0_25

Re: ASA 55810 remote access VPN problem

gasparmenendez — Tue, 12 Sep 2017 21:57:42 GMT

tried that already without luck my friend....