topic Re: ASA 5505 multiple VPNs not working in Network Security

ASA 5505 multiple VPNs not working

bradkenn75 — Mon, 11 Mar 2019 18:21:05 GMT

Had a new vpn setup last week, or so; since then, other vpn tunnels stopped working (site-to-site vpns) Need help troubleshooting issues; unable to ping across tunner when it was showing active, now all of the tunnels are not showing active.

Re: ASA 5505 multiple VPNs not working

Nagaraja Thanthry — Wed, 04 Aug 2010 17:37:40 GMT

Hello,

Can you please post the corresponding configurations here?

Regards,

Re: ASA 5505 multiple VPNs not working

bradkenn75 — Wed, 04 Aug 2010 17:45:23 GMT

let me know if you need more than this:

object-group network DM_INLINE_NETWORK_1
network-object host 172.30.1.14
network-object host 172.31.1.15
object-group service SSH-ALT tcp
description SSH-ALT
port-object eq 24
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_2
network-object CDX 255.255.255.0
network-object 172.31.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object CDX 255.255.255.0
network-object 172.31.1.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service PACS tcp-udp
description PACS
port-object eq 104
object-group network DM_INLINE_NETWORK_4
network-object 172.30.1.0 255.255.255.224
network-object 192.168.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object 172.30.1.0 255.255.255.224
network-object 192.168.0.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object tcp
access-list outside extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 172.30.1.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.2.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.0.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.3.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.30.2.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.30.0.0 255.255.224.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.1.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.30.4.0 255.255.255.128 host 192.168.12.166
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_3 inactive
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 host 10.1.1.243
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_3 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_6
access-list TGA-Split_splitTunnelAcl standard permit 172.30.1.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.2.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.0.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.3.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.30.2.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.4.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.30.4.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 host 10.1.1.243
access-list outside_cryptomap_1 extended permit ip 172.30.1.0 255.255.255.224 192.168.0.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 172.30.4.0 255.255.255.128 host 192.168.12.166
access-list outside_cryptomap extended permit ip host 172.31.1.112 host A-10.3.3.7
access-list outside_cryptomap extended permit ip 172.30.1.0 255.255.255.224 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip host 172.31.1.12 host A-10.3.3.7
access-list outside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_2 CDX 255.255.255.0 host 172.31.1.12
access-list nonat extended permit ip host 172.31.1.12 CDX 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 100000
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool FPSVPN 172.30.250.1-172.30.250.250 mask 255.255.255.0
ip local pool VPNTEST2 172.31.100.1-172.31.100.12 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 172.31.1.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 4012 172.31.1.12 4012 netmask 255.255.255.255
static (inside,outside) tcp interface 24 172.31.1.10 24 netmask 255.255.255.255
static (inside,outside) tcp interface 5711 192.168.1.200 5711 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 68.115.200.145 1
route inside 10.0.0.0 255.255.255.0 172.30.1.1 1
route inside 172.30.0.0 255.255.255.0 172.30.1.1 1
route inside 172.30.2.0 255.255.255.0 172.30.1.1 1
route inside 172.30.4.0 255.255.255.0 172.30.1.1 1
route inside 172.30.41.0 255.255.255.0 172.30.1.1 1
route inside 172.30.42.0 255.255.255.0 172.30.1.1 1
route inside 172.31.1.0 255.255.255.0 172.30.1.1 1
route inside 192.168.1.0 255.255.255.0 172.30.1.1 1
route inside 192.168.100.0 255.255.255.0 172.30.1.1 1
route inside 0.0.0.0 0.0.0.0 CDX tunneled

Re: ASA 5505 multiple VPNs not working

Jitendriya Athavale — Wed, 04 Aug 2010 18:52:14 GMT

please paste the crypto map config

but i think i know the issue

you probably made different crypto map fo rthe new tunnel and applied it on the interface

so on one interface you can have only 1 crypto map but you can have different entries for that

this gives me a feeling you might have more than 1 crypto map

outside_1_cryptomap

outside_cryptomap_1

outside_3_cryptomap

outside_cryptomap

Re: ASA 5505 multiple VPNs not working

bradkenn75 — Wed, 04 Aug 2010 18:58:26 GMT

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set BasicESP3d esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000

crypto map outside_map 1 set peer BlueRidge

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map 2 set peer 68.115.234.130

crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 3 set peer 68.191.0.66

crypto map outside_map 3 set transform-set ESP-3DES-SHA

crypto map outside_map 3 set security-association lifetime seconds 28800

crypto map outside_map 3 set security-association lifetime kilobytes 4608000

crypto map outside_map 4 set pfs

crypto map outside_map 4 set peer CDX

crypto map outside_map 4 set transform-set BasicESP3d ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 5 match address outside_cryptomap_1

crypto map outside_map 5 set peer BlueRidge

crypto map outside_map 5 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 5

authentication pre-share

encryption aes

hash md5

group 2

lifetime 86400

crypto isakmp policy 6

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

Re: ASA 5505 multiple VPNs not working

manish arora — Wed, 04 Aug 2010 21:51:50 GMT

why i do not see any match statements in crypto map for 1,2,3 & 4 ? did you removed any configuration for one posted below ?

From the posted configuration only tunnel with Blue Ridge should be working given you have mirror ACL to indentify interesting traffic on both sides.

thanks

Manish

Re: ASA 5505 multiple VPNs not working

bradkenn75 — Wed, 04 Aug 2010 22:50:58 GMT

I don't know, it's all jacked up. We are seeing other odd behaviour, like configuration changes disappearing after we save them and go back into what was just configured. After posting this, I found out the air condition went out where the equipment is located, and we are suspecting the equipment overheated, as we are seeing some issues with other equipment as well. We are looking into the coverage on this firewall now, and considering alternative solutions. I'm not very experienced on Cisco yet. Can you give me an example of all we should need to have configured for a single tunnel to work, where multiple tunnels exist to access the same internal LAN(s)?

Thanks!

Re: ASA 5505 multiple VPNs not working

Jitendriya Athavale — Thu, 05 Aug 2010 06:23:44 GMT

what you have is perfectly fine expect one thing which manish mentioned

crypto map outside_map 1 set peer BlueRidge

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 1 set security-association lifetime seconds 28800

crypto map outside_map 1 set security-association lifetime kilobytes 4608000

crypto map outside_map 2 set peer 68.115.234.130

crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 3 set peer 68.191.0.66

crypto map outside_map 3 set transform-set ESP-3DES-SHA

crypto map outside_map 3 set security-association lifetime seconds 28800

crypto map outside_map 3 set security-association lifetime kilobytes 4608000

crypto map outside_map 4 set pfs

crypto map outside_map 4 set peer CDX

crypto map outside_map 4 set transform-set BasicESP3d ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 5 match address outside_cryptomap_1

crypto map outside_map 5 set peer BlueRidge

crypto map outside_map 5 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

the above is wht you have

see this part

crypto map outside_map 5 match address outside_cryptomap_1

crypto map outside_map 5 set peer BlueRidge

you have a match address, which is missing in rest of them. so it will always fall on dynamic crypto map which needs the traffic to be inited from the other end

all you have to do is hunt for those statemenst and put them

match address

this is the format

this access-list will have source from your network and destination as remotes vpn network

Re: ASA 5505 multiple VPNs not working

bradkenn75 — Thu, 05 Aug 2010 12:13:56 GMT

okay, we will try adding those this a.m.; other question though, why were we unable to ping across the VPN's when they were showing as

"up" previously, or we cannot ping to the "Blueridge" even though it appears to be correct, right? Also, do you know where we can run the SN# to see if smartnet is on the box?

THANKS!

Re: ASA 5505 multiple VPNs not working

Jitendriya Athavale — Thu, 05 Aug 2010 12:38:41 GMT

there could be many reason why the tunnel shows up and traffic doesnt pass

we need to check with command "sh crypto ips sa" to confirm that the phase 2 is up

if it shows up in "show cry isa sa" it means only phase 1 is up

Re: ASA 5505 multiple VPNs not working

bradkenn75 — Thu, 05 Aug 2010 15:14:04 GMT

the results for sh cry isa sa = "there are no isakmp sas"

the results for sh crypto ips sa = "There are no ipsec sas"

Added the "crypto map outside_map 3 match address ..." statements for 1, 2, 3, and 4; still have no tunnels coming up. Thanks!

Re: ASA 5505 multiple VPNs not working

Jitendriya Athavale — Thu, 05 Aug 2010 15:41:50 GMT

if you are ok with withclearing all the tunnels

if so the remove the crypto map from interafce

clear cry isa sa

clear cry ips sa

and then apply the crypto map again

Re: ASA 5505 multiple VPNs not working

bradkenn75 — Thu, 05 Aug 2010 16:07:14 GMT

I figured it may help if you have the overview of the config; I went through and changed all the public addresses we use, for confidentiality purposes. Here is the current:

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname **********
domain-name site.local
enable password ********** encrypted
passwd ************ encrypted
names
name 172.30.1.14 BlueRidgeServer description Blue Ridge XRAY
name 162.114.68.115 BlueRidge
name 172.30.1.16 Nuclear_Test description Nuclear_testing
name 200.146.68.115 Public description Public
name 200.144.68.115 Outside
name 187.232.66.83 UNG description UNG
name 151.130.68.115 CardCons. description Cardiology Consultants
name 10.3.3.0 CelligentCDX description Celligent CDX
name 97.98.66.49 CDX description CDX
name 10.3.3.7 A-10.3.3.7 description Celligent
!
interface Vlan1
nameif inside
security-level 100
ip address 172.30.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address Public 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.31.1.10
domain-name fps.local
object-group network DM_INLINE_NETWORK_1
network-object host BlueRidgeServer
**** network-object host 172.31.1.15

object-group service SSH-ALT tcp
description SSH-ALT
port-object eq 24
object-group network FTP_Access
description FTP Access
network-object UNG 255.255.255.248
network-object host CardCons.
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_2
network-object CelligentCDX 255.255.255.0
network-object 172.31.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object CelligentCDX 255.255.255.0
network-object 172.31.1.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service PACS tcp-udp
description PACS
port-object eq 104
access-list outside extended permit icmp any any
access-list outside extended permit tcp any interface outside eq 3389
access-list outside extended permit tcp any interface outside eq 4012
access-list outside extended permit tcp object-group FTP_Access interface outside object-group SSH-ALT
access-list outside extended permit tcp any interface outside eq 5711
access-list outside remark SSH-ALT
access-list outside remark Pharmacy
access-list inside_nat0_outbound extended permit ip 172.30.1.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.2.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.0.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.3.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.30.2.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.30.0.0 255.255.224.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.1.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.30.4.0 255.255.255.128 host 192.168.12.166
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 host 10.1.1.243
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_3
access-list inside_nat0_outbound extended permit ip 172.30.1.0 255.255.255.224 192.168.0.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.1.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.30.1.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.2.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.0.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.3.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.30.2.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.4.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.30.4.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 host 10.1.1.243
access-list outside_3_cryptomap extended permit ip 172.30.4.0 255.255.255.128 host 192.168.12.166
access-list outside_cryptomap extended permit ip host 172.31.1.12 host A-10.3.3.7
access-list outside_cryptomap extended permit ip 172.30.1.0 255.255.255.224 192.168.0.0 255.255.255.0
access-list outside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_2 CelligentCDX 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 172.31.1.0 255.255.255.0 CelligentCDX 255.255.255.0
access-list outside_cryptomap_1 extended permit ip host BlueRidgeServer 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 100000
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool FPSVPN 172.30.250.1-172.30.250.250 mask 255.255.255.0
ip local pool VPNTEST2 172.31.100.1-172.31.100.12 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 172.31.1.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 4012 172.31.1.12 4012 netmask 255.255.255.255
static (inside,outside) tcp interface 24 172.31.1.10 24 netmask 255.255.255.255
static (inside,outside) tcp interface 5711 192.168.1.200 5711 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 68.115.200.145 1
route inside 10.0.0.0 255.255.255.0 172.30.1.1 1
route inside 172.30.0.0 255.255.255.0 172.30.1.1 1
route inside 172.30.2.0 255.255.255.0 172.30.1.1 1
route inside 172.30.4.0 255.255.255.0 172.30.1.1 1
route inside 172.30.41.0 255.255.255.0 172.30.1.1 1
route inside 172.30.42.0 255.255.255.0 172.30.1.1 1
route inside 172.31.1.0 255.255.255.0 172.30.1.1 1
route inside 192.168.1.0 255.255.255.0 172.30.1.1 1
route inside 192.168.100.0 255.255.255.0 172.30.1.1 1
route inside 0.0.0.0 0.0.0.0 CDX tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy

snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set BasicESP3d esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer BlueRidge
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 234.130.68.115
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 110.66.68.191
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address outside_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer CDX
crypto map outside_map 4 set transform-set BasicESP3d ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 6
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.30.0.0 255.255.0.0 inside
telnet timeout 5
ssh 110.64.68.191 255.255.255.224 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 192.5.41.40 source inside
ntp server 172.31.1.10 source inside prefer
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy TGA-Split internal
group-policy TGA-Split attributes
dns-server value ****
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TGA-Split_splitTunnelAcl
group-policy FPSVPN internal
group-policy FPSVPN attributes
dns-server value **********
vpn-tunnel-protocol IPSec
group-policy remotetest internal
group-policy remotetest attributes
dns-server value **********
vpn-tunnel-protocol IPSec
group-policy Physician-Portal internal
group-policy Physician-Portal attributes
vpn-simultaneous-logins 10
vpn-tunnel-protocol svc webvpn
webvpn
url-list value Physician-Portal
customization value Physician-Portal
hidden-shares visible
file-entry enable
file-browsing enable
url-entry enable
group-policy CDX internal
group-policy CDX attributes
vpn-filter none
vpn-tunnel-protocol IPSec

tunnel-group FPSVPN type remote-access
tunnel-group FPSVPN general-attributes
address-pool FPSVPN
default-group-policy FPSVPN
tunnel-group FPSVPN ipsec-attributes
pre-shared-key *
tunnel-group TGA-Split type remote-access
tunnel-group TGA-Split general-attributes
address-pool FPSVPN
default-group-policy TGA-Split
tunnel-group TGA-Split ipsec-attributes
pre-shared-key *
tunnel-group remotetest type remote-access
tunnel-group remotetest general-attributes
address-pool VPNTEST2
default-group-policy remotetest
tunnel-group remotetest ipsec-attributes
pre-shared-key *
tunnel-group 162.114.68.115 type ipsec-l2l
tunnel-group 162.114.68.115 ipsec-attributes
pre-shared-key *
tunnel-group 234.130.68.115 type ipsec-l2l
tunnel-group 234.130.68.115 ipsec-attributes
pre-shared-key *
tunnel-group Physician-Portal type remote-access
tunnel-group Physician-Portal general-attributes
address-pool FPSVPN
default-group-policy Physician-Portal
tunnel-group Physician-Portal webvpn-attributes
customization Physician-Portal
nbns-server 172.31.1.10 timeout 2 retry 2
group-alias Physician-Portal enable
tunnel-group 97.98.66.49 type ipsec-l2l
tunnel-group 97.98.66.49 general-attributes
default-group-policy CDX
tunnel-group 97.98.66.49 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:************
: end

Re: ASA 5505 multiple VPNs not working

bradkenn75 — Thu, 05 Aug 2010 19:19:25 GMT

I ran these, "clear cry isa sa" / "clear cry ips sa" also, and the "crypto map" statements are still in the config. (in "sh run")

Re: ASA 5505 multiple VPNs not working

Nagaraja Thanthry — Fri, 06 Aug 2010 00:19:18 GMT

Hello,

Can you configure "management-access inside" on the firewall and then try to ping the inside interface from a remote location?

Regards,

Re: ASA 5505 multiple VPNs not working

manish arora — Fri, 06 Aug 2010 00:44:56 GMT

Your are also missing the nat exempt statement i believe in your sh run.Also, you have a lot of access lists identifying traffic that should not get NAT.

try

nat (inside) 0 access-list inside_nat0_outside

then try pinging the ip address ( private ) that are associated with it.

Thanks

Manish