03-15-2014 09:15 PM - edited 03-11-2019 08:56 PM
Hello all,
I have several ASA 5505's that connect to one 5510 at our corporate headquarters. I just added a new location and for some reason I cannot access resources on the 192.168.1.0 subnet which is at the remote site. The VPN works fine and traffic to 192.168.5.0 resources work fine. I also have internet access. Here is my configuration:
ASA Version 9.0(1)
!
hostname asa-fw
enable password k4HlcGX2lC1ypFOm encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
shutdown
!
interface Vlan1
description Private-Interface
nameif inside
security-level 100
ip address 172.16.40.254 255.255.0.0
!
interface Vlan2
description Public-Interface
nameif outside
security-level 0
pppoe client vpdn group xxxxxxxxxxxxxxxxxx
ip address pppoe setroute
!
ftp mode passive
object network inside-network
subnet 172.16.40.0 255.255.255.0
object network NETWORK_OBJ_172.16.40.0_24
subnet 172.16.40.0 255.255.255.0
object network NETWORK_OBJ_192.168.5.0_24
subnet 192.168.5.0 255.255.255.0
object network NETWORK_OBJ_172.16.25.0_24
subnet 172.16.25.0 255.255.255.0
object network OBJ_192.168.1.0
subnet 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.40.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.40.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 172.16.40.0 255.255.255.0 172.16.25.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 30000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24
proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24
nat (inside,outside) source static NETWORK_OBJ_172.16.40.0_24
proxy-arp route-lookup
!
object network inside-network
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 172.16.40.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-
3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 172.16.40.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
vpdn group xxxxxxxxxxxxxxxxxxxxxxxxxx
vpdn group xxxxxxxxxxxxxxxxxxxxxxxxxx
vpdn group xxxxxxxxxxxxxxxxxxxxxxxxxx
vpdn username xxxxxxxxxxxxxxxxxxxxxxx password *****
dhcpd dns 192.168.5.9 192.168.5.10
!
dhcpd address 172.16.40.5-172.16.40.15 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_xxx.xxx.xxx.xx
group-policy GroupPolicy_xxx.xxx.xxx.xx
vpn-tunnel-protocol ikev1 ikev2
username xxxxxxxxxxx password 21dkb29Q2GbIGmA9 encrypted privilege 15
username xxxxxxxxxxx password 1NHJ1uyMBfQkbbS9 encrypted privilege 15
username xxxxxxxxxxx password NL1c1I7HLpyQAiL3 encrypted privilege 15
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
default-group-policy GroupPolicy_xxx.xxx.xxx.xx
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/it
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:bfa3f7b53a5
: end
no asdm history enable
Access lists on the 5510 at the corporate headquarters (remote site) are these:
access-list INSIDE_NONAT extended permit ip 192.168.5.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list INSIDE_NONAT extended permit ip 192.168.1.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list INSIDE_NONAT extended permit ip 172.16.25.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.5.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 172.16.25.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.40.0 255.255.255.0
I am at wits end on this because I just dont see where I went wrong :( Any help or insight that anyone can provide would be great.
Thanks
03-15-2014 11:14 PM
Does 'sh crypto ipsec sa' show that the SAs are being created on both sides for the 192.168.1.0 ID?
03-16-2014 01:33 PM
Thanks for the reply. I cannot check that until Monday when I am at work. How does the NAT statements and ACL's look, are they correct?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: