10-23-2012 08:01 AM
Hi,
I have been working on figuring out a VPN problem on my company's ASA5510. I was accessing the device via ASDM, SSH using PuTTY, and even initially with a console cable (also using PuTTY) from a computer in the networking closet. All 3 of these access methods worked properly for me.
I believe I may have inadvertently changed something as of Friday using ASDM. I am mostly assuming this because, as of yesterday, I can no longer connect to the device. I actually cannot even communicate with it (ping the interface I normally use to manage, which I could previously ping). No computer on the same subnet as me is able to ping the interface.
The device is still accepting VPN connections, dishing out DHCP addresses and everything else it normally does, but I really need to be able to gain access to it again. Any suggestions as to where to start? I am thinking to reboot the device when there is some downtime, in the hopes that ASDM doesn't save to startup-config and only to running-config.
Thanks for your time,
Ramai
10-23-2012 01:13 PM
Please share your current running config so we can check if there are any missing lines.
Console should work, as there is no networking or configuration that can prevent the console connection.
11-08-2012 11:10 AM
I apologize for the very late reply.
Console did work, I must have missed something very obvious last time I tried it.
Here is the running-config:
ciscoasa# sh ru
: Saved
:
ASA Version 8.2(5)
!
hostname *********
enable password 8R*********24 encrypted
passwd c/*********Mi encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 98.***.***.57 255.255.255.192
!
interface Ethernet0/1
nameif inside1
security-level 100
ip address 192.168.1.1 255.255.254.0
!
interface Ethernet0/2
nameif inside2
security-level 99
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
nameif inside3
security-level 98
ip address 192.168.3.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit tcp any host 98.***.***.57 eq ftp
access-list cap extended permit ip host 192.168.3.2 host 192.168.1.50
access-list cap extended permit ip host 192.168.3.2 host 192.168.1.75
access-list test extended permit ip host 192.168.2.27 host 192.168.1.20
access-list test extended permit ip host 192.168.1.20 host 192.168.2.27
access-list test extended permit ip any host 192.168.1.20
access-list test extended permit ip host 192.168.1.20 any
access-list split standard permit 192.168.0.0 255.255.254.0
access-list split standard permit 192.168.2.0 255.255.255.0
access-list split standard permit 192.168.3.0 255.255.255.0
access-list split standard permit 192.168.4.0 255.255.255.0
access-list nonat extended permit ip 192.168.0.0 255.255.254.0 192.168.5.0 255.255.255.0
access-list nonat extended permit ip any 192.168.5.0 255.255.255.0
access-list nonat1 extended permit ip 192.168.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list nonat2 extended permit ip 192.168.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list new extended permit ip host 192.168.1.50 host 192.168.2.131
access-list new extended permit ip host 192.168.2.131 host 192.168.1.50
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit tcp any any eq ftp
access-list capin extended permit tcp host 192.168.2.131 host 192.168.2.1
access-list capin extended permit tcp host 192.168.2.1 host 192.168.2.131
access-list capin extended permit tcp host 192.168.1.1 host 192.168.1.50
access-list capin extended permit tcp host 192.168.1.50 host 192.168.1.1
access-list capin extended permit tcp any host 98.***.***.57
access-list capin extended permit tcp host 98.***.***.57 any
access-list capin extended permit tcp host 192.168.1.50 host 192.168.2.131
access-list capin extended permit tcp host 192.168.3.2 host 192.168.3.1
access-list capin extended permit tcp host 192.168.3.1 host 192.168.3.2
access-list tcpstatebypass extended permit tcp host 192.168.2.131 host 192.168.1.50
access-list inside1 extended permit ip any any
access-list inside2 extended permit ip any any
pager lines 15
logging enable
logging buffered debugging
logging asdm informational
logging from-address *********@*********.com
logging recipient-address *********@*********.com level critical
mtu outside 1500
mtu inside1 1500
mtu inside2 1500
mtu inside3 1500
mtu management 1500
ip local pool VPNPOOL 192.168.5.1-192.168.5.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside1) 1 interface
global (inside2) 1 interface
nat (inside1) 0 access-list nonat
nat (inside1) 1 0.0.0.0 0.0.0.0
nat (inside2) 0 access-list nonat1
nat (inside2) 1 0.0.0.0 0.0.0.0
nat (inside3) 0 access-list nonat2
nat (inside3) 1 0.0.0.0 0.0.0.0
static (inside1,outside) tcp interface ftp 192.168.1.50 ftp netmask 255.255.255.255 dns
static (inside1,inside2) tcp 98.***.***.57 ftp 192.168.1.50 ftp netmask 255.255.255.255
static (inside1,inside3) tcp 98.***.***.57 ftp 192.168.1.50 ftp netmask 255.255.255.255
static (inside1,inside1) tcp 98.***.***.57 ftp 192.168.1.50 ftp netmask 255.255.255.255
static (inside2,inside3) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside3,inside1) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside3,inside2) 192.168.3.0 192.168.3.0 netmask 255.255.255.0
static (inside3,inside1) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside3,inside2) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (inside1,inside3) 192.168.0.0 192.168.0.0 netmask 255.255.254.0
static (inside1,inside2) 192.168.0.0 192.168.0.0 netmask 255.255.254.0
static (inside1,inside1) interface 192.168.5.35 netmask 255.255.255.255
access-group 101 in interface outside
access-group inside1 in interface inside2
access-group inside2 in interface inside3
route outside 0.0.0.0 0.0.0.0 98.***.***.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection timewait
sysopt connection tcpmss 0
sysopt noproxyarp inside1
crypto ipsec transform-set ESP-3DES esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 1 set pfs group1
crypto dynamic-map dynmap 1 set transform-set ESP-3DES
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside-map 65535 ipsec-isakmp dynamic dynmap
crypto map outside-map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside1
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside1
ssh timeout 20
console timeout 0
management-access inside2
dhcpd dns 208.***.***.222 208.***.***.220
!
dhcpd address 192.168.0.1-192.168.0.254 inside1
dhcpd enable inside1
!
dhcpd address 192.168.2.11-192.168.2.254 inside2
dhcpd enable inside2
!
dhcpd address 192.168.3.2-192.168.3.254 inside3
dhcpd enable inside3
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
enable inside1
enable inside2
enable inside3
group-policy VPNPOOL internal
group-policy VPNPOOL attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
username R*********n password K2*********E0 encrypted
username c*********r password wZ*********an encrypted
username s*********w password 91*********/3 encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPOOL
default-group-policy VPNPOOL
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group VPNPOOL type remote-access
tunnel-group VPNPOOL general-attributes
address-pool VPNPOOL
default-group-policy VPNPOOL
tunnel-group VPNPOOL ipsec-attributes
pre-shared-key *****
!
class-map tcpstatebypass
match access-list tcpstatebypass
class-map inspection_default
match default-inspection-traffic
class-map new
match access-list new
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class new
set connection random-sequence-number disable
set connection advanced-options tcp-state-bypass
policy-map tcpstatebypass
class tcpstatebypass
set connection advanced-options tcp-state-bypass
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ac8cca6aeb421d84c69f7cb2a19758b3
: end
Thank you for your time, Jennifer.
-Ramai
11-08-2012 07:21 PM
Looks like this particular static NAT statement caused the issue:
static (inside1,inside1) interface 192.168.5.35 netmask 255.255.255.255
You can't configure static NAT to the interface, because that will stop all the access to the ASA as you have experienced.
If you want to configure static NAT to the interface, you would need to configure static PAT instead, i.e., specifying the port.
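As an added example (not part of the original thread, and not Cisco's code): a small Python checker that scans the `static` lines of an ASA 8.2-style running-config for the pattern that caused this outage, a static NAT whose mapped address is the `interface` keyword with no protocol/port, and leaves the static PAT form (`tcp|udp interface <port> ...`, like the FTP entry in the posted config) alone. The sample config is constructed from the thread's own `static` lines; the 98.x outside address is masked on the page, so that line is omitted here. The `suggest_static_pat` rewrite takes a port you choose; 8080 in the usage is a hypothetical value, not something the thread specifies.

```python
"""Flag ASA 8.2 'static' statements that NAT an interface's own address.

Added example, not from the original thread. In 8.2 syntax a static line reads
  static (real_ifc,mapped_ifc) mapped_addr real_addr netmask mask
and a static PAT line reads
  static (real_ifc,mapped_ifc) {tcp|udp} mapped_addr mapped_port real_addr real_port netmask mask
When mapped_addr is the literal word 'interface' and no port is given, every
packet to the interface IP is translated to real_addr, including SSH/ASDM/ping
destined for the ASA itself.
"""
import re

# Static PAT: protocol and ports present; this form is acceptable per the thread.
STATIC_PAT_RE = re.compile(
    r"^\s*static\s+\((?P<real>[\w/.-]+),(?P<mapped>[\w/.-]+)\)\s+"
    r"(?P<proto>tcp|udp)\s+(?P<mapped_addr>\S+)\s+(?P<mport>\S+)\s+"
    r"(?P<real_addr>\S+)\s+(?P<rport>\S+)\s+netmask\s+(?P<mask>\S+)"
)
# Full static NAT: no protocol/port, whole address translated.
STATIC_NAT_RE = re.compile(
    r"^\s*static\s+\((?P<real>[\w/.-]+),(?P<mapped>[\w/.-]+)\)\s+"
    r"(?P<mapped_addr>\S+)\s+(?P<real_addr>\S+)\s+netmask\s+(?P<mask>\S+)"
)


def parse_static(line):
    """Return a dict describing a static line ('kind' is 'pat' or 'nat'), or None."""
    m = STATIC_PAT_RE.match(line)
    if m:
        entry = m.groupdict()
        entry["kind"] = "pat"
        return entry
    m = STATIC_NAT_RE.match(line)
    if m:
        entry = m.groupdict()
        entry["kind"] = "nat"
        return entry
    return None


def find_interface_statics(config_text):
    """Return (line_number, line, parsed) for static NATs whose mapped address is 'interface'.

    Only the port-less form is reported; static PAT to 'interface' is not flagged.
    """
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        entry = parse_static(line)
        if entry and entry["kind"] == "nat" and entry["mapped_addr"].lower() == "interface":
            findings.append((lineno, line.strip(), entry))
    return findings


def suggest_static_pat(entry, proto, port):
    """Rewrite a flagged static NAT as a single-port static PAT (port chosen by caller)."""
    return (f"static ({entry['real']},{entry['mapped']}) {proto} interface {port} "
            f"{entry['real_addr']} {port} netmask 255.255.255.255")


# Constructed sample: static lines taken from the thread's running-config,
# minus the entries whose outside IP is masked on the page.
SAMPLE_CONFIG = """\
static (inside1,outside) tcp interface ftp 192.168.1.50 ftp netmask 255.255.255.255 dns
static (inside2,inside3) 192.168.2.0 192.168.2.0 netmask 255.255.255.0
static (inside1,inside3) 192.168.0.0 192.168.0.0 netmask 255.255.254.0
static (inside1,inside1) interface 192.168.5.35 netmask 255.255.255.255
"""

if __name__ == "__main__":
    for lineno, line, entry in find_interface_statics(SAMPLE_CONFIG):
        print(f"line {lineno}: {line}")
        print("  this captures all traffic to the interface IP; if you need it, use PAT:")
        print("  " + suggest_static_pat(entry, "tcp", 8080))  # 8080 is a hypothetical port
```

Run it against `show running-config static` output; the one hit it reports on the sample is the `(inside1,inside1) interface 192.168.5.35` line from the thread. On 8.2 the entries the checker passes are the identity statics between inside interfaces and the FTP static PAT, which only claim one port on the interface address rather than the whole address.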
11-09-2012 06:58 AM
I removed the static route and am able to access it again. Thank you once again, Jennifer, I really appreciate it.
-Ramai
11-09-2012 04:09 PM
Excellent, thanks for your update and rating.