ASA 5510 Configuration

Hoang Tran
Level 1

Hi,

I am migrating over from an old PIX to an ASA 5510. After configuring the new device everything else is functional (Internet) but users are unable to pass traffic when connected through the VPN; they are able to authenticate and I see their session connected on the ASDM but no data is passed... Help

Here is the current config.

User is connecting with VPN Client and getting a 192.168.2.101 address from the VPN pool....

ASA Version 7.0(8)
!
hostname ASA5510
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 36.96.148.84 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.1.1.172 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_nat0_outbound extended permit ip 192.1.1.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 192.1.2.0 255.255.255.0
access-list xxxx_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool clientvpnpool 192.1.2.100-192.1.2.254 mask 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 36.96.148.81 1
route inside 10.1.0.0 255.255.0.0 192.1.1.231 1
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpn protocol radius
aaa-server vpn (inside) host 192.1.1.183
 timeout 5
 key texas
group-policy xxxx internal
group-policy xxxx attributes
 dns-server value 192.1.1.183 192.1.1.254
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value xxxx_splitTunnelAcl
 default-domain value xxxxx.com
 webvpn
username xxxx password xxxxxxxxx encrypted
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group xxxx type ipsec-ra
tunnel-group xxxx general-attributes
 address-pool clientvpnpool
 authentication-server-group vpn
 default-group-policy xxx
tunnel-group xxx ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:1227f35137a7b619ef16e7140f0fbf36
: end

4 Replies

Jennifer Halim
Cisco Employee

Split tunnel is configured to allow access to 10.1.0.0/16 network only. What network are you trying to reach after the VPN is connected?

You might also want to enable NAT-T:

isakmp nat-traversal 30

This will ensure that ESP gets encapsulated to UDP/4500 so it works if they are behind a PAT device.

Hope this helps.

I need to reach the 192.1.1.0 network.

In that case, your split tunnel access-list also needs to include that subnet:

access-list xxxx_splitTunnelAcl standard permit 192.1.1.0 255.255.255.0

Thanks, can I just add that additional access list and keep the other one also or do I just need to incorporate both subnets into one? The 10.1.0.0 subnet is another office connected via P2P.

access-list xxxx_splitTunnelAcl standard permit 192.1.1.0 255.255.255.0

access-list xxxx_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
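An added audit script, not from the thread or from Cisco, that shows why both split-tunnel lines are needed: it parses the posted nat0, split-tunnel and pool lines (excerpt constructed from the config above) and cross-checks that every network the client routes into the tunnel is NAT-exempted for the pool, and that every NAT-exempted network is actually in the split-tunnel list. The ACL and pool names are the ones from the posted config.

```python
import ipaddress
import re

# Constructed excerpt of the thread's ASA 7.0(8) config: NAT exemption,
# the original one-line split-tunnel ACL and the VPN client pool.
ORIGINAL_CONFIG = """
access-list inside_nat0_outbound extended permit ip 192.1.1.0 255.255.255.0 192.1.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 192.1.2.0 255.255.255.0
access-list xxxx_splitTunnelAcl standard permit 10.1.0.0 255.255.0.0
ip local pool clientvpnpool 192.1.2.100-192.1.2.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
# Same config with the second split-tunnel line from the last post added.
FIXED_CONFIG = ORIGINAL_CONFIG + "access-list xxxx_splitTunnelAcl standard permit 192.1.1.0 255.255.255.0\n"

STD_RE = re.compile(r"access-list (\S+) standard permit (\S+) (\S+)$")
EXT_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"ip local pool \S+ (\S+)-\S+ mask (\S+)$")
NAT0_RE = re.compile(r"nat \(\S+\) 0 access-list (\S+)$")

def net(addr, mask):
    """Build a network object from ASA's 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    split, ext, nat0_name, pool = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := STD_RE.match(line):
            split.setdefault(m[1], []).append(net(m[2], m[3]))
        elif m := EXT_RE.match(line):
            ext.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := POOL_RE.match(line):
            pool = net(m[1], m[2])  # the subnet the pool addresses live in
        elif m := NAT0_RE.match(line):
            nat0_name = m[1]
    if pool is None:
        raise ValueError("no ip local pool found")
    return split, ext.get(nat0_name, []), pool

def audit(config, split_acl):
    """Cross-check split-tunnel networks against NAT exemption for the pool."""
    split, nat0, pool = parse(config)
    tunneled = split.get(split_acl, [])
    exempt = [src for src, dst in nat0 if pool.subnet_of(dst)]
    return {
        "tunneled": [str(n) for n in tunneled],
        # routed into the tunnel by the client but still PATed by the ASA
        "no_nat_exemption": [str(n) for n in tunneled
                             if not any(n.subnet_of(s) for s in exempt)],
        # exempt on the ASA but never sent into the tunnel by the client
        "exempt_but_not_tunneled": [str(s) for s in exempt
                                    if not any(s.subnet_of(n) for n in tunneled)],
    }
```

With the original config the report flags 192.1.1.0/24 as exempted but not tunneled, which matches the symptom in the thread; with both standard ACL lines present the report is clean.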
