
ASA remote access problems

jason.hsu
Level 1

Desperately need ASA assistance. VPN connects and can pass some traffic, i.e. server shares/RDP. Unable to ping any remote LAN address; seeing in the log that return traffic to the VPN subnet is denied, the question is why or what is denying it. Every interface has any/any allowed; it makes no sense why the traffic would be denied. Also, having issues with a VOIP app/softphone; I suspect it is the same deny problem affecting ping that is causing the VOIP issue. Unfortunately the trace output and deny log entries provide absolutely no clue as to what the issue is. I've gone through multiple threads with the same behavior with no positive results from the suggestions noted.

-----------------
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop


Seen on return UDP traffic from voice server to VPN client IP

-------------

%PIX|ASA-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.

This is a connection-related message. This message is displayed if an inbound UDP packet is denied by your security policy.


current config

--------------

: Saved
: Written by enable_15 at 11:00:10.220 EDT Thu Jun 4 2015
!
ASA Version 8.0(3)
!
hostname XXXXXXX
enable password h.w7Ecuzl/on2k1F encrypted
names
name 192.168.1.76 ipphone description ipphone
name 192.168.3.0 Montgomery
name 10.10.2.0 LFS-EDC
name 10.1.2.0 LFS-NOC
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.110.101.2 255.255.255.0
!
interface Vlan82
 nameif inside1
 security-level 0
 no ip address
!
interface Vlan99
 nameif outside
 security-level 100
 ip address 96.91.146.138 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 99
!
interface Ethernet0/1
 switchport access vlan 99
!
interface Ethernet0/2
 switchport access vlan 82
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd h.w7Ecuzl/on2k1F encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
 network-object LFS-NOC 255.255.255.0
 network-object LFS-EDC 255.255.255.0
 network-object 10.110.101.0 255.255.255.0
 network-object 10.101.101.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
 network-object LFS-NOC 255.255.255.0
 network-object LFS-EDC 255.255.255.0
object-group network DM_INLINE_NETWORK_3
 network-object 10.101.101.0 255.255.255.0
 network-object 10.110.101.0 255.255.255.0
access-list 101 extended permit tcp any host 72.243.2.228 eq smtp
access-list 101 extended permit tcp any host 72.243.2.228 eq www
access-list 101 extended permit tcp any host 72.243.2.228 eq https
access-list 101 extended permit tcp any host 72.243.2.228 eq 3389
access-list 101 extended permit tcp any host 72.243.2.228 eq 3388
access-list 101 extended permit tcp any host 72.243.2.228 eq 4125
access-list 101 extended permit icmp any any
access-list l2tp-vpn-group_splitTunnelAcl standard permit 10.110.101.0 255.255.255.0
access-list l2tp-vpn-group_splitTunnelAcl remark Phone Network
access-list l2tp-vpn-group_splitTunnelAcl standard permit 10.101.101.0 255.255.255.0
access-list 102 extended permit ip host 192.168.1.198 216.52.198.0 255.255.255.0
access-list 102 extended permit ip host 192.168.1.198 216.52.199.0 255.255.255.0
access-list 102 extended permit ip host 192.168.1.198 66.187.177.128 255.255.255.192
access-list 102 extended permit ip host 192.168.1.199 216.52.198.0 255.255.255.0
access-list 102 extended permit ip host 192.168.1.199 216.52.199.0 255.255.255.0
access-list 102 extended permit ip host 192.168.1.199 66.187.177.128 255.255.255.192
access-list 102 extended deny ip host 192.168.1.198 any
access-list 102 extended deny ip host 192.168.1.199 any
access-list 102 extended permit ip any any
access-list inside_nat0_outbound extended permit ip 10.101.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.110.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.110.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip LFS-EDC 255.255.255.0 10.110.101.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.110.101.0 255.255.255.0 LFS-EDC 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 10.101.101.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip any Montgomery 255.255.255.0
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any
access-list outside_access_in extended permit ip object-group DM_INLINE_NETWORK_2 any
access-list inside_access_in_1 extended permit ip 10.101.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_access_in_1 extended permit ip 10.110.101.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list inside_access_in_1 extended permit ip 192.168.100.0 255.255.255.0 object-group DM_INLINE_NETWORK_3
access-list inside_access_in_1 extended permit ip any any
access-list outside_access_in_1 extended permit ip 192.168.100.0 255.255.255.0 any
access-list outside_access_in_1 extended permit ip any any
access-list inside_nonat_toVPN extended permit ip any 192.168.100.0 255.255.255.0
access-list inside_nonat_toVPN extended permit ip 192.168.100.0 255.255.255.0 10.110.101.0 255.255.255.0
access-list inside_nonat_toVPN extended permit ip 192.168.100.0 255.255.255.0 10.101.101.0 255.255.255.0
access-list capture extended permit ip 192.168.100.0 255.255.255.0 host 10.101.101.100
access-list capture extended permit ip host 10.101.101.100 192.168.100.0 255.255.255.0
access-list inside_cryptomap_65535.65535 extended deny ip any any
pager lines 24
logging enable
logging list ipphone level informational
logging console notifications
logging asdm informational
mtu inside 1500
mtu inside1 1500
mtu outside 1500
ip local pool VPN 192.168.100.2-192.168.100.26 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
asdm location LFS-NOC 255.255.255.0 inside
asdm location LFS-EDC 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nonat_toVPN
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list inside_nat0_outbound
access-group inside_access_in_1 in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 96.91.146.142 1
route inside LFS-NOC 255.255.255.0 10.110.101.1 1
route inside LFS-EDC 255.255.255.0 10.110.101.1 1
route inside 10.101.101.0 255.255.255.0 10.110.101.1 1
timeout xlate 3:00:00
timeout conn 0:09:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server 4tsi protocol radius
aaa-server 4tsi host 10.110.101.100
 timeout 5
 key we1c0me!
 radius-common-pw we1c0me!
aaa authentication ssh console LOCAL
http server enable
http LFS-EDC 255.255.255.0 inside
http LFS-EDC 255.255.255.0 outside
http LFS-NOC 255.255.255.0 inside
http 10.110.101.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
snmp-server host inside 10.10.2.83 community @dm1n2
snmp-server host inside 10.10.2.84 community @dm1n2
snmp-server host inside 10.10.2.87 community @dm1n2
snmp-server location TSI
no snmp-server contact
snmp-server community @dm1n2
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp inside1
sla monitor 100
 type echo protocol ipIcmpEcho 4.2.2.2 interface outside
 timeout 1000
 frequency 30
sla monitor schedule 100 start-time now recurring
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map tsidynmap 20 set pfs
crypto dynamic-map tsidynmap 20 set transform-set myset
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address inside_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map mymap 1 match address outside_1_cryptomap
crypto map mymap 1 set pfs
crypto map mymap 1 set peer 96.37.134.34
crypto map mymap 1 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic tsidynmap
crypto map mymap interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
telnet 192.168.1.0 255.255.255.0 inside
telnet 10.110.101.0 255.255.255.0 inside
telnet LFS-NOC 255.255.255.0 inside
telnet LFS-EDC 255.255.255.0 inside
telnet 192.168.100.0 255.255.255.0 inside
telnet 73.46.235.173 255.255.255.255 outside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh LFS-EDC 255.255.255.0 inside
ssh 10.110.101.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh LFS-EDC 255.255.255.0 outside
ssh 73.43.235.173 255.255.255.255 outside
ssh timeout 5
console timeout 0
management-access inside
dhcpd domain 4tsi.com
dhcpd auto_config inside
!

no threat-detection basic-threat
threat-detection statistics
ntp server 198.55.111.50 source outside
webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.4.0202-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 dns-server value 10.110.101.100
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-network-list value l2tp-vpn-group_splitTunnelAcl
 default-domain value tsi.titan.1sourcing.net
group-policy ip-phone internal
group-policy ip-phone attributes
 ip-phone-bypass disable
group-policy l2tp-vpn-group internal
group-policy l2tp-vpn-group attributes
 dns-server value 10.110.101.100 10.110.101.110
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value l2tp-vpn-group_splitTunnelAcl
 default-domain value tsi.titan.1sourcing.net
username sage password Z/yRgS3V.G4ycvnr encrypted privilege 15
username admin password UUZKOjMmBCJSrytq encrypted privilege 15
username neisner password S.CfXux1ZqFp9djK encrypted privilege 0
username neisner attributes
 vpn-group-policy l2tp-vpn-group
username dynasis password bvSw9ZCSNW3dfYVh encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (inside) LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN
 authentication-server-group 4tsi
 default-group-policy l2tp-vpn-group
tunnel-group l2tp-vpn-group type remote-access
tunnel-group l2tp-vpn-group general-attributes
 address-pool VPN
 authentication-server-group 4tsi
 default-group-policy l2tp-vpn-group
tunnel-group l2tp-vpn-group ipsec-attributes
 pre-shared-key 4tsi
tunnel-group 96.37.134.34 type ipsec-l2l
tunnel-group 96.37.134.34 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map ip-phone
policy-map global_policy
 class inspection_default
  inspect netbios
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ece6d7373f0a3235b5dd0909f82e8ae1
: end
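As an added check (not part of the original post), the following Python audit runs over a constructed excerpt modelled on the posted running-config, with placeholder addresses; it flags two interfaces sharing the same security level while `same-security-traffic permit inter-interface` is absent, a condition the ASA enforces with an implicit rule rather than a named access-list, alongside cleartext telnet, any-source ssh and DES/MD5 crypto. The excerpt and the finding strings are assumptions of this example, not output of the ASA.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the posted config (placeholder addresses).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan99
 nameif outside
 security-level 100
same-security-traffic permit intra-interface
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto isakmp policy 10
 hash md5
telnet 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
"""


def audit_asa_config(cfg):
    """Return reviewer findings for an ASA running-config given as text."""
    findings = []
    levels = defaultdict(list)  # security-level -> [nameif, ...]
    nameif = None
    for line in cfg.splitlines():
        if m := re.match(r"\s+nameif (\S+)", line):
            nameif = m.group(1)  # remember the name until its level appears
        elif (m := re.match(r"\s+security-level (\d+)", line)) and nameif:
            levels[int(m.group(1))].append(nameif)
            nameif = None
        elif re.match(r"telnet \S+ \S+ \S+", line):
            findings.append("telnet: cleartext management access enabled")
        elif re.match(r"ssh 0\.0\.0\.0 0\.0\.0\.0 ", line):
            findings.append("ssh: management access from any source")
        elif re.search(r"\besp-des\b|\besp-md5-hmac\b|^ hash md5$", line):
            findings.append(f"weak crypto: {line.strip()}")
    # Interfaces at an identical level only pass traffic to each other
    # when inter-interface same-security traffic is explicitly permitted.
    inter = "same-security-traffic permit inter-interface" in cfg
    for lvl, names in sorted(levels.items()):
        if len(names) > 1 and not inter:
            findings.append(f"security-level {lvl} shared by {names} without "
                            "'same-security-traffic permit inter-interface'")
    return findings
```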
