mohant3ch
Beginner

Cisco ASA 5520 VPN Issue

Hi there/Greetings,

I have a Cisco ASA model 5520 set up in the office environment. The ASA's running version is ASA Version 8.2(5)33. I have been encountering a weird issue lately. Previously, users could Remote Desktop/SSH/etc. to the internal network via IPSec VPN, but just recently, a couple of weeks back, all of a sudden they can't do that anymore. I have been trying to diagnose and sort out the issue, but it came to a dead end. Well, this is what my office setup environment looks like, as below;

Internal Network ---------- Core Switch ---------- (Interface 0/3) Cisco ASA 5520 (Interface 0/0) ---------- Internet

172.16.0.0/22              172.16.0.254/22      172.16.0.252/22                      x.x.x.x

Config as below;

: Saved
: Written by admin at 17:09:45.651 MYT Mon Dec 24 2012
!
ASA Version 8.2(5)33
!
hostname CISCO-ASA-5520
domain-name FQDN-DOMAIN.DOMAIN.com
enable password ############## level 5 encrypted
enable password ############## encrypted
passwd ############## encrypted
names
name xxx.xxx.xxx.xxx INFRA_Spamfilter-1
name xxx.xxx.xxx.xxx INFRA_Spamfilter-2
name xxx.xxx.xxx.xxx SVR_Asterisk-1
name xxx.xxx.xxx.xxx SVR_Asterisk-2
name xxx.xxx.xxx.xxx SVR_Asterisk-3
name xxx.xxx.xxx.xxx SVR_Backup-1
name xxx.xxx.xxx.xxx SVR_Backup-2
name xxx.xxx.xxx.xxx SVR_ClientAccess
name xxx.xxx.xxx.xxx SVR_Conferencing
name xxx.xxx.xxx.xxx SVR_Contracts
name xxx.xxx.xxx.xxx SVR_DC-1
name xxx.xxx.xxx.xxx SVR_DC-2
name xxx.xxx.xxx.xxx SVR_GoogleSync-1
name xxx.xxx.xxx.xxx SVR_GoogleSync-2
name xxx.xxx.xxx.xxx SVR_HRMS
name xxx.xxx.xxx.xxx SVR_Helpdesk
name xxx.xxx.xxx.xxx SVR_KPI-QAAS
name xxx.xxx.xxx.xxx SVR_Lotus-Sametime
name xxx.xxx.xxx.xxx SVR_Redmine
name xxx.xxx.xxx.xxx SVR_Requisitions
name xxx.xxx.xxx.xxx SVR_SPEC-1
name xxx.xxx.xxx.xxx SVR_SPEC-2
name xxx.xxx.xxx.xxx SVR_SalesInquiry
name xxx.xxx.xxx.xxx SVR_Vault
name xxx.xxx.xxx.xxx SITE2SITE_CNDOMAIN
name xxx.xxx.xxx.xxx SITE2SITE_UKDOMAIN
name xxx.xxx.xxx.xxx INSIDE_VLAN103
name 172.16.0.252 INSIDE
name xxx.xxx.xxx.xxx OUTSIDE
name xxx.xxx.xxx.xxx MANAGEMENT
name 192.168.10.0 VPN_MYDOMAIN
dns-guard
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group SERVICEPROVIDER
 ip address OUTSIDE 255.255.255.255 pppoe
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 nameif inside
 security-level 100
 ip address 172.16.0.252 255.255.252.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 management-only
!
boot system disk0:/asa825-33-k8.bin
ftp mode passive
clock timezone MYT 8
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
 retries 3
 timeout 5
 name-server SVR_DC-1
 name-server SVR_DC-2
 name-server 8.8.8.8
 name-server 8.8.4.4
 name-server xxx.xxx.xxx.xxx
 name-server xxx.xxx.xxx.xxx
 domain-name FQDN-DOMAIN.DOMAIN.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service PostgresSQL tcp-udp
 port-object eq 5432
 port-object eq 5433
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group icmp-type ICMP
 icmp-object alternate-address
 icmp-object conversion-error
 icmp-object echo
 icmp-object echo-reply
 icmp-object information-reply
 icmp-object information-request
 icmp-object mask-reply
 icmp-object mask-request
 icmp-object mobile-redirect
 icmp-object parameter-problem
 icmp-object redirect
 icmp-object router-advertisement
 icmp-object router-solicitation
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object timestamp-reply
 icmp-object timestamp-request
 icmp-object traceroute
 icmp-object unreachable
object-group service SPEC tcp-udp
 port-object eq 82
object-group service Helpdesk tcp-udp
 port-object eq 81
object-group service SMTP2 tcp
 port-object eq 587
object-group service DM_INLINE_TCP_2 tcp
 port-object eq smtp
 group-object SMTP2
object-group service RequestTracker tcp-udp
 port-object eq 1443
object-group service Asterisk tcp-udp
 port-object eq 4569
object-group service DBSubsidiaries tcp-udp
 port-object eq 85
object-group service Redmine tcp-udp
 port-object eq 89
object-group service GoogleSync tcp-udp
 port-object range 10006 10007
 port-object range 8008 8009
object-group service Vault tcp-udp
 port-object eq 1444
 port-object eq 84
object-group service SelfupdatePassword tcp-udp
 port-object range 8011 8012
object-group service Requisitions tcp-udp
 port-object eq 83
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq www
 service-object udp eq www
object-group service SalesInquiry tcp
 port-object eq 88
object-group service HRMS_e-Leave tcp-udp
 port-object eq 8080
object-group service Asterisk_Remote_Support tcp-udp
 port-object range 10001 10002
 port-object range 8081 8082
object-group service SPEC_Remote_Support tcp-udp
 port-object range 10003 10004
object-group service Vault_Remote_Support tcp-udp
 port-object eq 10005
object-group service RA_Teamviewer tcp-udp
 port-object eq 5938
object-group service RA_VNC tcp-udp
 port-object eq 5800
 port-object eq 5801
 port-object eq 5802
 port-object eq 5803
 port-object eq 5900
 port-object eq 5901
 port-object eq 5902
 port-object eq 5903
object-group service RA_RemoteDesktop tcp
 port-object eq 3389
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host OUTSIDE
access-list outside_access_in extended permit tcp any host OUTSIDE eq https
access-list outside_access_in extended permit tcp any host OUTSIDE object-group DM_INLINE_TCP_2 inactive
access-list outside_access_in extended permit tcp any host OUTSIDE eq ssh inactive
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group PostgresSQL
access-list outside_access_in extended permit icmp any host OUTSIDE object-group ICMP
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group Vault
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group Vault_Remote_Support inactive
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group SPEC
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group SPEC_Remote_Support inactive
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group Helpdesk
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group RequestTracker
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group Asterisk
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group Asterisk_Remote_Support inactive
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group DBSubsidiaries inactive
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group RA_Teamviewer inactive
access-list outside_access_in extended permit tcp any host OUTSIDE object-group RA_RemoteDesktop
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group RA_VNC inactive
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group Redmine
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group SelfupdatePassword
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group Requisitions
access-list outside_access_in extended permit tcp any host OUTSIDE object-group SalesInquiry
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group HRMS_e-Leave
access-list inside_nat0_outbound extended permit ip INSIDE 255.255.252.0 SITE2SITE_CNDOMAIN 255.255.252.0
access-list inside_nat0_outbound extended permit ip INSIDE 255.255.252.0 SITE2SITE_UKDOMAIN 255.255.252.0
access-list inside_nat0_outbound extended permit ip INSIDE 255.255.252.0 VPN_MYDOMAIN 255.255.255.0
access-list inside_nat0_outbound extended permit ip INSIDE_VLAN103 255.255.254.0 VPN_MYDOMAIN 255.255.255.0
access-list outside_2_cryptomap extended permit ip INSIDE 255.255.252.0 SITE2SITE_UKDOMAIN 255.255.252.0
access-list outside_3_cryptomap extended permit ip INSIDE 255.255.252.0 SITE2SITE_CNDOMAIN 255.255.252.0
access-list MYDOMAIN_splitTunnelAcl standard permit INSIDE 255.255.252.0
access-list MYDOMAIN_splitTunnelAcl standard permit INSIDE_VLAN103 255.255.254.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool MYDOMAINpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-649-103.bin
asdm location SITE2SITE_UKDOMAIN 255.255.252.0 inside
asdm location SVR_Backup-2 255.255.255.255 inside
asdm location SVR_Asterisk-1 255.255.255.255 inside
asdm location SVR_Asterisk-2 255.255.255.255 inside
asdm location SVR_SPEC-1 255.255.255.255 inside
asdm location SVR_Contracts 255.255.255.255 inside
asdm location SVR_Vault 255.255.255.255 inside
asdm location SVR_DC-1 255.255.255.255 inside
asdm location SVR_DC-2 255.255.255.255 inside
asdm location SVR_Conferencing 255.255.255.255 inside
asdm location SVR_KPI-QAAS 255.255.255.255 inside
asdm location SVR_Redmine 255.255.255.255 inside
asdm location SVR_HRMS 255.255.255.255 inside
asdm location SVR_GoogleSync-1 255.255.255.255 inside
asdm location SVR_GoogleSync-2 255.255.255.255 inside
asdm location SVR_Requisitions 255.255.255.255 inside
asdm location SVR_Asterisk-3 255.255.255.255 inside
asdm location SVR_SalesInquiry 255.255.255.255 inside
asdm location INSIDE_VLAN103 255.255.254.0 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0 dns
static (inside,outside) tcp interface smtp INFRA_Spamfilter-1 smtp netmask 255.255.255.255  norandomseq
static (inside,outside) tcp interface 587 INFRA_Spamfilter-2 587 netmask 255.255.255.255  norandomseq
static (inside,outside) tcp interface 81 SVR_Helpdesk 81 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 85 SVR_Helpdesk 85 netmask 255.255.255.255  norandomseq
static (inside,outside) udp interface 85 SVR_Helpdesk 85 netmask 255.255.255.255  norandomseq
static (inside,outside) tcp interface 5432 SVR_SPEC-1 5432 netmask 255.255.255.255  dns
static (inside,outside) udp interface 5432 SVR_SPEC-1 5432 netmask 255.255.255.255  dns
static (inside,outside) tcp interface www SVR_SPEC-1 www netmask 255.255.255.255  dns
static (inside,outside) udp interface www SVR_SPEC-1 www netmask 255.255.255.255  dns
static (inside,outside) tcp interface 10003 SVR_SPEC-1 10003 netmask 255.255.255.255  norandomseq
static (inside,outside) udp interface 10003 SVR_SPEC-1 10003 netmask 255.255.255.255  norandomseq
static (inside,outside) tcp interface 5433 SVR_SPEC-2 5433 netmask 255.255.255.255  dns
static (inside,outside) udp interface 5433 SVR_SPEC-2 5433 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 82 SVR_SPEC-2 82 netmask 255.255.255.255  dns
static (inside,outside) udp interface 82 SVR_SPEC-2 82 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 10004 SVR_SPEC-2 10004 netmask 255.255.255.255  norandomseq
static (inside,outside) udp interface 10004 SVR_SPEC-2 10004 netmask 255.255.255.255  norandomseq
static (inside,outside) tcp interface 10005 SVR_Vault 10005 netmask 255.255.255.255  dns
static (inside,outside) udp interface 10005 SVR_Vault 10005 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 1444 SVR_Vault 1444 netmask 255.255.255.255  dns
static (inside,outside) udp interface 1444 SVR_Vault 1444 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 84 SVR_Vault 84 netmask 255.255.255.255  dns
static (inside,outside) udp interface 84 SVR_Vault 84 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 1443 SVR_Contracts 1443 netmask 255.255.255.255  dns
static (inside,outside) udp interface 1443 SVR_Contracts 1443 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 10001 SVR_Asterisk-3 10001 netmask 255.255.255.255  dns
static (inside,outside) udp interface 10001 SVR_Asterisk-3 10001 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 10002 SVR_Asterisk-3 10002 netmask 255.255.255.255  dns
static (inside,outside) udp interface 10002 SVR_Asterisk-3 10002 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 8081 SVR_Asterisk-3 8081 netmask 255.255.255.255  norandomseq
static (inside,outside) udp interface 8081 SVR_Asterisk-3 8081 netmask 255.255.255.255  norandomseq
static (inside,outside) tcp interface 8082 SVR_Asterisk-3 8082 netmask 255.255.255.255  norandomseq
static (inside,outside) udp interface 8082 SVR_Asterisk-3 8082 netmask 255.255.255.255  norandomseq
static (inside,outside) tcp interface 4569 SVR_Asterisk-3 4569 netmask 255.255.255.255  dns
static (inside,outside) udp interface 4569 SVR_Asterisk-3 4569 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 3389 SVR_ClientAccess 3389 netmask 255.255.255.255  dns
static (inside,outside) udp interface 3389 SVR_ClientAccess 3389 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 89 SVR_Redmine 89 netmask 255.255.255.255  dns
static (inside,outside) udp interface 89 SVR_Redmine 89 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 8011 SVR_DC-1 8011 netmask 255.255.255.255  dns
static (inside,outside) udp interface 8011 SVR_DC-1 8011 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 8012 SVR_DC-2 8012 netmask 255.255.255.255  dns
static (inside,outside) udp interface 8012 SVR_DC-2 8012 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 83 SVR_Requisitions 83 netmask 255.255.255.255  dns
static (inside,outside) udp interface 83 SVR_Requisitions 83 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 88 SVR_SalesInquiry 88 netmask 255.255.255.255  dns
static (inside,outside) tcp interface 8080 SVR_HRMS 8080 netmask 255.255.255.255  dns
static (inside,outside) udp interface 8080 SVR_HRMS 8080 netmask 255.255.255.255  dns
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 0.0.0.0 0.0.0.0 172.16.0.254 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RAD_AUTH protocol radius
aaa-server RAD_AUTH (inside) host xxx.xxx.xxx.xxx
 key ######################################
aaa-server RAD_AUTH (inside) host xxx.xxx.xxx.xxx
 key ######################################
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http INSIDE 255.255.252.0 inside
snmp-server location FQDN-DOMAIN.DOMAIN.com
snmp-server contact System Administrator
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer xxx.xxx.xxx.xxx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer xxx.xxx.xxx.xxx
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet INSIDE 255.255.252.0 inside
telnet MANAGEMENT 255.255.255.0 management
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh INSIDE 255.255.252.0 inside
ssh MANAGEMENT 255.255.255.0 management
ssh timeout 30
console timeout 0
management-access management
vpdn group SERVICEPROVIDER request dialout pppoe
vpdn group SERVICEPROVIDER localname MYUSERNAME
vpdn group SERVICEPROVIDER ppp authentication pap
vpdn username MYUSERNAME password ##########
dhcprelay server SVR_DC-2 inside
dhcprelay server SVR_DC-1 inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxx.xxx.xxx.xxx source inside prefer
ntp server xxx.xxx.xxx.xxx source inside prefer
ntp server xxx.xxx.xxx.xxx source inside prefer
webvpn
group-policy MYDOMAIN internal
group-policy MYDOMAIN attributes
 wins-server value xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 dns-server value xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MYDOMAIN_splitTunnelAcl
 default-domain value FQDN-DOMAIN.DOMAIN.com
username admin password ########## encrypted privilege 15
username sysop password ########## encrypted privilege 5
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key ##########
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key ##########
tunnel-group MYDOMAIN type remote-access
tunnel-group MYDOMAIN general-attributes
 address-pool MYDOMAINpool
 authentication-server-group RAD_AUTH
 default-group-policy MYDOMAIN
tunnel-group MYDOMAIN ipsec-attributes
 pre-shared-key ##########
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
privilege cmd level 5 mode exec command reload
privilege cmd level 5 mode exec command perfmon
privilege cmd level 5 mode exec command ping
privilege cmd level 5 mode exec command who
privilege cmd level 5 mode exec command logging
privilege cmd level 5 mode exec command failover
privilege cmd level 5 mode exec command packet-tracer
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command reload
privilege show level 5 mode exec command mode
privilege show level 5 mode exec command firewall
privilege show level 5 mode exec command conn
privilege show level 5 mode exec command cpu
privilege show level 5 mode exec command interface
privilege show level 5 mode exec command clock
privilege show level 5 mode exec command dns-hosts
privilege show level 5 mode exec command access-list
privilege show level 5 mode exec command logging
privilege show level 5 mode exec command vlan
privilege show level 5 mode exec command ip
privilege show level 5 mode exec command failover
privilege show level 5 mode exec command asdm
privilege show level 5 mode exec command arp
privilege show level 5 mode exec command route
privilege show level 5 mode exec command ospf
privilege show level 5 mode exec command aaa-server
privilege show level 5 mode exec command aaa
privilege show level 5 mode exec command eigrp
privilege show level 5 mode exec command crypto
privilege show level 5 mode exec command vpn-sessiondb
privilege show level 5 mode exec command ssh
privilege show level 5 mode exec command dhcpd
privilege show level 5 mode exec command vpn
privilege show level 5 mode exec command blocks
privilege show level 5 mode exec command wccp
privilege show level 5 mode exec command uauth
privilege show level 5 mode configure command interface
privilege show level 5 mode configure command clock
privilege show level 5 mode configure command access-list
privilege show level 5 mode configure command logging
privilege show level 5 mode configure command ip
privilege show level 5 mode configure command failover
privilege show level 5 mode configure command arp
privilege show level 5 mode configure command route
privilege show level 5 mode configure command aaa-server
privilege show level 5 mode configure command aaa
privilege show level 5 mode configure command crypto
privilege show level 5 mode configure command ssh
privilege show level 5 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 5 mode exec command dns-hosts
privilege clear level 5 mode exec command logging
privilege clear level 5 mode exec command arp
privilege clear level 5 mode exec command aaa-server
privilege clear level 5 mode exec command crypto
privilege cmd level 5 mode configure command failover
privilege clear level 5 mode configure command logging
privilege clear level 5 mode configure command arp
privilege clear level 5 mode configure command crypto
privilege clear level 5 mode configure command aaa-server
privilege cmd level 5 mode route-map command set
privilege cmd level 5 mode mpf-policy-map-class command set
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:760d143b4e0a39e858043dd6af9651d8
: end

The issues;

1) Remote VPN users CANNOT Remote Desktop/SSH/etc. to internal network resources (NOT port forwarding)

2) Even port forwarding is NOT working (tested for Remote Desktop to one of the servers)

3) Remote VPN users CAN ping any network resource, and DNS is working fine (can ping servers by DNS/NetBIOS names)

Reported error on the ASDM;

1) portmap translation creation failed for tcp src inside

Please advise. Thanks.

Regards,

12 REPLIES
Julio Carvajal
Advisor

Hello Mohan,

Enable the following and let me know

crypto isakmp nat-traversal

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Nope, no luck.

It seems there is a weird prob: when I issue the command sh startup-config, I can see the command I inserted as you suggested, as below;

crypto isakmp enable outside
crypto isakmp nat-traversal
crypto isakmp policy 10

After rebooting the ASA 5520 firewall, when I run the sh run command I only get the following;

crypto isakmp enable outside
crypto isakmp policy 10

Seems like the command "crypto isakmp nat-traversal" goes missing. Please advise. Thanks.

Managed to fix the missing entry "crypto isakmp nat-traversal" after each reboot; tried to rdesktop and ssh, still no luck. Any suggestion(s)? Thanks.

Hello,

Is this for a L2L tunnel or RA tunnel?

What is the other side of the tunnel, and what is the subnet being used on that side?

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

It's an IPSec RA tunnel.

                         RA VPN Users
                         192.168.10.0/24
                              |
                              |
                         Internet Cloud
                              |
                              |
                       --------------------------------------------------
                       Cisco ASA External (Interface 0/0)
                       x.x.x.x
                              |
                              |
                       Cisco ASA Internal (Interface 0/3)
                       172.16.0.252/22
                       -------------------------------------------------
                              |
                              |
                         Core Switch
                         172.16.0.254/22
                              |
                              |
                         Internal Network
                         172.16.0.0/22

split-tunnel-network-list value MYDOMAIN_splitTunnelAcl

Where is that ACL in your config?

access-list inside_nat0_outbound extended permit ip INSIDE 255.255.252.0 VPN_MYDOMAIN 255.255.255.0
access-list inside_nat0_outbound extended permit ip INSIDE_VLAN103 255.255.254.0 VPN_MYDOMAIN 255.255.255.0
access-list MYDOMAIN_splitTunnelAcl standard permit INSIDE 255.255.252.0
access-list MYDOMAIN_splitTunnelAcl standard permit INSIDE_VLAN103 255.255.254.0

mohant3ch
Beginner

Could anyone assist me on this matter, as I need to rectify this issue ASAP? Thanks in advance.

Can you provide the packet-tracer output for the specific source and destination (both inbound and outbound) when a client is connected?

Sorry for the slight delay. Results as below;

Inside -> Outside

CISCO-ASA-5520# packet-tracer input inside tcp 172.16.0.21 3389 192.168.10.11 3976

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.10.11     255.255.255.255 outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
  match ip inside INSIDE 255.255.252.0 outside VPN_DBMY 255.255.255.0
    NAT exempt
    translate_hits = 5442, untranslate_hits = 98005
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) tcp interface 3389 SVR_ClientAccess 3389 netmask 255.255.255.255  dns
nat-control
  match tcp inside host SVR_ClientAccess eq 3389 outside any
    static translation to OUTSIDE/3389
    translate_hits = 0, untranslate_hits = 72
Additional Information:

Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface 3389 SVR_ClientAccess 3389 netmask 255.255.255.255  dns
nat-control
  match tcp inside host SVR_ClientAccess eq 3389 outside any
    static translation to OUTSIDE/3389
    translate_hits = 0, untranslate_hits = 72
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 905758, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Outside -> Inside

CISCO-ASA-5520# packet-tracer input outside tcp 192.168.10.11 3976 172.16.0.21 3389

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   INSIDE          255.255.252.0   inside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Hi,

Don't really know the reason for the problem, but I thought I'd mention what things seem strange (but might not be wrong in any way):

  • You have a route command with "tunneled" even though it seems it forwards all VPN traffic to the Core Switch? Do you really need the "tunneled" route, since your whole LAN network is directly connected to the ASA?
  • Your Split Tunnel and NAT0 ACLs use the IP address 172.16.0.252 = INSIDE. Couldn't you just use 172.16.0.0 255.255.252.0 instead?
  • The NAT phase of your packet-tracer output above has a reference to a name that I can't see anywhere in the configuration (VPN_DBMY).

Just for the sake of trying, could you do the same OUTSIDE -> INSIDE packet-tracer test using the Core Switch IP address as the destination?

Could you also connect the VPN Client, open ASDM log monitoring, filter the logs by your VPN Client's assigned IP address, attempt some of the TCP connections, and copy/paste (or screencapture) that output here?

- Jouni
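As an added check (example code written for this thread, not Cisco's or the poster's), the script below audits the three pieces the NAT0/split-tunnel exchange and Jouni's bullets turn on: it resolves the ASA `name` objects, confirms every split-tunnel network has a `nat (inside) 0` exemption that covers the whole VPN address pool, and flags entries such as `INSIDE 255.255.252.0` that carry host bits. The INSIDE_VLAN103 address is an assumed value standing in for the redacted one; the config excerpt is constructed from the post.

```python
"""Consistency check for an ASA 8.2 remote-access VPN: address pool,
NAT-exempt (nat 0) ACL and split-tunnel ACL. Added example for the thread;
not from Cisco or the original poster. Input is a constructed excerpt."""
import ipaddress
import re

# Constructed excerpt modelled on the posted config. 172.16.4.0 for
# INSIDE_VLAN103 is an assumed value replacing the redacted xxx.xxx.xxx.xxx;
# INSIDE keeps the 172.16.0.252 value from the post.
SAMPLE_CONFIG = """\
name 172.16.0.252 INSIDE
name 172.16.4.0 INSIDE_VLAN103
name 192.168.10.0 VPN_MYDOMAIN
access-list inside_nat0_outbound extended permit ip INSIDE 255.255.252.0 VPN_MYDOMAIN 255.255.255.0
access-list inside_nat0_outbound extended permit ip INSIDE_VLAN103 255.255.254.0 VPN_MYDOMAIN 255.255.255.0
access-list MYDOMAIN_splitTunnelAcl standard permit INSIDE 255.255.252.0
access-list MYDOMAIN_splitTunnelAcl standard permit INSIDE_VLAN103 255.255.254.0
ip local pool MYDOMAINpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy MYDOMAIN attributes
 split-tunnel-network-list value MYDOMAIN_splitTunnelAcl
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)$", re.M)
POOL_RE = re.compile(r"^ip local pool \S+ ([^-\s]+)-(\S+) mask \S+$", re.M)
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$", re.M)
SPLIT_RE = re.compile(r"^\s*split-tunnel-network-list value (\S+)$", re.M)
EXT_RE = re.compile(
    r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
STD_RE = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$", re.M)


def parse_names(cfg):
    """Map ASA 'name' labels (e.g. INSIDE) to their literal addresses."""
    return {label: addr for addr, label in NAME_RE.findall(cfg)}


def to_net(token, mask, names):
    """Resolve a name or literal plus mask to the network the ASA matches.
    Also report whether host bits were set: 172.16.0.252 with a /22 mask still
    matches 172.16.0.0/22, but it is the kind of entry a reviewer flags."""
    iface = ipaddress.ip_interface(f"{names.get(token, token)}/{mask}")
    return iface.network, iface.ip != iface.network.network_address


def audit(cfg):
    """Return split-tunnel networks lacking a NAT-exempt entry that covers the
    whole VPN pool, plus ACL entries written with host bits set."""
    names = parse_names(cfg)
    pool_lo, pool_hi = (ipaddress.ip_address(a)
                        for a in POOL_RE.search(cfg).groups())
    nat0_acl = NAT0_RE.search(cfg).group(1)
    split_acl = SPLIT_RE.search(cfg).group(1)
    host_bits = []
    exempt = []  # (local network, remote network) pairs exempted from NAT
    for acl, src, smask, dst, dmask in EXT_RE.findall(cfg):
        if acl != nat0_acl:
            continue
        snet, sbad = to_net(src, smask, names)
        dnet, dbad = to_net(dst, dmask, names)
        exempt.append((snet, dnet))
        if sbad or dbad:
            host_bits.append(f"{acl}: {src} {smask} {dst} {dmask}")
    uncovered = []
    for acl, net, mask in STD_RE.findall(cfg):
        if acl != split_acl:
            continue
        lan, bad = to_net(net, mask, names)
        if bad:
            host_bits.append(f"{acl}: {net} {mask}")
        # Traffic to this LAN is sent down the tunnel, so it must also bypass
        # the interface PAT for every pool address or replies get translated.
        if not any(lan.subnet_of(s) and pool_lo in d and pool_hi in d
                   for s, d in exempt):
            uncovered.append(str(lan))
    return {"uncovered": uncovered, "host_bits": host_bits}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```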
