12-26-2012 07:10 PM - edited 03-11-2019 05:41 PM
Hi there/Greetings,
I have a Cisco ASA model 5520 set up in the office environment. The ASA's running version is ASA Version 8.2(5)33. I have been encountering a weird issue lately. Previously, users could Remote Desktop/SSH/etc. to the internal network via VPN IPSEC, but just recently, a couple of weeks back, all of a sudden, they can't do that anymore. I have been trying to diagnose and sort out the issues, but it came to a dead end. Well, this is how my office setup environment looks, as below;
Internal Network ---- Core Switch ---- (Interface 0/3) Cisco ASA 5520 (Interface 0/0) ---- Internet
172.16.0.0/22         172.16.0.254/22                  172.16.0.252/22                     x.x.x.x
Config as below;
: Saved
: Written by admin at 17:09:45.651 MYT Mon Dec 24 2012
!
ASA Version 8.2(5)33
!
hostname CISCO-ASA-5520
domain-name FQDN-DOMAIN.DOMAIN.com
enable password ############## level 5 encrypted
enable password ############## encrypted
passwd ############## encrypted
names
name xxx.xxx.xxx.xxx INFRA_Spamfilter-1
name xxx.xxx.xxx.xxx INFRA_Spamfilter-2
name xxx.xxx.xxx.xxx SVR_Asterisk-1
name xxx.xxx.xxx.xxx SVR_Asterisk-2
name xxx.xxx.xxx.xxx SVR_Asterisk-3
name xxx.xxx.xxx.xxx SVR_Backup-1
name xxx.xxx.xxx.xxx SVR_Backup-2
name xxx.xxx.xxx.xxx SVR_ClientAccess
name xxx.xxx.xxx.xxx SVR_Conferencing
name xxx.xxx.xxx.xxx SVR_Contracts
name xxx.xxx.xxx.xxx SVR_DC-1
name xxx.xxx.xxx.xxx SVR_DC-2
name xxx.xxx.xxx.xxx SVR_GoogleSync-1
name xxx.xxx.xxx.xxx SVR_GoogleSync-2
name xxx.xxx.xxx.xxx SVR_HRMS
name xxx.xxx.xxx.xxx SVR_Helpdesk
name xxx.xxx.xxx.xxx SVR_KPI-QAAS
name xxx.xxx.xxx.xxx SVR_Lotus-Sametime
name xxx.xxx.xxx.xxx SVR_Redmine
name xxx.xxx.xxx.xxx SVR_Requisitions
name xxx.xxx.xxx.xxx SVR_SPEC-1
name xxx.xxx.xxx.xxx SVR_SPEC-2
name xxx.xxx.xxx.xxx SVR_SalesInquiry
name xxx.xxx.xxx.xxx SVR_Vault
name xxx.xxx.xxx.xxx SITE2SITE_CNDOMAIN
name xxx.xxx.xxx.xxx SITE2SITE_UKDOMAIN
name xxx.xxx.xxx.xxx INSIDE_VLAN103
name 172.16.0.252 INSIDE
name xxx.xxx.xxx.xxx OUTSIDE
name xxx.xxx.xxx.xxx MANAGEMENT
name 192.168.10.0 VPN_MYDOMAIN
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
pppoe client vpdn group SERVICEPROVIDER
ip address OUTSIDE 255.255.255.255 pppoe
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 172.16.0.252 255.255.252.0
!
interface Management0/0
nameif management
security-level 100
ip address xxx.xxx.xxx.xxx 255.255.255.0
management-only
!
boot system disk0:/asa825-33-k8.bin
ftp mode passive
clock timezone MYT 8
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
retries 3
timeout 5
name-server SVR_DC-1
name-server SVR_DC-2
name-server 8.8.8.8
name-server 8.8.4.4
name-server xxx.xxx.xxx.xxx
name-server xxx.xxx.xxx.xxx
domain-name FQDN-DOMAIN.DOMAIN.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service PostgresSQL tcp-udp
port-object eq 5432
port-object eq 5433
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group icmp-type ICMP
icmp-object alternate-address
icmp-object conversion-error
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object mask-reply
icmp-object mask-request
icmp-object mobile-redirect
icmp-object parameter-problem
icmp-object redirect
icmp-object router-advertisement
icmp-object router-solicitation
icmp-object source-quench
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object traceroute
icmp-object unreachable
object-group service SPEC tcp-udp
port-object eq 82
object-group service Helpdesk tcp-udp
port-object eq 81
object-group service SMTP2 tcp
port-object eq 587
object-group service DM_INLINE_TCP_2 tcp
port-object eq smtp
group-object SMTP2
object-group service RequestTracker tcp-udp
port-object eq 1443
object-group service Asterisk tcp-udp
port-object eq 4569
object-group service DBSubsidiaries tcp-udp
port-object eq 85
object-group service Redmine tcp-udp
port-object eq 89
object-group service GoogleSync tcp-udp
port-object range 10006 10007
port-object range 8008 8009
object-group service Vault tcp-udp
port-object eq 1444
port-object eq 84
object-group service SelfupdatePassword tcp-udp
port-object range 8011 8012
object-group service Requisitions tcp-udp
port-object eq 83
object-group service DM_INLINE_SERVICE_1
service-object tcp eq www
service-object udp eq www
object-group service SalesInquiry tcp
port-object eq 88
object-group service HRMS_e-Leave tcp-udp
port-object eq 8080
object-group service Asterisk_Remote_Support tcp-udp
port-object range 10001 10002
port-object range 8081 8082
object-group service SPEC_Remote_Support tcp-udp
port-object range 10003 10004
object-group service Vault_Remote_Support tcp-udp
port-object eq 10005
object-group service RA_Teamviewer tcp-udp
port-object eq 5938
object-group service RA_VNC tcp-udp
port-object eq 5800
port-object eq 5801
port-object eq 5802
port-object eq 5803
port-object eq 5900
port-object eq 5901
port-object eq 5902
port-object eq 5903
object-group service RA_RemoteDesktop tcp
port-object eq 3389
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host OUTSIDE
access-list outside_access_in extended permit tcp any host OUTSIDE eq https
access-list outside_access_in extended permit tcp any host OUTSIDE object-group DM_INLINE_TCP_2 inactive
access-list outside_access_in extended permit tcp any host OUTSIDE eq ssh inactive
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group PostgresSQL
access-list outside_access_in extended permit icmp any host OUTSIDE object-group ICMP
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group Vault
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group Vault_Remote_Support inactive
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group SPEC
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group SPEC_Remote_Support inactive
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group Helpdesk
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group RequestTracker
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group Asterisk
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group Asterisk_Remote_Support inactive
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group DBSubsidiaries inactive
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group RA_Teamviewer inactive
access-list outside_access_in extended permit tcp any host OUTSIDE object-group RA_RemoteDesktop
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group RA_VNC inactive
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group Redmine
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group SelfupdatePassword
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group Requisitions
access-list outside_access_in extended permit tcp any host OUTSIDE object-group SalesInquiry
access-list outside_access_in extended permit object-group TCPUDP any host OUTSIDE object-group HRMS_e-Leave
access-list inside_nat0_outbound extended permit ip INSIDE 255.255.252.0 SITE2SITE_CNDOMAIN 255.255.252.0
access-list inside_nat0_outbound extended permit ip INSIDE 255.255.252.0 SITE2SITE_UKDOMAIN 255.255.252.0
access-list inside_nat0_outbound extended permit ip INSIDE 255.255.252.0 VPN_MYDOMAIN 255.255.255.0
access-list inside_nat0_outbound extended permit ip INSIDE_VLAN103 255.255.254.0 VPN_MYDOMAIN 255.255.255.0
access-list outside_2_cryptomap extended permit ip INSIDE 255.255.252.0 SITE2SITE_UKDOMAIN 255.255.252.0
access-list outside_3_cryptomap extended permit ip INSIDE 255.255.252.0 SITE2SITE_CNDOMAIN 255.255.252.0
access-list MYDOMAIN_splitTunnelAcl standard permit INSIDE 255.255.252.0
access-list MYDOMAIN_splitTunnelAcl standard permit INSIDE_VLAN103 255.255.254.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool MYDOMAINpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-649-103.bin
asdm location SITE2SITE_UKDOMAIN 255.255.252.0 inside
asdm location SVR_Backup-2 255.255.255.255 inside
asdm location SVR_Asterisk-1 255.255.255.255 inside
asdm location SVR_Asterisk-2 255.255.255.255 inside
asdm location SVR_SPEC-1 255.255.255.255 inside
asdm location SVR_Contracts 255.255.255.255 inside
asdm location SVR_Vault 255.255.255.255 inside
asdm location SVR_DC-1 255.255.255.255 inside
asdm location SVR_DC-2 255.255.255.255 inside
asdm location SVR_Conferencing 255.255.255.255 inside
asdm location SVR_KPI-QAAS 255.255.255.255 inside
asdm location SVR_Redmine 255.255.255.255 inside
asdm location SVR_HRMS 255.255.255.255 inside
asdm location SVR_GoogleSync-1 255.255.255.255 inside
asdm location SVR_GoogleSync-2 255.255.255.255 inside
asdm location SVR_Requisitions 255.255.255.255 inside
asdm location SVR_Asterisk-3 255.255.255.255 inside
asdm location SVR_SalesInquiry 255.255.255.255 inside
asdm location INSIDE_VLAN103 255.255.254.0 inside
asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0 dns
static (inside,outside) tcp interface smtp INFRA_Spamfilter-1 smtp netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface 587 INFRA_Spamfilter-2 587 netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface 81 SVR_Helpdesk 81 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 85 SVR_Helpdesk 85 netmask 255.255.255.255 norandomseq
static (inside,outside) udp interface 85 SVR_Helpdesk 85 netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface 5432 SVR_SPEC-1 5432 netmask 255.255.255.255 dns
static (inside,outside) udp interface 5432 SVR_SPEC-1 5432 netmask 255.255.255.255 dns
static (inside,outside) tcp interface www SVR_SPEC-1 www netmask 255.255.255.255 dns
static (inside,outside) udp interface www SVR_SPEC-1 www netmask 255.255.255.255 dns
static (inside,outside) tcp interface 10003 SVR_SPEC-1 10003 netmask 255.255.255.255 norandomseq
static (inside,outside) udp interface 10003 SVR_SPEC-1 10003 netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface 5433 SVR_SPEC-2 5433 netmask 255.255.255.255 dns
static (inside,outside) udp interface 5433 SVR_SPEC-2 5433 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 82 SVR_SPEC-2 82 netmask 255.255.255.255 dns
static (inside,outside) udp interface 82 SVR_SPEC-2 82 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 10004 SVR_SPEC-2 10004 netmask 255.255.255.255 norandomseq
static (inside,outside) udp interface 10004 SVR_SPEC-2 10004 netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface 10005 SVR_Vault 10005 netmask 255.255.255.255 dns
static (inside,outside) udp interface 10005 SVR_Vault 10005 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 1444 SVR_Vault 1444 netmask 255.255.255.255 dns
static (inside,outside) udp interface 1444 SVR_Vault 1444 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 84 SVR_Vault 84 netmask 255.255.255.255 dns
static (inside,outside) udp interface 84 SVR_Vault 84 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 1443 SVR_Contracts 1443 netmask 255.255.255.255 dns
static (inside,outside) udp interface 1443 SVR_Contracts 1443 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 10001 SVR_Asterisk-3 10001 netmask 255.255.255.255 dns
static (inside,outside) udp interface 10001 SVR_Asterisk-3 10001 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 10002 SVR_Asterisk-3 10002 netmask 255.255.255.255 dns
static (inside,outside) udp interface 10002 SVR_Asterisk-3 10002 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8081 SVR_Asterisk-3 8081 netmask 255.255.255.255 norandomseq
static (inside,outside) udp interface 8081 SVR_Asterisk-3 8081 netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface 8082 SVR_Asterisk-3 8082 netmask 255.255.255.255 norandomseq
static (inside,outside) udp interface 8082 SVR_Asterisk-3 8082 netmask 255.255.255.255 norandomseq
static (inside,outside) tcp interface 4569 SVR_Asterisk-3 4569 netmask 255.255.255.255 dns
static (inside,outside) udp interface 4569 SVR_Asterisk-3 4569 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 3389 SVR_ClientAccess 3389 netmask 255.255.255.255 dns
static (inside,outside) udp interface 3389 SVR_ClientAccess 3389 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 89 SVR_Redmine 89 netmask 255.255.255.255 dns
static (inside,outside) udp interface 89 SVR_Redmine 89 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8011 SVR_DC-1 8011 netmask 255.255.255.255 dns
static (inside,outside) udp interface 8011 SVR_DC-1 8011 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8012 SVR_DC-2 8012 netmask 255.255.255.255 dns
static (inside,outside) udp interface 8012 SVR_DC-2 8012 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 83 SVR_Requisitions 83 netmask 255.255.255.255 dns
static (inside,outside) udp interface 83 SVR_Requisitions 83 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 88 SVR_SalesInquiry 88 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8080 SVR_HRMS 8080 netmask 255.255.255.255 dns
static (inside,outside) udp interface 8080 SVR_HRMS 8080 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 0.0.0.0 0.0.0.0 172.16.0.254 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RAD_AUTH protocol radius
aaa-server RAD_AUTH (inside) host xxx.xxx.xxx.xxx
key ######################################
aaa-server RAD_AUTH (inside) host xxx.xxx.xxx.xxx
key ######################################
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server
http server enable
http INSIDE 255.255.252.0 inside
snmp-server location FQDN-DOMAIN.DOMAIN.com
snmp-server contact System Administrator
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer xxx.xxx.xxx.xxx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer xxx.xxx.xxx.xxx
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet INSIDE 255.255.252.0 inside
telnet MANAGEMENT 255.255.255.0 management
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh INSIDE 255.255.252.0 inside
ssh MANAGEMENT 255.255.255.0 management
ssh timeout 30
console timeout 0
management-access management
vpdn group SERVICEPROVIDER request dialout pppoe
vpdn group SERVICEPROVIDER localname MYUSERNAME
vpdn group SERVICEPROVIDER ppp authentication pap
vpdn username MYUSERNAME password ##########
dhcprelay server SVR_DC-2 inside
dhcprelay server SVR_DC-1 inside
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxx.xxx.xxx.xxx source inside prefer
ntp server xxx.xxx.xxx.xxx source inside prefer
ntp server xxx.xxx.xxx.xxx source inside prefer
webvpn
group-policy MYDOMAIN internal
group-policy MYDOMAIN attributes
wins-server value xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
dns-server value xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value MYDOMAIN_splitTunnelAcl
default-domain value FQDN-DOMAIN.DOMAIN.com
username admin password ########## encrypted privilege 15
username sysop password ########## encrypted privilege 5
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key ##########
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key ##########
tunnel-group MYDOMAIN type remote-access
tunnel-group MYDOMAIN general-attributes
address-pool MYDOMAINpool
authentication-server-group RAD_AUTH
default-group-policy MYDOMAIN
tunnel-group MYDOMAIN ipsec-attributes
pre-shared-key ##########
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
privilege cmd level 5 mode exec command reload
privilege cmd level 5 mode exec command perfmon
privilege cmd level 5 mode exec command ping
privilege cmd level 5 mode exec command who
privilege cmd level 5 mode exec command logging
privilege cmd level 5 mode exec command failover
privilege cmd level 5 mode exec command packet-tracer
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command reload
privilege show level 5 mode exec command mode
privilege show level 5 mode exec command firewall
privilege show level 5 mode exec command conn
privilege show level 5 mode exec command cpu
privilege show level 5 mode exec command interface
privilege show level 5 mode exec command clock
privilege show level 5 mode exec command dns-hosts
privilege show level 5 mode exec command access-list
privilege show level 5 mode exec command logging
privilege show level 5 mode exec command vlan
privilege show level 5 mode exec command ip
privilege show level 5 mode exec command failover
privilege show level 5 mode exec command asdm
privilege show level 5 mode exec command arp
privilege show level 5 mode exec command route
privilege show level 5 mode exec command ospf
privilege show level 5 mode exec command aaa-server
privilege show level 5 mode exec command aaa
privilege show level 5 mode exec command eigrp
privilege show level 5 mode exec command crypto
privilege show level 5 mode exec command vpn-sessiondb
privilege show level 5 mode exec command ssh
privilege show level 5 mode exec command dhcpd
privilege show level 5 mode exec command vpn
privilege show level 5 mode exec command blocks
privilege show level 5 mode exec command wccp
privilege show level 5 mode exec command uauth
privilege show level 5 mode configure command interface
privilege show level 5 mode configure command clock
privilege show level 5 mode configure command access-list
privilege show level 5 mode configure command logging
privilege show level 5 mode configure command ip
privilege show level 5 mode configure command failover
privilege show level 5 mode configure command arp
privilege show level 5 mode configure command route
privilege show level 5 mode configure command aaa-server
privilege show level 5 mode configure command aaa
privilege show level 5 mode configure command crypto
privilege show level 5 mode configure command ssh
privilege show level 5 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 5 mode exec command dns-hosts
privilege clear level 5 mode exec command logging
privilege clear level 5 mode exec command arp
privilege clear level 5 mode exec command aaa-server
privilege clear level 5 mode exec command crypto
privilege cmd level 5 mode configure command failover
privilege clear level 5 mode configure command logging
privilege clear level 5 mode configure command arp
privilege clear level 5 mode configure command crypto
privilege clear level 5 mode configure command aaa-server
privilege cmd level 5 mode route-map command set
privilege cmd level 5 mode mpf-policy-map-class command set
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:760d143b4e0a39e858043dd6af9651d8
: end
The issues;
1) Remote VPN users CANNOT Remote Desktop/SSH/etc. to internal network resources (NOT port forwarding)
2) Even port forwarding is NOT working (tested for Remote Desktop to one of the servers)
3) Remote VPN users CAN ping to any network resources, DNS is working fine (can ping servers by DNS/NETBIOS names)
Reported error on the ASDM;
1) portmap translation creation failed for tcp src inside
Please advise. Thanks.
Regards,
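Added note from the editor, not part of the original post: the configuration above is complete enough to lint, and a few lines in it are the kind a reviewer would flag before touching the VPN problem (SSH permitted from 0.0.0.0/0 on the outside interface, Telnet enabled, the default SNMP community, DES/MD5 transform sets, MD5 and DH group 2 in the IKE policy, norandomseq on a static). The script below is example code that reads an 8.2-style config as plain text and reports those items with a suggested direction; SAMPLE_CONFIG is a constructed excerpt of the posted config, and the severities and fixes are the editor's suggestions, not anything the thread proposes.

```python
"""Hardening lint for ASA 8.2-style configuration text.

Added example, not from the original post.  SAMPLE_CONFIG is a constructed
excerpt of the posted configuration; the checks, severities and suggested
fixes are the editor's, not anything the thread itself proposes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    line: str       # offending config line
    issue: str
    fix: str        # suggested direction for the change


SAMPLE_CONFIG = """\
snmp-server community public
telnet INSIDE 255.255.252.0 inside
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 outside
ssh INSIDE 255.255.252.0 inside
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
static (inside,outside) tcp interface smtp INFRA_Spamfilter-1 smtp netmask 255.255.255.255 norandomseq
"""

WEAK_ESP = {"esp-des", "esp-md5-hmac"}
ISAKMP_KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}
# (keyword, value) inside an isakmp policy body -> (severity, issue, fix)
WEAK_ISAKMP = {
    ("encryption", "des"): ("high", "DES in IKE policy", "encryption aes-256"),
    ("encryption", "3des"): ("medium", "3DES (legacy) in IKE policy", "encryption aes-256"),
    ("hash", "md5"): ("medium", "MD5 in IKE policy", "hash sha"),
    ("group", "1"): ("high", "768-bit DH group 1", "group 5 (or 14+ where the release supports it)"),
    ("group", "2"): ("medium", "1024-bit DH group 2", "group 5 (or 14+ where the release supports it)"),
}


def lint_asa_config(text):
    """Return Findings for management-plane and crypto weaknesses, in config order."""
    findings = []
    in_policy = False   # True while inside a 'crypto isakmp policy' body
    for raw in text.splitlines():
        line = raw.strip()
        w = line.split()
        if not w or line.startswith(("!", ":")):
            continue
        if line.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if in_policy and w[0] in ISAKMP_KEYS:
            hit = WEAK_ISAKMP.get((w[0], w[1].lower()))
            if hit:
                findings.append(Finding(hit[0], line, hit[1], hit[2]))
            continue
        in_policy = False   # any other line ends the policy body
        if w[0] == "ssh" and len(w) >= 4 and w[1:3] == ["0.0.0.0", "0.0.0.0"]:
            findings.append(Finding("high", line,
                                    f"SSH management open to any source on '{w[3]}'",
                                    f"ssh <admin-net> <mask> {w[3]}"))
        elif w[0] == "telnet" and w[1] != "timeout":
            findings.append(Finding("high", line, "Telnet management enabled (cleartext)", f"no {line}"))
        elif line.startswith("snmp-server community") and w[-1].lower() in {"public", "private"}:
            findings.append(Finding("high", line, "default SNMP community string",
                                    "snmp-server community <unique-string> (SNMPv3 preferred)"))
        elif line.startswith("crypto ipsec transform-set"):
            algs = set(w[4:])
            if algs & WEAK_ESP:
                findings.append(Finding("high", line, "DES and/or MD5 in transform-set",
                                        "esp-aes-256 esp-sha-hmac"))
            elif "esp-3des" in algs:
                findings.append(Finding("medium", line, "3DES (legacy) in transform-set",
                                        "esp-aes-256 esp-sha-hmac"))
        elif w[0] == "static" and "norandomseq" in w:
            findings.append(Finding("low", line, "TCP ISN randomisation disabled for this translation",
                                    "drop 'norandomseq' unless the application needs it"))
    return findings


def count_by_severity(findings):
    """Tally findings per severity level."""
    out = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        out[f.severity] += 1
    return out


if __name__ == "__main__":
    for f in lint_asa_config(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.line}\n         -> {f.issue}; suggest: {f.fix}")
```

The lint is line-oriented on purpose: ASA running-config is flat apart from the policy bodies, so tracking one "inside an isakmp policy" flag is enough. Lines the poster marked inactive in the ACL are not touched here; the point is the management plane and the cipher suites, which are independent of the VPN fault being discussed.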
12-26-2012 08:42 PM
Hello Mohan,
Enable the following and let me know
crypto isakmp nat-traversal
Regards
12-27-2012 12:01 AM
nope, no luck
12-27-2012 12:13 AM
It seems there is a weird problem: when I issue the command sh startup-config, I can see the command I inserted as you suggested, as below;
crypto isakmp enable outside
crypto isakmp nat-traversal
crypto isakmp policy 10
After rebooting the ASA 5520 firewall, when I run the sh run command, I only get the following;
crypto isakmp enable outside
crypto isakmp policy 10
Seems like the command "crypto isakmp nat-traversal" goes missing. Please advise. Thanks.
12-27-2012 12:37 AM
Managed to fix the missing entry "crypto isakmp nat-traversal" after each reboot; tried to rdesktop and SSH, still no luck. Any suggestion(s)? Thanks.
12-27-2012 08:39 AM
Hello,
Is this for an L2L tunnel or an RA tunnel?
What is the other side of the tunnel, and what is the subnet being used on that side?
Regards
12-27-2012 05:44 PM
It's an IPSec RA tunnel.
RA VPN Users
192.168.10.0/24
|
|
Internet Cloud
|
|
--------------------------------------------------
Cisco ASA External (Interface 0/0)
x.x.x.x
|
|
Cisco ASA Internal (Interface 0/3)
172.16.0.252/22
-------------------------------------------------
|
|
Core Switch
172.16.0.254/22
|
|
Internal Network
172.16.0.0/22
12-27-2012 10:39 PM
split-tunnel-network-list value MYDOMAIN_splitTunnelAcl
Where is that ACL in your config?
12-29-2012 11:21 PM
access-list inside_nat0_outbound extended permit ip INSIDE 255.255.252.0 VPN_MYDOMAIN 255.255.255.0
access-list inside_nat0_outbound extended permit ip INSIDE_VLAN103 255.255.254.0 VPN_MYDOMAIN 255.255.255.0
access-list MYDOMAIN_splitTunnelAcl standard permit INSIDE 255.255.252.0
access-list MYDOMAIN_splitTunnelAcl standard permit INSIDE_VLAN103 255.255.254.0
12-30-2012 06:56 PM
Could anyone assist me on this matter as I need to rectify this issue ASAP. Advance thanks.
12-31-2012 12:13 AM
Can you provide the packet-tracer output for the specific source and destination (both inbound and outbound) when a client is connected?
01-02-2013 07:14 PM
Sorry for the slight delay. Results as below;
Inside -> Outside
CISCO-ASA-5520# packet-tracer input inside tcp 172.16.0.21 3389 192.168.10.11 3976
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.10.11 255.255.255.255 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip inside INSIDE 255.255.252.0 outside VPN_DBMY 255.255.255.0
NAT exempt
translate_hits = 5442, untranslate_hits = 98005
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
static (inside,outside) tcp interface 3389 SVR_ClientAccess 3389 netmask 255.255.255.255 dns
nat-control
match tcp inside host SVR_ClientAccess eq 3389 outside any
static translation to OUTSIDE/3389
translate_hits = 0, untranslate_hits = 72
Additional Information:
Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface 3389 SVR_ClientAccess 3389 netmask 255.255.255.255 dns
nat-control
match tcp inside host SVR_ClientAccess eq 3389 outside any
static translation to OUTSIDE/3389
translate_hits = 0, untranslate_hits = 72
Additional Information:
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 905758, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Outside -> Inside
CISCO-ASA-5520# packet-tracer input outside tcp 192.168.10.11 3976 172.16.0.21 3389
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in INSIDE 255.255.252.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
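Added example from the editor, not part of the thread: the nat0 and split-tunnel ACLs quoted in the 12-29-2012 reply and the packet-tracer run above both come down to which 8.2 NAT rule an inside-to-client flow hits first. The script below parses a constructed excerpt of the posted config, applies the 8.2 precedence (nat 0 exemption, then static and static PAT, then the nat/global dynamic PAT) to a flow such as 172.16.0.21:3389 to 192.168.10.11, and checks that every network the split-tunnel ACL hands to the client also has an exemption line back to the client pool. INSIDE_VLAN103's real address is masked in the post, so 10.103.0.0/23 stands in for it; 203.0.113.5 is a documentation address used only as an Internet destination.

```python
"""ASA 8.2 NAT-rule selection and RA-VPN exemption coverage check.

Added example, not from the thread.  SAMPLE_CONFIG is a constructed excerpt
of the posted configuration; INSIDE_VLAN103's real address is masked in the
post, so 10.103.0.0/23 is assumed for it here.
"""
import ipaddress
from collections import defaultdict

SAMPLE_CONFIG = """\
name 172.16.0.252 INSIDE
name 10.103.0.0 INSIDE_VLAN103
name 192.168.10.0 VPN_MYDOMAIN
name 172.16.0.21 SVR_ClientAccess
access-list inside_nat0_outbound extended permit ip INSIDE 255.255.252.0 VPN_MYDOMAIN 255.255.255.0
access-list inside_nat0_outbound extended permit ip INSIDE_VLAN103 255.255.254.0 VPN_MYDOMAIN 255.255.255.0
access-list MYDOMAIN_splitTunnelAcl standard permit INSIDE 255.255.252.0
access-list MYDOMAIN_splitTunnelAcl standard permit INSIDE_VLAN103 255.255.254.0
ip local pool MYDOMAINpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0 dns
global (outside) 101 interface
static (inside,outside) tcp interface 3389 SVR_ClientAccess 3389 netmask 255.255.255.255 dns
"""

PORT_NAMES = {"www": "80", "https": "443", "smtp": "25", "ssh": "22"}


def _net(addr, mask):
    """Network from an ASA 'address mask' pair (address need not be the base)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Extract the pieces of an 8.2 config that decide NAT for inside-initiated flows."""
    names, acls = {}, defaultdict(list)
    cfg = {"nat0": [], "static": [], "dynamic": [], "split": [], "pool": None}
    nat0_acl = None

    def r(tok):            # resolve a 'name' alias to its address
        return names.get(tok, tok)

    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "name":
            names[w[2]] = w[1]
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            acls[w[1]].append((_net(r(w[5]), w[6]), _net(r(w[7]), w[8]), raw))
        elif w[0] == "access-list" and w[2:4] == ["standard", "permit"]:
            cfg["split"].append(_net(r(w[4]), w[5]))
        elif w[:3] == ["ip", "local", "pool"]:
            cfg["pool"] = _net(w[4].split("-")[0], w[6])
        elif w[0] == "nat" and w[2] == "0" and w[3] == "access-list":
            nat0_acl = w[4]
        elif w[0] == "nat" and w[2] != "0":     # paired with 'global (outside) <id> interface'
            cfg["dynamic"].append((_net(w[3], w[4]), raw))
        elif w[0] == "static" and w[3] == "interface":
            cfg["static"].append((w[2], ipaddress.ip_address(r(w[5])),
                                  PORT_NAMES.get(w[6], w[6]), raw))
    if nat0_acl:
        cfg["nat0"] = acls[nat0_acl]
    return cfg


def nat_decision(cfg, src_ip, src_port, dst_ip, proto="tcp"):
    """First matching NAT rule for an inside-initiated flow, in 8.2 order:
    NAT exemption, then static (incl. static PAT), then dynamic nat/global."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for s_net, d_net, line in cfg["nat0"]:
        if src in s_net and dst in d_net:
            return "exempt", line
    for s_proto, s_ip, s_port, line in cfg["static"]:
        if s_proto == proto and s_ip == src and s_port == str(src_port):
            return "static", line
    for net, line in cfg["dynamic"]:
        if src in net:
            return "dynamic-pat", line
    return "none", ""       # under nat-control such a flow is dropped


def missing_exemptions(cfg):
    """Split-tunnel networks lacking a nat 0 line that covers them toward the pool."""
    pool = cfg["pool"]
    return [str(net) for net in cfg["split"]
            if not any(net.subnet_of(s) and pool.subnet_of(d) for s, d, _ in cfg["nat0"])]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    # The inside -> client flow from the packet-tracer run in the thread.
    print(nat_decision(cfg, "172.16.0.21", 3389, "192.168.10.11"))
    print("split-tunnel networks without exemption:", missing_exemptions(cfg))
```

For the flow the poster traced, the exemption line wins, which is what the inside-to-outside packet-tracer shows in its NAT-EXEMPT phase; the static PAT for 3389 listed in the following phases only applies to the same host when its destination is not covered by nat 0. A flow toward a pool address that instead falls through to dynamic-pat is the path to rule out when the log reports "portmap translation creation failed" for an inside source, because the interface PAT should never have been consulted for it. Note also that packet-tracer from the outside with a pool address as source cannot match a decrypt phase unless a client with that address is actually connected; without one it is simply evaluated against the outside interface ACL, which is consistent with the acl-drop seen in the outside-to-inside run above.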
01-03-2013 08:13 AM
Hi,
I don't really know the reason for the problem, but I thought I'd mention what things seem strange (but might not be wrong in any way).
Just for the sake of trying, could you do the same OUTSIDE -> INSIDE packet-tracer test using the Core Switch IP address as the destination?
Could you also perhaps connect the VPN Client, open ASDM log monitoring, filter the logs by your VPN Client's assigned IP address, attempt some of the TCP connections, and copy/paste (or screen-capture) that output here?
- Jouni