
Cisco Client IPSec VPN to ASA 5505

smicale32
Level 1

I am having an issue getting my clients to connect to our network from home using the Cisco IPSec VPN client. On the ASA I have gone through the VPN Wizard to set it up, but when my clients connect they get connected but cannot ping anything on the network. I can't ping the clients from the ASA either. The inside network is 10.0.3.0 and the VPN network is 192.168.254.0.


I am not good with command line so I use the ASDM to configure. Hopefully by looking at my config someone can tell me what my problem is.


Thanks

-Scott



Result of the command: "show config"


: Saved

: Written by admin at 08:21:15.815 EDT Thu Sep 27 2012

!

ASA Version 8.0(2)

!

hostname HT-ASA5505

domain-name HartvilleTool.local

enable password dHIBzkcAr1a25OXB encrypted


names

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.3.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 208.40.106.154 255.255.255.252

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd dHIBzkcAr1a25OXB encrypted

boot system disk0:/asa802-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns server-group DefaultDNS

domain-name HartvilleTool.local

object-group network DM_INLINE_NETWORK_1

network-object 10.10.21.0 255.255.255.0

network-object 10.10.50.0 255.255.255.0

network-object 10.10.10.0 255.255.255.0

network-object 10.10.23.0 255.255.255.0

network-object 192.168.254.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.0.3.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.3.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip host 10.0.3.4 host 216.207.200.60

access-list inside_nat0_outbound extended permit ip 10.0.3.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.3.0 255.255.255.0 10.0.4.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.3.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip host 10.0.3.4 host 172.16.20.26

access-list inside_nat0_outbound extended permit ip 10.0.3.0 255.255.255.0 10.10.22.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.3.0 255.255.255.0 10.10.21.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.3.0 255.255.255.0 10.10.50.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.3.0 255.255.255.0 10.10.23.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.3.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.3.0 255.255.255.0 192.168.254.0 255.255.255.0

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any host 208.40.106.154 eq 3389

access-list outside_access_in extended permit tcp any host 208.40.106.154 eq https inactive

access-list outside_access_in extended permit tcp any host 208.40.106.154 eq 1 inactive

access-list outside_access_in extended permit tcp host 12.94.141.118 host 208.40.106.154 eq 1433 inactive

access-list outside_access_in extended permit tcp any host 208.40.106.154 eq ftp-data inactive

access-list outside_access_in extended permit tcp any host 208.40.106.154 eq ftp inactive

access-list outside_access_in extended permit tcp any host 208.40.106.154 eq ssh

access-list outside_access_in extended permit tcp any host 208.40.106.154 eq 3390

access-list outside_3_cryptomap extended permit ip host 10.0.3.4 host 172.16.20.26

access-list outside_cryptomap_65535.2 extended permit ip 10.0.3.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list outside_4_cryptomap extended permit ip 10.0.3.0 255.255.255.0 10.10.22.0 255.255.255.0

access-list global_mpc extended permit ip host 192.168.1.1 any

access-list global_mpc extended permit ip any host 192.168.1.1

access-list global_mpc extended permit ip host 192.168.2.2 any

access-list global_mpc extended permit ip any host 192.168.2.2

access-list outside_cryptomap extended permit ip 10.0.3.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

access-list outside_cryptomap extended permit ip 10.0.3.0 255.255.255.0 192.168.254.0 255.255.255.0

access-list HRM_splitTunnelAcl standard permit 10.0.3.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool VPN-Pool 192.168.254.1-192.168.254.10 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 3389 10.0.3.4 3389 netmask 255.255.255.255

static (inside,outside) tcp interface https 10.0.3.4 https netmask 255.255.255.255

static (inside,outside) tcp interface 1 10.0.3.18 1 netmask 255.255.255.255

static (inside,outside) tcp interface 1433 10.0.3.4 1433 netmask 255.255.255.255

static (inside,outside) tcp interface ftp-data 10.0.3.4 ftp-data netmask 255.255.255.255

static (inside,outside) tcp interface ftp 10.0.3.4 ftp netmask 255.255.255.255

static (inside,outside) tcp interface ssh 10.0.3.4 ssh netmask 255.255.255.255

static (inside,outside) tcp interface 3390 10.0.3.3 3389 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 208.40.106.153 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.0.3.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 2 match address outside_cryptomap_65535.2

crypto dynamic-map outside_dyn_map 2 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map 21 set pfs

crypto dynamic-map outside_dyn_map 21 set transform-set ESP-3DES-SHA

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 208.40.104.58

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 3 match address outside_3_cryptomap

crypto map outside_map 3 set pfs

crypto map outside_map 3 set peer 12.94.141.118

crypto map outside_map 3 set transform-set ESP-3DES-SHA

crypto map outside_map 4 match address outside_4_cryptomap

crypto map outside_map 4 set peer 99.88.223.17

crypto map outside_map 4 set transform-set ESP-3DES-SHA

crypto map outside_map 6 match address outside_cryptomap

crypto map outside_map 6 set pfs

crypto map outside_map 6 set peer 96.11.183.222

crypto map outside_map 6 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 6 set phase1-mode aggressive

crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

no crypto isakmp nat-traversal

telnet 10.0.3.0 255.255.255.0 inside

telnet 192.168.1.0 255.255.255.0 inside

telnet 10.10.21.0 255.255.255.0 inside

telnet 10.10.50.0 255.255.255.0 inside

telnet 10.10.22.0 255.255.255.0 inside

telnet 24.106.142.2 255.255.255.255 outside

telnet timeout 5

ssh 216.207.201.197 255.255.255.255 outside

ssh 171.68.225.213 255.255.255.255 outside

ssh 24.106.142.2 255.255.255.255 outside

ssh timeout 60

console timeout 0

management-access inside

dhcpd auto_config outside

!

dhcpd address 10.0.3.20-10.0.3.40 inside

dhcpd dns 10.0.3.4 10.10.21.20 interface inside

dhcpd enable inside

!


threat-detection basic-threat

threat-detection statistics access-list

!

class-map global-class

match access-list global_mpc

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

class global-class

set connection timeout dcd 0:15:00 5

!

service-policy global_policy global

ntp server 192.5.41.41 source outside prefer

group-policy DfltGrpPolicy attributes

vpn-idle-timeout none

group-policy HRM internal

group-policy HRM attributes

dns-server value 10.0.3.4 10.0.3.3

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value HRM_splitTunnelAcl

default-domain value ht.hrm.lan

username admin password w20d0tLPgjaTj/.A encrypted privilege 15

username cisco password 3USUcOPFUiMCO4Jk encrypted

username mshelly password ZOD4cVyYEXcmtoTp encrypted privilege 0

username mshelly attributes

vpn-group-policy HRM

username smicale password WogHXVRV./MzF8ot encrypted privilege 0

username smicale attributes

vpn-group-policy HRM

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

tunnel-group 208.40.104.58 type ipsec-l2l

tunnel-group 208.40.104.58 ipsec-attributes

pre-shared-key *

tunnel-group 12.94.141.118 type ipsec-l2l

tunnel-group 12.94.141.118 ipsec-attributes

pre-shared-key *

tunnel-group 99.88.223.17 type ipsec-l2l

tunnel-group 99.88.223.17 ipsec-attributes

pre-shared-key *

tunnel-group 96.11.183.222 type ipsec-l2l

tunnel-group 96.11.183.222 ipsec-attributes

pre-shared-key *

tunnel-group HRM type remote-access

tunnel-group HRM general-attributes

address-pool VPN-Pool

default-group-policy HRM

tunnel-group HRM ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:d0a4f2c2818fb0f786a617e339044bfe

5 Replies

Julio Carvajal
VIP Alumni

Hello Scott,

Can you remove the following ACL lines:

no access-list outside_cryptomap extended permit ip 10.0.3.0 255.255.255.0 192.168.254.0 255.255.255.0

Now here are my questions:

If you are intending to create an RA IPSec session, why do you have a static crypto map for the destination:

access-list outside_1_cryptomap extended permit ip 10.0.3.0 255.255.255.0 192.168.1.0 255.255.255.0

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 208.40.104.58

crypto map outside_map 1 set transform-set ESP-3DES-SHA

You do not need that as this is going to be just a remote access connection based on clients so the peers can be more than one IP address, do you follow me?

So let me know why you are doing that and we will begin from there.

Regards,

Remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

I removed the 'access-list outside_cryptomap extended permit ip 10.0.3.0 255.255.255.0 192.168.254.0 255.255.255.0' that you mentioned and I still can't ping anything on the 10.0.3.0 network. The other info that you asked about is leftover code from an old VPN that I used to have set up between this site and another ASA that had an internal network of 192.168.1.0. That Site-to-Site VPN no longer exists.

Hello Scott,

Take out that configuration as well please!

access-list outside_1_cryptomap extended permit ip 10.0.3.0 255.255.255.0 192.168.1.0 255.255.255.0

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 208.40.104.58

crypto map outside_map 1 set transform-set ESP-3DES-SHA

tunnel-group 208.40.104.58 type ipsec-l2l

tunnel-group 208.40.104.58 ipsec-attributes

pre-shared-key *

All of that needs to be out, as you do not need it anymore.

Remember to rate all of my answers.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
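Added example (not from the thread and not Cisco code): a small Python audit that reads an excerpt of the config Scott pasted above and reports the problem Julio is pointing at. The ASA walks crypto map entries in sequence-number order, so a static entry (outside_map 1, 3, 4, 6) whose ACL matches traffic destined to the remote-access pool is chosen before the dynamic entry that a connected client negotiated, and the return traffic for the client goes nowhere useful. The script flags every static entry whose destination overlaps the pool, including a destination reached through an object-group, and it also reports the explicit `no crypto isakmp nat-traversal` line when remote-access tunnel-groups exist, since clients behind a home NAT router need NAT-T for ESP to pass. The config lines embedded below are copied from the pasted config; the function names and the excerpt selection are the example's own.

```python
"""Audit an ASA 8.x config excerpt for static crypto-map ACLs that overlap the
remote-access (RA) address pool.  Added example for this thread, not Cisco code."""
import ipaddress

# Excerpt of the config pasted in the thread (only the lines the audit needs;
# the full config is much longer).
CONFIG = """
object-group network DM_INLINE_NETWORK_1
 network-object 10.10.21.0 255.255.255.0
 network-object 192.168.254.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip host 10.0.3.4 host 172.16.20.26
access-list outside_cryptomap extended permit ip 10.0.3.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_cryptomap extended permit ip 10.0.3.0 255.255.255.0 192.168.254.0 255.255.255.0
ip local pool VPN-Pool 192.168.254.1-192.168.254.10 mask 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 208.40.104.58
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 12.94.141.118
crypto map outside_map 6 match address outside_cryptomap
crypto map outside_map 6 set peer 96.11.183.222
crypto map outside_map 65534 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
no crypto isakmp nat-traversal
tunnel-group HRM type remote-access
"""


def parse_config(text):
    """Pull out the pieces the audit needs from an ASA running-config."""
    cfg = {"groups": {}, "acls": {}, "pools": {}, "static_maps": {},
           "peers": {}, "ra_groups": [], "nat_t_disabled": False}
    current = None  # object-group whose network-object lines we are inside
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "network-object" and current is not None:
            if w[1] == "host":
                current.append(ipaddress.ip_network(w[2] + "/32"))
            else:
                current.append(ipaddress.ip_network(f"{w[1]}/{w[2]}", strict=False))
            continue
        current = None  # any other line ends the object-group block
        if w[:2] == ["object-group", "network"]:
            current = cfg["groups"].setdefault(w[2], [])
        elif w[0] == "access-list" and w[2:4] == ["extended", "permit"]:
            cfg["acls"].setdefault(w[1], []).append(w)
        elif w[:3] == ["ip", "local", "pool"]:
            first = w[4].split("-")[0]  # first address of the range
            mask = w[w.index("mask") + 1]
            cfg["pools"][w[3]] = ipaddress.ip_network(f"{first}/{mask}", strict=False)
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            cfg["static_maps"][(w[2], int(w[3]))] = w[6]  # static entry -> ACL
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"]:
            cfg["peers"][(w[2], int(w[3]))] = w[6]
        elif w == ["no", "crypto", "isakmp", "nat-traversal"]:
            cfg["nat_t_disabled"] = True
        elif w[0] == "tunnel-group" and w[2:4] == ["type", "remote-access"]:
            cfg["ra_groups"].append(w[1])
    return cfg


def parse_spec(tokens, i, groups):
    """Decode one ACE address spec at tokens[i]; return (networks, next index)."""
    tok = tokens[i]
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tok == "object-group":
        return list(groups.get(tokens[i + 1], [])), i + 2
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)], i + 2


def find_pool_overlaps(cfg):
    """Static crypto-map entries whose ACL destination overlaps an RA pool.

    Returns tuples (map entry, acl name, peer, overlapping dst, pool name)."""
    findings = []
    for (name, seq), acl in sorted(cfg["static_maps"].items()):
        peer = cfg["peers"].get((name, seq), "?")
        for ace in cfg["acls"].get(acl, []):
            # tokens: access-list NAME extended permit PROTO SRC... DST...
            _, i = parse_spec(ace, 5, cfg["groups"])
            dsts, _ = parse_spec(ace, i, cfg["groups"])
            for pool_name, pool in cfg["pools"].items():
                for dst in dsts:
                    if dst.overlaps(pool):
                        findings.append((f"{name} {seq}", acl, peer, str(dst), pool_name))
    return findings


def nat_t_warning(cfg):
    """Flag NAT-T explicitly disabled while RA tunnel-groups exist."""
    if cfg["nat_t_disabled"] and cfg["ra_groups"]:
        return ("nat-traversal disabled but remote-access groups exist: "
                + ", ".join(cfg["ra_groups"]))
    return None


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for entry, acl, peer, dst, pool in find_pool_overlaps(cfg):
        print(f"{entry} (peer {peer}) via ACL {acl}: dst {dst} overlaps pool {pool}")
    if nat_t_warning(cfg):
        print(nat_t_warning(cfg))
```

Run against the excerpt, the audit reports two hits, both on `crypto map outside_map 6` (peer 96.11.183.222): the explicit ACE Julio asked to remove, and the `192.168.254.0 255.255.255.0` member of `DM_INLINE_NETWORK_1`, which the first ACE of `outside_cryptomap` still references. Removing only the second ACE therefore leaves the overlap in place, which matches Scott's report that the ping still failed. The stale `outside_map 1` entry for 208.40.104.58 does not overlap the pool; it is listed by `parse_config` under `static_maps` so the leftover site-to-site entries can be reviewed and dropped as Julio suggests.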

What are the commands to remove these lines?

tunnel-group 208.40.104.58 type ipsec-l2l

tunnel-group 208.40.104.58 ipsec-attributes

pre-shared-key *

Can't seem to get them out.

Hi Scott,

Use clear configure tunnel-group 208.40.104.58 or no tunnel-group 208.40.104.58 ipsec-attributes to remove the tunnel group configurations.

Hope this helps.

Please do rate if the given information helps.

Karthik
