Michael

There are several things that I wonder about in the config. Probably the most serious is your configuration of nat0 on the inside interface. Why do you have two nat0 commands? And why do both of them use a host for the destination instead of a network?

access-list inside_nat0_outbound_1 extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.0

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 host 192.168.0.0

What you have got here will result in the ASA doing address translation of traffic going through the VPN and is likely the reason why no traffic goes through. So my first suggestion would be to simplify to one nat0 and having it look something like this

access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0

I also suggest that you remove these lines from the crypto ACL

access-list outside_1_cryptomap extended permit ip interface inside any

access-list outside_1_cryptomap extended permit ip any interface inside

and I question why this line is in the crypto ACL

access-list outside_1_cryptomap extended permit ip object-group net-remote object-group net-local

In setting up site to site VPN the crypto ACL on each side should mirror the ACL on the other side and keeping extraneous entries out of the ACL will simplify accomplishing this.

While I do not think that it impacts the VPN I will suggest that since you are not using this ACL that it should be removed from the config.

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit tcp any any

access-list inside_access_in extended permit udp any any

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit udp any any eq isakmp

And I find your outside ACL to be quite strange

access-list outside_access_in extended permit icmp any any

I do not think that it impacts the VPN but suggest that you might want to permit more than just ICMP traffic.

HTH

Rick

I added the nat command you suggested. However when I removed the command...

       access-list outside_1_cryptomap extended permit ip interface inside any, I lost my remote connection into the network...have to go down to site physically tomorrow and reboot to startup config...

Here is the config with the changes...I did permit ip, udp, and tcp outside traffic as well that may not be reflected in here. However, still cannot ping or resolve dns to see my network and domain.

Thanks for all your help...I have been dealing with this for 3 weeks!

User Access Verification

Password:
Type help or '?' for a list of available commands.
PFDowntown> enable
Password: **************
PFDowntown# sho run
: Saved
:
ASA Version 8.2(5)
!
hostname PFDowntown
domain-name golds.local
enable password s4sg6AZKKWez7RdB encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.3 Server description dns server
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.xx 255.255.255.252
!
ftp mode passive
dns server-group DefaultDNS
domain-name golds.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network net-local
network-object 192.168.2.0 255.255.255.0
object-group network net-remote
network-object 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 19
2.168.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group net-local object
-group net-remote
access-list outside_1_cryptomap extended permit ip object-group net-remote objec
t-group net-local
access-list inside_access_in_1 extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list global_mpc extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound outside
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in_1 in interface inside control-plane
access-group outside_access_in in interface outside
!
router rip
network 192.168.0.0
!
route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1
route inside 0.0.0.0 0.0.0.0 192.168.0.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection preserve-vpn-flows
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer xx.xx.xx.xx
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA

quit
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp ipsec-over-tcp port 10000
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcp-client update dns server both
dhcpd auto_config outside
!
dhcpd address 192.168.2.50-192.168.2.100 inside
dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface inside
dhcpd domain golds.local interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-filter value inside_nat0_outbound
vpn-tunnel-protocol IPSec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
username admin password Rras1ufhYNBlonui encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
tunnel-group xx.xx.xx.xx type ipsec-l2l
tunnel-group xx.xx.xx.xx general-attributes
default-group-policy GroupPolicy1
tunnel-group xx.xx.xx.xx ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive disable
no tunnel-group-map enable ou
no tunnel-group-map enable ike-id
tunnel-group-map default-group xx.xx.xx.xx
!
class-map global-class
match access-list global_mpc
!
!
policy-map global-policy
class global-class
  inspect icmp
!
service-policy global-policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:79078712b2dcc28a1c653dbbb42d825f
: end

--

Thanks for posting the updated config. Since you seem to be able to login to the ASA again do I assume that you were able to resolve the problem that you mentioned in your previous post?

One issue that I see is in this route statement

route inside 0.0.0.0 0.0.0.0 192.168.0.1 tunneled

You are routing through the inside interface but the next hop that you specify is in the remote network. And I see a similar issue in your configuration of rip

router rip
network 192.168.0.0

If you address these and still have I problem then I suggest that (as a test) you remove this line from the config and let us know if it makes a difference

vpn-filter value inside_nat0_outbound

HTH

Rick

I thought about these route statements as well. Should I remove the one or change it? What about the rip statement?

router rip

network 0.0.0.0

Thanks for helping us on this forum...sure is nice to have experienced people help you through the tough issues.

It is easier to look at the config and to find things that are inconsistent with what is in the config. That is how I identified these two problems. It is a bit more difficult to know what to do about them without knowing more about the network to which you are connected.

As far as the first prblem of

route inside 0.0.0.0 0.0.0.0 192.168.0.1 tunneled

the tunneled routes are typically used with Remote Access VPN. The config indicates that you are not running Remote Access VPN. If that is correct then just remove this line.

As far as network 0.0.0.0 under router rip is concerned, the result of using this would be that you would run rip on the outside interface as well as the inside interface. Unless there are things that you have not yet told us, I believe that running rip on the outside interface would be pretty bad and I suggest that you not do this.

I would suggest that the first question should be do you really need to run rip on this ASA? Perhaps the best way to answer this would be for you to tell us whether there is a router connected to the 192.168.2.0 network to share rip updates and are there other networks/subnets that the router knows about and that it needs to advertise to the ASA. If there is then you probably do need router rip and need to find an appropriate network statement. If there is no router connected through the inside interface and no other network/subnets that the ASA needs to learn then you do not need router rip at all.

HTH

Rick

Hi Rick,

The scenario is that I have one corporate site, 3 remote sites. All are needing to connect site-to-site vpn tunnel with DNS capabilities for accessing servers at corporate, they previously had sonicwalls configured as VPN and moving toward Cisco. Corporate will eventually get a 5510 installed, but for now the ASA5505 at each site is being installed to connect to a sonicwall TZ180.

There will be an eventual need for them to be a part of the same network through VPN and intercommunication will be essential. However for now inside network at corporate is 192.168.0.1 and all remote sites are 2.1, 20.1, and 200.1. All with varying service providers according to area.

There are no other routers other than these ASA firewalls on any of the subnets that are routing. (other than internal wireless access points).

So if my understanding is correct, no I am not running Remote Access VPN but Site-to-Site VPN...so I will remove this statement. Also, I have no need that I can think of for running RIP on outside interface at this point as it is just a simple firewall to firewall routing scenario with VPN tunnels, no routers behind ASA's at all....so I will remove this statement.

Still not sure why ping or DNS is not working through tunnel. I cannot get to my DNS server by ip or name resolution.

So do go ahead and remove both the route tunneled and the router rip statements. I am not optimistic that it will fix your problem but it will remove some issues of incompatibility in the configuration. If ping still does not work and if DNS still does not work then please provide some details of these problems:

- for ping what ip address is initiating the ping and what address is it attempting to ping.

- for DNS where is the server, where is the client? I see that in the configuration of DHCP that some DNS server is specified - is this the one that does not work? Id so we will need some detail about where it is (dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface inside in the config does not give us much to work with).

HTH

Rick

I am attempting to ping from the ASA 192.168.2.1 to the DNS server 192.168.0.3 accross the tunnel. DHCP for this remote site comes from the ASA. DHCP for the Corporate site 0.1 is done by the DNS server for that local subnet. DNS server is at corporate location and client is at remote location. Yes, the DNS server that is specified is the one that is not working for this remote site. I don't need DNS from the router only from the server at a remote location (corp).

RIP and route tunneled have both been removed. Thanks for your reply.

Can you verify that the VPN tunnel is being established correctly from the ASA to the Sonicwall? Can you post the output of the show command for the IPSec Security Associations?

HTH

Rick

PFDowntown(config)# show ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: xx.xx.xx.74

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255
.0 192.168.0.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer: xx.xx.xx.65

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 12432, #pkts decrypt: 12432, #pkts verify: 12432
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: xx.xx.xx.74, remote crypto endpt.: xx.xx.xx.65

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 1F0AA8CB
current inbound spi : 2EB562AA

inbound esp sas:
spi: 0x2EB562AA (783639210)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 106496, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 16023
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x1F0AA8CB (520792267)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 106496, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 16022
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Thank you for the additional information. I believe that these 2 lines are key in understanding what is going on

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 12432, #pkts decrypt: 12432, #pkts verify: 12432

These indicate that you are receiving data over the tunnel but are not sending any data over the tunnel. It is not clear what is causing this but I suspect that there may be some mismatch between your ASA and the corporate Sonicwall. What happens if you attempt to ping 192.168.0.3 from a PC connected in the LAN of the ASA?

HTH

Rick

Request times out...