08-04-2010 09:53 AM
I configured the ASA with a remote access VPN:
VLAN 1:
ASA5505(config)# interface VLAN 1
ASA5505(config-if)# nameif inside
ASA5505(config-if)# security-level 100
ASA5505(config-if)# ip address 100.11.32.251 255.255.255.0
ASA5505(config-if)# no shutdown
VLAN 2:
ASA5505(config)# interface VLAN 2
ASA5505(config-if)# nameif outside
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 192.168.1.1 255.255.255.0
ASA5505(config-if)# no shutdown
Allow Ethernet 0/0 to access VLAN 2 (outside)
ASA5505(config)# interface Ethernet 0/0
ASA5505(config-if)# switchport mode access
ASA5505(config-if)# switchport access VLAN 2
ASA5505(config-if)# no shutdown
Allow Ethernet 0/1-7 to access VLAN 1 (inside)
ASA5505(config)# interface Ethernet 0/1
ASA5505(config-if)# switchport mode access
ASA5505(config-if)# switchport access VLAN 1
ASA5505(config-if)# no shutdown
ASA5505(config)# route outside 0.0.0.0 0.0.0.0 192.168.1.2 1
ASA5505(config)# isakmp policy 2
ASA5505(config-isakmp-policy)# authentication pre-share
ASA5505(config-isakmp-policy)# encryption des
ASA5505(config-isakmp-policy)# hash md5
ASA5505(config-isakmp-policy)# exit
Enable isakmp on interface outside
ASA5505(config)# crypto isakmp identity address
ASA5505(config)# crypto isakmp enable outside
Create an IP pool named VPNclient with the range 192.168.168.1-192.168.168.254/24
ASA5505(config)# ip local pool VPNclient 192.168.168.1-192.168.168.254 mask 255.255.255.0
Create a username/password for the VPN client, used for authentication against LOCAL
ASA5505(config)# username xxxxx password xxxxxxx privilege 15
Create a transform-set named myset
ASA5505(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac
Select tunnel-group type/attributes
ASA5505(config)# tunnel-group IM type ipsec-ra
ASA5505(config)# tunnel-group IM general-attributes
ASA5505(config-tunnel-general)# address-pool VPNclient
ASA5505(config-tunnel-general)# exit
Create the user/password for group authentication
ASA5505(config)# tunnel-group IM ipsec-attributes
ASA5505(config-tunnel-ipsec)# pre-shared-key xxxxxxx
Create an access-list for interesting traffic
ASA5505(config)# access-list Client permit ip 100.11.32.0 255.255.255.0 192.168.168.0 255.255.255.0
ASA5505(config)# nat (inside) 0 access-list Client
Create a dynamic map
ASA5505(config)# crypto dynamic-map dyn1 1 set transform-set myset
ASA5505(config)# crypto dynamic-map dyn1 1 set reverse-route
Create a crypto map and assign it to the outside interface
ASA5505(config)# crypto map mymap 10 ipsec-isakmp dynamic dyn1
ASA5505(config)# crypto map mymap interface outside
But when I connect the VPN to the ASA, I can't ping my server on the inside. My server has IP address 110.11.32.20 (no default gateway set).
Please help me!
08-04-2010 11:39 AM
Check no-NAT or NAT exemption.
Your nat 0 access-list should have an ACL permitting from the internal network to the pool IPs.
Enter these commands:
sysopt connection permit-vpn
crypto isa nat-t
I am not sure whether you want it this way, but you have your private IP in the less secure zone and the public IP in the more secure zone.
Enter the command "management-access" and check if you can ping the inside interface IP.
If all this doesn't work,
paste the output of the following:
show crypto ipsec sa
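The procedure in the first post and the checklist in the reply above (NAT exemption covering the pool, sysopt connection permit-vpn, NAT-T, routes) can be turned into a mechanical audit. The script below is an added example for this page, not the poster's configuration and not a Cisco tool: it parses a constructed sample in ASA 8.x 'show run' form, modelled on the config posted later in the thread, and reports which checks fail. One caveat a practitioner needs before running it against a real device: 'sysopt connection permit-vpn' is on by default and, like every default, is not printed by 'show run', so the audit flags only its explicit negation, never its absence. It also flags the single-DES/MD5 transform-set as weak, which is separate from the connectivity problem but is the first thing a reviewer of this config should raise.

```python
"""Audit ASA 8.x running-config text for the checks raised in this thread: NAT exemption
for the VPN pool, sysopt connection permit-vpn, NAT-T, a default route and weak IPsec
algorithms. Added example for this page; neither Cisco tooling nor the poster's code."""
import ipaddress

WEAK_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}

# Constructed sample modelled on the thread's posted config (trimmed; not from a live
# device). Leading spaces mark sub-commands, as 'show run' prints them.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.11.32.251 255.255.255.0
access-list client extended permit ip 10.11.32.0 255.255.255.0 192.168.168.0 255.255.255.0
ip local pool VPNclient 192.168.168.1-192.168.168.254 mask 255.255.255.0
nat (inside) 0 access-list client
route outside 0.0.0.0 0.0.0.0 110.35.74.5 1
crypto ipsec transform-set myset esp-des esp-md5-hmac
tunnel-group IM general-attributes
 address-pool VPNclient
"""

def _net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_config(text):
    """Pull the VPN-relevant objects out of ASA CLI text."""
    cfg = {"ifaces": {}, "pools": {}, "acls": {}, "nat0": {}, "tsets": {},
           "tgroups": {}, "default_route": None, "raw": set()}
    cur = None                                  # dict receiving the current block's sub-commands
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        cfg["raw"].add(line)
        t = line.split()
        if raw[:1] == " ":                      # indented sub-command of cur
            if cur is None:
                continue
            if cur["kind"] == "if" and t[0] == "nameif":
                cur["name"] = t[1]
            elif cur["kind"] == "if" and t[:2] == ["ip", "address"]:
                cfg["ifaces"][cur["name"]] = _net(t[2], t[3])
            elif cur["kind"] == "tg" and t[0] == "address-pool":
                cur["pool"] = t[1]
            continue
        cur = None                              # top-level command
        if t[0] == "interface":
            cur = {"kind": "if", "name": None}
        elif t[0] == "tunnel-group" and t[2] == "general-attributes":
            cur = cfg["tgroups"].setdefault(t[1], {"kind": "tg"})
        elif t[0] == "access-list" and "permit" in t:
            i = t.index("permit")               # permit PROTO SRC SMASK DST DMASK
            try:                                # 'any' / 'host' forms are not modelled here
                cfg["acls"].setdefault(t[1], []).append((_net(t[i + 2], t[i + 3]), _net(t[i + 4], t[i + 5])))
            except (IndexError, ValueError):
                pass
        elif t[:3] == ["ip", "local", "pool"]:
            cfg["pools"][t[3]] = _net(t[4].split("-")[0], t[6])
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][t[3]] = t[4:]
        elif t[0] == "route" and t[2] == t[3] == "0.0.0.0":
            cfg["default_route"] = (t[1], t[4])
    return cfg

def audit(cfg):
    """Return human-readable findings; an empty list means every check passed."""
    f = []
    for name, tg in cfg["tgroups"].items():
        pool = cfg["pools"].get(tg.get("pool"))
        if pool is None:
            f.append(f"tunnel-group {name}: no address-pool, or the pool is undefined")
            continue
        if not cfg["nat0"]:
            f.append(f"no 'nat (ifc) 0 access-list' exemption: pool {pool} traffic will be NATed")
        for ifc, acl in cfg["nat0"].items():
            inside = cfg["ifaces"].get(ifc)
            covered = inside is not None and any(inside.subnet_of(src) and pool.subnet_of(dst)
                                                 for src, dst in cfg["acls"].get(acl, []))
            if not covered:
                f.append(f"nat ({ifc}) 0 acl '{acl}' does not exempt {inside} -> pool {pool}")
    # permit-vpn is on by default and 'show run' omits defaults: only the negation is a finding
    if "no sysopt connection permit-vpn" in cfg["raw"]:
        f.append("sysopt connection permit-vpn disabled: decrypted traffic is filtered by interface ACLs")
    if not any(ln.startswith("crypto isakmp nat-traversal") for ln in cfg["raw"]):
        f.append("NAT-T not explicit: verify the release default, or that clients use ipsec-over-tcp")
    if cfg["default_route"] is None:
        f.append("no default route: return traffic to remote peers has no path")
    for name, algs in cfg["tsets"].items():
        if any(a in WEAK_ALGS for a in algs):
            f.append(f"transform-set {name} uses weak algorithms: {' '.join(algs)}")
    return f

if __name__ == "__main__":
    print(*audit(parse_config(SAMPLE_CONFIG)), sep="\n")
```

On the sample, audit(parse_config(...)) returns only the NAT-T and weak-algorithm findings; removing the 'nat (inside) 0' line, or pointing the ACL's destination at a network other than the pool, reproduces the missing-exemption finding that the reply is asking the original poster to rule out.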
08-04-2010 11:09 PM
Thanks.
I can ping one inside IP. I still can't ping the other inside IP.
When I show the running configuration I see "icmp unreachable rate-limit 1 burst-size 1". I configured an ACL permitting IP from inside to the pool's IPs.
What should I do?
08-04-2010 11:18 PM
Check if you have routes to reach 110.11.32.20 on the ASA.
Check on the other layer 3 devices you have between the ASA and 110.11.32.20 whether they have routes to get to the VPN pool IPs.
Please paste sh cry ips sa.
08-04-2010 11:28 PM
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name aaaaa.com
enable password xxxxxx
passwd xxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.11.32.251 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 110.35.74.6 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name aaaaa.com
access-list client extended permit ip 10.11.32.0 255.255.255.0 192.168.168.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPNclient 192.168.168.1-192.168.168.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list client
route outside 0.0.0.0 0.0.0.0 110.35.74.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set myset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 2
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 10.11.32.20 255.255.255.255 inside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username cccccc password xxxxxx encrypted privilege 15
tunnel-group IM type remote-access
tunnel-group IM general-attributes
address-pool VPNclient
tunnel-group IM ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:47981e187a1fdfa8206d5aa14a5de0ad
: end
08-04-2010 11:32 PM
Yes,
This is my show run
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name aaaaa.com
enable password xxxxx encrypted
passwd xxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.11.32.251 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 110.35.74.6 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name aaaaa.com
access-list client extended permit ip 10.11.32.0 255.255.255.0 192.168.168.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPNclient 192.168.168.1-192.168.168.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list client
route outside 0.0.0.0 0.0.0.0 110.35.74.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set myset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 2
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 10.11.32.20 255.255.255.255 inside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username thac password xxxxx encrypted privilege 15
tunnel-group IM type remote-access
tunnel-group IM general-attributes
address-pool VPNclient
tunnel-group IM ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:47981e187a1fdfa8206d5aa14a5de0ad
: end
08-04-2010 11:37 PM
This is different from what you had posted earlier.
08-04-2010 11:51 PM
Sorry,
I am posting show crypto ipsec sa:
interface: outside
Crypto map tag: dyn1, seq num: 1, local addr: 110.35.74.6
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.168.1/255.255.255.255/0/0)
current_peer: 110.35.74.5, username: thac86
dynamic allocated peer ip: 192.168.168.1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 110.35.74.6/10000, remote crypto endpt.: 110.35.74.5/4120
path mtu 1500, ipsec overhead 94, media mtu 1500
current outbound spi: DFEA853D
inbound esp sas:
spi: 0xB5FFB642 (3053434434)
transform: esp-des esp-md5-hmac no compression
in use settings ={RA, Tunnel, TCP-Encaps, }
slot: 0, conn_id: 40960, crypto-map: dyn1
sa timing: remaining key lifetime (sec): 28751
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xDFEA853D (3756688701)
transform: esp-des esp-md5-hmac no compression
in use settings ={RA, Tunnel, TCP-Encaps, }
slot: 0, conn_id: 40960, crypto-map: dyn1
sa timing: remaining key lifetime (sec): 28749
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
08-05-2010 08:14 AM
Hi thac,
can you please confirm which is the correct config, as you have pasted 2 different configs?
08-05-2010 09:06 AM
Sorry for the inconvenience.
This is the correct configuration.
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name aaaaa.com
enable password xxxxx encrypted
passwd xxxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.11.32.251 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 110.35.74.6 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name aaaaa.com
access-list client extended permit ip 10.11.32.0 255.255.255.0 192.168.168.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool VPNclient 192.168.168.1-192.168.168.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list client
route outside 0.0.0.0 0.0.0.0 110.35.74.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set myset
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 10 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 2
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 10.11.32.20 255.255.255.255 inside
ssh timeout 30
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username thac password xxxxx encrypted privilege 15
tunnel-group IM type remote-access
tunnel-group IM general-attributes
address-pool VPNclient
tunnel-group IM ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:47981e187a1fdfa8206d5aa14a5de0ad
: end
08-05-2010 09:54 AM
Hello,
I am assuming that you are using remote VPN clients. I don't see a group policy configured for the VPN clients.
group-policy ipsec-attributes
pre-shared-key *
Hope this helps.
Regards,
NT
08-05-2010 11:30 AM
I think the tunnel is fine because we see SPIs and we can ping the inside IP with management-access inside.
Can you apply some captures and see:
capture capin interface inside match ip host
After this, ping the internal IP.
sh cap capin
See if the traffic is leaving the firewall and coming back,
because I see decaps but no encaps.
This means: check NATting and routing.
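The reasoning in this last reply (decaps present, encaps missing or far lower, so the tunnel is up and the fault is on the inside) is the standard way to read this output, and it can be automated. The parser below is an added example for this page, not Cisco tooling and not anything the posters ran: it turns 'show crypto ipsec sa' text into one record per SA and classifies each SA from its counters. The sample is the output posted earlier in this thread, re-indented as the ASA prints it and trimmed to the fields read; the 5:1 decaps-to-encaps threshold for the 'asymmetric' verdict is an arbitrary choice for this example, not an ASA convention.

```python
"""Parse 'show crypto ipsec sa' text into one record per SA and read the counters the
way the last reply does: packets decapsulated from the client (decaps) with few or no
packets encapsulated back (encaps) means the tunnel is up but return traffic is not
reaching it, which points at NAT exemption or inside routing rather than at IKE/IPsec.
Added example for this page; not Cisco tooling."""
import re

# Sample taken from the output posted in this thread, re-indented as the ASA prints it
# and trimmed to the fields the parser reads.
SAMPLE_SA = """\
interface: outside
    Crypto map tag: dyn1, seq num: 1, local addr: 110.35.74.6

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.168.1/255.255.255.255/0/0)
      current_peer: 110.35.74.5, username: thac86
      dynamic allocated peer ip: 192.168.168.1

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 110.35.74.6/10000, remote crypto endpt.: 110.35.74.5/4120
      current outbound spi: DFEA853D

    inbound esp sas:
      spi: 0xB5FFB642 (3053434434)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={RA, Tunnel, TCP-Encaps, }
    outbound esp sas:
      spi: 0xDFEA853D (3756688701)
         transform: esp-des esp-md5-hmac no compression
         in use settings ={RA, Tunnel, TCP-Encaps, }
"""

FIELDS = {                      # one regex per field; all-digit captures become int
    "crypto_map": r"Crypto map tag: (\S+),",
    "local_addr": r"local addr: (\S+)",
    "remote_ident": r"remote ident \(addr/mask/prot/port\): \((\S+?)/",
    "peer": r"current_peer: (\S+),",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors: (\d+)",
    "recv_errors": r"#recv errors: (\d+)",
}

def parse_ipsec_sa(text):
    """Split the output at each 'Crypto map tag:' line and extract FIELDS from each block."""
    sas = []
    for block in re.split(r"^(?=[ \t]*Crypto map tag:)", text, flags=re.M):
        if "Crypto map tag:" not in block:
            continue
        sa = {}
        for key, pat in FIELDS.items():
            m = re.search(pat, block)
            sa[key] = None if m is None else (int(m.group(1)) if m.group(1).isdigit() else m.group(1))
        sa["spis"] = re.findall(r"spi: (0x[0-9A-Fa-f]+)", block)      # inbound first, then outbound
        m = re.search(r"transform: (.+)", block)
        sa["transform"] = m.group(1).strip() if m else None
        sa["tcp_encaps"] = "TCP-Encaps" in block                     # IPsec-over-TCP, as in the thread
        sas.append(sa)
    return sas

def diagnose(sa, ratio=5):
    """Classify one SA from its counters; 'ratio' is an arbitrary threshold for this example."""
    if not sa["spis"]:
        return "no-sa", "no ESP SAs: IKE or IPsec negotiation did not complete"
    if sa["send_errors"] or sa["recv_errors"]:
        return "errors", f"send/recv errors {sa['send_errors']}/{sa['recv_errors']}: check MTU and replay"
    if sa["decaps"] and not sa["encaps"]:
        return "one-way", (f"{sa['decaps']} decaps, 0 encaps: tunnel is up but nothing is sent back; "
                           f"check NAT exemption and routing for {sa['remote_ident']}")
    if sa["decaps"] and sa["encaps"] * ratio < sa["decaps"]:
        return "asymmetric", (f"{sa['decaps']} decaps vs {sa['encaps']} encaps: most client traffic gets "
                              f"no reply; verify inside hosts route {sa['remote_ident']} back to the ASA")
    return "ok", f"{sa['encaps']} encaps / {sa['decaps']} decaps"

if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_SA):
        print(sa["crypto_map"], sa["peer"], sa["remote_ident"], *diagnose(sa))
```

On the thread's output it reports 76 decaps against 4 encaps, that is, nearly every packet the client sends gets no reply, with the remote ident 192.168.168.1 (the pool address) as the destination that the inside host has to be able to route back to the ASA; the capture on the inside interface suggested in the reply then shows whether the packet ever left the ASA at all.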