Problems with routing over a VPN Connection (ASA5505)

fvalpondi
Level 1

Dear all,

I have to connect two remote sites using an IPSec Tunnel (EasyVPN). The devices to be used are two Cisco ASA 5505.

They have already been connected to the internet and configured and they can see and ping each other via the “outside” interface. The inside interfaces on both sides have a private address range 192.168.160.0/24 and 192.168.128.0/24.

Before connecting them to the internet I configured them connected to a 2921 router that simulated the Internet (both interfaces had the addresses of the real gateways). In my test configuration the tunnel was established (checked via show isakmp sa) and two computers connected to the inside interfaces of each ASA could ping each other.

Test Config: *PC*-------*in*ASA*out*-------*2921*----------*out*ASA*in*---------*PC*

The problems came when I connected the ASA devices to the internet. The tunnel is established, but I cannot ping devices on the inside interface of the other ASA, even though the routing table has the correct values.

Real Config: *PC*-------*in*ASA*out*-------*Internet*----------*out*ASA*in*---------*PC*

I am not an expert with the ASA, but as far as I know there shouldn't be a problem with the inside interfaces having a private address, since the whole information is sent through the tunnel, right?

Thanks a lot for your help!
Fabio

23 Replies

Hi,

Here are the commands:

split-tunnel-policy tunnelall
split-tunnel-network-list none

Regards,

Altaf

Dear Altaf,

Thanks a lot for your help.

I will try it later since I do not have access to the server. In my site I only have access to the ASA client.

Regards,

Fabio

Hi Altaf,

It still does not work :-(

Taking a look at the packet tracer of both devices, it seems that they are always dropping the incoming packets. The sent ones go out without problems (also after doing the split-tunnel changes!).

If I change the security level of the interface vlan1 (inside), would it make any difference? I do not mind having it with the lowest security value. Is there any way to bypass the ACL for incoming traffic?

Best regards,

Fabio

Hi Altaf,

I somehow managed to find the solution for the problems I saw with the packet tracer. I just put an ACL permitting IP traffic on the outside interface (inbound). Apparently the traffic was being sent but not being received.

Now I have a problem that the incoming traffic on both ASAs is recognized as "IPSEC Spoof". Therefore it is also being dropped... I do not know if I should cry or just throw the ASA out of the window... :-((((

Regards,

Fabio

Hi Fabio,

Could I get your contact #? We could check this in a remote session.

-Altaf

Hi Altaf,

Thanks for your offer. Unfortunately, due to enterprise policy I am not allowed to do this. Furthermore, there is no public internet access where the ASAs are located. However, thank you very much for your offer!

I took a look and read about this IPSEC Spoof problem, and in most cases it has to do with NAT or the routing table. Since I am not NATting, I suppose that there is something wrong with the routing tables. Is there something specific that has to be done when routing through the tunnel? I took a look at the routing tables, and they seem correct to me. I do not know if the behavior in the ASA is different from the routers. All my Cisco experience has to do with routers and switches, not ASA.

Thanks again!

Fabio

This is the configuration from the device:

If I put security-level 0 on the inside interface, would it work? (Independently of the security issues.)

ASA# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ASA
enable password *************** encrypted
passwd ******************* encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.160.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.224
!
ftp mode passive
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
route outside 2.2.2.0 255.255.255.224 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.160.0 255.255.224.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.160.11-192.168.160.20 inside
dhcpd enable inside
!
vpnclient server 2.2.2.2
vpnclient mode network-extension-mode
vpnclient vpngroup groupname password ********
vpnclient username user password ********
vpnclient enable
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
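
A way to check the posted config against the points this thread keeps circling (whether the inside network is actually translated and lacks a NAT exemption, whether ICMP is inspected, which route carries traffic to the peer, and the interface security levels) is the following added example. It is not code from the thread or from Cisco; it assumes the peer's inside subnet 192.168.128.0/24 from the first post and runs on a constructed, abridged copy of the config above.

```python
"""Lint an ASA 8.2 running config for the points raised in this thread.

Added example, not code from the thread or from Cisco. CONFIG is a constructed,
abridged copy of the config posted above; the remote subnet is from post 1."""
import re
from ipaddress import ip_network

CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.160.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.224
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
vpnclient server 2.2.2.2
vpnclient mode network-extension-mode
policy-map global_policy
 class inspection_default
  inspect icmp
"""


def lint_asa(config, remote_net):
    """Return findings for traffic between the inside network and remote_net."""
    remote = ip_network(remote_net)
    net = lambda addr, mask: ip_network(f"{addr}/{mask}")
    # 'nat (ifc) <id>=1.. <addr> <mask>' is dynamic NAT/PAT; 'nat (ifc) 0
    # access-list <acl>' is the 8.2 NAT-exemption form that keeps traffic untranslated.
    dyn = re.findall(r"^nat \((\w+)\) [1-9]\d* (\S+) (\S+)$", config, re.M)
    exempt = re.findall(r"^nat \(\w+\) 0 access-list \S+$", config, re.M)
    catch_all = any(i == "inside" and net(a, m).prefixlen == 0 for i, a, m in dyn)
    # Longest-prefix match over static routes, which is how the ASA picks egress.
    routes = [(net(a, m), ifc, nh) for ifc, a, m, nh in
              re.findall(r"^route (\w+) (\S+) (\S+) (\S+) \d+$", config, re.M)]
    best = max((r for r in routes if remote.subnet_of(r[0])),
               key=lambda r: r[0].prefixlen, default=None)
    levels = re.findall(r"^ nameif (\w+)\n security-level (\d+)$", config, re.M)
    return {
        "inside_translated_without_exemption": catch_all and not exempt,
        "icmp_inspected": re.search(r"^ +inspect icmp$", config, re.M) is not None,
        "egress_for_remote": None if best is None else (best[1], best[2]),
        "security_levels": {name: int(lvl) for name, lvl in levels},
        "easyvpn_nem": "\nvpnclient mode network-extension-mode\n" in config,
    }
```

Run `lint_asa(CONFIG, "192.168.128.0/24")` on the config as posted: it reports the inside network covered by the catch-all PAT rule with no `nat 0 access-list` exemption, ICMP inspection present, and the peer subnet reached only through the default route on outside.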

You don't have ICMP inspection on your default inspection map.

Cisco Firewalls and PING

Pete

Hi Pete,

But the problem was not there when I had the ASAs connected to my test scenario via the 2911 as "internet simulation".

Thanks!

Fabio
