I have a test environment with two ASA 5505 firewalls: the first firewall is a remote access VPN server, and the inside side of this firewall is a domain network with a domain controller, DNS server and one workstation. DHCP is off and the PCs have static addresses. The outside of the VPN server is attached to the outside of the other ASA 5505 firewall. On the inner side of that firewall there is one workstation. The workstation should connect through remote access VPN to the domain network. I have configured the remote access VPN server through a wizard, and its
configuration is as follows:
Result of the command: "show running-config"
ASA Version 8.2(1)
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
ip address 10.13.74.5 255.255.255.0
ip address 192.168.30.1 255.255.255.0
switchport access vlan 2
ftp mode passive
dns server-group DefaultDNS
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.240
access-list outside_access_in extended permit tcp 192.168.50.0 255.255.255.240 10.13.74.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.50.1-192.168.50.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.30.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
aaa-server vpn protocol ldap
aaa-server vpn (inside) host 10.13.74.20
http server enable
http 10.13.74.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 10.13.74.9-10.13.74.40 inside
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy drivpn internal
group-policy drivpn attributes
dns-server value 10.13.74.20 10.8.2.5
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value dri.local
tunnel-group drivpn type remote-access
tunnel-group drivpn general-attributes
tunnel-group drivpn ipsec-attributes
policy-map type inspect dns preset_dns_map
message-length maximum 512
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
service-policy global_policy global
prompt hostname context
When I tried from the workstation on the inner side of the second firewall (not the remote access VPN server) to connect to the VPN, all was OK. I used the Cisco VPN client, but I can't ping the domain controller or the workstation, and I can't use shared folders on them. Why?
Please help me.
Can you ping the DC etc. from the ASA? I suppose yes, since your LDAP auth appears to work OK.
Do the inside hosts have the ASA as their default gateway, or do they have a route to 192.168.50.0 pointing to the ASA?
If that's not it, I would start by getting captures on the inside interface of the ASA (the one configured for RA VPN) when you ping the DC, to see if your echo requests go out and if there is any reply.
Yes, I can ping the DC from the ASA. The inside hosts have the ASA as their default gateway.
I ran the ping from the workstation on the inner side of the other ASA 5505 firewall (remote access VPN user):
I can ping the inside hosts which connect directly to the ASA, but I can't ping the inside hosts which connect to the ASA over the switch. Also, I can't ping the DC because it is behind the switch.
So you have:
DC --- switch --- ASA1 --- ASA2 --- client
and from the client, when it is connected via VPN to ASA1, you can ping host2 but not the DC?
But you *can* ping the DC from the ASA?
Is the switch just layer 2, or is it an L3 switch?
Can you do a capture on the inside of ASA1?
Problem solved. My DC had a faulty default gateway. When I set the correct default gateway, all is alright. Thanks for the help.
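The two things the replies above check by hand, whether the VPN pool is covered by the NAT exemption ACL and whether each inside host's routing sends replies for the pool back through the ASA, can be scripted. This is an added example, not code from the thread or from Cisco; the config excerpt is taken from the running-config above, while the inside host table (the DC's wrong gateway 10.13.74.1 in particular) is constructed, since the thread never states the faulty value.

```python
import ipaddress
import re

# Constructed excerpt of the thread's ASA config (only the lines the checks need).
ASA_CONFIG = """
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.240
ip local pool vpnpool 192.168.50.1-192.168.50.10 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)", re.M)
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)", re.M)

def nat0_networks(config):
    """Destination networks the 'nat (inside) 0' access-list exempts from PAT."""
    m = NAT0_RE.search(config)
    if not m:
        return []
    acl_re = re.compile(
        rf"^access-list {re.escape(m.group(1))} extended permit ip \S+ (\S+) (\S+)", re.M)
    return [ipaddress.ip_network(f"{net}/{mask}") for net, mask in acl_re.findall(config)]

def pool_uncovered(config):
    """VPN pool addresses not covered by the NAT exemption; inside->client traffic
    to these would be translated to the outside interface and replies would break."""
    start, end = (ipaddress.ip_address(a) for a in POOL_RE.search(config).groups())
    nets = nat0_networks(config)
    pool = (ipaddress.ip_address(i) for i in range(int(start), int(end) + 1))
    return [str(a) for a in pool if not any(a in n for n in nets)]

def hosts_without_return_path(hosts, asa_inside_ip, vpn_pool):
    """Inside hosts whose routing would not send replies to the VPN pool via the ASA.
    hosts: {name: {"gw": default gateway, "routes": {"net/prefix": next_hop}}}."""
    pool = ipaddress.ip_network(vpn_pool)
    asa = ipaddress.ip_address(asa_inside_ip)
    bad = []
    for name, h in hosts.items():
        next_hop = h["gw"]
        for net, nh in h.get("routes", {}).items():  # a more specific route wins
            if pool.subnet_of(ipaddress.ip_network(net)):
                next_hop = nh
        if ipaddress.ip_address(next_hop) != asa:
            bad.append(name)
    return bad

if __name__ == "__main__":  # constructed hosts; the DC's gateway is wrong, as in the thread
    hosts = {"DC": {"gw": "10.13.74.1"}, "WS1": {"gw": "10.13.74.5"}}
    print(pool_uncovered(ASA_CONFIG), hosts_without_return_path(hosts, "10.13.74.5", "192.168.50.0/28"))
```

With the thread's config the pool is fully exempted, so the only finding is the DC, which matches the final diagnosis.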