Re: Asa5505 Site to Site Issue - Page 3

xr5054yz85 · ‎10-16-2010

Hello, I have an Asa5505 that I am trying to configure it to be a site to site vpn. I can get to the internet behind the asa and I can connect to the VPN, so it must be an issue with just the way that I am trying to connect site to site. IP of the VPN is 1.1.1.1 and my group is test and username test1. When I try to go to http://10.241.113.194 I cannot access the page. IP is changed for security. Thanks for your help in advance.

Here is my config....ASA Version 7.2(3)

!

hostname ciscoasa

domain-name comcast.net

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.200 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 4Wtw78CIa2UJQxhM encrypted

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 205.171.2.65

name-server 205.171.3.65

domain-name comcast.net

access-list Home_Users_splitTunnelAcl standard permit any

access-list inside_nat0_outbound extended deny ip any host 207.225.227.242

access-list inside_nat0_outbound extended deny ip 192.168.1.0 255.255.255.0 any

access-list inside_nat0_outbound extended permit ip any any

access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192

access-list Home_Users_splitTunnelAcl_1 standard permit any

access-list Home_Users_splitTunnelAcl_2 standard permit any

access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool hoe_addressed 192.168.1.75-192.168.1.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set pfs

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set pfs

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map0 1 match address outside_1_cryptomap

crypto map outside_map0 1 set pfs

crypto map outside_map0 1 set peer 1.1.1.1

crypto map outside_map0 1 set transform-set ESP-3DES-SHA

crypto map outside_map0 interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.129 inside

dhcpd enable inside

!

vpnclient server 1.1.1.1

vpnclient mode client-mode

vpnclient vpngroup test password ********

vpnclient username test1 password ********

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect icmp

inspect icmp error

!

service-policy global_policy global

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

pre-shared-key *

prompt hostname context

Cryptochecksum:98ac6f4e89af2535963c6a2de08d9132

: end

Your help in this issue is very much appreciate. Thank you!

xr5054yz85 · ‎11-03-2010

Is anyone able to lend a hand with this issue.

Thanks!

Jennifer Halim · ‎11-03-2010

Seems like your outside and inside interfaces are in the same subnet:

Interface Vlan1 "inside", is up, line protocol is up

IP address 192.168.1.199, subnet mask 255.255.255.0

Interface Vlan2 "outside", is up, line protocol is up

IP address 192.168.1.103, subnet mask 255.255.0.0

Can you please change your inside subnet to a different subnet all together? and also please make sure that it is unique from the VPN Concentrator point of view as well. Please don't use 192.168.0.0 subnet because it appears that your outside interface (which is DHCP assigned by your ISP) has /16 subnet so you can't use 192.168.0.0 anymore for your internal network.

I would suggest that you use unique range from 10.0.0.0 subnet, or 172.16.0.0 subnet.

xr5054yz85 · ‎11-04-2010

Thanks for the reply, and sticking with me on this. Here are a few outputs, but still no luck

Still same issue with pinging 10.241.113.194 the " #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4" increases, but when I go ping inside 10.241.113.194 those numbers remain the same.

Also, tried connecting directly to the modem and taking out the router. Still same result.

Thanks!

I tired this to see if I could ping from inside, to 8.8.8.8 ( Google's DNS servers) and I cannot. Could something be wrong with my inside interfaces?

ciscoasa# ping inside 8.8.8.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ciscoasa# ping 8.8.8.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/30 ms

ciscoasa#

ciscoasa# ping inside 10.241.113.194

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.241.113.194, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ciscoasa# ping 10.241.113.194

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.241.113.194, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ciscoasa#

ciscoasa# show interface

Interface Vlan1 "inside", is up, line protocol is up

Hardware is EtherSVI

MAC address 001e.be9e.592a, MTU 1500

IP address 10.240.112.0, subnet mask 255.255.0.0

Traffic Statistics for "inside":

0 packets input, 0 bytes

1 packets output, 28 bytes

0 packets dropped

1 minute input rate 0 pkts/sec, 0 bytes/sec

1 minute output rate 0 pkts/sec, 0 bytes/sec

1 minute drop rate, 0 pkts/sec

5 minute input rate 0 pkts/sec, 0 bytes/sec

5 minute output rate 0 pkts/sec, 0 bytes/sec

5 minute drop rate, 0 pkts/sec

Interface Vlan2 "outside", is up, line protocol is up

Hardware is EtherSVI

MAC address 001e.be9e.592a, MTU 1500

IP address 24.19.86.222, subnet mask 255.255.240.0

Traffic Statistics for "outside":

2851 packets input, 135871 bytes

26 packets output, 6841 bytes

3 packets dropped

1 minute input rate 18 pkts/sec, 872 bytes/sec

1 minute output rate 0 pkts/sec, 14 bytes/sec

1 minute drop rate, 0 pkts/sec

5 minute input rate 0 pkts/sec, 0 bytes/sec

5 minute output rate 0 pkts/sec, 0 bytes/sec

5 minute drop rate, 0 pkts/sec

Interface Ethernet0/0 "", is up, line protocol is up

Hardware is 88E6095, BW 100 Mbps

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

Available but not configured via nameif

MAC address 001e.be9e.5922, MTU not set

IP address unassigned

2935 packets input, 192619 bytes, 0 no buffer

Received 2915 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

81 switch ingress policy drops

26 packets output, 7345 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

0 rate limit drops

0 switch egress policy drops

Interface Ethernet0/1 "", is up, line protocol is up

Hardware is 88E6095, BW 100 Mbps

Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

Available but not configured via nameif

MAC address 001e.be9e.5923, MTU not set

IP address unassigned

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

0 switch ingress policy drops

1 packets output, 64 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

0 rate limit drops

0 switch egress policy drops

Interface Ethernet0/2 "", is administratively down, line protocol is down

Hardware is 88E6095, BW 100 Mbps

Auto-Duplex, Auto-Speed

Available but not configured via nameif

MAC address 001e.be9e.5924, MTU not set

IP address unassigned

0 packets input, 0 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

0 switch ingress policy drops

0 packets output, 0 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

0 rate limit drops

0 switch egress policy drops

ciscoasa# show ipsec sa

interface: outside

Crypto map tag: _vpnc_cm, seq num: 10, local addr: 24.19.86.222

access-list _vpnc_acl permit ip host 24.19.86.222 10.241.113.0 255.255.255.0

local ident (addr/mask/prot/port): (24.19.86.222/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)

current_peer: 1.1.1.1, username: 1.1.1.1

dynamic allocated peer ip: 0.0.0.0

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 24.19.86.222, remote crypto endpt.: 1.1.1.1

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 4154721D

inbound esp sas:

spi: 0x792C1A6D (2032933485)

transform: esp-3des esp-md5-hmac none

in use settings ={RA, Tunnel, }

slot: 0, conn_id: 1, crypto-map: _vpnc_cm

sa timing: remaining key lifetime (sec): 28541

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x4154721D (1096053277)

transform: esp-3des esp-md5-hmac none

in use settings ={RA, Tunnel, }

slot: 0, conn_id: 1, crypto-map: _vpnc_cm

sa timing: remaining key lifetime (sec): 28541

IV size: 8 bytes

replay detection support: Y

Crypto map tag: _vpnc_cm, seq num: 10, local addr: 24.19.86.222

access-list _vpnc_acl permit ip host 24.19.86.222 192.0.0.0 255.0.0.0

local ident (addr/mask/prot/port): (24.19.86.222/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (192.0.0.0/255.0.0.0/0/0)

current_peer: 1.1.1.1, username: 1.1.1.1

dynamic allocated peer ip: 0.0.0.0

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 24.19.86.222, remote crypto endpt.: 1.1.1.1

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 55651732

inbound esp sas:

spi: 0xDD5DCEFD (3713912573)

transform: esp-3des esp-md5-hmac none

in use settings ={RA, Tunnel, }

slot: 0, conn_id: 1, crypto-map: _vpnc_cm

sa timing: remaining key lifetime (sec): 28525

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x55651732 (1432688434)

transform: esp-3des esp-md5-hmac none

in use settings ={RA, Tunnel, }

slot: 0, conn_id: 1, crypto-map: _vpnc_cm

sa timing: remaining key lifetime (sec): 28525

IV size: 8 bytes

replay detection support: Y

Crypto map tag: _vpnc_cm, seq num: 10, local addr: 24.19.86.222

access-list _vpnc_acl permit ip host 24.19.86.222 host 1.1.1.1

local ident (addr/mask/prot/port): (24.19.86.222/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)

current_peer: 1.1.1.1, username: 1.1.1.1

dynamic allocated peer ip: 0.0.0.0

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 24.19.86.222, remote crypto endpt.: 1.1.1.1

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 515F1CB3

inbound esp sas:

spi: 0x8140BAF4 (2168503028)

transform: esp-3des esp-md5-hmac none

in use settings ={RA, Tunnel, }

slot: 0, conn_id: 1, crypto-map: _vpnc_cm

sa timing: remaining key lifetime (sec): 28505

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x515F1CB3 (1365187763)

transform: esp-3des esp-md5-hmac none

in use settings ={RA, Tunnel, }

slot: 0, conn_id: 1, crypto-map: _vpnc_cm

sa timing: remaining key lifetime (sec): 28505

IV size: 8 bytes

replay detection support: Y

xr5054yz85 · ‎11-07-2010

Can someone please help me solve this?

I would really appreciate it if I could get this solved!

Thanks for the help!

xr5054yz85 · ‎11-11-2010

Anyone who is able to help I would GREATLY appreciate it. Please chime in if you know how to help, again I would be very appreciative to whoever could help me solve this.

Thanks so much!

danny.carroll · ‎11-12-2010

Correct me if i'm wrong, but it looks as if the traffic coming back from the vpn concentrator isn't encrypting the traffic back.

That is where i'd start.

xr5054yz85 · ‎11-12-2010

Yes, that is exactly what seems to be my issue, but I do not know how to solve it.

Do you have any suggestions on what to do to solve this issue?

Thank you so much for your reply, I really appreciate it!

xr5054yz85 · ‎11-20-2010

Anyone able to help me?

Please I would really it. Thanks a bunch.