10-16-2010 11:36 AM
Hello, I have an ASA 5505 that I am trying to configure as a site-to-site VPN. I can get to the internet behind the ASA and I can connect to the VPN, so it must be an issue with just the way that I am trying to connect site to site. The IP of the VPN is 1.1.1.1, my group is test and my username is test1. When I try to go to http://10.241.113.194 I cannot access the page. The IP is changed for security. Thanks for your help in advance.
Here is my config:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name comcast.net
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.200 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 4Wtw78CIa2UJQxhM encrypted
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 205.171.2.65
name-server 205.171.3.65
domain-name comcast.net
access-list Home_Users_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended deny ip any host 207.225.227.242
access-list inside_nat0_outbound extended deny ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any any
access-list inside_nat0_outbound extended permit ip any 192.168.1.64 255.255.255.192
access-list Home_Users_splitTunnelAcl_1 standard permit any
access-list Home_Users_splitTunnelAcl_2 standard permit any
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.241.113.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool hoe_addressed 192.168.1.75-192.168.1.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map0 1 match address outside_1_cryptomap
crypto map outside_map0 1 set pfs
crypto map outside_map0 1 set peer 1.1.1.1
crypto map outside_map0 1 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
vpnclient server 1.1.1.1
vpnclient mode client-mode
vpnclient vpngroup test password ********
vpnclient username test1 password ********
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect icmp error
!
service-policy global_policy global
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:98ac6f4e89af2535963c6a2de08d9132
: end
11-03-2010 07:57 PM
Is anyone able to lend a hand with this issue?
Thanks!
11-03-2010 10:49 PM
Seems like your outside and inside interfaces are in the same subnet:
Interface Vlan1 "inside", is up, line protocol is up
IP address 192.168.1.199, subnet mask 255.255.255.0
Interface Vlan2 "outside", is up, line protocol is up
IP address 192.168.1.103, subnet mask 255.255.0.0
Can you please change your inside subnet to a different subnet altogether? Also, please make sure that it is unique from the VPN Concentrator's point of view as well. Please don't use the 192.168.0.0 subnet, because it appears that your outside interface (which is DHCP assigned by your ISP) has a /16 subnet, so you can't use 192.168.0.0 anymore for your internal network.
I would suggest that you use a unique range from the 10.0.0.0 subnet, or the 172.16.0.0 subnet.
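The overlap check described above, as an added example that is not part of the thread: it parses the two quoted "show interface" lines (sample text constructed from the reply) and flags any pair of named interfaces whose connected subnets overlap.

```python
import re
import ipaddress
from itertools import combinations

# Constructed sample: the two interface summaries quoted in the reply
# (inside 192.168.1.199/24 and outside 192.168.1.103/16).
SHOW_INTERFACE = """\
Interface Vlan1 "inside", is up, line protocol is up
IP address 192.168.1.199, subnet mask 255.255.255.0
Interface Vlan2 "outside", is up, line protocol is up
IP address 192.168.1.103, subnet mask 255.255.0.0
"""

IFACE_RE = re.compile(r'^\s*Interface \S+ "(?P<name>[^"]*)",')
ADDR_RE = re.compile(
    r"^\s*IP address (?P<ip>\d+\.\d+\.\d+\.\d+), subnet mask (?P<mask>\d+\.\d+\.\d+\.\d+)"
)


def parse_interfaces(text):
    """Return {nameif: IPv4Interface} for every named interface that has an address.
    Interfaces with an empty nameif ("") and 'IP address unassigned' lines are skipped."""
    result = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group("name") or None
            continue
        m = ADDR_RE.match(line)
        if m and current:
            # ip_interface accepts a dotted netmask after the slash
            result[current] = ipaddress.ip_interface(f"{m['ip']}/{m['mask']}")
    return result


def overlapping_interfaces(ifaces):
    """List (name_a, name_b) pairs whose connected subnets overlap.
    Two interfaces on one firewall must not share address space, otherwise the
    box cannot decide which interface a destination is behind."""
    pairs = []
    for (a, ia), (b, ib) in combinations(sorted(ifaces.items()), 2):
        if ia.network.overlaps(ib.network):
            pairs.append((a, b))
    return pairs
```

Feeding it the full "show interface" output (not just the summary) works the same way, since the regexes ignore the statistics lines.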
11-04-2010 01:45 PM
Thanks for the reply, and for sticking with me on this. Here are a few outputs, but still no luck.
Still the same issue: when pinging 10.241.113.194, the "#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4" counters increase, but when I run ping inside 10.241.113.194 those numbers remain the same.
Also, tried connecting directly to the modem and taking out the router. Still same result.
Thanks!
I tried this to see if I could ping from inside to 8.8.8.8 (Google's DNS servers) and I cannot. Could something be wrong with my inside interfaces?
ciscoasa# ping inside 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa# ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/22/30 ms
ciscoasa#
ciscoasa# ping inside 10.241.113.194
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.241.113.194, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa# ping 10.241.113.194
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.241.113.194, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ciscoasa#
ciscoasa# show interface
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001e.be9e.592a, MTU 1500
IP address 10.240.112.0, subnet mask 255.255.0.0
Traffic Statistics for "inside":
0 packets input, 0 bytes
1 packets output, 28 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Vlan2 "outside", is up, line protocol is up
Hardware is EtherSVI
MAC address 001e.be9e.592a, MTU 1500
IP address 24.19.86.222, subnet mask 255.255.240.0
Traffic Statistics for "outside":
2851 packets input, 135871 bytes
26 packets output, 6841 bytes
3 packets dropped
1 minute input rate 18 pkts/sec, 872 bytes/sec
1 minute output rate 0 pkts/sec, 14 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001e.be9e.5922, MTU not set
IP address unassigned
2935 packets input, 192619 bytes, 0 no buffer
Received 2915 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
81 switch ingress policy drops
26 packets output, 7345 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/1 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001e.be9e.5923, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
Interface Ethernet0/2 "", is administratively down, line protocol is down
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex, Auto-Speed
Available but not configured via nameif
MAC address 001e.be9e.5924, MTU not set
IP address unassigned
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
0 switch ingress policy drops
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
ciscoasa# show ipsec sa
interface: outside
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 24.19.86.222
access-list _vpnc_acl permit ip host 24.19.86.222 10.241.113.0 255.255.255.0
local ident (addr/mask/prot/port): (24.19.86.222/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 24.19.86.222, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 4154721D
inbound esp sas:
spi: 0x792C1A6D (2032933485)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28541
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x4154721D (1096053277)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28541
IV size: 8 bytes
replay detection support: Y
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 24.19.86.222
access-list _vpnc_acl permit ip host 24.19.86.222 192.0.0.0 255.0.0.0
local ident (addr/mask/prot/port): (24.19.86.222/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.0.0.0/255.0.0.0/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 24.19.86.222, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 55651732
inbound esp sas:
spi: 0xDD5DCEFD (3713912573)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28525
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x55651732 (1432688434)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28525
IV size: 8 bytes
replay detection support: Y
Crypto map tag: _vpnc_cm, seq num: 10, local addr: 24.19.86.222
access-list _vpnc_acl permit ip host 24.19.86.222 host 1.1.1.1
local ident (addr/mask/prot/port): (24.19.86.222/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer: 1.1.1.1, username: 1.1.1.1
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 24.19.86.222, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 515F1CB3
inbound esp sas:
spi: 0x8140BAF4 (2168503028)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28505
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x515F1CB3 (1365187763)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 1, crypto-map: _vpnc_cm
sa timing: remaining key lifetime (sec): 28505
IV size: 8 bytes
replay detection support: Y
11-07-2010 01:28 PM
Can someone please help me solve this?
I would really appreciate it if I could get this solved!
Thanks for the help!
11-11-2010 11:29 PM
Anyone who is able to help I would GREATLY appreciate it. Please chime in if you know how to help, again I would be very appreciative to whoever could help me solve this.
Thanks so much!
11-12-2010 04:53 AM
Correct me if I'm wrong, but it looks as if the traffic coming back from the VPN concentrator isn't encrypting the traffic back.
That is where I'd start.
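A way to spot the one-way pattern the reply above points at, added here as an example that is not part of the thread: it parses "show ipsec sa" text into one record per crypto map entry and reports SAs that have encapsulated packets but never decapsulated any. The sample output is constructed from the counters and identities posted earlier in the thread.

```python
import re

# Constructed excerpt modelled on the "show ipsec sa" output posted above:
# the first SA sends packets (encaps 5) but has received nothing (decaps 0).
SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 24.19.86.222
      local ident (addr/mask/prot/port): (24.19.86.222/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.241.113.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    Crypto map tag: _vpnc_cm, seq num: 10, local addr: 24.19.86.222
      local ident (addr/mask/prot/port): (24.19.86.222/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.0.0.0/255.0.0.0/0/0)
      current_peer: 1.1.1.1, username: 1.1.1.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# One regex per field we care about; 'v' captures the value.
FIELD_RES = {
    "local": re.compile(r"^local ident \S+: \((?P<v>[^/]+/[^/]+)/"),
    "remote": re.compile(r"^remote ident \S+: \((?P<v>[^/]+/[^/]+)/"),
    "peer": re.compile(r"^current_peer: (?P<v>\S+),"),
    "encaps": re.compile(r"^#pkts encaps: (?P<v>\d+),"),
    "decaps": re.compile(r"^#pkts decaps: (?P<v>\d+),"),
}


def parse_ipsec_sas(text):
    """Split 'show ipsec sa' output into one dict per 'Crypto map tag:' block."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            sas.append({"map": line.split(",")[0].split(": ", 1)[1]})
            continue
        if not sas:
            continue  # header lines before the first SA
        for key, rx in FIELD_RES.items():
            m = rx.match(line)
            if m:
                v = m.group("v")
                sas[-1][key] = int(v) if key in ("encaps", "decaps") else v
    return sas


def one_way_sas(sas):
    """SAs that sent traffic but never received any: the remote side is not
    returning (or not encrypting) traffic for that proxy identity."""
    return [sa for sa in sas if sa.get("encaps", 0) > 0 and sa.get("decaps", 0) == 0]
```

The local ident of the flagged SA is what to compare against the remote side's crypto ACL: the peer must accept return traffic for exactly that identity.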
11-12-2010 05:01 PM
Yes, that is exactly what seems to be my issue, but I do not know how to solve it.
Do you have any suggestions on what to do to solve this issue?
Thank you so much for your reply, I really appreciate it!
11-20-2010 11:48 PM
Anyone able to help me?
Please I would really it. Thanks a bunch.