3005 Views, 0 Helpful, 17 Replies
ASA5505 VPN

rallernt9 (Level 1)

Can anyone help me with this vpn? I am not sure if it is different on the 8.2 or if I am missing something.

I can connect to the vpn but cannot get to the inside computers. I can ping them from the ASA but not from the vpn client.

Thanks!!

Here's my config

ASA Version 8.2(5)
!
hostname testingwall
domain-name testing.com
enable password  encrypted
passwd encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.160.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 60.77.44.22 255.255.255.252
!
ftp mode passive
dns server-group DefaultDNS
 domain-name testing.com
same-security-traffic permit intra-interface
object-group network vpngroup
 network-object 192.168.161.0 255.255.255.0
object-group network inside
 network-object 192.168.160.0 255.255.255.0
object-group icmp-type icmp-grp
 description ICMP Types allowed
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
access-list inside_nat0_outbound extended permit ip any 192.168.161.0 255.255.255.240
access-list split-acl standard permit 192.168.160.0 255.255.255.0
access-list outside_access_in extended permit icmp any any object-group icmp-grp
pager lines 24
logging enable
logging timestamp
logging trap alerts
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool testinggroup_vpn_pool 192.168.161.100-192.168.161.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 10
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 60.77.44.23 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.160.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 14400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd dns 75.75.75.75 75.75.76.76
dhcpd ping_timeout 750
dhcpd domain testing.com
!
dhcpd address 192.168.160.100-192.168.160.200 inside
dhcpd enable inside
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1 rc4-md5
webvpn
group-policy testinggroup internal
group-policy testinggroup attributes
 wins-server value 192.168.160.10
 dns-server value 75.75.75.75 75.75.76.76
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
 default-domain value testinggroup
 split-dns value 75.75.75.75 75.75.76.76
username testing password fUG encrypted privilege 5
username testing attributes
 vpn-group-policy testinggroup
tunnel-group testinggroup type remote-access
tunnel-group testinggroup general-attributes
 address-pool testinggroup_vpn_pool
 default-group-policy testinggroup
tunnel-group testinggroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect tftp
  inspect dns preset_dns_map
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

Here is the vpn connection:

show cry ipsec sa
interface: outside
    Crypto map tag: dynmap, seq num: 10, local addr: 60.77.44.22

      local ident (addr/mask/prot/port): (192.168.160.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.161.100/255.255.255.255/0/0)
      current_peer: 67.178.89.90, username: testing
      dynamic allocated peer ip: 192.168.161.100

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 83, #pkts decrypt: 83, #pkts verify: 83
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 60.77.44.22/4500, remote crypto endpt.: 67.178.89.90/26936

      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 0CA9D64B
      current inbound spi : 980D8B6A

    inbound esp sas:
      spi: 0x980D8B6A (2551024490)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 65536, crypto-map: dynmap
         sa timing: remaining key lifetime (sec): 2399
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x0CA9D64B (212457035)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 65536, crypto-map: dynmap
         sa timing: remaining key lifetime (sec): 2399
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

17 Replies

Here it is.

Thanks for your help!

ASA Version 8.2(5)
!
hostname testingwall
domain-name testing.com
enable password  encrypted
passwd encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.160.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 60.77.44.22 255.255.255.252
!
ftp mode passive
dns server-group DefaultDNS
 domain-name testing.com
same-security-traffic permit intra-interface
object-group network vpngroup
 network-object 192.168.161.0 255.255.255.0
object-group network inside
 network-object 192.168.160.0 255.255.255.0
object-group icmp-type icmp-grp
 description ICMP Types allowed
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
access-list inside_nat0_outbound extended permit ip any 192.168.161.0 255.255.255.0
access-list split-acl standard permit 192.168.160.0 255.255.255.0
access-list outside_access_in extended permit icmp any any object-group icmp-grp
pager lines 24
logging enable
logging timestamp
logging trap alerts
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool testinggroup_vpn_pool 192.168.161.100-192.168.161.130 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 10
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 60.77.44.23 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.160.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 14400
crypto isakmp nat-traversal 3600
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
dhcpd dns 75.75.75.75 75.75.76.76
dhcpd ping_timeout 750
dhcpd domain testing.com
!
dhcpd address 192.168.160.100-192.168.160.200 inside
dhcpd enable inside
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1 rc4-md5
webvpn
group-policy testinggroup internal
group-policy testinggroup attributes
 wins-server value 192.168.160.10
 dns-server value 75.75.75.75 75.75.76.76
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-acl
 default-domain value testinggroup
 split-dns value 75.75.75.75 75.75.76.76
username testing password fUG encrypted privilege 5
username testing attributes
 vpn-group-policy testinggroup
tunnel-group testinggroup type remote-access
tunnel-group testinggroup general-attributes
 address-pool testinggroup_vpn_pool
 default-group-policy testinggroup
tunnel-group testinggroup ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect http
  inspect rsh
  inspect rtsp
  inspect sip
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect tftp
  inspect dns preset_dns_map
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
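One thing worth checking mechanically on an ASA 8.2 remote-access config is whether the ACL bound by `nat (inside) 0 access-list` actually covers the whole `ip local pool`: any pool address outside it gets PAT'd by `nat (inside) 1` on the way back instead of being matched into the tunnel. The script below is an added example, not code from this thread or from Cisco; it parses constructed excerpts of the two configs posted above (the first ACL uses 255.255.255.240, the repost uses 255.255.255.0) and lists pool addresses the exemption misses.

```python
import ipaddress

# Constructed excerpts of the two configs posted in this thread; only the
# lines the check needs are included.
CONFIG_ORIGINAL = """\
access-list inside_nat0_outbound extended permit ip any 192.168.161.0 255.255.255.240
ip local pool testinggroup_vpn_pool 192.168.161.100-192.168.161.130 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
CONFIG_REPOSTED = CONFIG_ORIGINAL.replace("255.255.255.240", "255.255.255.0")


def _parse_addr(tokens):
    """Consume one ACE address spec (any | host A | A MASK) from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def nat0_destinations(config):
    """Destination networks of each 'permit ip' ACE in the nat 0 exemption ACL."""
    acl = None
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["nat"] and parts[2:4] == ["0", "access-list"]:
            acl = parts[4]
    nets = []
    for line in config.splitlines():
        parts = line.split()
        if acl and parts[:5] == ["access-list", acl, "extended", "permit", "ip"]:
            rest = parts[5:]
            _parse_addr(rest)              # source spec, irrelevant for coverage
            nets.append(_parse_addr(rest))  # destination spec = VPN client side
    return nets


def pool_range(config):
    """(first, last) address of the 'ip local pool' line."""
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["ip", "local", "pool"]:
            first, last = parts[4].split("-")
            return ipaddress.ip_address(first), ipaddress.ip_address(last)
    raise ValueError("no ip local pool found")


def uncovered_pool_addresses(config):
    """Pool addresses that no nat 0 ACE exempts; an empty list means full coverage."""
    first, last = pool_range(config)
    nets = nat0_destinations(config)
    missing, addr = [], first
    while addr <= last:
        if not any(addr in n for n in nets):
            missing.append(str(addr))
        addr += 1
    return missing
```

With the original ACL every one of the 31 pool addresses is reported as uncovered; with the reposted /24 ACL the list is empty.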

Please provide:

packet-tracer input inside icmp 8 0 <client ip from pool 192.168.161.x> detailed.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

It does not work; I had already tried doing the translation exactly as described in the documentation.

In this example, is there no need to allow the traffic with an access list?