12-09-2013 04:50 PM - edited 02-21-2020 07:22 PM
Setting up another remote access VPN, and I cannot access the remote network from the client. I've gotten this to work fine over other ASAs, but those were 5510s. This time it's a 5505, and for whatever reason it's not liking it. I've made sure I have a static route on the connected switch to return the traffic back to the ASA, and it must be doing that, because in packet captures I can see the echo reply.
I don't think it's an ACL that's blocking it, because I'm monitoring for message 106023 and not seeing anything get dropped. Although it's a little more difficult because the ASDM is having problems, saying the syslog connection is lost. So, I've been trying to log to the terminal over SSH. Nothing is coming up with that filter, so I'm assuming nothing is getting dropped.
Any help is appreciated.
ausasa01-5505# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ausasa01-5505
names
!
interface Ethernet0/0
description outside
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
description inside
speed 100
duplex full
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.37.194.2 255.255.255.252
!
interface Vlan2
nameif outside
security-level 0
ip address <outside ip> 255.255.255.248
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network DM_INLINE_NETWORK_1
network-object 10.37.0.0 255.255.0.0
network-object 192.168.37.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object host 209.242.145.130
network-object host 216.115.85.212
access-list inside_access_in extended permit ip 192.168.37.0 255.255.255.0 any log warnings
access-list inside_access_in extended permit ip 10.37.1.0 255.255.255.0 any log warnings
access-list outside_1_cryptomap extended permit ip 10.37.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.37.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.37.0.0 255.255.0.0 10.254.37.0 255.255.255.240
access-list inside_access_in_1 extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
access-list SLOW-PRINTING extended permit ip 10.37.5.0 255.255.255.0 any
access-list outside_access_in extended permit icmp object-group DM_INLINE_NETWORK_2 host <outside ip> log warnings
access-list RemoteAccess_splitTunnelAcl standard permit 10.37.0.0 255.255.0.0
pager lines 24
logging enable
logging list acl-drop message 106023
logging monitor acl-drop
logging asdm acl-drop
mtu inside 1500
mtu outside 1500
ip local pool vpn_ip_ppol 10.254.37.0-10.254.37.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.37.1.0 255.255.255.0
nat (inside) 1 192.168.37.0 255.255.255.0
access-group inside_access_in_1 in interface inside
access-group outside_access_in in interface outside
!
router eigrp 100
network 10.0.0.0 255.0.0.0
network 0.0.0.0 0.0.0.0
passive-interface default
no passive-interface inside
!
route outside 0.0.0.0 0.0.0.0 <outside> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
snmp-server location
snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer <some IP>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.200.1.41
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
default-domain value procopio.local
split-tunnel-all-dns disable
vlan none
tunnel-group <some ip> type ipsec-l2l
tunnel-group <some ip> ipsec-attributes
pre-shared-key *****
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_ppol
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
!
class-map SLOW-PRINTING
description Throttles upload speed from 10.37.5.0/24
match access-list SLOW-PRINTING
!
!
policy-map SLOW-PRINTING
class SLOW-PRINTING
police input 2048000
!
service-policy SLOW-PRINTING interface inside
prompt hostname context
no call-home reporting anonymous
Packet Trace...
14 packets captured
1: 23:54:06.578156 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
2: 23:54:06.579544 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply
3: 23:54:07.577255 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
4: 23:54:07.578171 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply
5: 23:54:08.576843 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
6: 23:54:08.578262 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply
7: 23:54:09.576813 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
8: 23:54:09.578613 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply
9: 23:54:10.577088 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
10: 23:54:10.578735 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply
11: 23:54:11.576706 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
12: 23:54:11.577316 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply
13: 23:54:12.576615 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
14: 23:54:12.578125 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply
14 packets shown
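An added example, not from the thread: a small Python parser for the posted `show capture` output that confirms each echo request from the VPN pool got a reply at the inside interface, and checks that each reply back to the pool falls inside the `inside_nat0_outbound` exemption (10.37.0.0/16 to 10.254.37.0/28) and the pool range (10.254.37.0-10.254.37.10) taken from the config above. The embedded capture lines are a constructed subset of the ones in the post.

```python
import ipaddress
import re

# Constructed sample: a subset of the 'show capture' lines quoted in the post.
CAPTURE = """\
1: 23:54:06.578156 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
2: 23:54:06.579544 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply
3: 23:54:07.577255 802.1Q vlan#1 P0 10.254.37.1 > 10.37.194.1: icmp: echo request
4: 23:54:07.578171 802.1Q vlan#1 P0 10.37.194.1 > 10.254.37.1: icmp: echo reply
"""

# Values copied from the posted config: 'ip local pool vpn_ip_ppol' and the
# second 'inside_nat0_outbound' line (10.37.0.0/16 -> 10.254.37.0/28).
POOL_FIRST = ipaddress.ip_address("10.254.37.0")
POOL_LAST = ipaddress.ip_address("10.254.37.10")
NAT0_SRC = ipaddress.ip_network("10.37.0.0/16")
NAT0_DST = ipaddress.ip_network("10.254.37.0/28")

IP = r"(\d+\.\d+\.\d+\.\d+)"
LINE_RE = re.compile(r"^\d+:\s+\S+\s+.*?" + IP + r" > " + IP + r": icmp: echo (request|reply)$")


def parse_capture(text):
    """Return (src, dst, kind) tuples for every ICMP echo line in ASA capture output."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append((ipaddress.ip_address(m.group(1)),
                            ipaddress.ip_address(m.group(2)), m.group(3)))
    return packets


def in_pool(addr):
    """True if addr is one of the addresses the ASA hands out to RA clients."""
    return POOL_FIRST <= addr <= POOL_LAST


def summarize(packets):
    """Count requests from the pool and replies back to it, and flag replies that
    the nat0 exemption would not cover (the ASA would try to NAT those)."""
    requests = sum(1 for s, d, k in packets if k == "request" and in_pool(s))
    replies = [(s, d) for s, d, k in packets if k == "reply" and in_pool(d)]
    uncovered = [(s, d) for s, d in replies if not (s in NAT0_SRC and d in NAT0_DST)]
    return {"requests": requests, "replies": len(replies), "nat0_uncovered": len(uncovered)}


if __name__ == "__main__":
    print(summarize(parse_capture(CAPTURE)))
```

If requests and replies match and nothing is flagged, as here, the drop is happening after the inside interface rather than on the switch's return path, so the next capture to take is on the outside interface for the ESP traffic to the client and, on the ASA itself, a `capture` of `type asp-drop` to see why the reply never leaves.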
12-09-2013 06:37 PM
Hi Ryan,
What networks from the internal switch behind your firewall are you trying to reach from the RA network? The packet capture you provided is towards your switch gateway IP 10.37.194.1, which is the directly connected interface to the firewall, but you have not shown what other subnets from your switch your RA pool is unable to reach.
You also have a routing process in place for EIGRP. Are you EIGRP peering with your internal switch? If you are doing static routing, make sure your RA IP pool network 10.254.37.0/24 is indeed routed back to the FW inside interface IP 10.37.194.2, and perhaps provide more details on your inside L3 logical topology and what networks the RA pool is required to access.
Regards
12-10-2013 10:47 AM
Thanks for the reply. At this point I'm just trying to access the networks that are on the connected switch. The packet capture I gave shows that reply packets are sent, but my VPN client never sees them. At this point, I would just be happy for my VPN client to be able to access the connected switch at 10.37.194.1, which it cannot do, even though the packet capture shows that the switch is replying.
Thanks
Sent from Cisco Technical Support iPhone App