11-18-2015 06:00 AM
Hello
I started a new job and did not have past experience with ASA/VPN. I'm trying to learn on the fly, but I'm stuck. My tunnel is up, but I don't get any traffic passing.
I looked and I see packets being encrypted but no received packets.
The VPN 3000 shows the same thing: a tunnel, but only transmit or nothing.
I compared the config from a known good working box and matched them as close as possible. I have tried different ASAs and different concentrators to rule out hardware.
Non-working box:
!
hostname sa-hostname
names
!
!
interface Vlan1
nameif inside
security-level 100
dhcp client update dns server both
ip address 172.25.x.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
no shut
!
interface Ethernet0/1
no shut
!
interface Ethernet0/2
shut
!
interface Ethernet0/3
shut
!
interface Ethernet0/4
shut
!
interface Ethernet0/5
shut
!
interface Ethernet0/6
no shut
!
interface Ethernet0/7
no shut
!
boot system disk0:/version on device
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group xxxx.xxx.com
retries 4
timeout 10
name-server 10.1.1.110
name-server 10.8.16.110
domain-name xxxx.xxx.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/version on device
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
snmp-server location Indvidual assigned to device
snmp-server contact Network Services
no snmp-server enable
telnet timeout 1
ssh 10.0.0.0 255.0.0.0 inside
ssh 172.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 5
management-access inside
dhcpd dns 10.1.1.110 10.8.16.110
dhcpd lease 43200
dhcpd ping_timeout 750
dhcpd domain xxxx.xxx.com
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 172.25.x.5-172.25.x.6 inside
dhcpd update dns interface inside
dhcpd enable inside
!
vpnclient server 66.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup xxxx password xxxx
vpnclient username xxxx password xxxx
vpnclient enable
priority-queue inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authentication-key 5 md5 serve-only
ntp authenticate
ntp server 10.0.0.2 source inside
ntp server 10.0.0.3 source inside
ntp server 10.3.0.2 source inside
ntp server 10.3.0.3 source inside
username xxxx password xxxx privilege 15
enable password xxxx
!
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.1.4
timeout 15
key Clonewars*
aaa-server TACACS+ (inside) host 10.3.1.4
timeout 15
key Clonewars*
aaa-server RADIUS protocol radius
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting ssh console TACACS+
aaa accounting command TACACS+
aaa accounting enable console TACACS+
!
class-map Voice
match dscp cs5
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect dns preset_dns_map
inspect http
inspect ip-options
policy-map Voicepolicy
class Voice
priority
!
service-policy global_policy global
service-policy Voicepolicy interface inside
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crypto key generate rsa general-keys modulus 1024
Working - I compared these and added anything to the above that was missing. I also configured the VPN 3000 to work with the above, which was basically just a username set to the group configs.
sh run
: Saved
:
: Serial Number: JMX1527Z02F
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(2)4
!
hostname xxxxx
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
dhcp client update dns server both
ip address 172.25.x.1 255.255.255.248
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
boot system disk0:/asa922-4-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group xxxx.xxx.com
retries 4
timeout 10
name-server 10.1.1.110
name-server 10.8.16.110
domain-name xxxx.xxx.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.1.4
timeout 15
key *****
aaa-server TACACS+ (inside) host 10.3.1.4
timeout 15
key *****
user-identity default-domain LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa accounting command TACACS+
aaa accounting enable console TACACS+
snmp-server location xxxxxxx
snmp-server contact Network Services
no snmp-server enable
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto isakmp identity hostname
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 inside
ssh 172.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 5
management-access inside
vpnclient server 66.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup xxxxx password *****
vpnclient username xxxxxx password *****
vpnclient enable
dhcpd dns 10.1.1.110 10.8.16.110
dhcpd lease 43200
dhcpd ping_timeout 750
dhcpd domain xxxx.xxx.com
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 172.25.x.5-172.25.x.6 inside
dhcpd update dns interface inside
dhcpd enable inside
!
priority-queue inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authentication-key 5 md5 *****
ntp authenticate
ntp server 10.252.252.57 source inside
ntp server 10.252.252.1 source inside prefer
tftp-server inside 10.1.5.240 /
username xxxxxxxxxx password xxxxxxxxxx encrypted privilege 15
!
class-map Voice
match dscp cs5
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
policy-map Voicepolicy
class Voice
priority
!
service-policy global_policy global
service-policy Voicepolicy interface inside
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c7873639013b549e649c773faaa179b8
: end
11-18-2015 09:38 AM
I noticed a few things: there was no NAT and the object list was wrong, so I did a write erase and pasted in the working config with a different user and such, and it still does not work.
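One way to do the "compare against a known good box" step the posts describe, as an added example that is not from the thread or from Cisco: it normalizes secrets and the poster's `xxxx` / `*****` redactions to fixed tokens so they are not reported as differences, then lists the lines that exist only in one of the two ASA configs. The two config excerpts inside are constructed from the pastes above, not the full configs.

```python
import re

# Constructed excerpts of the two ASA configs pasted in the thread, not the full configs.
NON_WORKING = """\
enable password xxxx
ip address 172.25.x.1 255.255.255.0
aaa-server TACACS+ (inside) host 10.0.1.4
key xxxx
aaa authentication serial console TACACS+ LOCAL
vpnclient vpngroup xxxx password xxxx
crypto key generate rsa general-keys modulus 1024
"""
WORKING = """\
: Saved
enable password xxxxxxxxxx encrypted
ip address 172.25.x.1 255.255.255.248
aaa-server TACACS+ (inside) host 10.0.1.4
key *****
crypto ikev1 policy 65535
authentication pre-share
vpnclient vpngroup xxxxx password *****
Cryptochecksum:c7873639013b549e649c773faaa179b8
"""

# Secrets and poster-masked values are rewritten to fixed tokens, so a password or
# group name that was masked differently in the two pastes is not reported as a diff.
MASK_RULES = [
    (re.compile(r"\s+encrypted$"), ""),             # drop the 'encrypted' marker
    (re.compile(r"\bpassword\s+\S+"), "password <secret>"),
    (re.compile(r"^key\s+\S+"), "key <secret>"),    # aaa-server key lines
    (re.compile(r"\bmd5\s+\S+"), "md5 <secret>"),   # ntp authentication-key
    (re.compile(r"(?<!\w)(?:x{2,}|\*{2,})(?!\w)"), "<redacted>"),
]

def normalize(config):
    """Set of normalized command lines; '!' comments, ':' banners and the Cryptochecksum
    trailer are dropped. Nesting is not tracked: lines compare by text alone."""
    lines = set()
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:" or line.startswith("Cryptochecksum"):
            continue
        for pattern, repl in MASK_RULES:
            line = pattern.sub(repl, line)
        lines.add(line)
    return lines

def compare_configs(a, b):
    """Return (lines only in a, lines only in b), each sorted."""
    na, nb = normalize(a), normalize(b)
    return sorted(na - nb), sorted(nb - na)
```

Because sub-command nesting is not tracked, a line that moved between two parent blocks (for example a different policy-map) will not be flagged; check those by eye.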