02-27-2014 03:08 AM
Hello
I apologise in advance for my lack of knowledge on this matter but I have been handed an ASA 5510 running software version 7.2(2) and been asked to configure a site-to-site with a client. I managed to get this configured and all is working well. Additionally I created an ipsec-ra tunnel group for users to connect to a particular server 192.168.10.100/24 remotely; although the connection establishes successfully I cannot ping any IP on the LAN 192.168.10.0/24 that sits behind the ASA, and when I ping the inside interface on the ASA it returns the public IP of the outside interface.
If someone out there could give me a nudge in the right direction it would be hugely appreciated! Below is the running config of the device.
Thanks in advance.
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa5510
domain-name domain.local
enable password .123456789/ encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
pppoe client vpdn group ISP
ip address 12.34.56.789 255.255.255.255 pppoe setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 123456789 encrypted
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name domain.local
access-list outside_20_cryptomap extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124
access-list Split_Tunnel_List remark The corporate network behind the ASA
access-list Split_Tunnel_List standard permit 192.168.10.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool domain_vpn_pool 192.168.11.1-192.168.11.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 12.34.56.789 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy domain_vpn internal
group-policy domain_vpn attributes
dns-server value 212.23.3.100 212.23.6.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
username domain_ra_vpn password 123456789 encrypted
username domain_ra_vpn attributes
vpn-group-policy domain_vpn
username user password .123456789 encrypted
username user password .123456789 encrypted
username user password .123456789 encrypted privilege 15
username user password .123456789 encrypted
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 987.65.43.21
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 3600
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 987.65.43.21 type ipsec-l2l
tunnel-group 987.65.43.21 ipsec-attributes
pre-shared-key *
tunnel-group domain_vpn type ipsec-ra
tunnel-group domain_vpn general-attributes
address-pool domain_vpn_pool
default-group-policy domain_vpn
tunnel-group domain_vpn ipsec-attributes
pre-shared-key *
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname ISP@ISP
vpdn group ISP ppp authentication chap
vpdn username ISP@ISP password *********
dhcpd dns 212.23.3.100 212.23.6.100
dhcpd lease 691200
dhcpd ping_timeout 500
dhcpd domain domain.local
!
dhcpd address 192.168.10.10-192.168.10.200 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1234567890987654321
: end
02-27-2014 03:40 AM
Hi,
Seems to me that you are at least missing the NAT0 configuration for your VPN Client connection.
This configuration is meant to enable the VPN Client to communicate with the LAN with their original IP addresses. Though the main reason this is required is to avoid matching this traffic to the normal Dynamic PAT rule which would drop this traffic and is dropping this traffic at the moment.
You can add a single ACL rule to the existing NAT0 ACL you have above and the NAT configuration should be fine then
Add this
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
Hope this helps
Let me know how it goes
- Jouni
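To make the NAT ordering behind this answer concrete, here is an added example (not part of the post or Cisco's code) that models the pre-8.3 ASA rule order: the nat0 exemption ACL is checked first, and anything that does not match falls through to the dynamic PAT rule (nat (inside) 1 / global (outside) 1 interface). The outside address is a placeholder standing in for the sanitised 12.34.56.789 in the config.

```python
import ipaddress

# Constructed from the nat0 ACL in the posted config, before and after Jouni's fix.
NAT0_ACL_BEFORE = [
    "access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 host 10.16.2.124",
]
NAT0_ACL_AFTER = NAT0_ACL_BEFORE + [
    "access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0",
]
# Placeholder for the outside interface address (the post shows a sanitised value).
OUTSIDE_IP = "203.0.113.10"


def _take_addr(tokens):
    """Consume one ASA address spec (host X, any, or NET MASK) from a token list."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl_line(line):
    """Return (src_net, dst_net) for an 'extended permit ip' ACE, else None."""
    tokens = line.split()
    if tokens[2:5] != ["extended", "permit", "ip"]:
        return None  # remarks, deny lines and non-ip ACEs are not exemptions here
    src, rest = _take_addr(tokens[5:])
    dst, _ = _take_addr(rest)
    return src, dst


def translate(src_ip, dst_ip, nat0_acl):
    """Source address the far end sees, following old-style ASA NAT order:
    'nat (inside) 0 access-list ...' wins over 'nat (inside) 1 0.0.0.0 0.0.0.0'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in nat0_acl:
        parsed = parse_acl_line(line)
        if parsed and src in parsed[0] and dst in parsed[1]:
            return str(src), "nat0-exempt"
    # No exemption matched: dynamic PAT to the outside interface address.
    return OUTSIDE_IP, "dynamic-pat"


if __name__ == "__main__":
    for label, acl in (("before", NAT0_ACL_BEFORE), ("after", NAT0_ACL_AFTER)):
        # LAN host replying to a VPN client drawn from the 192.168.11.0/24 pool
        print(label, translate("192.168.10.100", "192.168.11.5", acl))
```

Before the fix the LAN host's reply to the VPN client is PATed to the outside address, which is why the poster saw the public IP when pinging the inside interface; after adding the second ACE it keeps its original address.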
02-27-2014 05:57 AM
Hi JouniForss
Thank you so much for your help, that was exactly what was missing from the config. It now works a treat.
Thanks again, your assistance is very much appreciated.
Regards