
IPSec RA connects, no traffic to internal network

Thomas Phipps
Level 1

Hello all, I hope you can help with this problem. I have an ASA 5505 which has two IPSec RA tunnels built. For each one the user is able to authenticate and get an IP address in the designated IP pool, but they are not able to ping the firewall or RDP to any internal servers. Here is a copy of the running config:

: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
enable password xxxx encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport monitor Ethernet0/2
switchport monitor Ethernet0/3
switchport monitor Ethernet0/4
switchport monitor Ethernet0/5
switchport monitor Ethernet0/6
switchport monitor Ethernet0/7
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name integre.us
object-group network VM-Host
description Virtural Machines for VPN users
network-object host 192.168.1.11
network-object host 192.168.1.27
network-object host 192.168.1.40
access-list integre-vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.15.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list cap_out extended permit ip host 192.168.1.3 any
access-list cap_out extended permit ip any host 195.168.1.3
access-list 100 extended permit tcp any host 70.91.246.17 eq smtp
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 100 extended permit tcp 192.168.15.192 255.255.255.224 object-group VM-Host eq 3389
access-list IntegreUS_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_cryptomap-integrevpn extended permit ip 192.168.2.0 255.255.255.0 any
mtu inside 1500
mtu outside 1500
ip local pool vpn-pool 192.168.2.1-192.168.2.100 mask 255.255.255.0
ip local pool VPNUsers 192.168.15.194-192.168.15.220 mask 255.255.255.224
ip local pool Pool 192.168.1.100-192.168.1.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit host 192.168.1.101 outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 70.91.246.17 smtp 192.168.1.6 smtp netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 70.91.246.22 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy IntegreUS internal
group-policy IntegreUS attributes
dns-server value 68.87.72.130 68.87.77.130
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value integre-vpn_splitTunnelAcl
group-policy integre-vpn internal
group-policy integre-vpn attributes
vpn-tunnel-protocol IPSec
username user1 password  encrypted privilege 15
username user1 attributes
vpn-group-policy integre-vpn
username dlaplant password  encrypted privilege 15
username dlaplant attributes
vpn-group-policy integre-vpn
username cisco password  encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap-integrevpn
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption x
hash x
group x
lifetime x
crypto isakmp policy 30
authentication pre-share
encryption xxx
hash x
group x
lifetime x
tunnel-group integre-vpn type ipsec-ra
tunnel-group integre-vpn general-attributes
address-pool (inside) vpn-pool
address-pool vpn-pool
default-group-policy integre-vpn
tunnel-group integre-vpn ipsec-attributes
pre-shared-key *
tunnel-group IntegreUS type ipsec-ra
tunnel-group IntegreUS general-attributes
address-pool VPNUsers
default-group-policy IntegreUS
tunnel-group IntegreUS ipsec-attributes
pre-shared-key *
telnet 192.168.1.41 255.255.255.255 inside
telnet timeout 5
ssh 192.168.1.13 255.255.255.255 inside
ssh 192.168.1.17 255.255.255.255 inside
ssh 192.168.1.18 255.255.255.255 inside
ssh 192.168.1.30 255.255.255.255 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.11-192.168.1.42 inside
dhcpd dns 192.168.1.6 interface inside
dhcpd update dns both override interface inside
dhcpd enable inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global

1 Reply

Thomas Phipps
Level 1

no crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap-integrevpn
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap-integrevpn
access-list integre-vpn_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
group-policy integre-vpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value integre-vpn_splitTunnelAcl
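As an added example (not part of the thread or of Cisco's tooling): a small Python check that reads an excerpt of the running config posted above and verifies, for each tunnel-group, that the whole address pool is covered by the NAT-exempt (nat 0) ACL from the inside subnet, which is one of the usual reasons an RA client authenticates and gets a pool address yet cannot reach anything inside. The excerpt is constructed from the posted config and the inside subnet 192.168.1.0/24 is taken from its Vlan1 address; the check assumes a `nat (inside) 0 access-list` line is present.

```python
import ipaddress
import re
# Constructed excerpt of the running config posted above; only the lines the check reads are kept.
ASA_CONFIG = """
access-list inside_nat0_outbound extended permit ip any 192.168.15.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool vpn-pool 192.168.2.1-192.168.2.100 mask 255.255.255.0
ip local pool VPNUsers 192.168.15.194-192.168.15.220 mask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
tunnel-group integre-vpn general-attributes
 address-pool (inside) vpn-pool
tunnel-group IntegreUS general-attributes
 address-pool VPNUsers
"""

def _net(tokens):
    """Consume one ASA address spec ('any' or 'ADDR MASK'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_nat0_acl(cfg):
    """(src, dst) network pairs of the ACL bound by 'nat (inside) 0 access-list' (assumed present)."""
    name = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M).group(1)
    pairs = []
    for rest in re.findall(rf"^access-list {re.escape(name)} extended permit ip (.+)$", cfg, re.M):
        src, rest = _net(rest.split())
        pairs.append((src, _net(rest)[0]))
    return pairs

def parse_pools(cfg):
    """Pool name -> (first, last) address taken from 'ip local pool NAME A-B mask M' lines."""
    return {name: (ipaddress.ip_address(a), ipaddress.ip_address(b))
            for name, a, b in re.findall(r"^ip local pool (\S+) (\S+)-(\S+) mask", cfg, re.M)}

def parse_tunnel_group_pools(cfg):
    """Tunnel-group name -> address-pool name; an optional '(iface)' qualifier is skipped."""
    groups, current = {}, None
    for line in (ln.strip() for ln in cfg.splitlines()):
        if line.startswith("tunnel-group ") and line.endswith(" general-attributes"):
            current = line.split()[1]
        elif line.startswith("address-pool ") and current:
            groups[current] = line.split()[-1]
    return groups

def check_nat_exemption(cfg, inside=ipaddress.ip_network("192.168.1.0/24")):
    """Per tunnel-group: True when one nat0 entry exempts inside -> the pool's whole address range."""
    pools, pairs = parse_pools(cfg), parse_nat0_acl(cfg)
    return {tg: any(inside.subnet_of(src) and pools[pool][0] in dst and pools[pool][1] in dst
                    for src, dst in pairs) for tg, pool in parse_tunnel_group_pools(cfg).items()}
```

For the posted config both groups come back True, so NAT exemption is not what blocks this traffic; deleting the second inside_nat0_outbound line from the excerpt flips integre-vpn to False, which is the symptom the check is meant to catch.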