IPSEC VPN+DHCP WINDOWS

fibozolan
Level 1

Hello,

I need some help. It's my first time configuring an ASA firewall and I am having some trouble figuring this out. When I finished the VPN configuration everything was working fine: IP from the Windows server DHCP, user authentication with RADIUS. But I have a question: why can't I ping any host from the inside, or from another office for which I created a route???

The config follows.

hostname ciscoasa
domain-name domain.com.br
enable password 6U3abDgKXIPEI3sD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 10.129.133.23 255.255.255.128
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
ftp mode passive
clock timezone BRST -3
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name domain.com.br
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list VPN_Funcionarios standard permit 10.129.133.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip any 10.129.133.0 255.255.255.128
access-list outside_nat0_outbound extended permit ip 10.129.133.0 255.255.255.128 any
access-list inside_access_in extended permit ip any 10.129.133.0 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp deny any outside
no asdm history enable
arp timeout 14400
global (inside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 201.x.x.x 1
route inside 10.129.133.128 255.255.255.128 10.129.133.122 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPNTOTALBR protocol radius
aaa-server VPNTOTALBR (inside) host 10.129.133.10
 timeout 5
 key ******
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1 aes128-sha1
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy VPNTOTALBR internal
group-policy VPNTOTALBR attributes
 dns-server value 10.129.133.10 10.129.133.130
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 group-lock value VPNTOTALBR
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_Funcionarios
username admin password BxbZW5I.NuwPZrmP encrypted privilege 15
username totalbr password Jm66i5yb9WnTmMbG encrypted privilege 15
tunnel-group VPNTOTALBR type remote-access
tunnel-group VPNTOTALBR general-attributes
 authentication-server-group VPNTOTALBR
 default-group-policy VPNTOTALBR
 dhcp-server 10.129.133.10
tunnel-group VPNTOTALBR ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map TrafficVPN-policy
!
service-policy global_policy global
prompt hostname context

1 Reply

Jennifer Halim
Cisco Employee

What pool of addresses do you assign to the VPN client? It needs to be a unique subnet.

If you are assigning 10.129.133.128/25 to the VPN client, then the following route needs to be removed:

route inside 10.129.133.128 255.255.255.128 10.129.133.122 1
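As an added example (not part of the thread), here is a small Python check for the overlap the reply points at: it parses the interface subnets and non-default static routes from a constructed excerpt of the posted config and reports which of them collide with a candidate VPN client pool, assuming the pool is 10.129.133.128/25 as the reply supposes.

```python
import ipaddress
import re

# Constructed excerpt of the addressing lines from the config posted in the thread.
ASA_CONFIG = """
interface Ethernet0/0
 nameif inside
 ip address 10.129.133.23 255.255.255.128
interface Ethernet0/1
 nameif outside
 ip address dhcp setroute
route outside 0.0.0.0 0.0.0.0 201.x.x.x 1
route inside 10.129.133.128 255.255.255.128 10.129.133.122 1
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_networks(config):
    """Return (label, network) pairs for static interface subnets and non-default routes."""
    found = []
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None          # new interface block: forget the previous nameif
        elif m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif m := re.match(rf"ip address {IPV4} {IPV4}$", line):
            # Only statically addressed interfaces count; 'ip address dhcp' is skipped.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            found.append((f"interface {nameif}", net))
        elif m := re.match(rf"route (\S+) {IPV4} {IPV4} (\S+)", line):
            net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            if net.prefixlen > 0:  # the default route overlaps everything; ignore it
                found.append((f"route {m.group(1)} via {m.group(4)}", net))
    return found


def pool_conflicts(config, pool):
    """Labels of every interface subnet or static route that overlaps the VPN client pool."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    return [label for label, net in parse_networks(config) if net.overlaps(pool_net)]


if __name__ == "__main__":
    # Pool supposed in the reply: 10.129.133.128/25 collides with the static route.
    for hit in pool_conflicts(ASA_CONFIG, "10.129.133.128/25"):
        print("VPN pool overlaps:", hit)
```

A pool that overlaps an inside subnet or a static route is routed by the ASA toward that interface or next hop rather than into the tunnel, which is why replies never reach the client; a pool from a subnet the firewall does not already know about produces no hits.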