03-02-2011 05:21 PM
I recently upgraded my ASA5055 from 8.02 to 8.4 and since I upgraded to the new version I can no longer access my network at home through the VPN. I can connect to the VPN with no issues however I can no longer ping or connect to my 10.0 network. Would someone be so kind to look at my config and tell me what needs to be added for this to operate? In my old config I had a NAT statement for the VPN which is no longer here.
Also I wanted to configure WebVPN to work as well and this is one thing that I have never been able to figure out. Is there also a way that I can be on my 20.0 network and connect to the VPN and access the 10.0 network as well? When connected to my 20.0 network I am not presented with the credentials to connect to the VPN. I would be thankful if someone can help me out. The most important part of this is the first part of this question.
My configuration:
ASA Version 8.4(1)
!
hostname ASA5505
domain-name xxxxxxxx.dyndns.org
enable password xxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
name 192.168.10.2 server
name 192.168.10.3 desktop
name 192.168.10.5 canon
name 192.168.10.6 mvix
name 192.168.10.7 xbox
name 192.168.10.8 dvr
name 192.168.10.9 bluray
name 192.168.10.10 lcd
name 192.168.10.11 mp620
name 192.168.10.12 kayla
name 192.168.1.1 asa5505
name 192.168.1.2 ap1
name 192.168.10.4 mvix2
name 192.168.10.13 lcd2
name 192.168.10.14 dvr2
!
interface Vlan1
nameif Management
security-level 100
ip address asa5505 255.255.255.248
management-only
!
interface Vlan2
mac-address 0050.8db6.8287
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan10
nameif Private
security-level 100
ip address 192.168.10.1 255.255.255.224
!
interface Vlan20
nameif Public
security-level 100
ip address 192.168.20.1 255.255.255.224
!
interface Ethernet0/0
description Pointing towards WAN
switchport access vlan 2
!
interface Ethernet0/1
description Uplink to Linksys port 12
switchport access vlan 10
!
interface Ethernet0/2
description Server 192.168.10.2/27
switchport access vlan 10
!
interface Ethernet0/3
description Uplink to Eth1 Management
!
interface Ethernet0/4
switchport access vlan 30
!
interface Ethernet0/5
switchport access vlan 30
!
interface Ethernet0/6
switchport access vlan 30
!
interface Ethernet0/7
description Cisco 1200 Access Point
switchport trunk allowed vlan 1,10,20
switchport trunk native vlan 1
switchport mode trunk
!
banner motd Authorized users only, all others must disconnect now!
boot system disk0:/asa841-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name xxxxxxx.dyndns.org
object network obj-192.168.50.0
subnet 192.168.50.0 255.255.255.0
object network server
host 192.168.10.2
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.224
object network obj-192.168.20.0
subnet 192.168.20.0 255.255.255.224
object network server-01
host 192.168.10.2
object network server-02
host 192.168.10.2
object network xbox
host 192.168.10.7
object network xbox-01
host 192.168.10.7
object network xbox-02
host 192.168.10.7
object network xbox-03
host 192.168.10.7
object network xbox-04
host 192.168.10.7
object network server-03
host 192.168.10.2
object network server-04
host 192.168.10.2
object network server-05
host 192.168.10.2
object network desktop
host 192.168.10.3
object network kayla
host 192.168.10.12
access-list Home_VPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.224
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq 2325
access-list outside_access_in extended permit tcp any object server eq ftp
access-list outside_access_in extended permit tcp any any eq 5851
access-list outside_access_in extended permit udp any any eq 5850
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit udp any any eq syslog
access-list outside_access_in extended permit udp any any eq 88
access-list outside_access_in extended permit udp any any eq 3074
access-list outside_access_in extended permit tcp any any eq 3074
access-list outside_access_in extended permit tcp any any eq domain
access-list outside_access_in extended permit udp any any eq domain
access-list outside_access_in extended permit tcp any any eq https
access-list outside_access_in extended permit tcp any object server eq ssh
access-list outside_access_in extended permit tcp any any eq 2322
access-list outside_access_in extended permit tcp any any eq 5900
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit udp any any eq 5852
access-list KaileY_splitTunnelAcl standard permit 192.168.10.0 255.255.255.224
pager lines 24
logging enable
logging timestamp
logging buffer-size 36000
logging buffered warnings
logging trap debugging
logging asdm informational
logging from-address xxxxxxx@yahoo.com
logging recipient-address xxxxxxxx@yahoo.com level errors
logging host Management server
mtu Management 1500
mtu outside 1500
mtu Private 1500
mtu Public 1500
ip local pool IPPOOL 192.168.50.2-192.168.50.10 mask 255.255.255.0
ip local pool VPN_POOL 192.168.100.2-192.168.100.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
!
object network server
nat (Private,outside) static interface service tcp ftp 5851
object network obj-192.168.10.0
nat (Private,outside) dynamic interface
object network obj-192.168.20.0
nat (Public,outside) dynamic interface
object network server-01
nat (Private,outside) static interface service tcp 2325 2325
object network server-02
nat (Private,outside) static interface service udp syslog syslog
object network xbox
nat (Private,outside) static interface service udp 88 88
object network xbox-01
nat (Private,outside) static interface service udp 3074 3074
object network xbox-02
nat (Private,outside) static interface service tcp 3074 3074
object network xbox-03
nat (Private,outside) static interface service tcp domain domain
object network xbox-04
nat (Private,outside) static interface service udp domain domain
object network server-03
nat (Private,outside) static interface service tcp https https
object network server-04
nat (Private,outside) static interface service tcp ssh 2322
object network server-05
nat (Private,outside) static interface service tcp 5900 5900
object network desktop
nat (Private,outside) static interface service tcp 3389 3389
object network kayla
nat (Private,outside) static interface service udp 5852 5852
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.248 Management
http redirect outside 80
snmp-server location Upstairs Office
snmp-server contact xxxxxxxx@yahoo.com
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.248 Management
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 30
management-access Management
dhcpd dns 24.205.1.14 66.215.64.14
dhcpd ping_timeout 750
dhcpd domain xxxxxxxx.dyndns.org
dhcpd auto_config outside
!
dhcpd address 192.168.1.4-192.168.1.5 Management
dhcpd enable Management
!
dhcpd address 192.168.10.20-192.168.10.30 Private
dhcpd enable Private
!
dhcpd address 192.168.20.2-192.168.20.30 Public
dhcpd enable Public
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.43.244.18
ntp server 129.6.15.28
webvpn
group-policy Home_VPN internal
group-policy Home_VPN attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol ikev1 ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Home_VPN_splitTunnelAcl
default-domain value www.xxxxxx.com
address-pools value IPPOOL
webvpn
url-list value ClientlessBookmark
group-policy KaileY internal
group-policy KaileY attributes
dns-server value 8.8.8.8 4.2.2.2
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value KaileY_splitTunnelAcl
default-domain value xxxxxxx.dyndns.org
username scottrog password xxxxxxxxxxxxxx encrypted privilege 0
username john password xxxxxxxxxxxxxxx encrypted privilege 0
username joek password xxxxxxxxxxxx encrypted privilege 0
username eostrike password xxxxxxxxxxxx encrypted privilege 15
username almostsi password xxxxxxxxxxxxxx encrypted privilege 0
username ezdelarosa password xxxxxxxxxxxxxx encrypted privilege 0
tunnel-group Home_VPN type remote-access
tunnel-group Home_VPN general-attributes
address-pool IPPOOL
authorization-server-group LOCAL
authorization-server-group (outside) LOCAL
default-group-policy Home_VPN
authorization-required
tunnel-group Home_VPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
tunnel-group ClientLESS type remote-access
tunnel-group KaileY type remote-access
tunnel-group KaileY general-attributes
address-pool VPN_POOL
default-group-policy KaileY
tunnel-group KaileY ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group-map default-group Home_VPN
!
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:438ed6084bb3dc956574b1ce83f52b86
: end
ASA5505#
03-02-2011 05:31 PM
Here are the NAT statements for your first question:
object network obj-192.168.100.0
subnet 192.168.100.0 255.255.255.0
nat (Private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.50.0 obj-192.168.50.0
nat (Private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0
And "clear xlate" after the above, and that should resolve your first issue.
Let me check out your second question and get back to you shortly.
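Why the two twice-NAT rules above fix the problem: ASA 8.3+ evaluates Section 1 (manual NAT) before Section 2 (object NAT), so without an identity rule the existing `nat (Private,outside) dynamic interface` PATs any inside host talking to the VPN pools and the replies never make it back through the tunnel. The script below is an added illustration, not part of this thread or any Cisco tool; it parses a constructed excerpt of the config posted above and reports which VPN pools still lack an identity rule from the Private VLAN.

```python
import ipaddress

# Constructed excerpt of the poster's 8.4 config: the VPN pools and the object NAT.
CONFIG = """
ip local pool IPPOOL 192.168.50.2-192.168.50.10 mask 255.255.255.0
ip local pool VPN_POOL 192.168.100.2-192.168.100.10 mask 255.255.255.0
object network obj-192.168.50.0
subnet 192.168.50.0 255.255.255.0
object network obj-192.168.10.0
subnet 192.168.10.0 255.255.255.224
object network obj-192.168.10.0
nat (Private,outside) dynamic interface
"""
# The new object and the two identity rules from the accepted answer.
FIX = """
object network obj-192.168.100.0
subnet 192.168.100.0 255.255.255.0
nat (Private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.50.0 obj-192.168.50.0
nat (Private,outside) source static obj-192.168.10.0 obj-192.168.10.0 destination static obj-192.168.100.0 obj-192.168.100.0
"""

def parse(text):
    """Collect network objects, VPN pools, Section 1 (manual) and Section 2 (object) NAT rules."""
    objs, pools, manual, auto, cur = {}, {}, [], [], None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[:2] == ["object", "network"]:
            cur = w[2]
        elif w[0] in ("subnet", "host"):
            objs[cur] = ipaddress.ip_network("/".join(w[1:]))  # host -> /32
        elif w[:3] == ["ip", "local", "pool"]:
            pools[w[3]] = tuple(map(ipaddress.ip_address, w[4].split("-")))
        elif w[0] == "nat" and w[2] == "source":
            # nat (in,out) source static REAL MAPPED destination static MAPPED REAL
            manual.append((w[4], w[5], w[9], w[8]))
        elif w[0] == "nat" and w[2] == "dynamic":
            auto.append(cur)  # object NAT: dynamic PAT of cur to the interface address
    return objs, pools, manual, auto

def lookup(cfg, src, dst):
    """How the ASA translates src->dst: Section 1 is searched first, then Section 2."""
    objs, _, manual, auto = cfg
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s_real, s_map, d_real, d_map in manual:
        if src in objs[s_real] and dst in objs[d_real]:
            return "identity" if (s_real, d_real) == (s_map, d_map) else "twice-nat"
    if any(src in objs[name] for name in auto):
        return "dynamic-pat"  # source rewritten to the outside address: VPN replies break
    return "none"

def unexempted_pools(cfg, inside_host):
    """VPN pools that inside_host would still reach through PAT, i.e. still broken."""
    pools = cfg[1]
    return sorted(n for n, (lo, _) in pools.items()
                  if lookup(cfg, inside_host, str(lo)) != "identity")
```

Calling `unexempted_pools(parse(CONFIG), "192.168.10.3")` lists both pools, and `unexempted_pools(parse(CONFIG + FIX), "192.168.10.3")` lists none; existing translations still need `clear xlate` before the new rules take effect for them.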
03-02-2011 05:43 PM
Jennifer,
Thank you for helping me on this. The obj- are completely throwing me off. I cannot test at the moment as I am at home, so I will try and test it tomorrow when at work or even go to a hotspot this evening. I did believe it was a NAT statement issue as well; I just could not figure out how to write it.
Again thank you and I will let you know if this fixed me up :-)
EricO
03-02-2011 05:57 PM
Great, and thanks for the update.
On your second and third questions:
2) WebVPN - please advise what you are planning to use the WebVPN for, and also if you have license for WebVPN?
3) I am not quite sure I understand the purpose of VPN when you are connected to 20.0 to access 10.0 because, as per the current config, both networks are directly connected to the ASA with the same security level, so with a few configurations you can access 10.0 from 20.0 directly and vice versa without any VPN required.
03-02-2011 09:01 PM
Update:
The reason I asked about being able to VPN from my directly connected device was to save me trips to my local hot spot to test this out. I am keeping my private and public networks separated. I no longer need this request as I was able to install the VPN client on my parents' PC and RDP to them and VPN back to test the connection.
When I connected back to my network through a remote VPN connection I was still not able to ping or connect to my 10.0 network. I believe I had an ACL for this however it did not work on the 8.02 to 8.4(1) upgrade. I did however add this statement just now and it started to work (sysopt connection permit-vpn). I am not sure if this is a good solution or if I should replace it with an ACL but at this time it is doing what I want it to.
As for WebVPN I have been wanting to set up the clientless browser based SSH VPN connection to my network. This way I can access my resources from anywhere on any PC.
Here is my ASA's licenses:
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 20 DMZ Unrestricted
Dual ISPs : Enabled perpetual
VLAN Trunk Ports : 8 perpetual
Inside Hosts : Unlimited perpetual
Failover : Active/Standby perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 25 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5505 Security Plus license.
ASA5505# sh flash
--#-- --length-- -----date/time------ path
107 4096 Apr 15 2009 07:16:08 sdesktop
121 1462 Apr 15 2009 07:16:08 sdesktop/data.xml
108 4181246 Sep 10 2008 06:51:48 securedesktop-asa-3.2.1.103-k9.pkg
109 398305 Sep 10 2008 06:52:08 sslclient-win-1.1.0.154.pkg
110 24938496 Feb 05 2011 20:43:28 asa841-k8.bin
6 4096 Sep 10 2008 06:54:46 crypto_archive
112 14137344 Apr 14 2009 20:31:32 asa804-k8.bin
113 15841428 Feb 05 2011 20:44:18 asdm-641.bin
3 4096 Apr 14 2009 20:48:58 log
114 7605252 Apr 14 2009 21:15:30 asdm-61551.bin
115 3032497 Apr 14 2009 22:14:34 anyconnect-win-2.3.0254-k9.pkg
116 8548 Feb 05 2011 20:47:16 8_0_4_0_startup_cfg.sav
12 4096 Feb 05 2011 20:47:24 coredumpinfo
13 59 Feb 05 2011 20:47:24 coredumpinfo/coredump.cfg
117 1757 Feb 05 2011 20:47:24 upgrade_startup_errors_201102060447.log
127111168 bytes total (56422400 bytes free)
ASA5505#
I want to thank you for helping me on this. Sad to admit that I have been working on my first issue off and on for over a week and could not figure it out.
03-05-2011 02:44 AM
Correct, you should enable "sysopt connection permit-vpn" to allow VPN traffic through, as it will only allow traffic through if it's from the VPN tunnel.
OK, based on your license, yes, you can configure and connect via WebVPN; however, you can only have 2 concurrent WebVPN connections.
You can configure SSH plugin with WebVPN to access your SSH device.
Here is a sample configuration on WebVPN to get started on the WebVPN configuration:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
Here is the sample configuration to import RDP Plug-in (but in your case, you will want to import SSH Plug-in):
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c0603.shtml
(The URL provides the same method for importing RDP Plug-in or SSH Plug-in, there is no sample config specifically for SSH Plugin but the process to import it is exactly the same)
Hope that helps.
03-05-2011 08:12 AM
Thank you Jennifer. I will give these examples a try and let you know the outcome. Again I appreciate your help.