Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
822
Views
0
Helpful
1
Replies

Unable to browse the web with iPad/iPhone using ipsec or l2tp ipsec vpn setups

seckinozbayraktar
Level 1
Level 1

‎04-05-2013 02:46 AM - edited ‎02-21-2020 06:48 PM

Hi everyone,

I really worked hard not to write this question here but here I am. I am trying to route all traffic through vpn but I cant browse the web. It seems no traffic goes through the vpn tunnel. Split tunneling works but it doesnt route the traffic through vpn tunnel.  I have a cisco asa5505 with base license,

When I try to browse the web with one of the clients  I see lots of 

6Apr 07 201309:40:55
10.10.50.136088410.10.10.153

Built inbound UDP connection 834 for outside:10.10.50.13/60884 (10.10.50.13/60884) to outside:10.10.10.1/53 (10.10.10.1/53) (xxxx

messages but at the end I see " Safari could not open the page because the server stopped responding" message or smth similar.

My setup is 

       Vpn Clients         ======  asa5505   ==========   CiscoLinksysEA4500 Router   ========  ISPProvidedFiberConverterDevice(huawei)

10.10.30.10-10.10.30.50            10.10.10.2(outside int)               10.10.10.1(inside)  PPOE(outside)

sshqasa# show run

: Saved

:

ASA Version 8.4(2)

!

hostname sshqasa

enable password xxxxx encrypted

passwd xxxxxx encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!            

interface Vlan1

description INSIDE NETWORK

nameif inside

security-level 100

ip address 10.10.20.1 255.255.255.0

!

interface Vlan2

description OUTSIDE NETWORK

nameif outside

security-level 0

ip address 10.10.10.2 255.255.255.0

!

ftp mode passive

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_10.10.30.0_27

subnet 10.10.30.0 255.255.255.224

object network Router

host 10.10.10.1

description SSHQ ROUTER

access-list outside-in extended permit icmp any any

access-list outside-in extended permit tcp any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

ip local pool VPNPOOL 10.10.30.1-10.10.30.30 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (outside,outside) source static any any destination static NETWORK_OBJ_10.10.30.0_27 NETWORK_OBJ_10.10.30.0_27 no-proxy-arp route-lookup

nat (outside,outside) source static NETWORK_OBJ_10.10.30.0_27 NETWORK_OBJ_10.10.30.0_27 destination static Router Router

!

object network obj_any

nat (inside,outside) dynamic interface

object network Router

nat (any,outside) dynamic interface

route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy sshqvpngroup internal

group-policy sshqvpngroup attributes

wins-server value 8.8.8.8 8.8.4.4

dns-server value 8.8.8.8 8.8.4.4

vpn-tunnel-protocol ikev1

username penguen password xxxxx encrypted

username slyone password xxxxx encrypted privilege 15

tunnel-group sshqvpngroup type remote-access

tunnel-group sshqvpngroup general-attributes

address-pool VPNPOOL

default-group-policy sshqvpngroup

tunnel-group sshqvpngroup ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:644588c1566c9f3e899e3837d0b7c260

: end 

Any help will be truly appreciated.

Message was edited by: seckin ozbayraktar

Labels:
0 Helpful
1 Reply 1

seckinozbayraktar
Level 1
Level 1

‎04-08-2013 08:17 AM

I fixed it. thank you for reading.

0 Helpful
Customers Also Viewed These Support Documents