Urgent Issue: vpn remote users cant reach dmz server

Dear all,

I have an ASA 5510 firewall to which remote VPN client users can connect, but they can't ping or access the DMZ server (192.168.3.5).

They also can't ping the outside interface (192.168.2.10). Below is the show run; please help.

asa5510(config)# sh run
: Saved
:
: Serial Number: JMX1243L2BE
: Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1599 MHz
:
ASA Version 8.2(5)55
!
hostname Majed
enable password UFWSxxKWdnx8am8f encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.2.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
interface Ethernet0/2
 nameif servers
 security-level 90
 ip address 192.168.3.10 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa825-55-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_outside extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl_outside extended permit icmp 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl_outside extended permit ip any any
access-list acl_outside extended permit icmp any any
access-list acl_inside extended permit ip host 192.168.1.150 192.168.5.0 255.255.255.0
access-list acl_inside extended permit icmp host 192.168.1.150 192.168.5.0 255.255.255.0
access-list acl_inside extended permit ip host 192.168.1.200 192.168.5.0 255.255.255.0
access-list acl_inside extended permit icmp host 192.168.1.200 192.168.5.0 255.255.255.0
access-list acl_inside extended permit ip host 192.168.1.13 192.168.5.0 255.255.255.0
access-list acl_inside extended permit icmp host 192.168.1.13 192.168.5.0 255.255.255.0
access-list acl_inside extended permit ip 192.168.1.0 255.255.255.0 host 192.168.3.5
access-list acl_inside extended permit icmp 192.168.1.0 255.255.255.0 host 192.168.3.5
access-list acl_inside extended deny ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list acl_inside extended deny icmp 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list acl_inside extended permit ip any any
access-list acl_inside extended permit icmp any any
access-list acl_server extended permit ip any any
access-list acl_server extended permit icmp any any
access-list Local_LAN_Access standard permit 10.0.0.0 255.0.0.0
access-list Local_LAN_Access standard permit 172.16.0.0 255.240.0.0
access-list Local_LAN_Access standard permit 192.168.0.0 255.255.0.0
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list acl_servers extended permit ip any any
access-list acl_servers extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu servers 1500
ip local pool vpnpool 192.168.5.1-192.168.5.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (servers) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 192.168.1.4 255.255.255.255
nat (inside) 1 192.168.1.9 255.255.255.255
nat (inside) 1 192.168.1.27 255.255.255.255
nat (inside) 1 192.168.1.56 255.255.255.255
nat (inside) 1 192.168.1.150 255.255.255.255
nat (inside) 1 192.168.1.200 255.255.255.255
nat (inside) 1 192.168.2.5 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.1.96 192.168.1.96
nat (servers) 0 access-list nat0
nat (servers) 1 192.168.3.5 255.255.255.255
static (inside,servers) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (servers,inside) 192.168.3.5 192.168.3.5 netmask 255.255.255.255
access-group acl_outside in interface outside
access-group acl_servers in interface servers
route outside 0.0.0.0 0.0.0.0 192.168.2.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.3.5 255.255.255.255 servers
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map Outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map Outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 servers
telnet 192.168.38.0 255.255.255.0 servers
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access
 nem enable
username qaedah password Ipsf4W9G6cGueuSu encrypted
username moneef password FLlCyoJakDnWMxSQ encrypted
username sabeen password X7ESmrqNBIo5eQO9 encrypted
username sanaa2 password zHa8FdVVTkIgfomY encrypted
username sanaa password x5fVXsDxboIhq68A encrypted
username sanaa1 password x5fVXsDxboIhq68A encrypted
username bajel password DygNLmMkXoZQ3.DX encrypted privilege 15
username daris password BgGTY7d1Rfi8P2zH encrypted
username taiz password Ip3HNgc.pYhYGaQT encrypted
username damt password gz1OUfAq9Ro2NJoR encrypted privilege 15
username aden password MDmCEhcRe64OxrQv encrypted
username hodaidah password IYcjP/rqPitKHgyc encrypted
username yareem password ctC9wXl2EwdhH2XY encrypted
username mdmd password ZwYsE3.Hs2/vAChB encrypted
username haja password Q25wF61GjmyJRkjS encrypted
username cisco password 3USUcOPFUiMCO4Jk encrypted
username ibbmr password CNnADp0CvQzcjBY5 encrypted
username IBBR password oJNIDNCT0fBV3OSi encrypted
username ibbr password 2Mx3uA4acAbE8UOp encrypted
username ibbr1 password wiq4lRSHUb3geBaN encrypted
username TORBA password C0eUqr.qWxsD5WNj encrypted
username shibam password xJaTjWRZyXM34ou. encrypted
username ibbreef password 2Mx3uA4acAbE8UOp encrypted
username torbah password r3IGnotSy1cddNer encrypted
username thamar password 1JatoqUxf3q9ivcu encrypted
username dhamar password pJdo55.oSunKSvIO encrypted
username main password jsQQRH/5GU772TkF encrypted
username main1 password ef7y88xzPo6o9m1E encrypted
username maeen password OYXnAYHuV80bB0TH encrypted
username majed password 7I3uhzgJNvIwi2qS encrypted
username lahj password qOAZDON5RwD6GbnI encrypted
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
 address-pool vpnpool
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
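As an added example, not code from the thread: the script below parses a constructed excerpt of the posted running-config and answers three questions a reviewer checks first when a VPN client connects but cannot reach a DMZ host: whether the host falls inside the split-tunnel list, whether the client pool is NAT-exempt on the DMZ interface, and whether ISAKMP NAT-T is enabled (the config carries `no crypto isakmp nat-traversal`, and without NAT-T a client behind a NAT device can complete IKE yet pass no ESP traffic). The helper names take, parse and check and the findings dictionary are the example's own assumptions.

```python
import ipaddress
# Constructed excerpt of the ASA 8.2 running-config posted above; only the lines read below.
CONFIG = """\
ip local pool vpnpool 192.168.5.1-192.168.5.100 mask 255.255.255.0
access-list Local_LAN_Access standard permit 192.168.0.0 255.255.0.0
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
nat (servers) 0 access-list nat0
 split-tunnel-network-list value Local_LAN_Access
no crypto isakmp nat-traversal
"""

def take(t, i):
    """Read one ACL address term at t[i] ('any', 'host A' or 'A MASK'); returns (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse(cfg):
    """Collect the address pool, permit ACEs per ACL, nat 0 bindings, split-tunnel list and NAT-T state."""
    c = {"pool": None, "acls": {}, "nat0": {}, "split": None, "natt": True}
    for line in cfg.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            c["pool"] = tuple(ipaddress.ip_address(a) for a in t[4].split("-"))
        elif t[:1] == ["access-list"] and t[2:4] == ["standard", "permit"]:
            c["acls"].setdefault(t[1], []).append((take(t, 4)[0], None))
        elif t[:1] == ["access-list"] and t[2:4] == ["extended", "permit"]:
            src, i = take(t, 5)
            c["acls"].setdefault(t[1], []).append((src, take(t, i)[0]))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"]:
            c["nat0"][t[1].strip("()")] = t[4]  # interface -> its NAT-exemption ACL
        elif t[:1] == ["split-tunnel-network-list"]:
            c["split"] = t[2]
        elif t[:4] == ["no", "crypto", "isakmp", "nat-traversal"]:
            c["natt"] = False
    return c

def check(cfg, dmz_host, dmz_ifc):
    """Three yes/no findings for 'VPN client cannot reach dmz_host behind interface dmz_ifc'."""
    c = parse(cfg)
    host = ipaddress.ip_network(dmz_host)
    pool_in = lambda n: all(a in n for a in c["pool"])  # whole client pool lies inside n
    exempt = c["acls"].get(c["nat0"].get(dmz_ifc, ""), [])
    return {
        "dmz_host_in_split_tunnel_list": any(host.subnet_of(s) for s, _ in c["acls"].get(c["split"], [])),
        "pool_nat_exempt_on_dmz_interface": any(host.subnet_of(s) and pool_in(d) for s, d in exempt),
        "isakmp_nat_traversal_enabled": c["natt"],
    }
```

Run against the full show run, the same three findings tell you which part of the path (split tunnel, NAT exemption, or NAT-T) to look at before touching the server's own gateway or host firewall.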

Ok brother,

I'll do it in another post; please try to help, as my issue still exists after days.

regards,