
Urgent Issue: VPN remote users can't reach DMZ server

Dear all,

I have an ASA 5510 firewall to which remote VPN client users can connect, but they can't ping or access the DMZ server (192.168.3.5).

They also can't ping the outside interface (192.168.2.10). Below is the show run; please help.

sh run

 

asa5510(config)# sh run
: Saved
:
: Serial Number: JMX1243L2BE
: Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1599 MHz
:
ASA Version 8.2(5)55
!
hostname Majed
enable password UFWSxxKWdnx8am8f encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.2.10 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.10 255.255.255.0
!
interface Ethernet0/2
 nameif servers
 security-level 90
 ip address 192.168.3.10 255.255.255.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa825-55-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list acl_outside extended permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl_outside extended permit icmp 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl_outside extended permit ip any any
access-list acl_outside extended permit icmp any any
access-list acl_inside extended permit ip host 192.168.1.150 192.168.5.0 255.255.255.0
access-list acl_inside extended permit icmp host 192.168.1.150 192.168.5.0 255.255.255.0
access-list acl_inside extended permit ip host 192.168.1.200 192.168.5.0 255.255.255.0
access-list acl_inside extended permit icmp host 192.168.1.200 192.168.5.0 255.255.255.0
access-list acl_inside extended permit ip host 192.168.1.13 192.168.5.0 255.255.255.0
access-list acl_inside extended permit icmp host 192.168.1.13 192.168.5.0 255.255.255.0
access-list acl_inside extended permit ip 192.168.1.0 255.255.255.0 host 192.168.3.5
access-list acl_inside extended permit icmp 192.168.1.0 255.255.255.0 host 192.168.3.5
access-list acl_inside extended deny ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list acl_inside extended deny icmp 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list acl_inside extended permit ip any any
access-list acl_inside extended permit icmp any any
access-list acl_server extended permit ip any any
access-list acl_server extended permit icmp any any
access-list Local_LAN_Access standard permit 10.0.0.0 255.0.0.0
access-list Local_LAN_Access standard permit 172.16.0.0 255.240.0.0
access-list Local_LAN_Access standard permit 192.168.0.0 255.255.0.0
access-list nat0 extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list acl_servers extended permit ip any any
access-list acl_servers extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu servers 1500
ip local pool vpnpool 192.168.5.1-192.168.5.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (servers) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 192.168.1.4 255.255.255.255
nat (inside) 1 192.168.1.9 255.255.255.255
nat (inside) 1 192.168.1.27 255.255.255.255
nat (inside) 1 192.168.1.56 255.255.255.255
nat (inside) 1 192.168.1.150 255.255.255.255
nat (inside) 1 192.168.1.200 255.255.255.255
nat (inside) 1 192.168.2.5 255.255.255.255
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.1.96 192.168.1.96
nat (servers) 0 access-list nat0
nat (servers) 1 192.168.3.5 255.255.255.255
static (inside,servers) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (servers,inside) 192.168.3.5 192.168.3.5 netmask 255.255.255.255
access-group acl_outside in interface outside
access-group acl_servers in interface servers
route outside 0.0.0.0 0.0.0.0 192.168.2.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.3.5 255.255.255.255 servers
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds288000
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map Outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map Outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.2.0 255.255.255.0 outside
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.3.0 255.255.255.0 servers
telnet 192.168.38.0 255.255.255.0 servers
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpn internal
group-policy vpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access
 nem enable
username qaedah password Ipsf4W9G6cGueuSu encrypted
username moneef password FLlCyoJakDnWMxSQ encrypted
username sabeen password X7ESmrqNBIo5eQO9 encrypted
username sanaa2 password zHa8FdVVTkIgfomY encrypted
username sanaa password x5fVXsDxboIhq68A encrypted
username sanaa1 password x5fVXsDxboIhq68A encrypted
username bajel password DygNLmMkXoZQ3.DX encrypted privilege 15
username daris password BgGTY7d1Rfi8P2zH encrypted
username taiz password Ip3HNgc.pYhYGaQT encrypted
username damt password gz1OUfAq9Ro2NJoR encrypted privilege 15
username aden password MDmCEhcRe64OxrQv encrypted
username hodaidah password IYcjP/rqPitKHgyc encrypted
username yareem password ctC9wXl2EwdhH2XY encrypted
username mdmd password ZwYsE3.Hs2/vAChB encrypted
username haja password Q25wF61GjmyJRkjS encrypted
username cisco password 3USUcOPFUiMCO4Jk encrypted
username ibbmr password CNnADp0CvQzcjBY5 encrypted
username IBBR password oJNIDNCT0fBV3OSi encrypted
username ibbr password 2Mx3uA4acAbE8UOp encrypted
username ibbr1 password wiq4lRSHUb3geBaN encrypted
username TORBA password C0eUqr.qWxsD5WNj encrypted
username shibam password xJaTjWRZyXM34ou. encrypted
username ibbreef password 2Mx3uA4acAbE8UOp encrypted
username torbah password r3IGnotSy1cddNer encrypted
username thamar password 1JatoqUxf3q9ivcu encrypted
username dhamar password pJdo55.oSunKSvIO encrypted
username main password jsQQRH/5GU772TkF encrypted
username main1 password ef7y88xzPo6o9m1E encrypted
username maeen password OYXnAYHuV80bB0TH encrypted
username majed password 7I3uhzgJNvIwi2qS encrypted
username lahj password qOAZDON5RwD6GbnI encrypted
tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
 address-pool vpnpool
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
 


Hello Br. Mohammed,

"my asa5510 to work easy vpn as server & client at the same time.???"

Yes, it can function as a client and server at the same time.

I have never seen anyone do it, but from many years of experience I have no reason to think it cannot work, since the client and server configurations are independent of each other.

 

Does your ASA, functioning as a server, use the "DefaultL2LGroup", or does it use a standard group-policy and tunnel-group mapped to the remote ASA clients?

 

Thanks 



rizwanr74

I checked your config and it all seems to be fine.

 

Can you remove this line and try again: "global (servers) 1 interface".

I am not sure what it is doing there.

 

thanks

 

Thanks for your reply,

but my issue is with the site-to-site VPN: I can't add the command "tunnel-group vpn type ipsec-l2l" on the 5510 at HQ.

Attached are the show run outputs for both the HQ and the branch 5505.

Can you help, please?

Here is an example of how you can set the type of a tunnel group.

For an ipsec-l2l tunnel group, the name must be the peer's actual IP address, as in the example below.

 

tunnel-group 152.145.125.120 type ipsec-l2l
tunnel-group 152.145.125.120 ipsec-attributes
 pre-shared-key abcdefegh

Hi Rizwan,

I am trying to set up an EasyVPN server/client.

Unfortunately, the EZVPN server/client setup between HQ (5510) and the branch (5510) does not work, despite my having checked everything:

The config seems to be OK (I also checked the pre-shared key), but maybe you can spot something, as you are more experienced than me.

EZvpn client 5505:

vpnclient server 82.114.183.53
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup vpn password *****
vpnclient username sabeen password *****
vpnclient enable

EZvpn Server 5510:

access-list Local_LAN_Access standard permit 10.0.0.0 255.0.0.0 
access-list Local_LAN_Access standard permit 172.16.0.0 255.240.0.0 
access-list Local_LAN_Access standard permit 192.168.0.0 255.255.0.0 

!
group-policy vpn internal
group-policy vpn attributes
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Local_LAN_Access
 nem enable

username sabeen password X7ESmrqNBIo5eQO9 encrypted

!

tunnel-group vpn type remote-access
tunnel-group vpn general-attributes
 address-pool vpnpool
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *****
!

The rest of the EZVPN server config is in the attachment, along with the 5505.

Looking forward to hearing from you.

regards,

Br. Mohammed,

 

Are you aware that, in a server/client site-to-site VPN setup, only the client can initiate traffic?

 

When the tunnel is not established, you can never initiate or establish it from the server side; it is always brought up from the client side alone.

Let me know if this is what you want to achieve.

 

thanks

Rizwan Rafeek.

Dear Brother Rizwan,

Sorry for being late. Yes, I am aware of the information above.

I want to ask you whether I can use my ASA 5510 as an EasyVPN server and client at the same time.

That is, it would act as a client to another ASA 5510 and as a server for an ASA 5505 — is this possible? Or should I configure both ASA 5510s as site-to-site peers (both have static public IP addresses) while it also acts as a server for the ASA 5505?

Thanks again.

Hello Br. Mohammed,

"my asa5510 to work easy vpn as server & client at the same time.???"

Yes, it can function as a client and server at the same time.

I have never seen anyone do it, but from many years of experience I have no reason to think it cannot work, since the client and server configurations are independent of each other.

 

Does your ASA, functioning as a server, use the "DefaultL2LGroup", or does it use a standard group-policy and tunnel-group mapped to the remote ASA clients?

 

Thanks 

Dear Rizwan,

My current ASA functions as an EasyVPN server and, as you said, it can work as a client at the same time, but when I try to add the command "vpnclient server 82.114.183.53", I can't; it doesn't recognize the vpnclient command.

Does this mean it can't work as a client at the same time?

If so, what commands do I have to remove to make the vpnclient command recognized? Is it the ones below, or something else?

tunnel-group vpn type remote-access
tunnel-group vpn general-attributes

 

thanks again,

Are you using server mode under the "DefaultL2LGroup"?

 

Have you tried the command "vpnclient enable" before?

 

Hi Mr. Rizwan,

Yes, I tried the "vpnclient enable" command before, but it doesn't recognize the vpnclient command while the attached config exists.

What do you mean by DefaultL2LGroup? I need to enable vpnclient using the attached config. Is that possible, or do I have to remove the commands that relate to the EasyVPN server, such as:

  • tunnel-group
  • group-policy
  • crypto maps
  • ISAKMP policies
  • transform-sets?

Try using the dynamic DefaultL2LGroup in place of the group-policy and tunnel-group for the remote VPN client. The URL below shows a simple example. On the server side there is no need for a group-policy and tunnel-group, and on the remote VPN client side you would use a static tunnel to the dynamic VPN server.

That way, your VPN server functions as a VPN server and can function as a static client as well.

It is more flexible than your current setup.

 

https://www.fir3net.com/Firewalls/Cisco/how-to-configure-a-cisco-asa-site-to-site-vpn-between-a-static-and-dynamic-ip-based-peers.html

ok Rizwan,

I'll try doing it; thanks for your continued help.

regards,

Dear Rizwan,

Can you please help regarding the below? Thanks in advance.

HQ, which is configured to accept remote VPN clients using a crypto map, is also configured for a dynamic VPN with the branch.

HQ's static public IP is 82.114.179.120, its Tunnel10 IP is 172.16.10.1, and its local LAN is 192.168.1.0.

The branch has a dynamic public IP, a Tunnel10 IP of 172.16.10.32, and a local LAN of 192.168.32.0. It is also configured with Tunnel0 to another HQ, which works fine.

The branch LAN (192.168.32.0) needs to access the HQ LAN (192.168.1.0).

HQ:


aaa authentication login acs local
aaa authorization network acs local
!
aaa session-id common
!
ip cef
!

ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!

redundancy
!

controller VDSL 0/1/0
!

crypto keyring ccp-dmvpn-keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key users@NAMA
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 3600 5
crypto isakmp nat keepalive 3600
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group NAMA
 key namanama
 pool mypool
 acl 101
 save-password
crypto isakmp profile ccp-dmvpn-isakmprofile
   keyring ccp-dmvpn-keyring
   match identity address 0.0.0.0
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
 mode transport
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5
 set isakmp-profile ccp-dmvpn-isakmprofile
!

crypto dynamic-map map 10
 set transform-set test
 reverse-route
!
crypto map i-map client authentication list acs
crypto map i-map isakmp authorization list acs
crypto map i-map client configuration address respond
crypto map i-map 10 ipsec-isakmp dynamic map

!
interface Tunnel10
 bandwidth 1000
 ip address 172.16.10.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 delay 1000
 shutdown
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface ATM0/1/0
 description DSL Interface
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1

!
interface Dialer0
 no ip address
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname nama20004
 ppp chap password 0 220004
 ppp pap sent-username nama20004 password 0 220004
 crypto map i-map
!
ip local pool mypool 192.168.30.1 192.168.30.100
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip nat inside source list 171 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.32.0 255.255.255.0 172.16.10.32
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny   ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.2
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.35.0 0.0.0.2
access-list 171 deny   ip 192.168.1.0 0.0.0.255 192.168.32.0 0.0.0.2
access-list 171 permit ip any any
dialer-list 2 protocol ip permit
!

HQ#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
82.114.179.120  78.137.84.92    CONF_XAUTH        1486 ACTIVE
82.114.179.120  78.137.84.92    MM_NO_STATE       1483 ACTIVE (deleted)
82.114.179.120  78.137.84.92    MM_NO_STATE       1482 ACTIVE (deleted)


Branch show run:

!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key users@NAMA address 82.114.179.105
crypto isakmp key users@NAMA address 82.114.179.120
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac comp-lzs
 mode transport
crypto ipsec transform-set To-Taiz esp-aes esp-md5-hmac comp-lzs
 mode transport
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-AES-MD5
!
crypto ipsec profile To-Taiz-Profile
 set transform-set To-Taiz
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.32 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 172.16.0.1 82.114.179.105
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.0.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer0
 tunnel destination 82.114.179.105
 tunnel key 100000
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Tunnel10
 bandwidth 1000
 ip address 172.16.10.32 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 172.16.10.1 82.114.179.120
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.10.1
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer0
 tunnel destination 82.114.179.120
 tunnel key 22334455
 tunnel protection ipsec profile To-Taiz-Profile
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 description ## CONNECT TO LAN ##
 no ip address
!
interface FastEthernet1
 description ## CONNECT TO LAN ##
 no ip address
!
interface FastEthernet2
 description ## CONNECT TO LAN ##
 no ip address
!
interface FastEthernet3
 description ## CONNECT TO LAN ##
 no ip address
!
interface Vlan1
 description ## LAN INTERFACE ##
 ip dhcp client hostname none
 ip address 192.168.32.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname mohammadaa
 ppp chap password 0 123456
 ppp pap sent-username mohammadaa password 0 123456
!
ip forward-protocol nd
ip http server
ip http access-class 10
ip http authentication local
no ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.255.0 172.16.0.1
ip route 192.168.1.0 255.255.255.0 172.16.10.1
!
ip sla auto discovery
dialer-list 1 protocol ip permit
!
access-list 1 permit 192.168.32.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.0.0 0.0.0.255
!

Branch#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
82.114.179.120  78.137.84.92    MM_NO_STATE       2061 ACTIVE (deleted)
82.114.179.120  78.137.84.92    MM_NO_STATE       2060 ACTIVE (deleted)

Hello Mohammed,

 

Please delete your very last post on this thread and open a new thread for this request; I will look into it for you.

Mixing different requests and issues in one thread is extremely confusing to readers, and it will not help you or other readers resolve your technical issue.

 

If this thread has been resolved, please mark it as answered.

 

thanks