User can't access the remote VPN behind the ASA

shoaibfarooq82
Level 1

Dear Fellows,

I have a question: my users can't dial the remote VPN from behind the ASA. They are some financial guys and need to access the VPN of some bank, but they can't dial.

I have a setup in which, on the front, there is Router--->ASA--->Core---->User

But users are complaining that they can't access the VPN. Below is the configuration that I have done on my ASA:

=======================================

ASA Version 7.2(4)

interface Ethernet0/0
nameif Outside
security-level 90
ip address 221.120.194.18 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.1.10.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only

access-list 1 extended permit icmp any host x.x.x.x echo-reply
access-list 1 extended permit tcp any host x.x.x.x eq www
access-list 1 extended permit tcp any host x.x.x.x eq 1533
access-list 1 extended permit icmp any host x.x.x.x echo
access-list 1 extended permit tcp any host x.x.x.x eq www
access-list 1 extended permit tcp any host x.x.x.x eq 8642
access-list 1 extended permit tcp any host x.x.x.x eq 4500
access-list 1 extended permit tcp any host x.x.x.x eq 5000

global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) x.x.x.x 10.1.10.9 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.3 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.4 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.8 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.10 netmask 255.255.255.255
access-group 1 in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1

policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp

=====================================================================

x represents the public IP addresses.

Waiting for the reply.

Regards,

2 Replies

shoaibfarooq82
Level 1

Kindly see the error file attached.

avishanmuz
Level 1

Shoaib, this is the more updated copy of my ASA:

================================================================

ASA Version 7.2(4)

interface Ethernet0/0
nameif Outside
security-level 90
ip address x.x.x.x 255.255.255.240
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.1.10.2 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone PKT 5
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list 1 extended permit icmp any host x.x.x.x echo-reply
access-list 1 extended permit tcp any host x.x.x.x eq www
access-list 1 extended permit tcp any host x.x.x.x eq 1533
access-list 1 extended permit icmp any host x.x.x.x echo
access-list 1 extended permit tcp any host x.x.x.x eq www
access-list 1 extended permit tcp any host x.x.x.x eq 8642
access-list 1 extended permit tcp any host x.x.x.x
access-list 1 extended permit ip any host x.x.x.x
access-list 1 extended permit ip any any
access-list 1 extended permit gre any host x.x.x.x
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) x.x.x.x 10.1.10.9 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.3 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.4 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.8 netmask 255.255.255.255
static (Inside,Outside) x.x.x.x 10.1.10.10 netmask 255.255.255.255
access-group 1 in interface Outside
route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 Inside
http 10.1.10.0 255.255.255.255 Inside
http 58.27.246.10 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 10.1.10.0 255.255.255.0 Inside
telnet timeout 1000
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp

====================================================================================================
X represents the public IP addresses.
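The two posted configurations differ mainly in the inbound ACL on Outside: the first post permits a handful of TCP ports (including 4500, which is the UDP NAT-T port, not a TCP one) to the static-NAT hosts, while the "more updated copy" adds `permit tcp any host`, `permit ip any host` and finally `permit ip any any`, which admits all inbound traffic and makes every other entry redundant. The following script is an added example, not code from either poster or from Cisco: it parses `access-list ... extended` lines into structured entries, flags entries that are broader than a per-service ACL should be, reports exact duplicates, and reports which of the well-known remote-access VPN protocols (IPsec: UDP/500, UDP/4500, ESP; PPTP: TCP/1723 plus GRE) each ACL admits. The two ACLs embedded below are copied from the posts above; the function names, the `VPN_REQUIREMENTS` table and the choice of checks are this example's own, and it makes no claim about the cause of the reported dial failure (the attached error file is not on the page).

```python
"""Audit inbound Cisco ASA 7.2 access-lists for breadth and VPN passthrough.

Added example (not from the thread or from Cisco).  Parses
`access-list NAME extended permit|deny PROTO SRC DST [eq PORT | ICMP-TYPE]`.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Service names the ASA prints instead of numbers, as far as this example needs.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "isakmp": 500, "pptp": 1723}

# What a remote-access VPN needs admitted (this example's own table):
# IPsec = IKE UDP/500, NAT-T UDP/4500, ESP (IP proto 50); PPTP = TCP/1723 + GRE.
VPN_REQUIREMENTS = {
    "ipsec": [("udp", 500), ("udp", 4500), ("esp", None)],
    "pptp": [("tcp", 1723), ("gre", None)],
}

ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)(?:\s+(?:eq\s+)?(?P<arg>\S+))?\s*$"
)


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: str
    dst: str
    port: Optional[int] = None       # destination port for tcp/udp entries
    icmp_type: Optional[str] = None  # echo, echo-reply, ... for icmp entries


def parse_acl(config: str) -> list:
    """Return the access-list entries in `config`, in configuration order."""
    aces = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # interface, nat, static ... lines are ignored
        port = icmp_type = None
        arg = m.group("arg")
        if arg is not None and m.group("proto") == "icmp":
            icmp_type = arg
        elif arg is not None:
            if arg not in PORT_NAMES and not arg.isdigit():
                raise ValueError(f"unknown service name {arg!r}")
            port = PORT_NAMES.get(arg) or int(arg)
        aces.append(Ace(m.group("action"), m.group("proto"),
                        " ".join(m.group("src").split()),
                        " ".join(m.group("dst").split()), port, icmp_type))
    return aces


def admits(aces, proto, port):
    """True if some permit entry admits proto/port to at least one host."""
    for a in aces:
        if a.action != "permit":
            continue
        if a.proto == "ip":  # 'ip' covers every protocol to that destination
            return True
        if a.proto == proto and (a.port is None or a.port == port):
            return True
    return False


def audit_breadth(aces):
    """Findings about entries broader than a per-service ACL should be."""
    findings, seen = [], set()
    for n, a in enumerate(aces, start=1):
        if a.action == "permit" and a.proto == "ip" and a.src == "any" and a.dst == "any":
            findings.append(f"ACE {n}: 'permit ip any any' admits all inbound traffic; "
                            "the remaining entries are redundant")
        elif a.action == "permit" and a.proto == "ip":
            findings.append(f"ACE {n}: permits every protocol to {a.dst}")
        elif a.action == "permit" and a.proto in ("tcp", "udp") and a.port is None:
            findings.append(f"ACE {n}: permits every {a.proto} port to {a.dst}")
        if a in seen:
            findings.append(f"ACE {n}: exact duplicate of an earlier entry")
        seen.add(a)
    return findings


def audit_vpn(aces):
    """Per VPN type, the (proto, port) pairs still not admitted, plus any tcp
    entries on the IKE/NAT-T ports, which are UDP services and so do not help."""
    missing = {name: [need for need in needs if not admits(aces, *need)]
               for name, needs in VPN_REQUIREMENTS.items()}
    wrong_l4 = [a.port for a in aces
                if a.action == "permit" and a.proto == "tcp" and a.port in (500, 4500)]
    return missing, wrong_l4


# ACL from the first post (copied; x.x.x.x is the poster's placeholder).
FIRST_POST_ACL = """\
access-list 1 extended permit icmp any host x.x.x.x echo-reply
access-list 1 extended permit tcp any host x.x.x.x eq www
access-list 1 extended permit tcp any host x.x.x.x eq 1533
access-list 1 extended permit icmp any host x.x.x.x echo
access-list 1 extended permit tcp any host x.x.x.x eq www
access-list 1 extended permit tcp any host x.x.x.x eq 8642
access-list 1 extended permit tcp any host x.x.x.x eq 4500
access-list 1 extended permit tcp any host x.x.x.x eq 5000
"""

# ACL from the reply's "more updated copy" (copied).
SECOND_POST_ACL = """\
access-list 1 extended permit icmp any host x.x.x.x echo-reply
access-list 1 extended permit tcp any host x.x.x.x eq www
access-list 1 extended permit tcp any host x.x.x.x eq 1533
access-list 1 extended permit icmp any host x.x.x.x echo
access-list 1 extended permit tcp any host x.x.x.x eq www
access-list 1 extended permit tcp any host x.x.x.x eq 8642
access-list 1 extended permit tcp any host x.x.x.x
access-list 1 extended permit ip any host x.x.x.x
access-list 1 extended permit ip any any
access-list 1 extended permit gre any host x.x.x.x
"""

if __name__ == "__main__":
    for label, text in (("first post", FIRST_POST_ACL), ("reply", SECOND_POST_ACL)):
        aces = parse_acl(text)
        print(f"== {label}: {len(aces)} entries")
        for f in audit_breadth(aces):
            print("  breadth:", f)
        missing, wrong_l4 = audit_vpn(aces)
        for vpn, needs in missing.items():
            print(f"  {vpn}: not admitted {needs or 'nothing'}")
        if wrong_l4:
            print(f"  tcp used on UDP-only VPN ports: {wrong_l4}")
```

Run against the first ACL it reports the duplicated `eq www` entry, that none of the IPsec or PPTP requirements are admitted, and that port 4500 appears as TCP. Against the second it reports that `permit ip any any` (and the `permit ip any host` / `permit tcp any host` entries before it) admit everything, so the VPN check passes only because the Outside interface is effectively open; the inbound ACL is not the place to fix an outbound client problem, and the stateful ASA already returns traffic for UDP flows the inside clients start.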