11-29-2013 04:08 AM
ASA Version 8.2(5)
! NOTE(review): 8.2 train, pre-8.3 NAT syntax (global/nat/static). The notes below assume 8.2 semantics.
!
hostname FIREWALLP01
domain-name MYDOMAIN.local
! The enable/login secrets are masked in this paste; the "username test" hash further down is not.
enable password **** encrypted
passwd **** encrypted
names
name 192.168.90.2 SERVERP02
name 192.168.90.3 SERVERP03
name 192.168.92.4 SERVERP04
name XXX.YYY.ZZZ.91 Pubblica_HTTP
name XXX.YYY.ZZZ.88 Pubblica_SIADSL-network
name XXX.YYY.ZZZ.92 Pubblica_VOIP
name XXX.YYY.ZZZ.89 ROUTERP01
name XXX.YYY.ZZZ.90 Pubblica_FTP
name XXX.YYY.ZZZ.235 SRVPIN1
!
! Internet-facing interface (security-level 0). The crypto map, ISAKMP, webvpn and NTP all bind here.
interface Ethernet0/0
nameif Pubblica_SIADSL
security-level 0
ip address XXX.YYY.ZZZ.94 255.255.255.248
!
! Inside LAN, 192.168.90.0/24. VPN_pool below is carved out of this same subnet (the thread's problem).
interface Ethernet0/1
nameif LAN
security-level 100
ip address 192.168.90.254 255.255.255.0
!
! DMZ at level 98: LAN (100) may initiate to it; DMZ-to-LAN needs an explicit ACL, and none is shown.
interface Ethernet0/2
nameif DMZ
security-level 98
ip address 192.168.92.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
! Dedicated management-only interface; ASDM/HTTPS is limited to 192.168.1.0/24 here (see the "http" lines).
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
! DNS lookups are permitted on every interface, including the outside, while the only name-server is SERVERP02 on the LAN.
dns domain-lookup Pubblica_SIADSL
dns domain-lookup LAN
dns domain-lookup DMZ
dns domain-lookup management
dns server-group DefaultDNS
name-server SERVERP02
domain-name MYDOMAIN.local
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service rtp udp
port-object range 9000 9049
port-object eq 10000
! NAT-exemption ACL: source "any", destination = the LAN subnet itself. Because VPN_pool overlaps the LAN
! this is what exempts VPN-client traffic, but it also matches plain LAN-to-LAN traffic. With a dedicated
! pool subnet this can be narrowed to "192.168.90.0/24 -> <pool subnet>".
access-list LAN_nat0_outbound extended permit ip any 192.168.90.0 255.255.255.0
! Inbound from the Internet. SSH to Pubblica_HTTP (static to SERVERP04 in the DMZ) is open to any source;
! restrict it to known admin addresses or reach the host over the VPN instead.
access-list Pubblica_SIADSL_access_in extended permit tcp any host Pubblica_HTTP eq ssh
access-list Pubblica_SIADSL_access_in extended permit udp any host Pubblica_VOIP object-group rtp
access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any host Pubblica_VOIP eq sip
access-list Pubblica_SIADSL_access_in extended permit tcp any host Pubblica_HTTP eq www
! Inactive, so the FTP static below is currently unreachable from the outside.
access-list Pubblica_SIADSL_access_in extended permit tcp host SRVPIN1 host Pubblica_FTP eq ftp inactive
pager lines 24
! Logging goes to ASDM only; no syslog host or buffered logging is shown, so connection evidence is not retained.
logging enable
logging asdm informational
mtu Pubblica_SIADSL 1500
mtu LAN 1500
mtu DMZ 1500
mtu management 1500
! NOTE(review): VPN_pool overlaps the LAN subnet on Ethernet0/1. Use a dedicated subnet plus a matching NAT-exemption entry.
ip local pool VPN_pool 192.168.90.120-192.168.90.129 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
! PAT everything from LAN to the outside and DMZ interface addresses; the nat 0 line exempts what LAN_nat0_outbound matches.
global (Pubblica_SIADSL) 1 interface
global (DMZ) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 0.0.0.0 0.0.0.0
! Static translations for the published services (FTP is port-only and gated by the inactive ACE above).
static (LAN,Pubblica_SIADSL) tcp Pubblica_FTP ftp SERVERP02 ftp netmask 255.255.255.255
static (DMZ,Pubblica_SIADSL) Pubblica_HTTP SERVERP04 netmask 255.255.255.255
static (LAN,Pubblica_SIADSL) Pubblica_VOIP SERVERP03 netmask 255.255.255.255
access-group Pubblica_SIADSL_access_in in interface Pubblica_SIADSL
route Pubblica_SIADSL 0.0.0.0 0.0.0.0 ROUTERP01 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list value Link
! NOTE(review): the LDAP bind account is the domain Administrator, and no "ldap-over-ssl enable" /
! "server-port 636" is configured, so the bind password crosses the LAN in clear LDAP. Use a dedicated,
! read-only bind account and LDAPS.
aaa-server SERVERP02 protocol ldap
aaa-server SERVERP02 (LAN) host SERVERP02
ldap-base-dn DC=MYDOMAIN,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Administrator,CN=Users,DC=MYDOMAIN,DC=local
server-type microsoft
! ASDM/HTTPS only from the management subnet, with client-certificate authentication required.
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate management
! Traps are enabled but no "snmp-server host" is configured, so they have no destination.
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Only TRANS_ESP_3DES_SHA and ESP-3DES-SHA are referenced by the dynamic map; the DES/MD5 sets are unused
! and should be removed rather than left available. 3DES/SHA1 (and DH group 2 below) are weak by current
! standards; prefer one of the AES-SHA sets already defined, and a stronger group if the clients support it.
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! Dynamic crypto map for remote-access clients on the outside interface; transport mode matches L2TP/IPsec.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto map Pubblica_SIADSL_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Pubblica_SIADSL_map interface Pubblica_SIADSL
crypto isakmp enable Pubblica_SIADSL
! IKEv1 with a group pre-shared key: whoever holds the PSK can start phase 1; user auth then happens via LDAP (PAP).
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
! No "ssh <net> <if>" or "telnet <net> <if>" permit lines appear, so CLI access is console only (ASDM aside);
! "console timeout 0" means the console session never times out.
telnet timeout 5
ssh timeout 5
console timeout 0
! Allows management traffic (ping/ASDM/SSH) to the LAN interface address from other interfaces, including over the VPN.
management-access LAN
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Unauthenticated NTP over the outside interface.
ntp server 193.204.114.232 source Pubblica_SIADSL prefer
ntp server 193.204.114.233 source Pubblica_SIADSL
! NOTE(review): the clientless SSL VPN portal is enabled on the Internet-facing and LAN interfaces.
! DefaultWEBVPNGroup authenticates against LDAP with no visible group or DAP restriction, so as shown any
! directory account can log in to the portal from the Internet. Confirm that is intended.
webvpn
enable Pubblica_SIADSL
enable LAN
! Policy for L2TP/IPsec clients; no split-tunnel-policy is set, so clients are full-tunnel.
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.90.2
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value MYDOMAIN.local
! NOTE(review): local "test" account with remote-access rights whose password hash is posted unredacted
! (enable/passwd above were masked). Treat it as compromised: change or delete the account, and redact
! the hash before sharing the config again.
username test password P4ttSyrm33SV8TYp encrypted
username test attributes
service-type remote-access
! Default L2TP/IPsec tunnel group: shared PSK plus LDAP user authentication.
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_pool
authentication-server-group SERVERP02
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
! PAP only: presumably because the LDAP backend needs the clear password to bind (CHAP/MS-CHAP cannot be
! verified against LDAP). PAP here is carried inside the IPsec tunnel, so it is not exposed on the wire.
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group SERVERP02
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
! Default inspection set. There is no "inspect icmp", so echo/reply are not tracked as a connection.
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:208ae272636ca300da675cfc6120f97b
: end
11-29-2013 04:12 AM
Hi,
I would suggest changing your VPN address pool to a network other than the LAN subnet, just to avoid any possible problems: with the pool inside 192.168.90.0/24 the ASA, the LAN hosts and the VPN clients all see overlapping addresses, which makes the NAT exemption and the return path ambiguous.
I am also confused by what you say about ICMP: you say it goes through, but then you mention that all packets are dropped. So what exactly is working and what is not?
Are the internal hosts on the LAN or DMZ that you are trying to reach through the VPN?
- Jouni
11-29-2013 06:17 AM
Thanks for your answer!
About ICMP: it sometimes works and other times it does not; usually it works the first time I try, but not afterwards.
I've attached a log from the firewall; please, tell me if you can understand the problem from it and from my configuration.
(I have also changed the VPN pool for testing, from .120–.129 to .130–.139.)
11-29-2013 07:27 AM
Hi,
I suggest you change your VPN Pool first and then try again.
The changes you would need are the following
What we do is detach the pool from the tunnel group, replace it with one on a separate subnet, re-attach it, and then swap the NAT-exemption entry so it matches the new pool:
tunnel-group DefaultRAGroup general-attributes
no address-pool VPN_pool
no ip local pool VPN_pool 192.168.90.120-192.168.90.129 mask 255.255.255.0
ip local pool VPN_pool 192.168.190.120-192.168.190.129 mask 255.255.255.0
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_pool
access-list LAN_nat0_outbound extended permit ip 192.168.90.0 255.255.255.0 192.168.190.0 255.255.255.0
no access-list LAN_nat0_outbound extended permit ip any 192.168.90.0 255.255.255.0
The above changes are in the order they should be entered.
I think the problem is simply that your VPN pool and your LAN network overlap.
- Jouni
11-29-2013 07:50 AM
I too had thought it was conflicting IP addresses, and had already tried changing the pool. I followed your instructions step by step, but it still does not work: I cannot ping any of my servers from the remote client.
Still, thank you very much for your answers.
ASA Version 8.2(5)
!
hostname FIREWALLP01
domain-name MYDOMAIN.local
! Enable/login secrets are masked in this paste; the "username test" hash further down is not.
enable password **** encrypted
passwd **** encrypted
names
name 192.168.90.2 SERVERP02
name 192.168.90.3 SERVERP03
name 192.168.92.4 SERVERP04
name XXX.YYY.ZZZ.91 Pubblica_HTTP
name XXX.YYY.ZZZ.88 Pubblica_SIADSL-network
name XXX.YYY.ZZZ.92 Pubblica_VOIP
name XXX.YYY.ZZZ.89 ROUTERP01
name XXX.YYY.ZZZ.90 Pubblica_FTP
name XXX.YYY.ZZZ.235 SRVPIN1
!
! Internet-facing interface (security-level 0).
interface Ethernet0/0
nameif Pubblica_SIADSL
security-level 0
ip address XXX.YYY.ZZZ.94 255.255.255.248
!
! Inside LAN, 192.168.90.0/24.
interface Ethernet0/1
nameif LAN
security-level 100
ip address 192.168.90.254 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 98
ip address 192.168.92.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup Pubblica_SIADSL
dns domain-lookup LAN
dns domain-lookup DMZ
dns domain-lookup management
dns server-group DefaultDNS
name-server SERVERP02
domain-name MYDOMAIN.local
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service rtp udp
port-object range 9000 9049
port-object eq 10000
! NAT-exemption ACL, now correctly LAN -> new pool subnet. It is only effective if a "nat (LAN) 0 access-list"
! line references it, and that line is missing from this config (see the NAT section).
access-list LAN_nat0_outbound extended permit ip 192.168.90.0 255.255.255.0 192.168.190.0 255.255.255.0
! Inbound from the Internet. SSH to Pubblica_HTTP (SERVERP04 in the DMZ) is open to any source; restrict it.
access-list Pubblica_SIADSL_access_in extended permit tcp any host Pubblica_HTTP eq ssh
access-list Pubblica_SIADSL_access_in extended permit udp any host Pubblica_VOIP object-group rtp
access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any host Pubblica_VOIP eq sip
access-list Pubblica_SIADSL_access_in extended permit tcp any host Pubblica_HTTP eq www
access-list Pubblica_SIADSL_access_in extended permit tcp host SRVPIN1 host Pubblica_FTP eq ftp inactive
pager lines 24
logging enable
logging asdm informational
mtu Pubblica_SIADSL 1500
mtu LAN 1500
mtu DMZ 1500
mtu management 1500
! Pool moved to a dedicated subnet (no longer overlapping the LAN).
ip local pool VPN_pool 192.168.190.120-192.168.190.129 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (Pubblica_SIADSL) 1 interface
global (DMZ) 1 interface
! NOTE(review): "nat (LAN) 0 access-list LAN_nat0_outbound" is gone from this config, so LAN replies to
! VPN clients now fall into the nat 1 PAT rule and the return path fails. Re-add the nat 0 line.
nat (LAN) 1 0.0.0.0 0.0.0.0
static (LAN,Pubblica_SIADSL) tcp Pubblica_FTP ftp SERVERP02 ftp netmask 255.255.255.255
static (DMZ,Pubblica_SIADSL) Pubblica_HTTP SERVERP04 netmask 255.255.255.255
static (LAN,Pubblica_SIADSL) Pubblica_VOIP SERVERP03 netmask 255.255.255.255
access-group Pubblica_SIADSL_access_in in interface Pubblica_SIADSL
route Pubblica_SIADSL 0.0.0.0 0.0.0.0 ROUTERP01 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list value Link
! NOTE(review): LDAP bind as the domain Administrator over clear LDAP (no "ldap-over-ssl enable").
! Use a dedicated read-only bind account and LDAPS.
aaa-server SERVERP02 protocol ldap
aaa-server SERVERP02 (LAN) host SERVERP02
ldap-base-dn DC=MYDOMAIN,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Administrator,CN=Users,DC=MYDOMAIN,DC=local
server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Only the two 3DES/SHA sets are referenced by the dynamic map; the DES/MD5 sets are unused and should be removed.
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto map Pubblica_SIADSL_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Pubblica_SIADSL_map interface Pubblica_SIADSL
crypto isakmp enable Pubblica_SIADSL
! IKEv1 PSK with 3DES/SHA1/DH group 2: weak by current standards; move to AES and a stronger group if clients allow.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
! Changed from "management-access LAN": VPN clients can no longer reach the LAN interface address for management/ping.
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 193.204.114.232 source Pubblica_SIADSL prefer
ntp server 193.204.114.233 source Pubblica_SIADSL
! Clientless SSL VPN enabled on the Internet-facing and LAN interfaces; any LDAP account can log in as shown.
webvpn
enable Pubblica_SIADSL
enable LAN
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.90.2
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value MYDOMAIN.local
! NOTE(review): local "test" account whose password hash is posted unredacted; treat it as compromised.
username test password P4ttSyrm33SV8TYp encrypted
username test attributes
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
! "VPN_pool_new" is not defined by any "ip local pool" line in this config; only VPN_pool exists.
address-pool VPN_pool_new
address-pool VPN_pool
authentication-server-group SERVERP02
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
! PAP only, presumably because the LDAP backend needs the clear password; it is carried inside the IPsec tunnel.
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group SERVERP02
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1d8ead766bba4efea3d40468ee47741e
11-29-2013 08:01 AM
Hi,
It seems the NAT exemption (NAT0) configuration for your LAN interface has been removed: the `nat (LAN) 0 access-list LAN_nat0_outbound` line is no longer in the config you posted.
You need to add this back and test again
nat (LAN) 0 access-list LAN_nat0_outbound
I guess you removed the existing NAT0 access-list entry before adding the new one. When the last entry of an access-list is removed the access-list itself is deleted, and the `nat (LAN) 0 access-list LAN_nat0_outbound` statement that referenced it is dropped with it — that would explain why the command disappeared from your config.
- Jouni
11-29-2013 08:05 AM
Also,
Can you tell us if ALL the hosts that you are trying to reach through the VPN Client connection are behind the interface "LAN"?
If there are some hosts behind the "DMZ" for example then you would need a NAT0 configuration for that interface too for connections to work.
- Jouni
11-29-2013 08:11 AM
I am adding the NAT rule and will try again.
The PCs I try to connect to (or ping) are all behind the LAN interface.
11-29-2013 08:40 AM
Unfortunately it still does not work.
11-29-2013 08:47 AM
Hi,
I guess you manage the ASA locally, through the management interface? If so, could you remove the current setting with
no management-access management
And add
management-access LAN
You could also add
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
And then try to ping the "LAN" interface IP address of 192.168.90.254 through the VPN connection.
- Jouni
11-29-2013 08:57 AM
OK: from a remote VPN PC or a VPN-connected mobile phone I can ping the firewall's LAN IP, 192.168.90.254, but I cannot use any service of the servers (RDP, VoIP, ping) on 192.168.90.2 or 192.168.90.3.
I can also ping the IP phones in the office, .40 and .41.
If I try to ping the switch at .253 it does not work.
If I try to ping the VMware server at .1 it does not work.
I have restored the VPN pool to 90.120–90.129; see the config below.
ASA Version 8.2(5)
!
hostname FIREWALLP01
domain-name MYDOMAIN.local
! Enable/login secrets are masked in this paste; the "username test" hash further down is not.
enable password **** encrypted
passwd **** encrypted
names
name 192.168.90.2 SERVERP02
name 192.168.90.3 SERVERP03
name 192.168.92.4 SERVERP04
name XXX.YYY.ZZZ.91 Pubblica_HTTP
name XXX.YYY.ZZZ.88 Pubblica_SIADSL-network
name XXX.YYY.ZZZ.92 Pubblica_VOIP
name XXX.YYY.ZZZ.89 ROUTERP01
name XXX.YYY.ZZZ.90 Pubblica_FTP
name XXX.YYY.ZZZ.235 SRVPIN1
!
! Internet-facing interface (security-level 0).
interface Ethernet0/0
nameif Pubblica_SIADSL
security-level 0
ip address XXX.YYY.ZZZ.94 255.255.255.248
!
! Inside LAN, 192.168.90.0/24. VPN_pool below is again carved out of this subnet.
interface Ethernet0/1
nameif LAN
security-level 100
ip address 192.168.90.254 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 98
ip address 192.168.92.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup Pubblica_SIADSL
dns domain-lookup LAN
dns domain-lookup DMZ
dns domain-lookup management
dns server-group DefaultDNS
name-server SERVERP02
domain-name MYDOMAIN.local
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service rtp udp
port-object range 9000 9049
port-object eq 10000
! Inbound from the Internet. SSH to Pubblica_HTTP (SERVERP04 in the DMZ) is open to any source; restrict it.
access-list Pubblica_SIADSL_access_in extended permit tcp any host Pubblica_HTTP eq ssh
access-list Pubblica_SIADSL_access_in extended permit udp any host Pubblica_VOIP object-group rtp
access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any host Pubblica_VOIP eq sip
access-list Pubblica_SIADSL_access_in extended permit tcp any host Pubblica_HTTP eq www
access-list Pubblica_SIADSL_access_in extended permit tcp host SRVPIN1 host Pubblica_FTP eq ftp inactive
! NAT-exemption ACL restored to the original overlapping form (any -> LAN subnet). With a dedicated pool
! subnet this should be "192.168.90.0/24 -> <pool subnet>" instead.
access-list LAN_nat0_outbound extended permit ip any 192.168.90.0 255.255.255.0
pager lines 24
! Logging to ASDM only; no syslog host or buffered logging is shown.
logging enable
logging asdm informational
mtu Pubblica_SIADSL 1500
mtu LAN 1500
mtu DMZ 1500
mtu management 1500
! NOTE(review): pool moved back inside the LAN subnet on Ethernet0/1; see the thread for why this is discouraged.
ip local pool VPN_pool 192.168.90.120-192.168.90.129 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (Pubblica_SIADSL) 1 interface
global (DMZ) 1 interface
! nat 0 exemption is back in place; nat 1 PATs everything else from the LAN.
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 0.0.0.0 0.0.0.0
static (LAN,Pubblica_SIADSL) tcp Pubblica_FTP ftp SERVERP02 ftp netmask 255.255.255.255
static (DMZ,Pubblica_SIADSL) Pubblica_HTTP SERVERP04 netmask 255.255.255.255
static (LAN,Pubblica_SIADSL) Pubblica_VOIP SERVERP03 netmask 255.255.255.255
access-group Pubblica_SIADSL_access_in in interface Pubblica_SIADSL
route Pubblica_SIADSL 0.0.0.0 0.0.0.0 ROUTERP01 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list value Link
! NOTE(review): LDAP bind as the domain Administrator over clear LDAP (no "ldap-over-ssl enable").
! Use a dedicated read-only bind account and LDAPS.
aaa-server SERVERP02 protocol ldap
aaa-server SERVERP02 (LAN) host SERVERP02
ldap-base-dn DC=MYDOMAIN,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Administrator,CN=Users,DC=MYDOMAIN,DC=local
server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! Only the two 3DES/SHA sets are referenced by the dynamic map; the DES/MD5 sets are unused and should be removed.
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto map Pubblica_SIADSL_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Pubblica_SIADSL_map interface Pubblica_SIADSL
crypto isakmp enable Pubblica_SIADSL
! IKEv1 PSK with 3DES/SHA1/DH group 2: weak by current standards; move to AES and a stronger group if clients allow.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
! Restored: allows management traffic (including ping) to the LAN interface address from other interfaces and over the VPN.
management-access LAN
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 193.204.114.232 source Pubblica_SIADSL prefer
ntp server 193.204.114.233 source Pubblica_SIADSL
! Clientless SSL VPN enabled on the Internet-facing and LAN interfaces; any LDAP account can log in as shown.
webvpn
enable Pubblica_SIADSL
enable LAN
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.90.2
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value MYDOMAIN.local
! NOTE(review): local "test" account whose password hash is posted unredacted; treat it as compromised.
username test password P4ttSyrm33SV8TYp encrypted
username test attributes
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_pool
authentication-server-group SERVERP02
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
! PAP only, presumably because the LDAP backend needs the clear password; it is carried inside the IPsec tunnel.
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group SERVERP02
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
! Added per the thread: echo/reply are now tracked as a connection, so replies are matched to requests.
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:32a96ad0d25ca834d043798a5aad7df2
11-29-2013 09:05 AM
Hi,
I would not change the VPN pool back to the old one, since it does not make sense: it overlaps the LAN network, and even though the VPN clients then have addresses in the same subnet as the hosts, that does not mean they are actually on the same L2 segment of the network.
Since your ICMP reaches the ASA's "LAN" interface IP address over the VPN client connection, the traffic does go through the VPN and back through it to the client. That raises the question of whether the actual servers are blocking connections from the VPN pool network, for example with a host firewall.
Since you changed the VPN Pool we might be in the same starting situation again.
I would have next checked the logs to see what happens to the connection attempts.
Last time the logs hinted at a situation where the NAT configuration was the problem. It might also have meant that you were connecting to the servers on their public IP addresses. Since we saw a NAT reverse-path failure, the traffic matched one NAT rule in one direction and a different NAT rule for the return direction.
- Jouni
11-29-2013 09:15 AM
If I try to ping the IP phones in the office, .40 and .41, it works.
If I try to ping my printer at .50 it does not work.
If I try to ping the switch at .253 it does not work.
If I try to ping the VMware server at .1 it does not work.
On the other devices only the first ping is successful.
thanks
11-29-2013 09:27 AM
Hi,
What I meant with the overlap is that this is your LAN interface
interface Ethernet0/1
nameif LAN
security-level 100
ip address 192.168.90.254 255.255.255.0
This is your original VPN Pool
ip local pool VPN_pool 192.168.90.120-192.168.90.129 mask 255.255.255.0
They are the exact same subnet.
From the VPN client's perspective I would guess it sends the traffic for the other IP addresses in this subnet into the VPN connection, since it is a full-tunnel VPN. Return traffic from a host on the LAN would probably cause that host to send an ARP request, because it sees the traffic coming from its own subnet. If this works at all, I guess it means the firewall must be answering those ARP requests and forwarding the traffic to the VPN client.
If you can ping some hosts on your LAN network then I don't see the firewall configuration being the problem.
I am not sure whether you tested with the original VPN pool or the new one, but I would suggest checking the default gateway setting of both the printer and the switch. I would also check that the local software firewall on the VMware host is not blocking the connections.
You already sent some logs taken from ASDM. You could attempt a TCP connection to the server and show both the Build and Teardown messages for the TCP connection attempt, so we can see what happens to, for example, the RDP connection.
- Jouni