11-12-2012 01:26 PM
I have the connection working with my ASA 5505 but cannot ping the internal network. (Note: the external interface gets its IP via DHCP.)
Please help - Thank-you.
ASA Version 8.2(5)
!
hostname JasonFirewall
domain-name Jason.local
enable password 60XMoEi4PKKHiqxX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description physical connection to Cogeco CableModem
!
interface Ethernet0/1
switchport access vlan 10
!
interface Ethernet0/2
switchport access vlan 10
!
interface Ethernet0/3
switchport access vlan 10
!
interface Ethernet0/4
switchport access vlan 10
!
interface Ethernet0/5
switchport access vlan 15
!
interface Ethernet0/6
switchport access vlan 10
!
interface Ethernet0/7
switchport access vlan 10
!
interface Vlan1
description to outside interface (DHCP Modem)
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan10
description to inside VLAN
nameif inside
security-level 100
ip address 192.168.241.1 255.255.255.0
!
interface Vlan15
description to outside interface DHCP to Servers
no nameif
security-level 0
ip address dhcp setroute
!
ftp mode passive
clock timezone EST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name Jason.local
object-group icmp-type DefaultICMP
description Default ICMP Types permitted
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list acl-outside extended permit icmp any any object-group DefaultICMP
access-list acl_outside extended permit icmp any any object-group DefaultICMP
access-list acl_outside extended permit tcp any interface outside eq https
access-list acl_outside extended permit tcp any interface outside eq www
access-list acl_outside extended permit tcp any interface outside eq smtp
access-list nonat remark ACL for Nat Bypass
access-list nonat extended permit ip 192.168.241.0 255.255.255.0 10.11.12.0 255.255.255.0
access-list vpn_SplitTunnel remark ACL for VPN Split Tunnel
access-list vpn_SplitTunnel standard permit 192.168.241.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool vpnpool 10.11.12.1-10.11.12.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.241.0 255.255.255.0
static (inside,outside) tcp interface https 192.168.241.50 https netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.241.50 www netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.241.50 56789 netmask 255.255.255.255
access-group acl_outside in interface outside
route inside 10.0.0.0 255.255.255.0 192.168.241.0 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.241.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 30 set transform-set strong-des
crypto map ScoobyDoo 65535 ipsec-isakmp dynamic dynmap
crypto map ScoobyDoo interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.241.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcp-client client-id interface outside
dhcpd dns 24.226.10.193 24.226.10.194
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain Jason.local
!
dhcpd address 192.168.241.100-192.168.241.131 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy ScoobyDoo internal
group-policy ScoobyDoo attributes
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_SplitTunnel
username admin password KsqUgrhmZhkLHfTx encrypted privilege 15
username jratter password 0fzma7xnAA3b4Iag encrypted privilege 15
username jason password ZzwBgpZVaeKSQD18 encrypted privilege 15
tunnel-group ScoobyDoo-VPN type remote-access
tunnel-group ScoobyDoo-VPN general-attributes
address-pool vpnpool
default-group-policy ScoobyDoo
tunnel-group ScoobyDoo-VPN ipsec-attributes
pre-shared-key *****
!
!
!
policy-map global-policy
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5d1409e9d642fa3fe41c79dd7b6fae9e
: end
11-12-2012 11:21 PM
Is it really only pings that don't work? For that I don't see a reason in your config. But the following command in your config can cause general trouble for out-to-in communication (which is what VPNs are) and should be removed:
nat (outside) 1 0.0.0.0 0.0.0.0
Sent from Cisco Technical Support iPad App
11-13-2012 08:41 AM
Is nat (outside) 1 0.0.0.0 0.0.0.0 like a default route command (gateway of last resort, as in routers)?
Thank-you for your response.
Jason.
11-13-2012 08:57 AM
Actually, I checked the assigned IPs and I am able to ping them; what I can't ping, though, is the router itself for some reason, and so I also cannot SSH into it. The router address is 192.168.241.1.
Thanks again.
11-13-2012 10:24 AM
Never mind, I got it; it was
management-access inside
Thanks again.
Jason.
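Added example, not code from any of the posts above: a small Python lint that runs over an ASA 8.2-style config and flags the two things this thread ended up fixing (the `nat (outside) 1 0.0.0.0 0.0.0.0` dynamic NAT rule, which is a NAT statement rather than a route, and the missing `management-access inside` that stops VPN clients from pinging or SSHing to the inside interface address). It also adds two checks that are not in the replies but that a practitioner would want after reading the posted config: the `acl-outside` / `acl_outside` name mismatch, which leaves one ACL defined but never applied, and the `ssh <net> <mask> <ifname>` source list not covering the VPN pool, which refuses SSH from VPN clients even once management-access is on. `SAMPLE_CONFIG` is a constructed, trimmed copy of the posted config; `FIXED_CONFIG` is the same with the fixes applied.

```python
"""Lint an ASA 8.2-style configuration for the remote-access VPN pitfalls
raised in this thread.  Added example; not code from any of the posts."""
import ipaddress
import re

# Constructed: the relevant lines of the posted config, before the fixes.
SAMPLE_CONFIG = """
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.241.1 255.255.255.0
access-list acl-outside extended permit icmp any any object-group DefaultICMP
access-list acl_outside extended permit icmp any any object-group DefaultICMP
access-list nonat extended permit ip 192.168.241.0 255.255.255.0 10.11.12.0 255.255.255.0
access-list vpn_SplitTunnel standard permit 192.168.241.0 255.255.255.0
ip local pool vpnpool 10.11.12.1-10.11.12.255
global (outside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.241.0 255.255.255.0
access-group acl_outside in interface outside
ssh 192.168.241.0 255.255.255.0 inside
split-tunnel-network-list value vpn_SplitTunnel
tunnel-group ScoobyDoo-VPN general-attributes
 address-pool vpnpool
"""

# Constructed: the same config with the thread's fixes applied, plus an ssh
# source entry for the VPN pool (assumption: admins will SSH over the VPN).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list acl-outside extended permit icmp any any object-group DefaultICMP\n", ""
).replace(
    "nat (outside) 1 0.0.0.0 0.0.0.0\n", ""
) + "management-access inside\nssh 10.11.12.0 255.255.255.0 inside\n"


def parse(config: str) -> list[str]:
    """Non-empty, non-comment lines with indentation stripped (ASA indents sub-commands)."""
    stripped = (ln.strip() for ln in config.splitlines())
    return [ln for ln in stripped if ln and not ln.startswith("!")]


def vpn_pools(lines: list[str]) -> dict:
    """Map 'ip local pool' names to their (first, last) addresses."""
    pools = {}
    for ln in lines:
        m = re.match(r"ip local pool (\S+) (\d[\d.]+)-(\d[\d.]+)", ln)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def admin_sources(lines: list[str], proto: str) -> list:
    """Networks permitted to reach the ASA itself by 'ssh'/'http' lines, with the interface."""
    out = []
    for ln in lines:
        m = re.match(rf"{proto} (\d[\d.]+) (\d[\d.]+) (\S+)$", ln)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            out.append((net, m.group(3)))
    return out


def lint(config: str) -> list[str]:
    lines = parse(config)
    findings = []

    # 1. 'nat (outside) N 0.0.0.0 0.0.0.0' is a dynamic NAT rule, not a route: it
    #    selects traffic *arriving* on outside for translation, and decrypted
    #    VPN client traffic arrives on outside.  The reply above says to drop it.
    for ln in lines:
        m = re.match(r"nat \(outside\) (\d+) 0\.0\.0\.0 0\.0\.0\.0$", ln)
        if m and m.group(1) != "0":
            findings.append(f"'{ln}': dynamic NAT on outside catches inbound VPN traffic; remove it")

    # 2. An ACL defined under one name but applied under another does nothing
    #    (the posted config has both acl-outside and acl_outside).
    defined = {m.group(1) for ln in lines if (m := re.match(r"access-list (\S+) ", ln))}
    referenced = set()
    for ln in lines:
        for pat in (r"^access-group (\S+) ", r"^nat \(\S+\) \d+ access-list (\S+)",
                    r"split-tunnel-network-list value (\S+)", r"match address (\S+)$"):
            if (m := re.search(pat, ln)):
                referenced.add(m.group(1))
    for name in sorted(defined - referenced):
        findings.append(f"ACL '{name}' is defined but never applied (misspelling of an applied ACL?)")

    # 3. Without 'management-access <ifname>', the ASA will not answer ping or
    #    SSH on that interface's address from the far end of a VPN tunnel.
    pools = vpn_pools(lines)
    has_mgmt = any(ln.startswith("management-access ") for ln in lines)
    if pools and not has_mgmt:
        findings.append("VPN pool configured but no 'management-access <ifname>': "
                        "VPN clients cannot ping or SSH to the inside interface address")

    # 4. Even with management-access, 'ssh <net> <mask> <ifname>' must cover the
    #    VPN pool, or SSH from a VPN client is refused.
    ssh_nets = [net for net, _ in admin_sources(lines, "ssh")]
    for name, (first, last) in pools.items():
        if not any(first in net and last in net for net in ssh_nets):
            findings.append(f"VPN pool '{name}' is not covered by any 'ssh' source line")
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONFIG):
        print("before:", f)
    print("after fixes:", lint(FIXED_CONFIG) or "no findings")
```

Run as-is, the script reports four findings on the posted config and none on the fixed one. The checks are string-pattern based, so they only see what the config states literally: a rule hidden behind an object-group or an unusual ordering would need the patterns extended.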