
04-12-2011 02:39 PM
I'm not sure what is going on or what I am missing...
I have set up a vpn connection at my remote offices with a 5505. At my main office I have a 5510.
From my remote offices I can PING my Main office server. However when I go to set up a vpn connection through windows network and sharing center I can't seem to have the connection connect.....
Am I doing something wrong or what step am I missing???
Thanks!!
Accepted Solutions
04-18-2011 02:45 PM
Can you try adding this:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
I'd put it on both unless you have a reason not to. If there's no love after this we'll break down the pppoe and vpn configuration.
Matt
04-12-2011 02:57 PM
Hi Toddy,
I just wanted to clarify the problem:
You have a lan-to-lan tunnel between the remote office 5505 and the main office 5510.
From the remote office you can access a server on the internal network of the 5510, across the vpn tunnel.
However you cannot access the remote office internal machines from the server behind the 5510??
Kindly correct me if I have understood the problem incorrectly.
-Shrikant
04-12-2011 03:38 PM
Here is a little info on my setup
5510 - 192.168.10.x
5505 - 192.168.20.x
From my remote office I can go to the command prompt and ping 192.168.10.3, which is my server's IP address in my main office.
But when I go to the network settings on that same PC in my remote office and set up a VPN connection, I always get an error that I fail to connect to the IP I have entered, which is the same IP I just successfully pinged.
Sorry for the confusion.
04-12-2011 04:18 PM
Hi toddy,
I think your Microsoft VPN is unnecessary. Try mapping a drive to that server, or opening its web page if it's set up. The ASA handles all the encryption, so as far as your remote office is concerned it's just regular traffic. That's why ping works.
Matt
Sent from Cisco Technical Support iPhone App
04-12-2011 06:32 PM
Matt
Thanks.....that seems to have gotten me closer but still not there.....
I see the following error:
the file and print sharing resource (server) is online but isn't responding to connection attempts.
The remote computer isn’t responding to connections on port 445, possibly due to firewall or security policy settings, or because it might be temporarily unavailable. Windows couldn’t find any problems with the firewall on your computer.
04-13-2011 08:26 AM
So now it sounds like the connection attempt is made from the remote office, but the service isn't running on the server, or it's being blocked.
From the main office I'd check if local hosts can connect to the server. If so, make sure that it doesn't use some windows built in firewall that prevents your network from access.
Once that's verified we'll have to make sure there is no access list on your ASAs that is preventing it. For troubleshooting, temporarily open all tcp and udp (or IP) on both ASAs and test again. Double check your access-groups to make sure they're applied correctly.
That should help.
Permitting active directory through the firewall requires more ports than just ldap, so we can narrow down your access lists once we prove that's the problem.
If it's not, on to NATs and Routing.
Matt
Sent from Cisco Technical Support iPhone App
04-14-2011 07:41 AM
My main office client pcs can connect to the server.
Here is the ACL from the 5505 in the remote office
Result of the command: "show access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_1_cryptomap; 1 elements
access-list outside_1_cryptomap line 1 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=0) 0xf30ad244
access-list inside_nat0_outbound; 1 elements
access-list inside_nat0_outbound line 1 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=0) 0x1dd411e3
access-list outside_cryptomap_2; 1 elements
access-list outside_cryptomap_2 line 1 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=0) 0x06030d1a
access-list 121_list; 1 elements
access-list 121_list line 1 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=28) 0x2785bc40
Here is the ACL from the 5510 in the main office.
Result of the command: "show access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list inside_mpc; 1 elements
access-list inside_mpc line 1 extended permit tcp any any inactive (hitcnt=1026) (inactive) 0xb4ad8d21
access-list nonat; 1 elements
access-list nonat line 1 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 (hitcnt=0) 0xe505c66d
access-list inside_nat0_outbound; 1 elements
access-list inside_nat0_outbound line 1 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 (hitcnt=0) 0x46af4e4b
access-list 121_list; 1 elements
access-list 121_list line 1 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 (hitcnt=37) 0xbbb807a3
04-14-2011 10:40 AM
Hey,
What's interesting to me is that the only access list with any hits is the one that says to permit traffic between the two sites. Neither the nat nor crypto map access lists are getting any hits. That makes me wonder if this traffic is being encrypted or natted at all when it leaves the ASA, like it's just routing it.
Can you include the configurations from both devices? You can scrub any IP address and password information. It would make it easier to troubleshoot.
If that's not cool, try out the packet-tracer command on the remote office.
packet-tracer input inside tcp 192.168.10.X 1025 192.168.20.Y http
Change the X to the last octet of the IP address of the host in the remote office, and Y to the server's part of its IP. If you're not talking about opening a web page, then change http to whatever protocol you're trying to encrypt.
Matt
04-18-2011 09:11 AM
Sorry it took so long.......long weekend
Trying a packet tracer on my 5505 which is my remote office......I receive a packet dropped. (acl-drop) Flow is denied by configured rule.
Config for my devices is as follows....
5510 in my main office:
: Saved
:
ASA Version 8.0(5)
!
hostname ****
enable password mrNAzLB3WoDGll7l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
pppoe client vpdn group cl
ip address pppoe setroute
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.5 255.255.255.0
management-only
!
regex domainlist1 "\.myspace\.com"
regex urlist4 ".*\([Zz][Ii][Pp][Tt][Aa][Rr][Tt][Gg][Zz]) HTTP/1.[01])"
regex applicationheader "application/.*"
boot system disk0:/asa805-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
access-list inside_mpc extended permit tcp any any inactive
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list 121_list extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
logging debug-trace
mtu outside 1492
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list nonat
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 192.168.20.0 255.255.255.0 209.142.191.13 1
route outside 222.222.222.222 255.255.255.252 111.111.111.111 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 333.333.333.333
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map mcmap 1 match address 121_list
crypto map mcmap 1 set peer 222.222.222.222
crypto map mcmap 1 set transform-set FirstSet
crypto map mcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
vpdn group cl request dialout pppoe
vpdn group cl localname learning361
vpdn group cl ppp authentication pap
vpdn username **** password ********* store-local
dhcpd dns 208.67.222.222 208.67.220.220
!
dhcpd address 192.168.10.3-192.168.10.25 inside
dhcpd enable inside
!
dhcpd address 192.168.1.6-192.168.1.47 management
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
username admin password vx8BkOWfWwvYuBKw encrypted
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group 222.222.222.222 type ipsec-l2l
tunnel-group 222.222.222.222 ipsec-attributes
pre-shared-key *
tunnel-group 333.333.333.333 type ipsec-l2l
tunnel-group 333.333.333.333 ipsec-attributes
pre-shared-key *
!
class-map type regex match-any domainblocklist1
match regex domainlist1
class-map type inspect http match-all BlockDomainsClass
match request header host regex class domainblocklist1
class-map type regex match-any URLBlockList
match regex urlist4
class-map type inspect http match-all BlockURLsCLass
match request uri regex class URLBlockList
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
match request header regex applicationheader regex applicationheader
class-map httptraffic
match access-list inside_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
match request method connect
drop-connection log
class AppHeaderClass
drop-connection log
class BlockDomainsClass
reset log
class BlockURLsCLass
reset log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map inside-policy
class httptraffic
inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
prompt hostname context
Cryptochecksum:7f94c40388468cae56c81c8ff1ba4048
: end
asdm image disk0:/asdm-631.bin
no asdm history enable
5505 Remote office.
: Saved
:
ASA Version 7.2(4)
!
hostname Macon-LOQW
domain-name default.domain.invalid
enable password mrNAzLB3WoDGll7l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group centurylink
ip address pppoe setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_2 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 121_list extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1492
ip local pool Macon 192.168.20.2-192.168.20.15 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 192.168.10.3
crypto map outside_map 2 set transform-set ESP-DES-SHA
crypto map macmap 1 match address 121_list
crypto map macmap 1 set peer 111.111.111.111
crypto map macmap 1 set transform-set FirstSet
crypto map macmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn group ***** request dialout pppoe
vpdn group ***** localname ******
vpdn group ***** ppp authentication pap
vpdn username ******** password *********
dhcpd auto_config outside
!
dhcpd address 192.168.20.2-192.168.20.25 inside
dhcpd dns 208.67.222.222 208.67.220.220 interface inside
dhcpd enable inside
!
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
pre-shared-key *
tunnel-group 222.222.222.222 type ipsec-l2l
tunnel-group 222.222.222.222 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:f59ed2b2c0002ebf54facccb1b401cde
: end
asdm image disk0:/asdm-524.bin
no asdm history enable
04-18-2011 08:01 PM
oops....didn't mean to click the correct answer button........

04-18-2011 08:24 PM
I think those commands helped but something is still off....
Using one of my remote offices pc and trying the packet tracer I get the following info....everything passes......packet is allowed.
At that same remote office pc I can go to cmd and ping 192.168.10.13. Which is my server's ip.
Still at that same remote office pc, if I go to my computer and map network drives, I input 192.168.10.13\documents (Documents being the shared folder). I get the following error: Windows cannot access 192.168.10.13\documents. Check the spelling of the name. Or it might be a network problem... I click the diagnose button and am told....... Windows confirmed 192.168.10.13 is currently online but not responding to connection attempts. It then says the windows firewall could be blocking smb.......or your firewall could be blocking tcp port.......
04-19-2011 11:35 AM
Hello,
I think you are running into either a syntax error or some kind of server firewall.
The syntax is like this:
Did you say the server is not a windows box?
Matt
04-19-2011 11:59 AM
My server is on a windows machine.....
My main office has the 5510 with ip ranges of 192.168.10.x and my server is 192.168.10.13
The remote office has the 5505 with ip ranges of 192.168.20.x.
On one of my remote office pc I went to the map network drive and input \\192.168.10.13\docuements

04-19-2011 12:43 PM
Good news......WE have solved the problem....
It appears the windows firewall was blocking the connection.....I had to change the scope of the TCP 445 port connection.....It was only allowing connections within my network (subnet) only. I added a custom list and bingo I was able to have my remote office pc connect!!!
SO SO SO Happy it works now!!!!
However I have some questions. Should I keep windows firewall up or should I just turn it off and not worry about it? IF I keep it up and running I am going to have to add 4 different subnet lists......
My next question is how much different will these settings be when I move from this test server to my real server?
This test server is nothing more than an old server with very little data on it and NOT running a windows server os.
The new/real server is running Server 2008 r2?
Thanks again for ALL your help!!!
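An added example (not from the thread or any of its posters) for the "keep the firewall up or turn it off" question: keep the Windows Firewall on and widen the remote-address scope of the built-in inbound SMB rule to the VPN subnets, which is the scope change the poster made by hand. It assumes Windows 7 / Server 2008 R2 or later (netsh advfirewall), the predefined rule name "File and Printer Sharing (SMB-In)", and placeholder subnets for the offices the thread does not name.

```powershell
# Added example, not from the thread: scope the inbound SMB (TCP 445) firewall rule
# to the site-to-site VPN subnets instead of turning the Windows Firewall off.
# Assumes Windows 7 / Server 2008 R2 or later (netsh advfirewall) and the
# predefined rule name below; run from an elevated PowerShell prompt on the server.

$RuleName = "File and Printer Sharing (SMB-In)"

# Subnets allowed to reach TCP 445: the server's own LAN plus each remote office
# behind its ASA. Only the first two come from the thread; the rest are placeholders.
$AllowedSubnets = @(
    "192.168.10.0/24",    # main office LAN (behind the 5510)
    "192.168.20.0/24"     # remote office LAN (behind the 5505)
    # ,"192.168.30.0/24"  # placeholder: additional remote office
    # ,"192.168.40.0/24"  # placeholder: additional remote office
)

# Show the rule as it stands. The failure mode in the thread was a RemoteIP
# scope of LocalSubnet, which silently drops SMB from the VPN subnets.
netsh advfirewall firewall show rule name="$RuleName" verbose

# Replace the remote-address scope with the explicit list (netsh wants it comma-separated).
# 'set rule' updates every profile copy of the rule (Domain/Private/Public) that matches the name.
$Scope = ($AllowedSubnets -join ",")
netsh advfirewall firewall set rule name="$RuleName" new remoteip=$Scope enable=yes

# Confirm the new scope before retrying the drive mapping from a remote office PC.
netsh advfirewall firewall show rule name="$RuleName" verbose | Select-String "RemoteIP"
```

Scoping the rule this way keeps the firewall filtering everything else while letting only the listed office subnets reach port 445, so the list only needs extending when another site is added.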
