09-21-2011 03:30 PM
I have an ASA 5520 running user web traffic, incoming VPN and system NAT for DMZ services. Nothing new for a standard firewall. I have upgraded the memory in it to 2GB, per Cisco, so that I could install and run IOS 8.41. I have uploaded both the IOS bin image and the ASDM 645 image and set it as the primary boot file. When I reload the ASA, everything boots fine, no errors, and all traffic appears to be working fine.
But here is my problem:
ALL the previously configured VPN sessions will connect to the ASA and show that they are passing traffic (TX and RX increment through the monitor), but if I try to access a device on the other side of the VPN, or they try to access services in the corporate network, the connection fails. Ping works, so I know I can reach the devices and the tunnel has been correctly created, but nothing else. I did not change anything in the configurations for the VPN connectors.
But if I reload the ASA with the 8.21 version image, everything works just as before and all connections are good.
Anyone have any ideas?
Rod
09-22-2011 05:03 AM
Can you please share the current configuration when it's running version 8.4.1.
09-22-2011 08:29 AM
dynamic-access-policy-record "IPSEC Client DAP"
 description "IPSEC Client access"
aaa-server Polo-Radius protocol radius
aaa-server Polo-Radius (inside) host 172.24.7.4
 key *************
 radius-common-pw *************
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside-primary_map 2 match address outside-primary_2_cryptomap
crypto map outside-primary_map 2 set pfs
crypto map outside-primary_map 2 set peer 71.39.236.29
crypto map outside-primary_map 2 set transform-set ESP-AES-256-SHA
crypto map outside-primary_map 2 set reverse-route
crypto map outside-primary_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-primary_map interface outside-primary
crypto isakmp enable outside-primary
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
dhcpd address 172.24.204.4-172.24.204.150 VPN
dhcpd dns 172.24.7.4 interface VPN
dhcpd lease 7200 interface VPN
dhcpd ping_timeout 150 interface VPN
dhcpd domain polos.safe interface VPN
dhcpd option 3 ip 172.24.204.1 interface VPN
dhcpd enable VPN
!
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy GS-IPSEC-FULL internal
group-policy GS-IPSEC-FULL attributes
 wins-server value 172.24.7.4
 dns-server value 172.24.7.4
 vpn-idle-timeout 120
 vpn-session-timeout 720
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value GS-IPSEC-FULL_splitTunnelAcl
 default-domain value polos.safe
group-policy GS-IPSEC-ADMIN internal
group-policy GS-IPSEC-ADMIN attributes
 wins-server value 172.24.7.4
 dns-server value 172.24.7.4
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value GS-IPSEC-FULL_splitTunnelAcl
 default-domain value polos.safe
group-policy Site-To-Site internal
group-policy Site-To-Site attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group GS-IPSEC-FULL type remote-access
tunnel-group GS-IPSEC-FULL general-attributes
 address-pool VPN-IP-Pool
 authentication-server-group Polo-Radius
 default-group-policy GS-IPSEC-FULL
tunnel-group GS-IPSEC-FULL ipsec-attributes
 pre-shared-key *
tunnel-group GS-IPSEC-ADMIN type remote-access
tunnel-group GS-IPSEC-ADMIN general-attributes
 address-pool GS-Admin-Pool
 authentication-server-group Polo-Radius
 default-group-policy GS-IPSEC-ADMIN
tunnel-group GS-IPSEC-ADMIN ipsec-attributes
 pre-shared-key *
09-24-2011 03:55 AM
Full config pls...
Interested to see the actual crypto ACL, the tunnel-group for the site-to-site VPN, all the NAT statements, and all the interface ACLs.
Plus the output of:
show cry isa sa
show cry ipsec sa