04-16-2013 12:54 PM
OK, what am I missing? My VPN connects OK with the VPN Client Version 5.0.07.0290, but I'm unable to access anything on the 10.0.0.0/24 network.
Any thoughts? I should be able to ping the server 10.0.0.90 from my laptop while I'm on the VPN if this was working correctly. Config follows:
ASA Version 7.2(4)
!
hostname XXXX
domain-name energy.com
enable password jp28ZvYIS1PQVK6M encrypted
passwd UmzM9i7pSqpXEdTR encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.9 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 74.x.x.150 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
dns server-group DefaultDNS
domain-name energy.com
access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list outside_in extended permit tcp any host 74.x.x.146 eq 35330
access-list outside_in extended permit tcp any host 74.x.x.147 eq 10000
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any host 74.x.x.148 eq 990
access-list outside_in extended permit udp any host 74.x.x.148 eq 900
access-list outside_in extended permit tcp any host 74.x.x.148 range 4000 4099
access-list outside_in extended permit udp any host 74.x.x.148 range 4000 4099
access-list outside_in extended permit udp any host 74.x.x.148 eq 990
pager lines 24
logging enable
logging timestamp
logging buffer-size 100000
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool dhcppptp-pool 192.168.150.1-192.168.150.20
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 74.x.x.146 10.0.0.90 netmask 255.255.255.255
static (inside,outside) 74.x.x.147 10.0.0.91 netmask 255.255.255.255
static (inside,outside) 74.x.x.148 10.0.0.3 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.x.x.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
tftp-server inside 10.0.0.109 cpix.cfg
group-policy BEVPN internal
group-policy BEVPN attributes
dns-server value 10.0.0.4 10.0.0.1
vpn-idle-timeout 30
split-tunnel-policy tunnelall
split-tunnel-network-list value 101
default-domain value maindomain.com
user-authentication disable
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
tunnel-group BEVPN type ipsec-ra
tunnel-group BEVPN general-attributes
address-pool dhcppptp-pool
default-group-policy BEVPN
tunnel-group BEVPN ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns preset_dns_map
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b379566df0e7f5213ad2396676763859
: end
04-16-2013 01:07 PM
Hi,
Can you try adding this configuration
fixup protocol icmp
Or the same can be done with the following commands
policy-map global_policy
class inspection_default
inspect icmp
And then try again
- Jouni
04-16-2013 06:08 PM
Hi,
In addition to what Jouni recommends, if you would like to have split tunneling configured (acl 101) it has to be paired with the following command:
group-policy BEVPN attributes
split-tunnel-policy tunnelspecified
Right now it is configured as tunnelall. As a best practice, it is better that this ACL 101 (split tunnel ACL) is configured as a standard ACL. If by any chance the Default Gateway in your network is not this ASA, then with this command you can test the communication between your VPN client and the Inside interface of the ASA:
management inside
This makes the interface "pingable". However, ICMP inspection might be needed. In the event that there's another L3 hop in the network, make sure this hop knows that 192.168.150.0/24 is reachable via 10.0.0.9 (ASA inside).
Hope it works!
Mariana
04-17-2013 05:46 AM
Thanks guys. I always forget the ICMP inspects; going to have to tie a string around my finger. So that's added.
I had actually changed split tunnel to tunnelspecified already, just didn't update my post. I have remote SSH access to this ASA (5505), so tunnelall was killing me. Still waiting on verification from the site, but it's all L2 switches and this ASA should be the gateway.
management inside is added.
Below is a sh run all; with the changes so far it's still not working. I'll give it a little while if anyone has thoughts, as I'd like to figure out why it's not working... but before COB I'll just create a new one, since I'm now reverse engineering someone else's handiwork. Figuring this one out just helps me learn better.
ASA Version 7.2(4)
!
command-alias exec h help
command-alias exec lo logout
command-alias exec p ping
command-alias exec s show
terminal width 80
hostname cjbbefw
domain-name energy.com
enable password jp28ZvYIS1PQVK6M encrypted
no fips enable
passwd UmzM9i7pSqpXEdTR encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.9 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 74.x.x.150 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
switchport mode access
no switchport protected
speed auto
duplex auto
!
interface Ethernet0/1
switchport access vlan 1
switchport mode access
no switchport protected
speed auto
duplex auto
!
interface Ethernet0/2
switchport access vlan 1
switchport mode access
no switchport protected
speed auto
duplex auto
!
interface Ethernet0/3
switchport access vlan 1
switchport mode access
no switchport protected
speed auto
duplex auto
!
interface Ethernet0/4
switchport access vlan 1
switchport mode access
no switchport protected
speed auto
duplex auto
!
interface Ethernet0/5
switchport access vlan 1
switchport mode access
no switchport protected
speed auto
duplex auto
!
interface Ethernet0/6
switchport access vlan 1
switchport mode access
no switchport protected
speed auto
duplex auto
!
interface Ethernet0/7
switchport access vlan 1
switchport mode access
no switchport protected
speed auto
duplex auto
!
regex _default_gator "Gator"
regex _default_firethru-tunnel_2 "[/\\]cgi[-]bin[/\\]proxy"
regex _default_shoutcast-tunneling-protocol "1"
regex _default_http-tunnel "[/\\]HT_PortLog.aspx"
regex _default_x-kazaa-network "[xX]-[kK][aA][zZ][aA][aA]-[nN][eE][tT][wW][oO][rR][kK]"
regex _default_msn-messenger "[Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn][/\\][Xx][-][Mm][Ss][Nn][-][Mm][Ee][Ss][Ss][Ee][Nn][Gg][Ee][Rr]"
regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"
regex _default_gnu-http-tunnel_uri "[/\\]index[.]html"
regex _default_aim-messenger "[Hh][Tt][Tt][Pp][.][Pp][Rr][Oo][Xx][Yy][.][Ii][Cc][Qq][.][Cc][Oo][Mm]"
regex _default_gnu-http-tunnel_arg "crap"
regex _default_icy-metadata "[iI][cC][yY]-[mM][eE][tT][aA][dD][aA][tT][aA]"
regex _default_GoToMyPC-tunnel "machinekey"
regex _default_windows-media-player-tunnel "NSPlayer"
regex _default_yahoo-messenger "YMSG"
regex _default_httport-tunnel "photo[.]exectech[-]va[.]com"
regex _default_firethru-tunnel_1 "firethru[.]com"
checkheaps check-interval 60
checkheaps validate-checksum 60
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00 60
dns server-group DefaultDNS
domain-name energy.com
access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.224
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.224
access-list outside_in extended permit tcp any host 74.x.x.146 eq 35330
access-list outside_in extended permit tcp any host 74.x.x.147 eq 10000
access-list outside_in extended permit icmp any any
access-list outside_in extended permit tcp any host 74.x.x.148 eq 990
access-list outside_in extended permit udp any host 74.x.x.148 eq 900
access-list outside_in extended permit tcp any host 74.x.x.148 range 4000 4099
access-list outside_in extended permit udp any host 74.x.x.148 range 4000 4099
access-list outside_in extended permit udp any host 74.x.x.148 eq 990
pager lines 24
logging enable
logging timestamp
logging buffer-size 250000
logging asdm-buffer-size 100
logging buffered debugging
logging asdm informational
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024
logging rate-limit 1 10 message 620002
logging rate-limit 1 10 message 717015
logging rate-limit 1 10 message 717018
logging rate-limit 1 10 message 201013
logging rate-limit 1 10 message 201012
logging rate-limit 1 10 message 419003
logging rate-limit 1 10 message 405002
logging rate-limit 1 10 message 421007
logging rate-limit 1 10 message 405001
logging rate-limit 1 10 message 421001
logging rate-limit 1 10 message 421002
logging rate-limit 1 10 message 710002
logging rate-limit 1 10 message 209003
logging rate-limit 1 10 message 209004
logging rate-limit 1 10 message 209005
logging rate-limit 1 10 message 431002
logging rate-limit 1 10 message 431001
logging rate-limit 1 10 message 110003
logging rate-limit 1 10 message 110002
logging rate-limit 1 10 message 450001
mtu inside 1500
mtu outside 1500
ip local pool dhcppptp-pool 192.168.150.1-192.168.150.30 mask 255.255.255.224
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
no nat-control
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 74.x.x.146 10.0.0.90 netmask 255.255.255.255
static (inside,outside) 74.x.x.147 10.0.0.91 netmask 255.255.255.255
static (inside,outside) 74.x.x.148 10.0.0.3 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.x.x.145 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable 443
http 10.0.0.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server enable traps syslog
no snmp-server enable traps ipsec start stop
no snmp-server enable traps entity config-change fru-insert fru-remove
no snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable
snmp-server listen-port 161
fragment size 200 inside
fragment chain 24 inside
fragment timeout 5 inside
no fragment reassembly full inside
fragment size 200 outside
fragment chain 24 outside
fragment timeout 5 outside
no fragment reassembly full outside
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
service password-recovery
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 64
crypto ipsec fragmentation before-encryption inside
crypto ipsec fragmentation before-encryption outside
crypto ipsec df-bit copy-df inside
crypto ipsec df-bit copy-df outside
crypto dynamic-map cisco 1 set transform-set myset
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp identity auto
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local
no vpn-sessiondb max-session-limit
no vpn-sessiondb max-webvpn-session-limit
no remote-access threshold
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
l2tp tunnel hello 60
no vpnclient enable
priority-queue inside
queue-limit 0
tx-ring-limit -1
priority-queue outside
queue-limit 0
tx-ring-limit -1
tftp-server inside 10.0.0.109 cpix.cfg
ssl server-version any
ssl client-version any
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1 rc4-md5
webvpn
memory-size percent 25
port 443
character-encoding none
no http-proxy
no https-proxy
default-idle-timeout 1800
no csd enable
no svc enable
customization DfltCustomization
title text WebVPN Service
title style background-color:white;color:maroon;border-bottom:5px groove #669999;font-size:larger;vertical-align:middle;text-align:left;font-weight:bold
username-prompt text USERNAME:
username-prompt style color:black;font-weight:bold;text-align:right
password-prompt text PASSWORD:
password-prompt style color:black;font-weight:bold;text-align:right
group-prompt text GROUP:
group-prompt style color:black;font-weight:bold;text-align:right
login-button text Login
login-button style border:1px solid black;background-color:white;font-weight:bold;font-size:80%
clear-button text Clear
clear-button style border:1px solid black;background-color:white;font-weight:bold;font-size:80%
login-title text Login
login-title style background-color:#666666;color:white
login-message text Please enter your username and password.
login-message style background-color:#CCCCCC;color:black
logout-title text Logout
logout-title style background-color:#666666;color:white
logout-message text Goodbye.
logout-message style background-color:#999999;color:black
web-applications title text Web Applications
web-applications title style background-color:#99CCCC;color:black;font-weight:bold;text-transform:uppercase
web-applications message text Enter Web Address (URL)
web-applications message style background-color:#99CCCC;color:maroon;font-size:smaller
web-applications dropdown text Web Bookmarks
web-applications dropdown style border:1px solid black;font-weight:bold;color:black;font-size:80%
browse-networks title text Browse Networks
browse-networks title style background-color:#99CCCC;color:black;font-weight:bold;text-transform:uppercase
browse-networks message text Enter Network Path
browse-networks message style background-color:#99CCCC;color:maroon;font-size:smaller
browse-networks dropdown text File Folder Bookmarks
browse-networks dropdown style border:1px solid black;font-weight:bold;color:black;font-size:80%
application-access title text Application Access
application-access title style background-color:#99CCCC;color:black;font-weight:bold;text-transform:uppercase
application-access message text Start Application Client
application-access message style background-color:#99CCCC;color:maroon;font-size:smaller
application-access window text Close this window when you finish using Application Access.
Please wait for the table to be displayed before starting applications.
application-access window style background-color:#99CCCC;color:black;font-weight:bold
web-bookmarks link style color:#669999;border-bottom: 1px solid #669999;text-decoration:none
web-bookmarks title text Web Bookmarks
web-bookmarks title style color:#669999;background-color:#99CCCC;font-weight:bold
file-bookmarks link style color:#669999;border-bottom: 1px solid #669999;text-decoration:none
file-bookmarks title text File Folder Bookmarks
file-bookmarks title style color:#669999;background-color:#99CCCC;font-weight:bold
page style background-color:white;font-family:Arial,Helv,sans-serif
border style background-color:#669999;color:white
dialog title style background-color:#669999;color:white
dialog message style background-color:#99CCCC;color:black
dialog border style border:1px solid black;border-collapse:collapse
no logo
application-access hide-details disable
no tunnel-group-list enable
rewrite order 65535 enable resource-mask *
cache
disable
max-object-size 1000
min-object-size 0
cache-compressed
no cache-static-content
lmfactor 20
expiry-time 1
no auto-signon
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact
your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
no vpn-nac-exempt
group-policy BEVPN internal
group-policy BEVPN attributes
dns-server value 10.0.0.4 10.0.0.1
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 101
default-domain value maindomain.com
user-authentication disable
no vpn-nac-exempt
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 10 retry 2
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
no address-pool
authentication-server-group LOCAL
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no nac-authentication-server-group
no strip-realm
no password-management
no override-account-disable
no strip-group
no authorization-required
authorization-dn-attributes CN OU
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 300 retry 2
no radius-sdi-xauth
isakmp ikev1-user-authentication none
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
tunnel-group DefaultWEBVPNGroup type webvpn
tunnel-group DefaultWEBVPNGroup general-attributes
no address-pool
authentication-server-group LOCAL
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no password-management
no override-account-disable
no authorization-required
authorization-dn-attributes CN OU
tunnel-group DefaultWEBVPNGroup webvpn-attributes
hic-fail-group-policy DfltGrpPolicy
customization DfltCustomization
authentication aaa
dns-group DefaultDNS
tunnel-group BEVPN type ipsec-ra
tunnel-group BEVPN general-attributes
address-pool dhcppptp-pool
authentication-server-group LOCAL
no accounting-server-group
default-group-policy BEVPN
no dhcp-server
no nac-authentication-server-group
no strip-realm
no password-management
no override-account-disable
no strip-group
no authorization-required
authorization-dn-attributes CN OU
tunnel-group BEVPN ipsec-attributes
pre-shared-key *
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 300 retry 2
no radius-sdi-xauth
isakmp ikev1-user-authentication none
tunnel-group BEVPN ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
!
class-map type inspect http match-all _default_gator
match request header user-agent regex _default_gator
class-map type inspect http match-all _default_msn-messenger
match response header content-type regex _default_msn-messenger
class-map type inspect http match-all _default_yahoo-messenger
match request body regex _default_yahoo-messenger
class-map type inspect http match-all _default_windows-media-player-tunnel
match request header user-agent regex _default_windows-media-player-tunnel
class-map type inspect http match-all _default_gnu-http-tunnel
match request args regex _default_gnu-http-tunnel_arg
match request uri regex _default_gnu-http-tunnel_uri
class-map type inspect http match-all _default_firethru-tunnel
match request header host regex _default_firethru-tunnel_1
match request uri regex _default_firethru-tunnel_2
class-map type inspect http match-all _default_aim-messenger
match request header host regex _default_aim-messenger
class-map type inspect http match-all _default_http-tunnel
match request uri regex _default_http-tunnel
class-map type inspect http match-all _default_kazaa
match response header regex _default_x-kazaa-network count gt 0
class-map type inspect http match-all _default_shoutcast-tunneling-protocol
match request header regex _default_icy-metadata regex _default_shoutcast-tunneling-protocol
class-map class-default
match any
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all _default_GoToMyPC-tunnel
match request args regex _default_GoToMyPC-tunnel
match request uri regex _default_GoToMyPC-tunnel_2
class-map type inspect http match-all _default_httport-tunnel
match request header host regex _default_httport-tunnel
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
no message-length maximum server
no message-length maximum client
dns-guard
protocol-enforcement
nat-rewrite
no id-randomization
no id-mismatch
no tsig enforced
policy-map type inspect h323 _default_h323_map
description Default H.323 policymap
parameters
no rtp-conformance
policy-map type inspect esmtp _default_esmtp_map
description Default ESMTP policy-map
parameters
mask-banner
no mail-relay
no special-character
no allow-tls
match cmd line length gt 512
drop-connection log
match cmd RCPT count gt 100
drop-connection log
match body line length gt 998
log
match header line length gt 998
drop-connection log
match sender-address length gt 320
drop-connection log
match MIME filename length gt 255
drop-connection log
match ehlo-reply-parameter others
mask
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225 _default_h323_map
inspect h323 ras _default_h323_map
inspect rsh
inspect rtsp
inspect esmtp _default_esmtp_map
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns preset_dns_map
inspect icmp
class class-default
policy-map type inspect sip _default_sip_map
description Default SIP policymap
parameters
im
no ip-address-privacy
traffic-non-sip
no rtp-conformance
policy-map type inspect dns _default_dns_map
description Default DNS policy-map
parameters
no message-length maximum
no message-length maximum server
no message-length maximum client
dns-guard
protocol-enforcement
nat-rewrite
no id-randomization
no id-mismatch
no tsig enforced
policy-map type inspect ipsec-pass-thru _default_ipsec_passthru_map
description Default IPSEC-PASS-THRU policy-map
parameters
esp per-client-max 0 timeout 0:10:00
!
service-policy global_policy global
imap4s
port 993
no server
outstanding 20
name-separator :
server-separator @
authentication-server-group LOCAL
no authorization-server-group
no accounting-server-group
default-group-policy DfltGrpPolicy
no authentication
no authorization-required
authorization-dn-attributes CN OU
pop3s
port 995
no server
outstanding 20
name-separator :
server-separator @
authentication-server-group LOCAL
no authorization-server-group
no accounting-server-group
default-group-policy DfltGrpPolicy
no authentication
no authorization-required
authorization-dn-attributes CN OU
smtps
port 988
no server
outstanding 20
name-separator :
server-separator @
authentication-server-group LOCAL
no authorization-server-group
no accounting-server-group
default-group-policy DfltGrpPolicy
authentication aaa
no authorization-required
authorization-dn-attributes CN OU
prompt hostname context
auto-update device-id hostname
auto-update poll-period 720 0 5
auto-update timeout 0
compression svc http-comp
Cryptochecksum:0205b5f052807872ee954a44641c9e9e
: end
04-17-2013 05:53 AM
Hi,
I don't see the NAT0 configuration anymore in this configuration
nat (inside) 0 access-list nonat
Can you also change the Split Tunnel ACL
access-list SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0
group-policy BEVPN attributes
no split-tunnel-network-list value 101
split-tunnel-network-list value SPLIT-TUNNEL
You can also use the command "show run" which will generate a little less output
- Jouni
04-17-2013 06:17 AM
LOL. I just did the sh run all in case there was something stupid I was missing, but since all the extra garbage is unconfigured stuff...
Nat 0, not sure what happened there unless there's someone else monkeying around, but thanks for noticing! That's back.
ACL is updated, with what logically seems more correct. I have to remote into the VPN client machine from where I'm at, so testing is a bit limited for the next 2 hours; when I'm back to my office I'll test this config out.
Thank you as always.
04-17-2013 09:12 AM
Looks like the last round of changes fixed it. I have access to the LAN while VPN'd in. So the SPLIT-TUNNEL ACL, is that what Mariana was referring to as a best practice above, to make it a standard ACL?
I attached the final config as it's working now for reference. There's some apparent cleanup that needs to happen, but all I'm supposed to do is get the VPN working, which it is now.
Thanks a bunch guys!
04-17-2013 09:33 AM
Hi,
Yes, the standard type ACL which Mariana mentioned is the simplest way to do it, and there is no need to use extended ACLs in this case.
You simply add an ACL line for each network/host for which you want the traffic to be forwarded to the VPN from the VPN Client user's perspective.
The above ACL basically tells the ASA and VPN Client "Tunnel all connections to destination network 10.0.0.0/24 to the VPN client connection".
For example, if you were to add a network 10.0.1.0/24 to your LAN and needed VPN client connectivity there, you would simply add the following line:
access-list SPLIT-TUNNEL permit 10.0.1.0 255.255.255.0
Naturally you would also need:
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 192.168.150.0 255.255.255.224
You can see the network 10.0.1.0/24 on the VPN client software when it's connected. Just find the section mentioning the routes.
- Jouni
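A small checker for the three things this thread tracked down (a nat 0 exemption that covers the client pool, a standard split-tunnel ACL paired with tunnelspecified, and icmp inspection), written as an added example for this thread rather than anything posted in it. The two config excerpts are constructed from the pasted ASA 7.2(4) config, and the parser assumes the 7.2-style `nat`/`access-list`/`group-policy` syntax shown there (net/mask ACL entries only).

```python
import ipaddress
import re

# Constructed excerpt of the ASA 7.2(4) config pasted in the thread, as in the second
# "sh run all": nat 0 has gone missing, the split-tunnel list is extended ACL 101, no icmp inspect.
BROKEN_CFG = """\
ip local pool dhcppptp-pool 192.168.150.1-192.168.150.30 mask 255.255.255.224
access-list 101 extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.224
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.224
nat (inside) 1 10.0.0.0 255.255.255.0
group-policy BEVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
tunnel-group BEVPN general-attributes
 address-pool dhcppptp-pool
 default-group-policy BEVPN
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
"""
# The same excerpt with the three changes the thread converged on.
FIXED_CFG = (BROKEN_CFG
    .replace("nat (inside) 1", "nat (inside) 0 access-list nonat\nnat (inside) 1")
    .replace("101 extended permit ip 10.0.0.0 255.255.255.0 192.168.150.0 255.255.255.224",
             "SPLIT-TUNNEL standard permit 10.0.0.0 255.255.255.0")
    .replace("list value 101", "list value SPLIT-TUNNEL")
    .replace("preset_dns_map", "preset_dns_map\n  inspect icmp"))

# A section ends at the next top-level command, so stripped indentation (as in a forum paste) is fine.
TOP = re.compile(r"^(group-policy|tunnel-group|access-list|nat |static|global|ip local pool|policy-map|class-map|!)")


def block(cfg, header):
    """Lines belonging to the section whose header line is `header`."""
    out, inside = [], False
    for ln in cfg.splitlines():
        if ln.strip() == header:
            inside = True
        elif inside:
            if TOP.match(ln):
                break
            out.append(ln.strip())
    return out


def acl(cfg, name):
    """(kind, nets) of a permit ACL: the listed nets if standard, the destinations if extended ip."""
    entries = re.findall(rf"^access-list {re.escape(name)} (standard|extended) permit (.*)$", cfg, re.M)
    if not entries:
        return None
    nets = []
    for kind, rest in entries:
        t = rest.split()  # net/mask form only; "host"/"any" entries are not used in this thread
        if kind == "standard":
            nets.append(ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False))
        elif t[0] == "ip" and len(t) >= 5:
            nets.append(ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False))
    return entries[0][0], nets


def check_ra_vpn(cfg, tunnel_group="BEVPN"):
    """Return the misconfigurations found for one IPsec remote-access tunnel-group."""
    findings = []
    tg = block(cfg, f"tunnel-group {tunnel_group} general-attributes")
    pool = next((l.split()[1] for l in tg if l.startswith("address-pool ")), "")
    gp_name = next((l.split()[1] for l in tg if l.startswith("default-group-policy ")), "")
    m = re.search(rf"^ip local pool {re.escape(pool)} (\S+)-(\S+)", cfg, re.M)
    if not pool or not m:
        return [f"tunnel-group {tunnel_group}: no usable address-pool"]
    start, end = (ipaddress.ip_address(x) for x in m.groups())
    # 1. NAT exemption: without "nat (inside) 0" covering the pool, LAN replies to the
    #    clients hit the "nat 1"/global PAT rule instead of returning down the tunnel.
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    exempt = acl(cfg, m.group(1)) if m else None
    if not exempt or not all(any(h in n for n in exempt[1]) for h in (start, end)):
        findings.append(f"nat 0 exemption missing or its ACL does not cover pool {start}-{end}")
    # 2. Split tunnelling: tunnelspecified needs a list (standard ACL recommended); tunnelall ignores any list.
    gp = block(cfg, f"group-policy {gp_name} attributes")
    policy = next((l.split()[1] for l in gp if l.startswith("split-tunnel-policy ")), "tunnelall")
    lst = next((l.split()[2] for l in gp if l.startswith("split-tunnel-network-list value ")), None)
    st = acl(cfg, lst) if lst else None
    if policy == "tunnelspecified" and st is None:
        findings.append("split-tunnel-policy tunnelspecified but no split-tunnel ACL")
    elif policy == "tunnelspecified" and st[0] != "standard":
        findings.append(f"split-tunnel ACL {lst} is {st[0]}; use a standard ACL")
    elif policy == "tunnelall" and lst:
        findings.append(f"split-tunnel-policy tunnelall ignores list {lst}")
    # 3. Without icmp inspection the echo replies are not matched to the client's request,
    #    so the ping test in the thread fails even when NAT and routing are right.
    if "inspect icmp" not in cfg:
        findings.append("inspect icmp is not configured")
    return findings
```

Running `check_ra_vpn(BROKEN_CFG)` reports all three problems; `check_ra_vpn(FIXED_CFG)` returns an empty list.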