07-09-2012 03:27 PM - edited 02-21-2020 06:11 PM
Hello,
I don't know what might have happened: VPN users can ping the outside and inside interfaces of the Cisco ASA, but cannot connect to servers or ping the servers inside the LAN.
Please kindly check the config and let me know what might have happened.
hostname horse
domain-name evergreen.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description LAN
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet0/1
description CONNECTION_TO_FREEMAN
nameif outside
security-level 0
ip address 196.1.1.1 255.255.255.248
!
interface GigabitEthernet0/2
description CONNECTION_TO_TIGHTMAN
nameif backup
security-level 0
ip address 197.1.1.1 255.255.255.248
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa844-1-k8.bin
boot system disk0:/asa707-k8.bin
ftp mode passive
clock timezone WAT 1
dns server-group DefaultDNS
domain-name green.com
object network NETWORK_OBJ_192.168.2.0_25
subnet 192.168.2.0 255.255.255.128
object network NETWORK_OBJ_192.168.202.0_24
subnet 192.168.202.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group network DM_INLINE_NETWORK_1
network-object 192.168.200.0 255.255.255.0
network-object 192.168.202.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.200.0 255.255.255.0
network-object 192.168.202.0 255.255.255.0
access-list INSIDE_OUT extended permit ip 192.168.202.0 255.255.255.0 any
access-list INSIDE_OUT extended permit ip 192.168.200.0 255.255.255.0 any
access-list OUTSIDE_IN extended permit ip any any
access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list gbnlvpntunnel_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list gbnlvpntunnell_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
ip local pool VPNPOOL 192.168.2.0-192.168.2.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
nat (inside,backup) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
nat (inside,backup) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,backup) dynamic interface
access-group INSIDE_OUT in interface inside
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10
route outside 0.0.0.0 0.0.0.0 197.1.1.2 254
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.200.0 255.255.255.0 inside
http 192.168.202.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 212.58.244.71 interface outside
timeout 3000
frequency 5
sla monitor schedule 100 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map backup_map interface backup
crypto ikev1 enable outside
crypto ikev1 enable backup
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
!
track 10 rtr 100 reachability
telnet 192.168.200.0 255.255.255.0 inside
telnet 192.168.202.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.202.0 255.255.255.0 inside
ssh 192.168.200.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy vpntunnel internal
group-policy vpntunnel attributes
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpntunnel_splitTunnelAcl
default-domain value green.com
group-policy vpntunnell internal
group-policy vpntunnell attributes
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value gbnlvpntunnell_splitTunnelAcl
default-domain value green.com
username green password BoEFKkDtbnX5Uy1Q encrypted privilege 15
username LA attributes
vpn-group-policy gbnlvpn
tunnel-group vpntunnel type remote-access
tunnel-group vpntunnel general-attributes
address-pool VPNPOOL
default-group-policy vpntunnel
tunnel-group vpntunnel ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group vpntunnell type remote-access
tunnel-group vpntunnell general-attributes
address-pool VPNPOOL2
default-group-policy vpntunnell
tunnel-group vpntunnell ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7c1b1373bf2e2c56289b51b8dccaa565
07-09-2012 03:44 PM
Hello,
May I know why you have two NAT statements for the same flow? One says from inside to backup and the other one from inside to outside... This may cause issues... Please remove the unneeded statements and try again.
What do the logs tell you?
A packet-tracer?
A packet-capture?
Thanks.
Sent from Cisco Technical Support Android App
07-10-2012 06:45 AM
sh crypto ipsec sa
interface: backup
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 197.255.63.181
local ident (addr/mask/prot/port): (192.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
current_peer: 60.125.63.33, username: Hassan
dynamic allocated peer ip: 192.168.2.1
#pkts encaps: 9601, #pkts encrypt: 9601, #pkts digest: 9601
#pkts decaps: 10336, #pkts decrypt: 10336, #pkts verify: 10336
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9601, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 197.1.1.1/4500, remote crypto endpt.: 197.1.1.1/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 0351A70F
current inbound spi : C41E3EEF
inbound esp sas:
spi: 0xC41E3EEF (3290316527)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 782
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x0351A70F (55682831)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 781
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
debug icmp trace
Reply is hitting the ASA, but can't ping the inside network.
07-10-2012 10:34 AM
Hi,
Please remove the following lines with the "no" command:
nat (inside,outside) source static NETWORK_OBJ_192.168.202.0_24 NETWORK_OBJ_192.168.202.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
nat (inside,backup) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
And add the following commands:
object network obj-192.168.200.0_24
subnet 192.168.200.0 255.255.255.0
!
nat (inside,backup) source static obj-192.168.200.0_24 obj-192.168.200.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
Then please place a capture:
capture cap_backup interface backup match ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
capture cap_backup1 interface backup match ip 192.168.202.0 255.255.255.0 192.168.2.0 255.255.255.0
Run "clear crypto ipsec sa counters" and try to access the 192.168.202.0/24 & 192.168.202.0/24 network with a ping (if allowed) through the tunnel, please attach these outputs:
1- show crypto ipsec sa
2- show capture cap_backup
3- show capture cap_backup1
Thanks
07-10-2012 01:47 PM
Hello,
I reconfigured everything again, and it is from this new config that I got the "sh crypto ipsec sa" and the ping in my previous post. Please discard the first config; let us work with this new one.
We have two LANs, 192.168.200.0 and 192.168.202.0, but I still can't ping my two LAN IPs from the VPN client. I have some questions to ask:
1. Do I need to permit traffic from VPN to inside IPs?
2. My two LAN subnets are already bridged; what might go wrong inside this config?
3. I need thorough checking of this config, because I have been battling with it for almost 60 hours now.
4. New config below; is there anything wrong inside this config?
5. Note: I can ping the LAN and public leg from VPN, but can't ping inside.
Thanks
Config below:
______________________________________________________________________________________________________
ASA Version 8.3(1)
!
hostname horse
domain-name evergreen.com
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface GigabitEthernet0/0
description LAN
nameif inside
security-level 100
ip address 192.168.202.100 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 196.1.1.1 255.255.255.248
!
interface GigabitEthernet0/2
nameif backup
security-level 0
ip address 197.1.1.1 255.255.255.248
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
boot system disk0:/asa831-k8.bin
boot system disk0:/asa707-k8.bin
ftp mode passive
clock timezone WAT 1
dns server-group DefaultDNS
domain-name greatbrandsng.com
same-security-traffic permit inter-interface
object network NETWORK_OBJ_192.168.2.0_25
subnet 192.168.2.0 255.255.255.128
object-group network DM_INLINE_NETWORK_1
network-object 192.168.200.0 255.255.255.0
network-object 192.168.202.0 255.255.255.0
access-list INSIDE_OUT extended permit tcp 192.168.202.0 255.255.255.0 any
access-list INSIDE_OUT extended permit tcp 192.168.200.0 255.255.255.0 any
access-list INSIDE_OUT extended permit tcp 192.168.2.0 255.255.255.0 any
access-list OUTSIDE_IN extended permit icmp any any
access-list gbnl1234_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
access-list gbnl1234_splitTunnelAcl standard permit 192.168.202.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
ip local pool GBNLVPNPOOL 192.168.2.0-192.168.2.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-206.bin
no asdm history enable
arp timeout 14400
nat (inside,backup) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25
!
nat (inside,outside) after-auto source dynamic any interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10
route backup 0.0.0.0 0.0.0.0 197.1.1.2 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable 441
http 192.168.200.0 255.255.255.0 inside
http 192.168.202.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 196.1.1.2 interface outside
timeout 3000
frequency 5
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map backup_map interface backup
crypto isakmp enable backup
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
!
track 10 rtr 100 reachability
telnet 192.168.200.0 255.255.255.0 inside
telnet 192.168.202.0 255.255.255.0 inside
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.202.0 255.255.255.0 inside
ssh 192.168.200.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy gbnl1234 internal
group-policy gbnl1234 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value gbnl1234_splitTunnelAcl
default-domain value greatbrandsng.com
username gbnl password BoEFKkDtbnX5Uy1Q encrypted privilege 15
tunnel-group gbnl1234 type remote-access
tunnel-group gbnl1234 general-attributes
address-pool GBNLVPNPOOL
default-group-policy gbnl1234
tunnel-group gbnl1234 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8f7dad0c62c03cb7ae312b3700ee086a
07-10-2012 02:05 PM
Hi,
1- Please issue these commands:
"crypto isakmp nat-traversal 30"
"crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route"
The main issue here is that you have two floating routes and the outside one has a better metric than the backup, that is why I added the "reverse-route" command.
Please let me know.
Thanks.
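As an added check (example code written for this page, not from the thread or from Cisco), the script below lints a constructed ASA config excerpt for the pitfalls raised in this thread: a crypto map on an interface that does not hold the preferred default route without `set reverse-route`, NAT-T explicitly disabled, the same identity-NAT flow declared toward two egress interfaces, and dangling split-tunnel ACL / address-pool references as seen in the first config. Object names `OBJ_LAN` and `OBJ_POOL` are assumed placeholders.

```python
"""Lint a Cisco ASA running-config for remote-access VPN pitfalls.
Added example, not code from the thread; the sample config is a constructed
excerpt modelled on the configs posted above (placeholder object names)."""
import re

# Constructed sample: the shape of the second config, plus the dangling
# references from the first one, so every check fires at least once.
SAMPLE_CONFIG = """\
ip local pool GBNLVPNPOOL 192.168.2.0-192.168.2.100 mask 255.255.255.0
access-list gbnl1234_splitTunnelAcl standard permit 192.168.200.0 255.255.255.0
nat (inside,outside) source static OBJ_LAN OBJ_LAN destination static OBJ_POOL OBJ_POOL
nat (inside,backup) source static OBJ_LAN OBJ_LAN destination static OBJ_POOL OBJ_POOL
route outside 0.0.0.0 0.0.0.0 196.1.1.2 1 track 10
route backup 0.0.0.0 0.0.0.0 197.1.1.2 254
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto map backup_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map backup_map interface backup
no crypto isakmp nat-traversal
group-policy gbnl1234 attributes
 split-tunnel-network-list value vpntunnel_splitTunnelAcl
tunnel-group gbnl1234 type remote-access
tunnel-group gbnl1234 general-attributes
 address-pool VPNPOOL2
"""


def audit_asa_config(text):
    """Return a list of (code, message) findings for the given running-config."""
    findings = []

    # 1. Reverse Route Injection. With two default routes the ASA sends replies
    #    to the VPN pool out the best-metric interface; RRI installs a host
    #    route per connected client via the tunnel-terminating interface.
    routes = {m.group(1): int(m.group(2)) for m in re.finditer(
        r"^route (\S+) 0\.0\.0\.0 0\.0\.0\.0 \S+ (\d+)", text, re.M)}
    best_iface = min(routes, key=routes.get) if routes else None
    map_iface = dict(re.findall(r"^crypto map (\S+) interface (\S+)$", text, re.M))
    map_dyn = dict(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", text, re.M))
    rri = set(re.findall(r"^crypto dynamic-map (\S+) \d+ set reverse-route$", text, re.M))
    for cmap, iface in map_iface.items():
        dyn = map_dyn.get(cmap)
        if dyn and best_iface and iface != best_iface and dyn not in rri:
            findings.append(("RRI", f"crypto map {cmap} terminates VPN on '{iface}' but the "
                             f"preferred default route exits '{best_iface}'; add "
                             f"'set reverse-route' to dynamic-map {dyn}"))

    # 2. NAT-T switched off: clients behind a NAT device cannot pass raw ESP.
    if re.search(r"^no crypto (isakmp|ikev1) nat-traversal", text, re.M):
        findings.append(("NAT_T", "NAT traversal is explicitly disabled; re-enable it "
                         "with 'crypto isakmp nat-traversal 30'"))

    # 3. Dangling references silently break the group policy / tunnel group.
    acls = set(re.findall(r"^access-list (\S+) ", text, re.M))
    for name in re.findall(r"split-tunnel-network-list value (\S+)", text):
        if name not in acls:
            findings.append(("DANGLING_ACL", f"split-tunnel list '{name}' is not a defined access-list"))
    pools = set(re.findall(r"^ip local pool (\S+) ", text, re.M))
    for name in re.findall(r"address-pool (\S+)", text):
        if name not in pools:
            findings.append(("DANGLING_POOL", f"address-pool '{name}' is not a defined ip local pool"))

    # 4. The same identity-NAT flow declared toward more than one egress interface.
    flows = {}
    for m in re.finditer(r"^nat \((\S+),(\S+)\) source static (\S+) \S+ destination static (\S+)",
                         text, re.M):
        flows.setdefault((m.group(1), m.group(3), m.group(4)), []).append(m.group(2))
    for (src_if, src, dst), egress in flows.items():
        if len(egress) > 1:
            findings.append(("DUP_NAT", f"identity NAT {src}->{dst} from '{src_if}' is declared "
                             f"toward {sorted(egress)}; keep only the VPN-terminating interface"))
    return findings


def finding_codes(text):
    """Just the set of finding codes, handy for quick comparisons."""
    return {code for code, _ in audit_asa_config(text)}


if __name__ == "__main__":
    for code, msg in audit_asa_config(SAMPLE_CONFIG):
        print(f"[{code}] {msg}")
```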
07-10-2012 04:10 PM
Hi,
I have not gone back to where the device is, but do you still want me to add the config in your previous post and the new post?
Check below:
And add the following commands:
object network obj-192.168.200.0_24
subnet 192.168.200.0 255.255.255.0
!
nat (inside,backup) source static obj-192.168.200.0_24 obj-192.168.200.0_24 destination static NETWORK_OBJ_192.168.2.0_25 NETWORK_OBJ_192.168.2.0_25 no-proxy-arp route-lookup
Then please place a capture:
capture cap_backup interface backup match ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
capture cap_backup1 interface backup match ip 192.168.202.0 255.255.255.0 192.168.2.0 255.255.255.0
Run "clear crypto ipsec sa counters" and try to access the 192.168.202.0/24 & 192.168.202.0/24 network with a ping (if allowed) through the tunnel, please attach these outputs:
1- show crypto ipsec sa
2- show capture cap_backup
3- show capture cap_backup1
Please, let me know.
Thanks
07-11-2012 02:09 PM
Hello,
Thanks for your command and trick... +5. I can access LAN users now, but inside users cannot browse the internet. I think the global is in my config. Below are the outputs (show crypto ipsec sa and show capture cap_backup):
show crypto ipsec sa
interface: backup
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 197.1.1.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.2/255.255.255.255/0/0)
current_peer: 197.1.1.1, username: Hassan
dynamic allocated peer ip: 192.168.2.2
#pkts encaps: 1819, #pkts encrypt: 1819, #pkts digest: 1819
#pkts decaps: 1039, #pkts decrypt: 1039, #pkts verify: 1039
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1819, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 197.1.1.1/4500, remote crypto endpt.: 197.1.1.1/1828
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: CF60F145
current inbound spi : C2AA800C
inbound esp sas:
spi: 0xC2AA800C (3265953804)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 81920, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 27971
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xA7FE681F 0xE3FEEEEF
outbound esp sas:
spi: 0xCF60F145 (3479236933)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 81920, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 27969
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 197.1.1.1
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
current_peer: 197.1.1.1, username: Hassan
dynamic allocated peer ip: 192.168.2.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 197.1.1.1/4500, remote crypto endpt.: 197.1.1.1/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 0531E413
current inbound spi : 0ECC9791
inbound esp sas:
spi: 0x0ECC9791 (248289169)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 86016, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3250
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x0531E413 (87155731)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 86016, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3245
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 197.1.1.1
local ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
current_peer: 197.1.1.1, username: Hassan
dynamic allocated peer ip: 192.168.2.1
#pkts encaps: 2017, #pkts encrypt: 2016, #pkts digest: 2016
#pkts decaps: 2205, #pkts decrypt: 2205, #pkts verify: 2205
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2017, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 197.1.1.1/4500, remote crypto endpt.: 197.1.1.1/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 059ABD4A
current inbound spi : 0F47C499
inbound esp sas:
spi: 0x0F47C499 (256361625)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 86016, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3225
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x9E02FD00 0x3FB73FFA
outbound esp sas:
spi: 0x059ABD4A (94027082)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 86016, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3220
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
________________
sh capture cap_backup
0 packet
0
07-11-2012 03:00 PM
Hi!
I am glad to hear that; thanks for rating the answer.
On the other hand, please attach a packet-tracer from an inside IP to the Internet, probably 4.2.2.2. It will let us know whether the FW is dropping the traffic or not.
Thanks in advance.
07-11-2012 03:47 PM
Hello,
Just a quick one:
TOPOLOGY
ASA ISP1---------197.1.1.1-----------outside
ASA ISP2---------196.1.1.1-----------backup
LAN IP-------------192.168.202.100---inside
I have configured the tunnel on both (outside and backup) interfaces, but is there a way to bind the two public legs to serve as one, as redundancy for VPN users, and let VPN tunnel users point to the inside IP whenever they want to establish a VPN session? We want it to be one, so if one interface fails VPN users will not know, but it will try the second for the connection, instead of creating a profile for the two outside legs on the VPN client.
Is it possible?
10-09-2019 04:53 PM
Hello Javiar,
I'm running into a similar kind of issue. The config I'm working with is very little. Please advise.
Thanks