
5505: Win7+Vista not talking to internal server

Status
Not open for further replies.

jboncek (IS-IT--Management), Jan 19, 2011
Hey Folks,

Although I'm a noob with the ASA, this seems to be a quirky issue. Any help is greatly appreciated.

Only on my Win 7 and Vista machines, I'm not getting any connection to our local domain server (most of the time)...

All XP machines are working fine.

I have ruled out switches dropping packets as the server and Win 7 PC are directly on interface ports.

I feel like I've exhausted all possibilities.

I did read somewhere to try hardcoding the speed and duplex, but when I entered them in the CLI, because they're defaults they don't show as hard coded. Either way, the PC and config are both on auto and there doesn't seem to be a conflict.

I can't seem to understand the Reset-O in the log!? Who is outside, and why are they resetting my connection? This is all internal, same security level.

There have been a few random occurrences where I do get connectivity! But it doesn't last, and once I reboot, I'm lost again. There may be some added mess in this config, but see below.
~~~~~~~~~~~~~~~~~~~~~~~~~~~log
6 Jan 19 2011 17:24:44 106015 192.168.1.7 2515 192.168.1.249 135 Deny TCP (no connection) from 192.168.1.7/2515 to 192.168.1.249/135 flags RST on interface inside

6 Jan 19 2011 17:24:45 302014 192.168.1.7 2516 192.168.1.249 445 Teardown TCP connection 10263 for inside:192.168.1.7/2516 to inside:192.168.1.249/445 duration 0:00:00 bytes 0 TCP Reset-O
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~CONFIG~~~~~~~~~~~~~~~~~~

: Saved
:
ASA Version 8.2(1)
!
hostname ftcasa
domain-name FTC.local
enable password ************** encrypted
passwd ***************** encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
timeout 5
name-server 192.168.1.249
name-server 167.206.251.129
name-server 167.206.251.130
domain-name FTC.local
same-security-traffic permit intra-interface
object-group service RAW tcp
description printing
port-object eq 9100
object-group service Printuri tcp
port-object eq 631
object-group service b tcp-udp
port-object range 1 20000
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object udp
service-object tcp
service-object tcp-udp eq talk
object-group service RDP tcp
port-object eq 3389
object-group service toserver tcp-udp
port-object range 1 30000
access-list inside_access_in extended permit object-group TCPUDP 192.168.1.0 255.255.255.0 host 192.168.1.249 range 1 30000
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 host 192.168.1.249
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 host 192.168.1.229 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit ip host 192.168.1.195 host 192.168.0.200
access-list outside_authentication extended permit tcp any any
access-list inside_authentication extended permit tcp any any inactive
access-list outside_access_in extended permit tcp any host 192.168.1.249 object-group RDP
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip host 192.168.1.195 host 192.168.0.200
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 192.168.1.200-192.168.1.210 mask 255.255.255.0
ipv6 access-list inside_access_ipv6_in permit ip any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 2 192.168.1.245-192.168.1.250 netmask 255.0.0.0
global (inside) 1 interface
global (outside) 101 192.168.1.5-192.168.1.250
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group inside_access_ipv6_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list value FTCbookmarks
aaa-server NTDomain protocol nt
aaa-server NTDomain (inside) host 192.168.1.249
nt-auth-domain-controller FTC.local
aaa authentication match inside_authentication inside LOCAL
aaa authentication match outside_authentication outside LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ftcasa
proxy-ldc-issuer
crl configure
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain ASDM_TrustPoint0
***************
quit
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.248 inside
dhcpd dns 192.168.1.249 167.206.251.129 interface inside
dhcpd wins 192.168.1.249 167.206.251.129 interface inside
dhcpd lease 50000 interface inside
dhcpd ping_timeout 2000 interface inside
dhcpd domain FTC.local interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 300 burst-rate 40000 average-rate 20000
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1 regex "Windows NT"
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 2 regex "Intel Mac OS X"
svc enable
tunnel-group-list enable
certificate-group-map DefaultCertificateMap 10 DefaultWEBVPNGroup
group-policy DfltGrpPolicy attributes
wins-server value 192.168.1.249
dns-server value 192.168.1.249 167.206.251.129
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
address-pools value VPNPOOL
webvpn
url-list value FTCbookmarks
username lolson password****************encrypted
username jboncek password **********/*****encrypted privilege 15
username jboncek attributes
webvpn
smart-tunnel disable
smart-tunnel auto-signon disable
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPOOL
authentication-server-group NTDomain
authentication-server-group (inside) NTDomain
authentication-server-group (outside) NTDomain
dhcp-server 192.168.1.1
tunnel-group DefaultRAGroup webvpn-attributes
radius-reject-message
proxy-auth sdi
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool (inside) VPNPOOL
address-pool (outside) VPNPOOL
address-pool VPNPOOL
authentication-server-group NTDomain
authentication-server-group (outside) NTDomain
authentication-server-group (inside) NTDomain
secondary-authentication-server-group (inside) NTDomain use-primary-username
secondary-authentication-server-group (outside) NTDomain use-primary-username
authorization-server-group (inside) LOCAL
authorization-server-group (outside) LOCAL
dhcp-server 192.168.1.1
username-from-certificate use-entire-name
secondary-username-from-certificate use-entire-name
tunnel-group DefaultWEBVPNGroup webvpn-attributes
proxy-auth sdi
nbns-server 192.168.1.249 master timeout 2 retry 2
group-alias "FTC VPN" enable
group-url ************* enable
!
!
prompt hostname context
Cryptochecksum:8cf87e91c67f60130962c5f72faa0b19
: end
no asdm history enable
 
::UPDATE::

Still no luck. What I have figured out is this:

1: I can ping the server by name and IP
2: The log is consistently showing a Deny on ports 137, 138, 139 and 445, which looks to be NetBIOS and Active Directory... but why?

Here is my ipconfig:


Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : FTC.local
Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
Physical Address. . . . . . . . . : A4-BA-DB-FB-DB-41
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::301c:2039:dddb:6ffc%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.1.33(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, January 20, 2011 2:41:42 PM
Lease Expires . . . . . . . . . . : Friday, January 21, 2011 4:35:02 AM
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DHCPv6 IAID . . . . . . . . . . . : 245676763
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-AA-1B-53-A4-BA-DB-FB-DB-41

DNS Servers . . . . . . . . . . . : 192.168.1.249
167.206.251.129
Primary WINS Server . . . . . . . : 192.168.1.249
NetBIOS over Tcpip. . . . . . . . : Enabled
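The two log lines quoted in the post can be parsed mechanically. The Python below is an added example written for this page, not code from the thread or from Cisco: it parses ASDM-style ASA syslog lines, tags each 302014 teardown with which end of the flow sent the RST, and counts the 106015 "Deny TCP (no connection)" messages per destination port. The first two sample lines are the ones quoted above; the other three are constructed to resemble the 139/445 denies mentioned in the update. The mapping of Reset-O to the responding host follows Cisco's description of message 302014 (Reset-I: reset from the inside, Reset-O: reset from the outside) applied to an intra-interface flow, and is the reading assumed here.

```python
"""Parse Cisco ASA syslog lines in the ASDM column form shown in the thread and
summarise the 106015 stateful denies and the 302014 TCP teardowns."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Sample log: the first two lines are the ones quoted in the post; the remaining
# three are constructed for this example to mimic the 139/445 denies described
# in the update.
SAMPLE_LOG = """\
6 Jan 19 2011 17:24:44 106015 192.168.1.7 2515 192.168.1.249 135 Deny TCP (no connection) from 192.168.1.7/2515 to 192.168.1.249/135 flags RST on interface inside
6 Jan 19 2011 17:24:45 302014 192.168.1.7 2516 192.168.1.249 445 Teardown TCP connection 10263 for inside:192.168.1.7/2516 to inside:192.168.1.249/445 duration 0:00:00 bytes 0 TCP Reset-O
6 Jan 19 2011 17:24:46 106015 192.168.1.7 2517 192.168.1.249 445 Deny TCP (no connection) from 192.168.1.7/2517 to 192.168.1.249/445 flags RST on interface inside
6 Jan 19 2011 17:24:47 106015 192.168.1.7 2518 192.168.1.249 139 Deny TCP (no connection) from 192.168.1.7/2518 to 192.168.1.249/139 flags RST on interface inside
6 Jan 19 2011 17:24:48 302014 192.168.1.7 2519 192.168.1.249 139 Teardown TCP connection 10264 for inside:192.168.1.7/2519 to inside:192.168.1.249/139 duration 0:00:03 bytes 512 TCP Reset-I
"""

# severity, timestamp, six-digit message id, src ip/port, dst ip/port, message text
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<msgid>\d{6})\s+(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+(?P<text>.+)$"
)
# tail of a 302014 message: "... duration H:MM:SS bytes N <reason>"
TEARDOWN_RE = re.compile(r"duration (?P<dur>\d+:\d{2}:\d{2}) bytes (?P<nbytes>\d+) (?P<reason>.+)$")


@dataclass
class Event:
    severity: int
    timestamp: str
    msgid: str
    src: str
    sport: int
    dst: str
    dport: int
    text: str
    nbytes: Optional[int] = None   # only set for 302014 teardowns
    reason: Optional[str] = None   # e.g. "TCP Reset-O", only for 302014


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for one log line, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = Event(int(m["sev"]), m["ts"], m["msgid"], m["src"], int(m["sport"]),
               m["dst"], int(m["dport"]), m["text"])
    if ev.msgid == "302014":
        t = TEARDOWN_RE.search(ev.text)
        if t:
            ev.nbytes = int(t["nbytes"])
            ev.reason = t["reason"]
    return ev


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def reset_side(reason: str) -> Optional[str]:
    """Map the teardown reason to the end of the flow that sent the RST.
    Cisco documents Reset-I as a reset from the inside and Reset-O as a reset
    from the outside; assumption here: for an intra-interface flow that is the
    initiating host ('I') versus the responding host ('O')."""
    if reason.endswith("Reset-O"):
        return "responder"
    if reason.endswith("Reset-I"):
        return "initiator"
    return None


def summarize(events: List[Event]) -> dict:
    """Count 106015 denies per destination port and 302014 teardowns per
    (port, reset side). A 106015 'Deny TCP (no connection)' is not an ACL hit:
    it is a packet (here a RST) that arrived after the ASA had already removed
    the connection entry, so it is the after-effect of a teardown, not its cause."""
    denies: Counter = Counter()
    teardowns: Counter = Counter()
    zero_byte = 0
    for ev in events:
        if ev.msgid == "106015":
            denies[ev.dport] += 1
        elif ev.msgid == "302014" and ev.reason:
            teardowns[(ev.dport, reset_side(ev.reason))] += 1
            if ev.nbytes == 0:
                zero_byte += 1
    return {"denies_by_port": dict(denies),
            "teardowns": dict(teardowns),
            "zero_byte_teardowns": zero_byte}


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

Run as a script it prints the three summaries; on the quoted lines the teardown on port 445 is attributed to the responder with zero bytes transferred, which is the point to correlate with the server side rather than with the firewall's ACLs.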
 
Without having looked very hard at your config, one thing I notice is that your VPN pool is in the same address space as your internal network. Try changing the VPN pool and post back with your results.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
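ColdFlame's point can be checked mechanically against the posted config. The Python below is an added example written for this page, not code from the thread: it takes the address ranges that appear in the config (the `ip local pool VPNPOOL`, the `dhcpd address` pool on inside and the `global (inside) 2` pool) and reports which of them sit in the inside subnet, which overlap each other, and whether the server's static address falls inside a dynamic range. That goes beyond the VPN-pool case the reply raises, so it covers the other ranges too. The candidate pool 192.168.2.200-192.168.2.210 is a constructed value used to show a clean result, not a recommendation from the thread.

```python
"""Audit the address ranges in the posted ASA config for overlap with the inside
subnet and with each other (the check ColdFlame's reply suggests for the VPN pool)."""
import ipaddress
from itertools import combinations
from typing import Dict, List, Optional, Tuple

# Values lifted from the config in the thread; each key names the config line.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")          # interface Vlan1 / ip address
RANGES: Dict[str, Tuple[str, str]] = {
    "ip local pool VPNPOOL": ("192.168.1.200", "192.168.1.210"),
    "dhcpd address inside":  ("192.168.1.5",   "192.168.1.248"),
    "global (inside) 2":     ("192.168.1.245", "192.168.1.250"),
}
HOSTS = {"server (name-server / aaa-server host)": "192.168.1.249"}
# Constructed candidate pool outside the inside subnet, to show a non-overlapping result.
CANDIDATE_POOL = ("192.168.2.200", "192.168.2.210")


def _bounds(rng: Tuple[str, str]) -> Tuple[int, int]:
    """Start and end of a dotted-quad range as integers, validated."""
    a, b = (int(ipaddress.ip_address(x)) for x in rng)
    if a > b:
        raise ValueError("range start after end: %s-%s" % rng)
    return a, b


def overlaps_network(rng: Tuple[str, str], net: ipaddress.IPv4Network) -> bool:
    """True if any address of the start-end range lies inside net."""
    a, b = _bounds(rng)
    lo, hi = int(net.network_address), int(net.broadcast_address)
    return a <= hi and b >= lo


def range_overlap(r1: Tuple[str, str], r2: Tuple[str, str]) -> Optional[Tuple[str, str]]:
    """Return the shared (first, last) addresses of two ranges, or None if disjoint."""
    a1, b1 = _bounds(r1)
    a2, b2 = _bounds(r2)
    lo, hi = max(a1, a2), min(b1, b2)
    if lo > hi:
        return None
    return str(ipaddress.ip_address(lo)), str(ipaddress.ip_address(hi))


def audit(net: ipaddress.IPv4Network, ranges: Dict[str, Tuple[str, str]],
          hosts: Dict[str, str]) -> dict:
    """Report which ranges sit in net, which ranges overlap each other, and
    which static hosts fall inside a dynamic range."""
    in_net = [name for name, rng in ranges.items() if overlaps_network(rng, net)]
    pairs: List[Tuple[str, str, str, str]] = []
    for (n1, r1), (n2, r2) in combinations(ranges.items(), 2):
        shared = range_overlap(r1, r2)
        if shared:
            pairs.append((n1, n2, shared[0], shared[1]))
    host_hits: List[Tuple[str, str]] = []
    for hname, ip in hosts.items():
        for rname, rng in ranges.items():
            if range_overlap((ip, ip), rng):
                host_hits.append((hname, rname))
    return {"ranges_in_inside_net": in_net,
            "overlapping_ranges": pairs,
            "hosts_in_ranges": host_hits}


if __name__ == "__main__":
    report = audit(INSIDE_NET, RANGES, HOSTS)
    for key, rows in report.items():
        print(key)
        for row in rows:
            print("   ", row)
    print("candidate pool inside the LAN?", overlaps_network(CANDIDATE_POOL, INSIDE_NET))
```

On the posted values every range lands in the inside subnet, the VPN pool sits entirely inside the DHCP pool, the DHCP pool and the `global (inside) 2` pool share .245-.248, and the server's .249 falls inside the `global (inside) 2` pool; the constructed 192.168.2.x candidate reports clean.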
 
Well, I did try that, but no luck there.

Now I'm really confused. I had it working with the above config, AND manually setting my DNS to my local server only; that was a dumb mistake on my part...

So, in order to fix it properly, I need to change the config to serve the proper DNS, right? Well, for whatever reason, I cannot recreate my solution, no matter how hard I try.

In fixing: I moved the DHCP serving to where it should be, on the server, which should help the logic in DHCP and DNS working together...

I've also tried all NetBIOS settings.

Interestingly, as I mentioned I can ping the server and connect RDP to other local machines, but I cannot "net view \\server" OR "net view \\192.168.1.249" the server IP.

Odd quirk. After trying to do a net view, all of a sudden my explorer window decided to populate with network PCs!

I'm getting really tired of this. Any help?
I may need to move this to a Windows 7/SBS forum...
 