
ASA 5505 connecting to VPN 3000 Concentrator in Network Extension Mode

Ok, I've set up a group and a user on my concentrator to allow access to my network.

I originally set the ASA in a remote site in just client mode. It connected and could use any resource at the home network, but I could not see the network on the inside of the ASA.

I switched to Network Extension Mode. It shows there is a tunnel. I can see the session created on the concentrator, but no traffic (ICMP) seems to be going through.

Suggestions?
 
Have you created remote and local networks on the concentrator? Any rules that have been created to prevent traffic flow on either the ASA or the concentrator?
 
It is an existing network.

My internal network is 172.20/16
The ASA I am trying to configure is 172.26.201/24
I have a route on my DG that points
172.26/16 to the Concentrator

I have an existing 501e PIX that is on the 172.20.1/24 network and it connects fine. I would have used the same group as the PIX but I don't know the shared password and didn't want to disrupt the existing connection it was on.

 
Has it ever worked? What are you seeing in the logs? Are you getting past phase 1?
 
It is a new install on the ASA, but it has worked on a different PIX 501e.

Here are the logs from the Live event Monitor

56793 10/15/2009 14:57:37.150 SEV=5 IKE/50 RPT=60449 XXX.XXX.28.13
Group [sohoasa] User [asa]
Connection terminated for peer asa.
Reason: IPSec SA Idle Timeout
Remote Proxy 192.168.1.120, Local Proxy 0.0.0.0

56796 10/15/2009 14:57:40.230 SEV=5 IKE/25 RPT=32756 XXX.XXX.28.13
Group [sohoasa] User [asa]
Received remote Proxy Host data in ID Payload:
Address 192.168.1.120, Protocol 0, Port 0

56799 10/15/2009 14:57:40.230 SEV=5 IKE/34 RPT=53996 XXX.XXX.28.13
Group [sohoasa] User [asa]
Received local IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0

56802 10/15/2009 14:57:40.230 SEV=5 IKE/66 RPT=56392 XXX.XXX.28.13
Group [sohoasa] User [asa]
IKE Remote Peer configured for SA: ESP-3DES-MD5

56803 10/15/2009 14:57:40.240 SEV=5 IKE/75 RPT=16501 XXX.XXX.28.13
Group [sohoasa] User [asa]
Overriding Initiator's IPSec rekeying duration from 2147483647 to 28800 seconds

56805 10/15/2009 14:57:40.320 SEV=4 IKE/173 RPT=48925 XXX.XXX.28.13
Group [sohoasa] User [asa]
NAT-Traversal successfully negotiated!
IPSec traffic will be encapsulated to pass through NAT devices.

56808 10/15/2009 14:57:40.320 SEV=4 IKE/49 RPT=56845 XXX.XXX.28.13
Group [sohoasa] User [asa]
Security negotiation complete for User (asa)
Responder, Inbound SPI = 0x512c9bd7, Outbound SPI = 0xe32973e2

56811 10/15/2009 14:57:40.330 SEV=4 IKE/120 RPT=56846 76.180.28.13
Group [sohoasa] User [asa]
PHASE 2 COMPLETED (msgid=600c128c)

Note 192.168.1.120 is the IP address the ASA gets from my personal router at home. (It's plugged in at home so I can configure it from an outside connection.)
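The Live Event Monitor output above shows phase 2 completing, yet the remote proxy the ASA presented is a single host (its 192.168.1.120 outside address) rather than its 172.26.201.0/24 inside network, which is the identity a Network Extension Mode hardware client is expected to offer. The following is an added example, not code from the thread: a parser for this log format that folds the multi-line events back together and reports phase 2 state, idle timeouts, and whether the remote proxy covers the inside network. SAMPLE_LOG is constructed in the same format, and the peer address in it is a placeholder.

```python
import ipaddress
import re
# Constructed sample in the Live Event Monitor format quoted in the thread (not the thread's own lines).
SAMPLE_LOG = """\
56793 10/15/2009 14:57:37.150 SEV=5 IKE/50 RPT=60449 203.0.113.13
Group [sohoasa] User [asa]
Connection terminated for peer asa.
Reason: IPSec SA Idle Timeout

56796 10/15/2009 14:57:40.230 SEV=5 IKE/25 RPT=32756 203.0.113.13
Group [sohoasa] User [asa]
Received remote Proxy Host data in ID Payload:
Address 192.168.1.120, Protocol 0, Port 0

56811 10/15/2009 14:57:40.330 SEV=4 IKE/120 RPT=56846 203.0.113.13
Group [sohoasa] User [asa]
PHASE 2 COMPLETED (msgid=600c128c)
"""
HEADER = re.compile(r"^(\d+) (\S+ \S+) SEV=(\d) (IKE/\d+) RPT=\d+ (\S+)$")
GROUP = re.compile(r"^Group \[([^\]]+)\] User \[([^\]]+)\]$")

def parse_events(text):
    """Fold the multi-line monitor output into one dict per event."""
    events, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if h := HEADER.match(line):  # a header line starts a new event
            cur = {"seq": int(h[1]), "when": h[2], "sev": int(h[3]), "cls": h[4],
                   "peer": h[5], "group": None, "user": None, "msg": []}
            events.append(cur)
        elif line and cur is not None:
            if g := GROUP.match(line):
                cur["group"], cur["user"] = g[1], g[2]
            else:
                cur["msg"].append(line)
    return events

def check_nem_session(events, inside_net):
    """Phase 2 state, plus whether the remote proxy is the client's inside network (NEM) or one host."""
    result = {"phase2": False, "idle_timeouts": 0, "proxy": None, "proxy_is_inside_net": False}
    for ev in events:
        text = " ".join(ev["msg"])
        if "PHASE 2 COMPLETED" in text:
            result["phase2"] = True
        elif "IPSec SA Idle Timeout" in text:  # SA torn down because nothing was sent through it
            result["idle_timeouts"] += 1
        elif ev["cls"] == "IKE/25":  # remote Proxy Host data: a single address, not a subnet
            result["proxy"] = re.search(r"Address ([\d.]+)", text)[1]
            result["proxy_is_inside_net"] = ipaddress.ip_address(result["proxy"]) in ipaddress.ip_network(inside_net)
    return result
```

Run against the real monitor output with the ASA's inside network as `inside_net`; a tunnel that reports `phase2` true but `proxy_is_inside_net` false has been negotiated like client mode, so only traffic sourced from the ASA itself will cross it.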
 
Appears that you are passing phase two and have a tunnel. Can you post a scrubbed config of the ASA?
 
Here it is.

ASA Version 7.2(4)
!
hostname XXX-ASA1
domain-name XX.XXX.org
enable password xxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxx encrypted
names
name 172.20.0.0 Main
name 172.19.0.0 Site_2
name 172.21.0.0 Site_3
name 172.16.0.0 Site_4
name 172.18.0.0 Site_5
name 10.41.0.0 Site_6
name 172.30.0.0 Site_7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.26.201.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name XX.XXXX.org
object-group network MyGROUP
network-object Site_6 255.255.0.0
network-object Site_4 255.255.0.0
network-object Site_5 255.255.0.0
network-object Site_2 255.255.0.0
network-object Main 255.255.0.0
network-object Site_3 255.255.0.0
network-object Site_7 255.255.0.0
access-list outside_access_in extended permit ip object-group MyGROUP 172.26.201.0 255.255.255.0
access-list inside_access_in extended permit ip any object-group MyGROUP
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.26.201.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.26.201.11-172.26.201.42 inside
dhcpd dns 172.20.20.1 172.20.0.23 interface inside
dhcpd lease 259200 interface inside
dhcpd domain xx.xxxxx.org interface inside
dhcpd update dns interface inside
dhcpd enable inside
!
vpnclient server XXX.XXX.XXX.XXX
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup sohoasa password ********
vpnclient username asa password ********
vpnclient enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bee48680415b3bf580eff743f879ddf8
: end
 
crypto isakmp nat-traversal 120 is missing and I do not see a gateway of last resort??
 
I put it in and it would not allow me because I have easy VPN enabled.
 
FYI,

I resolved it.

I recreated the config from Scratch giving it a name and IP.
I went to the VPN wizard and put it in Network Extension Mode with the proper remote groups and IP.

I created the DHCP Range.

I added the following 2 lines.

icmp permit any inside
icmp permit any outside

Started working. I could ping through, RDP started working and so did printing.
 
For later, you should be able to tftp the config from the pix and get the password in clear text.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 