winston6071
Programmer
Hello,
Can anyone help with this problem?
I want to connect to a remote network where the ASA is located, with a server behind it.
On my PC, in my network somewhere on the internet, I open a connection with the Cisco client to the ASA (remote network) --> WORKS, tunnel established
I try to connect to a CIFS share in the remote network behind the ASA through this tunnel --> WORKS
I try to RDP to or ping any network devices in there --> DOES NOT WORK
Here is the config. If anyone sees the problem, I would be happy to read some ideas.
Many thanks in advance
Cryptochecksum: dc71dd1c 9b836b1a 55b528b0 06db9ebb
: Saved
: Written by enable_15 at 14:35:15.899 CEST Sun Jan 16 2011
!
ASA Version 8.3(1)
!
hostname ciscoasa
domain-name xx.local
enable password 4645645ddfgdg encrypted
passwd 45645645fghfhg encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.3.66 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name rr.local
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object-group service domain-service udp
 description domain-service
 port-object eq domain
object-group service http-service tcp
 description http-service
 port-object eq www
 port-object eq https
object-group service mail-service tcp
 description mail-service
 port-object eq pop3
 port-object eq smtp
object-group icmp-type ping-service
 description ping-service
 icmp-object echo
 icmp-object echo-reply
access-list inside_access_in extended permit tcp any any object-group http-service
access-list inside_access_in extended permit tcp any any object-group mail-service
access-list inside_access_in extended permit udp any any object-group domain-service
access-list inside_access_in extended permit icmp any any object-group ping-service
access-list outside_access_in extended permit icmp any any object-group ping-service
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN_IP_Pool 192.168.2.1-192.168.2.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.2.0_24 NETWORK_OBJ_192.168.2.0_24
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 192.168.3.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.254 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy rrvpn internal
group-policy rrvpn attributes
 dns-server value 192.168.1.11 192.168.1.12
 vpn-tunnel-protocol IPSec
 default-domain value xx.local
username xxx.xxx password dg45646hfgh encrypted privilege 0
username xxx.xxx attributes
 vpn-group-policy rrvpn
tunnel-group rrvpn type remote-access
tunnel-group rrvpn general-attributes
 address-pool VPN_IP_Pool
 default-group-policy rrvpn
tunnel-group rrvpn ipsec-attributes
 pre-shared-key vpnzugang
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dddddddddddddddddddddddddddd
: end