
ASA 5510 Allow Inside Hosts access to VPN Clients

Status
Not open for further replies.

smudley

MIS
Nov 10, 2002
16
US
We have an ASA 5510 and it's set up to allow remote Cisco VPN clients access to our inside network.

How do we set up the ASA to allow inside hosts access to the VPN clients?

We want to use remote desktop software called 'Dameware' to provide desktop assistance to VPN clients.

My VPN clients are assigned a 10.70.8.0 address and we cannot ping any 10.70.8.0 address from inside a 10.70.0.0 network.

Any tips that lead me into the right direction will be greatly appreciated.


 
Tried that, unless what we did wasn't correct.

Smudley
 
access-list INSIDE_nat_inbound extended permit ip 10.70.0.0 255.255.0.0 10.70.8.0 255.255.255.0 log debugging

Smudley
 
Can you try to be more specific in your source of that access list? What does the routing look like?
 
route OUTSIDE 0.0.0.0 0.0.0.0 63.68.201.241 1
route INSIDE 10.70.0.0 255.255.0.0 10.70.2.3 1
route INSIDE 10.80.0.0 255.255.0.0 10.70.2.3 1
route INSIDE 10.81.0.0 255.255.0.0 10.70.2.3 1
route INSIDE 10.83.0.0 255.255.0.0 10.70.2.3 1
route INSIDE 10.84.0.0 255.255.0.0 10.70.2.3 1
route INSIDE 140.140.128.0 255.255.240.0 10.70.2.3 1

Smudley
 
You should have your traffic traversing your inside to your VPN pool bypassing NAT; something like this:
Code:
access-list nonat_inside extended permit ip <inside_ip_range> <mask> <vpn_pool> <mask>

nat (inside) 0 access-list nonat_inside


I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I've tried that too and I tried again and still no access.

Smudley
 
OK, time to post your whole config for review.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Code:
ASA Version 8.0(4) 
!
hostname atiepvpn
domain-name default.domain.invalid
enable password ****** encrypted
passwd ********** encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 63.68.201.242 255.255.255.240 
!
interface Ethernet0/1
 nameif INSIDE
 security-level 0
 ip address 10.70.2.24 255.255.240.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
banner exec ******************************************************************
banner exec *                         LEGAL   NOTICE                         *
banner exec ******************************************************************
banner exec *                                                                *
banner exec * THIS COMPUTER SYSTEM INCLUDING ALL RELATED EQUIPMENT, NETWORKS *
banner exec * AND NETWORK DEVICES ARE PROVIDED FOR LEGITIMATE BUSINESS       *
banner exec * PURPOSES ONLY.  UNAUTHORIZED ACCESS, USE, OR MODIFICATION OF   *
banner exec * THIS SYSTEM IS STRICTLY PROHIBITED.                            *
banner exec *                                                                *
banner exec * USE OF THIS COMPUTER SYSTEM CONSTITUTES EXPRESS CONSENT TO     *
banner exec * MONITORING AND RECORDING OF ANY ACTIONS TAKEN WHILE USING THIS *
banner exec * SYSTEM. EVIDENCE COLLECTED DURING MONITORING MAY BE USED IN    *
banner exec * LEGAL PROCEEDINGS OR DISCIPLINARY ACTIONS. UNAUTHORIZED USE    *
banner exec * MAY BE PUNISHABLE BY TERMINATION OR CRIMINAL OR CIVIL          *
banner exec * LITIGATION.                                                    *
banner exec *                                                                *
banner exec ******************************************************************
banner exec *                         LEGAL   NOTICE                         *
banner exec ******************************************************************
banner login ******************************************************************
banner login *                         LEGAL   NOTICE                         *
banner login ******************************************************************
banner login *                                                                *
banner login * THIS COMPUTER SYSTEM INCLUDING ALL RELATED EQUIPMENT, NETWORKS *
banner login * AND NETWORK DEVICES ARE PROVIDED FOR LEGITIMATE BUSINESS       *
banner login * PURPOSES ONLY.  UNAUTHORIZED ACCESS, USE, OR MODIFICATION OF   *
banner login * THIS SYSTEM IS STRICTLY PROHIBITED.                            *
banner login *                                                                *
banner login * USE OF THIS COMPUTER SYSTEM CONSTITUTES EXPRESS CONSENT TO     *
banner login * MONITORING AND RECORDING OF ANY ACTIONS TAKEN WHILE USING THIS *
banner login * SYSTEM. EVIDENCE COLLECTED DURING MONITORING MAY BE USED IN    *
banner login * LEGAL PROCEEDINGS OR DISCIPLINARY ACTIONS. UNAUTHORIZED USE    *
banner login * MAY BE PUNISHABLE BY TERMINATION OR CRIMINAL OR CIVIL          *
banner login * LITIGATION.                                                    *
banner login *                                                                *
banner login ******************************************************************
banner login *                         LEGAL   NOTICE                         *
banner login ******************************************************************
boot system disk0:/asa804-k8.bin
ftp mode passive
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.70.1.254
 name-server 10.70.1.1
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list OUTSIDE_nat_outbound extended permit ip any 10.70.0.0 255.255.0.0 
access-list OUTSIDE_nat_outbound extended permit ip any 140.140.140.0 255.255.255.0 
access-list OUTSIDE_nat_outbound extended permit ip any 10.80.0.0 255.255.0.0 
access-list OUTSIDE_nat_outbound extended permit ip any 10.81.0.0 255.255.0.0 
access-list OUTSIDE_nat_outbound extended permit ip any 10.83.0.0 255.255.0.0 
access-list OUTSIDE_nat_outbound extended permit ip any 10.84.0.0 255.255.0.0 
access-list HomeLan remark For Home Lan Access
access-list HomeLan standard permit host 0.0.0.0 
access-list nonat_inside extended permit ip 10.70.0.0 255.255.0.0 10.70.8.0 255.255.255.0 
no pager
logging enable
logging asdm informational
logging from-address vpn@atiep.com
logging recipient-address ****** level critical
logging recipient-address ****** level alerts
logging host INSIDE 10.70.6.108
logging class vpn asdm debugging 
logging rate-limit 1 15 level 0
logging rate-limit 1 15 level 1
logging rate-limit 1 15 level 2
logging rate-limit 1 15 level 3
logging rate-limit 1 15 level 4
logging rate-limit 1 15 level 5
logging rate-limit 1 15 level 6
logging rate-limit 1 15 level 7
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu management 1500
ip local pool ATIEP_POOL 10.70.8.10-10.70.8.160 mask 255.255.240.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any INSIDE
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat-control
global (INSIDE) 1 interface
nat (OUTSIDE) 1 access-list OUTSIDE_nat_outbound
nat (INSIDE) 0 access-list nonat_inside
nat (management) 0 0.0.0.0 0.0.0.0
route OUTSIDE 0.0.0.0 0.0.0.0 63.68.***.*** 1
route INSIDE 10.70.0.0 255.255.0.0 10.70.2.3 1
route INSIDE 10.80.0.0 255.255.0.0 10.70.2.3 1
route INSIDE 10.81.0.0 255.255.0.0 10.70.2.3 1
route INSIDE 10.83.0.0 255.255.0.0 10.70.2.3 1
route INSIDE 10.84.0.0 255.255.0.0 10.70.2.3 1
route INSIDE 140.140.128.0 255.255.240.0 10.70.2.3 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server ATIEP protocol nt
aaa-server ATIEP (INSIDE) host 10.70.1.254
 nt-auth-domain-controller mwpadctr3
aaa-server ATIEP (INSIDE) host 10.70.1.1
 nt-auth-domain-controller mwpadctr6
http server enable
http 10.70.0.0 255.255.0.0 INSIDE
http 192.168.1.0 255.255.255.0 management
snmp-server host INSIDE 10.70.6.108 trap community VPNTRAP
snmp-server location USA
no snmp-server contact
snmp-server community VPNTRAP
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 90
crypto isakmp ipsec-over-tcp port 10000 
group-delimiter !
no vpn-addr-assign dhcp
telnet 10.70.6.27 255.255.255.255 INSIDE
telnet timeout 30
ssh 10.70.6.27 255.255.255.255 INSIDE
ssh timeout 30
console timeout 10
vpn load-balancing 
 interface lbpublic OUTSIDE
 interface lbprivate INSIDE
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.70.1.85 source INSIDE prefer
tftp-server INSIDE 10.70.1.102 TFTP-Root
webvpn
 enable OUTSIDE
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 wins-server value 10.70.1.1 10.70.1.254
 dns-server value 10.70.1.254 10.70.1.1
 default-domain value mwp
 webvpn
  hidden-shares visible
group-policy ATIEPVPN internal
group-policy ATIEPVPN attributes
 banner value YOU ARE CONNECTED TO THE ATIEPVPN GROUP
 wins-server value 10.70.1.1 10.70.1.254
 dns-server value 10.70.1.254 10.70.1.1
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy excludespecified
 split-tunnel-network-list value HomeLan
 default-domain value mwp
 address-pools value ATIEP_POOL
tunnel-group GIS type remote-access
tunnel-group GIS general-attributes
 address-pool (INSIDE) ATIEP_POOL
 address-pool ATIEP_POOL
 authentication-server-group ATIEP
 authentication-server-group (INSIDE) ATIEP
 default-group-policy ATIEPVPN
tunnel-group GIS webvpn-attributes
 nbns-server 10.70.1.254 master timeout 2 retry 2
 group-alias GIS enable
tunnel-group GIS ipsec-attributes
 pre-shared-key *
!
class-map sqlnet-port
 match port tcp eq sqlnet
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map sqlnet_policy
 class sqlnet-port
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
service-policy sqlnet_policy interface OUTSIDE
prompt hostname context 
Cryptochecksum:****
: end
asdm image disk0:/asdm-613.bin
asdm location 10.70.8.0 255.255.255.0 management
no asdm history enable


Smudley
 
What do your logs say?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Here's just a sample:

Code:
6|Jul 29 2009|09:42:34|302016|10.70.8.77|2562|10.70.1.254|53|Teardown UDP connection 653063 for OUTSIDE:10.70.8.77/2562 to INSIDE:10.70.1.254/53 duration 0:00:00 bytes 90 (allesusb)
6|Jul 29 2009|09:42:34|302014|10.70.8.88|1892|10.70.6.200|1661|Teardown TCP connection 652998 for OUTSIDE:10.70.8.88/1892 to INSIDE:10.70.6.200/1661 duration 0:01:28 bytes 16920 TCP FINs (timbmikx)
6|Jul 29 2009|09:42:33|302013|10.70.8.77|3468|10.70.6.200|135|Built inbound TCP connection 653061 for OUTSIDE:10.70.8.77/3468 (10.70.2.24/41392) to INSIDE:10.70.6.200/135 (10.70.6.200/135) (allesusb)
4|Jul 29 2009|09:42:29|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 18 per second, max configured rate is 5; Cumulative total count is 10942
3|Jul 29 2009|09:42:29|305005|62.253.167.57|443|||No translation group found for tcp src OUTSIDE:10.70.8.89/1513 dst OUTSIDE:62.253.167.57/443
6|Jul 29 2009|09:42:26|302015|10.70.8.89|1512|10.70.1.254|53|Built inbound UDP connection 653057 for OUTSIDE:10.70.8.89/1512 (10.70.2.24/30507) to INSIDE:10.70.1.254/53 (10.70.1.254/53) (whitgarm)
6|Jul 29 2009|09:42:26|305011|10.70.8.89|1512|10.70.2.24|30507|Built dynamic UDP translation from OUTSIDE:10.70.8.89/1512 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/30507
7|Jul 29 2009|09:42:20|715046|||||Group = GIS, Username = allesusb, IP = 69.230.178.8, constructing blank hash payload
7|Jul 29 2009|09:42:20|715036|||||Group = GIS, Username = allesusb, IP = 69.230.178.8, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa87f2a96)
7|Jul 29 2009|09:42:20|715075|||||Group = GIS, Username = allesusb, IP = 69.230.178.8, Received keep-alive of type DPD R-U-THERE (seq number 0xa87f2a96)
7|Jul 29 2009|09:42:20|715047|||||Group = GIS, Username = allesusb, IP = 69.230.178.8, processing hash payload
7|Jul 29 2009|09:42:20|713236|||||IP = 69.230.178.8, IKE_DECODE RECEIVED Message (msgid=fa283608) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
6|Jul 29 2009|09:42:20|106015|10.70.6.27|1457|10.70.2.24|443|Deny TCP (no connection) from 10.70.6.27/1457 to 10.70.2.24/443 flags FIN ACK  on interface INSIDE
6|Jul 29 2009|09:42:20|305012|10.70.8.88|1896|10.70.2.24|33428|Teardown dynamic TCP translation from OUTSIDE:10.70.8.88/1896 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/33428 duration 0:00:30
6|Jul 29 2009|09:42:18|302016|10.70.8.82|2776|10.70.1.254|389|Teardown UDP connection 652968 for OUTSIDE:10.70.8.82/2776 to INSIDE:10.70.1.254/389 duration 0:02:01 bytes 327 (franoli)
4|Jul 29 2009|09:42:13|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 18 per second, max configured rate is 5; Cumulative total count is 10933
3|Jul 29 2009|09:42:11|305005|10.60.11.190|135|||No translation group found for tcp src OUTSIDE:10.70.8.88/1899 dst OUTSIDE:10.60.11.190/135
6|Jul 29 2009|09:42:05|302014|10.70.8.88|1896|10.70.6.200|135|Teardown TCP connection 653042 for OUTSIDE:10.70.8.88/1896 to INSIDE:10.70.6.200/135 duration 0:00:15 bytes 440 TCP FINs (timbmikx)
6|Jul 29 2009|09:41:59|305012|10.70.8.77|3462|10.70.2.24|57177|Teardown dynamic TCP translation from OUTSIDE:10.70.8.77/3462 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/57177 duration 0:00:30
6|Jul 29 2009|09:41:51|302016|10.70.8.77|2562|10.70.1.254|53|Teardown UDP connection 653045 for OUTSIDE:10.70.8.77/2562 to INSIDE:10.70.1.254/53 duration 0:00:00 bytes 535 (allesusb)
4|Jul 29 2009|09:41:51|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 18 per second, max configured rate is 5; Cumulative total count is 11036
6|Jul 29 2009|09:41:51|302015|10.70.8.77|2562|10.70.1.254|53|Built inbound UDP connection 653045 for OUTSIDE:10.70.8.77/2562 (10.70.2.24/53949) to INSIDE:10.70.1.254/53 (10.70.1.254/53) (allesusb)
3|Jul 29 2009|09:41:50|305005|10.60.11.190|135|||No translation group found for tcp src OUTSIDE:10.70.8.88/1898 dst OUTSIDE:10.60.11.190/135
6|Jul 29 2009|09:41:49|305011|10.70.8.88|1896|10.70.2.24|33428|Built dynamic TCP translation from OUTSIDE:10.70.8.88/1896 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/33428
5|Jul 29 2009|09:41:45|111008|||||User 'enable_15' executed the 'dir disk0:/dap.xml' command.
6|Jul 29 2009|09:41:43|606001|10.70.6.27||||ASDM session number 1 from 10.70.6.27 started
6|Jul 29 2009|09:41:41|606003|10.70.6.27||||ASDM logging session number 1 from 10.70.6.27 started
6|Jul 29 2009|09:41:41|106015|10.70.6.27|1447|10.70.2.24|443|Deny TCP (no connection) from 10.70.6.27/1447 to 10.70.2.24/443 flags FIN ACK  on interface INSIDE
6|Jul 29 2009|09:41:41|302014|10.70.6.27|1447|10.70.2.24|443|Teardown TCP connection 653031 for INSIDE:10.70.6.27/1447 to identity:10.70.2.24/443 duration 0:00:00 bytes 605 TCP Reset-O
6|Jul 29 2009|09:41:38|605005|10.70.6.27|1445|10.70.2.24|https|Login permitted from 10.70.6.27/1445 to INSIDE:10.70.2.24/https for user "enable_15"
6|Jul 29 2009|09:41:38|725003|10.70.6.27|1445|||SSL client INSIDE:10.70.6.27/1445 request to resume previous session.
6|Jul 29 2009|09:41:38|302013|10.70.6.27|1445|10.70.2.24|443|Built inbound TCP connection 653028 for INSIDE:10.70.6.27/1445 (10.70.6.27/1445) to identity:10.70.2.24/443 (10.70.2.24/443)
6|Jul 29 2009|09:41:38|725007|10.70.6.27|1444|||SSL session with client INSIDE:10.70.6.27/1444 terminated.
6|Jul 29 2009|09:41:37|305012|10.70.8.77|3457|10.70.2.24|27143|Teardown dynamic TCP translation from OUTSIDE:10.70.8.77/3457 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/27143 duration 0:00:30
6|Jul 29 2009|09:41:36|725002|10.70.6.27|1444|||Device completed SSL handshake with client INSIDE:10.70.6.27/1444
6|Jul 29 2009|09:41:36|725001|10.70.6.27|1444|||Starting SSL handshake with client INSIDE:10.70.6.27/1444 for TLSv1 session.
4|Jul 29 2009|09:41:32|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 18 per second, max configured rate is 5; Cumulative total count is 10947
6|Jul 29 2009|09:41:29|305011|10.70.8.77|3462|10.70.2.24|57177|Built dynamic TCP translation from OUTSIDE:10.70.8.77/3462 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/57177
3|Jul 29 2009|09:41:28|305005|10.25.2.186|135|||No translation group found for tcp src OUTSIDE:10.70.8.88/1895 dst OUTSIDE:10.25.2.186/135
5|Jul 29 2009|09:41:27|111008|||||User 'enable_15' executed the 'perfmon interval 10' command.
6|Jul 29 2009|09:41:26|106015|10.70.6.27|1439|10.70.2.24|443|Deny TCP (no connection) from 10.70.6.27/1439 to 10.70.2.24/443 flags FIN ACK  on interface INSIDE
6|Jul 29 2009|09:41:26|302014|10.70.6.27|1439|10.70.2.24|443|Teardown TCP connection 653015 for INSIDE:10.70.6.27/1439 to identity:10.70.2.24/443 duration 0:00:00 bytes 277 TCP Reset-O
6|Jul 29 2009|09:41:22|725003|10.70.6.27|1437|||SSL client INSIDE:10.70.6.27/1437 request to resume previous session.
6|Jul 29 2009|09:41:22|302013|10.70.6.27|1437|10.70.2.24|443|Built inbound TCP connection 653014 for INSIDE:10.70.6.27/1437 (10.70.6.27/1437) to identity:10.70.2.24/443 (10.70.2.24/443)
6|Jul 29 2009|09:41:22|725007|10.70.6.27|1436|||SSL session with client INSIDE:10.70.6.27/1436 terminated.
6|Jul 29 2009|09:41:22|605005|10.70.6.27|1436|10.70.2.24|https|Login permitted from 10.70.6.27/1436 to INSIDE:10.70.2.24/https for user "enable_15"
6|Jul 29 2009|09:41:21|725002|10.70.6.27|1436|||Device completed SSL handshake with client INSIDE:10.70.6.27/1436
6|Jul 29 2009|09:41:21|725001|10.70.6.27|1436|||Starting SSL handshake with client INSIDE:10.70.6.27/1436 for TLSv1 session.
7|Jul 29 2009|09:41:18|715046|||||Group = GIS, Username = allesusb, IP = 69.230.178.8, constructing blank hash payload
7|Jul 29 2009|09:41:18|715036|||||Group = GIS, Username = allesusb, IP = 69.230.178.8, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa87f2a95)
7|Jul 29 2009|09:41:18|715075|||||Group = GIS, Username = allesusb, IP = 69.230.178.8, Received keep-alive of type DPD R-U-THERE (seq number 0xa87f2a95)
7|Jul 29 2009|09:41:18|715047|||||Group = GIS, Username = allesusb, IP = 69.230.178.8, processing hash payload
7|Jul 29 2009|09:41:18|713236|||||IP = 69.230.178.8, IKE_DECODE RECEIVED Message (msgid=e695bbaa) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
4|Jul 29 2009|09:41:10|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 18 per second, max configured rate is 5; Cumulative total count is 11026
6|Jul 29 2009|09:41:08|302016|10.70.8.77|2562|10.70.1.254|53|Teardown UDP connection 653001 for OUTSIDE:10.70.8.77/2562 to INSIDE:10.70.1.254/53 duration 0:00:00 bytes 94 (allesusb)
6|Jul 29 2009|09:41:07|302014|10.70.8.88|1893|10.70.6.200|1051|Teardown TCP connection 653002 for OUTSIDE:10.70.8.88/1893 to INSIDE:10.70.6.200/1051 duration 0:00:00 bytes 2229 TCP FINs (timbmikx)
6|Jul 29 2009|09:41:07|302015|10.70.8.77|2562|10.70.1.254|53|Built inbound UDP connection 653001 for OUTSIDE:10.70.8.77/2562 (10.70.2.24/14868) to INSIDE:10.70.1.254/53 (10.70.1.254/53) (allesusb)
3|Jul 29 2009|09:41:06|305005|10.70.8.88|1821|||No translation group found for udp src INSIDE:10.70.6.204/3311 dst OUTSIDE:10.70.8.88/1821
6|Jul 29 2009|09:41:05|302013|10.70.8.88|1891|10.70.6.200|135|Built inbound TCP connection 652995 for OUTSIDE:10.70.8.88/1891 (10.70.2.24/48324) to INSIDE:10.70.6.200/135 (10.70.6.200/135) (timbmikx)
6|Jul 29 2009|09:41:05|305011|10.70.8.88|1891|10.70.2.24|48324|Built dynamic TCP translation from OUTSIDE:10.70.8.88/1891 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/48324
6|Jul 29 2009|09:41:02|305012|10.70.8.82|2792|10.70.2.24|59798|Teardown dynamic TCP translation from OUTSIDE:10.70.8.82/2792 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/59798 duration 0:00:30
4|Jul 29 2009|09:40:54|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 18 per second, max configured rate is 5; Cumulative total count is 10945
4|Jul 29 2009|09:40:52|418001|10.70.1.254|1469|10.70.8.82|139|Through-the-device packet to/from management-only network is denied: tcp src management:10.70.1.254/1469 dst OUTSIDE:10.70.8.82/139
3|Jul 29 2009|09:40:49|305005|10.70.8.82|139|||No translation group found for tcp src INSIDE:10.70.1.254/1469 dst OUTSIDE:10.70.8.82/139
6|Jul 29 2009|09:40:47|106015|10.70.8.82|2787|10.70.1.254|445|Deny TCP (no connection) from 10.70.8.82/2787 to 10.70.1.254/445 flags RST  on interface OUTSIDE
6|Jul 29 2009|09:40:46|305012|10.70.8.77|138|10.70.2.24|442|Teardown dynamic UDP translation from OUTSIDE:10.70.8.77/138 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/442 duration 0:02:30
6|Jul 29 2009|09:40:39|302015|10.70.8.89|138|10.70.15.255|138|Built inbound UDP connection 652992 for OUTSIDE:10.70.8.89/138 (10.70.2.24/371) to INSIDE:10.70.15.255/138 (10.70.15.255/138) (whitgarm)
6|Jul 29 2009|09:40:39|305011|10.70.8.89|138|10.70.2.24|371|Built dynamic UDP translation from OUTSIDE:10.70.8.89/138 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/371
6|Jul 29 2009|09:40:35|302014|10.70.8.82|2793|10.70.1.254|139|Teardown TCP connection 652988 for OUTSIDE:10.70.8.82/2793 to INSIDE:10.70.1.254/139 duration 0:00:03 bytes 4716 TCP FINs (franoli)
4|Jul 29 2009|09:40:31|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 18 per second, max configured rate is 5; Cumulative total count is 11081
6|Jul 29 2009|09:40:30|106015|10.70.8.82|2785|10.70.1.254|139|Deny TCP (no connection) from 10.70.8.82/2785 to 10.70.1.254/139 flags RST  on interface OUTSIDE
6|Jul 29 2009|09:40:25|305012|10.70.8.77|1044|10.70.2.24|45361|Teardown dynamic UDP translation from OUTSIDE:10.70.8.77/1044 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/45361 duration 0:02:30
6|Jul 29 2009|09:40:21|302015|10.70.8.82|137|10.70.1.1|137|Built inbound UDP connection 652974 for OUTSIDE:10.70.8.82/137 (10.70.2.24/506) to INSIDE:10.70.1.1/137 (10.70.1.1/137) (franoli)
6|Jul 29 2009|09:40:19|302021|10.70.8.82|1280|10.70.1.254|0|Teardown ICMP connection for faddr 10.70.8.82/1280 gaddr 10.70.1.254/0 laddr 10.70.1.254/0 (franoli)
6|Jul 29 2009|09:40:19|302014|10.70.8.82|2780|10.70.1.254|88|Teardown TCP connection 652972 for OUTSIDE:10.70.8.82/2780 to INSIDE:10.70.1.254/88 duration 0:00:00 bytes 2516 TCP FINs (franoli)
6|Jul 29 2009|09:40:18|305011|10.70.8.82|2780|10.70.2.24|27731|Built dynamic TCP translation from OUTSIDE:10.70.8.82/2780 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/27731
6|Jul 29 2009|09:40:17|302016|10.70.8.77|138|10.70.15.255|138|Teardown UDP connection 652948 for OUTSIDE:10.70.8.77/138 to INSIDE:10.70.15.255/138 duration 0:02:02 bytes 212 (allesusb)
6|Jul 29 2009|09:40:17|302013|10.70.8.82|2777|10.70.1.254|135|Built inbound TCP connection 652969 for OUTSIDE:10.70.8.82/2777 (10.70.2.24/47826) to INSIDE:10.70.1.254/135 (10.70.1.254/135) (franoli)
6|Jul 29 2009|09:40:15|302020|10.70.8.82|1280|10.70.1.254|0|Built inbound ICMP connection for faddr 10.70.8.82/1280 gaddr 10.70.1.254/0 laddr 10.70.1.254/0 (franoli)
4|Jul 29 2009|09:40:11|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 18 per second, max configured rate is 5; Cumulative total count is 10943
3|Jul 29 2009|09:40:02|305005|62.253.167.57|443|||No translation group found for tcp src OUTSIDE:10.70.8.89/1510 dst OUTSIDE:62.253.167.57/443
6|Jul 29 2009|09:40:02|302015|10.70.8.89|1509|10.70.1.254|53|Built inbound UDP connection 652959 for OUTSIDE:10.70.8.89/1509 (10.70.2.24/47189) to INSIDE:10.70.1.254/53 (10.70.1.254/53) (whitgarm)
6|Jul 29 2009|09:40:02|305011|10.70.8.89|1509|10.70.2.24|47189|Built dynamic UDP translation from OUTSIDE:10.70.8.89/1509 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/47189
6|Jul 29 2009|09:39:57|302016|10.70.8.77|1044|10.70.60.22|161|Teardown UDP connection 652944 for OUTSIDE:10.70.8.77/1044 to INSIDE:10.70.60.22/161 duration 0:02:01 bytes 159 (allesusb)
4|Jul 29 2009|09:39:51|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 18 per second, max configured rate is 5; Cumulative total count is 11015
6|Jul 29 2009|09:39:36|302010|||||20 in use, 168 most used
6|Jul 29 2009|09:39:27|302015|98.198.203.96|1793|63.68.***.***|4500|Built inbound UDP connection 652958 for OUTSIDE:98.198.203.96/1793 (98.198.203.96/1793) to identity:63.68.***.***/4500 (63.68.***.***/4500)
4|Jul 29 2009|09:39:26|733100|||||[ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 18 per second, max configured rate is 4; Cumulative total count is 66403
6|Jul 29 2009|09:39:23|302016|69.230.178.8|2092|63.68.***.***|500|Teardown UDP connection 652916 for OUTSIDE:69.230.178.8/2092 to identity:63.68.***.***/500 duration 0:02:50 bytes 672
6|Jul 29 2009|09:38:59|305012|10.70.8.82|2774|10.70.2.24|25039|Teardown dynamic UDP translation from OUTSIDE:10.70.8.82/2774 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/25039 duration 0:00:30
4|Jul 29 2009|09:38:58|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 18 per second, max configured rate is 5; Cumulative total count is 11013
4|Jul 29 2009|09:38:42|733100|||||[ Scanning] drop rate-1 exceeded. Current burst rate is 10 per second, max configured rate is 10; Current average rate is 18 per second, max configured rate is 5; Cumulative total count is 11034
6|Jul 29 2009|09:38:40|305012|10.70.8.88|138|10.70.2.24|504|Teardown dynamic UDP translation from OUTSIDE:10.70.8.88/138 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/504 duration 0:02:30
6|Jul 29 2009|09:38:29|302016|10.70.8.82|2774|10.70.1.254|53|Teardown UDP connection 652954 for OUTSIDE:10.70.8.82/2774 to INSIDE:10.70.1.254/53 duration 0:00:00 bytes 162 (franoli)
6|Jul 29 2009|09:38:21|302021|10.70.8.82|1280|10.70.1.254|0|Teardown ICMP connection for faddr 10.70.8.82/1280 gaddr 10.70.1.254/0 laddr 10.70.1.254/0 (franoli)
4|Jul 29 2009|09:38:20|733100|||||[ Scanning] drop rate-2 exceeded. Current burst rate is 8 per second, max configured rate is 8; Current average rate is 18 per second, max configured rate is 4; Cumulative total count is 66465
6|Jul 29 2009|09:38:17|302020|10.70.8.82|1280|10.70.1.254|0|Built inbound ICMP connection for faddr 10.70.8.82/1280 gaddr 10.70.1.254/0 laddr 10.70.1.254/0 (franoli)
6|Jul 29 2009|09:38:16|305012|10.70.8.77|3450|10.70.2.24|2786|Teardown dynamic TCP translation from OUTSIDE:10.70.8.77/3450 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/2786 duration 0:00:30
6|Jul 29 2009|09:38:15|302015|10.70.8.77|138|10.70.15.255|138|Built inbound UDP connection 652948 for OUTSIDE:10.70.8.77/138 (10.70.2.24/442) to INSIDE:10.70.15.255/138 (10.70.15.255/138) (allesusb)
6|Jul 29 2009|09:38:15|305011|10.70.8.77|138|10.70.2.24|442|Built dynamic UDP translation from OUTSIDE:10.70.8.77/138 to INSIDE(OUTSIDE_nat_outbound):10.70.2.24/442


Smudley
 
I just want to test something. Enter no nat-control and then just for kicks enter a new ACE into your inside_nonat ACL:
Code:
access-list inside_nonat extended permit ip 10.80.0.0 255.255.0.0 10.70.8.0 255.255.255.0
Then try to connect to a host on the 10.70.8.0 network from a host on the 10.80.0.0 network. Post the log output of sh logging asdm | in <ip_of_vpn_host_that_you_are_trying_to_communicate_with>.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I tried ping 10.70.8.90,
RDP,
and from Run \\10.70.8.90\c$.
This is all that showed in the logs.

Code:
4|Jul 29 2009|11:33:43|418001|10.80.1.27|2816|10.70.8.90|445|Through-the-device packet to/from management-only network is denied: tcp src management:10.80.1.27/2816 dst OUTSIDE:10.70.8.90/445
2|Jul 29 2009|11:33:34|106001|10.80.1.27|2816|10.70.8.90|445|Inbound TCP connection denied from 10.80.1.27/2816 to 10.70.8.90/445 flags SYN  on interface OUTSIDE
4|Jul 29 2009|11:31:46|418001|10.80.1.27|2770|10.70.8.90|3389|Through-the-device packet to/from management-only network is denied: tcp src management:10.80.1.27/2770 dst OUTSIDE:10.70.8.90/3389
4|Jul 29 2009|11:31:06|418001|10.80.1.27||10.70.8.90||Through-the-device packet to/from management-only network is denied: icmp src management:10.80.1.27 dst OUTSIDE:10.70.8.90 (type 8, code 0)
4|Jul 29 2009|11:30:49|418001|10.80.1.27||10.70.8.90||Through-the-device packet to/from management-only network is denied: icmp src management:10.80.1.27 dst OUTSIDE:10.70.8.90 (type 8, code 0)
4|Jul 29 2009|11:30:33|418001|10.80.1.27||10.70.8.90||Through-the-device packet to/from management-only network is denied: icmp src management:10.80.1.27 dst OUTSIDE:10.70.8.90 (type 8, code 0)
4|Jul 29 2009|11:30:16|418001|10.80.1.27||10.70.8.90||Through-the-device packet to/from management-only network is denied: icmp src management:10.80.1.27 dst OUTSIDE:10.70.8.90 (type 8, code 0)
4|Jul 29 2009|11:30:00|418001|10.80.1.27||10.70.8.90||Through-the-device packet to/from management-only network is denied: icmp src management:10.80.1.27 dst OUTSIDE:10.70.8.90 (type 8, code 0)


Smudley
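As an added example (not code from the thread or from Cisco), a small Python triage script for the pipe-delimited ASDM log lines posted in the two log replies above: it does what the sh logging asdm | in <ip> step asks for, pulling the events that touch one VPN host, and flags the message IDs that explain the drops (305005, 418001, 106001). The six sample lines are copied from those posts; the hint text per message ID is my wording.

```python
"""Triage the pipe-delimited ASDM log lines posted in this thread.

Line layout (as shown in the posts):
    severity|date|time|message_id|src_ip|src_port|dst_ip|dst_port|text
The fixed src/dst columns are not reliable for the denial messages (for
305005 they carry the destination twice, for icmp 418001 they are empty),
so the flow is recovered from the free-text part instead.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Message IDs that appear in the thread's logs and what each means for the
# "inside host cannot reach VPN client" problem (hint wording is mine).
MESSAGE_HINTS = {
    "305005": "no NAT rule or NAT exemption matched this flow (nat-control is on)",
    "418001": "one endpoint was classified as a management-only network; packet dropped",
    "106001": "inbound connection denied by the interface access policy",
}

VPN_POOL = ipaddress.ip_network("10.70.8.0/24")  # ATIEP_POOL in the posted config

# Matches "src IF:ip/port dst IF:ip/port", "from ip/port to ip/port" and
# "for IF:ip/port ... to IF:ip/port"; interface name and port are optional.
FLOW_RE = re.compile(
    r"(?:src|from|for) (?:(\w+):)?(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?"
    r".*? (?:dst|to) (?:(\w+):)?(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?"
)


@dataclass
class Flow:
    src_if: Optional[str]
    src_ip: str
    src_port: Optional[str]
    dst_if: Optional[str]
    dst_ip: str
    dst_port: Optional[str]


@dataclass
class AsaEvent:
    severity: int
    msg_id: str
    text: str
    flow: Optional[Flow]


def parse_line(line: str) -> Optional[AsaEvent]:
    """Split one ASDM log line; None for lines that are not in that layout."""
    parts = line.strip().split("|", 8)
    if len(parts) != 9 or not parts[0].isdigit():
        return None
    text = parts[8]
    m = FLOW_RE.search(text)
    flow = Flow(m[1], m[2], m[3], m[4], m[5], m[6]) if m else None
    return AsaEvent(int(parts[0]), parts[3], text, flow)


def grep_host(lines: List[str], host: str) -> List[AsaEvent]:
    """Same idea as `sh logging asdm | in <host>`: events whose flow touches host."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.flow and host in (ev.flow.src_ip, ev.flow.dst_ip):
            hits.append(ev)
    return hits


def diagnose_inside_to_pool(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(msg_id, src_ip, dst_ip, hint) for every known drop message whose
    destination is a VPN-pool address, i.e. traffic going inside -> VPN client."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev.msg_id not in MESSAGE_HINTS or ev.flow is None:
            continue
        if ipaddress.ip_address(ev.flow.dst_ip) in VPN_POOL:
            findings.append((ev.msg_id, ev.flow.src_ip, ev.flow.dst_ip,
                             MESSAGE_HINTS[ev.msg_id]))
    return findings


# Sample input: six lines copied from the two log posts in this thread.
SAMPLE_LOG = [
    "3|Jul 29 2009|09:41:06|305005|10.70.8.88|1821|||No translation group found for udp src INSIDE:10.70.6.204/3311 dst OUTSIDE:10.70.8.88/1821",
    "3|Jul 29 2009|09:42:29|305005|62.253.167.57|443|||No translation group found for tcp src OUTSIDE:10.70.8.89/1513 dst OUTSIDE:62.253.167.57/443",
    "4|Jul 29 2009|11:33:43|418001|10.80.1.27|2816|10.70.8.90|445|Through-the-device packet to/from management-only network is denied: tcp src management:10.80.1.27/2816 dst OUTSIDE:10.70.8.90/445",
    "2|Jul 29 2009|11:33:34|106001|10.80.1.27|2816|10.70.8.90|445|Inbound TCP connection denied from 10.80.1.27/2816 to 10.70.8.90/445 flags SYN  on interface OUTSIDE",
    "4|Jul 29 2009|11:31:06|418001|10.80.1.27||10.70.8.90||Through-the-device packet to/from management-only network is denied: icmp src management:10.80.1.27 dst OUTSIDE:10.70.8.90 (type 8, code 0)",
    "6|Jul 29 2009|09:42:33|302013|10.70.8.77|3468|10.70.6.200|135|Built inbound TCP connection 653061 for OUTSIDE:10.70.8.77/3468 (10.70.2.24/41392) to INSIDE:10.70.6.200/135 (10.70.6.200/135) (allesusb)",
]

if __name__ == "__main__":
    for msg_id, src, dst, hint in diagnose_inside_to_pool(SAMPLE_LOG):
        print(f"{msg_id}: {src} -> {dst}: {hint}")
```

Run against a full sh logging asdm dump, the 305005 findings with an INSIDE source are the flows the nonat_inside exemption has to cover, and the 418001 findings show which inside sources the box is treating as management-only.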
 
OK, so it looks like your 10.80.0.0 network is for your management network. Do you have any other internal networks that are not in the 10.70.0.0/16 address space and are not a management network? If so, replace the ACE that I mentioned above with this network.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Actually, 10.80.0.0 is not supposed to be the management network.
10.70.0.0 is our main network for our business unit.

10.80.0.0
10.81.0.0
10.83.0.0
10.84.0.0

are separate sister companies under a corporate umbrella.


Smudley
 
What device corresponds to 10.80.1.27, and where is it located/what device is it plugged into? It definitely thinks it is a management-only network.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
It's a server in Indiana plugged into a Cisco router tied to an MPLS network. I'm in Tennessee.

Smudley
 
Double check these and make sure they make sense...

route INSIDE 10.70.0.0 255.255.0.0 10.70.2.3 1
route INSIDE 10.80.0.0 255.255.0.0 10.70.2.3 1
route INSIDE 10.81.0.0 255.255.0.0 10.70.2.3 1
route INSIDE 10.83.0.0 255.255.0.0 10.70.2.3 1
route INSIDE 10.84.0.0 255.255.0.0 10.70.2.3 1
route INSIDE 140.140.128.0 255.255.240.0 10.70.2.3 1


From your config this doesn't look even remotely correct.

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
@Supergrrover - If I remove these routes, my VPN clients cannot access data on hosts from these networks.

10.70.0.0
10.80.0.0
10.81.0.0
10.83.0.0
10.84.0.0
140.140.128.0

Right now as it sits, our VPN clients can access these networks but we cannot access them.

Smudley
 