
Can not ping Internal Gateway 1

Status
Not open for further replies.

SysAdmininAZ

Technical User
Sep 23, 2008
4
US
Hey everyone,

This is my first post. I will try to be as thorough as possible.

Currently we have a PIX 501 that we are using for remote access VPN. We are now adding an ASA 5505 in hopes of ditching the 501 once I can get it up and running. Both devices sit between a DSL modem and our internal gateway, which is actually a NetScreen firewall. My problem is I can ping the NetScreen from the PIX but I cannot ping the NetScreen from the ASA. I have no problems connecting to the VPN on either device. I just cannot get any further when I connect to the ASA. I have posted both configs below. I have tried running the packet tracer to go from the 10.10.5.0 network to the 192.168.25.0 network and it always bombs on the access-list step and says the action is dropped due to the implicit rule that denies any any for service ip. If you have any questions please let me know.

Pix 501 config

PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password AJExuzaVQaBMXxAc encrypted
passwd D3SB9HN5QknY8Evr encrypted
hostname DECK-PIX-501
domain-name XXXX
fixup protocol dns maximum-length 512
no fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.38.4.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list 101 permit ip 192.168.25.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list 102 permit ip 10.10.10.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list 102 permit ip 10.38.4.0 255.255.255.0 192.168.75.0 255.255.255.0
access-list 102 permit ip 192.168.25.0 255.255.255.0 192.168.75.0 255.255.255.0
pager lines 20
icmp deny any echo-reply outside
icmp deny any unreachable outside
icmp deny any source-quench outside
icmp deny any redirect outside
icmp deny any alternate-address outside
icmp deny any echo outside
icmp deny any router-advertisement outside
icmp deny any router-solicitation outside
icmp deny any parameter-problem outside
icmp deny any time-exceeded outside
icmp deny any timestamp-request outside
icmp deny any timestamp-reply outside
icmp deny any information-request outside
icmp deny any information-reply outside
icmp deny any mask-request outside
icmp deny any mask-reply outside
icmp deny any conversion-error outside
icmp deny any mobile-redirect outside
mtu outside 1500
mtu inside 1500
ip address outside XXXX
ip address inside 10.10.10.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool1 192.168.75.1-192.168.75.15
ip local pool vpnpool2 192.168.75.150
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 XXXX 1
route inside 10.38.4.0 255.255.255.0 192.168.25.1 1
route inside 192.168.25.0 255.255.255.0 192.168.25.1 1
route inside 192.168.75.0 255.255.255.0 10.10.10.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup groupmarketing idle-time 1800
vpngroup Katherine address-pool vpnpool2
vpngroup Katherine dns-server 192.168.25.20
vpngroup Katherine default-domain teva.com
vpngroup Katherine split-tunnel 101
vpngroup Katherine idle-time 1800
vpngroup Katherine password ********
vpngroup John address-pool vpnpool1
vpngroup John dns-server 192.168.25.20
vpngroup John default-domain teva.com
vpngroup John split-tunnel 101
vpngroup John idle-time 1800
vpngroup John password ********
vpngroup Josh address-pool vpnpool1
vpngroup Josh dns-server 192.168.25.20
vpngroup Josh default-domain teva.com
vpngroup Josh split-tunnel 101
vpngroup Josh idle-time 1800
vpngroup Josh password ********
vpngroup Robin address-pool vpnpool1
vpngroup Robin dns-server 192.168.25.20
vpngroup Robin default-domain teva.com
vpngroup Robin split-tunnel 101
vpngroup Robin idle-time 1800
vpngroup Robin password ********
telnet timeout 5
ssh timeout 5
console timeout 0
username jmihoda password VNc9VICrcM1179ns encrypted privilege 0
terminal width 80
Cryptochecksum:4e8cc9d9932f183620169d50f76dbe8a
: end
DECK-PIX-501#

ASA Config:

: Saved
:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password DA/XdYzg0Br1QfiL encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.5.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XXXX 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list inside_nat0_outbound extended permit ip any any
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit tcp any any log
access-list inside_access_in extended permit icmp any any log
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteUsers 192.168.75.100-192.168.75.115 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route inside 192.168.25.0 255.255.255.0 19.168.25.1 1
route inside 192.168.75.0 255.255.255.0 10.10.5.10 1
route outside 0.0.0.0 0.0.0.0 65.101.4.188 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.10.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.10.5.11-10.10.5.254 inside
!

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy Deckers internal
group-policy Deckers attributes
wins-server value 192.168.25.20 192.168.25.21
dns-server value 192.168.25.20 192.168.25.21
vpn-tunnel-protocol IPSec
default-domain value XXXX
username Ben password uDHx/IuGJouHkNYn encrypted privilege 0
username Ben attributes
vpn-group-policy Deckers
tunnel-group Deckers type ipsec-ra
tunnel-group Deckers general-attributes
address-pool RemoteUsers
default-group-policy Deckers
tunnel-group Deckers ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:2e592d91e66d5237124e3adeedbb15d8
: end
asdm image disk0:/asdm-523.bin
no asdm history enable
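As an added example (not code from the thread, the poster, or Cisco), here is a small Python checker that reads the interface-address and `route` lines of both configs above and reports every static route whose next hop is not on the named interface's connected subnet, points at the firewall's own address, or does not parse at all. On the ASA config it reports the route to 192.168.25.0/24 whose next hop is written as 19.168.25.1, an address that is not inside the ASA's 10.10.5.0/24 inside subnet. The PIX lines keep the poster's redacted "XXXX" so the parse-failure path is exercised; the ASA's redacted outside address and its default gateway are replaced by constructed TEST-NET-3 placeholders (203.0.113.2/29 and 203.0.113.1), which is an assumption, and all other addresses are copied from the two configs.

```python
# Added example (not from the thread): static-route sanity check for
# PIX 6.3 / ASA 7.x style configs. Each 'route' line is compared with the
# address of the interface it names, so a mistyped or unreachable next hop
# is reported up front rather than found with packet-tracer one path at a time.
import ipaddress
import re
from collections import namedtuple

# Constructed from the two configs in the post. The PIX lines keep the
# poster's redacted "XXXX"; the ASA's redacted outside address and default
# gateway are replaced by TEST-NET-3 placeholders (assumption).
ASA_SAMPLE = """\
interface Vlan1
nameif inside
security-level 100
ip address 10.10.5.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 203.0.113.2 255.255.255.248
!
route inside 192.168.25.0 255.255.255.0 19.168.25.1 1
route inside 192.168.75.0 255.255.255.0 10.10.5.10 1
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
"""
PIX_SAMPLE = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside XXXX
ip address inside 10.10.10.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 XXXX 1
route inside 10.38.4.0 255.255.255.0 192.168.25.1 1
route inside 192.168.25.0 255.255.255.0 192.168.25.1 1
route inside 192.168.75.0 255.255.255.0 10.10.10.2 1
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
NAMEIF_RE = re.compile(r"nameif\s+(\S+)(?:\s+(\S+)\s+security\d+)?$")
IPADDR_RE = re.compile(r"ip address\s+(?:(\S+)\s+)?" + IPV4 + r"\s+" + IPV4)
ROUTE_RE = re.compile(r"route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\d+)?$")
Finding = namedtuple("Finding", "kind line detail")  # tag, config line, explanation


def parse_interfaces(config: str) -> dict:
    """Map nameif -> IPv4Interface for ASA blocks (interface / nameif X / ip address A M)
    and PIX one-liners (nameif eN X securityS / ip address X A M). Redacted ones are skipped."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = None                      # new ASA block, name not yet known
            continue
        m = NAMEIF_RE.match(line)
        if m:
            current = m.group(2) or m.group(1)  # PIX carries the name in field 2
            continue
        m = IPADDR_RE.match(line)
        if m and (m.group(1) or current):
            ifaces[m.group(1) or current] = ipaddress.IPv4Interface(f"{m.group(2)}/{m.group(3)}")
    return ifaces


def check_routes(config: str) -> list:
    """One Finding per suspicious 'route' statement, in config order."""
    ifaces, findings = parse_interfaces(config), []
    for raw in config.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if not m:
            continue
        ifname, dest, mask, hop_s = m.groups()
        try:
            dest_net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            hop = ipaddress.IPv4Address(hop_s)
        except ValueError as exc:               # e.g. the redacted "XXXX"
            findings.append(Finding("BAD_ADDRESS", line, str(exc)))
            continue
        local = ifaces.get(ifname)
        if local is None:
            findings.append(Finding("UNKNOWN_INTERFACE", line, f"no usable address for {ifname!r}"))
            continue
        if hop == local.ip:
            findings.append(Finding("NEXT_HOP_IS_SELF", line, f"next hop is this box's own {ifname} address"))
        elif hop not in local.network:
            findings.append(Finding("NEXT_HOP_NOT_CONNECTED", line, f"{hop} is outside {ifname}'s {local.network}"))
        if dest_net.prefixlen and hop in dest_net:
            findings.append(Finding("NEXT_HOP_IN_DESTINATION", line, f"{hop} lies inside destination {dest_net}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("ASA", ASA_SAMPLE), ("PIX", PIX_SAMPLE)):
        print(f"== {label} ==")
        for f in check_routes(cfg):
            print(f"  {f.kind:24} {f.line}  <- {f.detail}")
```

The checker only states facts about the text of the config; it does not know what the NetScreen answers to ARP, so a NEXT_HOP_NOT_CONNECTED finding is a prompt to confirm the next hop with `show arp` and `show route`, not proof that the route is dead. The same PIX routes via 192.168.25.1 are flagged even though the poster says the PIX works, which is exactly the kind of difference worth comparing side by side when one box reaches the gateway and the other does not.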