Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Can't ping anything beyond ASA after Remote VPN Client is connected 1

Status
Not open for further replies.

mingtmak

Technical User
Apr 5, 2006
101
CA
Same issue as thread1598-1415862

But this is ASA 5505 version 8.0.
I can connect and ping the internal interface but nothing past it.
Can anybody provide some insight for me? Thanks.

Scrubbed config:

asafirewall(config)# sh run
: Saved
:
ASA Version 8.0(2)
!
hostname ASAfirewall
domain-name domain.com
enable password xe/ZPViEcjpM8CDs encrypted
names
name 10.20.0.0 ServerNetwork
name 10.10.0.0 DCNetwork
name 10.20.30.10 iSeries
name 10.30.0.0 TerminalNetwork
name 172.22.0.0 VLAN22
name 172.23.0.0 VLAN23
name 172.24.0.0 VLAN24
name 10.10.30.5 Terminal
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.3 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Vlan3
nameif dmz
security-level 50
no ip address
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 3
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xe/ZPViEcjpM8CDs encrypted
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name domain.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside extended permit tcp any interface outside eq ssh
access-list outside extended permit tcp any interface outside eq www
access-list outside extended permit tcp any interface outside eq ftp-data
access-list outside extended permit tcp any interface outside eq ftp
access-list outside extended permit icmp any interface outside echo-reply
access-list outside extended permit icmp any interface outside unreachable
access-list outside extended permit icmp any interface outside time-exceeded
access-list outside extended permit tcp x.x.x.0 255.255.240.0 interface outside eq smtp
access-list outside extended permit tcp x.x.x.0 255.255.254.0 interface outside eq smtp
access-list outside extended permit tcp x.x.x.0 255.255.254.0 interface outside eq smtp
access-list outside extended permit tcp x.x.x.0 255.255.254.0 interface outside eq smtp
access-list outside extended permit tcp x.x.x.0 255.255.248.0 interface outside eq smtp
access-list outside extended permit tcp host x.x.x.x interface outside eq smtp
access-list outside extended permit udp host x.x.x.x interface outside eq isakmp
access-list outside extended permit udp host x.x.x.x interface outside eq 4500
access-list outside extended permit esp host x.x.x.x interface outside
access-list outside extended permit ah host x.x.x.x interface outside
access-list outside extended permit tcp any interface outside eq https
access-list outside extended permit tcp any interface outside eq pop3
access-list nonat extended permit ip DCNetwork 255.255.0.0 10.200.0.0 255.255.0.0
access-list nonat extended permit ip VLAN23 255.255.0.0 10.200.0.0 255.255.0.0
access-list outside_cryptomap_20 extended permit ip TerminalNetwork 255.255.0.0 VLAN23 255.255.0.0
access-list 100 extended permit ip 10.200.0.0 255.255.0.0 VLAN23 255.255.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool 10.200.0.1-10.200.0.5 mask 255.255.0.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 10.200.0.0 255.255.0.0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside ServerNetwork 255.255.0.0 10.10.10.1 1
route inside ServerNetwork 255.255.255.255 10.10.10.1 1
route inside 10.20.20.31 255.255.255.255 10.10.10.1 1
route inside iSeries 255.255.255.255 10.10.10.1 1
route inside 10.20.30.20 255.255.255.255 10.10.10.1 1
route inside TerminalNetwork 255.255.0.0 10.10.10.1 1
route inside VLAN23 255.255.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http DCNetwork 255.255.0.0 inside
http VLAN23 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set pfs
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 20
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
!
!
group-policy BHSvpn internal
group-policy BHSvpn attributes
dns-server value 10.10.30.100 x.x.x.x
vpn-tunnel-protocol IPSec
default-domain value bhs.com
username user1 password C5PBMGf9wDaq3hg3 encrypted
username user2 password YyM1pTV1xINv7htz encrypted
tunnel-group BHSvpn type remote-access
tunnel-group BHSvpn general-attributes
address-pool vpnpool
default-group-policy BHSvpn
tunnel-group BHSvpn ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:961271990071983295b7b0f32aee6f2d
: end
asafirewall(config)#


- Jon
 
Try adding this:
Code:
ASA(config)# isakmp nat-traversal 10
Also note that you are only allowing the 10.200.0.0/16 network access to your VLAN23 (172.23.0.0/16). I'm not sure if this is causing problems or not.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
thanks unclerico.

I entered the above command previously. In ASA 8.x, it accepts the command but doesn't seem to show in the running config (similar to the "sysopt connection permit-ipsec" command).

If you are talking about:
"access-list 100 extended permit ip 10.200.0.0 255.255.0.0 VLAN23 255.255.0.0", I had added that as a test with the appropriate access to the 10.10.0.0/16 network without success...forgot to remove it from the post



- Jon
 
I'm assuming that the 10.10.10.1 device has a route back to the ASA?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Try turning on VPN debugging (debug crypto ipsec 255).

I do not see your VPn termination command:
"isakmp enable outside"

This specifies what interface can terminate tunnels.

I do see the crypto map interface designation however.


Not sure if this link is any help to you:



IT Security news and information
In plain English
 
I entered the above command previously. In ASA 8.x, it accepts the command but doesn't seem to show in the running config (similar to the "sysopt connection permit-ipsec" command).

This is a known issue, 8.0(4) has corrected the problem. If you don't upgrade, you will need to re-enter the command after each reload.

 
The nat-traversal command showed up without an upgrade.

After looking at internal setup, my issue turned out being that a new vlan was created on a port/switch the ASA was connected to without the proper route entries.

Thanks for pointing me in the right direction guys! Much appreciated.

- Jon
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top