
Cisco ASA5505 VPN Issue


kevmullet (Technical User, joined Feb 12, 2002, 56 posts, GB)
Hi

I have a Cisco ASA providing VPN connections.

The VPNs connect, but I cannot ping the internal network once connected, or browse, RDP, etc.

Config is below. I must be missing something fairly obvious, I think:

Thanks in advance


: Saved
:
ASA Version 7.2(4)
!
hostname RedditchASA5505
domain-name ad
enable password y/Pr2LedIYfv7ya4 encrypted
passwd y/Pr2LedIYfv7ya4 encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.59.8.19 255.255.255.0
!
interface Vlan2
description Outside NAT
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 12
shutdown
!
ftp mode passive
dns server-group DefaultDNS
domain-name ad
same-security-traffic permit inter-interface
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip 10.59.8.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip 192.168.1.0 255.255.255.0 10.59.8.0 255.255.255.0
access-list RadiusTunnel_splitTunnelAcl standard permit 10.59.8.0 255.255.255.0
access-list RadiusTunnel_splitTunnelAcl standard permit any
access-list RadiusTunnel_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list NonRadius_splitTunnelAcl standard permit 10.59.8.0 255.255.255.0
access-list NonRadius_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.59.8.0 255.255.255.0
access-list GroveHealth_splitTunnelAcl standard permit 10.59.8.0 255.255.255.0
access-list GroveHealth_splitTunnelAcl standard permit any
access-list GroveHealth_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list test_splitTunnelAcl standard permit any
access-list GrosvenorConnection_access_in extended permit ip any any
access-list test_splitTunnelAcl_1 standard permit any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNUsers 10.59.8.51-10.59.8.174 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route inside 192.168.1.0 255.255.255.0 10.59.8.8 1
route outside 0.0.0.0 0.0.0.0 82.163.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server RadiusGroup protocol radius
aaa-server RadiusGroup (inside) host 10.59.8.20
timeout 5
key s3rc0
authentication-port 1812
accounting-port 1813
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 213.208.111.219 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs group1
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs group1
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs group1
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

group-policy test internal
group-policy test attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl_1
group-policy NonRadius internal
group-policy NonRadius attributes
dns-server value 10.59.8.20
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value GroveHealth_splitTunnelAcl
default-domain value ad
group-policy RadiusTunnel internal
group-policy RadiusTunnel attributes
dns-server value 10.59.8.23 10.240.2.10
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value GroveHealth_splitTunnelAcl
default-domain value AD
group-policy GroveHealth internal
group-policy GroveHealth attributes
dns-server value 10.59.8.23 10.59.8.20
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value GroveHealth_splitTunnelAcl
default-domain value ad
username scotland2 password TeKcFs1wnDWiogds encrypted privilege 15
username scotland1 password Q98ZnfjGohd2k2Hi encrypted privilege 15
username mobile password Bwm6HMWdnDvOA7P3 encrypted privilege 15
username khaywood password 8rB3uG2gaQHNV0E4 encrypted privilege 15
username frank password YXIKx9jp/MLl8gus encrypted privilege 15
username admin password qvpFgi72CGb0cxkD encrypted privilege 15
username Taunton password FDg1JCcpOOeDP.kU encrypted privilege 15
username homeoha password HeF2SZs/fKWMPTHc encrypted privilege 15
username homeworker password 202WEMhe2jj13uA/ encrypted privilege 15
username medical password FaI/ofLIwTotPN7o encrypted privilege 15
username unify password akJlbe8uQBYwbSIm encrypted privilege 15
username tony password ipMhl3WOdHCMyFxg encrypted privilege 15
username jeff password kuoX/6HDfC/i0oav encrypted privilege 15
tunnel-group RadiusTunnel type ipsec-ra
tunnel-group RadiusTunnel general-attributes
address-pool VPNUsers
authentication-server-group RadiusGroup
default-group-policy RadiusTunnel
tunnel-group RadiusTunnel ipsec-attributes
pre-shared-key *
tunnel-group NonRadius type ipsec-ra
tunnel-group NonRadius general-attributes
address-pool VPNUsers
default-group-policy NonRadius
tunnel-group NonRadius ipsec-attributes
pre-shared-key *
tunnel-group GroveHealth type ipsec-ra
tunnel-group GroveHealth general-attributes
address-pool VPNUsers
default-group-policy GroveHealth
tunnel-group GroveHealth ipsec-attributes
pre-shared-key *
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
address-pool VPNUsers
default-group-policy test
tunnel-group test ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:56b3b8265e03d1e6d27041be2d68e09b
: end
 
***REMOVE*** or DON'T POST
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
http 213.208.111.219 255.255.255.255 outside
************************************************
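The open management access called out in this reply is the kind of thing a config audit should catch mechanically. What follows is an added example, not code from the thread or from Cisco: a Python script that reads ASA 7.x config text and flags telnet/ssh/http permitted from any source on a security-level-0 interface, the 3DES and DH group 1 crypto, and two observations the thread itself does not raise but a reviewer would want flagged: the VPN address pool sitting inside the inside interface's own subnet, and privilege-15 local users combined with LOCAL SSH authentication reachable from the Internet. The sample config is a constructed subset of the posted one; the redacted outside address is replaced with the documentation address 203.0.113.2 and the password hashes with placeholders.

```python
"""Added audit script (not from the thread): flag the management-plane exposure the
reply above says to remove, plus related checks, on Cisco ASA 7.x config text."""
import ipaddress
import re

# Constructed sample built from the posted config. The outside address (redacted as
# x.x.x.x in the post) is replaced with 203.0.113.2 and hashes with placeholders.
SAMPLE_CONFIG = """\
interface Vlan1
nameif inside
security-level 100
ip address 10.59.8.19 255.255.255.0
interface Vlan2
description Outside NAT
nameif outside
security-level 0
ip address 203.0.113.2 255.255.255.248
ftp mode passive
ip local pool VPNUsers 10.59.8.51-10.59.8.174 mask 255.255.255.0
http server enable
http 213.208.111.219 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
aaa authentication ssh console LOCAL
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
username homeworker password XXXXXXXX encrypted privilege 15
username jeff password XXXXXXXX encrypted privilege 15
"""

IFACE_SUBCMDS = ("nameif ", "security-level ", "ip address ", "description ",
                 "switchport ", "shutdown", "no ")
MGMT_RE = re.compile(r"^(telnet|ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")


def parse_interfaces(config):
    """Return {nameif: {'security': int, 'network': ip_network}} from interface blocks.
    Indentation is ignored because the pasted config lost it."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = {}
        elif cur is None or not line.startswith(IFACE_SUBCMDS):
            cur = None  # a top-level statement ends the interface block
        elif line.startswith("nameif "):
            ifaces[line.split()[1]] = cur
        elif line.startswith("security-level "):
            cur["security"] = int(line.split()[1])
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()[:4]
            cur["network"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ifaces


def audit(config):
    """Return a list of finding strings for the config text."""
    ifaces = parse_interfaces(config)
    lines = [l.strip() for l in config.splitlines()]
    findings, ssh_open_outside = [], False
    for line in lines:
        m = MGMT_RE.match(line)
        if m:
            proto, addr, mask, ifname = m.groups()
            src = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            # management from 0.0.0.0/0 on a security-level-0 interface: the reply's point
            if ifaces.get(ifname, {}).get("security") == 0 and src.prefixlen == 0:
                findings.append(f"{proto} management open to any source on {ifname}: '{line}'")
                if proto == "ssh":
                    ssh_open_outside = True
            continue
        m = POOL_RE.match(line)
        if m:
            name, lo, hi = m.groups()
            for ifname, info in ifaces.items():
                net = info.get("network")
                if net and (ipaddress.ip_address(lo) in net or ipaddress.ip_address(hi) in net):
                    # observation not raised in the thread: pool inside the interface subnet
                    findings.append(f"VPN pool {name} ({lo}-{hi}) lies inside the {ifname} "
                                    f"subnet {net}; inside hosts then reach clients via proxy ARP")
            continue
        if "esp-3des" in line or " esp-des" in line:
            findings.append(f"3DES/DES transform set: '{line}'")
        elif line.endswith("set pfs group1") or line == "group 1":
            findings.append(f"768-bit DH group 1: '{line}'")
    priv15 = [l.split()[1] for l in lines if l.startswith("username ") and l.endswith("privilege 15")]
    if priv15 and ssh_open_outside and "aaa authentication ssh console LOCAL" in lines:
        findings.append(f"{len(priv15)} local users have privilege 15 and LOCAL ssh auth is "
                        "reachable from any source on the outside; each VPN password is also "
                        "a valid SSH login to the firewall from the Internet")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a full `show running-config` dump; the interface parser only needs `nameif`, `security-level` and `ip address` to be present in each block, which they are in any ASA config. The pool-overlap finding is a review item, not a diagnosis of the poster's problem: the thread never establishes the cause.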

You need an access list that puts the traffic in the tunnel, something like:
access-list crypto10 extended permit ip 10.59.8.0 255.255.255.0 any

crypto map NAME 10 match address crypto10
 
So I added:

access-list crypto10 extended permit ip 10.59.8.0 255.255.255.0 any

and

crypto map GroveHealth 10 match address crypto10

Tried connecting with the policy using GroveHealth and I still get the same issue.

Thanks
 
The NAME should match one of your crypto map policies. I don't see GroveHealth as one of your crypto map policies?
 
Ok thanks for this,

I have tried

crypto map outside_map 10 match address crypto10

I get the following error: WARNING: The crypto map entry is incomplete!

Should I be doing this on one of the other crypto maps? What would you recommend?

Thanks
 
This is one complete crypto map:
crypto ipsec transform-set crypto_NAME esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map MAP_NAME 10 match address crypto10
crypto map MAP_NAME 10 set peer 1.2.3.4
crypto map MAP_NAME 10 set transform-set crypto_NAME
crypto map MAP_NAME 10 set security-association lifetime seconds 28800
crypto map MAP_NAME 10 set security-association lifetime kilobytes 4608000
crypto map MAP_NAME interface OUTSIDE_IF
crypto isakmp enable OUTSIDE_IF
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

So you may have to adjust some things.
 
Try enabling NAT traversal:

crypto isakmp nat-traversal


I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 