Deny TCP, SYN ACK, IPSec VPN connection

Status
Not open for further replies.

j1344 (IS-IT--Management), Jul 22, 2009
My environment and issue are as follows.

My central network is at 192.168.0.0/24 (ASA5510). All networks route through this site.

I am in 192.168.1.0/24 (DS3 to 0.x network)
My remote network is 192.168.30.0/24 (ASA5510)
I have an IPSec VPN connection from 0.x to 30.x

Whenever I try to connect to a machine inside the 30.x network from the 1.x network with any protocol (HTTP, RDP, Telnet), I am presented with this error message on the 30.x ASA:


Deny TCP (no connection) from 192.168.30.200/3389 to 192.168.1.136/3893 flags SYN ACK on interface inside

The only protocol that gets through is ICMP; I can ping everything on that subnet.


All protocols work from the 0.x network.


Please help!
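The log line quoted above is ASA syslog message 106015: the ASA received a TCP segment for which it holds no entry in its connection table and, because the segment is not a SYN, discarded it. A SYN ACK from 192.168.30.200/3389 arriving on the inside interface with no connection therefore means the client's SYN never built a connection on this ASA along that path, which is the usual asymmetric-path symptom (the other common source of 106015 is a late RST or ACK for a connection that has already timed out). ICMP is only subjected to that connection-table check when inspect icmp is enabled, which neither posted config does, so ping can succeed while every TCP protocol fails. The following is an added example, not part of the thread, that applies this reasoning to syslog text: it picks out 106015 events whose flags are exactly SYN ACK, keys them by client, server, service port and interface, and cross-checks them against 302013 "Built ... connection" messages to separate flows this ASA never saw forwards from stale packets of connections it did track. The sample lines are constructed for the example, modelled on the message in the post.

```python
import re
from collections import Counter

# ASA syslog 106015, the message quoted in the first post.
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)
# ASA syslog 302013 (connection built): evidence that the ASA saw the forward half of a flow.
BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection \d+ for "
    r"[^:]+:(?P<a>[\d.]+)/\d+ \([\d.]+/\d+\) to [^:]+:(?P<b>[\d.]+)/\d+ \([\d.]+/\d+\)"
)

# Constructed sample lines (not real log output), modelled on the message in the post.
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 192.168.30.200/3389 to 192.168.1.136/3893 flags SYN ACK on interface inside
%ASA-6-106015: Deny TCP (no connection) from 192.168.30.200/3389 to 192.168.1.136/3894 flags SYN ACK on interface inside
%ASA-6-106015: Deny TCP (no connection) from 192.168.30.200/80 to 192.168.1.136/3901 flags SYN ACK on interface inside
%ASA-6-302013: Built inbound TCP connection 40211 for outside:192.168.0.40/51022 (192.168.0.40/51022) to inside:192.168.30.77/445 (192.168.30.77/445)
%ASA-6-106015: Deny TCP (no connection) from 192.168.30.77/445 to 192.168.0.40/51022 flags RST on interface inside
"""


def analyse(log_text):
    """Split 106015 drops into SYN ACK replies with no forward connection (the
    asymmetric-path symptom) and everything else (typically a late RST/FIN/ACK for a
    connection that already timed out); also collect (client, server) pairs for which
    this ASA did build a connection."""
    synack_orphans, stale, built = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            # The dropped segment travels server -> client, so dst is the original client
            # and sport is the service the client was trying to reach.
            key = (m["dst"], m["src"], int(m["sport"]), m["iface"])
            bucket = synack_orphans if set(m["flags"].split()) == {"SYN", "ACK"} else stale
            bucket[key] += 1
            continue
        m = BUILT_RE.search(line)
        if m:
            built.add((m["a"], m["b"]))
    return synack_orphans, stale, built


def report(log_text):
    """One line per client/server/service whose SYN ACK replies were dropped, stating
    whether the ASA ever logged a forward connection for that pair."""
    orphans, _, built = analyse(log_text)
    lines = []
    for (client, server, port, iface), n in sorted(orphans.items()):
        seen = "forward connection seen" if (client, server) in built else "no forward connection logged"
        lines.append(f"{client} -> {server}:{port}: {n} orphan SYN ACK on '{iface}' ({seen})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it the output of show logging (or the syslog server's file) from the ASA that reports the drops; a pair that appears only as orphan SYN ACKs, with no 302013 entry, is one whose SYN reached the server by some path this ASA did not track.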
 
Can you post the configs?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hub network at 192.168.0.x


interface Ethernet0/0
duplex full
nameif pubdmz
security-level 0
ip address 12.x.x.228 255.255.255.248
!
interface Ethernet0/1
duplex full
nameif pkr
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 0
ip address 10.20.30.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup pkr
dns server-group DefaultDNS
name-server 192.168.0.33
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
network-object 192.168.0.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object 192.168.0.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object 192.168.0.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list pkr_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_3 192.168.40.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.94.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 192.168.94.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.94.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.95.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.95.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.95.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.131.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip any 192.168.0.64 255.255.255.240
access-list pkr_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.93.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.93.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.94.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 192.168.30.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 192.168.40.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list pkr_nat0_outbound extended permit ip 192.168.11.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list pubdmz_cryptomap_2 extended permit ip 192.168.0.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list outbound extended deny tcp any any eq 2967
access-list outbound extended permit icmp any any
access-list outbound extended permit tcp host 192.168.1.44 any eq https
access-list outbound extended permit tcp host 192.168.1.44 any eq www
access-list outbound extended permit tcp host 192.168.1.79 any eq https
access-list outbound extended permit tcp host 192.168.1.194 any eq https
access-list outbound extended permit tcp host 192.168.1.194 any eq www
access-list outbound extended permit tcp host 192.168.1.79 any eq www
access-list outbound extended permit tcp host 192.168.3.44 any eq www
access-list outbound extended permit tcp host 192.168.3.44 any eq https
access-list outbound extended permit tcp host 192.168.4.44 any eq https
access-list outbound extended permit tcp host 192.168.4.44 any eq www
access-list outbound extended permit tcp host 192.168.5.44 any eq www
access-list outbound extended permit tcp host 192.168.5.44 any eq https
access-list outbound extended permit tcp host 192.168.6.44 any eq www
access-list outbound extended permit tcp host 192.168.6.44 any eq https
access-list outbound extended permit tcp host 192.168.7.44 any eq https
access-list outbound extended permit tcp host 192.168.7.44 any eq www
access-list outbound extended permit tcp host 192.168.8.44 any eq www
access-list outbound extended permit tcp host 192.168.8.44 any eq https
access-list outbound extended permit tcp host 192.168.10.44 any eq www
access-list outbound extended permit tcp host 192.168.10.44 any eq https
access-list outbound extended permit tcp host 192.168.90.44 any eq www
access-list outbound extended permit tcp host 192.168.90.44 any eq https
access-list outbound extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.93.202 eq www
access-list outbound extended permit tcp 192.168.1.0 255.255.255.0 host 192.168.93.203 eq www
access-list outbound extended deny tcp 192.168.1.0 255.255.255.0 any eq www
access-list outbound extended deny tcp 192.168.3.0 255.255.255.0 any eq www
access-list outbound extended deny tcp 192.168.4.0 255.255.255.0 any eq www
access-list outbound extended deny tcp 192.168.5.0 255.255.255.0 any eq www
access-list outbound extended deny tcp 192.168.6.0 255.255.255.0 any eq www
access-list outbound extended deny tcp 192.168.7.0 255.255.255.0 any eq www
access-list outbound extended deny tcp 192.168.8.0 255.255.255.0 any eq www
access-list outbound extended deny tcp 192.168.10.0 255.255.255.0 any eq www
access-list outbound extended deny tcp 192.168.90.0 255.255.255.0 any eq www
access-list outbound extended permit udp host 192.168.1.33 any eq ntp
access-list outbound extended deny udp 192.168.0.0 255.255.0.0 any eq ntp
access-list outbound extended permit udp host 192.168.0.62 any eq snmp
access-list outbound extended permit tcp 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 eq netbios-ssn
access-list outbound extended deny tcp any any eq 1433
access-list outbound extended deny tcp any any eq aol
access-list outbound extended permit tcp host 192.168.0.26 any eq smtp
access-list outbound extended permit tcp host 192.168.0.25 any eq smtp
access-list outbound extended permit tcp host 192.168.0.96 any eq smtp
access-list outbound extended permit tcp host 192.168.0.92 any eq smtp
access-list outbound extended permit tcp host 192.168.0.229 any eq smtp
access-list outbound extended permit tcp host 192.168.0.231 any eq smtp
access-list outbound extended permit tcp host 192.168.0.232 any eq smtp
access-list outbound extended permit tcp host 192.168.0.233 any eq smtp
access-list outbound extended deny ip host 192.168.90.133 any
access-list outbound extended deny tcp any any eq smtp
access-list outbound extended permit ip 192.168.0.0 255.255.0.0 any
access-list outbound extended permit tcp 192.168.0.0 255.255.0.0 any eq ftp
access-list outbound extended permit tcp 192.168.0.0 255.255.0.0 any eq www
access-list outbound extended permit tcp 192.168.0.0 255.255.0.0 any eq https
access-list outbound extended permit tcp 192.168.1.0 255.255.255.0 any eq 5200
access-list outbound extended deny udp any any eq snmp
access-list outbound extended permit tcp 192.168.0.0 255.255.0.0 any eq 135
access-list outbound extended deny tcp any any eq 135
access-list outbound extended permit udp 192.168.0.0 255.255.0.0 any eq 389
access-list outbound extended permit tcp 192.168.0.0 255.255.0.0 any eq ldap
access-list outbound extended permit tcp 192.168.0.0 255.255.0.0 any eq ldaps
access-list outbound extended permit tcp 192.168.0.0 255.255.0.0 any eq 3268
access-list outbound extended permit tcp 192.168.0.0 255.255.0.0 any eq 88
access-list outbound extended permit udp 192.168.0.0 255.255.0.0 any eq 88
access-list outbound extended permit tcp 192.168.0.0 255.255.0.0 any eq 445
access-list outbound extended permit udp 192.168.0.0 255.255.0.0 any eq 445
access-list outbound extended permit ip any any
access-list outbound extended deny tcp any any
access-list EXCEEDMSS extended permit tcp any any
access-list pubdmz_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list pubdmz_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list pubdmz_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list pubdmz_60_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list pubdmz_60_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list pubdmz_60_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list pubdmz_60_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list pubdmz_80_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.95.0 255.255.255.0
access-list pubdmz_80_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.95.0 255.255.255.0
access-list pubdmz_80_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.95.0 255.255.255.0
access-list pubdmz_100_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list pubdmz_100_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list pubdmz_100_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list pubdmz_140_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list Vpn_Acl standard permit 192.168.0.0 255.255.0.0
access-list pubdmz_3_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.93.0 255.255.255.0
!
tcp-map mss-map
!
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm errors
logging host pkr 192.168.0.140
mtu pubdmz 1500
mtu pkr 1500
mtu management 1500
ip local pool VPN_IP_POOL 192.168.0.70-192.168.0.79 mask 255.255.255.0
no failover
failover polltime unit 15 holdtime 45
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
nat-control
global (pubdmz) 10 interface
nat (pkr) 0 access-list pkr_nat0_outbound
nat (pkr) 10 0.0.0.0 0.0.0.0
static (pkr,pubdmz) x.x.230.35 192.168.0.25 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.34 192.168.0.120 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.33 192.168.0.209 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.36 192.168.0.91 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.38 192.168.0.92 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.37 192.168.0.93 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.39 192.168.0.96 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.40 192.168.4.40 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.41 192.168.6.40 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.42 192.168.5.40 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.43 192.168.7.40 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.44 192.168.3.40 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.50 192.168.1.206 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.48 192.168.1.217 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.51 192.168.5.9 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.52 192.168.6.9 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.53 192.168.1.223 netmask 255.255.255.255
static (pkr,pubdmz) x.x.230.45 192.168.0.11 netmask 255.255.255.255
access-group inbound in interface pubdmz
access-group outbound in interface pkr
route pubdmz 0.0.0.0 0.0.0.0 12.x.x.225 1
route pkr 192.168.0.0 255.255.0.0 192.168.0.1 1
route pubdmz 192.168.30.0 255.255.255.0 12.x.x.225 1
route pubdmz 192.168.31.0 255.255.255.0 12.x.x.225 1
route pubdmz 192.168.40.0 255.255.255.0 12.x.x.225 1
route pubdmz 192.168.85.0 255.255.255.0 12.x.x.225 1
route pubdmz 192.168.93.0 255.255.255.0 12.x.x.255 1
route pubdmz 192.168.94.0 255.255.255.0 12.x.x.225 1
route pubdmz 192.168.95.0 255.255.255.0 12.x.x.225 1
route pubdmz 192.168.96.0 255.255.255.0 12.x.x.225 1
route pubdmz 192.168.99.0 255.255.255.0 12.x.x.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 pkr
http 192.168.1.0 255.255.255.0 pkr
http 192.168.0.0 255.255.0.0 pkr
http 192.168.1.0 255.255.255.0 management
crypto ipsec transform-set krpix esp-des esp-md5-hmac
crypto ipsec transform-set kr esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set krpix
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map pubdmz_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto dynamic-map pubdmz_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map pubdmz_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map pubdmz_dyn_map 40 set transform-set ESP-AES-128-SHA
crypto dynamic-map pubdmz_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map pubdmz_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map pubdmz_dyn_map 60 set transform-set kr
crypto dynamic-map pubdmz_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map pubdmz_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto map pubdmz_map 1 match address pubdmz_1_cryptomap
crypto map pubdmz_map 1 set peer 96.x.x.13
crypto map pubdmz_map 1 set transform-set ESP-AES-128-SHA
crypto map pubdmz_map 1 set security-association lifetime seconds 28800
crypto map pubdmz_map 1 set security-association lifetime kilobytes 4608000

crypto map pubdmz_map interface pubdmz
crypto isakmp identity address
crypto isakmp enable pubdmz
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 7
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 7
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 7
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 30
telnet 192.168.0.0 255.255.0.0 pkr
telnet 192.168.3.0 255.255.255.0 pkr
telnet 192.168.3.1 255.255.255.255 pkr
telnet 192.168.1.0 255.255.255.0 pkr
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 pkr
ssh timeout 60
console timeout 0
management-access pkr
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.1.33 source pkr prefer
group-policy DfltGrpPolicy attributes
dns-server value 192.168.0.33 192.168.0.200
vpn-simultaneous-logins 20
vpn-idle-timeout 240
vpn-tunnel-protocol IPSec
ip-comp enable
default-domain value group.local
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
customization value DfltCustomization
group-policy Vpn internal
group-policy Vpn attributes
dns-server value 192.168.0.33 192.168.0.200
vpn-access-hours none
vpn-simultaneous-logins 20
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec
password-storage enable
ip-comp disable
pfs disable
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Vpn_Acl
default-domain value group.local
group-policy AGroup internal
group-policy AGroup attributes
dns-server value 192.168.0.33 192.168.0.200
vpn-tunnel-protocol IPSec
password-storage enable
ip-comp enable
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Vpn_Acl
default-domain value group.local
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
nem enable
username AUser password hcIio.oeonfvLakBZjF encrypted privilege 0
username AUser attributes
vpn-group-policy AGroup
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group AGroup type remote-access
tunnel-group AGroup general-attributes
address-pool VPN_IP_Pool
default-group-policy AGroup

pre-shared-key *
tunnel-group 96.x.x.13 type ipsec-l2l
tunnel-group 96.x.x.13 ipsec-attributes
pre-shared-key *

pre-shared-key *
tunnel-group Vpn type remote-access
tunnel-group Vpn general-attributes
address-pool VPN_IP_Pool
authentication-server-group CORPVPN LOCAL
default-group-policy Vpn
tunnel-group Vpn ipsec-attributes
pre-shared-key *

!
class-map inspection_default
match default-inspection-traffic
class-map http-map1
match access-list EXCEEDMSS
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 2048
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
policy-map type inspect esmtp esmtp_map
parameters
no mask-banner
policy-map http-map1
class http-map1
set connection advanced-options mss-map
!
service-policy global_policy global
service-policy http-map1 interface pubdmz
prompt hostname context
Cryptochecksum:a97071da030be6b87e86d8bb069e13ce
: end
asdm image disk0:/asdm-61551.bin
asdm location 192.168.30.254 255.255.255.255 pkr
no asdm history enable

 
Remote network at 192.168.30.x
 

interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.30.254 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 96.x.x.13 255.255.252.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd Kq73TQdadapcE1i/wZp encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
timeout 30
name-server 192.168.30.200
domain-name van.kr.local
object-group network DM_INLINE_NETWORK_1
network-object 192.168.0.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
object-group service rdp tcp
description rdp
port-object eq 3389
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.90.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.91.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.85.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.31.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.30.64 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list outside_1_cryptomap extended permit ip 192.168.30.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
pager lines 24
logging enable
logging trap errors
logging asdm debugging
logging device-id hostname
logging host inside 192.168.30.254
mtu inside 1500
mtu outside 1500
mtu management 1500
ip local pool VANASADHCPPOOL 192.168.30.70-192.168.30.79 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 96.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server VANSVR-DC01 protocol kerberos
reactivation-mode timed
aaa-server VANSVR-DC01 host 192.168.30.200
timeout 30
kerberos-realm GROUP.LOCAL
aaa-server CORPVPN protocol radius
aaa-server CORPVPN host 192.168.30.200
key xxxxx
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.30.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
snmp-server host inside 192.168.0.62 community inside1
snmp-server location va corporate
snmp-server community inside1
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set TUNNEL_ESP_AES-128_None esp-aes esp-none
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.x.x.228
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 7
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 7
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 7
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 7
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet 192.168.30.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 192.168.30.200 192.168.0.200
!
dhcpd address 192.168.1.2-192.168.1.10 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics
ntp server 192.168.1.33 prefer
group-policy VanASA internal
group-policy VanASA attributes
dns-server value 192.168.30.200 192.168.30.33
vpn-tunnel-protocol IPSec
password-storage enable
ip-comp enable
pfs disable
ipsec-udp enable
split-tunnel-policy tunnelall
default-domain value group.local
split-dns value group.local
client-firewall none
webvpn
file-entry enable
file-browsing enable
username cisco password 5ij9pJeZvAxxxxgc encrypted privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
tunnel-group 12.x.x.228 type ipsec-l2l
tunnel-group 12.x.x.228 ipsec-attributes
pre-shared-key *
peer-id-validate cert
tunnel-group VanASA type remote-access
tunnel-group VanASA general-attributes
address-pool VANASADHCPPOOL
authentication-server-group CORPVPN LOCAL
default-group-policy VanASA
tunnel-group VanASA ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:22dc6a9c65fd980f0ea79b641c1bd138
: end
asdm image disk0:/asdm-603.bin
no asdm history enable

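A pre-flight check an editor would add at this point (it is not part of the thread): it parses abbreviated excerpts of the two configs posted above and reports (a) crypto-ACL entries that have no mirror image on the peer, (b) whether the failing flow 192.168.1.136 -> 192.168.30.200 is covered by both the crypto ACL and the NAT-exempt ACL on each side, and (c) any remote-side interface whose connected subnet overlaps a network that is supposed to be reached through the tunnel (a connected route takes precedence, so replies to that network are routed to that interface rather than out the interface that holds the crypto map). On these excerpts it finds that the hub's crypto ACL includes 192.168.3.0/24 while the peer mirrors 192.168.11.0/24 instead, that the 1.x/30.x flow itself is covered on both sides, and that the remote ASA's Management0/0 sits on 192.168.1.0/24, the very network the failing client lives in. The excerpts are constructed from the posted configs (ASA 8.0 syntax, names and addresses as posted); the parser understands only the subset of syntax they use.

```python
import ipaddress

# Constructed excerpts of the two configs posted above, limited to the lines this
# check reads (ASA 8.0 syntax); addresses and names are those in the thread.
HUB_CONFIG = """
access-list pkr_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list pubdmz_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list pubdmz_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.30.0 255.255.255.0
access-list pubdmz_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.30.0 255.255.255.0
"""
REMOTE_CONFIG = """
interface Ethernet0/0
 nameif inside
 ip address 192.168.30.254 255.255.255.0
!
interface Management0/0
 nameif management
 ip address 192.168.1.1 255.255.255.0
 management-only
!
object-group network DM_INLINE_NETWORK_1
 network-object 192.168.0.0 255.255.255.0
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.30.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
"""

def take_addr(toks, groups):
    """Consume one ASA address operand (any | host A | object-group G | A MASK)."""
    if toks[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], toks[1:]
    if toks[0] == "host":
        return [ipaddress.ip_network(toks[1] + "/32")], toks[2:]
    if toks[0] == "object-group":
        return list(groups[toks[1]]), toks[2:]
    return [ipaddress.ip_network(f"{toks[0]}/{toks[1]}")], toks[2:]

def parse_config(text):
    """Return (network object-groups, ACLs as (src, dst) network pairs, interfaces)."""
    groups, acls, ifaces = {}, {}, {}
    cur_group = cur_iface = None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0] == "!":
            cur_group = cur_iface = None
        elif toks[0] == "object-group" and toks[1] == "network":
            cur_group, cur_iface = toks[2], None
            groups[cur_group] = []
        elif toks[0] == "network-object" and cur_group:
            groups[cur_group].extend(take_addr(toks[1:], groups)[0])
        elif toks[0] == "interface":
            cur_iface, cur_group = toks[1], None
            ifaces[cur_iface] = {}
        elif toks[0] == "nameif" and cur_iface:
            ifaces[cur_iface]["nameif"] = toks[1]
        elif toks[:2] == ["ip", "address"] and cur_iface:
            ifaces[cur_iface]["net"] = ipaddress.ip_network(f"{toks[2]}/{toks[3]}", strict=False)
        elif toks[0] == "access-list" and toks[2:5] == ["extended", "permit", "ip"]:
            src, rest = take_addr(toks[5:], groups)
            dst, _ = take_addr(rest, groups)
            acls.setdefault(toks[1], []).extend((s, d) for s in src for d in dst)
    return groups, acls, ifaces

def mirror_gaps(local, remote):
    """Crypto-ACL entries whose mirror image (dst, src) the peer lacks; no SA can match them."""
    mirrored = {(d, s) for s, d in remote}
    return [(str(s), str(d)) for s, d in local if (s, d) not in mirrored]

def covers(pairs, src_ip, dst_ip):
    """True if some (src, dst) entry matches the flow."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in pairs)

def subnet_conflicts(ifaces, tunnel_nets):
    """Interfaces whose connected subnet overlaps a network that should be reached via
    the tunnel: the connected route wins, so replies leave here, not the crypto-map interface."""
    return [(i.get("nameif", name), str(i["net"])) for name, i in ifaces.items()
            if "net" in i and any(i["net"].overlaps(t) for t in tunnel_nets)]

def diagnose(hub_text, rem_text, client, server,
             hub_crypto="pubdmz_1_cryptomap", rem_crypto="outside_1_cryptomap",
             hub_nat0="pkr_nat0_outbound", rem_nat0="inside_nat0_outbound"):
    """Run the checks for one client -> server flow (hub side -> remote side)."""
    _, hub, _ = parse_config(hub_text)
    _, rem, rem_if = parse_config(rem_text)
    return {
        "hub_only": mirror_gaps(hub[hub_crypto], rem[rem_crypto]),
        "remote_only": mirror_gaps(rem[rem_crypto], hub[hub_crypto]),
        "crypto_covers_flow": covers(hub[hub_crypto], client, server) and covers(rem[rem_crypto], server, client),
        "nat0_covers_flow": covers(hub[hub_nat0], client, server) and covers(rem[rem_nat0], server, client),
        "remote_iface_conflicts": subnet_conflicts(rem_if, [s for s, _ in hub[hub_crypto]]),
    }

if __name__ == "__main__":
    for check, result in diagnose(HUB_CONFIG, REMOTE_CONFIG, "192.168.1.136", "192.168.30.200").items():
        print(f"{check}: {result}")
```

To run it against the full configs, paste each show running-config into the corresponding string; object-group expansion and the any/host forms are handled, but the parser deliberately ignores ACL lines that are not "extended permit ip", so protocol-specific crypto or NAT-exempt entries would need a small extension.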
 
OK, the only interface I see that references the 192.168.1.0/24 network is the management interface of your remote-network ASA:
Code:
interface Management0/0
  nameif management
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  management-only
Remove the management-only command and you should be good to go.

 
I just removed management-only, but I still get the same error message.

Thanks for your help.

 
Doh, I wasn't fully paying attention. You need to add "same-security-traffic permit inter-interface" to the config.

 