Hi all,
I am trying to get VPN set up on an ASA 5510 w/ Advanced Security. The login in the client succeeds, but all connections fail. In the VPN client window, the Bytes In is stuck at zero. In the status window, "encrypted" changes, but "decrypted" is constantly 0 and "discarded" and "bypassed" are changing. I think this has something to do with NAT-T (btw, transparent tunneling shows as disabled in the client, even though I think I enabled it in ASDM).
Any help appreciated. Config is below:
Code:
: Saved
:
ASA Version 7.2(2)
!
hostname fw01
domain-name XXX.net
enable password removed encrypted
names
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.70.80.100 255.0.0.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd removed encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name beztech.net
access-list inside_access_in remark Local Connection Created
access-list inside_access_in extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0 log notifications
access-list inside_access_out extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-list bzttg_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list beztechprod_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
ip local pool vpnpool 1.8.0.0-1.8.0.255 mask 255.255.255.0
no failover
monitor-interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
asdm history enable
arp timeout 14400
global (inside) 101 interface
nat (inside) 101 10.0.0.0 255.0.0.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
route inside 0.0.0.0 0.0.0.0 10.70.80.1 tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy beztechprod internal
group-policy beztechprod attributes
dns-server value 10.70.80.1 10.70.81.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value beztechprod_splitTunnelAcl
default-domain value beztech1.local
username xxx password removed encrypted privilege 0
username xxx attributes
vpn-group-policy beztechprod
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map inside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 21 set pfs
crypto dynamic-map inside_dyn_map 21 set transform-set ESP-3DES-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group beztechprod type ipsec-ra
tunnel-group beztechprod general-attributes
address-pool vpnpool
default-group-policy beztechprod
tunnel-group beztechprod ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
webvpn
port 9987
enable inside
prompt hostname context
Cryptochecksum: removed: end
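Added example (not from the post or from Cisco): a small Python checker for the three things usually inspected when an ASA remote-access client shows "encrypted" climbing but "decrypted" stuck at zero: whether the VPN pool is exempted from interface NAT with a `nat (ifc) 0 access-list` rule, whether an ACL applied outbound on the terminating interface permits traffic towards the pool, and whether NAT-T is enabled. The embedded excerpt is taken from the posted config; the check names and the assumption that ACL entries use plain address/mask pairs are mine.

```python
import ipaddress
import re

# Constructed excerpt of the poster's ASA 7.2 config, limited to the lines read below.
ASA_CONFIG = """\
ip local pool vpnpool 1.8.0.0-1.8.0.255 mask 255.255.255.0
access-list inside_access_out extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
global (inside) 101 interface
nat (inside) 101 10.0.0.0 255.0.0.0
access-group inside_access_out out interface inside
crypto isakmp nat-traversal 20
"""

def pool_networks(cfg):
    """VPN address pools, as the smallest set of networks covering each range."""
    nets = []
    for first, last in re.findall(r"^ip local pool \S+ (\S+)-(\S+)", cfg, re.M):
        nets += ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last))
    return nets

def nat_exemption_present(cfg):
    """True if any interface carries a NAT-0 (exemption) rule."""
    return re.search(r"^nat \(\S+\) 0 access-list", cfg, re.M) is not None

def nat_traversal_enabled(cfg):
    """True if 'crypto isakmp nat-traversal' is configured (NAT-T on)."""
    return re.search(r"^crypto isakmp nat-traversal", cfg, re.M) is not None

def outbound_acl_covers_pool(cfg, ifc):
    """True if the ACL applied 'out' on ifc permits some traffic towards a pool."""
    m = re.search(rf"^access-group (\S+) out interface {ifc}$", cfg, re.M)
    if not m:
        return True  # no outbound ACL, so nothing here blocks return traffic
    acl = re.escape(m.group(1))
    # Assumption: entries are 'permit <proto> <src> <mask> <dst> <mask>' (no host/any).
    rule = rf"^access-list {acl} extended permit \S+ \S+ \S+ (\S+) (\S+)"
    dsts = [ipaddress.ip_network(f"{a}/{mk}", strict=False)
            for a, mk in re.findall(rule, cfg, re.M)]
    return any(d.overlaps(p) for d in dsts for p in pool_networks(cfg))

def findings(cfg, ifc="inside"):
    """Names of the checks that fail for this config (empty list if all pass)."""
    out = []
    if not nat_exemption_present(cfg):
        out.append("no-nat-exemption-for-vpn-pool")
    if not outbound_acl_covers_pool(cfg, ifc):
        out.append("outbound-acl-blocks-pool")
    if not nat_traversal_enabled(cfg):
        out.append("nat-traversal-disabled")
    return out
```

Run against the posted lines, `findings(ASA_CONFIG)` reports that no NAT-0 exemption exists and that `inside_access_out` only permits 10/8 destinations while the pool is 1.8.0.0/24, and it confirms that nat-traversal is already on.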