Tek-Tips Forums

Intermittent VPN Access

Status
Not open for further replies.

kevmullet

Technical User
Feb 12, 2002
56
GB
Hi All,

I am having a problem with a Cisco ASA 5510 that is terminating remote VPN client users.

The VPN always connects whether using the local authentication or the RADIUS authentication, but it does not always allow traffic to pass. I would say it's about 50/50 as to whether, when connected, it will allow me to browse/RDP.

Below is the config, has anyone seen this before?

Thanks in advance

asdm image disk0:/asdm-507.bin
asdm group Non_Server inside
no asdm history enable
: Saved
:
ASA Version 7.0(7)
!
hostname ####
domain-name ####
enable password #### encrypted
names
name 10.46.49.0 Network49
dns-guard
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address #### 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.46.48.254 255.255.254.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd #### encrypted
ftp mode passive
object-group network Non_Server
description Non Server Devices Denied Internet Access
network-object Network49 255.255.255.0
network-object 10.46.48.0 255.255.255.128
network-object 10.46.48.128 255.255.255.224
object-group network SERVER
network-object 10.46.48.192 255.255.255.192
network-object 10.46.48.176 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.46.49.144 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.46.49.128 255.255.255.128
access-list Split_Tunnel_List remark ####Network
access-list Split_Tunnel_List standard permit 10.46.48.0 255.255.254.0
access-list Split_Tunnel_List remark ####Network
access-list Split_Tunnel_List standard permit 10.46.34.0 255.255.254.0
access-list Split_Tunnel_List standard permit 10.46.36.0 255.255.254.0
access-list Split_Tunnel_List standard permit 10.46.38.0 255.255.254.0
access-list Split_Tunnel_List standard permit 10.46.42.0 255.255.254.0
access-list Split_Tunnel_List remark ####Network
access-list Split_Tunnel_List standard permit 10.46.40.0 255.255.254.0
access-list Split_Tunnel_List standard permit 10.46.44.0 255.255.254.0
access-list Split_Tunnel_List standard permit 10.46.46.0 255.255.254.0
access-list Split_Tunnel_List standard permit 10.46.16.0 255.255.254.0
access-list Split_Tunnel_List standard permit 10.46.0.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.46.5.0 255.255.255.0
access-list outside_access extended permit ip 10.46.48.192 255.255.255.192 any
access-list outside_access extended permit ip 10.46.48.176 255.255.255.240 any
access-list outside_access extended permit tcp any eq smtp any eq smtp
access-list outside_access extended permit udp any eq 25 any eq 25
access-list outside_access remark New Server Range
access-list outside_access extended permit ip Network49 255.255.255.240 any
access-list outside_access remark Netsupport
access-list outside_access extended permit tcp any eq 5405 any eq 5405
access-list outside_access remark netsupport
access-list outside_access extended permit udp any eq 5405 any eq 5405
access-list outside_access_in extended permit udp any eq 995 any eq 995
access-list outside_access_in extended permit tcp any eq 995 any eq 995
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool Radius 10.46.49.160-10.46.49.200 mask 255.255.254.0
ip local pool remote 10.46.49.201-10.46.49.202 mask 255.255.254.0
icmp permit any traceroute outside
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) #### 10.46.48.212 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access in interface inside
route outside 0.0.0.0 0.0.0.0 62.172.134.177 1
route inside 10.0.0.0 255.255.254.0 10.46.48.253 1
route inside 10.46.36.0 255.255.254.0 10.46.48.253 1
route inside 10.46.38.0 255.255.254.0 10.46.48.253 1
route inside 10.46.42.0 255.255.254.0 10.46.48.253 1
route inside 10.46.44.0 255.255.254.0 10.46.48.253 1
route inside 10.46.46.0 255.255.254.0 10.46.48.253 1
route inside 10.46.16.0 255.255.255.0 10.46.48.253 1
route inside 10.46.0.0 255.255.255.0 10.46.48.253 1
route inside 10.46.5.0 255.255.255.0 10.46.48.253 1
route inside 10.46.34.0 255.255.254.0 10.46.48.253 1
route inside 10.46.40.0 255.255.254.0 10.46.48.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Radius protocol radius
max-failed-attempts 5
aaa-server Radius host 10.46.49.1
key ####
authentication-port 1812
accounting-port 1813
group-policy ####internal
group-policy ####attributes
dns-server value 10.46.49.1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
webvpn
group-policy ####internal
group-policy ####attributes
dns-server value 10.46.49.1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
webvpn
username #### password ####encrypted privilege 0
username #### attributes
vpn-group-policy ####
webvpn
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
snmp-server location ####
snmp-server contact ####
snmp-server community ####
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps entity config-change fru-insert fru-remove
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime none
tunnel-group ####type ipsec-ra
tunnel-group ####general-attributes
address-pool remote
default-group-policy ####
tunnel-group #### ipsec-attributes
pre-shared-key *
tunnel-group ####type ipsec-ra
tunnel-group ####general-attributes
address-pool Radius
authentication-server-group Radius
default-group-policy ####
strip-realm
strip-group
tunnel-group #### ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.253 management
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:00a09077e63c9484f2e675e26eade8b0
: end

 
OK, so the problem was the end user added a few devices that had addresses that were part of the DHCP range given out by the ASA.
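A quick way to catch this kind of address collision before it shows up as "half the time the tunnel passes nothing": the script below is an added example for this thread, not something the poster or Cisco supplies. It pulls the interface subnets, the `ip local pool` ranges and the `inside_nat0_outbound` ACL out of the config above and flags (a) a pool carved out of a directly connected LAN subnet (works on the ASA only because it proxy-ARPs for client addresses, so any LAN host that takes one of those addresses ends up fighting the firewall for it), (b) any known static host that sits inside a pool, and (c) pool addresses the NAT exemption does not cover. The `STATIC_HOSTS` table is constructed for the example; the config fragment is trimmed from the one posted.

```python
import ipaddress
import re

# Fragment reconstructed from the config in the thread: the inside interface,
# both client address pools and the NAT-exemption ACL (everything else trimmed).
CONFIG = """\
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.46.48.254 255.255.254.0
ip local pool Radius 10.46.49.160-10.46.49.200 mask 255.255.254.0
ip local pool remote 10.46.49.201-10.46.49.202 mask 255.255.254.0
access-list inside_nat0_outbound extended permit ip any 10.46.49.144 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.46.49.128 255.255.255.128
"""

# Constructed sample: devices someone later plugged into the LAN with static
# addresses (names and addresses are invented for this example).
STATIC_HOSTS = {
    "printer-1": "10.46.49.10",
    "nas-1": "10.46.49.170",
    "camera-1": "10.46.49.202",
}


def parse_pools(config):
    """Return {pool name: (first address, last address)} from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        name, first, last = m.groups()
        pools[name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return pools


def parse_interfaces(config):
    """Return {nameif: connected network} for every interface that has an IP address."""
    nets = {}
    nameif = None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None          # new interface block, forget the previous name
            continue
        m = re.match(r"^\s*nameif (\S+)", line)
        if m:
            nameif = m.group(1)
            continue
        m = re.match(r"^\s*ip address (\S+) (\S+)", line)
        if m and nameif:
            nets[nameif] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
    return nets


def parse_nat_exempt(config, acl="inside_nat0_outbound"):
    """Return the destination networks permitted by the NAT-exemption ACL."""
    pat = rf"^access-list {acl} extended permit ip any (\S+) (\S+)"
    return [ipaddress.IPv4Network(f"{a}/{mask}") for a, mask in re.findall(pat, config, re.M)]


def pool_addresses(pool):
    """Expand a (first, last) pool tuple into the individual addresses."""
    first, last = pool
    return [ipaddress.IPv4Address(i) for i in range(int(first), int(last) + 1)]


def find_conflicts(config, static_hosts):
    """Return a list of (kind, pool name, detail) findings."""
    findings = []
    nets = parse_interfaces(config)
    exempt = parse_nat_exempt(config)
    for pname, pool in parse_pools(config).items():
        addrs = pool_addresses(pool)
        # 1. Pool taken out of a connected LAN: relies on the ASA proxy-ARPing for
        #    client addresses, so a LAN host using one of them collides with it.
        for nameif, net in nets.items():
            if any(a in net for a in addrs):
                findings.append(("pool-in-lan", pname, nameif))
        # 2. A known static host inside the pool: the collision itself.
        for host, ip in static_hosts.items():
            if ipaddress.IPv4Address(ip) in addrs:
                findings.append(("host-in-pool", pname, host))
        # 3. Pool addresses not covered by nat 0 get PATed instead of exempted,
        #    so return traffic never makes it back into the tunnel.
        uncovered = [a for a in addrs if not any(a in n for n in exempt)]
        if uncovered:
            findings.append(("pool-not-nat-exempt", pname, str(uncovered[0])))
    return findings


if __name__ == "__main__":
    for kind, pool, detail in find_conflicts(CONFIG, STATIC_HOSTS):
        print(f"{kind:20} pool={pool:8} {detail}")
```

Run against the posted config both pools are reported as sitting inside the `inside` /23, and the two constructed hosts at .170 and .202 are reported as landing inside the `Radius` and `remote` pools; the nat 0 check stays quiet because both pools fall inside 10.46.49.128/25. Moving the pool to a subnet that is not configured on any interface (and adding a route to it on the inside routers) makes the first finding go away for good.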
 