
Multiple ASA 5505 questions


ESSulzer (Programmer, US), Jan 11, 2005
I have an ASA 5505 that I have been working on for about a month. I have it set up, and can access the Internet from within my internal network. I have port forwarding set up and I know that the traffic is getting to the required locations (via logs). But I am not receiving the information at the remote location; the process times out. I can ping the external IP of the ASA, but as soon as I try to access something else, the ping drops off and I still won't get a response.

Also, I can connect to a VPN, via the Cisco VPN client v5, but cannot access the internal network.

I am posting a scrubbed config file for examination.

Thanks for any help that can be provided.

Code:
ASA Version 8.0(2) 
!
hostname asa5505
domain-name myerstown.richmaidkabinetry.local
enable password aWGOGOySVJWsi8.W encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.10.248 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 70.xxx.xxx.225 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxx encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 68.xxx.xxx.194
 name-server 68.xxx.xxx.146
 domain-name myerstown.richmaidkabinetry.local
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.1.10.0 255.255.255.0 
access-list INBOUND extended permit tcp any interface outside log debugging 
access-list VPN_test_splitTunnelAcl standard permit 10.1.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 10.1.10.192 255.255.255.224 
access-list inside_nat0_outbound extended permit ip 10.1.10.0 255.255.255.0 10.1.10.192 255.255.255.224 
pager lines 24
logging enable
logging monitor informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool 10.1.10.200-10.1.10.209 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2323 10.1.10.252 telnet netmask 255.255.255.255 
static (inside,outside) tcp interface 10022 10.1.10.247 ssh netmask 255.255.255.255 tcp 1 0 
static (inside,outside) tcp interface 13389 10.1.10.253 3389 netmask 255.255.255.255 tcp 1 0 
static (inside,outside) tcp interface 8081 10.1.10.253 10920 netmask 255.255.255.255 
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 70.xxx.xxx.226 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server W2K3 protocol nt
aaa-server W2K3 host 10.1.10.254
 nt-auth-domain-controller primarydc
eou allow none
aaa authentication enable console W2K3 LOCAL
aaa authentication http console W2K3 LOCAL
aaa authentication telnet console W2K3 LOCAL
http server enable
http 10.1.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 60
telnet 10.1.10.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.1.10.254 10.1.10.253
 vpn-tunnel-protocol l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value myerstown.richmaidkabinetry.local
group-policy VPN_test internal
group-policy VPN_test attributes
 dns-server value 10.1.10.254 10.1.10.253
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_test_splitTunnelAcl
 default-domain value myerstown.richmaidkabinetry.local
 address-pools value VPN_Pool
username xxxxx password xxxxxxxxxx encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_Pool
 authentication-server-group W2K3
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group VPN_test type remote-access
tunnel-group VPN_test general-attributes
 address-pool VPN_Pool
 authentication-server-group W2K3
 default-group-policy VPN_test
tunnel-group VPN_test ipsec-attributes
 pre-shared-key *
tunnel-group VPN_test ppp-attributes
 authentication ms-chap-v2
prompt hostname context 
Cryptochecksum:6c396bfa26ff4837ca995cf7eae670e2

*** Thanks! ***
 
I had an issue with the VPN as well. The thing that helped me out the most was on the VPN Client there is a check box for allow local LAN or something to that effect; make sure that is not checked (I know it seems backwards). Then connect to the VPN, and try Start -> Run "CMD" to open the command interface and try to ping various resources on the internal network; if that works then you are definitely in and have access to it. I noticed that the computers don't always show up in My Network Places, which is frustrating, but you can use the IP address instead. I don't know if this has to do with a WINS server or DNS or what, but if you figure that out let me know!
 
I have already tried the "Allow Local LAN" trick and it does not change anything.

This is aggravatingly frustrating to be so close, yet so far away from the goal.

 
So this is supposed to also support a Site-to-Site VPN alongside the remote access VPN?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
No, this is only remote access. I never set up any site to site.
 
I see you have two different groups configured; which group do you have set up in your Cisco client to authenticate with? Also, it is best practice to give your remote access users IPs from a block separate from your internal IP block.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
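The pool advice above is easy to check mechanically. The following is an added example for this thread, not code from the posters or from Cisco: a small Python script that parses the pre-8.3 ASA syntax used in the posted config (`interface`/`nameif`/`ip address`, `ip local pool`, `access-list ... extended permit ip`, `nat (inside) 0 access-list`) and reports two things: whether the remote-access pool overlaps an interface subnet, and whether the `nat 0` exemption ACL covers the whole pool so that inside hosts replying to VPN clients are not PAT'd to the outside address. The two sample configs are constructed from the relevant lines of the posted config; the outside address is a documentation-range placeholder (the real one was scrubbed), and the 10.1.20.0/24 pool in the corrected variant is a hypothetical choice of "a block separate from your internal IP block".

```python
"""Check an ASA 8.x (pre-8.3 NAT syntax) config for a remote-access VPN
pool that overlaps an interface subnet and for nat 0 coverage of the pool.
Added example for this thread; parses only the subset of syntax seen in
the posted config."""
import ipaddress
import re

NAMEIF_RE = re.compile(r"^\s+nameif (\S+)")
IP_ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")


def _operand(tokens, i):
    """Parse one ACL address operand ('any', 'host A', or 'A MASK') at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "nat0": {}}
    cur = None  # interface block currently being read
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("interface "):
            cur = {"nameif": None, "net": None}
            continue
        if cur is not None and line.startswith(" "):
            m = NAMEIF_RE.match(line)
            if m:
                cur["nameif"] = m.group(1)
            m = IP_ADDR_RE.match(line)
            if m:
                cur["net"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if cur["nameif"] and cur["net"]:
                cfg["interfaces"][cur["nameif"]] = cur["net"]
            continue
        cur = None  # any non-indented line ends the interface block
        m = POOL_RE.match(line)
        if m:
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                       ipaddress.ip_address(m.group(3)))
            continue
        m = NAT0_RE.match(line)
        if m:
            cfg["nat0"][m.group(1)] = m.group(2)
            continue
        tokens = line.split()
        if (len(tokens) >= 7 and tokens[0] == "access-list" and tokens[2] == "extended"
                and tokens[3] == "permit" and tokens[4] == "ip"):
            src, i = _operand(tokens, 5)
            dst, _ = _operand(tokens, i)
            cfg["acls"].setdefault(tokens[1], []).append((src, dst))
    return cfg


def check_vpn_pool(cfg):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    nat0_entries = [e for acl in cfg["nat0"].values() for e in cfg["acls"].get(acl, [])]
    for pool, (first, last) in cfg["pools"].items():
        for nameif, net in cfg["interfaces"].items():
            if first in net or last in net:
                findings.append(f"pool {pool} ({first}-{last}) overlaps interface "
                                f"{nameif} {net}")
        # Replies from inside hosts to VPN clients must bypass PAT, so some
        # nat 0 ACL entry has to cover the whole pool as its destination.
        if not any(first in dst and last in dst for _src, dst in nat0_entries):
            findings.append(f"pool {pool} is not covered by the nat 0 (NAT exemption) ACL")
    return findings


# Constructed from the relevant lines of the posted config; outside address is a placeholder.
POSTED = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.10.248 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.225 255.255.255.252
!
access-list inside_nat0_outbound extended permit ip any 10.1.10.192 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.1.10.0 255.255.255.0 10.1.10.192 255.255.255.224
ip local pool VPN_Pool 10.1.10.200-10.1.10.209 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

# Hypothetical corrected variant: pool moved to a separate block with a matching exemption.
CORRECTED = POSTED.replace(
    "access-list inside_nat0_outbound extended permit ip any 10.1.10.192 255.255.255.224\n", ""
).replace(
    "permit ip 10.1.10.0 255.255.255.0 10.1.10.192 255.255.255.224",
    "permit ip 10.1.10.0 255.255.255.0 10.1.20.0 255.255.255.0",
).replace(
    "10.1.10.200-10.1.10.209", "10.1.20.200-10.1.20.209",
)

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("corrected", CORRECTED)):
        print(label, check_vpn_pool(parse_config(text)) or "OK")
```

On the posted config the script reports only the overlap (the `any ... 10.1.10.192/27` entry already covers the pool for exemption); on the corrected variant it reports nothing. The parser targets the `nat 0 access-list` form used on ASA 8.0(2) as in this thread; 8.3 and later replaced it with object NAT, so the exemption check would need rewriting for those releases.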
 
Update> I finally was able to get my ASA up and functioning correctly. You all may laugh, but it's like real estate: location location location.

I worked with the Cisco TAC and verified that the configuration was correct (except for the IP pool for my VPN), but they were at a loss as well as to why everything was timing out.

Solution> pushed ASA into position in the network, instead of being in a testing position. Also had to disconnect everything else from the old gateway, and repoint everything to the ASA as the new gateway. 10 minutes after I did this, all my forwards were working, and the VPN was up and running perfectly when I tested it after hours.

Location, location, location.

 