BrotherJones
Technical User
quick info ---
ASA 5510 running 7.2(2)
internal interface assigned 192.168.72.1
- one LAN-to-LAN tunnel connecting to a remote address of 172.17.1.x
- the remote access config hands out addresses 172.16.1.1 through 172.16.1.254
Remote Access VPNs (172.16.1.x) were working fine until I set up the site-to-site (172.17.1.x).
Now when I use the Cisco client to create an IPSec VPN to the ASA, it connects and shows Phase I complete, but then shows "IKE initiator unable to find Policy; Intf Outside, Src: 192.168.72.10, Dst: 172.16.1.1".
(192.168.72.10 is a server and 172.16.1.1 is the address handed to the remote client.)
Not sure what changed. The site-to-site VPN works fine, but remote access VPNs are no longer working.
Any help appreciated. Here is a copy of my config:
ASA Version 7.2(2)
!
hostname xxxASA
domain-name int.x.com
enable password aQkA8DVXrw.A124f encrypted
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address x.x.109.208 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif Inside
security-level 100
ip address 192.168.72.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd aQkA8DVXrw.A124f encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name int.cd3.com
access-list outside_access_in extended permit gre any host x.x.109.208
access-list outside_access_in extended permit gre any host x.x.109.209
access-list outside_access_in extended permit tcp any host x.x.109.209 eq pptp
access-list outside_access_in extended permit tcp any host x.x.109.210 eq smtp
access-list outside_access_in extended permit tcp any host x.x.109.210 eq www
access-list outside_access_in extended permit tcp any host x.x.109.210 eq https
access-list outside_access_in extended permit tcp any host x.x.109.210 eq pop3
access-list nonat extended permit ip 192.168.72.0 255.255.255.0 172.17.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.72.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list SplitTunnel standard permit 192.168.72.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console warnings
logging trap debugging
logging asdm errors
logging host Inside 192.168.72.10
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool rasvpnpool 172.16.1.1-172.16.1.254
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 192.168.72.0 255.255.255.0
static (Inside,Outside) tcp x.x.109.209 pptp 192.168.72.10 pptp netmask 255.255.255.255
static (Inside,Outside) x.x.109.210 192.168.72.11 netmask 255.255.255.255
access-group outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 204.57.109.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server AAA_ServerGroup protocol radius
aaa-server AAA_ServerGroup host 192.168.72.10
timeout 5
key xxx
group-policy xxxvpnclients internal
group-policy xxxpnclients attributes
wins-server value 192.168.72.13
dns-server value 192.168.72.10 192.168.72.13
vpn-idle-timeout 60
vpn-tunnel-protocol IPSec
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnel
default-domain value int.xxx.com
http server enable
http 192.168.72.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TripleDesSha esp-3des esp-sha-hmac
crypto ipsec transform-set TripleDesMd5 esp-3des esp-md5-hmac
crypto dynamic-map dynamicvpnmap 10 set transform-set TripleDesSha
crypto dynamic-map dynamicvpnmap 10 set reverse-route
crypto map VPNTUNNELS 10 match address nonat
crypto map VPNTUNNELS 10 set peer x.x.187.75
crypto map VPNTUNNELS 10 set transform-set TripleDesSha
crypto map VPNTUNNELS 10 set security-association lifetime seconds 86400
crypto map VPNTUNNELS 999 ipsec-isakmp dynamic dynamicvpnmap
crypto map VPNTUNNELS interface Outside
crypto isakmp enable Outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group xxxvpnclients type ipsec-ra
tunnel-group xxxvpnclients general-attributes
address-pool rasvpnpool
authentication-server-group AAA_ServerGroup
accounting-server-group AAA_ServerGroup
default-group-policy xxxvpnclients
tunnel-group xxxvpnclients ipsec-attributes
pre-shared-key *
tunnel-group x.x.187.75 type ipsec-l2l
tunnel-group x.x.187.75 ipsec-attributes
pre-shared-key *
no tunnel-group-map enable peer-ip
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 0.0.0.0 0.0.0.0 Inside
ssh timeout 30
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default1
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default1
inspect pptp
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect http
inspect icmp
inspect icmp error
inspect ils
inspect ipsec-pass-thru
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect snmp
inspect sqlnet
inspect sunrpc
inspect tftp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0fa3b6949c94cc38904071c7a0f92edd
: end
xxxASA#
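As an added illustration (not part of the original post), the Python below models how the ASA selects a crypto map entry for the flow named in the error message, using the ACLs and the VPNTUNNELS map entries transcribed from the posted config. It assumes entries are evaluated in sequence-number order with the first permitting match ACL winning, and it models the identities a connected client negotiates against the dynamic map as the split-tunnel network to its pool address; "ra_dynamic" and "l2l_crypto" are assumed names, not from the config.

```python
import ipaddress

# Added example, not from the original post. Models how the ASA chooses a
# crypto map entry for a flow: entries are tried in sequence-number order and
# the first whose match ACL permits the flow wins. Network data is transcribed
# from the posted config; 'ra_dynamic' and 'l2l_crypto' are assumed names.

ACLS = {
    # Posted config: 'nonat' is the NAT exemption list AND the L2L crypto ACL,
    # so it also covers the remote-access pool 172.16.1.0/24.
    "nonat": [("192.168.72.0/24", "172.17.1.0/24"),
              ("192.168.72.0/24", "172.16.1.0/24")],
    # Identities a connected client negotiates against the dynamic map:
    # the split-tunnel network to an address from rasvpnpool (assumed model).
    "ra_dynamic": [("192.168.72.0/24", "172.16.1.0/24")],
    # Assumed fix: a crypto ACL for the L2L tunnel covering only 172.17.1.0/24.
    "l2l_crypto": [("192.168.72.0/24", "172.17.1.0/24")],
}

# (sequence, kind, peer, match ACL) for crypto map VPNTUNNELS.
POSTED_MAP = [(10, "static", "x.x.187.75", "nonat"),
              (999, "dynamic", None, "ra_dynamic")]
FIXED_MAP = [(10, "static", "x.x.187.75", "l2l_crypto"),
             (999, "dynamic", None, "ra_dynamic")]


def acl_permits(acl, src, dst):
    """True if any (src net, dst net) pair in the ACL covers the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn)
               for sn, dn in acl)


def select_entry(crypto_map, src, dst):
    """Return (seq, kind, peer) of the first matching entry, else None."""
    for seq, kind, peer, acl_name in sorted(crypto_map, key=lambda e: e[0]):
        if acl_permits(ACLS[acl_name], src, dst):
            return seq, kind, peer
    return None


if __name__ == "__main__":
    # The flow from the error message: server 192.168.72.10 to client 172.16.1.1.
    for name, cmap in (("posted", POSTED_MAP), ("fixed", FIXED_MAP)):
        print(name, select_entry(cmap, "192.168.72.10", "172.16.1.1"))
```

With the posted map the server-to-client flow is claimed by static entry 10 (the L2L peer) before the dynamic entry is ever consulted; with a dedicated L2L crypto ACL on entry 10, the same flow falls through to the dynamic entry while 'nonat' stays as-is for NAT exemption.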