Hello,
We are experiencing an issue with a Software VPN tunnel to one of our client’s systems. Whenever we attempt to connect using this software VPN tunnel (using the Cisco VPN client) from behind one of our Cisco ASA or PIX firewalls (this has been attempted at 3 different sites, one with a PIX 515, 2 with Cisco ASA-5505s) it shows the following behavior:
1. VPN tunnel connects, user authentication is prompted, the username and password are accepted, and the tunnel is established.
2. VPN tunnel does not appear to pass data. Cannot ping the resource on the other network (198.190.252.203).
When connected with a direct connection to the internet (bypassing our firewalls), it works as intended:
1. VPN tunnel connects, user authentication is prompted, the username and password are accepted, and the tunnel is established.
2. VPN tunnel passes data. Can ping the network resource (198.190.252.203).
3. Tracert shows:
Tracing route to 198.190.252.203 over a maximum of 30 hops
1 85 ms 91 ms 86 ms 172.21.128.41
2 83 ms 84 ms 87 ms 198.190.252.203
I have been unable to determine why this is occurring. It has been speculated by our client’s IT department that it is a routing issue.
We have a very basic setup at the site where we intend to use this software VPN tunnel, and I have been unable to isolate the cause and determine a fix. Any help would be appreciated.
Software VPN Tunnel Host: 63.149.74.9
CISCO ASA-5505 CONFIG
============================================================
!
ASA Version 7.2(3)
!
hostname MinneapolisASA
domain-name minneapolis.pacificmedicaid.com
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 219.181.232.162 255.255.255.248
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
dns server-group DefaultDNS
domain-name minneapolis.pacificmedicaid.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Spokane_Traffic extended permit ip 192.168.1.0 255.255.255.0 172.27.174.0 255.255.255.0
access-list VPN_Split extended permit ip 192.168.1.0 255.255.255.0 any
access-list Tunnel_Traffic extended permit ip 192.168.1.0 255.255.255.0 172.27.174.0 255.255.255.0
access-list Tunnel_Traffic extended permit ip 192.168.1.0 255.255.255.0 192.168.15.0 255.255.255.252
access-list 101 extended permit tcp any host 219.181.232.163 eq
access-list 101 extended permit tcp any host 219.181.232.164 eq
access-list 101 extended permit tcp any host 219.181.232.165 eq
access-list 101 extended permit tcp any host 219.181.232.163 eq https inactive
access-list 101 extended permit tcp any host 219.181.232.164 eq https inactive
access-list 101 extended permit tcp any host 219.181.232.165 eq https inactive
pager lines 24
logging list MonitorTraffic level debugging class ip
logging list TrafficMon message 302014
logging asdm TrafficMon
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list Tunnel_Traffic
nat (inside) 1 0.0.0.0 0.0.0.0 dns
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 219.181.232.161 255
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 67.134.37.96 255.255.255.240 outside
http 172.27.174.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Tunnel_Map 30 match address Spokane_Traffic
crypto map Tunnel_Map 30 set peer 67.134.37.110
crypto map Tunnel_Map 30 set transform-set ESP-3DES-SHA
crypto map Tunnel_Map interface outside
crypto isakmp enable outside
crypto isakmp policy 9
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 11
authentication rsa-sig
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp nat-traversal 20
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 172.27.174.0 255.255.255.0 inside
ssh 67.134.37.96 255.255.255.240 outside
ssh timeout 5
ssh version 1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 inside
!
!
class-map type inspect im match-all IMMAP
match protocol msn-im yahoo-im
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map type inspect http httpMap
parameters
protocol-violation action drop-connection
match request uri regex _default_aim-messenger
drop-connection log
match request uri regex _default_gator
drop-connection log
match request uri regex _default_firethru-tunnel_1
drop-connection log
match request uri regex _default_firethru-tunnel_2
drop-connection log
match request uri regex _default_msn-messenger
drop-connection log
match request uri regex _default_windows-media-player-tunnel
drop-connection log
match request uri regex _default_x-kazaa-network
drop-connection log
match request uri regex _default_yahoo-messenger
drop-connection log
policy-map type inspect mgcp MGCPMap
parameters
policy-map type inspect h323 h323Map
parameters
policy-map type inspect ipsec-pass-thru IPSec
parameters
esp
ah
policy-map global_policy
class inspection_default
inspect skinny
inspect ctiqbe
inspect ftp
inspect h323 h225
inspect h323 ras
inspect mgcp
inspect rtsp
inspect sip
inspect sunrpc
inspect xdmcp
policy-map type inspect sip SIPMap
parameters
max-forwards-validation action drop log
policy-map type inspect im imMap
parameters
policy-map type inspect dcerpc DCERPCMap
parameters
endpoint-mapper lookup-operation timeout 0:05:00
policy-map type inspect netbios NetBiosMap
parameters
protocol-violation action drop
!
service-policy global_policy global
tunnel-group 67.134.37.110 type ipsec-l2l
tunnel-group 67.134.37.110 ipsec-attributes
pre-shared-key *
prompt hostname context
============================================================
Thanks
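Added example (not part of the original post, and not a verified fix for this site). The posted config declares `policy-map type inspect ipsec-pass-thru IPSec` but never binds it: the `global_policy` map applied with `service-policy global_policy global` lists no `inspect ipsec-pass-thru`. Without that inspection the ASA has nothing watching the VPN client's IKE exchange on UDP 500 and opening the return path for ESP (IP protocol 50), and ESP carries no ports that `global (outside) 1 interface` PAT could translate. That is consistent with IKE completing and no data passing once the client is behind the firewall, but the post offers only the symptom as evidence, so treat it as the first thing to check rather than a diagnosis. The fragment below assumes the client is sending plain ESP (no NAT-T on UDP 4500 or IPsec-over-TCP, which would traverse PAT as ordinary UDP/TCP); the `per-client-max` and `timeout` values shown are the ASA defaults and are included only to make the parameters explicit.

```cisco
! Added example: bind the already-defined ipsec-pass-thru map into the global
! service policy on ASA 7.2. Assumes the VPN client uses plain ESP, not NAT-T.
policy-map type inspect ipsec-pass-thru IPSec
 parameters
  esp per-client-max 10 timeout 0:10:00
  ah per-client-max 10 timeout 0:10:00
!
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru IPSec
!
! Verification after the client reconnects and tries the ping:
!   show service-policy inspect ipsec-pass-thru
!   show conn detail
! The first should show the IPSec map active with non-zero packet counts for
! UDP/500; the second should show an ESP connection from the client's inside
! address to 63.149.74.9 alongside its UDP/500 connection. If ESP never
! appears, the drop is happening before inspection and the client-side
! transparent tunneling setting is the next thing to compare.
```

If the client can instead be set to IPsec over UDP (NAT-T) and the remote concentrator supports it, the ESP payload travels inside UDP 4500 and needs no pass-thru inspection at all; the change above is only relevant while the client is negotiating raw ESP. Unrelated to the data-path problem but visible in the same config: `ssh version 1`, `telnet` on the inside, and ISAKMP policy 11 with DES and group 1 are weak settings a reviewer would flag separately.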