computerjock33
Technical User
I currently have our 5520 working with remote access VPN successfully. Now I have to add a couple of our remote sites. When I go through the VPN site-to-site wizard it kills my remote access users that were working. I then removed the site-to-site wizard's entries and tried adding the site-to-site manually through the CLI, and it too kills the remote access users. Here is the working config, and the manual s2s entries that I made are below that. Any suggestions are appreciated. Thanks.
User Access Verification
Password:
Type help or '?' for a list of available commands.
cdpasa1> en
Password: *******
cdpasa1# show config
: Saved
: Written by enable_15 at 05:32:08.575 UTC Tue Mar 25 2008
!
ASA Version 8.0(3)
!
hostname cdpasa1
domain-name xx.com
enable password BWaQlcykry5AAxTH encrypted
names
name 10.249.48.0 Hgnwhse description Hgnwhse
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 74.x.x.x 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.2.30.13 255.255.192.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.3 255.255.255.0
management-only
!
passwd BWaQlcykry5AAxTH encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name xx.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list cecovpn_splitTunnelAcl standard permit 10.2.0.0 255.255.192.0
access-list cecovpn_splitTunnelAcl remark DGSC 244.x
access-list cecovpn_splitTunnelAcl standard permit 10.244.0.0 255.255.0.0
access-list cecovpn_splitTunnelAcl standard permit 10.212.10.0 255.255.255.0
access-list cecovpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list cecovpn_splitTunnelAcl standard permit 172.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.192.0 10.2.23.0 255.255.255.
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.192.0 any
access-list inside_nat0_outbound extended permit ip 10.244.0.0 255.255.0.0 10.2.23.0 255.255.255.
access-list inside_nat0_outbound extended permit ip 10.244.0.0 255.255.0.0 any
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.2.23.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 any
access-list inside_nat0_outbound extended permit ip 172.0.0.0 255.0.0.0 10.2.23.0 255.255.255.128
access-list inside_nat0_outbound extended permit ip 172.0.0.0 255.0.0.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool cdppool 10.2.23.50-10.2.23.100 mask 255.255.255.192
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-611.bin
asdm location Hgnwhse 255.255.255.0 inside
no asdm history enable
arp timeout 14400
global (outside) 101 74.x.x.x-74.x.x.x netmask x.x.x.x
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 74.x.x.x 1
route inside 10.0.0.0 255.0.0.0 10.2.30.9 1
route inside 10.244.12.0 255.255.255.0 10.2.30.12 1
route inside 172.0.0.0 255.0.0.0 10.2.30.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.2.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.2.0.0 255.255.0.0 inside
telnet 10.2.69.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.4-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
group-policy cecovpn internal
group-policy cecovpn attributes
wins-server value 10.2.20.226
dns-server value 10.2.20.226 10.2.30.28
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cecovpn_splitTunnelAcl
default-domain value xx.com
**local user db omitted from this config **
tunnel-group cecovpn type remote-access
tunnel-group cecovpn general-attributes
address-pool cdppool
default-group-policy cecovpn
tunnel-group cecovpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:4d3e5bc0d8ca97967aeba7542c16ea1a
I run the site-to-site VPN wizard and it kills my remote access users.
I then try to add a site-to-site manually using the below additions to the config and get the same results: it kills my remote access user connections.
Site-to-site manual config additions that I made and then removed:
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 28800
tunnel-group (ip address of peer) type ipsec-l2l
tunnel-group (ip address of peer) ipsec-attributes
pre-shared-key XXXXX
crypto ipsec transform-set s2s esp-3des esp-sha-hmac
crypto map 5520 50 set transform-set s2s
crypto map 5520 50 set peer (ip of peer)
crypto map 5520 50 match address hgn
crypto map 5520 interface outside
access-list hgn extended permit ip 10.x.x.x 255.255.255.0 10.x.x.x 255.x.x.x
access-list nonat extended permit ip 10.x.x.x 255.255.255.0 10.x.x.x 255.x.x.x
nat (inside) 0 access-list nonat
Thanks for taking a look, any suggestions are appreciated.
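Added example (not from the poster or from Cisco): a small lint pass over a pre-8.3 ASA configuration that flags two things visible in the additions above that are worth checking before a crypto map goes onto an interface that already serves remote-access clients. It encodes two rules of pre-8.3 ASA behaviour that I am stating as assumptions here, not facts the post confirms: (1) once a crypto map is bound to an interface, only that map's entries are consulted, so a map with no `ipsec-isakmp dynamic` entry leaves IPsec remote-access clients with nothing to match; (2) only one `nat (iface) 0 access-list` is in effect per interface, so entering a second one replaces the first and its NAT exemptions. The sample config strings are constructed from lines in the post; `PEER_IP`, the dynamic-map name `ra-dyn` and sequence `65535` are placeholders I chose.

```python
"""Lint a pre-8.3 Cisco ASA config for two ways that adding a site-to-site
crypto map can break IPsec remote-access clients that were working.
Added example; sample lines are adapted from the forum post, not a live device."""
import re
from collections import defaultdict

# Constructed sample: the relevant lines of the working config from the post
# (no crypto map at all, one nat-0 exemption ACL, one remote-access tunnel-group).
WORKING = """
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.192.0 any
ip local pool cdppool 10.2.23.50-10.2.23.100 mask 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp enable outside
tunnel-group cecovpn type remote-access
"""

# Constructed sample: the manual site-to-site additions from the post, with the
# peer address replaced by the placeholder PEER_IP.
ADDITIONS = """
tunnel-group PEER_IP type ipsec-l2l
crypto ipsec transform-set s2s esp-3des esp-sha-hmac
crypto map 5520 50 set transform-set s2s
crypto map 5520 50 set peer PEER_IP
crypto map 5520 50 match address hgn
crypto map 5520 interface outside
access-list nonat extended permit ip 10.2.0.0 255.255.192.0 10.249.48.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

# Constructed sample: the same additions with a dynamic entry in the map and the
# exemption folded into the existing nat-0 ACL. ra-dyn / 65535 are my placeholders.
REVISED = WORKING + """
tunnel-group PEER_IP type ipsec-l2l
crypto ipsec transform-set s2s esp-3des esp-sha-hmac
crypto map 5520 50 set transform-set s2s
crypto map 5520 50 set peer PEER_IP
crypto map 5520 50 match address hgn
crypto dynamic-map ra-dyn 10 set transform-set ESP-3DES-SHA
crypto map 5520 65535 ipsec-isakmp dynamic ra-dyn
crypto map 5520 interface outside
access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.192.0 10.249.48.0 255.255.255.0
"""

PATTERNS = {
    "map_iface":   re.compile(r"^crypto map (\S+) interface (\S+)$"),
    "dyn_entry":   re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$"),
    "static_peer": re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$"),
    "ra_group":    re.compile(r"^tunnel-group (\S+) type remote-access$"),
    "nat0":        re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$"),
}


def parse_config(config_text):
    """Collect only the facts the two rules need, in the order the lines appear."""
    facts = {
        "map_interfaces": {},                   # crypto map name -> bound interface
        "static_entries": defaultdict(list),    # map name -> [seq, ...] with a static peer
        "dynamic_entries": defaultdict(list),   # map name -> [dynamic-map name, ...]
        "ra_tunnel_groups": [],                 # remote-access tunnel-group names
        "nat0_acls": defaultdict(list),         # interface -> [acl, ...] in entry order
    }
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := PATTERNS["map_iface"].match(line):
            facts["map_interfaces"][m.group(1)] = m.group(2)
        elif m := PATTERNS["dyn_entry"].match(line):
            facts["dynamic_entries"][m.group(1)].append(m.group(3))
        elif m := PATTERNS["static_peer"].match(line):
            facts["static_entries"][m.group(1)].append(int(m.group(2)))
        elif m := PATTERNS["ra_group"].match(line):
            facts["ra_tunnel_groups"].append(m.group(1))
        elif m := PATTERNS["nat0"].match(line):
            facts["nat0_acls"][m.group(1)].append(m.group(2))
    return facts


def lint_config(config_text):
    """Return a list of human-readable findings; an empty list means both rules pass."""
    facts = parse_config(config_text)
    findings = []
    # Rule 1: a bound crypto map with remote-access clients must carry a dynamic entry.
    for name, iface in facts["map_interfaces"].items():
        if facts["ra_tunnel_groups"] and not facts["dynamic_entries"].get(name):
            findings.append(
                f"crypto map {name} is bound to {iface} with static entries "
                f"{facts['static_entries'].get(name, [])} but no 'ipsec-isakmp dynamic' entry; "
                f"remote-access tunnel-groups {facts['ra_tunnel_groups']} have nothing to match")
    # Rule 2: a second nat (iface) 0 access-list replaces the first one.
    for iface, acls in facts["nat0_acls"].items():
        if len(acls) > 1:
            findings.append(
                f"nat ({iface}) 0 access-list entered {len(acls)} times ({', '.join(acls)}); "
                f"only {acls[-1]} stays in effect, so the exemptions in {acls[0]} are lost")
    return findings


if __name__ == "__main__":
    for label, cfg in (("working", WORKING), ("with additions", WORKING + ADDITIONS),
                       ("revised", REVISED)):
        print(f"{label}: {lint_config(cfg) or 'no findings'}")
```

Run it against the real `show run` output rather than the excerpt: the rules only look at `crypto map`, `tunnel-group ... type remote-access` and `nat (iface) 0 access-list` lines, so the rest of the configuration is ignored. A clean result does not prove the tunnel will come up (the ACLs, transform sets and pre-shared keys still have to agree with the peer); it only rules out these two ways of silently disabling the remote-access side.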