VPN Help

[subzerocool]

Hello, I'm still new on this site and hope one of you can help me with this. I have an ASA 5505 at the main and remote sites. The remote site can reach the main site but the main can't reach the remote. I was wondering if one of you can tell me what I did wrong, here is the config for the remote site:

SA Version 7.2(4)
!
hostname RiversEdge2
domain-name riversedge
enable password ZBU5tT8/6Cuyn5My encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Ethernet0/0
switchport acce
speed 10
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name riversedge
access-list outside_1_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list VPN_cryptomap extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.1.0 255.255.255.0
access-group outside_1_cryptomap i
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 10.0.1.4 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map CLIENTMAP 1 match address outside_1_cryptomap
crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer xxx.xxx.xxx.xxx
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 10.0.1.10-10.0.1.25 inside
dhcpd dns 71.252.0.12 71.242.10.12 interface inside
dhcpd enable inside
!

tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9c42273126fb4d737f00e8459273d284
: end

 

[North323]

is the tunnel up? can you post a config of the home site?

 

[subzerocool]

Sorry I forgot, here is the config for the main site:

RiversEdgeASA> enable
Username: admin
Password: *******
RiversEdgeASA# show running-config
: Saved
:
ASA Version 8.2(1)
!
hostname RiversEdgeASA
enable password ZBU5tT8/6Cuyn5My encrypted
passwd ZBU5tT8/6Cuyn5My enc
no names
name 10.0.100.0 VPNPOOL
!
interface Vlan1
description TO_SWITCH
nameif inside
security-level 100
ip address 10.0.0.5 255.255.255.0
!
interface Vlan2
description TO_ROUTER
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface Ethernet0/0
description TO_ROUTER
switchport access vlan 2
speed 10
duplex full
!
interface Ethernet0/1
description TO_SWITCH
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
access-list OUTSIDE-ACCESS-IN extended deny tcp host 75.150.80.105 interface out
side eq smtp log debugging
access-list OUTSIDE-ACCESS-IN extended permit tcp any interface outside eq smtp
log debugging
access-list OUTSIDE-ACCESS-IN extended permit tcp any interface outside eq https

access-list OUTSIDE-ACCESS-IN extended permit tcp any interface outside eq 3389

access-list OUTSIDE-ACCESS-IN extended permit tcp any inter
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.25
4.254.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 10.0.
1.0 255.255.255.0
access-list SPLIT-TUN-NW-LIST standard permit 10.0.0.0 255.255.0.0
access-list IN-2-OUT extended permit tcp host 10.0.0.8 any eq smtp log
access-list IN-2-OUT extended permit tcp host 10.0.0.8 eq smtp any log
access-list IN-2-OUT extended deny tcp any any eq smtp log
access-list IN-2-OUT extended deny tcp any eq
access-list IN-2-OUT extended permit ip any any
access-list VPN_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255
.255.255.0
pager lines 24
logging enable
logging buffer-size 30000
logging buffered debugging
logging asdm informational
logging flash-bufferwrap
mtu inside 1500
mtu outside 1500
ip local pool VPNPOOL 10.254.254.100-10.254.254.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list i
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 10.0.0.8 smtp netmask 255.255.255.255

static (inside,outside) tcp interface https 10.0.0.60 https netmask 255.255.255.
255
static (inside,outside) tcp interface

http://www 10.0.0.8

http://www netmask

255.255.255.255
access-group IN-2-OUT in interface inside
access-group OUTSIDE-ACCESS-IN in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
http 66.207.69.0 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer xxx.xxx.xxx.xxx
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 15
ssh 10.0.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 30
console timeout 15
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
group-policy SSLGROUPPOL internal
group-policy SSLGROUPPOL attributes
vpn-tunnel-protocol svc webvpn
group-policy VPNCLIENT internal
group-policy VPNCLIENT attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUN-NW-LIST
username admin password 4q9CV.7crd4WX2DC encrypted privilege 15
username glenn password gKAkkf4UbCPKuvrQ encrypted privilege 0
username glenn attributes
vpn-group-policy SSLGROUPPOL
username alitech password w7ca/aifUZXjFdYA encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool (inside) VPNPOOL
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool (inside) VPNPOOL
tunnel-group RiversEdgeVPN type remote-access
tunnel-group RiversEdgeVPN general-attributes
address-pool (in
address-pool VPNPOOL
default-group-policy SSLGROUPPOL
tunnel-group RIVERSEDGEVPN type remote-access
tunnel-group RIVERSEDGEVPN general-attributes
address-pool (inside) VPNPOOL
address-pool VPNPOOL
default-group-policy SSLGROUPPOL
tunnel-group VPNCLIENT type remote-access
tunnel-group VPNCLIENT general-attributes
address-pool VPNPOOL
default-group-policy VPNCLIENT
tunnel-group VPNCLIENT ipsec-attributes
pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attribute
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:506a852794338ded49f4578dfde17836
: end

 

[North323]

you have two route outsides with same cost. are they different IP addresses?

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1

 

[subzerocool]

Yes, they are. The tunnel is up. Only problem is that the main site can't see the remote site. The remote site can see everything on the main site fine.

 

[Supergrrover]

These ACEs are off

access-list SPLIT-TUN-NW-LIST standard permit 10.0.0.0 255.255.0.0 ********
access-list IN-2-OUT extended permit tcp host 10.0.0.8 any eq smtp log
access-list IN-2-OUT extended permit tcp host 10.0.0.8 eq smtp any log ********
access-list IN-2-OUT extended deny tcp any any eq smtp log
access-list IN-2-OUT extended deny tcp any eq *******
access-list IN-2-OUT extended permit ip any any


Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[subzerocool]

Is there anything else I have to do? I can only see the main site from the remote but the main can't see the remote. Is there anthing else I need to add?

 

[subzerocool]

Supergrrover, I was wondering if there was another ACL I need to create. Please let me know, thanks.

 

[Supergrrover]

Remove these lines
access-list IN-2-OUT extended permit tcp host 10.0.0.8 eq smtp any log
access-list IN-2-OUT extended deny tcp any eq

and remove this
nat (inside) 0 access-list i

and do this instead

nat (inside) 0 access-list inside_nat0_outbound

and kill the second outside route (only have one in place)

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[subzerocool]

I checked the nat (inside) 0 access-list inside_nat0_outbound and it's correct. For some reason it didn't past the whole command. Is there anything else I'm missing? These VPN set ups are such a headache, only one side can see the other. I can't seem to see what is wrong, the remote can see the main, the main can't see the remote site.

 

[subzerocool]

I'm sorry to bother you guys so much. Just wondering if there is anything else I'm missing. Please help, thanks.