
    ASA 5505 trouble with VPN Remote Access


    by mikael ·


    I have set up an ASA 5505 with 2 sorts of VPN: one L2L tunnel over IPsec, and it works fine. Then I have set up a VPN remote access for Windows clients (not Cisco clients). Well, I can connect, and that's it. I can't reach anything on the LAN or on the internet.
    And now I am stuck and can't get any further.

    When I do an ipconfig /all on the client, when it's logged on to the VPN, I get 192.168.1.xx and default Gateway

    This is the show run: (it is just a test, if you see a lot of strange things, but maybe some of you can get me on the right track?)

    Result of the command: “sh ru”

    : Saved
    ASA Version 8.0(2)
    hostname ciscoasa
    enable password Xr09ggbRRsmk3tu5 encrypted
    interface Vlan1
    nameif inside
    security-level 100
    ip address
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list 100 extended permit ip
    access-list nonat extended permit ip
    access-list nonat extended permit ip
    access-list DefaultRAGroup_splitTunnelAcl standard permit
    access-list Local_LAN_access standard permit any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool RAip mask
    ip local pool DiffSub mask
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1
    route outside tunneled
    route outside xxx.227.235.0 xxx.227.235.xx 1
    route outside xxx.227.235.xx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http outside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
    crypto map outside_map 20 match address 100
    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer
    crypto map outside_map 20 set transform-set myset
    crypto map outside_map 20 set security-association lifetime seconds 3600
    crypto map outside_map 20 set security-association lifetime kilobytes 100000
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    no crypto isakmp nat-traversal
    crypto isakmp am-disable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd domain
    dhcpd address inside
    dhcpd dns interface inside
    dhcpd option 3 ip interface inside
    dhcpd enable inside
    dhcpd dns 1xx.54.1xx.200 interface outside

    threat-detection basic-threat
    threat-detection statistics access-list
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    enable outside
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    split-tunnel-policy excludespecified
    split-tunnel-network-list value Local_LAN_access
    default-domain value
    group-policy testssl internal
    group-policy testssl attributes
    vpn-tunnel-protocol webvpn
    url-list none
    username misv1 password HfgAbmbPR90GsbNi2IjKKg== nt-encrypted
    username misv password 9l2FldbJIb0sqj2gXJHbVg== nt-encrypted privilege 0
    username misv attributes
    vpn-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup general-attributes
    address-pool DiffSub
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    tunnel-group xxx.227.235.xx type ipsec-l2l
    tunnel-group xxx.227.235.xx ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group testssl type remote-access
    tunnel-group testssl general-attributes
    default-group-policy testssl
    prompt hostname context
    : end
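
Added example, not part of the original post and not Cisco tooling: a small Python check over a pasted ASA running-config that flags three settings worth reviewing in a remote-access setup like the one above: transform sets using single DES or MD5, NAT traversal disabled, and an `excludespecified` split-tunnel policy whose network list permits `any`. The function name, the check ids and the sample (a subset of the lines posted above) are constructed for illustration.

```python
import re

# Constructed sample: a subset of lines from the running-config posted above.
SAMPLE_CONFIG = """\
access-list Local_LAN_access standard permit any
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
no crypto isakmp nat-traversal
group-policy DefaultRAGroup attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_access
"""

# Exact tokens only, so esp-3des is not mistaken for single DES.
WEAK_TRANSFORMS = {"esp-des", "esp-md5-hmac"}


def audit_asa_config(text):
    """Return sorted (check_id, detail) findings; check ids are hypothetical."""
    findings, any_acls = set(), set()
    policy, exclude_mode, split_acl = None, set(), {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ("group-policy", "username", "tunnel-group"):
            # Indentation is lost in the paste, so track the submode by keyword.
            policy = tok[1] if tok[0] == "group-policy" and len(tok) > 1 else None
        elif re.fullmatch(r"access-list \S+ standard permit any", " ".join(tok)):
            any_acls.add(tok[1])
        elif tok[:3] == ["crypto", "ipsec", "transform-set"] and len(tok) > 4:
            weak = WEAK_TRANSFORMS.intersection(tok[4:])
            if weak:
                findings.add(("weak-transform", f"{tok[3]}: {','.join(sorted(weak))}"))
        elif tok == ["no", "crypto", "isakmp", "nat-traversal"]:
            # With NAT-T off, ESP is not UDP-encapsulated for clients behind NAT.
            findings.add(("nat-t-disabled", " ".join(tok)))
        elif policy and tok == ["split-tunnel-policy", "excludespecified"]:
            exclude_mode.add(policy)
        elif policy and tok[:2] == ["split-tunnel-network-list", "value"] and len(tok) > 2:
            split_acl[policy] = tok[2]
    for name in exclude_mode:
        # excludespecified keeps listed networks out of the tunnel; "any" lists everything.
        if split_acl.get(name) in any_acls:
            findings.add(("split-exclude-any", f"{name} uses {split_acl[name]}"))
    return sorted(findings)

print(audit_asa_config(SAMPLE_CONFIG))
```

The findings are items to review against the intended design, not a diagnosis of the connectivity problem described in the post.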
