
    ASA 5505 trouble with VPN Remote Access


    by mikael ·

    Hi.

    I have set up an ASA 5505 with two kinds of VPN. One is an L2L tunnel over IPsec, and it works fine. The other is a remote-access VPN for Windows clients (not Cisco clients). I can connect, but that's all: I can't reach anything on the LAN or on the Internet.
    Now I am stuck and can't get any further.

    When I run ipconfig /all on the client while it is logged on to the VPN, I get 192.168.1.xx 255.255.255.255 and default gateway 0.0.0.0.

    This is the show run. (It is just a test, so you may see a lot of strange things, but maybe some of you can get me on the right track?)

    Result of the command: “sh ru”

    ! Running configuration ("sh ru") of an ASA 5505 carrying one LAN-to-LAN IPsec
    ! tunnel plus L2TP/IPsec and WebVPN remote access. Lines starting with
    ! "! NOTE(review):" are reviewer annotations; every configuration line is unchanged.
    ! NOTE(review): password hashes and public addresses are only partly masked in this
    ! paste. Mask them consistently before publishing a configuration, and change any
    ! credential whose hash has been published.
    : Saved
    :
    ! NOTE(review): 8.0(2) is a very old software release; check it against the vendor's
    ! current security advisories and supported-release list.
    ASA Version 8.0(2)
    !
    hostname ciscoasa
    ! NOTE(review): "encrypted" here is a stored password hash, not reversible ciphertext.
    ! Once posted it can be guessed offline, so the enable password should be changed.
    enable password Xr09ggbRRsmk3tu5 encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ! NOTE(review): this value looks like the well-known factory-default login password
    ! hash - confirm, and set a unique login password either way.
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    ! ACL 100 is the crypto ACL of the LAN-to-LAN tunnel (see "crypto map outside_map 20
    ! match address 100" below).
    access-list 100 extended permit ip 192.168.1.0 255.255.255.0 192.168.51.0 255.255.255.0
    ! ACL nonat is the NAT-exemption list used by "nat (inside) 0" below.
    ! NOTE(review): it covers 192.168.51.0/24 and 192.168.1.32/28 (which contains the RAip
    ! pool) but has no entry for 192.168.20.0/24, the DiffSub pool that tunnel-group
    ! DefaultRAGroup hands out. Traffic between the inside LAN and those clients would then
    ! fall under "nat (inside) 1" - a likely reason LAN hosts are unreachable; confirm.
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.51.0 255.255.255.0
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.1.32 255.255.255.240
    ! NOTE(review): DefaultRAGroup_splitTunnelAcl is not referenced by any group-policy in
    ! this listing.
    access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    ! NOTE(review): "permit any" together with "split-tunnel-policy excludespecified" in
    ! group-policy DefaultRAGroup asks the client to keep ALL destinations out of the
    ! tunnel. The usual local-LAN-access form is a single "permit host 0.0.0.0" entry -
    ! confirm the intent.
    access-list Local_LAN_access standard permit any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ! NOTE(review): RAip lies inside the inside-interface subnet (192.168.1.0/24) and is
    ! not referenced by any tunnel-group shown; DiffSub is the pool actually assigned.
    ip local pool RAip 192.168.1.34-192.168.1.40 mask 255.255.255.0
    ip local pool DiffSub 192.168.20.2-192.168.20.5 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    ! Inside hosts are PAT-ed to the outside interface address, except traffic matching
    ! ACL nonat, which is exempted by "nat (inside) 0".
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    ! NOTE(review): "tunneled" makes this the default route for traffic that arrives
    ! through a VPN tunnel. No "same-security-traffic permit intra-interface" and no
    ! "nat (outside)" rule appear in this listing, so client Internet traffic that enters
    ! and leaves on "outside" would presumably not be forwarded - confirm.
    route outside 0.0.0.0 0.0.0.0 85.228.220.149 tunneled
    route outside xxx.227.235.0 255.255.255.0 xxx.227.235.xx 1
    route outside 192.168.51.0 255.255.255.0 xxx.227.235.xx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    ! NOTE(review): the next two lines allow ASDM/HTTPS management from ANY source address
    ! on the outside interface. Restrict this to specific administrator addresses, or
    ! manage the device only from inside or over the VPN.
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! NOTE(review): many of the transform sets below use DES, 3DES or MD5, which are
    ! obsolete. Prefer AES with SHA and delete the sets that are not needed.
    ! "myset" is the one used by the LAN-to-LAN crypto map entry 20.
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    ! TRANS_ESP_3DES_SHA is switched to transport mode, the mode L2TP/IPsec clients use.
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    ! NOTE(review): the default dynamic map accepts every set listed, down to ESP-DES-MD5,
    ! so a peer that offers only the weakest set is still accepted. Trim the list to the
    ! sets the remote-access clients really need.
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
    ! NOTE(review): outside_dyn_map is not attached to any crypto map in this listing.
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
    ! Entry 20 is the static LAN-to-LAN tunnel; entry 65535 accepts dynamic
    ! (remote-access) peers through SYSTEM_DEFAULT_CRYPTO_MAP.
    crypto map outside_map 20 match address 100
    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer 90.227.235.15
    crypto map outside_map 20 set transform-set myset
    crypto map outside_map 20 set security-association lifetime seconds 3600
    crypto map outside_map 20 set security-association lifetime kilobytes 100000
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    ! NOTE(review): a crypto map and ISAKMP are also enabled on the inside interface. If
    ! no tunnel is meant to terminate on inside, this only adds exposure - confirm and
    ! remove.
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    ! NOTE(review): the only IKE policy uses pre-shared keys with 3DES and DH group 2
    ! (1024-bit). Stronger settings (AES, a larger DH group) are preferable where the
    ! peers support them.
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    ! NOTE(review): NAT traversal is disabled; remote-access clients behind a NAT device
    ! generally need it - confirm whether that is intended.
    no crypto isakmp nat-traversal
    ! Aggressive mode is disabled, which keeps the pre-shared-key hash from being sent to
    ! unauthenticated peers.
    crypto isakmp am-disable
    telnet timeout 5
    ssh timeout 5
    ! NOTE(review): "console timeout 0" means a console session never times out.
    console timeout 0
    dhcpd domain customer.it-network.local
    !
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns 192.168.51.2 interface inside
    dhcpd option 3 ip 192.168.1.1 interface inside
    dhcpd enable inside
    !
    dhcpd dns 1xx.54.1xx.200 interface outside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    ! Clientless SSL VPN (WebVPN) is enabled on the outside interface.
    webvpn
    enable outside
    ! Group policy applied to the default remote-access tunnel group.
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 195.54.122.200 192.168.51.2
    vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    ! NOTE(review): "excludespecified" with a list that permits "any" excludes everything
    ! from the tunnel for clients that honour the policy. The native Windows L2TP client
    ! presumably takes its routing from its own "use default gateway on remote network"
    ! setting instead - verify on the client.
    split-tunnel-policy excludespecified
    split-tunnel-network-list value Local_LAN_access
    default-domain value customer.it-network.local
    group-policy testssl internal
    group-policy testssl attributes
    vpn-tunnel-protocol webvpn
    webvpn
    url-list none
    ! NOTE(review): "nt-encrypted" values are stored password hashes kept for MS-CHAP
    ! authentication. They are published here, so both accounts need new passwords.
    username misv1 password HfgAbmbPR90GsbNi2IjKKg== nt-encrypted
    username misv password 9l2FldbJIb0sqj2gXJHbVg== nt-encrypted privilege 0
    username misv attributes
    vpn-group-policy DefaultRAGroup
    ! Remote-access clients landing in DefaultRAGroup get addresses from pool DiffSub
    ! (192.168.20.2-192.168.20.5).
    tunnel-group DefaultRAGroup general-attributes
    address-pool DiffSub
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    ! NOTE(review): IKE keepalives are disabled for this group, so a dead peer is not
    ! detected through them.
    isakmp keepalive disable
    ! Only MS-CHAPv2 is accepted for PPP authentication; CHAP and MS-CHAPv1 are turned off.
    tunnel-group DefaultRAGroup ppp-attributes
    no authentication chap
    no authentication ms-chap-v1
    authentication ms-chap-v2
    tunnel-group xxx.227.235.xx type ipsec-l2l
    tunnel-group xxx.227.235.xx ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group testssl type remote-access
    tunnel-group testssl general-attributes
    default-group-policy testssl
    prompt hostname context
    Cryptochecksum:3f0296deee00f5e3acbc0c2bd761dfb3
    : end
