Velocity Reviews - Computer Hardware Reviews

ASA VPN Quick hint?

Ingot
06-08-2007
Chad already helped me a lot with my initial configuration problem. Now I'm
at the point of trying to configure a VPN connection.

I've run the wizard, and gotten a successful authentication to an internal
user...

I've gotten it to forward the DNS request to an "Inside" network DNS server.

For some reason I can't connect to anything though. Pings don't work, name
resolution doesn't work...

I just want a simple VPN Remote Access setup, so remote users can connect,
get an "inside" (private) IP, and operate like they were on the network
locally. Anything more sophisticated can wait.

With these symptoms, can someone tell me where to do my reading and
troubleshooting? I was just hoping someone could tell me the most likely
areas for where I messed up.

Group Policy?

ISAKMP?

Tunnel groups?

Ingot



 
Chad Mahoney
06-08-2007
Ingot wrote:
> Chad already helped me a lot with my initial configuration problem. Now I'm
> at the point of trying to configure a VPN connection.
>
> I've run the wizard, and gotten a successful authentication to an internal
> user...
>
> I've gotten it to forward the DNS request to an "Inside" network DNS server.
>
> For some reason I can't connect to anything though. Pings don't work, name
> resolution doesn't work...
>
> I just want a simple VPN Remote Access setup, so remote users can connect,
> get an "inside" (private) IP, and operate like they were on the network
> locally. Anything more sophisticated can wait.
>
> With these symptoms, can someone tell me where to do my reading and
> troubleshooting? I was just hoping someone could tell me the most likely
> areas for where I messed up.
>
> Group Policy?
>
> ISAKMP?
>
> Tunnel groups?
>
> Ingot
>
>
>


Hey Ingot,

Are you using PPTP or IPSEC? You might want to post your config, remove
any public IP info.
 
Ingot
06-08-2007
"Chad Mahoney" <(E-Mail Removed)0ney.com> wrote
>
> Are you using PPTP or IPSEC? You might want to post your config, remove
> any public IP info.


I'm using IPSEC.

Well, I didn't want to ask anyone to do all of THAT, I just wanted to know
if someone had a hint as to where I might have misconfigured.

But... Here it is.

Ingot


--- Begin Paste ---




User Access Verification

Password:
Type help or '?' for a list of available commands.
issciscoasa> en
Password: *********
issciscoasa# sh run
: Saved
:
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.34 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxxxxxxxxxx encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any host x.x.x.34 echo-reply log
access-list outside_access_in extended permit icmp any host x.x.x.34 time-exceeded log
access-list outside_access_in_1 extended permit icmp any host x.x.x.34
access-list inside_nat0_outbound extended permit ip any 192.168.5.192 255.255.255.192
access-list outside_cryptomap extended permit ip any 192.168.5.192 255.255.255.192
access-list outside_cryptomap_1 extended permit ip any 192.168.5.192 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.5.0 255.255.255.0
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy psatunnel internal
group-policy psatunnel attributes
dns-server value 192.168.5.5 x.x.x.x
vpn-tunnel-protocol IPSec
username Name1 password xxxxxxxxx encrypted privilege 15
username Name1 attributes
vpn-group-policy psatunnel
username Name2 password xxxxxxx encrypted privilege 15
username Name2 attributes
vpn-group-policy psatunnel
http server enable
http 192.168.5.0 255.255.255.0 management
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultWEBVPNGroup general-attributes
dhcp-server 192.168.5.5
password-management password-expire-in-days 10
tunnel-group psatunnel type ipsec-ra
tunnel-group psatunnel general-attributes
default-group-policy psatunnel
dhcp-server 192.168.5.5
tunnel-group psatunnel ipsec-attributes
pre-shared-key *
no vpn-addr-assign aaa
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.5.2-192.168.5.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksumxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
issciscoasa#


 
Ingot
06-08-2007

"Chad Mahoney" <(E-Mail Removed)0ney.com> wrote

> Are you using PPTP or IPSEC? You might want to post your config, remove
> any public IP info.


Ok, more info on this...

I'm getting "No translation group found for src outside x.x.x.x/xx dst
inside y.y.y.y/yy".

They're both the IP range of my inside network.

I wouldn't have thought I NEEDED a translation group for a VPN tunnel, since
the address I served to the connecting client is the same network as the
internal one.

I tried applying a NAT exemption for that IP on the outside interface, with
no luck.

Obviously I'm missing something key.

Ingot


 
Chad Mahoney
06-08-2007
Ingot wrote:
> "Chad Mahoney" <(E-Mail Removed)0ney.com> wrote
>
>> Are you using PPTP or IPSEC? You might want to post your config, remove
>> any public IP info.

>
> Ok, more info on this...
>
> I'm getting "No translation group found for src outside x.x.x.x/xx dst
> inside y.y.y.y/yy".
>
> They're both the IP range of my inside network.
>
> I wouldn't have thought I NEEDED a translation group for a VPN tunnel, since
> the address I served to the connecting client is the same network as the
> internal one.
>
> I tried applying a NAT exemption for that IP on the outside interface, with
> no luck.
>
> Obviously I'm missing something key.
>
> Ingot
>
>


Ingot,

What is happening here is that the IPs you are being issued when you
connect are trying to perform NAT; you need to exclude the IP range you
are using from NAT.

The command below is your issue:

nat (inside) 0 access-list inside_nat0_outbound

You do not have inside_nat0_outbound applied anywhere in your config,
so you may remove it.

I would suggest using a statement such as:

nat (inside) 0 access-list outside_cryptomap_1

Also, how are your IP addresses being assigned when the users connect? I
would not have them assign an address already in use on your local LAN
(192.168.5.X); I would make up a completely new subnet, 192.168.6.0, and
assign addresses from that range. The reason behind this is that with the
statement nat (inside) 0 access-list outside_cryptomap_1, any IP address
from 192.168.5.192 - 192.168.5.254 will now lose internet connectivity
because you have excluded them from the NAT process, which could be an
issue.

HTH,

Chad


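A corrected configuration along the lines Chad describes (a dedicated client subnet plus a NAT exemption that covers it), shown as an added example rather than anything posted in the thread; the pool name psa-pool and the 192.168.6.10-192.168.6.100 range are assumptions, and ASA 7.2 pre-8.3 NAT syntax is assumed throughout:

```cisco
! --- Before (taken from the posted config): there is no address pool, so
! --- clients are handed an address by the inside DHCP server, and the
! --- nat 0 exemption only names 192.168.5.192/26 out of the LAN's own
! --- 192.168.5.0/24
access-list inside_nat0_outbound extended permit ip any 192.168.5.192 255.255.255.192
nat (inside) 0 access-list inside_nat0_outbound
tunnel-group psatunnel general-attributes
 default-group-policy psatunnel
 dhcp-server 192.168.5.5
!
! --- After: clients get addresses from a subnet that is not in use on
! --- the LAN (192.168.6.0/24, as Chad suggested); pool name and range
! --- are assumptions
ip local pool psa-pool 192.168.6.10-192.168.6.100 mask 255.255.255.0
!
! Exempt LAN <-> client traffic from NAT. A nat 0 access-list exemption
! is evaluated in both directions, so it also covers the client -> LAN
! packets that produced the "No translation group found" message.
no access-list inside_nat0_outbound extended permit ip any 192.168.5.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Inside hosts keep their normal PAT to the internet: the exemption now
! only matches traffic destined for 192.168.6.0/24, so no LAN host is
! pulled out of the NAT process the way the old /26 entry did.
nat (inside) 1 192.168.5.0 255.255.255.0
global (outside) 1 interface
!
! Assign from the pool instead of the inside DHCP scope
tunnel-group psatunnel general-attributes
 no dhcp-server 192.168.5.5
 address-pool psa-pool
```

After applying it, "show crypto ipsec sa" on the ASA should show the 192.168.6.0/24 <-> 192.168.5.0/24 traffic counters climbing once a client pings an inside host.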
 
Ingot
06-08-2007

"Chad Mahoney" <(E-Mail Removed)0ney.com> wrote
> Ingot,
>
> What is happening here is that the IPs you are being issued when you
> connect are trying to perform NAT; you need to exclude the IP range you
> are using from NAT.
>
> The command below is your issue:
>
> nat (inside) 0 access-list inside_nat0_outbound
>
> You do not have inside_nat0_outbound applied anywhere in your config,
> so you may remove it.
>
> I would suggest using a statement such as:
>
> nat (inside) 0 access-list outside_cryptomap_1
>
> Also, how are your IP addresses being assigned when the users connect? I
> would not have them assign an address already in use on your local LAN
> (192.168.5.X); I would make up a completely new subnet, 192.168.6.0, and
> assign addresses from that range. The reason behind this is that with the
> statement nat (inside) 0 access-list outside_cryptomap_1, any IP address
> from 192.168.5.192 - 192.168.5.254 will now lose internet connectivity
> because you have excluded them from the NAT process, which could be an
> issue.
>
> HTH,
>
> Chad



Thanks Chad...

Still having problems, but I'm getting closer, I'll keep you apprised...

Meanwhile... The powers that be here are doing the classic. No training
for five years, dump a complex piece of equipment on your desk, and expect
you to get it running in three days.

I'll play hell getting any money for training too.

Is there a book anyone can recommend for the ASA 5510 ?

Ingot


 
Chad Mahoney
06-08-2007
Ingot wrote:
> Thanks Chad...
>
> Still having problems, but I'm getting closer, I'll keep you apprised...
>
> Meanwhile... The powers that be here are doing the classic. No training
> for five years, dump a complex piece of equipment on your desk, and expect
> you to get it running in three days.
>
> I'll play hell getting any money for training too.
>
> Is there a book anyone can recommend for the ASA 5510 ?
>
> Ingot


Exactly how I learned as well.

I would suggest:

http://www.ciscopress.com/bookstore/...587052148&rl=1
 
M
06-09-2007
Try this:

static (int1,int2) <inside network> <inside network> netmask A.B.C.D

example:

static (inside,DMZ2) 172.21.4.0 172.21.4.0 netmask 255.255.255.0


"Ingot" <(E-Mail Removed)> wrote in message
news:46698c2e$0$16267$(E-Mail Removed)...
>
> "Chad Mahoney" <(E-Mail Removed)0ney.com> wrote
>
>> Are you using PPTP or IPSEC? You might want to post your config, remove
>> any public IP info.

>
> Ok, more info on this...
>
> I'm getting "No translation group found for src outside x.x.x.x/xx dst
> inside y.y.y.y/yy".
>
> They're both the IP range of my inside network.
>
> I wouldn't have thought I NEEDED a translation group for a VPN tunnel,
> since
> the address I served to the connecting client is the same network as the
> internal one.
>
> I tried applying a NAT exemption for that IP on the outside interface,
> with
> no luck.
>
> Obviously I'm missing something key.
>
> Ingot
>
>



 