Velocity Reviews - Computer Hardware Reviews

Help on Cisco ASA 5510 VPN IPsec

 
 
Mag
Guest
Posts: n/a
 
      01-04-2009
Hi

I have a small problem with my new ASA 5510:

I have configured a VPN IPsec service and have no problems
with the connection, but afterwards, when I want to ping the LAN,
I don't get an answer.

On one of my servers I see the packet with tcpdump, and I see
the reply of the server, but on the ASA I have a message from
the firewall ...

I have used the wizard included in the 6.0 version.

Thanks for your help
Mag

 
 
 
 
 
Brian V
Guest
Posts: n/a
 
      01-04-2009

"Mag" <(E-Mail Removed)> wrote in message
news:49607868$0$6704$(E-Mail Removed)...
> Hi
>
> i have a small problems with my new asa 5510:
>
> I have configured a VPN IPSEC Service and no problems
> at the connection but after, when i want ping the lan
> i don't have a answer.
>
> On one of my server, i see the packet with tcpdump, i see
> the reply of the server but on the ASA i have a message of
> the firewall ...
>
> I have used the Wizard included into the 6.0 version.
>
> Thanks for your help
> Mag
>


You need to post a sanitized config for us to be able to help you.

 
 
 
 
 
Mag
Guest
Posts: n/a
 
      01-05-2009
Brian V wrote:
>
> You need to post a sanitized config for us to be able to help you.


Oh yes, sorry ;=) :
Configuration (sh run) generated with the ASDM wizard:




Result of the command: "show running-config"

: Saved
:
ASA Version 8.0(3)
!
hostname ASA5510-1
domain-name asa1.xxx.org
enable password XXX
names
name 10.100.5.0 IPSec
!
interface Ethernet0/0
nameif wan
security-level 0
ip address 62.XX.XX.XX 255.255.255.224
!
interface Ethernet0/1
nameif lan
security-level 0
ip address 10.100.7.242 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd XXXX encrypted
ftp mode passive
dns domain-lookup lan
dns server-group DefaultDNS
name-server 10.100.7.250
domain-name asa1.xxx.org
access-list lan_nat0_outbound extended permit ip any IPSec 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu lan 1500
mtu wan 1500
ip local pool IpSec 10.100.5.10-10.100.5.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (wan) 101 interface
nat (lan) 0 access-list lan_nat0_outbound
nat (lan) 101 0.0.0.0 0.0.0.0
route wan 0.0.0.0 0.0.0.0 62.XX.XX.XX 1
route lan 10.0.0.0 255.0.0.0 10.100.7.250 1
route lan 172.26.0.0 255.255.0.0 10.100.7.250 1
route lan 172.27.0.0 255.255.0.0 10.100.7.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 wan
http 62.XX.XX.XX 255.255.255.224 wan
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set
ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5
ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
ESP-DES-MD5
crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wan_map interface wan
crypto isakmp enable wan
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access wan
threat-detection basic-threat
threat-detection statistics
group-policy ipsecvpn internal
group-policy ipsecvpn attributes
dns-server value 10.100.7.242
vpn-tunnel-protocol IPSec
default-domain value XXXX.fr
username magalie password 1YqAYSguYgIKdkUO encrypted privilege 0
username magalie attributes
vpn-group-policy ipsecvpn
tunnel-group ipsecvpn type remote-access
tunnel-group ipsecvpn general-attributes
address-pool IpSec
default-group-policy ipsecvpn
tunnel-group ipsecvpn ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:3c033e8f335604a9fa0af37e27ddf6d8
: end





And after connecting, these are the log entries:

3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan:10.100.7.248
dst wan:10.100.5.10 (type 0, code 0)

6|Jan 05 2009|05:30:10|302020|10.100.5.10|10.100.7.248|Built inbound
ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr
10.100.7.248/0 (magalie)

6|Jan 05 2009|05:30:09|302021|10.100.5.10|10.100.7.248|Tear down ICMP
connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr
10.100.7.248/0 (magalie)





Thanks for your help
Magalie
 
 
Mag
Guest
Posts: n/a
 
      01-05-2009

Anyone?



 
Mag
Guest
Posts: n/a
 
      01-05-2009

It's not only the ICMP that is denied:

Inbound TCP connection denied from 10.100.7.245/22 to 10.100.5.10/1953
flags SYN ACK on interface lan

What is the ACL to put in place to accept all traffic from LAN to IPsec and
from IPsec to LAN?

I also see that on my PC connected over IPsec, the subnet mask is 255.0.0.0 and
not 255.255.255.0 ..
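The two deny messages posted so far, read against the posted config, as an added example (this is not code from the thread, from Cisco, or from ASDM): a Python script that parses a running-config of the posted shape for each interface's security-level, the VPN address pool and the crypto-map interface, then classifies each deny line by the security levels of its source and destination interfaces. It relies on standard ASA behaviour: traffic between two interfaces at the same security level is dropped unless `same-security-traffic permit inter-interface` is configured, traffic from a lower to a higher level needs an access-list, and an ICMP echo-reply is only matched to the request that caused it when `inspect icmp` is enabled. The sample config and log lines are constructed from the ones posted (joined onto one line each); the assumption that a pool address sits behind the interface the crypto map is bound to is the script's, not the thread's.

```python
"""Correlate ASA deny messages with interface security levels (added example)."""
import ipaddress
import re

# Constructed from the posted running-config: only the lines this check reads.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif wan
 security-level 0
!
interface Ethernet0/1
 nameif lan
 security-level 0
!
interface Management0/0
 nameif management
 security-level 0
 management-only
!
ip local pool IpSec 10.100.5.10-10.100.5.254
crypto map wan_map interface wan
"""

# Constructed from the two deny messages posted in the thread, each joined
# onto one line as the ASA emits it.
SAMPLE_LOGS = [
    "3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan:10.100.7.248 "
    "dst wan:10.100.5.10 (type 0, code 0)",
    "Inbound TCP connection denied from 10.100.7.245/22 to 10.100.5.10/1953 "
    "flags SYN ACK on interface lan",
]

ICMP_DENY = re.compile(r"Deny inbound icmp src (\w+):([\d.]+) dst (\w+):([\d.]+) "
                       r"\(type (\d+), code (\d+)\)")
TCP_DENY = re.compile(r"Inbound TCP connection denied from ([\d.]+)/\d+ to ([\d.]+)/\d+ "
                      r"flags ([A-Z ]+?) on interface (\w+)")


def parse_config(text):
    """Pull out what the explanation needs: security level per nameif, VPN
    address pools, the interface the crypto map is bound to, and whether
    same-security traffic and ICMP inspection are enabled."""
    cfg = {"levels": {}, "pools": [], "vpn_if": None,
           "same_security": False, "inspect_icmp": False}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # start of a new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            cfg["levels"][nameif] = int(line.split()[1])
        elif line.startswith("ip local pool "):
            lo, hi = line.split()[4].split("-")
            cfg["pools"].append((ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
        elif line.startswith("crypto map ") and " interface " in line:
            cfg["vpn_if"] = line.split()[-1]   # decrypted VPN traffic enters here
        elif line == "same-security-traffic permit inter-interface":
            cfg["same_security"] = True
        elif line == "inspect icmp":           # lives inside the global policy-map
            cfg["inspect_icmp"] = True
    return cfg


def in_pool(addr, pools):
    a = ipaddress.ip_address(addr)
    return any(lo <= a <= hi for lo, hi in pools)


def explain(line, cfg):
    """Classify one deny line; returns None for lines of another shape."""
    m = ICMP_DENY.search(line)
    if m:
        src_if, src, dst_if, dst, itype, _code = m.groups()
        proto = "icmp type " + itype
    else:
        m = TCP_DENY.search(line)
        if not m:
            return None
        src, dst, flags, src_if = m.groups()
        # This message names only the ingress interface; assumption: a pool
        # address sits behind the interface the crypto map is bound to.
        dst_if = cfg["vpn_if"] if in_pool(dst, cfg["pools"]) else "unknown"
        proto = "tcp " + flags
    findings = []
    levels = cfg["levels"]
    if src_if in levels and dst_if in levels:
        if levels[src_if] == levels[dst_if] and not cfg["same_security"]:
            findings.append("same-security-level")
        elif levels[src_if] < levels[dst_if]:
            findings.append("lower-to-higher-needs-acl")
    if proto == "icmp type 0" and not cfg["inspect_icmp"]:
        findings.append("no-inspect-icmp")     # echo-reply is seen as a new flow
    return {"proto": proto, "src": f"{src_if}:{src}",
            "dst": f"{dst_if}:{dst}", "findings": findings}


def audit(config_text=SAMPLE_CONFIG, log_lines=SAMPLE_LOGS):
    cfg = parse_config(config_text)
    return [r for r in (explain(l, cfg) for l in log_lines) if r]


if __name__ == "__main__":
    for r in audit():
        print(f"{r['proto']:<12} {r['src']} -> {r['dst']}: "
              f"{', '.join(r['findings']) or 'no finding'}")
```

Run as-is, it reports both posted denies as lan-to-wan flows between two interfaces at security-level 0, with the echo-reply additionally flagged because no ICMP inspection is configured. Feeding it a config where lan is raised above wan, or one with `same-security-traffic permit inter-interface` added, together with `inspect icmp`, clears both findings, which is the check worth running before adding any access-list.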





 
Mag
Guest
Posts: n/a
 
      01-06-2009
Brian V wrote:
>
> You need to post a sanitized config for us to be able to help you.


Hi,

I add this:

sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list lan_nat0_outbound; 1 elements
access-list lan_nat0_outbound line 1 extended permit ip any IPSec
255.255.255.0 (hitcnt=0) 0xf555dd22
access-list All; 1 elements
access-list All line 1 extended permit ip any IPSec 255.255.255.0
(hitcnt=0) 0x71dc000e
 
 
Techno_Guy
Guest
Posts: n/a
 
      01-06-2009


Are you trying to do an L2L IPsec or a remote access? You currently
have a remote access VPN set up, according to your config:

tunnel-group ipsecvpn type remote-access
tunnel-group ipsecvpn general-attributes
address-pool IpSec
default-group-policy ipsecvpn
tunnel-group ipsecvpn ipsec-attributes
pre-shared-key *

Before I tell you anything I just want to be sure.

Here is the link from Cisco on how to do it via the command line. I am
personally not a fan of the GUI for anything other than watching logs
and CPU load.
http://www.cisco.com/en/US/docs/secu.../site2sit.html
 
 
Mag
Guest
Posts: n/a
 
      01-06-2009


Hi

Thanks for your answer; it's Remote Access IPsec with the Cisco IPsec
client.

I read your link.
mag
 
 
Mag
Guest
Posts: n/a
 
      01-06-2009




Sniff, can anyone help me?

Mag
 
 
Mag
Guest
Posts: n/a
 
      01-07-2009





Argh ... no answer!!! Many thanks for your help :=<



 