asa 5505 + l2l vpn + cisco client vpn

Discussion in 'Cisco' started by lesniak81, Jan 13, 2009.

  1. lesniak81

    lesniak81 Guest

    Hi,

    I'm trying to replace PIX 506[working ok] with asa 5505. But just
    after swaping them some of the vpn links doesn't work. I can't ping
    sites. Cisco vpn client access doesn't work too. I was following few
    cisco manuals but I can't figure out what is missing in my config.
    Could you pls have a look at my config maybe sth obvious - I hope so.
    Many thanks.

    : Saved
    : Written by enable_15 at 01:48:02.989 UTC Tue Jan 13 2009
    !
    ASA Version 8.0(4)
    !
    hostname pb
    domain-name zzzzzzz
    enable password zzzzzzzzzzzzzz encrypted
    passwd zzzzzzzzzzzz encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.254 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address zzzzzzzzzzzzz 255.255.255.240
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
    domain-name zzzzzz
    access-list inside_nat0_outbound extended permit ip 192.168.1.0
    255.255.255.0 192.168.5.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0
    255.255.255.0 192.168.2.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0
    255.255.255.0 192.168.9.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0
    255.255.255.0 192.168.12.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0
    255.255.255.0 192.168.18.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0
    255.255.255.0 192.168.22.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0
    255.255.255.0 192.168.19.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.1.0
    255.255.255.0 192.168.1.64 255.255.255.224
    access-list outside_20_cryptomap extended permit ip 192.168.1.0
    255.255.255.0 192.168.5.0 255.255.255.0
    access-list outside_30_cryptomap extended permit ip 192.168.1.0
    255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_40_cryptomap extended permit ip 192.168.1.0
    255.255.255.0 192.168.9.0 255.255.255.0
    access-list outside_50_cryptomap extended permit ip 192.168.1.0
    255.255.255.0 192.168.12.0 255.255.255.0
    access-list outside_60_cryptomap extended permit ip 192.168.1.0
    255.255.255.0 192.168.18.0 255.255.255.0
    access-list outside_70_cryptomap extended permit ip 192.168.1.0
    255.255.255.0 192.168.22.0 255.255.255.0
    access-list outside_access_in extended permit tcp any host zzzzzzzzzzz
    eq smtp
    access-list outside_access_in extended permit tcp any host zzzzzzzzzzz
    eq https
    access-list outside_80_cryptomap extended permit ip 192.168.1.0
    255.255.255.0 192.168.19.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool ciscoClientPool 192.168.1.80-192.168.1.89
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-613.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.1.0 255.255.255.0
    static (inside,outside) zzzzzzzzzzzz 192.168.1.2 netmask
    255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 zzzzzzzzzzzzzz 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
    0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-
    disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server vpn protocol radius
    aaa-server vpn (inside) host 192.168.1.9
    key zzzzzzzzzz
    url-server (inside) vendor websense host 192.168.1.7 timeout 30
    protocol TCP version 4 connections 5
    url-cache src_dst 128
    filter url http 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ciscoClientSet esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 10 set transform-set ciscoClientSet
    crypto dynamic-map dynmap 10 set security-association lifetime seconds
    28800
    crypto dynamic-map dynmap 10 set security-association lifetime
    kilobytes 4608000
    crypto dynamic-map dynmap 10 set reverse-route
    crypto map outside_map 10 ipsec-isakmp dynamic dynmap
    crypto map outside_map 20 match address outside_20_cryptomap
    crypto map outside_map 20 set peer zzzzzzzzzzzzz
    crypto map outside_map 20 set transform-set ESP-DES-MD5
    crypto map outside_map 20 set security-association lifetime seconds
    28800
    crypto map outside_map 20 set security-association lifetime kilobytes
    4608000
    crypto map outside_map 30 match address outside_30_cryptomap
    crypto map outside_map 30 set peer zzzzzzzzzzzzzz
    crypto map outside_map 30 set transform-set ESP-DES-MD5
    crypto map outside_map 30 set security-association lifetime seconds
    28800
    crypto map outside_map 30 set security-association lifetime kilobytes
    4608000
    crypto map outside_map 40 match address outside_40_cryptomap
    crypto map outside_map 40 set peer zzzzzzzzzzzzzz
    crypto map outside_map 40 set transform-set ESP-DES-MD5
    crypto map outside_map 40 set security-association lifetime seconds
    28800
    crypto map outside_map 40 set security-association lifetime kilobytes
    4608000
    crypto map outside_map 50 match address outside_50_cryptomap
    crypto map outside_map 50 set peer zzzzzzzzzzzz
    crypto map outside_map 50 set transform-set ESP-DES-MD5
    crypto map outside_map 50 set security-association lifetime seconds
    28800
    crypto map outside_map 50 set security-association lifetime kilobytes
    4608000
    crypto map outside_map 60 match address outside_60_cryptomap
    crypto map outside_map 60 set peer zzzzzzzzzzzzzzzz
    crypto map outside_map 60 set transform-set ESP-DES-MD5
    crypto map outside_map 60 set security-association lifetime seconds
    28800
    crypto map outside_map 60 set security-association lifetime kilobytes
    4608000
    crypto map outside_map 70 match address outside_70_cryptomap
    crypto map outside_map 70 set peer zzzzzzzzzzzz
    crypto map outside_map 70 set transform-set ESP-DES-MD5
    crypto map outside_map 70 set security-association lifetime seconds
    28800
    crypto map outside_map 70 set security-association lifetime kilobytes
    4608000
    crypto map outside_map interface outside
    crypto map outsite_map 80 match address outside_80_cryptomap
    crypto map outsite_map 80 set peer zzzzzzzzzzzz
    crypto map outsite_map 80 set transform-set ESP-DES-MD5
    crypto map outsite_map 80 set security-association lifetime seconds
    28800
    crypto map outsite_map 80 set security-association lifetime kilobytes
    4608000
    crypto map mymap 10 set security-association lifetime seconds 28800
    crypto map mymap 10 set security-association lifetime kilobytes
    4608000
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 30
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy client internal
    group-policy client attributes
    dns-server value 192.168.1.3
    default-domain value zzzzzzzzzz
    username ciscoClient password zzzzzzzzzzzzz encrypted
    tunnel-group zzzzzzzzzz type ipsec-l2l
    tunnel-group zzzzzzzzzzzz ipsec-attributes
    pre-shared-key zzzzzzzz
    tunnel-group zzzzzzzzzzz type ipsec-l2l
    tunnel-group zzzzzzzzzzz ipsec-attributes
    pre-shared-key zzzzzzzzzzz
    tunnel-group zzzzzzzzzzz type ipsec-l2l
    tunnel-group zzzzzzzzzz ipsec-attributes
    pre-shared-key zzzzzzzzz
    tunnel-group zzzzzzzzzzz type ipsec-l2l
    tunnel-group zzzzzzzzzzz ipsec-attributes
    pre-shared-key zzzzzzzzz
    tunnel-group zzzzzzzzzz type ipsec-l2l
    tunnel-group zzzzzzzzzzz ipsec-attributes
    pre-shared-key zzzzzzzzz
    tunnel-group zzzzzzzzzzzzz type ipsec-l2l
    tunnel-group zzzzzzzzzzzzz ipsec-attributes
    pre-shared-key zzzzzzzzzzzz
    tunnel-group zzzzzzzzzzzzz type ipsec-l2l
    tunnel-group zzzzzzzzzzzzz ipsec-attributes
    pre-shared-key zzzzzzzzzzz
    tunnel-group client type remote-access
    tunnel-group client general-attributes
    address-pool ciscoClientPool
    authentication-server-group vpn
    default-group-policy client
    tunnel-group client ipsec-attributes
    pre-shared-key zzzzzzzzzz
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:63c0936e6ca2805b829700b219116f5e
    : end
     
    lesniak81, Jan 13, 2009
    #1
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Replies:
    1
    Views:
    3,428
  2. Replies:
    4
    Views:
    9,159
    Darren Green
    Nov 9, 2007
  3. Martin Bilgrav
    Replies:
    0
    Views:
    577
    Martin Bilgrav
    May 6, 2008
  4. David Kerber
    Replies:
    4
    Views:
    3,200
    venkatb76
    Mar 27, 2009
  5. Dogg Child

    Re: ASA 5505 behind ASA 5505

    Dogg Child, Jun 7, 2010, in forum: Cisco
    Replies:
    0
    Views:
    716
    Dogg Child
    Jun 7, 2010
Loading...

Share This Page