ASA VPN Quick hint?

Discussion in 'Cisco' started by Ingot, Jun 8, 2007.

  1. Ingot

    Ingot Guest

    Chad already helped me a lot with my initial configuration problem. Now I'm
    at the point of trying to configure a VPN connection.

    I've run the wizard, and gotten a successful authentication to an internal
    user...

    I've gotten it to forward the DNS request to an "Inside" network DNS server.

    For some reason I can't connect to anything though. Pings don't work, name
    resolution doesn't work...

    I just want a simple VPN Remote Access setup, so remote users can connect,
    get an "inside" (private) IP, and operate like they were on the network
    locally. Anything more sophisticated can wait.

    With these symptoms, can someone tell me where to do my reading and
    troubleshooting? I was just hoping someone could tell me the most likely
    areas for where I messed up.

    Group Policy?

    ISAKMP?

    Tunnel groups?

    Ingot
    Ingot, Jun 8, 2007
    #1

  2. Ingot

    Chad Mahoney Guest

    Ingot wrote:
    > Chad already helped me a lot with my initial configuration problem. Now I'm
    > at the point of trying to configure a VPN connection.
    >
    > I've run the wizard, and gotten a successful authentication to an internal
    > user...
    >
    > I've gotten it to forward the DNS request to an "Inside" network DNS server.
    >
    > For some reason I can't connect to anything though. Pings don't work, name
    > resolution doesn't work...
    >
    > I just want a simple VPN Remote Access setup, so remote users can connect,
    > get an "inside" (private) IP, and operate like they were on the network
    > locally. Anything more sophisticated can wait.
    >
    > With these symptoms, can someone tell me where to do my reading and
    > troubleshooting? I was just hoping someone could tell me the most likely
    > areas for where I messed up.
    >
    > Group Policy?
    >
    > ISAKMP?
    >
    > Tunnel groups?
    >
    > Ingot
    >
    >
    >


    Hey Ingot,

    Are you using PPTP or IPSEC? You might want to post your config, remove
    any public IP info.
    Chad Mahoney, Jun 8, 2007
    #2

  3. Ingot

    Ingot Guest

    "Chad Mahoney" <0ney.com> wrote
    >
    > Are you using PPTP or IPSEC? You might want to post your config, remove
    > any public IP info.


    I'm using IPSEC.

    Well, I didn't want to ask anyone to do all of THAT, I just wanted to know
    if someone had a hint as to where I might have misconfigured.

    But... Here it is.

    Ingot


    --- Begin Paste ---




    User Access Verification

    Password:
    Type help or '?' for a list of available commands.
    issciscoasa> en
    Password: *********
    issciscoasa# sh run
    : Saved
    :
    ASA Version 7.2(1)
    !
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password xxxxxxxxxxx encrypted
    names
    dns-guard
    !
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address x.x.x.34 255.255.255.248
    !
    interface Ethernet0/1
    nameif inside
    security-level 100
    ip address 192.168.5.1 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    passwd xxxxxxxxxxx encrypted
    boot system disk0:/asa721-k8.bin
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    access-list outside_access_in extended permit icmp any host x.x.x.34 echo-reply log
    access-list outside_access_in extended permit icmp any host x.x.x.34 time-exceeded log
    access-list outside_access_in_1 extended permit icmp any host x.x.x.34
    access-list inside_nat0_outbound extended permit ip any 192.168.5.192 255.255.255.192
    access-list outside_cryptomap extended permit ip any 192.168.5.192 255.255.255.192
    access-list outside_cryptomap_1 extended permit ip any 192.168.5.192 255.255.255.192
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    no failover
    asdm image disk0:/asdm521.bin
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    global (inside) 2 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 192.168.5.0 255.255.255.0
    access-group outside_access_in_1 in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.33 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy psatunnel internal
    group-policy psatunnel attributes
    dns-server value 192.168.5.5 x.x.x.x
    vpn-tunnel-protocol IPSec
    username Name1 password xxxxxxxxx encrypted privilege 15
    username Name1 attributes
    vpn-group-policy psatunnel
    username Name2 password xxxxxxx encrypted privilege 15
    username Name2 attributes
    vpn-group-policy psatunnel
    http server enable
    http 192.168.5.0 255.255.255.0 management
    http 192.168.5.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp ipsec-over-tcp port 10000
    tunnel-group DefaultWEBVPNGroup general-attributes
    dhcp-server 192.168.5.5
    password-management password-expire-in-days 10
    tunnel-group psatunnel type ipsec-ra
    tunnel-group psatunnel general-attributes
    default-group-policy psatunnel
    dhcp-server 192.168.5.5
    tunnel-group psatunnel ipsec-attributes
    pre-shared-key *
    no vpn-addr-assign aaa
    telnet 192.168.5.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.5.2-192.168.5.254 management
    dhcpd enable management
    !
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    : end
    issciscoasa#
    Ingot, Jun 8, 2007
    #3
  4. Ingot

    Ingot Guest

    "Chad Mahoney" <0ney.com> wrote

    > Are you using PPTP or IPSEC? You might want to post your config, remove
    > any public IP info.


    Ok, more info on this...

    I'm getting "No translation group found for src outside x.x.x.x/xx dst
    inside y.y.y.y/yy".

    They're both in the IP range of my inside network.

    I wouldn't have thought I NEEDED a translation group for a VPN tunnel, since
    the address I served to the connecting client is the same network as the
    internal one.

    I tried applying a NAT exemption for that IP on the outside interface, with
    no luck.

    Obviously I'm missing something key.

    Ingot
    Ingot, Jun 8, 2007
    #4
  5. Ingot

    Chad Mahoney Guest

    Ingot wrote:
    > "Chad Mahoney" <0ney.com> wrote
    >
    >> Are you using PPTP or IPSEC? You might want to post your config, remove
    >> any public IP info.

    >
    > Ok, more info on this...
    >
    > I'm getting "No translation group found for src outside x.x.x.x/xx dst
    > inside y.y.y.y/yy".
    >
    > They're both in the IP range of my inside network.
    >
    > I wouldn't have thought I NEEDED a translation group for a VPN tunnel, since
    > the address I served to the connecting client is the same network as the
    > internal one.
    >
    > I tried applying a NAT exemption for that IP on the outside interface, with
    > no luck.
    >
    > Obviously I'm missing something key.
    >
    > Ingot
    >
    >


    Ingot,

    What is happening here is that the IPs you are being issued when you
    connect are trying to perform NAT; you need to exclude the IP range you
    are using from NAT.

    The command below is your issue:

    nat (inside) 0 access-list inside_nat0_outbound

    You do not have inside_nat0_outbound applied anywhere in your config,
    you may remove.

    I would suggest using a statement such as:

    nat (inside) 0 access-list outside_cryptomap_1



    Also, how are your IP addresses being assigned when the users connect? I
    would not have them assign an address already in use on your local LAN
    (192.168.5.X). I would make up a completely new subnet, 192.168.6.0, and
    assign addresses from that range. The reason behind this is that with the
    statement nat (inside) 0 access-list outside_cryptomap_1, any IP address
    from 192.168.5.192 - 192.168.5.254 will now lose internet connectivity
    because you have excluded them from the NAT process; this could be an
    issue.

    HTH,

    Chad
    Chad Mahoney, Jun 8, 2007
    #5
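    The two changes Chad describes (a client pool on its own subnet, and a NAT
    exemption covering that pool instead of part of the LAN), written out as an
    added example against the posted config; this is not the thread's own
    config, and the pool name vpnpool and the 192.168.6.10-100 range are
    assumed:

```text
! Added example, not the original poster's config.
! Assumed: pool name "vpnpool", addresses 192.168.6.10-192.168.6.100.

! 1. Hand clients addresses from a subnet that does not overlap the LAN,
!    so exempting them from NAT does not cut LAN hosts off the internet.
ip local pool vpnpool 192.168.6.10-192.168.6.100 mask 255.255.255.0

! 2. Exempt LAN <-> pool traffic from NAT. "nat 0 access-list" is
!    bidirectional, so this also covers decrypted client -> LAN packets,
!    which is what the "No translation group found" message was about.
!    This replaces the "permit ip any 192.168.5.192 255.255.255.192" entry.
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 3. Give the remote-access tunnel group the pool instead of the LAN's
!    DHCP server, which was issuing addresses outside the exempted range.
tunnel-group psatunnel general-attributes
 address-pool vpnpool
 no dhcp-server 192.168.5.5

! 4. Check: the exemption is in place and, after a client connects,
!    the IPsec SA shows both encaps and decaps counters increasing.
show running-config nat
show crypto ipsec sa
```

    Keep "nat (inside) 1 192.168.5.0 255.255.255.0" as it is; the exemption
    only removes the 192.168.5.0 to 192.168.6.0 path from PAT, so LAN hosts
    still reach the internet.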
  6. Ingot

    Ingot Guest

    "Chad Mahoney" <0ney.com> wrote
    > Ingot,
    >
    > What is happening here is that the IPs you are being issued when you
    > connect are trying to perform NAT; you need to exclude the IP range you
    > are using from NAT.
    >
    > The command below is your issue:
    >
    > nat (inside) 0 access-list inside_nat0_outbound
    >
    > You do not have inside_nat0_outbound applied anywhere in your config,
    > you may remove.
    >
    > I would suggest using a statement such as:
    >
    > nat (inside) 0 access-list outside_cryptomap_1
    >
    >
    >
    > Also, how are your IP addresses being assigned when the users connect? I
    > would not have them assign an address already in use on your local LAN
    > (192.168.5.X). I would make up a completely new subnet, 192.168.6.0, and
    > assign addresses from that range. The reason behind this is that with the
    > statement nat (inside) 0 access-list outside_cryptomap_1, any IP address
    > from 192.168.5.192 - 192.168.5.254 will now lose internet connectivity
    > because you have excluded them from the NAT process; this could be an
    > issue.
    >
    > HTH,
    >
    > Chad



    Thanks Chad...

    Still having problems, but I'm getting closer, I'll keep you apprised...

    Meanwhile... The powers that be here are doing the classic. No training
    for five years, dump a complex piece of equipment on your desk, and expect
    you to get it running in three days.

    I'll play hell getting any money for training too.

    Is there a book anyone can recommend for the ASA 5510 ?

    Ingot
    Ingot, Jun 8, 2007
    #6
  7. Ingot

    Chad Mahoney Guest

    Ingot wrote:
    > Thanks Chad...
    >
    > Still having problems, but I'm getting closer, I'll keep you apprised...
    >
    > Meanwhile... The powers that be here are doing the classic. No training
    > for five years, dump a complex piece of equipment on your desk, and expect
    > you to get it running in three days.
    >
    > I'll play hell getting any money for training too.
    >
    > Is there a book anyone can recommend for the ASA 5510 ?
    >
    > Ingot


    Exactly how I learned as well :)

    I would suggest:

    http://www.ciscopress.com/bookstore/product.asp?isbn=1587052148&rl=1
    Chad Mahoney, Jun 8, 2007
    #7
  8. Ingot

    M Guest

    Try this:

    static (int1,int2) <inside network> <inside network> netmask A.B.C.D

    example:

    static (inside,DMZ2) 172.21.4.0 172.21.4.0 netmask 255.255.255.0


    "Ingot" <> wrote in message
    news:46698c2e$0$16267$...
    >
    > "Chad Mahoney" <0ney.com> wrote
    >
    >> Are you using PPTP or IPSEC? You might want to post your config, remove
    >> any public IP info.

    >
    > Ok, more info on this...
    >
    > I'm getting "No translation group found for src outside x.x.x.x/xx dst
    > inside y.y.y.y/yy".
    >
    > They're both in the IP range of my inside network.
    >
    > I wouldn't have thought I NEEDED a translation group for a VPN tunnel,
    > since
    > the address I served to the connecting client is the same network as the
    > internal one.
    >
    > I tried applying a NAT exemption for that IP on the outside interface,
    > with
    > no luck.
    >
    > Obviously I'm missing something key.
    >
    > Ingot
    >
    >
    M, Jun 9, 2007
    #8