Help on Cisco ASA 5510 VPN IPsec

Discussion in 'Cisco' started by Mag, Jan 4, 2009.

  1. Mag

    Mag Guest

    Hi

    I have a small problem with my new ASA 5510:

    I have configured a VPN IPsec service and have no problems
    with the connection, but afterwards, when I want to ping the LAN,
    I don't get an answer.

    On one of my servers I see the packet with tcpdump, and I see
    the server's reply, but on the ASA I get a message from
    the firewall ...

    I have used the wizard included in the 6.0 version.

    Thanks for your help
    Mag
    Mag, Jan 4, 2009
    #1

  2. Mag

    Brian V Guest

    "Mag" <> wrote in message
    news:49607868$0$6704$...
    > Hi
    >
    > I have a small problem with my new ASA 5510:
    >
    > I have configured a VPN IPsec service and have no problems
    > with the connection, but afterwards, when I want to ping the LAN,
    > I don't get an answer.
    >
    > On one of my servers I see the packet with tcpdump, and I see
    > the server's reply, but on the ASA I get a message from
    > the firewall ...
    >
    > I have used the wizard included in the 6.0 version.
    >
    > Thanks for your help
    > Mag
    >


    You need to post a sanitized config for us to be able to help you.
    Brian V, Jan 4, 2009
    #2

  3. Mag

    Mag Guest

    Brian V wrote:
    >
    > You need to post a sanitized config for us to be able to help you.


    Oh yes, sorry ;=) :
    Configuration (sh run) generated with the ASDM wizard:

    Result of the command: "show running-config"

    : Saved
    :
    ASA Version 8.0(3)
    !
    hostname ASA5510-1
    domain-name asa1.xxx.org
    enable password XXX
    names
    name 10.100.5.0 IPSec
    !
    interface Ethernet0/0
    nameif wan
    security-level 0
    ip address 62.XX.XX.XX 255.255.255.224
    !
    interface Ethernet0/1
    nameif lan
    security-level 0
    ip address 10.100.7.242 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    passwd XXXX encrypted
    ftp mode passive
    dns domain-lookup lan
    dns server-group DefaultDNS
    name-server 10.100.7.250
    domain-name asa1.xxx.org
    access-list lan_nat0_outbound extended permit ip any IPSec 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu lan 1500
    mtu wan 1500
    ip local pool IpSec 10.100.5.10-10.100.5.254
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    global (wan) 101 interface
    nat (lan) 0 access-list lan_nat0_outbound
    nat (lan) 101 0.0.0.0 0.0.0.0
    route wan 0.0.0.0 0.0.0.0 62.XX.XX.XX 1
    route lan 10.0.0.0 255.0.0.0 10.100.7.250 1
    route lan 172.26.0.0 255.255.0.0 10.100.7.250 1
    route lan 172.27.0.0 255.255.0.0 10.100.7.250 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 0.0.0.0 0.0.0.0 wan
    http 62.XX.XX.XX 255.255.255.224 wan
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map wan_map interface wan
    crypto isakmp enable wan
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access wan
    threat-detection basic-threat
    threat-detection statistics
    group-policy ipsecvpn internal
    group-policy ipsecvpn attributes
    dns-server value 10.100.7.242
    vpn-tunnel-protocol IPSec
    default-domain value XXXX.fr
    username magalie password 1YqAYSguYgIKdkUO encrypted privilege 0
    username magalie attributes
    vpn-group-policy ipsecvpn
    tunnel-group ipsecvpn type remote-access
    tunnel-group ipsecvpn general-attributes
    address-pool IpSec
    default-group-policy ipsecvpn
    tunnel-group ipsecvpn ipsec-attributes
    pre-shared-key *
    !
    !
    prompt hostname context
    Cryptochecksum:3c033e8f335604a9fa0af37e27ddf6d8
    : end





    and after connecting, these are the log entries:

    3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan:10.100.7.248 dst wan:10.100.5.10 (type 0, code 0)

    6|Jan 05 2009|05:30:10|302020|10.100.5.10|10.100.7.248|Built inbound ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr 10.100.7.248/0 (magalie)

    6|Jan 05 2009|05:30:09|302021|10.100.5.10|10.100.7.248|Teardown ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr 10.100.7.248/0 (magalie)





    Thanks for your help
    Magalie
    Mag, Jan 5, 2009
    #3
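Added example (an editor's addition, not code from the thread or from Cisco): a small Python lint that applies the checks a reviewer would run over the posted running-config before answering. It reads a constructed excerpt of the config above (SAMPLE_CONFIG, values and placeholders exactly as posted) and flags four things visible in it: the wan and lan interfaces both sit at security-level 0, and an ASA drops traffic between interfaces that share a security level unless "same-security-traffic permit inter-interface" is configured; "http 0.0.0.0 0.0.0.0 wan" opens ASDM/HTTPS management to any source on the outside interface; the DES and MD5 transform sets and the "encryption des" ISAKMP policy are still offered to peers; and the "username ... password ... encrypted" line still carries a password hash in a config that was posted for sanitized review. The function names, the SANITISED placeholder list and the finding wording are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt of the running-config posted in the thread (placeholders
# such as 62.XX.XX.XX are kept exactly as posted). Not a complete config.
SAMPLE_CONFIG = """\
hostname ASA5510-1
interface Ethernet0/0
nameif wan
security-level 0
ip address 62.XX.XX.XX 255.255.255.224
!
interface Ethernet0/1
nameif lan
security-level 0
ip address 10.100.7.242 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
http server enable
http 0.0.0.0 0.0.0.0 wan
http 62.XX.XX.XX 255.255.255.224 wan
management-access wan
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
username magalie password 1YqAYSguYgIKdkUO encrypted privilege 0
"""

# Values that mean "already redacted" (assumed convention for this example).
SANITISED = {"*", "XXX", "XXXX", "<removed>"}


def parse_interfaces(config):
    """Map each named interface (nameif) to its security level and
    management-only flag. Blocks are delimited by 'interface ...' and '!',
    as in the posted output, so the lost indentation does not matter."""
    ifaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"security": None, "management_only": False}
        elif line == "!":
            current = None
        elif current is not None:
            if line.startswith("nameif "):
                ifaces[line.split()[1]] = current
            elif line.startswith("security-level "):
                current["security"] = int(line.split()[1])
            elif line == "management-only":
                current["management_only"] = True
    return ifaces


def lint(config):
    """Return a list of human-readable findings for the config text."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []

    # 1. Through-traffic between interfaces at the same security level is
    #    dropped unless same-security-traffic permit inter-interface is set.
    #    A management-only interface never forwards traffic, so skip it.
    if "same-security-traffic permit inter-interface" not in lines:
        by_level = defaultdict(list)
        for name, info in parse_interfaces(config).items():
            if info["security"] is not None and not info["management_only"]:
                by_level[info["security"]].append(name)
        for level, names in sorted(by_level.items()):
            if len(names) > 1:
                findings.append(
                    f"same-security: {', '.join(sorted(names))} all at level {level}; "
                    "traffic between them needs 'same-security-traffic permit inter-interface'")

    for line in lines:
        # 2. Management plane (ASDM/HTTPS, SSH, telnet) reachable from any source.
        m = re.match(r"(http|ssh|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if m:
            findings.append(f"exposure: {m.group(1)} management open to any source on '{m.group(2)}'")
        # 3. Weak IPsec transform sets and IKE policies still offered to peers.
        if line.startswith("crypto ipsec transform-set") and re.search(r"\besp-(des|md5-hmac)\b", line):
            findings.append(f"weak-crypto: transform-set {line.split()[3]} uses DES or MD5")
        if line in ("encryption des", "hash md5"):
            findings.append(f"weak-crypto: isakmp policy uses '{line}'")
        # 4. Credential material that should be stripped before posting a config.
        m = re.match(r"username (\S+) password (\S+) encrypted", line)
        if m and m.group(2) not in SANITISED:
            findings.append(f"sanitise: password hash for user '{m.group(1)}' is still in the config")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run as a script it prints six findings for the excerpt; appending the "same-security-traffic permit inter-interface" line to the input removes the first one, which is the quickest way to see which finding the missing command accounts for.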
  4. Mag

    Mag Guest

    Anyone?



    Mag wrote:
    > Brian V wrote:
    >>
    >> You need to post a sanitized config for us to be able to help you.
    >
    > Oh yes, sorry ;=) :
    > Configuration (sh run) generated with the ASDM wizard:
    >
    >
    >
    >
    > Result of the command: "show running-config"
    >
    > : Saved
    > :
    > ASA Version 8.0(3)
    > !
    > hostname ASA5510-1
    > domain-name asa1.xxx.org
    > enable password XXX
    > names
    > name 10.100.5.0 IPSec
    > !
    > interface Ethernet0/0
    > nameif wan
    > security-level 0
    > ip address 62.XX.XX.XX 255.255.255.224
    > !
    > interface Ethernet0/1
    > nameif lan
    > security-level 0
    > ip address 10.100.7.242 255.255.255.0
    > !
    > interface Ethernet0/2
    > shutdown
    > no nameif
    > no security-level
    > no ip address
    > !
    > interface Ethernet0/3
    > shutdown
    > no nameif
    > no security-level
    > no ip address
    > !
    > interface Management0/0
    > nameif management
    > security-level 0
    > ip address 192.168.1.1 255.255.255.0
    > management-only
    > !
    > passwd XXXX encrypted
    > ftp mode passive
    > dns domain-lookup lan
    > dns server-group DefaultDNS
    > name-server 10.100.7.250
    > domain-name asa1.xxx.org
    > access-list lan_nat0_outbound extended permit ip any IPSec 255.255.255.0
    > pager lines 24
    > logging enable
    > logging asdm informational
    > mtu management 1500
    > mtu lan 1500
    > mtu wan 1500
    > ip local pool IpSec 10.100.5.10-10.100.5.254
    > icmp unreachable rate-limit 1 burst-size 1
    > asdm image disk0:/asdm-603.bin
    > no asdm history enable
    > arp timeout 14400
    > global (wan) 101 interface
    > nat (lan) 0 access-list lan_nat0_outbound
    > nat (lan) 101 0.0.0.0 0.0.0.0
    > route wan 0.0.0.0 0.0.0.0 62.XX.XX.XX 1
    > route lan 10.0.0.0 255.0.0.0 10.100.7.250 1
    > route lan 172.26.0.0 255.255.0.0 10.100.7.250 1
    > route lan 172.27.0.0 255.255.0.0 10.100.7.250 1
    > timeout xlate 3:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    > timeout uauth 0:05:00 absolute
    > dynamic-access-policy-record DfltAccessPolicy
    > http server enable
    > http 0.0.0.0 0.0.0.0 wan
    > http 62.XX.XX.XX 255.255.255.224 wan
    > no snmp-server location
    > no snmp-server contact
    > snmp-server enable traps snmp authentication linkup linkdown coldstart
    > crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    > crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    > crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    > crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    > crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    > crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    > crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    > crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    > crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    > crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    > crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    > crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    > crypto map wan_map interface wan
    > crypto isakmp enable wan
    > crypto isakmp policy 5
    > authentication pre-share
    > encryption 3des
    > hash sha
    > group 2
    > lifetime 86400
    > crypto isakmp policy 10
    > authentication pre-share
    > encryption des
    > hash sha
    > group 2
    > lifetime 86400
    > crypto isakmp policy 65535
    > authentication pre-share
    > encryption 3des
    > hash sha
    > group 2
    > lifetime 86400
    > telnet timeout 5
    > ssh timeout 5
    > console timeout 0
    > management-access wan
    > threat-detection basic-threat
    > threat-detection statistics
    > group-policy ipsecvpn internal
    > group-policy ipsecvpn attributes
    > dns-server value 10.100.7.242
    > vpn-tunnel-protocol IPSec
    > default-domain value XXXX.fr
    > username magalie password 1YqAYSguYgIKdkUO encrypted privilege 0
    > username magalie attributes
    > vpn-group-policy ipsecvpn
    > tunnel-group ipsecvpn type remote-access
    > tunnel-group ipsecvpn general-attributes
    > address-pool IpSec
    > default-group-policy ipsecvpn
    > tunnel-group ipsecvpn ipsec-attributes
    > pre-shared-key *
    > !
    > !
    > prompt hostname context
    > Cryptochecksum:3c033e8f335604a9fa0af37e27ddf6d8
    > : end
    >
    >
    >
    >
    >
    > and after connecting, these are the log entries:
    >
    > 3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan:10.100.7.248 dst wan:10.100.5.10 (type 0, code 0)
    >
    > 6|Jan 05 2009|05:30:10|302020|10.100.5.10|10.100.7.248|Built inbound ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr 10.100.7.248/0 (magalie)
    >
    > 6|Jan 05 2009|05:30:09|302021|10.100.5.10|10.100.7.248|Teardown ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr 10.100.7.248/0 (magalie)
    >
    >
    >
    >
    >
    > Thanks for your help
    > Magalie
    Mag, Jan 5, 2009
    #4
  5. Mag

    Mag Guest

    It's not only ICMP that is denied:

    Inbound TCP connection denied from 10.100.7.245/22 to 10.100.5.10/1953 flags SYN ACK on interface lan

    What is the ACL to put in place to accept all traffic from the LAN to IPsec and
    from IPsec to the LAN?

    I also see that on my PC connected over IPsec, the subnet mask is 255.0.0.0 and
    not 255.255.255.0 ..





    Mag wrote:
    > Brian V wrote:
    >>
    >> You need to post a sanitized config for us to be able to help you.
    >
    > Oh yes, sorry ;=) :
    > Configuration (sh run) generated with the ASDM wizard:
    >
    >
    >
    >
    > Result of the command: "show running-config"
    >
    > : Saved
    > :
    > ASA Version 8.0(3)
    > !
    > hostname ASA5510-1
    > domain-name asa1.xxx.org
    > enable password XXX
    > names
    > name 10.100.5.0 IPSec
    > !
    > interface Ethernet0/0
    > nameif wan
    > security-level 0
    > ip address 62.XX.XX.XX 255.255.255.224
    > !
    > interface Ethernet0/1
    > nameif lan
    > security-level 0
    > ip address 10.100.7.242 255.255.255.0
    > !
    > interface Ethernet0/2
    > shutdown
    > no nameif
    > no security-level
    > no ip address
    > !
    > interface Ethernet0/3
    > shutdown
    > no nameif
    > no security-level
    > no ip address
    > !
    > interface Management0/0
    > nameif management
    > security-level 0
    > ip address 192.168.1.1 255.255.255.0
    > management-only
    > !
    > passwd XXXX encrypted
    > ftp mode passive
    > dns domain-lookup lan
    > dns server-group DefaultDNS
    > name-server 10.100.7.250
    > domain-name asa1.xxx.org
    > access-list lan_nat0_outbound extended permit ip any IPSec 255.255.255.0
    > pager lines 24
    > logging enable
    > logging asdm informational
    > mtu management 1500
    > mtu lan 1500
    > mtu wan 1500
    > ip local pool IpSec 10.100.5.10-10.100.5.254
    > icmp unreachable rate-limit 1 burst-size 1
    > asdm image disk0:/asdm-603.bin
    > no asdm history enable
    > arp timeout 14400
    > global (wan) 101 interface
    > nat (lan) 0 access-list lan_nat0_outbound
    > nat (lan) 101 0.0.0.0 0.0.0.0
    > route wan 0.0.0.0 0.0.0.0 62.XX.XX.XX 1
    > route lan 10.0.0.0 255.0.0.0 10.100.7.250 1
    > route lan 172.26.0.0 255.255.0.0 10.100.7.250 1
    > route lan 172.27.0.0 255.255.0.0 10.100.7.250 1
    > timeout xlate 3:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    > timeout uauth 0:05:00 absolute
    > dynamic-access-policy-record DfltAccessPolicy
    > http server enable
    > http 0.0.0.0 0.0.0.0 wan
    > http 62.XX.XX.XX 255.255.255.224 wan
    > no snmp-server location
    > no snmp-server contact
    > snmp-server enable traps snmp authentication linkup linkdown coldstart
    > crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    > crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    > crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    > crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    > crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    > crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    > crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    > crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    > crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    > crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    > crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    > crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    > crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    > crypto map wan_map interface wan
    > crypto isakmp enable wan
    > crypto isakmp policy 5
    > authentication pre-share
    > encryption 3des
    > hash sha
    > group 2
    > lifetime 86400
    > crypto isakmp policy 10
    > authentication pre-share
    > encryption des
    > hash sha
    > group 2
    > lifetime 86400
    > crypto isakmp policy 65535
    > authentication pre-share
    > encryption 3des
    > hash sha
    > group 2
    > lifetime 86400
    > telnet timeout 5
    > ssh timeout 5
    > console timeout 0
    > management-access wan
    > threat-detection basic-threat
    > threat-detection statistics
    > group-policy ipsecvpn internal
    > group-policy ipsecvpn attributes
    > dns-server value 10.100.7.242
    > vpn-tunnel-protocol IPSec
    > default-domain value XXXX.fr
    > username magalie password 1YqAYSguYgIKdkUO encrypted privilege 0
    > username magalie attributes
    > vpn-group-policy ipsecvpn
    > tunnel-group ipsecvpn type remote-access
    > tunnel-group ipsecvpn general-attributes
    > address-pool IpSec
    > default-group-policy ipsecvpn
    > tunnel-group ipsecvpn ipsec-attributes
    > pre-shared-key *
    > !
    > !
    > prompt hostname context
    > Cryptochecksum:3c033e8f335604a9fa0af37e27ddf6d8
    > : end
    >
    >
    >
    >
    >
    > and after connecting, these are the log entries:
    >
    > 3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan:10.100.7.248 dst wan:10.100.5.10 (type 0, code 0)
    >
    > 6|Jan 05 2009|05:30:10|302020|10.100.5.10|10.100.7.248|Built inbound ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr 10.100.7.248/0 (magalie)
    >
    > 6|Jan 05 2009|05:30:09|302021|10.100.5.10|10.100.7.248|Teardown ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr 10.100.7.248/0 (magalie)
    >
    >
    >
    >
    >
    > Thanks for your help
    > Magalie
    Mag, Jan 5, 2009
    #5
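Added example (an editor's addition, not code from the thread): a Python triage routine run over the log lines posted in this thread, reconstructed here as the constructed SAMPLE_LOG (the three ASDM pipe-delimited entries from the earlier post and the plain 106001 line in the post above). It pairs the connections the ASA reports as built (302020) with the denies of their return traffic: an echo reply (ICMP type 0) denied by 106014, and a SYN ACK denied as a new inbound TCP connection, both mean the answer arrived on lan and no connection entry let it back through, which is the pattern to look for when a VPN client can send but never receives replies. The regexes, function names and finding wording are this example's own; it only reads the three message formats shown in the thread.

```python
import re

# Constructed from the log lines posted in the thread: three ASDM-style
# pipe-delimited entries and one plain syslog text line (message 106001).
SAMPLE_LOG = """\
3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan:10.100.7.248 dst wan:10.100.5.10 (type 0, code 0)
6|Jan 05 2009|05:30:10|302020|10.100.5.10|10.100.7.248|Built inbound ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr 10.100.7.248/0 (magalie)
6|Jan 05 2009|05:30:09|302021|10.100.5.10|10.100.7.248|Teardown ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr 10.100.7.248/0 (magalie)
Inbound TCP connection denied from 10.100.7.245/22 to 10.100.5.10/1953 flags SYN ACK on interface lan
"""

# 302020: faddr is the initiator on the lower-security side (here the VPN
# client), laddr the host that answered.
BUILT = re.compile(
    r"Built (inbound|outbound) (\w+) connection .*?faddr ([\d.]+)/\d+ gaddr [\d.]+/\d+ laddr ([\d.]+)/\d+")
# 106014: an ICMP packet denied; type 0 is an echo reply, i.e. return traffic.
ICMP_DENY = re.compile(
    r"Deny inbound icmp src (\w+):([\d.]+) dst (\w+):([\d.]+) \(type (\d+), code (\d+)\)")
# 106001: a TCP packet treated as a brand-new inbound connection and denied.
TCP_DENY = re.compile(
    r"Inbound TCP connection denied from ([\d.]+)/\d+ to ([\d.]+)/\d+ flags ([A-Z ]+?) on interface (\w+)")


def parse_line(line):
    """Split an ASDM pipe-delimited entry into severity, message id and text;
    a line without the pipe prefix is returned as text only."""
    parts = line.split("|", 6)
    if len(parts) == 7 and parts[3].isdigit():
        return {"severity": int(parts[0]), "msgid": parts[3], "text": parts[6]}
    return {"severity": None, "msgid": None, "text": line}


def triage(log):
    """Return one finding per denied reply packet, stating whether the ASA
    had built the forward connection that the reply belongs to."""
    built = set()   # (initiator, responder) pairs with a connection entry
    denies = []
    for raw in log.splitlines():
        text = parse_line(raw)["text"]
        if m := BUILT.search(text):
            built.add((m.group(3), m.group(4)))
        elif m := ICMP_DENY.search(text):
            denies.append({"proto": "icmp", "iface": m.group(1), "src": m.group(2),
                           "dst": m.group(4), "is_reply": int(m.group(5)) == 0})
        elif m := TCP_DENY.search(text):
            flags = m.group(3).split()
            denies.append({"proto": "tcp", "iface": m.group(4), "src": m.group(1),
                           "dst": m.group(2), "is_reply": "SYN" in flags and "ACK" in flags})
    # Evaluate only after the whole log is read: the posted entries are not in
    # causal order (the deny is listed above the build it belongs to).
    findings = []
    for d in denies:
        if not d["is_reply"]:
            continue
        had_conn = (d["dst"], d["src"]) in built
        findings.append(
            f"{d['proto']} reply {d['src']} -> {d['dst']} denied on '{d['iface']}'"
            + (" although a forward connection was built" if had_conn
               else " and no forward connection was recorded"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The two findings differ in a useful way: for the ping the ASA built the inbound ICMP connection and still denied the echo reply, while for the SSH session no connection for 10.100.5.10 to 10.100.7.245 was ever recorded, so the SYN ACK was judged as a new inbound connection. Keeping that distinction in the output saves re-reading the raw lines when the log is longer than four entries.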
  6. Mag

    Mag Guest

    Brian V wrote:
    >
    > "Mag" <> wrote in message
    > news:49607868$0$6704$...
    >> Hi
    >>
    >> I have a small problem with my new ASA 5510:
    >>
    >> I have configured a VPN IPsec service and have no problems
    >> with the connection, but afterwards, when I want to ping the LAN,
    >> I don't get an answer.
    >>
    >> On one of my servers I see the packet with tcpdump, and I see
    >> the server's reply, but on the ASA I get a message from
    >> the firewall ...
    >>
    >> I have used the wizard included in the 6.0 version.
    >>
    >> Thanks for your help
    >> Mag
    >>
    >
    > You need to post a sanitized config for us to be able to help you.


    Hi,

    I add this:

    sh access-list

    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list lan_nat0_outbound; 1 elements
    access-list lan_nat0_outbound line 1 extended permit ip any IPSec 255.255.255.0 (hitcnt=0) 0xf555dd22
    access-list All; 1 elements
    access-list All line 1 extended permit ip any IPSec 255.255.255.0 (hitcnt=0) 0x71dc000e
    Mag, Jan 6, 2009
    #6
  7. Mag

    Techno_Guy Guest

    On Jan 5, 11:02 pm, Mag <> wrote:
    > Brian V wrote:
    >
    > > "Mag" <> wrote in message
    > > news:49607868$0$6704$...
    > >> Hi
    > >>
    > >> I have a small problem with my new ASA 5510:
    > >>
    > >> I have configured a VPN IPsec service and have no problems
    > >> with the connection, but afterwards, when I want to ping the LAN,
    > >> I don't get an answer.
    > >>
    > >> On one of my servers I see the packet with tcpdump, and I see
    > >> the server's reply, but on the ASA I get a message from
    > >> the firewall ...
    > >>
    > >> I have used the wizard included in the 6.0 version.
    > >>
    > >> Thanks for your help
    > >> Mag
    > >
    > > You need to post a sanitized config for us to be able to help you.
    >
    > Hi,
    >
    > I add this:
    >
    > sh access-list
    >
    >   access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
    >              alert-interval 300
    > access-list lan_nat0_outbound; 1 elements
    > access-list lan_nat0_outbound line 1 extended permit ip any IPSec 255.255.255.0 (hitcnt=0) 0xf555dd22
    > access-list All; 1 elements
    > access-list All line 1 extended permit ip any IPSec 255.255.255.0 (hitcnt=0) 0x71dc000e


    Are you trying to do an L2L IPsec or a remote access? You currently
    have a remote access VPN set up according to your config:

    tunnel-group ipsecvpn type remote-access
    tunnel-group ipsecvpn general-attributes
    address-pool IpSec
    default-group-policy ipsecvpn
    tunnel-group ipsecvpn ipsec-attributes
    pre-shared-key *

    Before I tell you anything I just want to be sure.

    Here is the link from Cisco on how to do it via the command line. I am
    personally not a fan of the GUI for anything other than watching logs
    and CPU load.
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/site2sit.html
    Techno_Guy, Jan 6, 2009
    #7
  8. Mag

    Mag Guest

    Techno_Guy wrote:
    > On Jan 5, 11:02 pm, Mag <> wrote:
    >> Brian V wrote:
    >>> "Mag" <> wrote in message
    >>> news:49607868$0$6704$...
    >>>> Hi
    >>>> I have a small problem with my new ASA 5510:
    >>>> I have configured a VPN IPsec service and have no problems
    >>>> with the connection, but afterwards, when I want to ping the LAN,
    >>>> I don't get an answer.
    >>>> On one of my servers I see the packet with tcpdump, and I see
    >>>> the server's reply, but on the ASA I get a message from
    >>>> the firewall ...
    >>>> I have used the wizard included in the 6.0 version.
    >>>> Thanks for your help
    >>>> Mag
    >>> You need to post a sanitized config for us to be able to help you.
    >> Hi,
    >>
    >> I add this:
    >>
    >> sh access-list
    >>
    >> access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
    >>             alert-interval 300
    >> access-list lan_nat0_outbound; 1 elements
    >> access-list lan_nat0_outbound line 1 extended permit ip any IPSec 255.255.255.0 (hitcnt=0) 0xf555dd22
    >> access-list All; 1 elements
    >> access-list All line 1 extended permit ip any IPSec 255.255.255.0 (hitcnt=0) 0x71dc000e
    >
    > Are you trying to do an L2L IPsec or a remote access? You currently
    > have a remote access VPN set up according to your config:
    >
    > tunnel-group ipsecvpn type remote-access
    > tunnel-group ipsecvpn general-attributes
    > address-pool IpSec
    > default-group-policy ipsecvpn
    > tunnel-group ipsecvpn ipsec-attributes
    > pre-shared-key *
    >
    > Before I tell you anything I just want to be sure.
    >
    > Here is the link from Cisco on how to do it via the command line. I am
    > personally not a fan of the GUI for anything other than watching logs
    > and CPU load.
    > http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/site2sit.html


    Hi

    Thanks for your answer; it's remote access IPsec with the Cisco IPsec
    client.

    I read your link.
    mag
    Mag, Jan 6, 2009
    #8
  9. Mag

    Mag Guest

    Mag wrote:
    > Hi
    >
    > I have a small problem with my new ASA 5510:
    >
    > I have configured a VPN IPsec service and have no problems
    > with the connection, but afterwards, when I want to ping the LAN,
    > I don't get an answer.
    >
    > On one of my servers I see the packet with tcpdump, and I see
    > the server's reply, but on the ASA I get a message from
    > the firewall ...
    >
    > I have used the wizard included in the 6.0 version.
    >
    > Thanks for your help
    > Mag
    >


    Sniff ... can anyone help me?

    Mag
    Mag, Jan 6, 2009
    #9
  10. Mag

    Mag Guest

    Mag wrote:
    > Hi
    >
    > I have a small problem with my new ASA 5510:
    >
    > I have configured a VPN IPsec service and have no problems
    > with the connection, but afterwards, when I want to ping the LAN,
    > I don't get an answer.
    >
    > On one of my servers I see the packet with tcpdump, and I see
    > the server's reply, but on the ASA I get a message from
    > the firewall ...
    >
    > I have used the wizard included in the 6.0 version.
    >
    > Thanks for your help
    > Mag
    >


    Argh ... no answer!!! Many thanks for your help :=<
    Mag, Jan 7, 2009
    #10