My first VPN setup with my ASA 5505

Discussion in 'Cisco' started by mrkylewood, May 10, 2012.

    I have a newly acquired ASA 5505 that I just set up to the bare minimum configuration. I followed a Cisco paper on how to create a "remote access VPN" setup for IPsec. I can successfully connect and establish a VPN, but when I try to access an inside resource from the VPN address, the ASA blocks it.

    Specific error is:


    5 May 09 2012 15:17:48 305013 192.168.1.2 80 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:192.168.1.220/53101 dst inside:192.168.1.2/80 denied due to NAT reverse path failure


    Here is my config.

    : Saved
    :
    ASA Version 8.2(2)
    !
    hostname asawood
    domain-name wood.local
    enable password W/KqlBn3sSTvaD0T encrypted
    passwd W/KqlBn3sSTvaD0T encrypted
    names
    name 192.168.1.117 kylewooddesk description kyle
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name wood.local
    object-group service rdp tcp
    description rdp access
    port-object eq 3389
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in extended permit tcp any interface outside eq 8080
    access-list outside_access_in extended permit tcp any interface outside eq 3333
    access-list inside_nat0_outbound extended permit ip any 192.168.1.200 255.255.255.248
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.1.220-192.168.1.230
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 2 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 3389 kylewooddesk 3389 netmask 255.255.255.255 dns
    static (inside,outside) tcp interface 8080 kylewooddesk 8080 netmask 255.255.255.255
    static (inside,outside) tcp interface 3333 192.168.1.86 3333 netmask 255.255.255.255
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set FirstSet
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns 8.8.8.8 8.8.4.4
    dhcpd lease 3000
    !
    dhcpd address 192.168.1.100-192.168.1.130 inside
    dhcpd enable inside
    !

    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username vpnkyle password p29RprV0OZB6997h encrypted
    username mrkylewood password Q4339wmn1ourxj9X encrypted
    tunnel-group woodgroup type remote-access
    tunnel-group woodgroup general-attributes
    address-pool vpnpool
    tunnel-group woodgroup ipsec-attributes
    pre-shared-key *****
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect ip-options
    policy-map type inspect dns MY_DNS_INSPECT_MAP
    parameters
    !
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email callhome@cisco.com
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:f9f7a0ad86a0a913921eed28f1e7369c
    : end
    asdm image disk0:/asdm-631.bin
    asdm location kylewooddesk 255.255.255.255 inside
    no asdm history enable
     
    mrkylewood, May 10, 2012
    #1
