Site to Site VPN Problem

Discussion in 'Cisco' started by Peter Simons, Jun 27, 2007.


    I have a site-to-site VPN problem.
    The network servers are Microsoft Windows Server, both 2000 and 2003.

    At one remote site, using an ASA-to-ASA VPN, clients could pick up email
    from an Exchange server but not send email.

    The site with the Exchange server could VNC to the machine that could
    not send email.

    When one browsed the network, one could see only local machines. The
    domain controller at the remote site had lots of event ID 1311 entries in the
    directory log.

    Machines could not connect to a SQL server using Active Directory
    credentials but could get to a web site on the same machine.

    Changing the remote site to a PIX 501 solved the problem.

    Munged config of remote site:

    Thanks in advance for any help

    : Saved
    ASA Version 7.2(2)
    !
    domain-name l
    enable password
    no names
    name mainsite
    name site a
    name caffreys
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
    object-group service std tcp
     port-object eq domain
     port-object eq ftp
     port-object eq ftp-data
     port-object eq www
     port-object eq https
    object-group service Domain tcp-udp
     port-object eq domain
    ! (hosts, networks and ACL entries removed by the poster)
    access-list inside_access_in extended permit tcp any any object-group std
    access-list inside_access_in extended permit udp host any eq
    access-list inside_access_in extended permit tcp host any eq
    access-list inside_access_in extended permit ip
    access-list outside_20_cryptomap extended permit ip
    access-list inside_nat0_outbound extended permit ip
    access-list outside_access_in extended permit ip
    access-list outside_20_cryptomap_1 extended permit ip
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route inside 1
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
    timeout uauth 0:05:00 absolute
    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server none
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 3
     vpn-idle-timeout 30
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec
     password-storage disable
     ip-comp disable
     re-xauth disable
     group-lock none
     pfs disable
     ipsec-udp disable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelall
     split-tunnel-network-list none
     default-domain none
     split-dns none
     intercept-dhcp disable
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout 30
     ip-phone-bypass disable
     leap-bypass disable
     nem disable
     backup-servers keep-client-config
     msie-proxy server none
     msie-proxy method no-modify
     msie-proxy except-list none
     msie-proxy local-bypass disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools none
     client-firewall none
     client-access-rule none
     functions url-entry
     html-content-filter none
     homepage none
     keep-alive-ignore 4
     http-comp gzip
     filter none
     url-list none
     customization value DfltCustomization
     port-forward none
     port-forward-name value Application Access
     sso-server none
     deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
     svc none
     svc keep-installer installed
     svc keepalive none
     svc rekey time none
     svc rekey method none
     svc dpd-interval client none
     svc dpd-interval gateway none
     svc compression deflate
    url-server (inside) vendor websense host timeout 30 protocol UDP version 4
    filter url 443 allow
    filter url http allow
    http server enable
    !
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    ! IPsec/IKE: 3DES with MD5, pre-shared keys, peer identity not validated
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 match address outside_20_cryptomap_1
    crypto map outside_map 20 set peer
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 40
     authentication pre-share
     encryption 3des
     hash md5
     group 1
     lifetime 86400
    crypto isakmp nat-traversal 20
    crypto isakmp ipsec-over-tcp port 10000
    ! (tunnel-group peer addresses removed by the poster)
    tunnel-group type ipsec-l2l
    tunnel-group ipsec-attributes
     pre-shared-key *
     peer-id-validate nocheck
     pre-shared-key *
    telnet inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    dhcpd address inside
    dhcpd dns interface inside
    dhcpd lease 360000 interface inside
    dhcpd domain lowery interface inside
    dhcpd option 3 ip interface inside
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    ! default DNS inspection map: drops DNS messages longer than 512 bytes
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
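As an added example (not from the post, and not Cisco tooling), here is a small Python auditor for this style of ASA 7.x running-config. It runs over a constructed excerpt modelled on the munged config above, with the poster's redacted values still left out, and reports what a reviewer would check first in a config like this: the 3DES/MD5 transform set and both IKE policies (policy 40 even uses DH group 1), `peer-id-validate nocheck`, PFS disabled, the `outside_20_cryptomap` ACL that no crypto map references, cleartext telnet, a console that never times out, ESMTP inspection sitting in the path of mail submission, and the DNS inspection map's 512-byte ceiling, which drops any DNS reply larger than that (AD SRV and EDNS0 replies from Windows 2003 DCs can exceed it). The block parser, the weak-algorithm sets and the finding strings are the example's own assumptions, not ASA output.

```python
"""Audit a Cisco ASA 7.x running-config for settings that matter on a site-to-site
IPsec tunnel carrying Active Directory traffic.  Added example, not part of the post."""
import re

# Constructed excerpt modelled on the munged config in the post; values the poster
# redacted (addresses, peer, ACL entries) are left out here as well.
SAMPLE_CONFIG = """\
access-list outside_20_cryptomap extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list outside_20_cryptomap_1 extended permit ip
nat (inside) 0 access-list inside_nat0_outbound
group-policy DfltGrpPolicy attributes
 pfs disable
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 match address outside_20_cryptomap_1
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
crypto isakmp policy 40
 encryption 3des
 hash md5
 group 1
tunnel-group ipsec-attributes
 peer-id-validate nocheck
telnet inside
console timeout 0
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect esmtp
"""

# Algorithm names this example treats as weak (assumption of the example).
WEAK_ENC = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH = {"1", "2"}  # 768- and 1024-bit MODP groups


def parse_blocks(text):
    """Group config text into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return a list of human-readable findings for the given running-config."""
    findings = []
    defined, referenced = set(), set()
    for header, sub in parse_blocks(text):
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            for line in sub:
                w = line.split()
                if len(w) < 2:
                    continue
                if w[0] == "encryption" and w[1] in WEAK_ENC:
                    findings.append(f"{header}: weak encryption {w[1]}")
                elif w[0] == "hash" and w[1] in WEAK_HASH:
                    findings.append(f"{header}: weak hash {w[1]}")
                elif w[0] == "group" and w[1] in WEAK_DH:
                    findings.append(f"{header}: weak DH group {w[1]}")
        elif header.startswith("crypto ipsec transform-set"):
            for t in words[4:]:  # words[3] is the transform-set name
                if t in WEAK_ENC | WEAK_HASH:
                    findings.append(f"transform-set {words[3]}: weak transform {t}")
        elif header.startswith("tunnel-group") and "peer-id-validate nocheck" in sub:
            findings.append(f"{header}: peer identity not validated")
        elif header.startswith("group-policy") and "pfs disable" in sub:
            findings.append(f"{header}: PFS disabled")
        elif words[0] == "telnet" and words[1:2] != ["timeout"]:
            findings.append("telnet enabled: cleartext management, prefer ssh")
        elif header == "console timeout 0":
            findings.append("console timeout 0: console sessions never expire")
        elif header.startswith("policy-map type inspect dns"):
            for line in sub:
                m = re.match(r"message-length maximum (\d+)", line)
                if m and int(m.group(1)) <= 512:
                    findings.append(f"{words[-1]}: DNS replies over {m.group(1)} bytes dropped "
                                    "(AD SRV and EDNS0 replies can exceed this)")
        elif header.startswith("policy-map") and "inspect esmtp" in sub:
            findings.append(f"{header}: ESMTP inspection on, check it is not altering mail submission")
        # Cross-check ACL names: defined vs. used by a crypto map or nat 0.
        m = re.match(r"access-list (\S+) ", header)
        if m:
            defined.add(m.group(1))
        for pat in (r"crypto map \S+ \d+ match address (\S+)", r"nat \(\S+\) 0 access-list (\S+)"):
            m = re.match(pat, header)
            if m:
                referenced.add(m.group(1))
    for name in sorted(defined - referenced):
        findings.append(f"access-list {name}: defined but not used by any crypto map or nat 0")
    for name in sorted(referenced - defined):
        findings.append(f"access-list {name}: referenced but never defined")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(" -", finding)
```

Run it against a `show running-config` capture instead of the embedded sample to get the same checks on a live box; the ACL cross-check only compares names, so the contents of the crypto ACL and the `nat 0` ACL (which must cover the same subnets for the tunnel to carry AD traffic unNATed) still need to be read by hand.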
