Site to Site VPN Problem

Discussion in 'Cisco' started by Peter Simons, Jun 27, 2007.

  Peter Simons (Guest)

    Hi

    Have a site to site VPN problem.
    The network servers are Microsoft Windows Server, both 2000 and 2003.

    At one remote site using an ASA-to-ASA VPN, clients could pick up email
    from an Exchange server but not send email.

    The site with the Exchange server could VNC to the machine that could
    not send email.

    When one browsed the network one could see only local machines. The
    domain controller at the remote site had lots of event ID 1311 entries in
    the directory log.

    Machines could not connect to an SQL server using Active Directory
    credentials but could get to a web site on the same machine.

    Changing the remote site to a PIX 501 solved the problem.


    Munged config of remote site


    Thanks in advance for any help

    : Saved
    :
    ASA Version 7.2(2)
    !
    hostname
    domain-name l
    enable password
    no names
    name 10.0.20.0 mainsite
    name 10.0.50.0 site a
    name 10.0.50.2 caffreys
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.50.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address aa.bb.nn.mm 255.255.255.248
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd
    ftp mode passive
    dns server-group DefaultDNS
    domain-name
    object-group service std tcp
    port-object eq domain
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group service Domain tcp-udp
    port-object eq domain
    access-list inside_access_in extended permit tcp any any object-group std
    access-list inside_access_in extended permit udp host 10.0.50.2 any eq domain
    access-list inside_access_in extended permit tcp host 10.0.50.2 any eq domain
    access-list inside_access_in extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0
    access-list outside_20_cryptomap extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0
    access-list outside_access_in extended permit ip 10.0.20.0 255.255.255.0 10.0.50.0 255.255.255.0
    access-list outside_20_cryptomap_1 extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route inside 10.0.20.0 255.255.255.0 10.0.50.33 1
    route outside 0.0.0.0 0.0.0.0 aa.bb.nn.pp 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    client-firewall none
    client-access-rule none
    webvpn
    functions url-entry
    html-content-filter none
    homepage none
    keep-alive-ignore 4
    http-comp gzip
    filter none
    url-list none
    customization value DfltCustomization
    port-forward none
    port-forward-name value Application Access
    sso-server none
    deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
    svc none
    svc keep-installer installed
    svc keepalive none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression deflate
    url-server (inside) vendor websense host 10.0.20.8 timeout 30 protocol UDP version 4
    filter url 443 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
    filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
    http server enable

    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 20 match address outside_20_cryptomap_1
    crypto map outside_map 20 set peer xx.yy.bb.cc
    crypto map outside_map 20 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp policy 40
    authentication pre-share
    encryption 3des
    hash md5
    group 1
    lifetime 86400
    crypto isakmp nat-traversal 20
    crypto isakmp ipsec-over-tcp port 10000
    tunnel-group xx.yy.bb.cc type ipsec-l2l
    tunnel-group xx.yy.bb.cc ipsec-attributes
    pre-shared-key *
    peer-id-validate nocheck
    pre-shared-key *
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    !
    dhcpd address 10.0.50.2-10.0.50.33 inside
    dhcpd dns 10.0.20.12 10.0.20.16 interface inside
    dhcpd lease 360000 interface inside
    dhcpd domain lowery interface inside
    dhcpd option 3 ip 10.0.50.1 interface inside
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
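An added check script, not from the post or from Cisco, that reads the lines of the config above that matter for a site-to-site tunnel and flags three things a practitioner would verify first with these symptoms: a crypto ACL entry with no matching nat 0 exemption, a static route for the remote LAN that exits an interface other than the one the crypto map is bound to (the ASA then never applies the crypto map to that traffic), and DNS inspection capped at 512 bytes (packets over the maximum are dropped, and Active Directory replies with EDNS0 are often larger). The embedded config excerpt is copied from the post; `ASA_CONFIG`, `ACL_RE` and `audit` are names chosen here.

```python
import re

# Lines copied from the posted config (only those the checks read); everything else is omitted.
ASA_CONFIG = """
access-list outside_20_cryptomap_1 extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.50.0 255.255.255.0 10.0.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
route inside 10.0.20.0 255.255.255.0 10.0.50.33 1
route outside 0.0.0.0 0.0.0.0 aa.bb.nn.pp 1
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
crypto map outside_map 20 match address outside_20_cryptomap_1
crypto map outside_map interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def audit(config):
    """Return a list of findings worth verifying on an ASA site-to-site VPN config."""
    acls, routes, findings = {}, [], []
    nat0 = crypto_acl = crypto_if = None
    for line in (raw.strip() for raw in config.splitlines() if raw.strip()):
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4], m[5]))
        elif m := re.match(r"^nat \(\S+\) 0 access-list (\S+)", line):
            nat0 = m[1]
        elif m := re.match(r"^route (\S+) (\S+) (\S+) ", line):
            routes.append((m[1], m[2], m[3]))          # (interface, network, mask)
        elif m := re.match(r"^crypto map \S+ \d+ match address (\S+)", line):
            crypto_acl = m[1]
        elif m := re.match(r"^crypto map \S+ interface (\S+)", line):
            crypto_if = m[1]
        elif m := re.match(r"^message-length maximum (\d+)", line):
            # DNS replies larger than this limit are dropped by the inspection engine; AD replies
            # carrying EDNS0 frequently exceed 512 bytes.
            if int(m[1]) <= 512:
                findings.append(f"dns inspection drops messages over {m[1]} bytes")
    for entry in acls.get(crypto_acl, []):
        src, dst, mask = entry[0], entry[2], entry[3]
        # Interesting traffic must also be exempt from NAT, or the tunnel sees PATed addresses.
        if entry not in acls.get(nat0, []):
            findings.append(f"crypto ACL entry {src}->{dst} has no nat 0 exemption")
        # A route for the remote LAN via an interface without the crypto map bypasses the tunnel.
        for iface, net, net_mask in routes:
            if (net, net_mask) == (dst, mask) and iface != crypto_if:
                findings.append(f"route to {net} exits '{iface}', crypto map is on '{crypto_if}'")
    return findings
```

Run `audit(ASA_CONFIG)` against the excerpt above and it reports the 512-byte DNS limit and the `route inside 10.0.20.0` line; both are items to confirm on the box, not proof of the cause.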