VPN Connection thru ASA5500 Problem

Discussion in 'Cisco' started by dave, Jan 18, 2008.

  1. dave

    dave Guest

    Hello Everyone,
    I've configured and installed a new ASA5500 at home and everything is
    working except outgoing VPN connections. I run the Cisco VPN client
    and connect to 'Work' and it appears to build the tunnel, however I
    cannot access anything on the remote network. An 'ipconfig/all' shows
    that I've received an IP address on the remote network; just can't get
    to anything. If I swap my old router back in place, I am able to
    connect and access all remote network resources. VPN server on the
    'Work' side is an ASA5510. I appreciate your time and any help you
    can provide, Dave.

    Here's my current running-config:

    Result of the command: "sh run"

    : Saved
    :
    ASA Version 7.2(2)
    !
    hostname home
    domain-name domain.net
    enable password xxxxxxxxxxxxxxxxx encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Vlan3
    no nameif
    security-level 50
    no ip address
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    speed 100
    duplex full
    !
    interface Ethernet0/2
    speed 100
    duplex full
    !
    interface Ethernet0/3
    speed 100
    duplex full
    !
    interface Ethernet0/4
    speed 100
    duplex full
    !
    interface Ethernet0/5
    speed 100
    duplex full
    !
    interface Ethernet0/6
    speed 100
    duplex full
    !
    interface Ethernet0/7
    speed 100
    duplex full
    !
    passwd xxxxxxxxxxxxxxxxxx encrypted
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    dns domain-lookup inside
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server xx.xx.xx.xx
    name-server xx.xx.xx.xx
    domain-name domain.net
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    http server enable
    http xx.xx.xx.xx xxx.xxx.xxx.xxx inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet xx.xx.xx.xx xxx.xxx.xxx.xxx inside
    telnet timeout 5
    ssh xx.xx.xx.xx xxx.xxx.xxx.xxx inside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !
    dhcpd address xx.xx.xx.xx-xx.xx.xx.xx inside
    dhcpd dns xx.xx.xx.xx xx.xx.xx.xx interface inside
    dhcpd enable inside
    !

    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum: xxxxxxxxxxxxxxxxxxxxxxxxxx
    : end
     
    dave, Jan 18, 2008
    #1

  2. dave

    Brian V Guest

    "dave" <> wrote in message
    news:...
    > Hello Everyone,
    > I've configured and installed a new ASA5500 at home and everything is
    > working except outgoing VPN connections. I run the Cisco VPN client
    > and connect to 'Work' and it appears to build the tunnel, however I
    > cannot access anything on the remote network. An 'ipconfig/all' shows
    > that I've received an IP address on the remote network; just can't get
    > to anything. If I swap my old router back in place, I am able to
    > connect and access all remote network resources. VPN server on the
    > 'Work' side is an ASA5510. I appreciate your time and any help you
    > can provide, Dave.


    On the work firewall enter the command "isakmp nat-traversal 20". You are
    coming from behind a "real" firewall now that does true NAT/PAT and the
    work firewall needs to be configured to allow that.
     
    Brian V, Jan 18, 2008
    #2

  3. dave

    Guest

    Hi

    The problem is not on your side. The firewall you connect to
    must be configured with NAT traversal. On a Cisco box (ASA/PIX) it's like
    this:

    crypto isakmp nat-traversal 20

    or on older OSes:

    isakmp nat-traversal 20


    cu
     
    , Jan 19, 2008
    #3
  4. dave

    Jens Haase Guest

    "dave" <> wrote

    > Hello Everyone,
    > I've configured and installed a new ASA5500 at home and everything is
    > working except outgoing VPN connections. I run the Cisco VPN client
    > and connect to 'Work' and it appears to build the tunnel, however I
    > cannot access anything on the remote network. An 'ipconfig/all' shows
    > that I've received an IP address on the remote network; just can't get
    > to anything. If I swap my old router back in place, I am able to
    > connect and access all remote network resources. VPN server on the
    > 'Work' side is an ASA5510. I appreciate your time and any help you
    > can provide, Dave.
    >


    Enable ipsec-pass-thru:

    policy-map global_policy
    class inspection_default
    inspect ipsec-pass-thru


    see:

    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i2_72.html#wp1668213



    for details


    Jens
     
    Jens Haase, Jan 20, 2008
    #4
  5. dave

    Guest

    On Jan 20, 9:12 pm, "Jens Haase" <> wrote:
    > "dave" <> wrote
    >
    > > Hello Everyone,
    > > I've configured and installed a new ASA5500 at home and everything is
    > > working except outgoing VPN connections. I run the Cisco VPN client
    > > and connect to 'Work' and it appears to build the tunnel, however I
    > > cannot access anything on the remote network. An 'ipconfig/all' shows
    > > that I've received an IP address on the remote network; just can't get
    > > to anything. If I swap my old router back in place, I am able to
    > > connect and access all remote network resources. VPN server on the
    > > 'Work' side is an ASA5510. I appreciate your time and any help you
    > > can provide, Dave.

    >
    > Enable ipsec-pass-thru:
    >
    > policy-map global_policy
    > class inspection_default
    > inspect ipsec-pass-thru
    >
    > see:
    >
    > http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/...
    >
    > for details
    >
    > Jens



    Jens, please correct me, but with the pass-thru command, you can't
    have other VPN connections on the outside interface.

    OK, in this example it's not a problem, but for others I think that's
    an important point.

    cu ivo
     
    , Jan 21, 2008
    #5
  6. dave

    Jens Haase Guest

    <> wrote

    > Jens, please correct me, but with the pass-thru command, you can't
    > have other VPN connections on the outside interface.
    >
    > OK, in this example it's not a problem, but for others I think that's
    > an important point.
    >


    You are right about PIX 6.x versions, but I am not sure that this also
    applies to ASA 7.x and 8.x versions. The DocCD does not mention it.
    I might test it if I find the time.
    On the other hand, his requirement was to connect to work, and this might be
    the only solution as, depending on his position, I doubt that the VPN admins
    will change the setup only because of him.

    Jens
     
    Jens Haase, Jan 21, 2008
    #6
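As an added example (mine, not from any poster in this thread), the check below parses the running-config Dave posted and flags what Brian V and Jens are pointing at: `global (outside) 1 interface` with `nat (inside) 1 0.0.0.0 0.0.0.0` overloads every inside host onto the outside address by PAT, and ESP carries no ports for PAT to work with, so the VPN client's tunnel traffic only passes if the work ASA offers NAT-T or if this box tracks it with `inspect ipsec-pass-thru`. The sample config is an abridged copy of the one above; the function names are my own.

```python
import re

# Abridged copy of the running-config posted in this thread (constructed
# sample; the poster had already masked addresses and passwords).
SAMPLE_CONFIG = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect sip
service-policy global_policy global
"""

def parse_policy(config):
    """Return ({policy_map: {class: [inspections]}}, name of the global policy)."""
    policies, global_policy, pmap, cls = {}, None, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"policy-map (?:type \S+ \S+ )?(\S+)$", line):
            pmap, cls = m.group(1), None
            policies.setdefault(pmap, {})
        elif (m := re.match(r"class (\S+)$", line)) and pmap:
            cls = m.group(1)
            policies[pmap].setdefault(cls, [])
        elif (m := re.match(r"inspect (\S+)", line)) and cls:
            policies[pmap][cls].append(m.group(1))
        elif m := re.match(r"service-policy (\S+) global$", line):
            global_policy = m.group(1)
    return policies, global_policy

def uses_interface_pat(config):
    """True when inside hosts are overloaded (PAT) onto the outside address;
    PAT demultiplexes by port, and ESP (IP protocol 50) has none."""
    pools = set(re.findall(r"^\s*global \(outside\) (\d+) interface$", config, re.M))
    rules = set(re.findall(r"^\s*nat \(inside\) (\d+) ", config, re.M))
    return bool(pools & rules)

def audit(config):
    """Findings for the thread's symptom: tunnel builds, no traffic passes."""
    policies, gp = parse_policy(config)
    inspections = {i for insp in policies.get(gp, {}).values() for i in insp}
    if uses_interface_pat(config) and "ipsec-pass-thru" not in inspections:
        return [f"interface PAT without 'inspect ipsec-pass-thru' in policy-map {gp}: "
                "ESP from inside VPN clients only passes if the peer negotiates NAT-T"]
    return []
```

Adding `inspect ipsec-pass-thru` under `class inspection_default` (Jens's fix) clears the finding; so does replacing interface PAT with one-to-one NAT, which is why the old router did not show the problem.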
