Cisco ASA 5505 PAT / VPN issue

Discussion in 'Cisco' started by around1234, Jun 6, 2009.


    First-time poster, thanks in advance for any and all help!

    I have an ASA behind a DSL modem. The ASA is terminating the PPPoE connection. The outside interface 'PPPoE' is getting its address via DHCP, and via 'ip address pppoe setroute' the ASA uses this as the default route for the inside traffic. I have (or so I think) successfully got PAT working, as any inside host can do what it wants on the Internet. I have one port forward set up to forward VNC requests to an inside host; all this works just fine!

    The issue: when clients VPN in from outside they cannot access any internal resources. I know it's something simple like defining not just split tunneling but whatever tells the PAT engine not to try to re-PAT the requests received through the tunnel. Below is the current running config.


    ----paste config-----

    home# sh run
    : Saved
    ASA Version 8.0(3)
    hostname home
    enable password xxx encrypted
    name x.x.15.152 desktop_work
    name laptop_home
    interface Vlan1
    nameif inside
    security-level 100
    ip address
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group qwestdsl
    ip address pppoe setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    passwd xxx encrypted
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    object-group service vnc tcp
    port-object eq 5900
    access-list outside_access_in extended permit ip any interface outside
    access-list outside_access_in extended permit tcp host desktop_work interface outside eq 5900
    access-list Remote_Users_0_splitTunnelAcl standard permit
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool Remote_Users_0_pool mask
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-611.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1
    static (inside,outside) tcp interface 5900 laptop_home 5900 netmask
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http inside
    http x.x.15.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    fqdn home
    subject-name CN=home
    crl configure
    crypto ca certificate chain ASDM_TrustPoint0
    certificate 31
    308201bc 30820125 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
    24310d30 0b060355 04031304 686f6d65 31133011 06092a86 4886f70d 01090216
    1b2c4b71 582ea292 e6ee875c 3cc3f00a 7c6e423b 013cb6bf cbee2b7a fa0f45cf
    ba84abd9 afeea423 447aaa97 e1d45aa7 d705ea0f 55ea9499 f28c977c 933e053c
    29728eae f7b106cd d2b9c5eb b2d9e789 0d22831a 00e685f2 c7037318 75a7155f
    e13445f9 2c5d884f 02030100 01300d06 092a8648 86f70d01 01040500 03818100
    d40b0643 f42090e6 d9c4457d 93f6b8bb f2f28abe 3fe37344 9dd0b6b4 fd6b3a7d
    7087ddb5 757a654f 31c39c03 df51d32f d2da5ee2 3236c51a 0b7ddc0a 57832cfb
    e788a5d9 141d2fcf b835b9dd 34118d22 da0c73e8 1c4450aa 060ba798 841c23a6
    5e09b7e2 76a2ef91 af94a24c 8197f22c 283a7b2f 591c1e8b c94e16d8 54ba34a6
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    vpn-addr-assign local reuse-delay 120
    telnet timeout 5
    ssh inside
    ssh x.x.0.0 outside
    ssh timeout 5
    ssh version 2
    console timeout 0
    vpdn group qwestdsl request dialout pppoe
    vpdn group qwestdsl localname [email protected]
    vpdn group qwestdsl ppp authentication chap
    vpdn username [email protected] password ********* store-local
    dhcpd auto_config outside
    dhcpd address inside
    dhcpd dns x.x.3.65 x.x.2.65 interface inside
    dhcpd lease 86400 interface inside
    dhcpd ping_timeout 200 interface inside
    dhcpd enable inside

    threat-detection basic-threat
    threat-detection statistics
    group-policy DfltGrpPolicy attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Remote_Users_0_splitTunnelAcl
    group-policy Remote_Users_0 internal
    group-policy Remote_Users_0 attributes
    dns-server value x.x.2.65 x.x.3.65
    vpn-tunnel-protocol IPSec l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value Remote_Users_0_splitTunnelAcl
    username jxa password xf3EN0E encrypted privilege 15
    username cxm password xUhkXiY encrypted privilege 15
    tunnel-group Remote_Users_0 type remote-access
    tunnel-group Remote_Users_0 general-attributes
    address-pool (inside) Remote_Users_0_pool
    address-pool Remote_Users_0_pool
    default-group-policy Remote_Users_0
    tunnel-group Remote_Users_0 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    service-policy global_policy global
    prompt hostname context
    : end

    ----end paste config----
    around1234, Jun 6, 2009
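The symptom described above (VPN clients authenticate but reach nothing inside) is the classic ASA 8.0 NAT-exemption gap: the pasted config has a PAT rule (`nat (inside) 1` / `global (outside) 1 interface`) but no `nat (inside) 0 access-list` identity rule, so replies from inside hosts to VPN-pool addresses are PATed to the outside interface and never make it back through the tunnel. The fragment below is an added example in ASA 8.0(3) syntax, not part of the original post or an answer from the thread. The inside LAN 192.168.1.0/24 and the VPN pool 192.168.10.0/24 are placeholder values, because the pasted config has its subnets blanked out; substitute the real ones.

```cisco
! Added example, not from the thread. 192.168.1.0/24 = inside LAN, 192.168.10.0/24 = VPN pool
! (both placeholders; the posted config has its addresses blanked out).
!
! 1. Give the pool a concrete range on a subnet that does not overlap the inside LAN.
ip local pool Remote_Users_0_pool 192.168.10.1-192.168.10.50 mask 255.255.255.0
!
! 2. Split-tunnel ACL: only the inside LAN is routed through the tunnel; the posted ACL has no network.
access-list Remote_Users_0_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
!
! 3. NAT exemption (identity NAT): inside -> VPN pool must not be PATed to the outside interface.
!    On ASA 8.0 a "nat 0 access-list" rule is evaluated before the "nat (inside) 1" dynamic PAT rule.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! 4. The posted config has "no crypto isakmp nat-traversal"; clients behind a home or hotel NAT
!    need NAT-T (ESP in UDP 4500) or their ESP packets never arrive. 20 is the keepalive interval.
crypto isakmp nat-traversal 20
!
! Verification after a client connects (placeholder addresses again):
!   show crypto ipsec sa        -> both #pkts encaps and #pkts decaps should increase
!   show xlate                  -> no translation entries for 192.168.10.x addresses
!   packet-tracer input inside tcp 192.168.1.10 1025 192.168.10.5 445
!                               -> NAT phase should show the identity (nat 0) rule, result ALLOW
```

The ordering matters: the identity rule only works because the ASA consults `nat 0 access-list` ahead of the numbered dynamic rule, so the existing `nat (inside) 1` / `global (outside) 1 interface` pair stays in place for ordinary Internet traffic. The `packet-tracer` line is the quickest way to confirm the fix without a client, since it shows which NAT rule a simulated inside-to-pool packet hits.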
