My first VPN setup with my ASA 5505

Discussion in 'Cisco' started by mrkylewood, May 10, 2012.

  1. mrkylewood
    I have a newly acquired ASA 5505 that I just set up to the bare minimum configuration. I followed a Cisco paper on how to create a "remote access VPN" setup for IPsec. I can successfully connect and establish a VPN, but when I try to access an inside resource from the VPN address, the ASA blocks it.

    Specific error is:

    5 May 09 2012 15:17:48 305013 80 Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside: dst inside: denied due to NAT reverse path failure

    Here is my config.

    : Saved
    ASA Version 8.2(2)
    hostname asawood
    domain-name wood.local
    enable password W/KqlBn3sSTvaD0T encrypted
    passwd W/KqlBn3sSTvaD0T encrypted
    name kylewooddesk description kyle
    interface Vlan1
    nameif inside
    security-level 100
    ip address
    interface Vlan2
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa822-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name wood.local
    object-group service rdp tcp
    description rdp access
    port-object eq 3389
    access-list outside_access_in extended permit tcp any interface outside eq 3389
    access-list outside_access_in extended permit tcp any interface outside eq 8080
    access-list outside_access_in extended permit tcp any interface outside eq 3333
    access-list inside_nat0_outbound extended permit ip any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-631.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 2 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1
    static (inside,outside) tcp interface 3389 kylewooddesk 3389 netmask dns
    static (inside,outside) tcp interface 8080 kylewooddesk 8080 netmask
    static (inside,outside) tcp interface 3333 3333 netmask
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication http console LOCAL
    http server enable
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn1 1 set transform-set FirstSet
    crypto dynamic-map dyn1 1 set reverse-route
    crypto map mymap 1 ipsec-isakmp dynamic dyn1
    crypto map mymap interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    telnet inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns
    dhcpd lease 3000
    dhcpd address inside
    dhcpd enable inside

    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username vpnkyle password p29RprV0OZB6997h encrypted
    username mrkylewood password Q4339wmn1ourxj9X encrypted
    tunnel-group woodgroup type remote-access
    tunnel-group woodgroup general-attributes
    address-pool vpnpool
    tunnel-group woodgroup ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect ip-options
    policy-map type inspect dns MY_DNS_INSPECT_MAP
    service-policy global_policy global
    prompt hostname context
    profile CiscoTAC-1
    no active
    destination address http
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
    : end
    asdm image disk0:/asdm-631.bin
    asdm location kylewooddesk inside
    no asdm history enable
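The configuration change that message 305013 usually points to on 8.2, added here as an illustration and not taken from the post or any reply: the return flow from kylewooddesk to a VPN client is matched against the NAT rules in order (nat 0 access-list first, then static), so unless the exemption list covers inside-to-pool traffic the reverse flow lands on the static PAT rule while the forward flow matched nothing, which the ASA reports as asymmetric NAT and drops. The addresses below (inside 192.168.1.0/24, kylewooddesk 192.168.1.10, vpnpool 192.168.10.0/24) are assumed placeholders because the post redacts its own.

```cisco
! Assumed placeholder addressing (the post's addresses are redacted):
!   inside subnet 192.168.1.0/24, kylewooddesk = 192.168.1.10
!   vpnpool 192.168.10.1-192.168.10.50, deliberately not overlapping inside
!
! Before: the exemption ACL says nothing about the pool, so the reply from
! kylewooddesk to a VPN client is not exempted and falls through to the
! static PAT rule below, while the inbound VPN packet matched no NAT rule.
! Result: %ASA-3-305013 Asymmetric NAT rules matched for forward and reverse flows.
access-list inside_nat0_outbound extended permit ip any <redacted in post>
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) tcp interface 3389 kylewooddesk 3389 netmask 255.255.255.255
!
! After: add an exemption for inside-to-pool traffic. Because nat 0 is
! evaluated before static, both directions of the VPN flow now hit the same
! identity rule and the connection is built.
ip local pool vpnpool 192.168.10.1-192.168.10.50 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Verify with the built-in tracer: simulate the reply from the host to a
! pool address and confirm the NAT phase shows the exemption (nat 0 rule)
! and the final result is ALLOW instead of the 305013 drop.
packet-tracer input inside tcp 192.168.1.10 3389 192.168.10.5 50000
```

`show nat` and `show xlate` after the change should show no PAT translation being built for the pool address; if one still appears, the pool or inside subnet differs from the placeholders assumed here.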