[Urgent] Help Requested please => Cisco ASA and Remote IPSEC VPN

Discussion in 'Cisco' started by Mag, Jan 7, 2009.

  1. Mag

    Mag Guest

    Hi

    I have a small problem with my new ASA 5510:

    I have configured an IPsec VPN service and there are no problems
    with the connection, but afterwards, when I want to ping the LAN,
    I don't get an answer.

    On one of my servers I see the packet with tcpdump, and I see
    the reply of the server, but on the ASA I have a message from
    the firewall ...

    I have used the wizard included in version 6.0.

    One sh run:



    : Saved
    :
    ASA Version 8.0(3)
    !
    hostname ASA5510-1
    domain-name asa.xxx.org
    enable password xxx encrypted
    names
    name 10.108.5.0 IPSec
    !
    interface Ethernet0/0
    nameif wan
    security-level 0
    ip address 62.XX.XX.XX 255.255.255.192
    !
    interface Ethernet0/1
    nameif lan
    security-level 0
    ip address 10.108.7.242 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 0
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    passwd xxx encrypted
    ftp mode passive
    dns domain-lookup lan
    dns server-group DefaultDNS
    name-server 10.108.7.250
    domain-name asa.xxx.org
    access-list lan_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 IPSec 255.255.255.0
    access-list ipsecvpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu lan 1500
    mtu wan 1500
    ip local pool IpSec 10.108.5.10-10.108.5.254
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any lan
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    global (wan) 101 interface
    route wan 0.0.0.0 0.0.0.0 62.XX.XX.XX 1
    route lan 10.0.0.0 255.0.0.0 10.108.7.250 1
    route lan 172.16.0.0 255.255.0.0 10.108.7.250 1
    route lan 192.168.0.0 255.255.0.0 10.108.7.250 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server IPSEC protocol radius
    aaa-server IPSEC (lan) host 10.108.7.245
    key XXXXX
    authentication-port 1812
    accounting-port 1813
    http server enable
    http 0.0.0.0 0.0.0.0 wan
    http 62.xx.xx.xx 255.255.255.192 wan
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map wan_map interface wan
    crypto isakmp enable wan
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access wan
    threat-detection basic-threat
    threat-detection statistics
    group-policy ipsec internal
    group-policy ipsec attributes
    dns-server value 172.16.10.1 10.100.10.21
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value ipsec_splitTunnelAcl
    default-domain value xxx.fr
    vpn-group-policy ipsec
    tunnel-group ipsec type remote-access
    tunnel-group ipsec general-attributes
    address-pool IpSec
    authentication-server-group IPSEC LOCAL
    default-group-policy ipsec
    tunnel-group ipsec ipsec-attributes
    pre-shared-key *
    !
    !
    prompt hostname context
    Cryptochecksum:714d09de3a3cdxxxx
    : end



    and the deny logs:

    Ping:

    3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan:10.108.7.248 dst wan:10.108.5.10 (type 0, code 0)

    6|Jan 05 2009|05:30:10|302020|10.108.5.10|10.108.7.248|Built inbound ICMP connection for faddr 10.108.5.10/2048 gaddr 10.108.7.248/0 laddr 10.108.7.248/0 (magalie)

    6|Jan 05 2009|05:30:09|302021|10.100.5.10|10.108.7.248|Teardown ICMP connection for faddr 10.108.5.10/2048 gaddr 10.108.7.248/0 laddr 10.108.7.248/0 (magalie)

    Same for SSH:

    Inbound TCP connection denied from 10.108.7.245/22 to 10.108.5.10/1953 flags SYN ACK on interface lan





    Please help me, I think that it's a small error of mine, but where??????

    mag
     
    Mag, Jan 7, 2009
    #1
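As an added sanity check that is not part of the thread: a small Python lint over a constructed excerpt of the posted running config (the interface, access-list and group-policy statements only). It flags ACLs that are defined but never applied, ACL names that are referenced but never defined, and interfaces that share a security level without a same-security-traffic statement. These are things to verify before running packet-tracer, not a diagnosis of the thread's problem.

```python
import re

# Constructed excerpt of the posted "sh run": only the statements the
# checks below look at (the full config in the thread is longer).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif wan
 security-level 0
interface Ethernet0/1
 nameif lan
 security-level 0
access-list lan_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 IPSec 255.255.255.0
access-list ipsecvpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
group-policy ipsec attributes
 split-tunnel-network-list value ipsec_splitTunnelAcl
"""
# Statements that apply an ACL by name (the subset relevant to this config).
REF_PATTERNS = (r"access-group (\S+) ", r"nat \(\S+\) \d+ access-list (\S+)",
                r"split-tunnel-network-list value (\S+)")
def lint_asa_config(text):
    # Returns a list of findings (strings) worth checking on an ASA config.
    defined, referenced, levels = set(), set(), {}
    nameif, same_sec = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) ", line):
            defined.add(m.group(1))
        elif m := re.match(r"nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"security-level (\d+)", line)) and nameif:
            levels[nameif] = int(m.group(1))
        elif line == "same-security-traffic permit inter-interface":
            same_sec = True
        else:
            for pat in REF_PATTERNS:
                if m := re.match(pat, line):
                    referenced.add(m.group(1))
    findings = [f"ACL {n} is defined but never applied" for n in sorted(defined - referenced)]
    findings += [f"ACL {n} is referenced but not defined" for n in sorted(referenced - defined)]
    # Interfaces with equal security levels do not pass traffic to each other
    # unless same-security-traffic permit inter-interface is configured.
    if not same_sec:
        by_level = {}
        for ifc, lvl in levels.items():
            by_level.setdefault(lvl, []).append(ifc)
        for lvl, ifcs in sorted(by_level.items()):
            if len(ifcs) > 1:
                findings.append(f"interfaces {', '.join(sorted(ifcs))} share security-level "
                                f"{lvl} without same-security-traffic permit inter-interface")
    return findings
```

Run against the excerpt it reports the unused lan_nat0_outbound ACL, the split-tunnel name mismatch (ipsecvpn_splitTunnelAcl defined, ipsec_splitTunnelAcl referenced) and the lan/wan interfaces both at security-level 0.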

  2. Asansi

    Asansi

    Joined: Jan 7, 2009
    Messages: 2
    Likes Received: 0

    Hi,

    Could you do a:

    packet-tracer input wan icmp <source-ip> 8 0 <destination-ip>

    and put the output in here?

    Thanks
     
    Asansi, Jan 7, 2009
    #2

  3. Lukas

    Lukas Guest

    Mag writes:
    Did you bypass the ACLs by typing:

    sysopt connection permit-vpn
     
    Lukas, Jan 8, 2009
    #3