[Urgent] Help Requested please => Cisco ASA and Remote IPSEC VPN

Hi

i have a small problems with my new asa 5510:

I have configured a VPN IPSEC Service and no problems
at the connection but after, when i want ping the lan
i don't have a answer.

On one of my server, i see the packet with tcpdump, i see
the reply of the server but on the ASA i have a message of
the firewall ...

I have used the Wizard included into the 6.0 version.

one sh run:



: Saved
:
ASA Version 8.0(3)
!
hostname ASA5510-1
domain-name asa.xxx.org
enable password xxx encrypted
names
name 10.108.5.0 IPSec
!
interface Ethernet0/0
nameif wan
security-level 0
ip address 62.XX.XX.XX 255.255.255.192
!
interface Ethernet0/1
nameif lan
security-level 0
ip address 10.108.7.242 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd xxx encrypted
ftp mode passive
dns domain-lookup lan
dns server-group DefaultDNS
name-server 10.108.7.250
domain-name asa.xxx.org
access-list lan_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0
IPSec 255.255.255.0
access-list ipsecvpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu lan 1500
mtu wan 1500
ip local pool IpSec 10.108.5.10-10.108.5.254
icmp unreachable rate-limit 1 burst-size 1
icmp permit any lan
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (wan) 101 interface
route wan 0.0.0.0 0.0.0.0 62.XX.XX.XX 1
route lan 10.0.0.0 255.0.0.0 10.108.7.250 1
route lan 172.16.0.0 255.255.0.0 10.108.7.250 1
route lan 192.168.0.0 255.255.0.0 10.108.7.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server IPSEC protocol radius
aaa-server IPSEC (lan) host 10.108.7.245
key XXXXX
authentication-port 1812
accounting-port 1813
http server enable
http 0.0.0.0 0.0.0.0 wan
http 62.xx.xx.xx 255.255.255.192 wan
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set
ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5
ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
ESP-DES-MD5
crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wan_map interface wan
crypto isakmp enable wan
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access wan
threat-detection basic-threat
threat-detection statistics
group-policy ipsec internal
group-policy ipsec attributes
dns-server value 172.16.10.1 10.100.10.21
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ipsec_splitTunnelAcl
default-domain value xxx.fr
vpn-group-policy ipsec
tunnel-group ipsec type remote-access
tunnel-group ipsec general-attributes
address-pool IpSec
authentication-server-group IPSEC LOCAL
default-group-policy ipsec
tunnel-group ipsec ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:714d09de3a3cdxxxx
: end



and the deny logs:


Ping:

3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan:10.108.7.248
dst wan:10.108.5.10 (type 0, code 0)

6|Jan 05 2009|05:30:10|302020|10.108.5.10|10.108.7.248|Built inbound
ICMP connection for faddr 10.108.5.10/2048 gaddr 10.108.7.248/0 laddr
10.108.7.248/0 (magalie)

6|Jan 05 2009|05:30:09|302021|10.100.5.10|10.108.7.248|Teardown ICMP
connection for faddr 10.108.5.10/2048 gaddr 10.108.7.248/0 laddr
10.108.7.248/0 (magalie)


Idem pour du ssh:

Inbound TCP connection denied from 10.108.7.245/22 to 10.108.5.10/1953
flags SYN ACK on interface lan





Pleassse help me, i thinks that it's a small error of me, but where ??????

mag

 

Hi,

could you do a :

packet-tracer input wan icmp <source-ip> 8 0 <destination-ip>

and put the output in here?

Thanks

 

Mag pisze:

did You bypassed ACL's by typing:

sysopt permitvpn