[Urgent] Help Requested please => Cisco ASA and Remote IPSEC VPN

Discussion in 'Cisco' started by Mag, Jan 7, 2009.

  1. Mag

    Mag Guest


    I have a small problem with my new ASA 5510:

    I have configured an IPsec VPN service and there are no problems
    with the connection, but afterwards, when I want to ping the LAN,
    I don't get an answer.

    On one of my servers I see the packet with tcpdump, and I see
    the reply from the server, but on the ASA I get a message from
    the firewall ...

    I used the wizard included in the 6.0 version.

    A sh run:

    : Saved
    ASA Version 8.0(3)
    hostname ASA5510-1
    domain-name asa.xxx.org
    enable password xxx encrypted
    name IPSec
    interface Ethernet0/0
     nameif wan
     security-level 0
     ip address 62.XX.XX.XX
    interface Ethernet0/1
     nameif lan
     security-level 0
     ip address
    interface Ethernet0/2
     no nameif
     no security-level
     no ip address
    interface Ethernet0/3
     no nameif
     no security-level
     no ip address
    interface Management0/0
     nameif management
     security-level 0
     ip address
    passwd xxx encrypted
    ftp mode passive
    dns domain-lookup lan
    dns server-group DefaultDNS
     domain-name asa.xxx.org
    access-list lan_nat0_outbound extended permit ip
    access-list ipsecvpn_splitTunnelAcl standard permit
    pager lines 24
    logging enable
    logging asdm informational
    mtu management 1500
    mtu lan 1500
    mtu wan 1500
    ip local pool IpSec
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any lan
    asdm image disk0:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    global (wan) 101 interface
    route wan 62.XX.XX.XX 1
    route lan 1
    route lan 1
    route lan 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server IPSEC protocol radius
    aaa-server IPSEC (lan) host
     key XXXXX
     authentication-port 1812
     accounting-port 1813
    http server enable
    http wan
    http 62.xx.xx.xx wan
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set
    crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map wan_map interface wan
    crypto isakmp enable wan
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access wan
    threat-detection basic-threat
    threat-detection statistics
    group-policy ipsec internal
    group-policy ipsec attributes
     dns-server value
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value ipsec_splitTunnelAcl
     default-domain value xxx.fr
    vpn-group-policy ipsec
    tunnel-group ipsec type remote-access
    tunnel-group ipsec general-attributes
     address-pool IpSec
     authentication-server-group IPSEC LOCAL
     default-group-policy ipsec
    tunnel-group ipsec ipsec-attributes
     pre-shared-key *
    prompt hostname context
    : end

    and the deny logs:


    3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan: dst wan: (type 0, code 0)

    6|Jan 05 2009|05:30:10|302020|||Built inbound ICMP connection for faddr gaddr laddr (magalie)

    6|Jan 05 2009|05:30:09|302021|||Teardown ICMP connection for faddr gaddr laddr (magalie)

    The same for ssh:

    Inbound TCP connection denied from to flags SYN ACK on interface lan

    Please help me, I think it's a small mistake of mine, but where?

    Mag, Jan 7, 2009
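The deny and connection messages above, correlated as an added example (not code from the original post): a small Python parser for the ASDM pipe-delimited lines that matches each "Deny inbound icmp" of an echo reply (type 0) against the "Built inbound ICMP connection" it answers, so a firewall refusing the return half of a connection it has itself just built is separated from ordinary unsolicited-ICMP noise. SAMPLE_LOG is constructed from the lines in the post, with RFC 5737 addresses standing in for the ones the poster redacted; the message formats for 106014/302020/302021 are the standard ASA ones, and the dict keys of the findings are this example's own.

```python
"""Correlate ASA 'Built'/'Teardown ICMP connection' messages (302020/302021)
with 'Deny inbound icmp' drops (106014) so that an echo reply refused for a
connection the firewall has just built stands out from unsolicited-ICMP noise.
Added example; not code from the original post."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the ASDM pipe-delimited form used in the post
# (severity|date|time|message-id|||text), newest line first as ASDM shows it.
# RFC 5737 test addresses stand in for the redacted ones: 198.51.100.7 is the
# VPN client's pool address, 192.0.2.20 the LAN server, 203.0.113.1 the wan
# interface; the last line is unsolicited-echo noise that must not match.
SAMPLE_LOG = """\
3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan:192.0.2.20 dst wan:198.51.100.7 (type 0, code 0)
6|Jan 05 2009|05:30:10|302020|||Built inbound ICMP connection for faddr 198.51.100.7/0 gaddr 192.0.2.20/0 laddr 192.0.2.20/0 (magalie)
6|Jan 05 2009|05:30:09|302021|||Teardown ICMP connection for faddr 198.51.100.7/0 gaddr 192.0.2.20/0 laddr 192.0.2.20/0 (magalie)
3|Jan 05 2009|05:29:55|106014|||Deny inbound icmp src wan:203.0.113.9 dst wan:203.0.113.1 (type 8, code 0)
"""

LINE_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<date>[^|]+)\|(?P<time>[^|]+)\|(?P<msgid>\d{6})\|[^|]*\|[^|]*\|(?P<text>.*)$"
)
DENY_ICMP_RE = re.compile(
    r"Deny inbound icmp src (?P<sif>\w+):(?P<src>[\d.]+) dst (?P<dif>\w+):(?P<dst>[\d.]+)"
    r" \(type (?P<type>\d+), code (?P<code>\d+)\)"
)
ICMP_CONN_RE = re.compile(
    r"(?P<what>Built (?:inbound|outbound)|Teardown) ICMP connection for"
    r" faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)


@dataclass
class Event:
    when: datetime
    severity: int
    msgid: str
    text: str


def parse_line(line: str) -> Event:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not an ASDM log line: {line!r}")
    when = datetime.strptime(f"{m['date']} {m['time']}", "%b %d %Y %H:%M:%S")
    return Event(when, int(m["sev"]), m["msgid"], m["text"])


def find_dropped_replies(log_text: str) -> list[dict]:
    """Return each echo-reply deny whose reversed (src, dst) pair matches an
    ICMP connection that was built and not yet torn down."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    # ASDM lists newest first: reverse, then a stable sort by time keeps the
    # original relative order of events that fall within the same second.
    events = sorted((parse_line(l) for l in reversed(lines)), key=lambda e: e.when)
    open_conns: dict[tuple[str, str], datetime] = {}  # (faddr, laddr) -> built
    findings: list[dict] = []
    for ev in events:
        if ev.msgid in ("302020", "302021"):
            m = ICMP_CONN_RE.search(ev.text)
            if not m:
                continue
            key = (m["faddr"], m["laddr"])
            if m["what"].startswith("Built"):
                open_conns[key] = ev.when
            else:
                open_conns.pop(key, None)
        elif ev.msgid == "106014":
            m = DENY_ICMP_RE.search(ev.text)
            if not m or m["type"] != "0":
                continue  # only echo replies are the return half of a ping
            key = (m["dst"], m["src"])  # the reply runs laddr -> faddr
            if key in open_conns:
                findings.append({
                    "when": ev.when.strftime("%H:%M:%S"),
                    "reply_src": m["src"], "reply_src_iface": m["sif"],
                    "reply_dst": m["dst"], "reply_dst_iface": m["dif"],
                    "conn_built": open_conns[key].strftime("%H:%M:%S"),
                })
    return findings


if __name__ == "__main__":
    for f in find_dropped_replies(SAMPLE_LOG):
        print(f"{f['when']}: echo reply {f['reply_src']} ({f['reply_src_iface']}) -> "
              f"{f['reply_dst']} ({f['reply_dst_iface']}) denied; connection built {f['conn_built']}")
```

Run it over a saved ASDM log export; findings come back as dicts so they can be handed to whatever alerting is in use. A reply denied for a connection the ASA itself built a moment earlier points at the path between the two interfaces (security levels, NAT exemption, ACLs) rather than at the IKE/IPsec negotiation, which is the symptom described in the post.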

  2. Asansi


    Could you do a:

    packet-tracer input wan icmp <source-ip> 8 0 <destination-ip>

    and paste the output here?

    Asansi, Jan 7, 2009

  3. Lukas

    Lukas Guest

    Mag wrote:
    Did you bypass ACLs by typing:

    sysopt connection permit-vpn
    Lukas, Jan 8, 2009
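Lukas's question about the ACL bypass, together with the show run in the first post, as one added example (not code from the original thread): a small Python linter that walks an ASA 8.0 show run and reports the remote-access VPN pitfalls that can be read straight off the posted config: two interfaces at the same security level without same-security-traffic, an ACL name that is referenced but never defined (or defined but never applied), single DES or MD5 in IKE policies and transform sets, the default sysopt connection permit-vpn (enabled when absent from show run, so decrypted VPN traffic skips interface ACLs and only a group-policy vpn-filter restricts it), and HTTP/SSH/management-access on a security-level-0 interface. SAMPLE_CONFIG is a constructed excerpt modelled on the poster's config with RFC 5737 addresses in place of the redacted ones; the parse_config/lint names and the wording of the findings are this example's own.

```python
"""Lint an ASA 8.0 'show run' for remote-access VPN pitfalls visible in the posted
config: same security level on the VPN and LAN interfaces, ACL names referenced but
undefined (or defined but never applied), single DES / MD5 in IKE and IPsec proposals,
the sysopt connection permit-vpn ACL bypass, and management access on a
security-level-0 interface. Added example; not code from the original thread."""
import re

# Constructed excerpt modelled on the poster's show run (RFC 5737 addresses in
# place of the redacted ones, ASA's one-space sub-command indent restored).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif wan
 security-level 0
interface Ethernet0/1
 nameif lan
 security-level 0
access-list lan_nat0_outbound extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list ipsecvpn_splitTunnelAcl standard permit 192.0.2.0 255.255.255.0
http 203.0.113.9 255.255.255.255 wan
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map wan_map interface wan
crypto isakmp policy 10
 encryption des
 hash sha
management-access wan
group-policy ipsec attributes
 split-tunnel-network-list value ipsec_splitTunnelAcl
"""

# Commands that apply an ACL by name; 'nat (if) 0 access-list NAME' matches the last alternative.
ACL_REF_RE = re.compile(
    r"(?:access-group|split-tunnel-network-list value|vpn-filter value|access-list) (\S+)")


def parse_config(text: str) -> list[tuple[str, list[str]]]:
    """Group lines into (command, [sub-commands]) by ASA's leading-space indent."""
    blocks: list[tuple[str, list[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith(("!", ":")):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint(text: str) -> list[str]:
    blocks = parse_config(text)
    flat = [p for p, _ in blocks] + [c for _, kids in blocks for c in kids]
    findings: list[str] = []

    # 1. The VPN-terminating interface cannot exchange traffic with another
    #    interface at the same security level unless same-security-traffic is permitted.
    levels: dict[str, int] = {}
    for parent, kids in blocks:
        if parent.startswith("interface "):
            name = next((k.split()[1] for k in kids if k.startswith("nameif ")), None)
            lvl = next((int(k.split()[1]) for k in kids if k.startswith("security-level ")), None)
            if name is not None and lvl is not None:
                levels[name] = lvl
    for vif in (l.split()[-1] for l in flat if l.startswith("crypto map ") and " interface " in l):
        peers = [n for n, lv in levels.items() if n != vif and lv == levels.get(vif)]
        if peers and "same-security-traffic permit inter-interface" not in flat:
            findings.append(f"{vif} shares security-level {levels[vif]} with {', '.join(peers)}"
                            " and same-security-traffic permit inter-interface is not set")

    # 2. ACL names: referenced but undefined, or defined but never applied.
    defined = {l.split()[1] for l in flat if l.startswith("access-list ")}
    referenced = {m.group(1) for l in flat if not l.startswith("access-list ")
                  for m in ACL_REF_RE.finditer(l)}
    findings += [f"ACL {n} is referenced but never defined" for n in sorted(referenced - defined)]
    findings += [f"ACL {n} is defined but never applied" for n in sorted(defined - referenced)]

    # 3. Single DES or MD5 in IKE policies and IPsec transform sets.
    for parent, kids in blocks:
        if parent.startswith("crypto isakmp policy "):
            weak = [k for k in kids if k in ("encryption des", "hash md5")]
            if weak:
                findings.append(f"{parent}: {', '.join(weak)}")
        elif parent.startswith("crypto ipsec transform-set ") and (
                {"esp-des", "esp-md5-hmac"} & set(parent.split())):
            findings.append(f"{parent}: single DES or MD5")

    # 4. sysopt connection permit-vpn is on by default and then absent from show run:
    #    decrypted VPN traffic bypasses interface ACLs; only a vpn-filter still applies.
    if "no sysopt connection permit-vpn" not in flat:
        unfiltered = [p.split()[1] for p, kids in blocks
                      if p.startswith("group-policy ") and p.endswith(" attributes")
                      and not any(k.startswith("vpn-filter value ") for k in kids)]
        msg = "sysopt connection permit-vpn is at its default: VPN traffic bypasses interface ACLs"
        findings.append(msg + (f"; group-policy {', '.join(unfiltered)} has no vpn-filter"
                               if unfiltered else ""))

    # 5. Management plane reachable on a security-level-0 interface.
    for toks in (l.split() for l in flat):
        if levels.get(toks[-1]) == 0 and (toks[0] == "management-access" or
                                          (toks[0] in ("http", "ssh", "telnet") and len(toks) > 2)):
            findings.append(f"{' '.join(toks)}: management access on security-level 0 interface {toks[-1]}")
    return findings
```

Feed it the text of `show run` (or `more system:running-config`) and print the list; an empty list means none of these five checks fired. The check is deliberately syntactic, so it reports what the config says, not what the box does: confirm anything it flags with `packet-tracer` or `show run all sysopt` on the device.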
