cisco asa 5510 vpn related problem
  • cisco asa 5510 vpn related problem

    Hi,
    I have configured a Cisco ASA 5510 firewall for IPsec VPN. The VPN user connects successfully, and inside hosts can access the VPN user's desktop etc. through RDC, but the VPN user cannot access anything behind the ASA. Anybody please help.

  • #2
    Re: cisco asa 5510 vpn related problem

    Can you post the config please (alter personal info but make it easy to understand).

    If it works one way but not another then have you checked for things like firewalls on the inside hosts for example?
    cheers
    Andy

    Quis custodiet ipsos custodes?



    • #3
      Re: cisco asa 5510 vpn related problem

      Sounds like you didn't set up an access-list for the VPN pool to allow traffic to your internal network.
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"



      • #4
        Re: cisco asa 5510 vpn related problem

        Hi,
        please check the config below (IPs changed) and suggest.

        Thanks

        vaibhav

        Result of the command: "sh run"

        : Saved
        :
        ASA Version 7.0(7)
        !
        hostname ciscoasa
        domain-name default.domain.invalid
        enable password CjB3V.RvuwKu6TC6 encrypted
        names
        dns-guard
        !
        interface Ethernet0/0
        nameif outside
        security-level 0
        ip address 203.124.222.125 255.255.255.0
        !
        interface Ethernet0/1
        nameif inside
        security-level 0
        ip address 192.168.0.9 255.255.255.0
        !
        interface Ethernet0/2
        shutdown
        no nameif
        no security-level
        no ip address
        !
        interface Management0/0
        nameif management
        security-level 0
        ip address 192.168.1.1 255.255.255.0
        management-only
        !
        passwd 2KFQnbNIdI.2KYOU encrypted
        ftp mode passive
        same-security-traffic permit inter-interface
        access-list inside_nat0_inbound extended permit ip any 192.168.50.0 255.255.255.192
        pager lines 24
        logging enable
        logging asdm informational
        mtu management 1500
        mtu outside 1500
        mtu inside 1500
        ip local pool vpn_pool 192.168.50.1-192.168.50.50 mask 255.255.255.0
        asdm image disk0:/asdm-507.bin
        no asdm history enable
        arp timeout 14400
        nat-control
        global (outside) 11 interface
        nat (inside) 0 access-list inside_nat0_inbound outside
        nat (inside) 11 192.168.0.0 255.255.255.0
        nat (inside) 0 0.0.0.0 0.0.0.0
        route outside 0.0.0.0 0.0.0.0 203.124.22.126 1
        timeout xlate 3:00:00
        timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
        timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
        timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
        timeout uauth 0:05:00 absolute
        group-policy arihant internal
        group-policy arihant attributes
        banner value Welcome to Arihant Network
        vpn-simultaneous-logins 30
        vpn-tunnel-protocol IPSec
        webvpn
        username vpnuser password uYAKpHZDzxydX2Gu encrypted privilege 0
        username vpnuser attributes
        vpn-group-policy arihant
        webvpn
        http server enable
        http 192.168.1.0 255.255.255.0 management
        no snmp-server location
        no snmp-server contact
        snmp-server enable traps snmp authentication linkup linkdown coldstart
        crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
        crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
        crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
        crypto map outside_map interface outside
        isakmp enable outside
        isakmp policy 10 authentication pre-share
        isakmp policy 10 encryption 3des
        isakmp policy 10 hash sha
        isakmp policy 10 group 2
        isakmp policy 10 lifetime 86400
        tunnel-group arihant type ipsec-ra
        tunnel-group arihant general-attributes
        address-pool vpn_pool
        default-group-policy arihant
        tunnel-group arihant ipsec-attributes
        pre-shared-key *
        telnet timeout 5
        ssh timeout 5
        console timeout 0
        dhcpd address 192.168.1.2-192.168.1.254 management
        dhcpd lease 3600
        dhcpd ping_timeout 50
        !
        class-map inspection_default
        match default-inspection-traffic
        !
        !
        policy-map global_policy
        class inspection_default
        inspect dns maximum-length 512
        inspect ftp
        inspect h323 h225
        inspect h323 ras
        inspect rsh
        inspect rtsp
        inspect esmtp
        inspect sqlnet
        inspect skinny
        inspect sunrpc
        inspect xdmcp
        inspect sip
        inspect netbios
        inspect tftp
        !
        service-policy global_policy global
        Cryptochecksum:1baeea6ad602a3d0f3868eea17f9f4a1
        : end



        • #5
          Re: cisco asa 5510 vpn related problem

          any update?

          Regards,

          Vaibhav



          • #6
            Re: cisco asa 5510 vpn related problem

            Sorry, I should be back in the office on Weds to have a look at this unless anyone else can in the mean time.
            cheers
            Andy

            Quis custodiet ipsos custodes?



            • #7
              Re: cisco asa 5510 vpn related problem

              I don't know anything about ASAs; however, you might have a look at this one:
              http://www.cisco.com/en/US/products/...805734ae.shtml
              Marcel
              Technical Consultant
              Netherlands
              http://www.phetios.com
              http://blog.nessus.nl

              MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
              "No matter how secure, there is always the human factor."

              "Enjoy life today, tomorrow may never come."
              "If you're going through hell, keep going. ~Winston Churchill"



              • #8
                Re: cisco asa 5510 vpn related problem

                I'm not sure as to the benefit of this:
                nat (inside) 0 0.0.0.0 0.0.0.0

                and I haven't seen this with the word outside on the end?
                nat (inside) 0 access-list inside_nat0_inbound outside
                we have (in comparison)
                nat (inside) 0 access-list inside_nat0_inbound

                You could also add:
                group-policy arihant attributes
                dns-server value "IP ADDRESS OF DNS SERVER"
                vpn-idle-timeout 30
                default-domain value "DOMAIN NAME.LOCAL"
                cheers
                Andy

                Quis custodiet ipsos custodes?

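                An added example, not code from the thread: a small Python script that runs the config review points from #3 and #8 over a constructed excerpt of the "sh run" posted in #4 (VPN pool vs. the nat 0 exemption ACL, the trailing "outside" keyword, the catch-all nat 0, the group-policy attributes Andy suggests), plus one extra check on the inside/outside security levels that nobody in the thread raised. The function name audit and the SAMPLE_CONFIG excerpt are assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the "sh run" posted in #4: only the lines these checks read.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 0
access-list inside_nat0_inbound extended permit ip any 192.168.50.0 255.255.255.192
ip local pool vpn_pool 192.168.50.1-192.168.50.50 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_inbound outside
nat (inside) 11 192.168.0.0 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0
group-policy arihant attributes
 vpn-tunnel-protocol IPSec
"""

def audit(config):
    """Return findings for the points raised in the thread, plus a security-level check."""
    grep = lambda pat: re.findall(pat, config, re.M)
    findings = []
    # nat 0 exemption: both ends of the VPN pool range must sit in a network the ACL permits.
    acl_nets = {}
    for name, net, mask in grep(r"^\s*access-list (\S+) extended permit ip any (\S+) (\S+)"):
        acl_nets.setdefault(name, []).append(ipaddress.ip_network(f"{net}/{mask}"))
    for pool, first, last in grep(r"^\s*ip local pool (\S+) (\S+)-(\S+) mask"):
        ends = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        for acl, kw in grep(r"^\s*nat \(\S+\) 0 access-list (\S+)( outside)?[ \t]*$"):
            if not all(any(a in n for n in acl_nets.get(acl, [])) for a in ends):
                findings.append(f"pool {pool} is not covered by nat 0 ACL {acl}")
            if kw:  # the trailing 'outside' keyword Andy asks about in #8
                findings.append(f"'outside' keyword on nat 0 access-list {acl}")
    for ifc in grep(r"^\s*nat \((\S+)\) 0 0\.0\.0\.0 0\.0\.0\.0[ \t]*$"):
        findings.append(f"catch-all identity NAT: nat ({ifc}) 0 0.0.0.0 0.0.0.0")
    # Not raised in the thread: inside at the same security-level as outside means the
    # ASA treats both sides as equally trusted (the usual inside value is 100).
    levels = {i: int(l) for i, l in grep(r"^[ \t]*nameif (\S+)[ \t]*\n[ \t]*security-level (\d+)")}
    if "inside" in levels and levels["inside"] == levels.get("outside"):
        findings.append(f"inside and outside both at security-level {levels['inside']}")
    # Attributes Andy suggests in #8; scans the rest of the config (fine for one group-policy).
    for gp in grep(r"^\s*group-policy (\S+) attributes"):
        rest = config.split(f"group-policy {gp} attributes", 1)[1]
        for attr in ("dns-server value", "default-domain value", "vpn-idle-timeout"):
            if attr not in rest:
                findings.append(f"group-policy {gp}: no '{attr}' set")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the two nat lines Andy questions, the shared security-level 0, and the three missing group-policy attributes; it does not flag pool coverage, since 192.168.50.1-50 lies inside the ACL's 192.168.50.0/26.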


                • #9
                  Re: cisco asa 5510 vpn related problem

                  Thanks,
                  no, no translation errors are hitting, but no luck for access. The log says:

                  teardown icmp/udp/tcp connection for faddr 192.168.50.1/24 gaddr 192.168.0.230 laddr 192.168.0.230(vpnuser)

                  any suggestions?

                  thanks in advance
