
ASA Config Trouble


  • ASA Config Trouble

    Hi Folks

    I'm having trouble configuring an ASA device. I have created the VPN connection and can connect to it via the Cisco VPN client, but cannot access anything (ping any device on the internal network, or even the internal interface on the router). Is this a NAT issue or an ACL issue? Could you please advise?

    hostname myasa
    enable password ************ encrypted
    passwd ************* encrypted
    interface GigabitEthernet0/0
     nameif Outside
     security-level 0
     ip address A.A.A.A 
    interface GigabitEthernet0/1
     nameif Inside
     security-level 99
     ip address 
    interface GigabitEthernet0/2
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet0/3
     no nameif
     no security-level
     no ip address
    interface Management0/0
     nameif management
     security-level 100
     ip address 
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service DM_INLINE_SERVICE_1
     service-object icmp 
     service-object icmp6 
     service-object icmp echo
     service-object icmp echo-reply
     service-object icmp information-reply
     service-object icmp information-request
     service-object icmp mask-reply
     service-object icmp mask-request
     service-object tcp eq domain 
     service-object tcp eq talk 
     service-object icmp traceroute
     service-object icmp unreachable
    access-list vpntunnel extended permit udp any any 
    access-list vpntunnel extended permit tcp any any 
    access-list vpntunnel extended permit object-group DM_INLINE_SERVICE_1 any any 
    access-list KVPNtunnel_splitTunnelAcl standard permit 
    pager lines 24
    logging enable
    logging asdm informational
    mtu Outside 1500
    mtu Inside 1500
    mtu management 1500
    ip local pool insideAddresses mask
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any Outside
    icmp permit any Inside
    asdm image disk0:/asdm-615.bin
    no asdm history enable
    arp timeout 14400
    global (Outside) 101 interface
    nat (Outside) 101
    nat (management) 101
    route Inside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
     network-acl vpntunnel
    http server enable
    http management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map Outside_map interface Outside
    crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map Inside_map interface Inside
    crypto isakmp enable Outside
    crypto isakmp enable Inside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     hash md5
     group 7
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    vpn-addr-assign local reuse-delay 5
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address management
    dhcpd domain interface management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy userstunnelpolicy internal
    group-policy userstunnelpolicy attributes
     vpn-filter value vpntunnel
     vpn-tunnel-protocol IPSec l2tp-ipsec 
     group-lock value userstunnel
     vlan none
     client-firewall none
    group-policy KVPNtunnel internal
    group-policy KVPNtunnel attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec 
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value KVPNtunnel_splitTunnelAcl
     default-domain value
     client-access-rule none
    username dave password jiBIAG0I6a0MnQGj encrypted privilege 0
    username dave attributes
     vpn-group-policy KVPNtunnel
    tunnel-group userstunnel type remote-access
    tunnel-group userstunnel general-attributes
     address-pool insideAddresses
    tunnel-group userstunnel ipsec-attributes
     pre-shared-key *
    tunnel-group userstunnel ppp-attributes
     authentication pap
     authentication ms-chap-v2
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     message-length maximum 512
    policy-map global_policy
     class inspection_default
     inspect dns preset_dns_map 
     inspect ftp 
     inspect h323 h225 
     inspect h323 ras 
     inspect rsh 
     inspect rtsp 
     inspect esmtp 
     inspect sqlnet 
     inspect skinny  
     inspect sunrpc 
     inspect xdmcp 
     inspect sip  
     inspect netbios 
     inspect tftp 
    service-policy global_policy global
    prompt hostname context 
    : end
    Last edited by uncle_gimoah; 30th April 2009, 00:34.

  • #2
    Re: ASA Config Trouble


    There doesn't appear to be a nat 0 there.

    Might be worth having a quick look through this?

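Post #2's point in the pre-8.3 `global`/`nat` syntax the posted config uses. This is an added example and not part of the original thread; the inside LAN (192.168.1.0/24) and the VPN client pool (10.10.10.0/24) are assumed because both the Inside interface address and the `ip local pool insideAddresses` range are blank in the post. The object-group name and ACL name are also this example's own choices.

```cisco
! Added example, not from the original post. Assumed addresses:
!   Inside LAN       192.168.1.0/24   (Inside "ip address" is blank in the post)
!   VPN client pool  10.10.10.0/24    ("ip local pool insideAddresses" range is blank)
!
! The posted config has only this pair, which translates Outside-sourced hosts
! when they leave through the Outside interface again:
!   global (Outside) 101 interface
!   nat (Outside) 101 ...
! There is no identity rule for traffic between the inside LAN and the VPN
! pool, which is what "no nat 0" in post #2 refers to.

object-group network VPN_POOL
 network-object 10.10.10.0 255.255.255.0

! NAT exemption (identity NAT): inside LAN <-> VPN clients is never translated.
! A "nat 0 access-list" rule is bidirectional, so it covers both the
! decrypted pool->LAN packets and the LAN->pool replies.
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group VPN_POOL
nat (Inside) 0 access-list Inside_nat0_outbound

! Checks after applying (run from the ASA CLI):
!   show nat
!       the nat 0 rule should be listed and its hit count should rise on a ping
!   show logging | include 305005
!       "No translation group found" entries for pool<->LAN traffic should stop
!   packet-tracer input Inside icmp 192.168.1.10 8 0 10.10.10.5 detailed
!       the NAT phase should match the exemption rule and the result should be ALLOW
```

The exemption only removes the translation problem; reachability still depends on the group policy actually applied to the connecting user (the `vpn-filter value vpntunnel` in the post sits on `userstunnelpolicy`, while user `dave` is assigned `KVPNtunnel`) and on the split-tunnel ACL, which is blank in the post.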


    • #3
      Re: ASA Config Trouble

      NAT appears to be working OK. On connection to the VPN on the outside interface, I am getting an IP address from the internal pool, but can still not communicate with the inside interface or beyond.

      What I am looking for is that all traffic on the VPN can go out the inside interface.

      Thanks, Andy
      Last edited by uncle_gimoah; 8th May 2009, 11:39.