Cisco ASA Problems
    Hi all,

    I have been having major headaches with my Cisco ASA.

    Everything seemed fine and working at first; however, 2 days into the go-live of the ASA, I had a few particular clients from the same site having difficulty accessing the remote server using Cisco client 4.6. They can connect to the VPN and are assigned a VPN address from the access; however, they can't seem to connect to the remote server.

    The strange thing is that other clients from the same tunnel-group have no problems whatsoever in connecting to that remote server.

    After a few tries at troubleshooting the problem, it seemed that they could get a connection after powering off and on the modem on their end.

    They figured it would be a modem problem and tried swapping the modem but still the problem persisted.

    When I check the logs in the ASDM, I do see them successfully connecting to the VPN.

    What could be the probable cause? This problem only started with the introduction of the Cisco ASA.

    Things I have done:
    - I tested their account on my end with the same client and I had no problems whatsoever.
    - Checked that my ACL allowed access.

    Questions:
    - Is there some issue with the Cisco VPN client 4.6 with ASA 8.0?
    - Is it an ISP issue on their end?
    - What should I look out for to troubleshoot this?
    - Is there something wrong with my ACLs? (But how could this cause a 'once in a while' denial in accessing the remote server?)

    I noticed the users having problems accessing the remote server come from the same address pool, called retail; that's the only clue I've got so far. But I don't understand why the problem is an intermittent one.

    My ASA has the unlimited VPN user license as well.
    Another thing is that I can't seem to get logging from the ASA to my syslog server working; attached is the code.

    I have verified that syslog is running on the server and it worked fine when the PIX was still in use.

    Here is a sample of my config file.
    ASA Version 8.0(2)
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    dns server-group DefaultDNS
     domain-name ciscoasa.com
    object-group protocol TCPUDP
     protocol-object udp
     protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
     protocol-object udp
     protocol-object tcp
    access-list acl_out extended permit tcp any host X.X.113.108 eq https
    access-list acl_out extended permit tcp any host X.X.113.107 eq 13013
    access-list acl_out extended permit tcp any host X.X.113.107 eq smtp
    access-list acl_out extended permit tcp any host X.X.113.109 eq 9090
    access-list acl_out extended permit tcp host X.X.146.94 host X.X.113.109 eq ftp
    access-list acl_out extended permit tcp host X.X.146.94 host X.X.113.109 eq ssh
    access-list acl_out extended permit tcp any any eq www
    access-list acl_out extended permit tcp any host X.X.64.217 eq www
    access-list acl_out extended permit tcp any host X.X.64.218 eq www
    access-list vpnuserin extended permit tcp 10.0.0.0 255.0.0.0 host X.X.2.50 eq www -- This is the ACL permitting access to the web app Java server
    access-list vpn_no_nat extended permit ip host X.X.1.80 host 192.168.120.20
    access-list vpn_no_nat extended permit ip host X.X.1.88 10.0.1.0 255.255.255.0
    access-list vpn_no_nat extended permit ip host X.X.1.82 10.0.1.0 255.255.255.0
    access-list vpn_no_nat extended permit ip host X.X.1.80 host 172.16.88.66
    access-list vpn_no_nat_inside extended permit ip X.X.2.0 255.255.255.0 10.0.0.0 255.255.255.0
    access-list vpn_no_nat_inside extended permit ip host X.X.2.50 160.48.12.0 255.255.255.0
    access-list vpn_no_nat_inside extended permit ip host X.X.2.70 10.0.3.0 255.255.255.248
    access-list vpn_no_nat_inside extended permit ip host X.X.2.48 10.0.4.0 255.255.255.0
    access-list vpn_no_nat_inside extended permit ip host X.X.2.50 192.168.1.0 255.255.255.0
    access-list vpn_no_nat_inside extended permit ip host X.X.2.50 10.0.0.0 255.255.255.224
    access-list vpn_ops extended permit tcp 10.0.3.0 255.255.255.248 host X.X.2.70 eq ssh
    access-list vpnuat extended permit tcp 10.0.4.0 255.255.255.0 host X.X.2.48 eq www
    access-list vpnuat extended permit tcp 10.0.4.0 255.255.255.0 host X.X.2.48 eq ssh
    access-list vpnuat extended permit tcp 10.0.4.0 255.255.255.0 host X.X.2.48 eq 9090
    access-list toShop extended permit ip host X.X.2.50 192.168.1.0 255.255.255.0
    access-list toShop extended permit tcp 192.168.1.0 255.255.255.0 host X.X.2.50 eq www
    access-list outside_1_cryptomap extended permit ip host X.X.2.50 192.168.1.0 255.255.255.0
    access-list DMZ_access_in extended permit object-group DM_INLINE_PROTOCOL_1 X.X.113.104 255.255.255.248 X.X.1.0 255.255.255.0
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    ip local pool partners 10.0.0.21-10.0.0.50
    ip local pool office 10.0.0.2-10.0.0.20
    ip local pool demo_pool 10.0.1.1-10.0.1.14
    ip local pool ops 10.0.3.1-10.0.3.6
    ip local pool retail 10.0.0.100-10.0.0.255
    ip local pool uat_pool 10.0.4.1-10.0.4.20
    ip local pool shop 10.0.0.51-10.0.0.69
    failover
    failover lan unit primary
    failover lan interface failover Ethernet0/3
    failover replication http
    failover link failover Ethernet0/3
    failover interface ip failover X.X.3.1 255.255.255.252 standby X.X.3.2
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-602.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (DMZ) 1 X.X.1.101-X.X.1.125
    nat (inside) 0 access-list vpn_no_nat_inside
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (DMZ) 0 access-list vpn_no_nat
    nat (DMZ) 1 0.0.0.0 0.0.0.0
    static (DMZ,outside) tcp X.X.64.218 www X.X.1.28 www netmask 255.255.255.255
    static (DMZ,inside) tcp X.X.64.218 www X.X.1.28 www netmask 255.255.255.255
    static (DMZ,outside) tcp X.X.113.107 13013 X.X.1.88 13013 netmask 255.255.255.255
    static (DMZ,inside) tcp X.X.113.107 13013 X.X.1.88 13013 netmask 255.255.255.255
    static (DMZ,outside) tcp X.X.113.107 https X.X.1.88 https netmask 255.255.255.255
    static (DMZ,inside) tcp X.X.113.107 https X.X.1.88 https netmask 255.255.255.255
    access-group acl_out in interface outside
    access-group DMZ_access_in in interface DMZ
    route outside 0.0.0.0 0.0.0.0 X.X.113.105 1
    route DMZ X.X.1.0 255.255.255.0 X.X.1.1 1
    route outside X.X.113.104 255.255.255.248 X.X.113.106 1
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server RADIUS protocol radius
    aaa-server RADIUS host X.X.2.48
     timeout 5
     key mang0
    aaa authentication ssh console LOCAL
    http server enable
    http X.X.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    service resetoutside
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set toShop esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer X.X.146.94
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 8
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh X.X.2.0 255.255.255.0 inside
    ssh timeout 5
    console timeout 0
    tunnel-group office_team type remote-access
    tunnel-group office_team general-attributes
     address-pool office
     authentication-server-group RADIUS
    tunnel-group office_team ipsec-attributes
     pre-shared-key XXXX
    tunnel-group retail_team type remote-access
    tunnel-group retail_team general-attributes
     address-pool retail
     authentication-server-group RADIUS
    tunnel-group retail_team ipsec-attributes
     pre-shared-key XXXX
    tunnel-group partners_team type remote-access
    tunnel-group partners_team general-attributes
     address-pool partners
     authentication-server-group RADIUS
    tunnel-group partners_team ipsec-attributes
     pre-shared-key XXXX
    tunnel-group demo_team type remote-access
    tunnel-group demo_team general-attributes
     address-pool office
     authentication-server-group RADIUS
    tunnel-group demo_team ipsec-attributes
     pre-shared-key XXXX
    tunnel-group a_users type remote-access
    tunnel-group a_users general-attributes
     address-pool retail
     authentication-server-group RADIUS
    tunnel-group a_users ipsec-attributes
     pre-shared-key XXXX
    tunnel-group uat_team type remote-access
    tunnel-group uat_team general-attributes
     address-pool uat_pool
     authentication-server-group RADIUS
    tunnel-group uat_team ipsec-attributes
     pre-shared-key XXXX
    tunnel-group ops_team type remote-access
    tunnel-group ops_team general-attributes
     address-pool ops
     authentication-server-group RADIUS
    tunnel-group ops_team ipsec-attributes
     pre-shared-key XXXX
    tunnel-group shop_team type remote-access
    tunnel-group shop_team general-attributes
     address-pool shop
     authentication-server-group RADIUS
    tunnel-group shop_team ipsec-attributes
     pre-shared-key XXXX
    tunnel-group X.X.146.94 type ipsec-l2l
    tunnel-group X.X.146.94 ipsec-attributes
     pre-shared-key ****
    prompt hostname context

    Sorry for the long post! Would really appreciate help!

    Cheers
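Added example (not part of the post above, nor Cisco code): a small checker for the kind of ACL question the poster raises. For every `ip local pool` in the pasted config it lists the `nat (iface) 0 access-list` exemption entries whose destination fully contains the pool, i.e. which inside/DMZ sources reach that pool without being NATed. The config excerpt is copied from the post; the redacted `X.X.` sources are kept as opaque strings, and the ACE parser assumes `permit` entries with `host A`, `any` or `A MASK` addresses and an `ip`, `tcp`, `udp` or `object-group NAME` protocol field.

```python
import ipaddress
# Excerpt of the ASA 8.0(2) configuration pasted in the post (only the lines this check reads).
CONFIG = """\
access-list vpn_no_nat extended permit ip host X.X.1.88 10.0.1.0 255.255.255.0
access-list vpn_no_nat_inside extended permit ip X.X.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list vpn_no_nat_inside extended permit ip host X.X.2.70 10.0.3.0 255.255.255.248
access-list vpn_no_nat_inside extended permit ip host X.X.2.48 10.0.4.0 255.255.255.0
access-list vpn_no_nat_inside extended permit ip host X.X.2.50 10.0.0.0 255.255.255.224
ip local pool partners 10.0.0.21-10.0.0.50
ip local pool office 10.0.0.2-10.0.0.20
ip local pool demo_pool 10.0.1.1-10.0.1.14
ip local pool ops 10.0.3.1-10.0.3.6
ip local pool retail 10.0.0.100-10.0.0.255
ip local pool uat_pool 10.0.4.1-10.0.4.20
ip local pool shop 10.0.0.51-10.0.0.69
nat (inside) 0 access-list vpn_no_nat_inside
nat (DMZ) 0 access-list vpn_no_nat
"""

def _addr(tok, i):
    """Consume one ACE address spec (host A | any | A MASK); return (text, next index)."""
    if tok[i] == "host":
        return tok[i + 1] + "/32", i + 2
    if tok[i] == "any":
        return "0.0.0.0/0", i + 1
    return tok[i] + "/" + tok[i + 1], i + 2

def parse(config):
    """Return ({pool: (first, last)}, {acl: [(src_text, dst_network)]}, {iface: exempt_acl})."""
    pools, aces, nat0 = {}, {}, {}
    for tok in (line.split() for line in config.splitlines()):
        if tok[:3] == ["ip", "local", "pool"]:
            pools[tok[3]] = tuple(int(ipaddress.ip_address(a)) for a in tok[4].split("-"))
        elif tok[:1] == ["access-list"] and "permit" in tok:
            i = tok.index("permit") + 1
            i += 2 if tok[i] == "object-group" else 1   # protocol is 'ip'/'tcp' or 'object-group NAME'
            src, i = _addr(tok, i)
            dst, _ = _addr(tok, i)                      # anything after dst ('eq www') is ignored
            aces.setdefault(tok[1], []).append((src, ipaddress.ip_network(dst, strict=False)))
        elif tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
            nat0[tok[1].strip("()")] = tok[4]           # '(inside)' -> 'inside'
    return pools, aces, nat0

def pool_coverage(config=CONFIG):
    """Map each pool to the (iface, src, dst) exemption entries whose dst fully contains the pool."""
    pools, aces, nat0 = parse(config)
    return {name: [(iface, src, str(net)) for iface, acl in nat0.items()
                   for src, net in aces.get(acl, [])
                   if int(net.network_address) <= lo and hi <= int(net.broadcast_address)]
            for name, (lo, hi) in pools.items()}
```

A pool whose list is empty is reached only through the `nat ... 1` translation on that interface, which is the first thing to compare against the pool the affected users are drawing from.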