[c-nsp] ASA Remote site VPN

Amol Sapkal amolsapkal at gmail.com
Thu Jul 19 16:29:02 EDT 2007


Kris,

In the below configuration, how are you allowing the incoming traffic? (from
outside to inside/internal)

Can you share your logs from when you try to initiate access to the inside?
(output of 'show logging')


Regards,
Amol

PS: Hope the user/pass on the configs are not the actual ones!



On 7/20/07, krishna at siticable.co.ug <krishna at siticable.co.ug> wrote:
>
> Hi All,
>
> I am configuring a remote-site VPN on an ASA 5510. I am using the Cisco VPN
> client. I am able to connect the VPN successfully, but after connecting I
> cannot access the LAN on the ASA side. The config is as follows:
>
>
>
> sh run
> : Saved
> :
> ASA Version 7.0(5)
> !
> hostname ASA
> domain-name xxxx.xx
> enable password oxHHVUhvm1EJfZCj encrypted
> names
> dns-guard
> !
> interface Ethernet0/0
> nameif outside
> security-level 0
> ip address 213.177.160.50 255.255.255.252
> !
> interface Ethernet0/1
> nameif inside
> security-level 100
> ip address 192.168.0.1 255.255.255.0
> !
> interface Ethernet0/2
> nameif internal
> security-level 100
> ip address 192.168.10.1 255.255.255.0
> !
> interface Management0/0
> shutdown
> no nameif
> no security-level
> no ip address
> management-only
> !
> passwd 2KFQnbNIdI.2KYOU encrypted
> ftp mode passive
> access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.224
> access-list internal_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.224
> access-list ucom_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> mtu internal 1500
>
> ip local pool VPNPOOL 172.16.1.1-172.16.1.16 mask 255.255.255.240
> asdm image disk0:/asdm505.bin
> no asdm history enable
> arp timeout 14400
>
> global (outside) 1 interface
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 192.168.0.0 255.255.255.0
> nat (internal) 0 access-list internal_nat0_outbound
> nat (internal) 1 192.168.10.0 255.255.255.0
> route outside 0.0.0.0 0.0.0.0 213.177.160.49 1
>
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
> timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
>
> group-policy ucom internal
> group-policy ucom attributes
> dns-server value 213.177.160.1 213.177.160.2
> split-tunnel-policy tunnelspecified
> split-tunnel-network-list value ucom_splitTunnelAcl
> default-domain value xxxx.xx
> webvpn
> username telesec password mLUUBJZq1Q9OKOae encrypted privilege 15
> username gemalto password EAwYWfbDrtjzr5xI encrypted privilege 0
> username gemalto attributes
> vpn-group-policy ucom
> webvpn
> username sigvalue password CFqT082gDAsqzvn0 encrypted privilege 0
> username sigvalue attributes
> vpn-group-policy ucom
> webvpn
> http server enable
> http 192.168.10.0 255.255.255.0 internal
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
> isakmp enable outside
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash sha
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> tunnel-group ucom type ipsec-ra
> tunnel-group ucom general-attributes
> address-pool VPNPOOL
> default-group-policy ucom
> tunnel-group ucom ipsec-attributes
> pre-shared-key *
> telnet 192.168.10.0 255.255.255.0 internal
> telnet timeout 5
> ssh timeout 5
> console timeout 0
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map global_policy
> class inspection_default
> inspect dns maximum-length 512
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect rsh
> inspect rtsp
> inspect esmtp
> inspect sqlnet
> inspect skinny
> inspect sunrpc
> inspect xdmcp
> inspect sip
> inspect netbios
> inspect tftp
> !
> service-policy global_policy global
> Cryptochecksum:94fb36e22bab9ae94dcdd91dcdb9f188
> : end
>
>
> As I am new to VPN configuration on the ASA, I couldn't understand where I
> am mistaken. Has anyone else faced this problem before? Please share the
> solution.
>
> Thanks in Advance
>
> Kris.
>
>
> ----------------------------------------------------------------------
> This mail sent through Toaster-Horde (http://qmailtoaster.clikka.com/)
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>



-- 
Warm regards,

Amol Sapkal

-------------------------------------------------------------------
"When I'm not in my right mind, my left mind
gets pretty crowded"
-------------------------------------------------------------------
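Added example, not code from either poster: a small offline check written here to answer Amol's question ("how are you allowing the incoming traffic?") mechanically against the lines Kris posted. It parses the parts of an ASA 7.x `show run` that decide whether a connected client can reach the LAN (interface subnets, the client address pool, the `nat 0` exemption ACLs and the split-tunnel list) and reports which pool addresses are not exempt from NAT and which LAN subnets the client will actually route into the tunnel. The config text embedded below is copied from the thread with the mail wrapping undone; the rules it checks are the usual ASA requirements, not a diagnosis of Kris's specific fault.

```python
"""Consistency checks for an ASA 7.x remote-access VPN config (added example)."""
import ipaddress
import re

# Lines copied from the configuration posted in the thread (wrapping undone).
# Outside interface and crypto settings are not needed for these checks.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif internal
 ip address 192.168.10.1 255.255.255.0
!
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list internal_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list ucom_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
ip local pool VPNPOOL 172.16.1.1-172.16.1.16 mask 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (internal) 0 access-list internal_nat0_outbound
group-policy ucom attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ucom_splitTunnelAcl
"""


def net(addr, mask):
    """Build a network from ASA's 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Extract interfaces, ACLs, pools, nat 0 bindings and split-tunnel settings."""
    cfg = {"ifaces": {}, "ext_acls": {}, "std_acls": {}, "pools": {},
           "nat0": {}, "split_policy": None, "split_acl": None}
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None  # new interface block; wait for its nameif
        elif m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            if nameif:
                cfg["ifaces"][nameif] = net(m.group(1), m.group(2))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            cfg["ext_acls"].setdefault(m.group(1), []).append(
                (net(m.group(2), m.group(3)), net(m.group(4), m.group(5))))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
            cfg["std_acls"].setdefault(m.group(1), []).append(net(m.group(2), m.group(3)))
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            cfg["nat0"][m.group(1)] = m.group(2)
        elif m := re.match(r"split-tunnel-policy (\S+)$", line):
            cfg["split_policy"] = m.group(1)
        elif m := re.match(r"split-tunnel-network-list value (\S+)$", line):
            cfg["split_acl"] = m.group(1)
    return cfg


def nat_exempt_gaps(cfg, pool_name):
    """Per interface with a nat 0 ACL: pool addresses the ACL does NOT exempt for
    the whole interface subnet. Such addresses still hit the interface NAT, the
    classic cause of a tunnel that comes up but carries no LAN traffic."""
    first, last = cfg["pools"][pool_name]
    gaps = {}
    for iface, acl in cfg["nat0"].items():
        lan = cfg["ifaces"].get(iface)
        aces = cfg["ext_acls"].get(acl, [])
        gaps[iface] = [
            ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)
            if not any(lan is not None and lan.subnet_of(src)
                       and ipaddress.ip_address(i) in dst for src, dst in aces)]
    return gaps


def tunneled_lans(cfg):
    """Which LAN interface subnets does the client route into the tunnel?
    ASA defaults to 'tunnelall' when no split-tunnel-policy is configured."""
    policy = cfg["split_policy"] or "tunnelall"
    listed = cfg["std_acls"].get(cfg["split_acl"], [])
    result = {}
    for iface, lan in cfg["ifaces"].items():
        if policy == "tunnelall":
            result[iface] = True
        elif policy == "tunnelspecified":
            result[iface] = any(lan.subnet_of(n) for n in listed)
        else:  # excludespecified: listed networks bypass the tunnel
            result[iface] = not any(lan.overlaps(n) for n in listed)
    return result


def report(cfg, pool_name):
    """Human-readable summary of both checks."""
    lines = []
    for iface, missing in nat_exempt_gaps(cfg, pool_name).items():
        status = "ok" if not missing else f"{len(missing)} pool addresses not exempt"
        lines.append(f"nat 0 on {iface}: {status}")
    for iface, ok in tunneled_lans(cfg).items():
        lines.append(f"{iface} {cfg['ifaces'][iface]}: {'tunneled' if ok else 'NOT tunneled'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_config(SAMPLE_CONFIG), "VPNPOOL")))
```

Run against the posted config it shows the pool fully NAT-exempt on both interfaces and only 192.168.10.0/24 (internal) in the split-tunnel list, so a client's packets for 192.168.0.0/24 (inside) never enter the tunnel under `tunnelspecified`. That is a reading of the config as posted, not a statement about what Kris was testing; `show logging` and `show crypto ipsec sa` counters on the ASA are still what settle it.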

