[c-nsp] ASA 8.4 VPN config help

Tue Nov 27 17:16:58 EST 2012

I'm trying to configure a remote office and have run into a roadblock that
I'm hoping someone will be able to help with. I have configured a few
remote VPNs using ASA's in the past but always on pre 8.3 code without any
issues...so I'm sure its just something minor that I'm missing.

The setup is fairly basic, I'm trying to setup a p2p vpn between our main
office(pix firewalls) and remote office(asa5510 pair). Hosts will connect
from the main office to the remote site for pop3 and smtp access.

I currently have the remote office up and am able to use the ipsec vpn
client to connect and access the internal network on the remote side. Once
I add the peer config and bring up the p2p vpn by connecting to the smtp
server on the remote side via the vpn it works just fine, however, I loose
my ability to use the ipsec client. The ipsec client connects just fine,
but I am unable to access any of the resources I was able to prior to
bringing up the peer. If I remove the cryptomap set peer statement bringing
down the p2p vpn, the ipsec client starts working again. The main office
site has a few other connections like this and they work just fine, its
just my one site with 8.4 code running that is causing trouble...I think it
might have to do with my identity nat statement but after fiddling for a
few hours a second set of eyes would be helpful.

10.1.0.0/16 is at the main office where as 10.2.0.0/16 is at the remote
side.

Here is trimmed configuration that is running on the remote side.
ASA Version 8.4(3)12
!
hostname edge-vpn
domain-name remote.test.com
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 65.x.x.4 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.254.4 255.255.255.0
!
interface Ethernet0/2
 description STATE Failover Interface
!
interface Ethernet0/3
 description LAN Failover Interface
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 no ip address
 management-only
!
boot system disk0:/asa843-12-k8.bin
ftp mode passive
same-security-traffic permit intra-interface
object network remote-clients
 subnet 192.168.1.0 255.255.255.0
object network local-resources
 subnet 10.2.0.0 255.255.0.0
access-list acl_vpn_tunnel standard permit 10.2.0.0 255.255.0.0
access-list l2l_ros extended permit tcp host 10.2.0.24 eq pop3 host
10.1.40.17
access-list l2l_ros extended permit tcp host 10.2.0.24 eq smtp host
10.1.40.17
pager lines 24
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool ip_vpn_admin 192.168.1.0-192.168.1.15
nat (inside,outside) source static remote-clients remote-clients
destination static local-resources local-resources no-proxy-arp
route outside 0.0.0.0 0.0.0.0 65.x.x.1 1
route inside 10.2.0.0 255.255.0.0 10.2.254.1 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
service resetoutside
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set l2lvpn esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set ikev1 transform-set myset
crypto map mymap 25 match address l2l_ros
crypto map mymap 25 set peer 60.y.y.233
crypto map mymap 25 set ikev1 transform-set l2lvpn
crypto map mymap 25 set nat-t-disable
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
crypto ikev1 policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 3600
crypto ikev1 policy 70
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
group-policy vpn_admin internal
group-policy vpn_admin attributes
 dns-server value 10.1.40.17
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_vpn_tunnel
 default-domain value remote.test.com
username user1 password ****** encrypted
username user1 attributes
 group-lock value Ops
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 10
tunnel-group 60.y.y.233 type ipsec-l2l
tunnel-group 60.y.y.233 ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group Ops type remote-access
tunnel-group Ops general-attributes
 address-pool ip_vpn_admin
 default-group-policy vpn_admin
 authorization-required
tunnel-group Ops ipsec-attributes
 ikev1 trust-point remote.test.trustpoint
 isakmp keepalive threshold 60 retry 10

Thank you in advance for any pointers.
Jeff