Trouble with remote access vpn on 5505

I'm having trouble setting up a remote access vpn on my ASA 5505. Right now, we're using a windows pptp vpn and remote desktop to connect to office machines from home, and it works fine (so I know my firewalls aren't an issue). I want to migrate to a Cisco vpn so I can retire the MS vpn server, which is quite old.

I can get the cisco vpn client 5.05 to connect from windows, and the open-source vpnc client from Debian Linux, but in both cases, even though the client is fully connected, I cannot see or do anything on the office network. No pings, Remote Desktop times out, etc. These both work with the MS vpn. I suspect a routing issue, but it's also possible that there may be ACL issues. Here is my current attempt in the 5505, which gives me a client connect, but no data flow.

Suggestions for cleaning up or improving the config are also welcome.

A few notes about the config:

The series of 10.96.96.* addresses in the config are a way of making a lan-to-lan vpn with a customer whose network addresses overlap with our internal addresses. It looks funky, but it works and I don't dare touch it.

Also, note the vpn ip pool: ip local pool CiscoVpnPool 172.17.47.96-172.17.47.127 mask 255.255.255.240

I have tried putting the pool in a separate subnet with the same non-working result: ip local pool CiscoVpnPool 172.31.1.1-172.31.1.254 mask 255.255.255.255

I know the word wrap will make things tough to decipher, but here's what I have:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name
enable password encrypted
passwd encrypted
names
name 192.168.3.3 web-ftp-email_server description in-house web, ftp, e-mail server
name 172.17.47.6 realtime-osp-server description RealTime OSP data collection server
name 172.17.47.50 vpn-server description internal VPN server
name 172.17.47.71 websira-server description WebSIRA server
name 172.17.47.90 exchange-server description internal Exchange server
name 192.168.3.4 wraenviro-email description Second IP address on web-ftp-email_server
name 12.129.242.22 WorldOfWarcraft description WOW website
name 172.17.47.80 XAMPP-server description XAMPP server
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.17.47.49 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan3
 nameif DMZ
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan10
 description Connected to 's Juniper VPN appliance
 nameif
 security-level 50
 ip address 10.96.96.20 255.255.255.0
!
interface Vlan20
 nameif Monitoring
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 20
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name
same-security-traffic permit inter-interface
object-group service E-MAIL_SERVICES tcp
 port-object eq pop3
 port-object eq smtp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service WOW tcp
 description World of Warcraft ports
 port-object eq 3724
 port-object eq 6112
access-list outside_access_in remark RealTime OSP data for
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 1024
access-list outside_access_in remark RealTime OSP for
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 55003
access-list outside_access_in remark VPN server
access-list outside_access_in extended permit gre any 192.168.2.0 255.255.255.0
access-list outside_access_in remark VPN server
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq pptp
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 object-group E-MAIL_SERVICES
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list outside_access_in remark WebSIRA -
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 81
access-list outside_access_in remark WebSIRA -
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8085
access-list outside_access_in remark WebSIRA -
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8081
access-list outside_access_in remark Exchange OWA
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 1443
access-list outside_access_in remark Exchange OWA
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8088
access-list outside_access_in remark RealTime OSP for
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 55005
access-list outside_access_in remark XAMPP server
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8090
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8021
access-list outside_access_in extended deny tcp any any object-group WOW
access-list DMZ_access_in extended permit tcp host web-ftp-email_server 172.17.47.0 255.255.255.0 eq smtp
access-list DMZ_access_in extended permit tcp host wraenviro-email 172.17.47.0 255.255.255.0 eq smtp
access-list DMZ_access_in extended permit tcp host web-ftp-email_server 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in extended permit tcp host wraenviro-email 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in extended permit udp host web-ftp-email_server 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in extended permit udp host wraenviro-email 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in remark Deny all from DMZ to inside, part of allowing outside-world browsing from DMZ
access-list DMZ_access_in extended deny ip 192.168.3.0 255.255.255.0 172.17.47.0 255.255.255.0
access-list DMZ_access_in remark Allow all traffic from DMZ to outside, allows browsing from DMZ
access-list DMZ_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list _access_in extended permit ip any any
access-list outside_access_out extended deny tcp any any object-group WOW
access-list outside_access_out extended deny ip any host WorldOfWarcraft
access-list outside_access_out extended permit ip any any
access-list WraUsers_splitTunnelAcl standard permit 172.17.47.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.47.0 255.255.255.0 172.31.1.0 255.255.255.0
pager lines 24
logging trap warnings
logging asdm informational
logging host inside 172.17.47.94
logging debug-trace
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu 1500
mtu Monitoring 1500
ip local pool CiscoVpnPool 172.17.47.96-172.17.47.127 mask 255.255.255.240
no failover
monitor-interface inside
monitor-interface outside
monitor-interface DMZ
monitor-interface
monitor-interface Monitoring
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any DMZ
icmp permit any
icmp permit any Monitoring
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (DMZ) 1 0.0.0.0 0.0.0.0 dns
static (DMZ,outside) tcp interface ftp web-ftp-email_server ftp netmask 255.255.255.255 dns
static (DMZ,outside) tcp interface www web-ftp-email_server www netmask 255.255.255.255 dns
static (DMZ,outside) tcp interface smtp web-ftp-email_server smtp netmask 255.255.255.255 dns
static (DMZ,outside) tcp interface pop3 web-ftp-email_server pop3 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 1024 realtime-osp-server 1024 netmask 255.255.255.255
static (inside,outside) tcp interface 55003 realtime-osp-server 55003 netmask 255.255.255.255
static (DMZ,outside) tcp interface https web-ftp-email_server https netmask 255.255.255.255 dns
static (inside,outside) tcp interface 55005 realtime-osp-server 55005 netmask 255.255.255.255
static (inside,outside) tcp interface pptp vpn-server pptp netmask 255.255.255.255
static (inside,outside) tcp interface 81 XAMPP-server 81 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8085 XAMPP-server 8085 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8081 XAMPP-server 8081 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 1443 exchange-server 1443 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8088 exchange-server 8088 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8090 XAMPP-server 8090 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8021 XAMPP-server ftp netmask 255.255.255.255
static (DMZ,) 10.96.96.3 web-ftp-email_server netmask 255.255.255.255
static (inside,DMZ) 172.17.47.0 172.17.47.0 netmask 255.255.255.0
static (inside,) 10.96.96.16 172.17.47.16 netmask 255.255.255.240
static (inside,) 10.96.96.32 172.17.47.32 netmask 255.255.255.224
static (inside,) 10.96.96.64 172.17.47.64 netmask 255.255.255.192
static (inside,) 10.96.96.128 172.17.47.128 netmask 255.255.255.128
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group DMZ_access_in in interface DMZ
access-group _access_in in interface
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route 172.16.0.0 255.255.0.0 10.96.96.1 1
route 172.19.0.0 255.255.0.0 10.96.96.1 1
route 172.20.0.0 255.255.0.0 10.96.96.1 1
route 172.18.0.0 255.255.0.0 10.96.96.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.17.47.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 172.17.47.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
ntp server 172.17.47.1 source inside prefer
group-policy WraUsers internal
group-policy WraUsers attributes
 wins-server value 172.17.47.90 172.17.47.1
 dns-server value 172.17.47.90 172.17.47.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WraUsers_splitTunnelAcl
 default-domain value
 address-pools value CiscoVpnPool
username davek password encrypted privilege 15
tunnel-group WraUsers type ipsec-ra
tunnel-group WraUsers general-attributes
 address-pool CiscoVpnPool
 default-group-policy WraUsers
tunnel-group WraUsers ipsec-attributes
 pre-shared-key *
 peer-id-validate cert
tunnel-group WraUsers ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group-map default-group WraUsers
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e721e22b08ee2878d6f15ecd592c870
: end

Reply to
David Kerber

Got it going. I was missing the settings to turn off NAT for my vpn clients. Here's what I ended up with; I'm still open to suggestions for cleaning it up or improving it:

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name
enable password encrypted
passwd encrypted
names
name 192.168.3.3 web-ftp-email_server description WRA in-house web, ftp, e-mail server
name 172.17.47.6 realtime-osp-server description RealTime OSP data collection server
name 172.17.47.50 vpn-server description WRA internal VPN server
name 172.17.47.71 websira-server description WebSIRA server
name 172.17.47.90 exchange-server description WRA internal Exchange server
name 192.168.3.4 email description Second IP address on web-ftp-email_server
name 12.129.242.22 WorldOfWarcraft description WOW website
name 172.17.47.80 XAMPP-server description XAMPP server
name 172.31.1.0 CiscoVPNpool
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.17.47.49 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.2.2 255.255.255.0
!
interface Vlan3
 nameif DMZ
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan10
 description Connected to 's Juniper VPN appliance
 nameif
 security-level 50
 ip address 10.96.96.20 255.255.255.0
!
interface Vlan20
 nameif Monitoring
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 10
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 20
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name
same-security-traffic permit inter-interface
object-group service E-MAIL_SERVICES tcp
 port-object eq pop3
 port-object eq smtp
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service WOW tcp
 description World of Warcraft ports
 port-object eq 3724
 port-object eq 6112
access-list outside_access_in remark RealTime OSP data for customer2
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 1024
access-list outside_access_in remark RealTime OSP for customer3
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 55003
access-list outside_access_in remark VPN server
access-list outside_access_in extended permit gre any 192.168.2.0 255.255.255.0
access-list outside_access_in remark VPN server
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq pptp
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 object-group E-MAIL_SERVICES
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 object-group DM_INLINE_TCP_1
access-list outside_access_in remark WebSIRA - customer4
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 81
access-list outside_access_in remark WebSIRA - customer5
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8085
access-list outside_access_in remark WebSIRA - customer6
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8081
access-list outside_access_in remark Exchange OWA
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 1443
access-list outside_access_in remark Exchange OWA
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8088
access-list outside_access_in remark RealTime OSP for customer7
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 55005
access-list outside_access_in remark XAMPP server
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8090
access-list outside_access_in extended permit tcp any 192.168.2.0 255.255.255.0 eq 8021
access-list outside_access_in extended deny tcp any any object-group WOW
access-list DMZ_access_in extended permit tcp host web-ftp-email_server 172.17.47.0 255.255.255.0 eq smtp
access-list DMZ_access_in extended permit tcp host email 172.17.47.0 255.255.255.0 eq smtp
access-list DMZ_access_in extended permit tcp host web-ftp-email_server 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in extended permit tcp host email 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in extended permit udp host web-ftp-email_server 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in extended permit udp host email 172.17.47.0 255.255.255.0 eq domain
access-list DMZ_access_in remark Deny all from DMZ to inside, part of allowing outside-world browsing from DMZ
access-list DMZ_access_in extended deny ip 192.168.3.0 255.255.255.0 172.17.47.0 255.255.255.0
access-list DMZ_access_in remark Allow all traffic from DMZ to outside, allows browsing from DMZ
access-list DMZ_access_in extended permit ip 192.168.3.0 255.255.255.0 any
access-list _access_in extended permit ip any any
access-list outside_access_out extended deny tcp any any object-group WOW
access-list outside_access_out extended deny ip any host WorldOfWarcraft
access-list outside_access_out extended permit ip any any
access-list WraUsers_splitTunnelAcl standard permit 172.17.47.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.17.47.0 255.255.255.0 CiscoVPNpool 255.255.255.0
access-list vpnclients extended permit ip 172.17.47.0 255.255.255.0 CiscoVPNpool 255.255.255.0
pager lines 24
logging trap warnings
logging asdm informational
logging host inside 172.17.47.94
logging debug-trace
logging permit-hostdown
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
mtu 1500
mtu Monitoring 1500
ip local pool CiscoVpnPool 172.31.1.1-172.31.1.254 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface DMZ
monitor-interface
monitor-interface Monitoring
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
icmp permit any DMZ
icmp permit any
icmp permit any Monitoring
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list vpnclients
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (DMZ) 1 0.0.0.0 0.0.0.0 dns
static (DMZ,outside) tcp interface ftp web-ftp-email_server ftp netmask 255.255.255.255 dns
static (DMZ,outside) tcp interface www web-ftp-email_server www netmask 255.255.255.255 dns
static (DMZ,outside) tcp interface smtp web-ftp-email_server smtp netmask 255.255.255.255 dns
static (DMZ,outside) tcp interface pop3 web-ftp-email_server pop3 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 1024 realtime-osp-server 1024 netmask 255.255.255.255
static (inside,outside) tcp interface 55003 realtime-osp-server 55003 netmask 255.255.255.255
static (DMZ,outside) tcp interface https web-ftp-email_server https netmask 255.255.255.255 dns
static (inside,outside) tcp interface 55005 realtime-osp-server 55005 netmask 255.255.255.255
static (inside,outside) tcp interface pptp vpn-server pptp netmask 255.255.255.255
static (inside,outside) tcp interface 81 XAMPP-server 81 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8085 XAMPP-server 8085 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8081 XAMPP-server 8081 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 1443 exchange-server 1443 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8088 exchange-server 8088 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8090 XAMPP-server 8090 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 8021 XAMPP-server ftp netmask 255.255.255.255
static (DMZ,) 10.96.96.3 web-ftp-email_server netmask 255.255.255.255
static (inside,DMZ) 172.17.47.0 172.17.47.0 netmask 255.255.255.0
static (inside,) 10.96.96.16 172.17.47.16 netmask 255.255.255.240
static (inside,) 10.96.96.32 172.17.47.32 netmask 255.255.255.224
static (inside,) 10.96.96.64 172.17.47.64 netmask 255.255.255.192
static (inside,) 10.96.96.128 172.17.47.128 netmask 255.255.255.128
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
access-group DMZ_access_in in interface DMZ
access-group _access_in in interface
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route 172.16.0.0 255.255.0.0 10.96.96.1 1
route 172.19.0.0 255.255.0.0 10.96.96.1 1
route 172.20.0.0 255.255.0.0 10.96.96.1 1
route 172.18.0.0 255.255.0.0 10.96.96.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 172.17.47.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 172.17.47.0 255.255.255.0 inside
telnet timeout 30
ssh timeout 5
console timeout 0
ntp server 172.17.47.1 source inside prefer
group-policy WraUsers internal
group-policy WraUsers attributes
 wins-server value 172.17.47.90 172.17.47.1
 dns-server value 172.17.47.90 172.17.47.1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WraUsers_splitTunnelAcl
 default-domain value
 address-pools value CiscoVpnPool
username davek password encrypted privilege 15
tunnel-group WraUsers type ipsec-ra
tunnel-group WraUsers general-attributes
 address-pool CiscoVpnPool
 default-group-policy WraUsers
tunnel-group WraUsers ipsec-attributes
 pre-shared-key *
 peer-id-validate cert
tunnel-group WraUsers ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group-map default-group WraUsers
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect icmp error
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:blah
: end

Reply to
David Kerber

I should have said that I got it *partially* going. Can anybody help me figure out how to get the vpn clients to be able to connect to machines on the dmz (192.168.3.3), and to the vpn?

Thanks!! D

Reply to
David Kerber
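
An added example, not part of the original posts or of any Cisco tooling: a small Python check for the condition the second post identifies, a VPN address pool with no NAT exemption on an interface that is otherwise dynamically NATed. It expects the config with one command per line, as the device prints it; the sample excerpts are constructed from commands shown in the thread, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt in the style of the thread's ASA 7.2 "sh run" output,
# one command per line, reduced to the commands relevant to NAT exemption.
SAMPLE_FIXED = """\
name 172.31.1.0 CiscoVPNpool
access-list vpnclients extended permit ip 172.17.47.0 255.255.255.0 CiscoVPNpool 255.255.255.0
ip local pool CiscoVpnPool 172.31.1.1-172.31.1.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list vpnclients
nat (inside) 1 0.0.0.0 0.0.0.0 dns
nat (DMZ) 1 0.0.0.0 0.0.0.0 dns
"""
# Same excerpt without the "nat (inside) 0" binding, mirroring the first post,
# where an exemption ACL was defined but no nat 0 statement referenced it.
SAMPLE_BROKEN = SAMPLE_FIXED.replace("nat (inside) 0 access-list vpnclients\n", "")


def parse(config):
    """Extract ACL networks, VPN pools, nat 0 bindings and dynamic-NAT interfaces."""
    names = {n: ip for ip, n in re.findall(r"^name (\S+) (\S+)", config, re.M)}

    def net(addr, mask):
        # Resolve "name" aliases, then build a network from address + netmask.
        return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)

    acls = {}
    for acl, src, smask, dst, dmask in re.findall(
            r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)",
            config, re.M):
        try:
            acls.setdefault(acl, []).append((net(src, smask), net(dst, dmask)))
        except ValueError:
            continue  # "any"/"host" forms are not handled by this check
    pools = {n: (ipaddress.ip_address(a), ipaddress.ip_address(b))
             for n, a, b in re.findall(
                 r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", config, re.M)}
    exempt = re.findall(r"^nat \(([^)]+)\) 0 access-list (\S+)", config, re.M)
    dynamic = set(re.findall(r"^nat \(([^)]+)\) [1-9]\d* ", config, re.M))
    return acls, pools, exempt, dynamic


def nat_exemption_gaps(config):
    """List (interface, pool) pairs that are NATed with no nat 0 ACL covering the pool."""
    acls, pools, exempt, dynamic = parse(config)
    gaps = []
    for iface in sorted(dynamic):
        bound = [acl for i, acl in exempt if i == iface]
        for pool, (first, last) in sorted(pools.items()):
            # Covered only if one bound ACL entry's destination holds the whole pool.
            covered = any(first in dst and last in dst
                          for acl in bound for _src, dst in acls.get(acl, []))
            if not covered:
                gaps.append((iface, pool))
    return gaps


if __name__ == "__main__":
    print("fixed :", nat_exemption_gaps(SAMPLE_FIXED))
    print("broken:", nat_exemption_gaps(SAMPLE_BROKEN))
```

For the constructed fixed excerpt the function returns only the DMZ pair: `nat (DMZ) 1` is present, as in the final config in the thread, with no `nat (DMZ) 0` entry for the pool.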
