1. Home
  2. Cisco Systems
  3. vpn stopped working on ASA 5510

vpn stopped working on ASA 5510

This is the famous: "I only pressed *that* button! *Not* *that* button".

I've searched high and low including browsing through the last 8000+ posts in this group but haven't found anything which gave me a clue of what causes my vpn to stop working. :-( I know I should provide the configuration (and I will this Monday) but I hope somebody may provide me with a clue of what events triggered my vpn to stop working.

The employee before me configured the following internet set up:

(internet) 192.168.1.1 -> 192.168.1.2 (ASA 5510) 172.18.1.x -> (network)

The internet router is a standard (Danish) internet router which performs PAT, DHCP, ... The ASA 5510 is set up to "the same way", i.e., it also performs PAT, DHCP, ..., i.e., the functionality of the ISP router is ignored! And the provider claims that we haven't ever asked them to set their router in bridge-mode, i.e., passing the tcp/ip directly to our Cisco box.

Then one day some yerk dug a hole without consulting the maps and lo & behold he cut a fiber and we (and the rest of the people on an island) went offline! Fortunately we have a WiMax (wireless) so I set out to use that instead and after changing the following settings through the GUI:

  1. the static ip-address & netmask of the ASA to match the WiMax 2. the default route to match the WiMax (deleted and created a new one) 3. the DNS entries in the DHCP settings

everything(*) worked like a charm and we got back to work!

*) The vpn from the outside didn't work of course because our ip-address changed because we changed provider but that should work again when we restored the original connection - yeah right!

The next day the original line was back up and I (as far as I know) restored the values in the ASA - but it didn't work and I fiddled - don't

*do* that - with all the settings and finally consulted the documentation and suddenly after 15 minutes the packets started flowing through!?!

What happened? Well I don't know but everything seemed to work - except the vpn! :-(

When I look into the log it complains about "deny ip spoof from

192.168.1.2" (or was it 192.168.1.1) every time I try to connect through vpn.

What has been changed/removed without my knowledge when I changed/removed/created the values to connect the WiMax and later to restore the original connection?

Andrew Engels Rump

Reply to
Andrew Engels Rump (formerly L
Loading thread data ...

Hi

Could somebody please help me solve this problem? Thanks

I demand that Andrew Engels Rump (formerly Leif Andrew Rump) on Fri, 25 Jul 2008 20:45:10 +0000 may or may not have written:

Now with the configuration and full (correct) explanation below

When I look at the log when I try to connect via vpn I get the following errors:

Deny IP spoof from (x.x.x.x) to 192.168.1.2 on interface outside

Below is my configuration (I have compared it with and old configuration and cannot spot the difference which will get vpn back in working order):

ASA Version 8.0(2) ! hostname asa5510 domain-name xxx enable password xxx encrypted names ! interface Ethernet0/0 nameif outside security-level 0 ip address 192.168.1.2 255.255.255.0 ospf cost 10 ! interface Ethernet0/1 nameif testnet security-level 50 ip address 192.168.64.254 255.255.255.0 ospf cost 10 ! interface Ethernet0/2 nameif appliances security-level 90 ip address 172.18.2.254 255.255.255.0 ospf cost 10 ! interface Ethernet0/3 nameif inside security-level 100 ip address 172.18.1.254 255.255.255.0 ospf cost 10 ! interface Management0/0 shutdown no nameif no security-level no ip address ! passwd xxx encrypted ftp mode passive clock timezone CEST 1 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 dns server-group DefaultDNS domain-name xxx same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group network DM_INLINE_NETWORK_1 network-object host 152.73.0.0 object-group network DM_INLINE_NETWORK_2 network-object host 192.168.1.2 access-list inside_access_in extended permit ip any any access-list nonat extended permit ip 172.18.1.0 255.255.255.0 172.18.2.0

255.255.255.0 access-list nonat extended permit ip 172.18.1.0 255.255.255.0 172.18.255.0 255.255.255.0 access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 eq ssh access-list outside_access_in_1 extended permit icmp any 172.18.1.0 255.255.255.0 echo-reply inactive access-list testnte extended permit ip 172.18.255.0 255.255.255.0 192.168.64.0 255.255.255.0 access-list testnte extended permit ip 192.168.64.0 255.255.255.0 172.18.255.0 255.255.255.0 pager lines 24 logging enable logging buffered informational logging asdm informational logging from-address xxx logging recipient-address xxx level errors mtu outside 1500 mtu testnet 1500 mtu appliances 1500 mtu inside 1500 ip local pool vpn-pool 172.18.255.100-172.18.255.120 mask 255.255.255.0 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-602.bin no asdm history enable arp timeout 14400 global (outside) 1 interface global (testnet) 1 interface nat (outside) 1 172.18.255.0 255.255.255.0 nat (testnet) 1 192.168.64.0 255.255.255.0 nat (appliances) 1 172.18.2.0 255.255.255.0 nat (inside) 0 access-list nonat nat (inside) 1 172.18.1.0 255.255.255.0 static (testnet,outside) 192.168.64.0 192.168.64.0 netmask 255.255.255.0 access-group outside_access_in_1 in interface outside access-group inside_access_in in interface inside route outside 0.0.0.0 0.0.0.0 192.168.1.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute dynamic-access-policy-record DfltAccessPolicy aaa authentication ssh console LOCAL http server enable http 152.73.0.0 255.255.0.0 outside http 85.81.18.165 255.255.255.255 outside http 192.168.1.0 255.255.255.0 outside http 172.18.1.0 255.255.255.0 inside http 172.18.255.0 255.255.255.0 inside http 80.251.192.0 255.255.240.0 outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP- AES-256-SHA ESP-AES-256-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 crypto isakmp policy 65535 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 no crypto isakmp nat-traversal crypto isakmp ipsec-over-tcp port 10000 no vpn-addr-assign aaa no vpn-addr-assign dhcp telnet timeout 5 ssh 192.168.1.0 255.255.255.0 outside ssh 152.73.0.0 255.255.0.0 outside ssh 172.18.255.0 255.255.255.0 outside ssh 80.251.192.0 255.255.240.0 outside ssh 85.81.18.165 255.255.255.255 outside ssh 172.18.1.0 255.255.255.0 inside ssh 172.18.255.0 255.255.255.0 inside ssh timeout 30 console timeout 0 management-access inside dhcpd address 172.18.1.50-172.18.1.100 inside dhcpd dns 89.150.129.4 89.150.129.10 interface inside dhcpd lease 28800 interface inside dhcpd domain xxx interface inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect icmp ! service-policy global_policy global ntp server 194.239.134.10 source outside prefer group-policy yyy internal group-policy yyy attributes dns-server value 89.150.129.4 89.150.129.10 vpn-tunnel-protocol IPSec l2tp-ipsec default-domain value xxx tunnel-group yyy type remote-access tunnel-group yyy general-attributes address-pool vpn-pool default-group-policy yyy tunnel-group yyy ipsec-attributes pre-shared-key * prompt hostname context Cryptochecksum:xxx : end

Andrew Engels Rump

Reply to
Andrew Engels Rump

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.