asa 5505 + l2l vpn + cisco client vpn

Hi,

I'm trying to replace a PIX 506 [working OK] with an ASA 5505. But just after swapping them, some of the VPN links don't work. I can't ping sites. Cisco VPN client access doesn't work either. I was following a few Cisco manuals but I can't figure out what is missing in my config. Could you please have a look at my config? Maybe it's something obvious - I hope so. Many thanks.

: Saved
: Written by enable_15 at 01:48:02.989 UTC Tue Jan 13 2009
!
ASA Version 8.0(4)
!
hostname pb
domain-name zzzzzzz
enable password zzzzzzzzzzzzzz encrypted
passwd zzzzzzzzzzzz encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address zzzzzzzzzzzzz 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name zzzzzz
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.19.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.64 255.255.255.224
access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list outside_30_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_40_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
access-list outside_50_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list outside_60_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list outside_70_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list outside_access_in extended permit tcp any host zzzzzzzzzzz eq smtp
access-list outside_access_in extended permit tcp any host zzzzzzzzzzz eq https
access-list outside_80_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.19.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ciscoClientPool 192.168.1.80-192.168.1.89
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) zzzzzzzzzzzz 192.168.1.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 zzzzzzzzzzzzzz 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server vpn protocol radius
aaa-server vpn (inside) host 192.168.1.9
 key zzzzzzzzzz
url-server (inside) vendor websense host 192.168.1.7 timeout 30 protocol TCP version 4 connections 5
url-cache src_dst 128
filter url http 192.168.1.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ciscoClientSet esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set ciscoClientSet
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer zzzzzzzzzzzzz
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer zzzzzzzzzzzzzz
crypto map outside_map 30 set transform-set ESP-DES-MD5
crypto map outside_map 30 set security-association lifetime seconds 28800
crypto map outside_map 30 set security-association lifetime kilobytes 4608000
crypto map outside_map 40 match address outside_40_cryptomap
crypto map outside_map 40 set peer zzzzzzzzzzzzzz
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 40 set security-association lifetime seconds 28800
crypto map outside_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 50 match address outside_50_cryptomap
crypto map outside_map 50 set peer zzzzzzzzzzzz
crypto map outside_map 50 set transform-set ESP-DES-MD5
crypto map outside_map 50 set security-association lifetime seconds 28800
crypto map outside_map 50 set security-association lifetime kilobytes 4608000
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer zzzzzzzzzzzzzzzz
crypto map outside_map 60 set transform-set ESP-DES-MD5
crypto map outside_map 60 set security-association lifetime seconds 28800
crypto map outside_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map 70 match address outside_70_cryptomap
crypto map outside_map 70 set peer zzzzzzzzzzzz
crypto map outside_map 70 set transform-set ESP-DES-MD5
crypto map outside_map 70 set security-association lifetime seconds 28800
crypto map outside_map 70 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto map outsite_map 80 match address outside_80_cryptomap
crypto map outsite_map 80 set peer zzzzzzzzzzzz
crypto map outsite_map 80 set transform-set ESP-DES-MD5
crypto map outsite_map 80 set security-association lifetime seconds 28800
crypto map outsite_map 80 set security-association lifetime kilobytes 4608000
crypto map mymap 10 set security-association lifetime seconds 28800
crypto map mymap 10 set security-association lifetime kilobytes 4608000
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy client internal
group-policy client attributes
 dns-server value 192.168.1.3
 default-domain value zzzzzzzzzz
username ciscoClient password zzzzzzzzzzzzz encrypted
tunnel-group zzzzzzzzzz type ipsec-l2l
tunnel-group zzzzzzzzzzzz ipsec-attributes
 pre-shared-key zzzzzzzz
tunnel-group zzzzzzzzzzz type ipsec-l2l
tunnel-group zzzzzzzzzzz ipsec-attributes
 pre-shared-key zzzzzzzzzzz
tunnel-group zzzzzzzzzzz type ipsec-l2l
tunnel-group zzzzzzzzzz ipsec-attributes
 pre-shared-key zzzzzzzzz
tunnel-group zzzzzzzzzzz type ipsec-l2l
tunnel-group zzzzzzzzzzz ipsec-attributes
 pre-shared-key zzzzzzzzz
tunnel-group zzzzzzzzzz type ipsec-l2l
tunnel-group zzzzzzzzzzz ipsec-attributes
 pre-shared-key zzzzzzzzz
tunnel-group zzzzzzzzzzzzz type ipsec-l2l
tunnel-group zzzzzzzzzzzzz ipsec-attributes
 pre-shared-key zzzzzzzzzzzz
tunnel-group zzzzzzzzzzzzz type ipsec-l2l
tunnel-group zzzzzzzzzzzzz ipsec-attributes
 pre-shared-key zzzzzzzzzzz
tunnel-group client type remote-access
tunnel-group client general-attributes
 address-pool ciscoClientPool
 authentication-server-group vpn
 default-group-policy client
tunnel-group client ipsec-attributes
 pre-shared-key zzzzzzzzzz
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:63c0936e6ca2805b829700b219116f5e
: end

lesniak81
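A consistency check a reviewer could run over a configuration like the one posted above, as an added example that is not part of the original post: it lists crypto map entries whose map name is never applied to an interface (the posted config binds `outside_map` but defines entry 80 under `outsite_map`, and `mymap` holds only lifetime settings) or that lack a peer, match ACL or transform set. The sample text is a constructed excerpt with placeholder peer addresses, and `audit_crypto_maps` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample: shortened excerpt in the shape of the posted config;
# the peer addresses are placeholders from the documentation range.
SAMPLE = """\
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map 70 match address outside_70_cryptomap
crypto map outside_map 70 set peer 192.0.2.70
crypto map outside_map 70 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
crypto map outsite_map 80 match address outside_80_cryptomap
crypto map outsite_map 80 set peer 192.0.2.80
crypto map outsite_map 80 set transform-set ESP-DES-MD5
crypto map mymap 10 set security-association lifetime seconds 28800
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
REQUIRED = {"match address", "set peer", "set transform-set"}
DYNAMIC = "ipsec-isakmp dynamic"


def audit_crypto_maps(config):
    """Return findings about crypto map entries that cannot carry traffic."""
    entries = defaultdict(set)  # (map name, sequence) -> setting kinds seen
    bound = set()               # map names applied to an interface
    for line in config.splitlines():
        line = line.strip()
        if m := BIND.match(line):
            bound.add(m.group(1))
        elif m := ENTRY.match(line):
            name, seq, rest = m.groups()
            seen = entries[(name, int(seq))]  # registers lifetime-only entries too
            seen.update(k for k in REQUIRED | {DYNAMIC} if rest.startswith(k))
    findings = []
    for (name, seq), kinds in sorted(entries.items()):
        if name not in bound:
            findings.append(f"{name} {seq}: map is not applied to any interface")
        if DYNAMIC in kinds:
            continue  # peer and transform set come from the dynamic-map
        missing = REQUIRED - kinds
        if missing:
            findings.append(f"{name} {seq}: missing {', '.join(sorted(missing))}")
    return findings


if __name__ == "__main__":
    for finding in audit_crypto_maps(SAMPLE):
        print(finding)
```

An ASA interface takes a single crypto map, so entries filed under any other map name are never evaluated for traffic on that interface.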