ASA Config Needs some Help....

I have posted a few other times looking for some assistance with my config. It was recommended by someone (Darren -- thanks) that I post a config and see what anyone sees that I have done wrong...

What I am attempting to do with this config....this ASA is in our Main office. It will be handling remote VPN connections from about 10-15 remote users with laptops. I am currently testing this myself with the 5.0.02 client on Windows 7; all "real" users will be Windows XP with that client.

It also will be handling 2 site-to-site VPNs to our two remote offices. I currently have one of the sites up and "working". I haven't changed all the gateways and such there yet, but I can see the router in the remote location from my desktop, which is currently using the ASA as its gateway (this way I can see what works and what doesn't).

For the remote user VPN, I have it so that it will connect from my home and I can see the IKE and IPSEC tunnels go live in the ASDM when I connect, but I can't get to anything. I created a rule to allow me to supposedly get to my work desktop using Remote Desktop, but it doesn't connect.

So if you have some time and wouldn't mind, look this over and let me know how far off base I am. I hope I have given enough background on what I am trying to do.

Oh, the network structure is such that the main office is one range (192.168.16.x -- all servers, workstations, printers, routers, etc.) and the remote offices each have their own (192.168.116.x and 192.168.216.x -- the first one is the one that is currently partially active with the router that I can see).

Thank you all for any help and guidance you can offer.

Tim

Result of the command: "sh run"

: Saved
:
ASA Version 7.2(4)
!
hostname MOPS-ASA-5505
domain-name mops-ohio.local
enable password PASSWORDREMOVED encrypted
passwd PASSWORDREMOVED encrypted
names
name a.b.c.195 ASA_5505 description Firewall
name 192.168.116.0 Columbus-Net description Columbus Subnet
name 192.168.16.0 Lancaster-Net description Lancaster Subnet
name 192.168.216.0 LickingCounty-Net description Licking County Subnet
name a.b.c.194 External_Web_Mail_Server description External_Web_Mail_Server
name 192.168.18.3 Internal_Web_Mail_Server description Internal_Web_Mail_Server
name d.e.f.200 VPNUser_Tim_Home description Tim Parker - Home IP
name g.h.i.195 Router_Columbus description Cisco 871 - Columbus
name j.k.l.178 Router_LickingCounty description Cisco 871 - Licking County
name 192.168.16.95 VPNPool1
name 192.168.16.35 Tim_Work_Computer description WKSTN0020
name 192.168.16.5 MOPSSRV05 description Mail, Backup Server
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.16.9 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ASA_5505 255.255.255.248
!
interface Vlan12
 nameif dmz
 security-level 10
 ip address 192.168.18.9 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.16.3
 name-server 192.168.16.6
 domain-name mops-ohio.local
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
 protocol-object esp
 protocol-object ah
object-group network VPNRemote-Admin
 description Administrative Users
 network-object host VPNUser_Tim_Home
object-group network Router_RemoteOffices
 description Remote Offices Router for Site-to-Site VPN
 network-object host Router_Columbus
 network-object host Router_LickingCounty
object-group network VPN_Pool_IP
 network-object host VPNPool1
object-group service WindowsRemoteDesktop tcp
 port-object eq 3389
object-group network DM_INLINE_NETWORK_1
 network-object host Tim_Work_Computer
 network-object host MOPSSRV05
object-group service DM_INLINE_UDP_1 udp
 port-object eq netbios-dgm
 port-object eq netbios-ns
access-list outside_access_in extended permit object-group TCPUDP object-group Router_RemoteOffices host ASA_5505
access-list outside_access_in extended permit tcp host VPNPool1 object-group DM_INLINE_NETWORK_1 object-group WindowsRemoteDesktop
access-list outside_access_in extended deny tcp any host ASA_5505 eq telnet
access-list outside_access_in extended permit udp host VPNPool1 any object-group DM_INLINE_UDP_1
access-list outside_access_in extended permit udp host VPNPool1 any eq pim-auto-rp
access-list mops-vpn_splitTunnelAcl standard permit Lancaster-Net 255.255.255.0
access-list outside_1_cryptomap extended permit ip Lancaster-Net 255.255.255.0 Columbus-Net 255.255.255.0
access-list inside_nat0_outbound extended permit ip Lancaster-Net 255.255.255.0 Columbus-Net 255.255.255.0
access-list inside_nat0_outbound extended permit ip Lancaster-Net 255.255.255.0 LickingCounty-Net 255.255.255.0
access-list inside_nat0_outbound extended permit ip Lancaster-Net 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip Lancaster-Net 255.255.255.0 LickingCounty-Net 255.255.255.0
access-list outside_3_cryptomap extended permit ip Lancaster-Net 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip host VPNPool1 any
pager lines 24
logging enable
logging asdm informational
logging from-address myemail@someplacecom
logging recipient-address snipped-for-privacy@someplace.com level errors
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool Testing VPNPool1-192.168.16.98 mask 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
no failover
monitor-interface inside
monitor-interface outside
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound outside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 a.b.c.193 1
route outside 192.168.116.1 255.255.255.255 Router_Columbus 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server VPN_Authent protocol kerberos
aaa-server VPN_Authent (inside) host 192.168.16.3
 kerberos-realm MOPS-OHIO
aaa-server VPN_Authorz protocol ldap
aaa-server VPN_Authorz (inside) host 192.168.16.3
 ldap-base-dn ou=All MOPS Users
 ldap-scope subtree
 ldap-naming-attribute uid
 server-type microsoft
http server enable
http Lancaster-Net 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs group1
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer Router_Columbus
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer Router_LickingCounty
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer VPNUser_Tim_Home
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet Tim_Work_Computer 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.168.16.3 192.168.16.6
dhcpd wins 192.168.16.3
dhcpd domain mops-ohio.local
dhcpd auto_config outside
dhcpd option 3 ip 192.168.16.9
!
group-policy mops-vpn internal
group-policy mops-vpn attributes
 wins-server value 192.168.16.3
 dns-server value 192.168.16.3 192.168.16.6
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value mops-vpn_splitTunnelAcl
 default-domain value mops-ohio.local
 address-pools value Testing
group-policy Site2Site-Columbus internal
group-policy Site2Site-Columbus attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
username timparker password PASSWORDREMOVED encrypted privilege 15
username timparker attributes
 vpn-group-policy mops-vpn
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group g.h.i.195 type ipsec-l2l
tunnel-group g.h.i.195 general-attributes
 default-group-policy Site2Site-Columbus
tunnel-group g.h.i.195 ipsec-attributes
 pre-shared-key *
tunnel-group mops-vpn type ipsec-ra
tunnel-group mops-vpn general-attributes
 default-group-policy mops-vpn
tunnel-group mops-vpn ipsec-attributes
 pre-shared-key *
tunnel-group j.k.l.178 type ipsec-l2l
tunnel-group j.k.l.178 ipsec-attributes
 pre-shared-key *
!
!
smtp-server 192.168.16.5
prompt hostname context
Cryptochecksum:REMOVED
: end

Reply to
TimParker

I would recommend using a DHCP pool for your remote clients in a different subnet, such as 192.168.17.0/24

You are bypassing NAT with ACL inside_nat0_outbound; you need to include your remote VPN DHCP pool in this ACL.

For example,

access-list inside_nat0_outbound permit ip 192.168.17.0 255.255.255.0 192.168.16.0 255.255.255.0
Reply to
Artie Lange
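
An added example (not part of Tim's posted config or Artie's reply) of the change Artie describes, written out in ASA 7.2 syntax: a remote-access pool on its own /24, a NAT exemption entry for it, and the commands to confirm it took effect. The pool name RA-Pool, the range 192.168.17.10-192.168.17.50 and the client address 192.168.17.10 used in the verification commands are assumptions; Lancaster-Net, mops-vpn, mops-vpn_splitTunnelAcl, Testing and 192.168.16.35 come from the posted config.

```cisco
! --- Added example, assumed values; not the poster's running config ---
! 1. New pool on a subnet that does not overlap the inside interface (192.168.16.0/24).
ip local pool RA-Pool 192.168.17.10-192.168.17.50 mask 255.255.255.0
!
! 2. NAT exemption. nat (inside) 0 is evaluated inside -> outside, so the entry is
!    written inside-net as source and the pool as destination, the same shape as
!    the existing site-to-site entries already in inside_nat0_outbound.
access-list inside_nat0_outbound extended permit ip Lancaster-Net 255.255.255.0 192.168.17.0 255.255.255.0
!
! 3. Split tunnel: only traffic for the inside subnet goes through the tunnel.
!    (The remote-office subnets would need their own entries here to be reachable
!    from a VPN client; the posted config only lists Lancaster-Net.)
access-list mops-vpn_splitTunnelAcl standard permit Lancaster-Net 255.255.255.0
!
! 4. Point the remote-access group policy at the new pool, then retire the old
!    pool that overlapped the inside subnet (remove it only after no policy uses it).
group-policy mops-vpn attributes
 address-pools value RA-Pool
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value mops-vpn_splitTunnelAcl
no ip local pool Testing VPNPool1-192.168.16.98 mask 255.255.255.0
!
! 5. Verification once a client is connected (client address assumed 192.168.17.10).
!    Both the encaps and decaps counters must increase; decaps only means the
!    return path from the inside host is broken (routing or NAT).
! show crypto ipsec sa
!    Simulate the desktop's RDP reply to the client; the NAT phase should report
!    the match on nat (inside) 0 access-list inside_nat0_outbound, not a PAT xlate.
! packet-tracer input inside tcp 192.168.16.35 3389 192.168.17.10 49152
```

Two things to check after applying this. Hosts on 192.168.16.0/24 whose default gateway is not the ASA need a route for 192.168.17.0/24 via 192.168.16.9, otherwise their replies to VPN clients never reach the firewall (Tim's desktop already uses the ASA as its gateway, which is why it is the one host he can test with). The outside_access_in entries for VPNPool1 are not what lets decrypted VPN traffic in: with sysopt connection permit-vpn in effect (the 7.2 default) that traffic bypasses the outside interface ACL, so those rules can be dropped once the pool moves.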

I assume this DHCP pool I should have on the ASA? I will look at these changes today. I am home due to snow/ice, so it's a Cisco Day!

Reply to
TimParker

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.