ASA VPN Quick hint?

Chad already helped me a lot with my initial configuration problem. Now I'm at the point of trying to configure a VPN connection.

I've run the wizard, and gotten a successful authentication to an internal user...

I've gotten it to forward the DNS request to an "Inside" network DNS server.

For some reason I can't connect to anything though. Pings don't work, name resolution doesn't work...

I just want a simple Remote Access VPN setup, so remote users can connect, get an "inside" (private) IP, and operate like they were on the network locally. Anything more sophisticated can wait.

With these symptoms, can someone tell me where to do my reading and troubleshooting? I was just hoping someone could tell me the most likely areas for where I messed up.

Group Policy?

ISAKMP?

Tunnel groups?

Ingot

Reply to
Ingot

Hey Ingot,

Are you using PPTP or IPSEC? You might want to post your config, remove any public IP info.

Reply to
Chad Mahoney

"Chad Mahoney" wrote

I'm using IPSEC.

Well, I didn't want to ask anyone to do all of THAT, I just wanted to know if someone had a hint as to where I might have misconfigured.

But... Here it is.

Ingot

--- Begin Paste ---

User Access Verification

Password:
Type help or '?' for a list of available commands.
issciscoasa> en
Password: *********
issciscoasa# sh run
: Saved
:
ASA Version 7.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.34 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd xxxxxxxxxxx encrypted
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name default.domain.invalid
access-list outside_access_in extended permit icmp any host x.x.x.34 echo-reply log
access-list outside_access_in extended permit icmp any host x.x.x.34 time-exceeded log
access-list outside_access_in_1 extended permit icmp any host x.x.x.34
access-list inside_nat0_outbound extended permit ip any 192.168.5.192 255.255.255.192
access-list outside_cryptomap extended permit ip any 192.168.5.192 255.255.255.192
access-list outside_cryptomap_1 extended permit ip any 192.168.5.192 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
global (inside) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.5.0 255.255.255.0
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy psatunnel internal
group-policy psatunnel attributes
 dns-server value 192.168.5.5 x.x.x.x
 vpn-tunnel-protocol IPSec
username Name1 password xxxxxxxxx encrypted privilege 15
username Name1 attributes
 vpn-group-policy psatunnel
username Name2 password xxxxxxx encrypted privilege 15
username Name2 attributes
 vpn-group-policy psatunnel
http server enable
http 192.168.5.0 255.255.255.0 management
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultWEBVPNGroup general-attributes
 dhcp-server 192.168.5.5
 password-management password-expire-in-days 10
tunnel-group psatunnel type ipsec-ra
tunnel-group psatunnel general-attributes
 default-group-policy psatunnel
 dhcp-server 192.168.5.5
tunnel-group psatunnel ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa
telnet 192.168.5.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.5.2-192.168.5.254 management
dhcpd enable management
!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end
issciscoasa#
Reply to
Ingot

"Chad Mahoney" wrote

Ok, more info on this...

I'm getting "No translation group found for src outside x.x.x.x/xx dst inside y.y.y.y/yy".

They're both in the IP range of my inside network.

I wouldn't have thought I NEEDED a translation group for a VPN tunnel, since the address I served to the connecting client is the same network as the internal one.

I tried applying a NAT exemption for that IP on the outside interface, with no luck.

Obviously I'm missing something key.

Ingot

Reply to
Ingot

Ingot,

What is happening here is that the IPs you are being issued when you connect are trying to perform NAT; you need to exclude the IP range you are using from NAT.

The command below is your issue:

nat (inside) 0 access-list inside_nat0_outbound

You do not have inside_nat0_outbound applied anywhere in your config; you may remove it.

I would suggest using a statement such as:

nat (inside) 0 access-list outside_cryptomap_1

Also, how are your IP addresses being assigned when the users connect? I would not have them assign an address already in use on your local LAN (192.168.5.X). I would make up a completely new subnet, 192.168.6.0, and assign addresses from that range. The reason behind this is that with the statement nat (inside) 0 access-list outside_cryptomap_1, any IP address from 192.168.5.192 - 192.168.5.254 will now lose internet connectivity because you have excluded them from the NAT process; this could be an issue.

HTH,

Chad

Reply to
Chad Mahoney
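As an added illustration (not part of the thread, and not code Chad or Ingot posted), the following Python models the check Chad is describing: an ASA 7.x "nat (inside) 0 access-list NAME" exemption is evaluated from the inside interface's point of view but applies in both directions, so a VPN client whose assigned address falls outside the exempted range is left to the ordinary nat/global rules, which is the situation behind a "No translation group found" message. The ACL lines are taken from the posted config and from Chad's 192.168.6.0 suggestion; the inside host, the VPN client addresses, and the revised ACL wording are assumptions made for the example.

```python
import ipaddress

# Added example, not from the thread: a small model of how an ASA 7.x
# "nat (inside) 0 access-list <name>" exemption decides whether a flow is
# translated. ACL lines come from the posted config; hosts are assumptions.


def _take_addr(tokens):
    """Consume one ASA address term: 'any', 'host A.B.C.D', or 'A.B.C.D M.M.M.M'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA access-lists use subnet masks, not wildcard masks
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_nat0_acl(config_lines, acl_name):
    """Collect (src_net, dst_net) pairs from 'access-list NAME extended permit ip SRC DST' lines."""
    entries = []
    for raw in config_lines:
        tok = raw.split()
        if len(tok) < 6 or tok[:2] != ["access-list", acl_name]:
            continue
        if tok[2:5] != ["extended", "permit", "ip"]:
            continue  # only plain IP permits matter for NAT exemption
        src, rest = _take_addr(tok[5:])
        dst, _ = _take_addr(rest)
        entries.append((src, dst))
    return entries


def nat_decision(entries, src_ip, dst_ip):
    """Classify a flow crossing the inside interface as 'exempt' or 'translate'.

    The exemption ACL is written with the inside host as source, but the ASA
    honours it in both directions, so the reverse pair is checked too.  A flow
    that matches no entry falls through to the nat/global rules; with
    nat-control on, an outside->inside flow that nothing translates is what
    produces "No translation group found".
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net in entries:
        if (s in src_net and d in dst_net) or (d in src_net and s in dst_net):
            return "exempt"
    return "translate"


# Exemption ACL exactly as it appears in the posted config
ORIGINAL_CONFIG = [
    "access-list inside_nat0_outbound extended permit ip any 192.168.5.192 255.255.255.192",
    "nat (inside) 0 access-list inside_nat0_outbound",
]

# Chad's suggestion carried through: a dedicated 192.168.6.0/24 VPN pool.
# The ACL wording is an assumption about how to express that exemption.
REVISED_CONFIG = [
    "access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 192.168.6.0 255.255.255.0",
    "nat (inside) 0 access-list inside_nat0_outbound",
]


def check_vpn_flows(config_lines, acl_name, inside_host, vpn_client):
    """Return the NAT decision for both directions between an inside host and a VPN client."""
    entries = parse_nat0_acl(config_lines, acl_name)
    return {
        "inside_to_vpn": nat_decision(entries, inside_host, vpn_client),
        "vpn_to_inside": nat_decision(entries, vpn_client, inside_host),
    }


if __name__ == "__main__":
    # A client that DHCP happened to hand 192.168.5.50 sits outside the /26 the
    # ACL exempts, so nothing exempts it; a client at 192.168.5.200 is covered.
    for client in ("192.168.5.50", "192.168.5.200"):
        print(client, check_vpn_flows(ORIGINAL_CONFIG, "inside_nat0_outbound", "192.168.5.5", client))
    print("192.168.6.10", check_vpn_flows(REVISED_CONFIG, "inside_nat0_outbound", "192.168.5.5", "192.168.6.10"))
```

Running it shows why an overlapping, DHCP-assigned client address is fragile: whether the client is exempt depends on which address it happened to receive, whereas a dedicated pool with its own exemption entry is exempt in both directions regardless of the address drawn.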

"Chad Mahoney" wrote:
> Ingot,

Thanks Chad...

Still having problems, but I'm getting closer, I'll keep you apprised...

Meanwhile... The powers that be here are doing the classic. No training for five years, dump a complex piece of equipment on your desk, and expect you to get it running in three days.

I'll play hell getting any money for training too.

Is there a book anyone can recommend for the ASA 5510 ?

Ingot

Reply to
Ingot

Ingot wrote:
> Thanks Chad...

Exactly how I learned as well :)

I would suggest:

formatting link

Reply to
Chad Mahoney

Try this:

static (int1,int2) <mapped_ip> <real_ip> netmask A.B.C.D

example:

static (inside,DMZ2) 172.21.4.0 172.21.4.0 netmask 255.255.255.0

Reply to
M
