Hi,
I am having trouble with my VPNs. I have them set up and I can connect fine. Everything is to be tunneled (including Internet traffic). I am using Cisco VPN Client on a Win XP SP2 machine to a Cisco ASA 5510. When I connect, it hits the RADIUS server fine (Windows IAS on a Windows 2003 server) and authenticates. Once I am connected, I can get anywhere in the corporate LAN via IP address, but not any other way. If I want to get to the path \\servername\files\IT I have to type in \\10.10.10.10\files\IT. And the tunnel is supposed to support Internet traffic, and yet no Internet traffic is coming through either.
Also, in the Cisco VPN Client Log I am getting:

1 11:28:14.062 11/08/06 Sev=Warning/2 CVPND/0xA3400011 Error -14 sending packet. Dst Addr: 0xFFFFFFFF, Src Addr: NICs MAC (DRVIFACE:1199).

In the Cisco VPN Client Statistics I also see, under Route Details -> Secured Routes: Network 0.0.0.0, Subnet Mask 0.0.0.0, and that's it. Is that normal?

Also, how do I know what group-policy is being applied to my VPN users?

Here are some show commands from the ASA followed by the running config. These are edited, of course.
ASA# sh crypto ipsec sa
interface: outside
    Crypto map tag: RemoteVPNDynmap, seq num: 10, local addr: ASA PUBLIC IP

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.1/255.255.255.255/0/0)
      current_peer: 76.212.75.13, username: kholleran
      dynamic allocated peer ip: 192.168.10.1

      #pkts encaps: 480, #pkts encrypt: 480, #pkts digest: 480
      #pkts decaps: 559, #pkts decrypt: 559, #pkts verify: 559
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 480, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: ASA PUBLIC IP/PORT, remote crypto endpt.: 76.212.75.13/61509
      path mtu 1500, ipsec overhead 68, media mtu 1500
      current outbound spi: 7425EFE0

    inbound esp sas:
      spi: 0x6072CF2F (1618136879)
         transform: esp-3des esp-sha-hmac
         in use settings ={RA, Tunnel, UDP-Encaps, }
         slot: 0, conn_id: 2, crypto-map: RemoteVPNDynmap
         sa timing: remaining key lifetime (sec): 28716
         IV size: 8 bytes
         replay detection support: Y

ASA# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 76.212.75.13
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

ASA# sh run
ASA Version 7.0(5)
!
hostname ASA
domain-name DOMAIN
enable password MsKIE8kJNDmkdKIi encrypted
names
dns-guard
!
interface Ethernet0/0
 description INside interface. NAT to private IPs
 nameif inside
 security-level 100
 ip address ASA PRIVATE IP
!
interface Ethernet0/1
 description Outside Interface.
 nameif outside
 security-level 0
 ip address ASA PUBLIC IP
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address
 management-only
!
passwd SisLvDjB/rijelPS encrypted
banner exec # You are logging into a corporate device. Unauthorized access is prohibited.
banner motd # "We are what we repeatedly do. Excellence, then, is not an act, but a habit." - Aristotle #
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns name-server DNS SERVER INTERNAL IP
object-group service NecessaryServices tcp
 port-object eq echo
 port-object eq www
 port-object eq domain
 port-object eq ssh
 port-object eq smtp
 port-object eq ftp-data
 port-object eq pop3
 port-object eq aol
 port-object eq ftp
 port-object eq https
object-group service UDPServices udp
 port-object eq nameserver
 port-object eq www
 port-object eq isakmp
 port-object eq domain
object-group service TCP-UDPServices tcp-udp
 port-object eq echo
 port-object eq www
 port-object eq domain
ACLs - Nothing is wrong here
access-list 110 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging list ASALog level notifications
logging monitor notifications
logging trap notifications
logging asdm informational
logging device-id hostname
logging host inside SYSLOG SERVER
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool vpnclient 192.168.10.1-192.168.10.254
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm505.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 2 interface
nat (inside) 0 access-list 110
nat (inside) 2 192.168.0.0 255.255.0.0
static (inside,outside) MAIL SERVER
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ISP GATEWAY 1
!
router ospf 1
 NETWORK COMMANDS area 0
 log-adj-changes
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpn protocol radius
aaa-server vpn host IAS SERVER
 key *
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port PORT
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy vpnUsers internal
group-policy vpnUsers attributes
 banner value You are remotely accessing a corporate network. Any unauthorized use is strictly prohibited.
 dns-server value DNS SERVER INTERNAL IP
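The client log entry in the post reports a failed send to Dst Addr 0xFFFFFFFF, which is 255.255.255.255, the limited broadcast address; broadcasts do not cross an IPsec remote-access tunnel, so with tunnelall a client can only resolve names through the dns-server, wins-server and default-domain attributes of the group-policy its session actually receives, and a named policy inherits whatever it does not set from DfltGrpPolicy. The following Python script is an added example, not code from the post: it parses the group-policy blocks out of a saved running config and reports those effective settings per policy; the sample config is constructed from the attributes shown above, with 10.10.10.10 standing in for the redacted DNS SERVER INTERNAL IP.

```python
import re

# Constructed sample modeled on the group-policy blocks in the post;
# 10.10.10.10 is a placeholder for the poster's redacted DNS server.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 wins-server none
 dns-server none
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
group-policy vpnUsers internal
group-policy vpnUsers attributes
 banner value You are remotely accessing a corporate network.
 dns-server value 10.10.10.10
"""

# Attributes that decide whether a tunnel-all client can resolve names at all.
NAME_RES_KEYS = ("split-tunnel-policy", "dns-server", "wins-server", "default-domain")

def parse_group_policies(config):
    """Return {policy: {attribute: value}} for each 'group-policy X attributes' block.
    Indented lines belong to the open block; the next non-indented line closes it."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^group-policy (\S+) attributes\s*$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif not line.startswith(" "):
            current = None
        elif current is not None:
            key, _, value = line.strip().partition(" ")
            # "dns-server value 10.10.10.10" -> "10.10.10.10"; "wins-server none" -> "none"
            current[key] = value[6:] if value.startswith("value ") else value
    return policies

def effective(policies, name, key):
    """Resolve an attribute the way the ASA does: a named policy inherits anything
    it does not set from DfltGrpPolicy (unset everywhere is reported as 'none')."""
    if key in policies.get(name, {}):
        return policies[name][key]
    return policies.get("DfltGrpPolicy", {}).get(key, "none")

def name_resolution_report(policies, name):
    """Effective name-resolution settings for one policy, plus each reason a
    tunnel-all client on it would be left reaching hosts by IP address only."""
    settings = {k: effective(policies, name, k) for k in NAME_RES_KEYS}
    problems = []
    if settings["split-tunnel-policy"] == "tunnelall" and \
            settings["dns-server"] == "none" and settings["wins-server"] == "none":
        problems.append("tunnelall but no DNS or WINS server is pushed to the client")
    if settings["wins-server"] == "none":
        problems.append("no WINS server: NetBIOS lookups fall back to broadcast, which does not cross the tunnel")
    if settings["default-domain"] == "none":
        problems.append("no default-domain: the tunnel pushes no DNS suffix for short host names")
    return settings, problems
```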