vpn stopped working on ASA 5510

This is the famous: "I only pressed *that* button! *Not* *that* button".

I've searched high and low including browsing through the last 8000+ posts in this group but haven't found anything which gave me a clue of what causes my vpn to stop working. :-( I know I should provide the configuration (and I will this Monday) but I hope somebody may provide me with a clue of what events triggered my vpn to stop working.

The employee before me configured the following internet set up:

(internet) -> (ASA 5510) 172.18.1.x -> (network)

The internet router is a standard (Danish) internet router which performs PAT, DHCP, ... The ASA 5510 is set up to "the same way", i.e., it also performs PAT, DHCP, ..., i.e., the functionality of the ISP router is ignored! And the provider claims that we haven't ever asked them to set their router in bridge-mode, i.e., passing the tcp/ip directly to our Cisco box.

Then one day some yerk dug a hole without consulting the maps and lo & behold he cut a fiber and we (and the rest of the people on an island) went offline! Fortunately we have a WiMax (wireless) so I set out to use that instead and after changing the following settings through the GUI:

  1. the static ip-address & netmask of the ASA to match the WiMax 2. the default route to match the WiMax (deleted and created a new one) 3. the DNS entries in the DHCP settings

everything(*) worked like a charm and we got back to work!

*) The vpn from the outside didn't work of course because our ip-address changed because we changed provider but that should work again when we restored the original connection - yeah right!

The next day the original line was back up and I (as far as I know) restored the values in the ASA - but it didn't work and I fiddled - don't

*do* that - with all the settings and finally consulted the documentation and suddenly after 15 minutes the packets started flowing through!?!

What happened? Well I don't know but everything seemed to work - except the vpn! :-(

When I look into the log it complains about "deny ip spoof from" (or was it every time I try to connect through vpn.

What has been changed/removed without my knowledge when I changed/removed/created the values to connect the WiMax and later to restore the original connection?

Andrew Engels Rump

Reply to
Andrew Engels Rump (formerly L
Loading thread data ...


Could somebody please help me solve this problem? Thanks

I demand that Andrew Engels Rump (formerly Leif Andrew Rump) on Fri, 25 Jul 2008 20:45:10 +0000 may or may not have written:

Now with the configuration and full (correct) explanation below

When I look at the log when I try to connect via vpn I get the following errors:

Deny IP spoof from (x.x.x.x) to on interface outside

Below is my configuration (I have compared it with and old configuration and cannot spot the difference which will get vpn back in working order):

ASA Version 8.0(2) ! hostname asa5510 domain-name xxx enable password xxx encrypted names ! interface Ethernet0/0 nameif outside security-level 0 ip address ospf cost 10 ! interface Ethernet0/1 nameif testnet security-level 50 ip address ospf cost 10 ! interface Ethernet0/2 nameif appliances security-level 90 ip address ospf cost 10 ! interface Ethernet0/3 nameif inside security-level 100 ip address ospf cost 10 ! interface Management0/0 shutdown no nameif no security-level no ip address ! passwd xxx encrypted ftp mode passive clock timezone CEST 1 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 dns server-group DefaultDNS domain-name xxx same-security-traffic permit inter-interface same-security-traffic permit intra-interface object-group network DM_INLINE_NETWORK_1 network-object host object-group network DM_INLINE_NETWORK_2 network-object host access-list inside_access_in extended permit ip any any access-list nonat extended permit ip access-list nonat extended permit ip access-list outside_access_in extended permit tcp object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2 eq ssh access-list outside_access_in_1 extended permit icmp any echo-reply inactive access-list testnte extended permit ip access-list testnte extended permit ip pager lines 24 logging enable logging buffered informational logging asdm informational logging from-address xxx logging recipient-address xxx level errors mtu outside 1500 mtu testnet 1500 mtu appliances 1500 mtu inside 1500 ip local pool vpn-pool mask icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-602.bin no asdm history enable arp timeout 14400 global (outside) 1 interface global (testnet) 1 interface nat (outside) 1 nat (testnet) 1 nat (appliances) 1 nat (inside) 0 access-list nonat nat (inside) 1 static (testnet,outside) netmask access-group outside_access_in_1 in interface outside access-group inside_access_in in interface inside route outside 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute dynamic-access-policy-record DfltAccessPolicy aaa authentication ssh console LOCAL http server enable http outside http outside http outside http inside http inside http outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP- AES-256-SHA ESP-AES-256-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map outside_map interface outside crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 crypto isakmp policy 65535 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 no crypto isakmp nat-traversal crypto isakmp ipsec-over-tcp port 10000 no vpn-addr-assign aaa no vpn-addr-assign dhcp telnet timeout 5 ssh outside ssh outside ssh outside ssh outside ssh outside ssh inside ssh inside ssh timeout 30 console timeout 0 management-access inside dhcpd address inside dhcpd dns interface inside dhcpd lease 28800 interface inside dhcpd domain xxx interface inside dhcpd enable inside ! threat-detection basic-threat threat-detection statistics ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp inspect icmp ! service-policy global_policy global ntp server source outside prefer group-policy yyy internal group-policy yyy attributes dns-server value vpn-tunnel-protocol IPSec l2tp-ipsec default-domain value xxx tunnel-group yyy type remote-access tunnel-group yyy general-attributes address-pool vpn-pool default-group-policy yyy tunnel-group yyy ipsec-attributes pre-shared-key * prompt hostname context Cryptochecksum:xxx : end

Andrew Engels Rump

Reply to
Andrew Engels Rump

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.