
Cisco ASA 5505 config issue (VPN)

Discussion in 'Internet, Connectivity and Communications' started by tomshawk, Jul 8, 2013.

  1. tomshawk

    tomshawk Byte Poster
    Hey guys,

    Long time no talk.

    I picked up a new client at the end of the week.

    Their network works fine now. There were many issues with servers, workstations, etc., and they are taken care of.

    My issue, or rather what the client wants, is this: they have 2 locations, they already own a couple of Cisco ASA 5505s and their internet works, but they want to VPN their 2 offices. If I can get the 2 working, they will want to set up all of their locations (5 of them).

    I'm going to post the current configs of the 2 they want connected for now.
    If any of you could assist me with what I am missing, that'd be outstanding.

    I'll post one config here and the second config in a second post.

    Code:
    Main#  sh run
    : Saved
    :
    ASA Version 7.2(4)
    !
    hostname Main
    domain-name default.domain.invalid
    enable password "password" encrypted
    passwd "Password" encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address xxx.xxx.xxx.xxx 255.255.0.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group ATT
     ip address pppoe setroute
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
     speed 100
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns server-group DefaultDNS
     domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list inside_nat0_outbound extended permit ip any xxx.xxx.xxx.xxx 255.255.0.0
    access-list fe_1341_splitTunnelAcl standard permit any
    access-list inside_access_in extended permit ip xxx.xxx.xxx.xxx 255.255.0.0 any
    access-list inside_access_in extended permit ip any any inactive
    access-list outside_access_in extended permit ip xxx.xxx.xxx.xxx 255.255.0.0 any inactive
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNpool xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx mask 255.255.0.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal  20
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    vpdn group ATT request dialout pppoe
    vpdn group ATT localname bccooling1341@att.net
    vpdn group ATT ppp authentication pap
    vpdn username User@ATT.net password ********* store-local
    dhcpd auto_config outside
    !
    dhcpd address xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx inside
    dhcpd dns 68.94.156.1 68.94.157.1 interface inside
    dhcpd enable inside
    !
    
    vpnclient mode network-extension-mode
    vpnclient nem-st-autoconnect
    group-policy fe_1341 internal
    group-policy fe_1341 attributes
     dns-server value 68.94.156.1 68.94.157.1
     vpn-idle-timeout none
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelall
     split-tunnel-network-list none
    
    username user1 password "Password" encrypted privilege 15
    username user2 password "Password" encrypted
    tunnel-group fe_morrow type ipsec-ra
    tunnel-group fe_morrow general-attributes
     address-pool VPNpool
    tunnel-group fe_morrow ipsec-attributes
     pre-shared-key *
    tunnel-group fe_1341 type ipsec-ra
    tunnel-group fe_1341 general-attributes
     address-pool VPNpool
    tunnel-group fe_1341 ipsec-attributes
     pre-shared-key *
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map glob
    policy-map gl
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:"Password"
    : end
    Main#
    
    I appreciate any help you guys can provide.

    Thank you

    - - - Updated - - -

    Code:
    ASA Version 7.2(4)
    !
    hostname Satelite1
    domain-name default.domain.invalid
    enable password "Password" encrypted
    passwd "Password" encrypted
    names
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address xxx.xxx.xxx.xxx 255.255.0.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     pppoe client vpdn group ATT
     ip address xxx.xxx.xxx.xxx 255.255.255.255 pppoe setroute
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
     name-server 68.94.156.1
     name-server 68.94.157.1
     domain-name default.domain.invalid
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    access-list fe_KingCity_split_TunnelAcl standard permit xxx.xxx.xxx.xxx 255.255.0.0
    access-list inside_nat0_outbound extended permit ip xxx.xxx.xxx.xxx 255.255.0.0 xxx.xxx.xxx.xxx 255.255.255.0
    access-list inside_nat0_outbound extended permit ip xxx.xxx.xxx.xxx 255.255.0.0 xxx.xxx.xxx.xxx 255.255.255.0
    access-list inside_nat0_outbound extended permit ip xxx.xxx.xxx.xxx 255.255.0.0 xxx.xxx.xxx.xxx 255.255.255.0
    access-list outside_access_in extended permit ip any any
    access-list inside_access_in extended permit ip any any
    access-list fe_KingCity_NO_splitTunelAcl standard permit any
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPNpool xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 inside
    http xxx.xxx.xxx.xxx 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal  20
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    management-access outside
    vpdn group ATT request dialout pppoe
    vpdn group ATT localname user@att.net
    vpdn group ATT ppp authentication pap
    vpdn username user@att.net password ********* store-local
    dhcpd address xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx inside
    dhcpd dns xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx interface inside
    dhcpd enable inside
    !
    
    group-policy ww_KingCity internal
    group-policy ww_KingCity attributes
     dns-server value 68.94.156.1 68.94.157.1
     vpn-idle-timeout none
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value fe_KingCity_split_TunnelAcl
    group-policy rs_KingCity internal
    group-policy rs_KingCity attributes
     dns-server value 68.94.156.1 68.94.157.1
     vpn-idle-timeout none
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value fe_KingCity_split_TunnelAcl
    group-policy fe_KingCity internal
    group-policy fe_KingCity attributes
     dns-server value 68.94.156.1 68.94.157.1
     vpn-idle-timeout none
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value fe_KingCity_split_TunnelAcl
    group-policy mcc_KingCity internal
    group-policy mcc_KingCity attributes
     dns-server value 68.94.156.1 68.94.157.1
     vpn-idle-timeout none
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value fe_KingCity_split_TunnelAcl
    username user password "Password" encrypted privilege 15
    username user2 password "Password" encrypted
     vpn-group-policy mcc_KingCity
    tunnel-group fe_KingCity type ipsec-ra
    tunnel-group fe_KingCity general-attributes
     address-pool VPNpool
     authorization-server-group LOCAL
     default-group-policy fe_KingCity
    tunnel-group fe_KingCity ipsec-attributes
     pre-shared-key *
    tunnel-group rs_KingCity type ipsec-ra
    tunnel-group rs_KingCity general-attributes
     address-pool VPNpool
     default-group-policy fe_KingCity
    tunnel-group rs_KingCity ipsec-attributes
     pre-shared-key *
    tunnel-group mcc_KingCity type ipsec-ra
    tunnel-group mcc_KingCity general-attributes
     address-pool VPNpool
     default-group-policy fe_KingCity
    tunnel-group mcc_KingCity ipsec-attributes
     pre-shared-key *
    !
    !
    prompt hostname context
    Cryptochecksum:"Password"
    : end
    
    - - - Updated - - -

    Obviously I left IPs, etc. out.

    If you need them to assist further, let me know and I will PM them to you.

    Again, thank you very much.
     
    Certifications: MCSE/NT4, MCP/2K3, MCP+I, CCNA, Net+, A+
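    Added example (editor's note, not part of the original post or Cisco documentation): both posted configs only contain remote-access pieces (dynamic crypto maps and `ipsec-ra` tunnel-groups), so neither box has anything that describes a LAN-to-LAN tunnel. What a site-to-site tunnel on ASA 7.2 needs on each side is an ACL for the interesting traffic, a NAT exemption for the same traffic, a static `crypto map` entry pointing at the peer, and an `ipsec-l2l` tunnel-group named after the peer's outside IP. All addresses below are constructed placeholders (Main LAN 10.1.0.0/16, Satelite1 LAN 10.2.0.0/16, outside IPs 198.51.100.1 and 203.0.113.1); the ACL names are assumed, and `outside_map` and `ESP-3DES-SHA` are the names already in the posted configs.

    ```cisco
    ! ===== Main side (constructed: LAN 10.1.0.0/16, outside 198.51.100.1, peer 203.0.113.1) =====
    ! Interesting traffic: Main LAN <-> Satelite1 LAN (ACL name assumed)
    access-list MAIN_TO_SAT1 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    ! NAT exemption: the existing nat (inside) 0 already references inside_nat0_outbound,
    ! so this line keeps tunnelled packets from being PAT'd to the outside address
    access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    ! Static crypto map entry; sequence 10 sorts before the existing dynamic entry at 65535,
    ! which must stay last (the dynamic entry is only a catch-all for remote-access clients)
    crypto map outside_map 10 match address MAIN_TO_SAT1
    crypto map outside_map 10 set peer 203.0.113.1
    crypto map outside_map 10 set transform-set ESP-3DES-SHA
    ! "crypto map outside_map interface outside" and "crypto isakmp enable outside" are already present
    ! LAN-to-LAN tunnel group: with a pre-shared key the group name must be the peer's IP
    tunnel-group 203.0.113.1 type ipsec-l2l
    tunnel-group 203.0.113.1 ipsec-attributes
     pre-shared-key REPLACE_WITH_SHARED_SECRET

    ! ===== Satelite1 side (constructed: LAN 10.2.0.0/16, outside 203.0.113.1, peer 198.51.100.1) =====
    ! Mirror image of the Main side: source and destination swap, the secret stays identical
    access-list SAT1_TO_MAIN extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
    crypto map outside_map 10 match address SAT1_TO_MAIN
    crypto map outside_map 10 set peer 198.51.100.1
    crypto map outside_map 10 set transform-set ESP-3DES-SHA
    tunnel-group 198.51.100.1 type ipsec-l2l
    tunnel-group 198.51.100.1 ipsec-attributes
     pre-shared-key REPLACE_WITH_SHARED_SECRET
    ```

    Two caveats that follow from the posted configs. First, both outside interfaces get their address over PPPoE; a static `set peer` only works for a side whose public address is stable, so if one site's address changes, that site must be the one that initiates and the other side keeps answering through its existing dynamic map (the responder then takes the pre-shared key from the `DefaultL2LGroup` tunnel-group instead of a peer-named one). Second, both inside interfaces are /16 networks; the two LANs must not overlap, or the interesting-traffic ACLs above cannot tell local from remote and nothing will be routed into the tunnel. The ISAKMP policy (3DES/SHA/group 2/pre-share) is already identical on both boxes, which is what phase 1 needs.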
  2. Cunningfox

    Cunningfox Byte Poster

    Too tired/lazy to run through the configuration right now, but do the debug logs give you anything? I also assume your licences allow VPN on both ends?
     
    Certifications: CCNP, CCNA, MCP
    WIP: ??
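    Added example (editor's note, not from either poster): the checks Cunningfox is hinting at, in the order they are usually run on an ASA 7.2. The peer address 203.0.113.1 is a constructed placeholder for the other site's outside IP.

    ```cisco
    ! Licence check: Base vs Security Plus on a 5505 differ in the allowed number of VPN peers
    ! and 3DES/AES must show as Enabled, otherwise the 3DES transform-set in both configs cannot come up
    show version | include VPN
    ! Phase 1: is there an ISAKMP SA with the peer at all? An empty table means the peers never
    ! agreed on an IKE policy or the packets never arrived (UDP 500 / 4500 on outside)
    show crypto isakmp sa
    ! Phase 2: IPsec SAs for that peer, plus the encaps/decaps counters that prove traffic flows
    show crypto ipsec sa peer 203.0.113.1
    ! Negotiation trace; 127 is a high verbosity level, so enable it only for the test,
    ! generate interesting traffic from a LAN host, then switch debugging off again
    debug crypto isakmp 127
    debug crypto ipsec 127
    ! ... send traffic from a host on one LAN to a host on the other LAN ...
    no debug all
    ! The parts of the running config that matter for the tunnel, without the rest of "sh run"
    show running-config crypto
    show running-config tunnel-group
    ```

    If `show crypto isakmp sa` shows a state of `MM_ACTIVE` but `show crypto ipsec sa` shows no SAs or zero encaps, the usual cause is a mismatch between the two sides' interesting-traffic ACLs or a missing NAT exemption, so compare those lines before touching the IKE policy.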
  3. tomshawk

    tomshawk Byte Poster

    Hey Cunningfox,

    Sorry for the very late reply.
    I have been swamped with other work as of late.
    Luckily this client is patient; they have not had this working in over a year.
    Anyway, I do not have access to this router remotely yet; I hope to set up an SSH username for myself soon.

    Could you enlighten me as to the command for the debug log, or
    could you go ahead and take a look at the configs when you can?

    Thank you in advance.
     
    Certifications: MCSE/NT4, MCP/2K3, MCP+I, CCNA, Net+, A+
