Remote VPN Problem

From: Joshua (joshualixin@gmail.com)
Date: Fri May 11 2007 - 02:28:05 ART

• Next message: Benjamin Hill: "Re: Remote VPN Problem"
• Previous message: cisco efiko: "Re: San Jose Site"
• Next in thread: Benjamin Hill: "Re: Remote VPN Problem"
• Maybe reply: Benjamin Hill: "Re: Remote VPN Problem"
• Maybe reply: James Saarikko: "RE: Remote VPN Problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

I am experiencing a strange Remote VPN issue. A remote job site will have 40
more users come in, current Remote VPN server (Concentrator 3005) is
overloaded. I configured a ASA 5520 7.2(2) as a temporary solutions for new
comers. I tested it fine from home and other locations, but this afternoon
when that particular site technical support tested, it did not work. From
ASA, I can see both isamap sa and ipsec sa are formed, that tech support
also authorized by internal AD. But he could not ping any internal servers,
including Active Directory. This remote location's LAN is using another
company's network. They assign a VLAN for us. I suspected that company's fw
may block that traffic, but it works fine with our concentrator. Please
help!

Here is the facts:
Remote VPN server: Cisoc ASA 5520, 7.2(2);
Remote VPN Client: VPN Client ver 4.0.3(F);
Remote location IP segment: 10.10.10.0/24
Remote VPN Client segment: 10.177.2.0/24

---------------------------------
ciscoasa# sh run
: Saved
:
ASA Version 7.2(2)
!
hostname ciscoasa
domain-name xxx.net
enable password aWd8He8T4FVPqVmP encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.11.5.10 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 ip address dhcp
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbN3dI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name ledcor.net
access-list Split_Tunnel_List standard permit 10.11.5.0 255.255.255.0
access-list Split_Tunnel_List standard permit 10.11.55.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging monitor errors
logging buffered errors
logging asdm errors
mtu outside 1500
mtu inside 1500
ip local pool ippool 10.177.2.10-10.177.2.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
route inside 10.11.55.0 255.255.255.0 10.11.5.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
0:02:00
timeout uauth 0:05:00 absolute
aaa-server AD protocol nt
aaa-server AD host 10.11.5.5
 timeout 5
 nt-auth-domain-controller 10.11.5.52
group-policy exusers internal
group-policy exusers attributes
 dns-server value 10.11.5.52
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 default-domain value ledcor.net
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 43200
tunnel-group exusers type ipsec-ra
tunnel-group exusers general-attributes
 address-pool ippool
 authentication-server-group AD
 default-group-policy exusers
tunnel-group exusers ipsec-attributes
 pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:48435319a5f115633ffc1735658d3ba1
: end
ciscoasa#
--------------------------------------------------------

• Next message: Benjamin Hill: "Re: Remote VPN Problem"
• Previous message: cisco efiko: "Re: San Jose Site"
• Next in thread: Benjamin Hill: "Re: Remote VPN Problem"
• Maybe reply: Benjamin Hill: "Re: Remote VPN Problem"
• Maybe reply: James Saarikko: "RE: Remote VPN Problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:20 ART