RE: Remote VPN Problem

From: James Saarikko (James.Saariko@datalinecs.com)
Date: Fri May 11 2007 - 08:29:25 ART


I agree with Ben. I was experiencing the same issue. I was to the point of
pulling out my hair. Then I noticed I never placed the ISAKMP Nat-Traversal
statement in. Once placed in, that fixed my problems.

James

________________________________

From: nobody@groupstudy.com on behalf of Benjamin Hill
Sent: Fri 5/11/2007 1:46 AM
To: Joshua
Cc: ccielab@groupstudy.com
Subject: Re: Remote VPN Problem

Nat-traversal?

On 5/11/07, Joshua <joshualixin@gmail.com> wrote:
>
> Hi,
>
> I am experiencing a strange Remote VPN issue. A remote job site will have
> 40 more users come in, and the current Remote VPN server (Concentrator 3005)
> is overloaded. I configured an ASA 5520 7.2(2) as a temporary solution for
> newcomers. I tested it fine from home and other locations, but this afternoon
> when that particular site's technical support tested, it did not work. From
> the ASA, I can see both the isakmp sa and ipsec sa are formed, and that tech
> support was also authorized by internal AD. But he could not ping any internal
> servers, including Active Directory. This remote location's LAN is using
> another company's network. They assign a VLAN for us. I suspected that
> company's fw may block that traffic, but it works fine with our concentrator.
> Please help!
>
> Here are the facts:
> Remote VPN server: Cisco ASA 5520, 7.2(2);
> Remote VPN Client: VPN Client ver 4.0.3(F);
> Remote location IP segment: 10.10.10.0/24
> Remote VPN Client segment: 10.177.2.0/24
>
> ---------------------------------
> ciscoasa# sh run
> : Saved
> :
> ASA Version 7.2(2)
> !
> hostname ciscoasa
> domain-name xxx.net
> enable password aWd8He8T4FVPqVmP encrypted
> names
> !
> interface GigabitEthernet0/0
> nameif outside
> security-level 0
> ip address xxx.xxx.xxx.xxx 255.255.255.0
> !
> interface GigabitEthernet0/1
> speed 100
> duplex full
> nameif inside
> security-level 100
> ip address 10.11.5.10 255.255.255.0
> !
> interface GigabitEthernet0/2
> shutdown
> no nameif
> no security-level
> no ip address
> !
> interface GigabitEthernet0/3
> shutdown
> no nameif
> no security-level
> ip address dhcp
> !
> interface Management0/0
> shutdown
> no nameif
> no security-level
> no ip address
> !
> passwd 2KFQnbN3dI.2KYOU encrypted
> ftp mode passive
> dns server-group DefaultDNS
> domain-name ledcor.net
> access-list Split_Tunnel_List standard permit 10.11.5.0 255.255.255.0
> access-list Split_Tunnel_List standard permit 10.11.55.0 255.255.255.0
> pager lines 24
> logging enable
> logging timestamp
> logging monitor errors
> logging buffered errors
> logging asdm errors
> mtu outside 1500
> mtu inside 1500
> ip local pool ippool 10.177.2.10-10.177.2.100 mask 255.255.255.0
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> icmp permit any outside
> icmp permit any inside
> asdm image disk0:/asdm-522.bin
> no asdm history enable
> arp timeout 14400
> route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 1
> route inside 10.11.55.0 255.255.255.0 10.11.5.2 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server AD protocol nt
> aaa-server AD host 10.11.5.5
> timeout 5
> nt-auth-domain-controller 10.11.5.52
> group-policy exusers internal
> group-policy exusers attributes
> dns-server value 10.11.5.52
> vpn-tunnel-protocol IPSec
> split-tunnel-policy tunnelspecified
> split-tunnel-network-list value Split_Tunnel_List
> default-domain value ledcor.net
> http server enable
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto dynamic-map inside_dyn_map 20 set pfs
> crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
> crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
> crypto map inside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 1
> authentication pre-share
> encryption 3des
> hash md5
> group 2
> lifetime 43200
> tunnel-group exusers type ipsec-ra
> tunnel-group exusers general-attributes
> address-pool ippool
> authentication-server-group AD
> default-group-policy exusers
> tunnel-group exusers ipsec-attributes
> pre-shared-key *
> telnet 0.0.0.0 0.0.0.0 inside
> telnet timeout 5
> ssh 0.0.0.0 0.0.0.0 outside
> ssh 0.0.0.0 0.0.0.0 inside
> ssh timeout 5
> ssh version 2
> console timeout 0
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
> parameters
> message-length maximum 512
> policy-map global_policy
> class inspection_default
> inspect dns preset_dns_map
> inspect ftp
> inspect h323 h225
> inspect h323 ras
> inspect netbios
> inspect rsh
> inspect rtsp
> inspect skinny
> inspect esmtp
> inspect sqlnet
> inspect sunrpc
> inspect tftp
> inspect sip
> inspect xdmcp
> !
> service-policy global_policy global
> prompt hostname context
> Cryptochecksum:48435319a5f115633ffc1735658d3ba1
> : end
> ciscoasa#
> --------------------------------------------------------
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
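The thread's diagnosis (ISAKMP and IPsec SAs come up, no traffic passes, NAT-T never enabled) as an added audit script, not code from any of the posters: it parses a constructed excerpt of the crypto section from the posted ASA 7.2(2) config, flags the absent `crypto isakmp nat-traversal`, and returns the corrected lines. The keepalive value 20 is assumed here as the command's default.

```python
"""Audit a Cisco ASA running-config for a missing ISAKMP NAT-Traversal line."""
import re

# Constructed excerpt of the crypto section of the config posted in the thread.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 43200
tunnel-group exusers type ipsec-ra
"""


def audit_nat_traversal(config: str) -> list[str]:
    """Return findings; an empty list means NAT-T is present where it is needed."""
    lines = [ln.strip() for ln in config.splitlines()]
    isakmp_ifaces = [m.group(1) for ln in lines
                     if (m := re.fullmatch(r"crypto isakmp enable (\S+)", ln))]
    ra_groups = [m.group(1) for ln in lines
                 if (m := re.fullmatch(r"tunnel-group (\S+) type ipsec-ra", ln))]
    # 'show run' prints the keepalive interval after the keyword; accept both forms.
    nat_t = any(re.fullmatch(r"crypto isakmp nat-traversal(?:\s+\d+)?", ln) for ln in lines)
    findings = []
    if ra_groups and isakmp_ifaces and not nat_t:
        findings.append(
            "remote-access tunnel-group(s) %s terminate ISAKMP on %s but "
            "'crypto isakmp nat-traversal' is absent: a client behind NAT builds "
            "its SAs yet passes no traffic once raw ESP is dropped in transit"
            % (", ".join(ra_groups), ", ".join(isakmp_ifaces)))
    return findings


def with_nat_traversal(config: str, keepalive: int = 20) -> str:
    """Return the config with the fix inserted after each 'crypto isakmp enable' line."""
    out = []
    for line in config.splitlines():
        out.append(line)
        if re.fullmatch(r"crypto isakmp enable \S+", line.strip()):
            out.append(f"crypto isakmp nat-traversal {keepalive}")  # assumed default: 20
    return "\n".join(out) + "\n"
```

After applying the line on a real box, compare the encaps and decaps counters in `show crypto ipsec sa` on both ends; with NAT-T negotiated, ESP rides inside UDP/4500 and the counters should advance together.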



This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:20 ART