Easy VPN Issue

From: Ajay V m (ajayvm@gmail.com)
Date: Wed Jun 25 2008 - 06:08:28 ART


Hi,

I'm facing an issue while doing easy VPN with network extension mode.

I have a setup

192.100.100.0/24 ---inside (ASA5510 Central ) outside 80.2XX.1XX.1XX
--------dynamic ADSL router 192.168.16.1-----192.168.16.21 outside (ASA5505
remote) inside 192.168.1.0/24

I configured the Easy VPN with network extension between the central and
remote sites. I can see that the VPN is up, but I'm unable to ping the LAN IPs
from the server and the remote client. I'm attaching the configs also. Split
tunnel is also configured.

I cannot reach the server LAN (192.100.100.0/24) from the remote
(192.168.1.0/24) and vice versa.

-- 
Thanks And Regards

Ajay.V.M

" Remember that the Diamond is just another piece of Coal which did well under Pressure .."

sh run

: Saved

:

ASA Version 7.2(3)

!

hostname AbuDhabi-Firewall

domain-name default.domain.invalid

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.16.25 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list acl_in extended permit ip any any

access-list acl_out extended permit ip any any

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

access-group acl_in in interface inside

access-group acl_in out interface inside

access-group acl_out in interface outside

access-group acl_out out interface outside

route outside 0.0.0.0 0.0.0.0 192.168.16.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.3-192.168.1.240 inside

dhcpd dns 213.42.20.20 195.229.241.222 interface inside

dhcpd enable inside

!

vpnclient server 80.227.120.150

vpnclient mode network-extension-mode

vpnclient vpngroup mytunnel password ********

vpnclient username cisco password ********

vpnclient enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:c8eeac77a0b25bccbd7018d55831cda4

: end

sh run
: Saved
:
ASA Version 7.0(7)
!
hostname Dubai-Firewall
domain-name default.domain.invalid
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 8X.2XX.1XX.1XX 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.100.100.3 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.1.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list acl_in extended permit ip any any
access-list acl_out extended permit ip any any
access-list no-nat extended permit ip 192.100.100.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ezvpn1 extended permit ip 192.100.100.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu inside 1500
mtu management 1500
ip local pool testpool 192.100.100.150-192.100.100.200
no failover
icmp permit any Outside
icmp permit any inside
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_out in interface Outside
access-group acl_out out interface Outside
access-group acl_in in interface inside
access-group acl_in out interface inside
route Outside 0.0.0.0 0.0.0.0 80.227.120.149 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy Mygroup internal
group-policy Mygroup attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn1
nem enable
webvpn
username testuser password 0AKWGtPSEgAcPI9K encrypted
username cisco password cIudbEqx8vRFxinX encrypted
http server enable
http 10.1.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map myMA 60 ipsec-isakmp dynamic myDYN-MAP
crypto map myMA interface Outside
crypto map myDYN-MAP 5 set reverse-route
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
isakmp nat-traversal 20
tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
default-group-policy Mygroup
tunnel-group mytunnel ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.100.100.250-192.100.100.251 inside
dhcpd address 10.1.1.2-10.1.1.253 management
dhcpd dns 80.227.2.2 80.227.2.3
dhcpd lease 3600
dhcpd ping_timeout 750
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
client-update enable
Cryptochecksum:d595211c9d1bbdc084680fcaf35dfcb5
: end
Dubai-Firewall#


