ASA5505 as VPN client problem

From: Jordan (zdh1207@gmail.com)
Date: Mon Sep 08 2008 - 04:12:02 ART


Hi, group:

I have an ASA5505 acting as a VPN client, peering with an Easy VPN
server (a PIX515 running version 7.2). I have two problems:
1. Once the ASA5505 establishes an ISAKMP SA with the PIX, clients behind
the ASA5505 lose their connections to the Internet;
2. I have configured a backup server (another PIX515) on the
PIX515. But even when I disconnect the PIX from the net, the SA between
the PIX and the ASA5505 still exists until I use the clear crypto isa
sa command; only then can the ASA5505 connect to the backup server. What I
need is: as soon as the PIX515 is disconnected, the ASA5505 should
immediately switch to the backup server without the clear crypto isa sa
command.

For the first problem, I know there is a command that should be configured
under group-policy, split-tunnel-policy tunnelspecified, but it
seems not to work.

Any help will be very much appreciated. The configuration is below:
----------------------------------------------------------------------------------------------------------------
pixfirewall(config)# sh run
: Saved
:
PIX Version 7.2(1)
!
hostname pixfirewall
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 10.0.0.254 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list out-in extended permit icmp any any
access-list group1 extended permit ip 192.168.2.0 255.255.255.0
192.168.1.0 255.255.255.0
access-list nat0 extended permit ip 192.168.2.0 255.255.255.0
192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group out-in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy group1 internal
group-policy group1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value group1
 nem enable
 backup-servers 10.0.0.253
username zdh1 password 2r6744/AjVH3mel5 encrypted
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto dynamic-map vpn 8 set transform-set vpn
crypto map vpn 200 ipsec-isakmp dynamic vpn
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group group1 type ipsec-ra
tunnel-group group1 general-attributes
 default-group-policy group1
tunnel-group group1 ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:9937e2537e2187d5e14198b845a509fc
: end
pixfirewall(config)# !!!!!!!!!
pixfirewall(config)# sh run cry
crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto dynamic-map vpn 8 set transform-set vpn
crypto map vpn 200 ipsec-isakmp dynamic vpn
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
pixfirewall(config)# sh run grou
pixfirewall(config)# sh run group-p
pixfirewall(config)# sh run group-policy
group-policy group1 internal
group-policy group1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value group1
 nem enable
 backup-servers 10.0.0.253
pixfirewall(config)# sh run acce
pixfirewall(config)# sh run access-l
pixfirewall(config)# sh run access-list
access-list out-in extended permit icmp any any
access-list group1 extended permit ip 192.168.2.0 255.255.255.0
192.168.1.0 255.255.255.0
access-list nat0 extended permit ip 192.168.2.0 255.255.255.0
192.168.1.0 255.255.255.0
----------------------------------------------------

Jordan
ciscoasa# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 10.0.0.253 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
!
vpnclient server 10.0.0.254
vpnclient mode network-extension-mode
vpnclient vpngroup group1 password ********
vpnclient username zdh1 password ********
vpnclient enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:1e716346362e34051528b0aed53bfaad
: end



