ASA 5505 VPN Issue
-
I have an ASA 5505 at one of our remote sites that is used to form a VPN tunnel between that site and our main office. The VPN tunnel itself works beautifully. No issues with the tunnel. The clients on either side of the tunnel can reach each other, no problems there.
Where I'm having a problem is getting the ASA itself to reach clients across the VPN tunnel. This was never an issue until now. I'd like to update the software on the ASA (it's a bit behind, running 8.2(5)), but it cannot reach the TFTP server I have set up at the main office.
In doing a traceroute for networks across the VPN tunnel, it wants to use the default route which is to the Internet.
For what it's worth, I can reach the ASA via its inside IP address from my workstation and any other client on the other side of the VPN.
Thoughts?
Here is the configuration of said ASA:
: Saved
:
ASA Version 8.2(5)
!
hostname BRANCHFW01
enable password nope encrypted
passwd nope encrypted
names
!
interface Ethernet0/0
 description Connection to Comcast
 switchport access vlan 20
!
interface Ethernet0/1
 description Connection to Branch Router
 switchport access vlan 10
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.254.253 255.255.255.248
!
interface Vlan20
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.248
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit intra-interface
object-group network HQ-VPN-NETWORKS
 network-object 172.16.0.0 255.240.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network BRANCH-VPN-NETWORKS
 network-object 10.39.126.0 255.255.255.0
 network-object 10.39.226.0 255.255.255.0
 network-object 10.39.136.0 255.255.255.0
 network-object 10.39.8.144 255.255.255.240
 network-object 192.168.254.248 255.255.255.248
access-list VPN extended permit ip object-group BRANCH-VPN-NETWORKS object-group HQ-VPN-NETWORKS
access-list NO-NAT extended permit ip object-group BRANCH-VPN-NETWORKS object-group HQ-VPN-NETWORKS
access-list inbound extended permit icmp any any time-exceeded
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any echo-reply
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
route inside 10.39.8.144 255.255.255.240 192.168.254.254 1
route inside 10.39.126.0 255.255.255.0 192.168.254.254 1
route inside 10.39.136.0 255.255.255.0 192.168.254.254 1
route inside 10.39.226.0 255.255.255.0 192.168.254.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd dns 10.39.254.21 10.39.218.20 interface inside
dhcpd domain domain.com interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.39.226.45
webvpn
 anyconnect-essentials
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol IPSec
username nope password nope encrypted privilege 15
username nope attributes
 service-type admin
username nope password nope encrypted privilege 15
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:nope
: end
-
Ha. One of those "well, I feel stupid" moments. Specifying the source interface in the tftp command resolved the problem!
copy tftp://serverIP/filename.bin;int=inside flash:
The new ASA software version is copying over. Though it's quite slow. I'll have to see what tweaks I can make there...definitely not an issue for this thread.
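Why the `;int=inside` suffix fixes it, as an added example that is not the poster's code: traffic the ASA originates picks its exit interface by a route lookup and is sourced from that interface's address. A TFTP server in HQ's 10.0.0.0/8 that is not covered by the four `route inside` statements falls through to the default route, so the packet leaves `outside` sourced from the outside IP. That address is not in BRANCH-VPN-NETWORKS, so the packet never matches the `VPN` crypto ACL and goes to the Internet in the clear. Forcing the source interface to `inside` keeps the same exit interface but sources the packet from 192.168.254.253, which is inside 192.168.254.248/29 and therefore matches the crypto ACL. The Python below models exactly that decision against a constructed excerpt of the posted config; 198.51.100.2 and 198.51.100.1 stand in for the redacted outside address and gateway, and the TFTP server 10.1.2.3 is hypothetical.

```python
import ipaddress

# Constructed excerpt of the posted config: only the lines that decide how a
# packet the ASA originates is routed and whether it matches the crypto ACL.
# 198.51.100.x stands in for the redacted (X.X.X.X) outside address/gateway.
CONFIG = """
interface Vlan10
 nameif inside
 ip address 192.168.254.253 255.255.255.248
interface Vlan20
 nameif outside
 ip address 198.51.100.2 255.255.255.248
object-group network HQ-VPN-NETWORKS
 network-object 172.16.0.0 255.240.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network BRANCH-VPN-NETWORKS
 network-object 10.39.126.0 255.255.255.0
 network-object 10.39.226.0 255.255.255.0
 network-object 10.39.136.0 255.255.255.0
 network-object 10.39.8.144 255.255.255.240
 network-object 192.168.254.248 255.255.255.248
access-list VPN extended permit ip object-group BRANCH-VPN-NETWORKS object-group HQ-VPN-NETWORKS
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route inside 10.39.8.144 255.255.255.240 192.168.254.254 1
route inside 10.39.126.0 255.255.255.0 192.168.254.254 1
route inside 10.39.136.0 255.255.255.0 192.168.254.254 1
route inside 10.39.226.0 255.255.255.0 192.168.254.254 1
crypto map outside_map 1 match address VPN
crypto map outside_map interface outside
management-access inside
"""


def parse_asa(text):
    """Parse only the command forms used above (interfaces, network
    object-groups, object-group ACLs, static routes, crypto map bindings)."""
    cfg = {"interfaces": {}, "groups": {}, "routes": [], "acls": {}, "crypto": {}}
    cur_if, cur_group = {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            cur_if, cur_group = {}, None
        elif tok[0] == "nameif":
            cur_if["nameif"] = tok[1]
        elif tok[:2] == ["ip", "address"]:
            cur_if["ip"] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif tok[:2] == ["object-group", "network"]:
            cur_group = cfg["groups"].setdefault(tok[2], [])
        elif tok[0] == "network-object":
            cur_group.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}", strict=False))
        elif tok[0] == "access-list":
            # access-list NAME extended permit ip object-group SRC object-group DST
            grp = [tok[i + 1] for i, t in enumerate(tok) if t == "object-group"]
            cfg["acls"].setdefault(tok[1], []).append((grp[0], grp[1]))
        elif tok[0] == "route":
            # route NAMEIF NETWORK MASK GATEWAY METRIC
            cfg["routes"].append((ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False), tok[1]))
        elif tok[:2] == ["crypto", "map"]:
            entry = cfg["crypto"].setdefault(tok[2], {})
            if tok[3] == "interface":
                entry["interface"] = tok[4]
            elif tok[4:6] == ["match", "address"]:
                entry["acl"] = tok[6]
        if "nameif" in cur_if and "ip" in cur_if:
            cfg["interfaces"][cur_if["nameif"]] = cur_if["ip"]
    return cfg


def egress_interface(cfg, dst):
    """Longest-prefix match: the ASA exits (and, by default, sources its own
    packets from) whichever interface the route lookup selects."""
    hits = [(net, name) for net, name in cfg["routes"] if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def matches_crypto_acl(cfg, cmap, src, dst):
    acl = cfg["acls"].get(cfg["crypto"][cmap].get("acl"), [])
    return any(any(src in n for n in cfg["groups"][s]) and any(dst in n for n in cfg["groups"][d])
               for s, d in acl)


def plan_copy(cfg, server_ip, filename, source_if=None, cmap="outside_map"):
    """Predict whether `copy tftp://...` issued on the ASA rides the tunnel.
    source_if models the ';int=NAMEIF' suffix on the copy URL."""
    dst = ipaddress.ip_address(server_ip)
    egress = egress_interface(cfg, dst)
    src = cfg["interfaces"][source_if or egress].ip
    # Encrypted only if the packet leaves the interface carrying the crypto
    # map AND the (src, dst) pair is permitted by that map's crypto ACL.
    tunneled = cfg["crypto"][cmap].get("interface") == egress and matches_crypto_acl(cfg, cmap, src, dst)
    suffix = f";int={source_if}" if source_if else ""
    return {"command": f"copy tftp://{server_ip}/{filename}{suffix} flash:",
            "egress_interface": egress, "source_ip": str(src), "through_tunnel": tunneled}


if __name__ == "__main__":
    cfg = parse_asa(CONFIG)
    for src_if in (None, "inside"):  # 10.1.2.3: hypothetical HQ TFTP server
        print(plan_copy(cfg, "10.1.2.3", "filename.bin", src_if))
```

Run stand-alone, the first line of output shows the unsuffixed copy leaving `outside` from 198.51.100.2 with `through_tunnel: False`; the second shows the `;int=inside` form sourced from 192.168.254.253 with `through_tunnel: True`. The same route-then-ACL check explains the traceroute in the question: the ASA's own probes to HQ networks hit the default route. Note two things the posted config also shows: `management-access inside` is what lets HQ hosts reach the ASA at its inside address over the tunnel, and `telnet 0.0.0.0 0.0.0.0 inside` together with `http 0.0.0.0 0.0.0.0 inside` means every host in the HQ-VPN-NETWORKS ranges can reach the ASA's cleartext telnet and ASDM listeners through that same path; tightening those source ranges (and dropping telnet in favour of ssh) is worth doing alongside the software update.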