Re: Help on Cisco ASA 5510 VPN IPsec
- From: Mag <mag@xxxxxxxxxxx>
- Date: Mon, 05 Jan 2009 16:16:17 +0100
It's not only the ICMP that is denied:
Inbound TCP connection denied from 10.100.7.245/22 to 10.100.5.10/1953 flags SYN ACK on interface lan
What is the ACL to put in place to accept all traffic from LAN to IPsec and from IPsec to LAN?
I also see that on my PC connected over IPsec, the subnet mask is 255.0.0.0 and not 255.255.255.0.
Mag wrote:
Brian V wrote:
You need to post a sanitized config for us to be able to help you.
Oh yes, sorry ;=) :
Configuration (sh run) generated with the ASDM wizard:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.0(3)
!
hostname ASA5510-1
domain-name asa1.xxx.org
enable password XXX
names
name 10.100.5.0 IPSec
!
interface Ethernet0/0
nameif wan
security-level 0
ip address 62.XX.XX.XX 255.255.255.224
!
interface Ethernet0/1
nameif lan
security-level 0
ip address 10.100.7.242 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd XXXX encrypted
ftp mode passive
dns domain-lookup lan
dns server-group DefaultDNS
name-server 10.100.7.250
domain-name asa1.xxx.org
access-list lan_nat0_outbound extended permit ip any IPSec 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu lan 1500
mtu wan 1500
ip local pool IpSec 10.100.5.10-10.100.5.254
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
global (wan) 101 interface
nat (lan) 0 access-list lan_nat0_outbound
nat (lan) 101 0.0.0.0 0.0.0.0
route wan 0.0.0.0 0.0.0.0 62.XX.XX.XX 1
route lan 10.0.0.0 255.0.0.0 10.100.7.250 1
route lan 172.26.0.0 255.255.0.0 10.100.7.250 1
route lan 172.27.0.0 255.255.0.0 10.100.7.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 wan
http 62.XX.XX.XX 255.255.255.224 wan
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map wan_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map wan_map interface wan
crypto isakmp enable wan
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access wan
threat-detection basic-threat
threat-detection statistics
group-policy ipsecvpn internal
group-policy ipsecvpn attributes
dns-server value 10.100.7.242
vpn-tunnel-protocol IPSec
default-domain value XXXX.fr
username magalie password 1YqAYSguYgIKdkUO encrypted privilege 0
username magalie attributes
vpn-group-policy ipsecvpn
tunnel-group ipsecvpn type remote-access
tunnel-group ipsecvpn general-attributes
address-pool IpSec
default-group-policy ipsecvpn
tunnel-group ipsecvpn ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:3c033e8f335604a9fa0af37e27ddf6d8
: end
And after connecting, these are the log entries:
3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan:10.100.7.248 dst wan:10.100.5.10 (type 0, code 0)
6|Jan 05 2009|05:30:10|302020|10.100.5.10|10.100.7.248|Built inbound ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr 10.100.7.248/0 (magalie)
6|Jan 05 2009|05:30:09|302021|10.100.5.10|10.100.7.248|Teardown ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr 10.100.7.248/0 (magalie)
Thanks for your help
Magalie
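Added example, not part of the thread or of Cisco's tooling: a small Python script that parses log lines in the pipe-delimited ASDM export format quoted above (severity|date|time|message-id|src|dst|text) and sorts the denies into two kinds. A deny that lands within a few seconds of a "Built ... connection" record for the same two endpoints is reply traffic to a flow the ASA itself admitted, which points at a policy or routing problem between interfaces rather than at the VPN client; a deny with no matching state (the SYN ACK on lan above) is reported separately. The three pipe-format lines are the ones from the post; the fourth is the TCP deny from the post re-wrapped into the same format under ASA message id 106001, and the 5-second correlation window is an arbitrary choice.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample: the three ASDM lines quoted in the thread plus the TCP deny
# from the thread re-wrapped into the same format (message id 106001 assumed).
SAMPLE_LOG = """\
3|Jan 05 2009|05:30:10|106014|||Deny inbound icmp src lan:10.100.7.248 dst wan:10.100.5.10 (type 0, code 0)
6|Jan 05 2009|05:30:10|302020|10.100.5.10|10.100.7.248|Built inbound ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr 10.100.7.248/0 (magalie)
6|Jan 05 2009|05:30:09|302021|10.100.5.10|10.100.7.248|Teardown ICMP connection for faddr 10.100.5.10/2048 gaddr 10.100.7.248/0 laddr 10.100.7.248/0 (magalie)
2|Jan 05 2009|05:30:41|106001|||Inbound TCP connection denied from 10.100.7.245/22 to 10.100.5.10/1953 flags SYN ACK on interface lan
"""

# Message texts as the ASA prints them for 106014, 106001 and 302020/302021.
DENY_ICMP = re.compile(
    r"Deny inbound icmp src (?P<in_if>\w+):(?P<src>[\d.]+) dst (?P<out_if>\w+):(?P<dst>[\d.]+)"
    r" \(type (?P<type>\d+), code (?P<code>\d+)\)")
DENY_TCP = re.compile(
    r"Inbound (?P<proto>TCP|UDP) connection denied from (?P<src>[\d.]+)/(?P<sport>\d+)"
    r" to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<in_if>\w+)")
CONN = re.compile(
    r"(?P<what>Built|Teardown) (?:inbound |outbound )?(?P<proto>ICMP|TCP|UDP) connection"
    r" .*?faddr (?P<faddr>[\d.]+)/\d+ gaddr [\d.]+/\d+ laddr (?P<laddr>[\d.]+)/\d+")


@dataclass
class Event:
    when: datetime
    severity: int
    msg_id: int
    kind: str      # "deny", "built" or "teardown"
    proto: str
    a: str         # the two endpoints; the flow key below ignores direction
    b: str
    detail: str

    @property
    def flow(self):
        return (self.proto, *sorted((self.a, self.b)))


def parse_line(line: str) -> Optional[Event]:
    """Parse one ASDM export line; return None for lines this script does not understand."""
    parts = line.rstrip("\n").split("|", 6)
    if len(parts) != 7:
        return None
    sev, date, time_, msg_id, _src, _dst, text = parts
    when = datetime.strptime(f"{date} {time_}", "%b %d %Y %H:%M:%S")
    m = DENY_ICMP.search(text)
    if m:
        return Event(when, int(sev), int(msg_id), "deny", "ICMP", m["src"], m["dst"],
                     f"{m['in_if']}->{m['out_if']} type {m['type']} code {m['code']}")
    m = DENY_TCP.search(text)
    if m:
        return Event(when, int(sev), int(msg_id), "deny", m["proto"], m["src"], m["dst"],
                     f"{m['src']}:{m['sport']}->{m['dst']}:{m['dport']} flags {m['flags']} on {m['in_if']}")
    m = CONN.search(text)
    if m:
        return Event(when, int(sev), int(msg_id), m["what"].lower(), m["proto"],
                     m["faddr"], m["laddr"], "")
    return None


def analyze(log_text: str, window: timedelta = timedelta(seconds=5)) -> dict:
    """Split denies into replies to a flow the ASA had just built versus denies with no state."""
    events = sorted((e for e in map(parse_line, log_text.splitlines()) if e),
                    key=lambda e: e.when)          # export is newest-first; put it in order
    built = [e for e in events if e.kind == "built"]
    denied_replies, stateless_denies = [], []
    for d in (e for e in events if e.kind == "deny"):
        match = next((b for b in built
                      if b.flow == d.flow and abs(d.when - b.when) <= window), None)
        (denied_replies if match else stateless_denies).append((d, match))
    return {"events": events, "denied_replies": denied_replies,
            "stateless_denies": stateless_denies}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for deny, conn in report["denied_replies"]:
        print(f"{deny.when:%H:%M:%S} {deny.msg_id} denied reply for {deny.flow} "
              f"({deny.detail}); ASA built this flow at {conn.when:%H:%M:%S} ({conn.msg_id})")
    for deny, _ in report["stateless_denies"]:
        print(f"{deny.when:%H:%M:%S} {deny.msg_id} deny with no matching connection: {deny.detail}")
```

On the sample the ICMP deny (106014) is paired with the 302020 build for the same endpoints one second apart, and the SYN ACK deny is reported on its own; run it over a larger ASDM export to see which denied flows were ones the firewall had already admitted.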