|
Posted by Newbie72 on May 16, 2008, 10:22 am
If you were Registered and logged in, you could reply and use other advanced thread options
> Hi all,
>
> In the hopes anyone sees my error in my config (I'm almost sure it's a
> config error on my part but i can't find it).
> I'm trying to get the Cisco VPN client to work with an ASA 5510. Tried the=
> manual config way and the ASDM way through the wizard.
>
> The problem is not that i can't get any ipsec connection. That works. But
> when the VPN connection is established i can't get any trafic from my Clie=
nt
> VPN IP segment (172.16.101.0/24 to the internal network (172.16.100.0/24).=
> The logs in the ASDM keep giving me the same error (this is another error
> but the error for opening a RDP connection from src to dst is the same):
>
> 3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group fou=
nd
> for udp src outside:172.16.101.100/49959 dst Company-lan:172.16.100.252/53=
> 3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group fou=
nd
> for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53=
> 3|May 13 2008|21:09:41|305005|172.16.100.252|53|||No translation group fou=
nd
> for udp src outside:172.16.101.100/61829 dst Company-lan:172.16.100.252/53=
> 3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group fou=
nd
> for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53=
> 3|May 13 2008|21:09:40|305005|172.16.100.252|53|||No translation group fou=
nd
> for udp src outside:172.16.101.100/64955 dst Company-lan:172.16.100.252/53=
> 3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group fou=
nd
> for udp src outside:172.16.101.100/61676 dst Company-lan:172.16.100.252/53=
> 3|May 13 2008|21:09:39|305005|172.16.100.252|53|||No translation group fou=
nd
> for udp src outside:172.16.101.100/61676 dst Company-lan:172.16.100.252/53=
>
> This is the current config file i'm using (anonymised offcourse):
>
> : Saved
> :
> ASA Version 8.0(3)
> !
> hostname asa5510
> enable password 1mujhtmA4fcM3pOA encrypted
> !
> interface Ethernet0/0
> description Interface connected to Internet
> nameif outside
> security-level 0
> ip address x.x.x.x 255.255.255.248
> !
> interface Ethernet0/1
> description Interface connected to the Company-Holding LAN
> speed 1000
> duplex full
> nameif Company-lan
> security-level 100
> ip address 172.16.100.1 255.255.255.0
> !
> interface Ethernet0/2
> description Interface connected to the old OLDLAN-Lan
> nameif OLDLAN-lan
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> !
> interface Ethernet0/3
> description Interface for DMZ purposes
> nameif DMZ
> security-level 50
> ip address 10.172.100.1 255.255.255.0
> !
> interface Management0/0
> nameif management
> security-level 100
> ip address 10.10.10.1 255.255.255.0
> management-only
> !
> passwd 2KFQnbNIdI.2KYOU encrypted
> boot system disk0:/asa803-k8.bin
> ftp mode passive
> dns server-group CompanyDNS
> name-server 172.16.100.252
> name-server 192.168.1.100
> name-server 194.151.228.18
> name-server 194.151.228.34
> domain-name Company-holding.local
> dns-group CompanyDNS
> same-security-traffic permit inter-interface
> access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0
> 255.255.255.0 192.168.1.0 255.255.255.0
> access-list Company-lan_nat0_outbound extended permit ip 172.16.100.0
> 255.255.255.0 172.16.101.0 255.255.255.0
> access-list OLDLAN-lan_nat0_outbound extended permit ip 192.168.1.0
> 255.255.255.0 172.16.100.0 255.255.255.0
> access-list outside-entry extended permit tcp any host x.x.x.x eq smtp
> access-list outside_access_in remark SMTP permit line to the Exchange Serv=
er
> access-list outside_access_in extended permit tcp any host x.x.x.x eq smtp=
> access-list outside_access_in extended permit tcp any host x.x.x.x eq ssh
> inactive
> access-list outside_access_in extended permit ip 172.16.101.0 255.255.255.=
0
> 172.16.100.0 255.255.255.0
> pager lines 24
> logging enable
> logging asdm informational
> mtu outside 1500
> mtu Company-lan 1500
> mtu OLDLAN-lan 1500
> mtu DMZ 1500
> mtu management 1500
> ip local pool CompanySecure 172.16.101.100-172.16.101.252 mask 255.255.255=
.0
> ip verify reverse-path interface outside
> no failover
> icmp unreachable rate-limit 1 burst-size 1
> asdm image disk0:/asdn-611.bin
> no asdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (Company-lan) 0 access-list Company-lan_nat0_outbound
> nat (Company-lan) 1 0.0.0.0 0.0.0.0
> nat (OLDLAN-lan) 0 access-list OLDLAN-lan_nat0_outbound
> nat (OLDLAN-lan) 1 0.0.0.0 0.0.0.0
> static (Company-lan,outside) tcp interface smtp 172.16.100.251 smtp netmas=
k
> 255.255.255.255
> access-group outside_access_in in interface outside
> route outside 0.0.0.0 0.0.0.0 77.61.155.73 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat
> 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
> 0:02:00
> timeout uauth 0:05:00 absolute
> dynamic-access-policy-record DfltAccessPolicy
> aaa-server IASadCompany protocol radius
> aaa-server IASadCompany (Company-lan) host <host>
> key <omitted>
> aaa authentication http console IASadCompany LOCAL
> aaa authentication ssh console LOCAL
> http server enable 20443
> http 172.16.100.0 255.255.255.0 Company-lan
> http 10.10.10.0 255.255.255.0 management
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
> crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
> crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
> crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set
> ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5
> ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA
> ESP-DES-MD5
> crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MA=
P
> crypto map outside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp ipsec-over-tcp port 10000
> telnet timeout 5
> ssh 172.16.100.0 255.255.255.0 Company-lan
> ssh 10.10.10.0 255.255.255.0 management
> ssh timeout 5
> ssh version 2
> console timeout 0
> dhcpd address 10.10.10.100-10.10.10.200 management
> dhcpd dns 194.151.228.18 194.151.228.34 interface management
> dhcpd domain itmanagement.Company-holding.local interface management
> dhcpd enable management
> !
> vpn load-balancing
> interface lbprivate DMZ
> threat-detection basic-threat
> threat-detection statistics port
> threat-detection statistics protocol
> threat-detection statistics access-list
> webvpn
> csd image disk0:/securedesktop_asa-3.3.0.118-k9.pkg
> csd enable
> group-policy DfltGrpPolicy attributes
> vpn-tunnel-protocol l2tp-ipsec webvpn
> group-policy ClientVPN internal
> group-policy ClientVPN attributes
> dns-server value 172.16.100.252
> vpn-tunnel-protocol IPSec
> password-storage disable
> default-domain value secure.Company-holding.local
> secure-unit-authentication enable
> user-authentication enable
> msie-proxy server value 172.16.100.250:8080
> msie-proxy method use-server
> msie-proxy local-bypass enable
> username admin password <omitted> privilege 15
> tunnel-group ClientVPN type remote-access
> tunnel-group ClientVPN general-attributes
> address-pool CompanySecure
> default-group-policy ClientVPN
> tunnel-group ClientVPN ipsec-attributes
> pre-shared-key *
> !
> class-map inspection_default
> match default-inspection-traffic
> !
> !
> policy-map type inspect dns preset_dns_map
> parameters
> =A0 message-length maximum 512
> policy-map global_policy
> class inspection_default
> =A0 inspect dns preset_dns_map
> =A0 inspect ftp
> =A0 inspect h323 h225
> =A0 inspect h323 ras
> =A0 inspect rsh
> =A0 inspect rtsp
> =A0 inspect sqlnet
> =A0 inspect skinny
> =A0 inspect sunrpc
> =A0 inspect xdmcp
> =A0 inspect sip
> =A0 inspect netbios
> =A0 inspect tftp
> !
> service-policy global_policy global
> prompt hostname domain context
> Cryptochecksum:25bc95a8279f59219e3d64b5129271c8
> : end
>
> Hope anyone can help....
the error you listed indicates you have not setup nat for your
clients. You can fix it one of 2 ways either configure Nat for your
vpn clients or configure nat 0
use the the following command
nat 0 access-list vpnclients
then creat an acl called vpn clients with the ip address of your vpn
clients.
like so
access-list vpnclients extended permit ip any host {enter your host
ips here}
| 
NewsGroups 
Yahoo! 
Google 
Windows Live 
del.icio.us 
digg 
Netscape 
XML site map