ASA 5505 VPN Issue



  • I have an ASA 5505 at one of our remote sites that is used to form a VPN tunnel between that site and our main office. The VPN tunnel itself works beautifully. No issues with the tunnel. The clients on either side of the tunnel can reach each other, no problems there.

    Where I'm having a problem is getting the ASA itself to reach clients across the VPN tunnel. This was never an issue until now. I'd like to update the software on the ASA (it's a bit behind, running 8.2(5)), but it cannot reach the TFTP server I have set up at the main office.

    In doing a traceroute for networks across the VPN tunnel, it wants to use the default route, which points to the Internet.

    For what it's worth, I can reach the ASA via its inside IP address from my workstation and any other client on the other side of the VPN.

    Thoughts?

    Here is the configuration of said ASA:

    : Saved
    :
    ASA Version 8.2(5) 
    !
    hostname BRANCHFW01
    enable password nope encrypted
    passwd nope encrypted
    names
    !
    interface Ethernet0/0
     description Connection to Comcast
     switchport access vlan 20
    !
    interface Ethernet0/1
     description Connection to Branch Router
     switchport access vlan 10
    !
    interface Ethernet0/2
     shutdown
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !             
    interface Ethernet0/5
     shutdown
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     shutdown
    !
    interface Vlan1
     no nameif
     no security-level
     no ip address
    !
    interface Vlan10
     nameif inside
     security-level 100
     ip address 192.168.254.253 255.255.255.248 
    !
    interface Vlan20
     nameif outside
     security-level 0
     ip address X.X.X.X 255.255.255.248 
    !             
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    same-security-traffic permit intra-interface
    object-group network HQ-VPN-NETWORKS
     network-object 172.16.0.0 255.240.0.0
     network-object 10.0.0.0 255.0.0.0
     network-object 192.168.0.0 255.255.0.0
    object-group network BRANCH-VPN-NETWORKS
     network-object 10.39.126.0 255.255.255.0
     network-object 10.39.226.0 255.255.255.0
     network-object 10.39.136.0 255.255.255.0
     network-object 10.39.8.144 255.255.255.240
     network-object 192.168.254.248 255.255.255.248
    access-list VPN extended permit ip object-group BRANCH-VPN-NETWORKS object-group HQ-VPN-NETWORKS 
    access-list NO-NAT extended permit ip object-group BRANCH-VPN-NETWORKS object-group HQ-VPN-NETWORKS 
    access-list inbound extended permit icmp any any time-exceeded 
    access-list inbound extended permit icmp any any unreachable 
    access-list inbound extended permit icmp any any echo-reply 
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NO-NAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group inbound in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
    route inside 10.39.8.144 255.255.255.240 192.168.254.254 1
    route inside 10.39.126.0 255.255.255.0 192.168.254.254 1
    route inside 10.39.136.0 255.255.255.0 192.168.254.254 1
    route inside 10.39.226.0 255.255.255.0 192.168.254.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication serial console LOCAL 
    aaa authentication telnet console LOCAL 
    aaa authentication ssh console LOCAL 
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address VPN
    crypto map outside_map 1 set peer X.X.X.X 
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    telnet 0.0.0.0 0.0.0.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd dns 8.8.8.8 8.8.4.4
    !
    dhcpd dns 10.39.254.21 10.39.218.20 interface inside
    dhcpd domain domain.com interface inside
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 10.39.226.45
    webvpn
     anyconnect-essentials
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
     vpn-tunnel-protocol IPSec 
    username nope password nope encrypted privilege 15
    username nope attributes
     service-type admin
    username nope password nope encrypted privilege 15
    tunnel-group X.X.X.X type ipsec-l2l
    tunnel-group X.X.X.X ipsec-attributes
     pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect ip-options 
      inspect netbios 
      inspect rsh 
      inspect skinny  
      inspect esmtp 
      inspect sqlnet 
      inspect sunrpc 
      inspect tftp 
      inspect xdmcp 
    !
    service-policy global_policy global
    prompt hostname context 
    no call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:nope
    : end


  • Ha. One of those "well, I feel stupid" moments. Specifying the source interface in the tftp command resolved the problem!

    copy tftp://serverIP/filename.bin;int=inside flash: 
    

    The new ASA software version is copying over, though it's quite slow. I'll have to see what tweaks I can make there... definitely not an issue for this thread. 😃
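Why `;int=inside` fixes it, as an added worked example that is not part of the original thread: the crypto map's match ACL (`VPN`) only permits traffic whose source is in BRANCH-VPN-NETWORKS, and that group includes the inside interface's own /29 (192.168.254.248/29) but not the outside address. Anything the ASA originates toward an HQ network follows the default route out `outside`, is sourced from the outside address, never matches the crypto ACL, and is therefore forwarded unencrypted to the ISP instead of into the tunnel. Sourcing the copy from `inside` makes the packet's source 192.168.254.253, which the ACL does cover. The script below parses the object-groups and crypto ACL lifted from the posted config and reports whether a given flow counts as interesting traffic. The TFTP server address (10.1.1.10, assumed to sit somewhere in 10.0.0.0/8) and the outside address (203.0.113.10, a stand-in for the redacted X.X.X.X) are hypothetical; the rest is taken from the configuration above.

```python
import ipaddress

# Relevant lines copied from the posted configuration: the two object-groups,
# the crypto-map match ACL, and the crypto map line that references it.
ASA_CONFIG = """\
object-group network HQ-VPN-NETWORKS
 network-object 172.16.0.0 255.240.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
object-group network BRANCH-VPN-NETWORKS
 network-object 10.39.126.0 255.255.255.0
 network-object 10.39.226.0 255.255.255.0
 network-object 10.39.136.0 255.255.255.0
 network-object 10.39.8.144 255.255.255.240
 network-object 192.168.254.248 255.255.255.248
access-list VPN extended permit ip object-group BRANCH-VPN-NETWORKS object-group HQ-VPN-NETWORKS
crypto map outside_map 1 match address VPN
"""

INSIDE_IP = "192.168.254.253"   # ASA inside interface address, from the config
OUTSIDE_IP = "203.0.113.10"     # hypothetical stand-in for the redacted X.X.X.X outside address
TFTP_SERVER = "10.1.1.10"       # hypothetical HQ TFTP server, assumed to live in 10.0.0.0/8


def parse_object_groups(config):
    """Map each 'object-group network' name to its list of ip_network entries."""
    groups, current = {}, None
    for line in config.splitlines():
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = []
        elif line.startswith(" network-object ") and current:
            _, addr, mask = line.split()
            groups[current].append(ipaddress.ip_network(f"{addr}/{mask}"))
        else:
            current = None          # any other top-level line ends the group
    return groups


def _addr_spec(tokens, groups):
    """Consume one ACL address spec (any / host / object-group / net mask)."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], 1
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1] + "/32")], 2
    if tokens[0] == "object-group":
        return groups[tokens[1]], 2
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], 2


def parse_crypto_acl(config, groups):
    """Return [(src_nets, dst_nets), ...] for the ACL the crypto map matches on."""
    acl_name = None
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["crypto", "map"] and "match" in p and "address" in p:
            acl_name = p[p.index("address") + 1]
    entries = []
    for line in config.splitlines():
        p = line.split()
        if p[:2] == ["access-list", acl_name] and p[2:4] == ["extended", "permit"]:
            rest = p[5:]                     # skip the protocol keyword ("ip")
            src, n = _addr_spec(rest, groups)
            dst, _ = _addr_spec(rest[n:], groups)
            entries.append((src, dst))
    return entries


def is_interesting(config, src_ip, dst_ip):
    """True if a src->dst flow matches the crypto-map ACL and will be encrypted."""
    groups = parse_object_groups(config)
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_nets, dst_nets in parse_crypto_acl(config, groups):
        if any(s in n for n in src_nets) and any(d in n for n in dst_nets):
            return True
    return False


if __name__ == "__main__":
    for label, src in (("outside (default-route egress)", OUTSIDE_IP),
                       ("inside (copy ...;int=inside)", INSIDE_IP)):
        verdict = ("matches crypto ACL, goes into the tunnel"
                   if is_interesting(ASA_CONFIG, src, TFTP_SERVER)
                   else "no crypto ACL match, leaves outside unencrypted")
        print(f"{src} -> {TFTP_SERVER} sourced from {label}: {verdict}")
```

The same logic explains why clients behind the ASA never had a problem: their addresses are in the branch object-group, so their traffic matches the ACL regardless of which interface the ASA's own default route points out of. The check is worth rerunning whenever the object-groups change, since any ASA-sourced service that talks to HQ (syslog, AAA, NTP, TFTP) needs its source interface to fall inside the crypto ACL or it will follow the default route in the clear.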

