ASA 5505 VPN Issue

  • I have an ASA 5505 at one of our remote sites that is used to form a VPN tunnel between that site and our main office. The VPN tunnel itself works beautifully. No issues with the tunnel. The clients on either side of the tunnel can reach each other, no problems there.

    Where I'm having a problem is getting the ASA itself to reach clients across the VPN tunnel. This was never an issue until now. I'd like to update the software on the ASA (it's a bit behind, running 8.2(5)), but it cannot reach the TFTP server I have set up at the main office.

    In doing a traceroute for networks across the VPN tunnel, it wants to use the default route which is to the Internet.

    For what it's worth, I can reach the ASA via its inside IP address from my workstation and any other client on the other side of the VPN.


    Here is the configuration of said ASA:

    : Saved
    ASA Version 8.2(5) 
    hostname BRANCHFW01
    enable password nope encrypted
    passwd nope encrypted
    interface Ethernet0/0
     description Connection to Comcast
     switchport access vlan 20
    interface Ethernet0/1
     description Connection to Branch Router
     switchport access vlan 10
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
     no nameif
     no security-level
     no ip address
    interface Vlan10
     nameif inside
     security-level 100
     ip address 
    interface Vlan20
     nameif outside
     security-level 0
     ip address X.X.X.X 
    ftp mode passive
    clock timezone PST -8
    clock summer-time PDT recurring
    same-security-traffic permit intra-interface
    object-group network HQ-VPN-NETWORKS
    object-group network BRANCH-VPN-NETWORKS
    access-list VPN extended permit ip object-group BRANCH-VPN-NETWORKS object-group HQ-VPN-NETWORKS 
    access-list NO-NAT extended permit ip object-group BRANCH-VPN-NETWORKS object-group HQ-VPN-NETWORKS 
    access-list inbound extended permit icmp any any time-exceeded 
    access-list inbound extended permit icmp any any unreachable 
    access-list inbound extended permit icmp any any echo-reply 
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any inside
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NO-NAT
    nat (inside) 1
    access-group inbound in interface outside
    route outside X.X.X.X 1
    route inside 1
    route inside 1
    route inside 1
    route inside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication serial console LOCAL 
    aaa authentication telnet console LOCAL 
    aaa authentication ssh console LOCAL 
    http server enable
    http inside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address VPN
    crypto map outside_map 1 set peer X.X.X.X 
    crypto map outside_map 1 set transform-set ESP-AES-256-SHA
    crypto map outside_map 1 set security-association lifetime seconds 28800
    crypto map outside_map 1 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    telnet inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd dns
    dhcpd dns interface inside
    dhcpd domain interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
     vpn-tunnel-protocol IPSec 
    username nope password nope encrypted privilege 15
    username nope attributes
     service-type admin
    username nope password nope encrypted privilege 15
    tunnel-group X.X.X.X type ipsec-l2l
    tunnel-group X.X.X.X ipsec-attributes
     pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map 
      inspect ftp 
      inspect h323 h225 
      inspect h323 ras 
      inspect ip-options 
      inspect netbios 
      inspect rsh 
      inspect skinny  
      inspect esmtp 
      inspect sqlnet 
      inspect sunrpc 
      inspect tftp 
      inspect xdmcp 
    service-policy global_policy global
    prompt hostname context 
    no call-home reporting anonymous
     profile CiscoTAC-1
      no active
      destination address http
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    : end

  • Ha. One of those "well, I feel stupid" moments. Specifying the source interface in the tftp command resolved the problem!

    copy tftp://serverIP/filename.bin;int=inside flash: 

    The new ASA software version is copying over. Though it's quite slow. I'll have to see what tweaks I can make there...definitely not an issue for this thread. 😃
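Added illustration (not from the original post or from Cisco): a small model of why the fix above works. The ASA routes its own traffic with a plain routing lookup, so without a source interface the copy is sourced from the outside address and never matches the VPN crypto ACL; with `;int=inside` the packet is sourced from the inside address and the crypto map on `outside` encrypts it. The object-groups, interface addresses and routes below are constructed sample values, since the post redacts them.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing; the post redacts the real object-groups,
# interface addresses and static routes, so these values are assumptions.
HQ_VPN_NETWORKS = [ip_network("10.0.0.0/24")]       # stands in for HQ-VPN-NETWORKS
BRANCH_VPN_NETWORKS = [ip_network("10.10.0.0/24")]  # stands in for BRANCH-VPN-NETWORKS
INTERFACE_ADDR = {"inside": ip_address("10.10.0.1"),
                  "outside": ip_address("203.0.113.2")}
# Routing table: (prefix, egress interface). No entry covers HQ, so HQ
# destinations fall through to the default route, as the post's traceroute showed.
ROUTES = [(ip_network("10.10.0.0/24"), "inside"),
          (ip_network("0.0.0.0/0"), "outside")]


def egress_interface(dst):
    """Longest-prefix match over ROUTES, like the ASA's plain routing lookup."""
    best = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def matches_crypto_acl(src, dst):
    """access-list VPN extended permit ip BRANCH-VPN-NETWORKS HQ-VPN-NETWORKS"""
    return (any(src in n for n in BRANCH_VPN_NETWORKS)
            and any(dst in n for n in HQ_VPN_NETWORKS))


def self_originated(dst, source_iface=None):
    """Decide what happens to a packet the ASA itself generates (copy tftp, ping).

    With no source interface given, the ASA sources the packet from the address
    of the egress interface chosen by routing. With ';int=inside' (permitted by
    'management-access inside') it sources from the inside address instead.
    The crypto map on 'outside' then encrypts only if src/dst match the VPN ACL.
    """
    dst = ip_address(dst)
    egress = egress_interface(dst)
    src = INTERFACE_ADDR[source_iface or egress]
    return {"src": str(src), "egress": egress,
            "encrypted": egress == "outside" and matches_crypto_acl(src, dst)}


if __name__ == "__main__":
    tftp = "10.0.0.50"  # constructed HQ TFTP server address
    print("no source interface:", self_originated(tftp))
    print("';int=inside':      ", self_originated(tftp, "inside"))
```

The same reasoning explains the failed traceroute in the first post: the probe is sourced from the outside address, so it leaves unencrypted toward the Internet.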
