cisco vpn ssl help!

(OP)
I have been banging my head against a wall on this one.

I set up an SSL VPN on an ASA (6.4) and my remote user connects via the Cisco AnyConnect client, but once connected the user loses internet access and cannot ping anything, not even on the remote side. I did some research and tried a NAT ACL, but I just can't figure this out. Below is the error:

5 Nov 08 2014 11:31:32 192.168.36.2 53 Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.0.100.1/59436 dst inside:192.168.36.2/53 denied due to NAT reverse path failure

Below is my config. I'm sure it's in a NAT rule or an ACL. Thanks for your help.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.11.08 19:24:48 =~=~=~=~=~=~=~=~=~=~=~=

ASA Version 8.2(5)
!
hostname ASAfirewall
enable password whammy encrypted
passwd whammy encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.36.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
!
banner exec Please do not attempt to access this device unless you are authorized-
banner login Please do not attempt to access this device unless you are authorized-
banner asdm Please do not attempt to access this device unless you are authorized
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit intra-interface
access-list OPEN1 extended permit ip 192.168.36.0 255.255.255.0 any
access-list OPEN standard permit any
access-list OPEN standard permit 192.168.36.0 255.255.255.0
access-list acl extended permit ip any any
access-list acl extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 1.1.1.1 255.255.255.248 interface inside
access-list no_nat extended permit ip 10.10.100.0 255.255.255.0 10.10.200.0 255.255.255.0
pager lines 30
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool pool 10.0.0.1-10.0.0.254 mask 255.255.255.0
ip local pool SSLClientPool 10.0.100.1-10.0.100.80 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 access-list acl
nat (inside) 2 192.168.36.0 255.255.255.0
access-group acl in interface inside
access-group acl in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.36.0 255.255.255.0 inside
http 1.1.1.1 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASAfirewall
crl configure
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.whammy.com
subject-name CN=sslvpn.whammy.com
keypair sslvpnkey
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 2c3a4a54
quit
crypto ca certificate chain localtrust
certificate 2d3a4a54
quit
telnet timeout 5
ssh scopy enable
ssh 192.168.36.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 20
dhcpd dns 1.1.1.1 1.1.1.1
dhcpd lease 4600
!
dhcpd address 192.168.36.40-192.168.36.100 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point localtrust outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy SSLClient internal
group-policy SSLClient attributes
dns-server value 192.168.36.2
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
default-domain value whammy
split-tunnel-all-dns enable
address-pools value SSLClientPool
group-policy DfltGrpPolicy attributes
dns-server value 192.168.36.2
vpn-simultaneous-logins 1
vpn-tunnel-protocol svc webvpn
username admin password whammy encrypted privilege 15
username ska password whammy encrypted privilege 7
username ska attributes
service-type remote-access
username cl password whammy encrypted privilege 15
tunnel-group SSLClient type remote-access
tunnel-group SSLClient general-attributes
address-pool SSLClientPool
default-group-policy SSLClient
dhcp-server 192.168.36.2
tunnel-group SSLClient webvpn-attributes
group-alias whammy1 disable
group-alias whammy enable
!
class-map inspection
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global
policy-map global_policy
class inspection_default
inspect icmp
inspect icmp error
!
mount users type cifs
server 192.168.36.2
share files
domain SC
username administrator
password whammy
status enable
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services...
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:cb0c126961188b226f5acf32ac0c2c23
: end

ASAfirewall#
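
The log line reports an asymmetric NAT match: on ASA 8.2 the reply from 192.168.36.2 to the VPN client 10.0.100.1 enters the inside interface, and because the only `nat (inside) 0` ACL exempts nothing toward the 10.0.100.0/24 pool, that reverse flow falls through to `nat (inside) 10 access-list acl` (PAT to the outside interface) while the forward flow from the client was not translated. Below is an added example (not part of the original post or of Cisco's software) that reads the posted `nat 0` binding and ACL entries and tests whether that reverse flow is identity-NAT exempt; the `EXEMPTED` variant and its 192.168.36.0/24 to 10.0.100.0/24 entry are constructed for illustration, not taken from the post.

```python
import ipaddress
import re

# Lines taken from the posted ASA 8.2(5) config (only the NAT and ACL parts matter here).
POSTED = """
access-list acl extended permit ip any any
access-list inside_nat0_outbound extended permit ip 1.1.1.1 255.255.255.248 interface inside
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 access-list acl
"""
# Constructed variant (not from the post): same config plus a LAN -> VPN-pool nat 0 exemption.
EXEMPTED = POSTED + (
    "access-list inside_nat0_outbound extended permit ip "
    "192.168.36.0 255.255.255.0 10.0.100.0 255.255.255.0\n"
)

def _pop_addr(tok):
    """Consume one ASA address spec from the token list; None for an 'interface X' address."""
    if tok[0] == "any":
        del tok[0]
        return ipaddress.ip_network("0.0.0.0/0")
    if tok[0] == "interface":
        del tok[:2]
        return None
    net = ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False)  # addr mask
    del tok[:2]
    return net

def parse(config):
    """Return (acls, nat0): ACL name -> [(src, dst)] and interface -> its nat 0 ACL name."""
    acls, nat0 = {}, {}
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
            rest = tok[5:]
            acls.setdefault(tok[1], []).append((_pop_addr(rest), _pop_addr(rest)))
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)
        if m:
            nat0[m.group(1)] = m.group(2)
    return acls, nat0

def nat_exempt(config, ifname, src, dst):
    """True if traffic src -> dst entering ifname is matched by that interface's nat 0 ACL."""
    acls, nat0 = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s is not None and d is not None and src in s and dst in d
               for s, d in acls.get(nat0.get(ifname, ""), []))
```

Run against the posted lines, `nat_exempt(POSTED, "inside", "192.168.36.2", "10.0.100.1")` is False, which is the condition behind the "NAT reverse path failure" message; the constructed variant returns True.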
