ASA 5505 Remote Access VPN

Jul 10th, 2007
Please help... I went through the VPN wizard. I can establish a connection but can't access anything on the inside interface. Is there an access-list rule that is missing, or a sysopt connection statement that is needed?


I've attached the current config.


Thank You



Jon Marshall Tue, 07/10/2007 - 09:18

Hi


Try adding this to your config


"crypto isakmp nat-traversal"


HTH


Jon

bennettg Tue, 07/10/2007 - 09:30
Thanks Jon,


I added crypto isakmp nat-traversal to the config. It still is not working correctly. Since adding this statement, when I ping the "inside" interface 192.168.20.2, I get icmp replies from the "outside" interface.

schakra Tue, 07/10/2007 - 10:21
Hi,


You need to use an access-list to bypass NAT:

use nat 0 with an access-list.


I'm sending you a sample config as per your network.


Back up your current config,


remove your VPN config,


and use this template just as a template.


.......................................



access-list 101 extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list 102 extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0


ip local pool vpnpool1 192.168.200.1-192.168.200.254 mask 255.255.255.0


nat (inside) 0 access-list 102


group-policy test internal

group-policy test attributes

vpn-idle-timeout 30

split-tunnel-policy tunnelspecified

split-tunnel-network-list value 101


sysopt connection permit-ipsec


username test password cisco privilege 0


crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac

crypto dynamic-map map2 10 set transform-set trmset1

crypto map map1 10 ipsec-isakmp dynamic map2

crypto map map1 interface outside

isakmp identity address

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group test type ipsec-ra

tunnel-group test general-attributes

address-pool vpnpool1

default-group-policy test

tunnel-group test ipsec-attributes

pre-shared-key cisco#123


.......................................


Let me know if it works.


Please don't forget to rate this post if it works.


Regards,


bennettg Tue, 07/10/2007 - 10:53
Hi Schakra,


I modified the configuration per your instructions but still can't access anything on the inside interface. Split tunnel works as I can access the Internet when connected. But still have no access to anything on the "inside" interface.


Attached is the new configuration.


Thank You



schakra Tue, 07/10/2007 - 11:11

Where is this command?


sysopt connection permit-ipsec


If that does not work,

also try removing

nat (inside) 1 0.0.0.0 0.0.0.0



Are you trying to access something other than the 192.168.20.0 network? Then you may need to explicitly allow it.


Regards,

bennettg Tue, 07/10/2007 - 11:30

I've entered both of the following commands and neither shows in the config:

sysopt connection permit-ipsec

sysopt connection permit-vpn


I also tried removing

nat (inside) 1 0.0.0.0 0.0.0.0


Still no luck in accessing the 192.168.20.0/24 subnet on the inside interface.


aalexanian1 Fri, 07/13/2007 - 20:40

I have the same problem entering the command sysopt connection permit-ipsec.


If you type "permit-ipsec ?", permit-ipsec is not an option.


I'm trying to do a spoke-to-spoke VPN solution, and without connection permit-ipsec in my spoke ASA 5505s, packets are rejected.

schakra Fri, 07/13/2007 - 21:23

The sysopt connection permit-ipsec command is not displayed in the output of the show running-config sysopt command on ASA version 7.x,


but it is displayed in PIX version 7.x. ASA only displays sysopt connection permit-vpn.


In PIX version 7.x, the sysopt connection permit-ipsec command, and in ASA version 7.x, the sysopt connection permit-vpn command, resolves the one-way traffic issue.


Sourav
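The two fixes the thread settles on are a NAT exemption for the VPN pool (schakra's "nat 0 with access-list" template above) and the ASA 7.x spelling of the sysopt line (permit-vpn, not the PIX permit-ipsec, per the post directly above). The following is an added example, not code from any poster in this thread: a small Python linter that reads an ASA 7.x-style config and reports both problems, then prints the lines that would clear them. The sample config is constructed to resemble the posted template with the nat 0 line left out; the original poster's attachment is not on the page. The overlap check on the pool versus the inside subnet is a general caveat of my own, not something the thread raises.

```python
"""Lint an ASA 7.x remote-access VPN config for NAT exemption and the sysopt line.
Added example; the sample config below is constructed, not a poster's attachment."""
import ipaddress
import re

# Constructed sample modelled on the thread's template. It deliberately omits
# 'nat (inside) 0 access-list 102' and uses the PIX-style sysopt keyword.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.20.2 255.255.255.0
access-list 101 extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 102 extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0
ip local pool vpnpool1 192.168.200.1-192.168.200.254 mask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
sysopt connection permit-ipsec
tunnel-group test general-attributes
 address-pool vpnpool1
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$", re.M)
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$", re.M)


def parse_interfaces(config):
    """Map nameif -> connected subnet by walking each 'interface' block."""
    nets, name = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and name:
            addr, mask = line.split()[2:4]
            nets[name] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return nets


def parse_pools(config):
    """Map pool name -> the subnet the pool's mask places it in."""
    return {name: ipaddress.ip_network(f"{start}/{mask}", strict=False)
            for name, start, _end, mask in POOL_RE.findall(config)}


def parse_acls(config):
    """Map ACL name -> [(src_net, dst_net)] for 'permit ip <net> <mask> <net> <mask>'.
    'any'/'host' forms are skipped; the thread's template does not use them."""
    acls = {}
    for name, src, smask, dst, dmask in ACL_RE.findall(config):
        try:
            entry = (ipaddress.ip_network(f"{src}/{smask}", strict=False),
                     ipaddress.ip_network(f"{dst}/{dmask}", strict=False))
        except ValueError:
            continue
        acls.setdefault(name, []).append(entry)
    return acls


def check_config(config, inside="inside"):
    """Findings: pools with no nat 0 exemption from the inside subnet, sysopt
    keyword state, and pools overlapping the inside subnet (my own caveat)."""
    lines = config.splitlines()
    inside_net = parse_interfaces(config).get(inside)
    acls = parse_acls(config)
    exempt = [e for iface, acl in NAT0_RE.findall(config) if iface == inside
              for e in acls.get(acl, [])]
    findings = {
        "nat_exempt_missing": [],
        "pool_overlaps_inside": [],
        # ASA 7.x keeps 'permit-vpn'; 'permit-ipsec' is the PIX 7.x form (per the thread)
        "permit_vpn_missing": "sysopt connection permit-vpn" not in lines,
        "permit_ipsec_present": "sysopt connection permit-ipsec" in lines,
    }
    for pool_name, pool in parse_pools(config).items():
        covered = any(pool.subnet_of(dst) and (inside_net is None or inside_net.subnet_of(src))
                      for src, dst in exempt)
        if not covered:
            findings["nat_exempt_missing"].append(pool_name)
        if inside_net is not None and pool.overlaps(inside_net):
            findings["pool_overlaps_inside"].append(pool_name)
    return findings


def remediation(config, inside="inside"):
    """ASA lines that would clear the NAT-exemption and sysopt findings.
    The ACL name 'nonat' is an arbitrary choice of this example."""
    f = check_config(config, inside)
    inside_net = parse_interfaces(config).get(inside)
    pools = parse_pools(config)
    out = []
    for name in f["nat_exempt_missing"]:
        if inside_net is not None:
            out.append(f"access-list nonat extended permit ip {inside_net.network_address} "
                       f"{inside_net.netmask} {pools[name].network_address} {pools[name].netmask}")
    if out:
        out.append(f"nat ({inside}) 0 access-list nonat")
    if f["permit_vpn_missing"]:
        out.append("sysopt connection permit-vpn")
    return out


if __name__ == "__main__":
    print(check_config(SAMPLE_CONFIG))
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

Run against the constructed sample it reports vpnpool1 as not exempted, permit-vpn missing and permit-ipsec present, and proposes the nonat ACL, the nat (inside) 0 line and sysopt connection permit-vpn; appending those lines and re-running clears the findings. It checks only that the exemption ACL covers inside-to-pool traffic, which is the case the thread turned on; interface ACLs on the inside are out of scope.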