05-30-2008 09:29 AM
Hi,
I configured an ASA 5510 to make LAN-to-LAN VPNs with 17 routers (857), and between the routers.
The VPN between the routers works fine.
From the LAN behind the ASA I can ping the PCs behind the routers.
But from the PCs behind the routers I can't ping the PCs behind the ASA.
I configured remote access with the Cisco VPN Client 4.x; it works well with the routers, but doesn't work with the ASA.
The ASA is connected to the WAN via a Zoom router (ADSL).
06-02-2008 12:51 AM
Hi,
Can someone check this configuration?
Please help.
06-02-2008 02:25 AM
access-list inside_access-in extended permit ip yournetwork clientnetwork
Example
access-list inside_access-in extended permit ip 10.20.31.0 255.255.255.0 10.200.225.0 255.255.255.0
06-02-2008 03:19 AM
Hi mekkeyan,
I added this:
access-list inside_access-in extended permit ip 192.168.200.0 255.255.255.0 192.168.111.0 255.255.255.0
but I have the same problem.
I use this ACL: access-list inside_access-in extended permit ip any any
which covers all traffic.
My problem is that the VPN is one way.
From the ASA to the router it is OK.
But from the router to the ASA and from the Cisco client to the ASA it doesn't work.
06-02-2008 07:14 AM
Can you please be specific about your problem? Is it possible to post the output of the following:
show crypto ipsec sa detail
show run sysopt
debug crypto ipsec (If phase 1 is ok)
else
debug crypto isakmp, also
Also, after making changes on the crypto map, I hope you removed it and re-applied it to the interface.
Regards
Farrukh
06-10-2008 01:28 AM
Hi Farrukh,
I reconfigured the ASA but the problem is not resolved.
The debug command doesn't reveal anything:
firwall# show run sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt uauth allow-http-cache
sysopt connection permit-ipsec
firwall# sh crypto ipsec sa
There are no ipsec sas
firwall# debug crypto ipsec
firwall#
firwall# debug crypto isakmp
firwall#
06-10-2008 05:19 AM
Are you telnetting into the firewall?
Do the following to see the debug output:
terminal monitor
logging monitor 7 (type this in config mode)
Else if it's console, do 'logging console 7'
then do
debug crypto isakmp
debug crypto ipsec
then generate a ping from some device at the back of ASA having 192.168.200.0 address going towards any of the VPN subnets...and then paste output here
Regards
Farrukh
06-16-2008 06:09 AM
Hi Farrukh,
It is right.
The Zoom router can't forward the traffic to the outside interface of the ASA.
Now I gave a public address to the outside interface of the ASA, and the VPN works fine.
Thank you very much for the help.