VPN issue with Cisco clients behind asa to remote network

Unanswered Question
Jun 4th, 2008

I can connect and authenticate to the remote network, but i cannot access remote resources. I have ipsec listed under global inspections, i think my acls are ok...Any help greatly appreciated 'cause I'm stuck... Here's my config:

Thank you,

Mike

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
acomiskey Wed, 06/04/2008 - 10:02

Which ASA is this? The one the vpn clients are behind or the one they are terminating vpn to? I assume due to lack of configuration it is the one the clients are behind. Check for nat-traversal on the remote end device.

machwhat1 Wed, 06/04/2008 - 10:24

You are right, it's the ASA the clients are behind. It's a Cisco 5510, sorry i left that out. I also attached my config to my previous post, but here it is again with some exclusions do to post limits:

ASA Version 7.2(3)

!

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service UDPforVPN udp

port-object range 4500 4500

port-object eq echo

port-object eq isakmp

access-list vpnusers_splitTunnelAcl standard permit any

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit ip any any

access-list inside_access_in remark udp for vpn

access-list inside_access_in extended permit udp any any

access-list inside_access_in remark udp for vpn

access-list outside_access_in remark incoming from outside everyone to ***.com on the inside 192.168.10.6

access-list outside_access_in extended permit tcp any object-group ***.com host 192.168.10.6 object-group ***.com inactive

access-list outside_access_in remark incoming from outside everyone to ***.com on the inside 192.x.x.20

access-list outside_access_in extended permit tcp any object-group ****.com host 192.x.x.20 object-group ****.com inactive

access-list outside_access_in extended permit tcp any host 192.x.x.x inactive

access-list outside_access_in remark incoming udp for vpn

access-list outside_access_in extended permit udp any object-group UDPforVPN any object-group UDPforVPN inactive

access-list vpnusergroup_splitTunnelAcl standard permit any

access-list dmz_access_in remark access rule for ***.com TCP FTP and FTP-data outside-->dmz

access-list dmz_access_in extended permit tcp any object-group ***.com host 192.x.x.x object-group ***.com inactive

access-list outside extended permit tcp any any eq pptp

access-list outside extended permit gre any any

access-list outside extended permit udp any any

access-list inside extended permit tcp any any eq pptp

access-list inside extended permit gre any any

access-list inside extended permit udp any any

access-list inside_access_out extended permit ip any any

nat-control

global (outside) 101 interface

nat (inside) 101 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group dmz_access_in in interface dmz

route outside 0.0.0.0 0.0.0.0 99.165.4.134 1

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

http server enable

http 192.x.x.x 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec fragmentation after-encryption management

crypto ipsec fragmentation after-encryption dmz

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 3600

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ctiqbe

inspect dcerpc

inspect http

inspect icmp

inspect icmp error

inspect ils

inspect ipsec-pass-thru

inspect mgcp

inspect pptp

inspect snmp

inspect waas

!

service-policy global_policy global

singhsaju Fri, 06/06/2008 - 10:47

I think you are missing nat bypass statement ,

Nat 0 access-list

Actions

This Discussion