07-17-2008 03:07 PM - last edited on 02-21-2020 11:47 PM by cc_security_adm
Greetings, I'm having problems with Remote Access Connections to a Cisco ASA 5510 v8.0.3(19). I have set up the required connection profile, transform set, crypto map and split tunnel ACL, specified traffic to be exempt from NAT and enabled NAT-T.
I can successfully establish a VPN connection and can ping the inside address of the firewall but nothing within the internal subnet beyond the firewall.
I've read several technotes on Cisco that suggest NAT-T issues and not specifying protected traffic but can't seem to pinpoint an issue. I have also tried several versions of the Cisco VPN Client.
Any suggestions would be much appreciated.
Regards
07-17-2008 04:07 PM
Problem could be ACLs, double check your NAT exempt access list. Could you provide a sanitized ASA config?
Rgds
Jorge
07-18-2008 03:57 PM
Please find the config below. I've also had a look at the logs, which don't show any hits against the split tunnel ACL.
: Saved
:
ASA Version 8.0(3)19
!
hostname it-fw-5510
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address ***.***.***.*** 255.255.255.240
!
interface Ethernet0/1
no nameif
no security-level
no ip address
!
interface Ethernet0/1.997
vlan 997
nameif demo
security-level 100
ip address 172.27.255.1 255.255.255.0
!
interface Ethernet0/1.998
vlan 998
nameif guest
security-level 25
ip address 172.30.255.1 255.255.255.0
!
interface Ethernet0/2
speed 100
duplex full
nameif access
security-level 100
ip address 172.29.255.1 255.255.255.0
!
interface Ethernet0/3
speed 100
duplex full
nameif voice
security-level 100
ip address 172.28.255.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.255.1 255.255.255.0
management-only
!
same-security-traffic permit inter-interface
access-list ITTelco_Rmt_splitTunnelAcl standard permit 172.29.255.0 255.255.255.0
access-list exempt_nat0_outbound extended permit ip 172.24.0.0 255.248.0.0 172.24.0.0 255.248.0.0
nat-control
global (outside) 1 interface
global (outside) 2 guestoutbound
nat (demo) 0 access-list exempt_nat0_outbound
nat (guest) 2 172.30.255.0 255.255.255.0
nat (access) 0 access-list exempt_nat0_outbound
nat (access) 1 172.29.255.0 255.255.255.0
nat (voice) 0 access-list exempt_nat0_outbound
nat (voice) 1 172.28.255.0 255.255.255.0
access-group outside_access_in in interface outside
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign local
group-policy ITTelco_Rmt internal
group-policy ITTelco_Rmt attributes
wins-server value 172.29.255.25
dns-server value 172.29.255.25
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ITTelco_Rmt_splitTunnelAcl
default-domain value
tunnel-group ITTelco_Rmt type remote-access
tunnel-group ITTelco_Rmt general-attributes
authentication-server-group LDAP
default-group-policy ITTelco_Rmt
dhcp-server it-bir-fap-int
tunnel-group ITTelco_Rmt ipsec-attributes
pre-shared-key *
!
07-20-2008 02:45 PM
Issue has been resolved by enabling proxy ARP on the inside interface, very puzzled by this one but all working again :)
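A check for the two conditions this thread turns on, as an added example (not Cisco's code and not the poster's): it parses the posted split-tunnel and NAT-exempt ACLs with Python's ipaddress module, verifies that inside-to-client traffic is matched by the nat 0 exemption, and flags a client pool that overlaps a directly connected subnet, which is the case where proxy ARP on that interface is needed. The client pool is assumed, since the thread's pool came from DHCP and is not in the posted config.

```python
import ipaddress
import re
# Constructed sample: lines from the ASA config posted in the thread; the client pool is ASSUMED (the real one came from DHCP).
CONFIG = """
interface Ethernet0/2
 nameif access
 ip address 172.29.255.1 255.255.255.0
access-list ITTelco_Rmt_splitTunnelAcl standard permit 172.29.255.0 255.255.255.0
access-list exempt_nat0_outbound extended permit ip 172.24.0.0 255.248.0.0 172.24.0.0 255.248.0.0
nat (access) 0 access-list exempt_nat0_outbound
"""
ASSUMED_POOL = "172.29.255.128/25"  # hypothetical VPN client pool, not from the thread

def parse_acl(config, name):
    """Return (src, dst) network pairs for each permit entry; standard ACLs give src=None."""
    std = re.compile(rf"access-list {re.escape(name)} standard permit (\S+) (\S+)$")
    ext = re.compile(rf"access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)$")
    entries = []
    for line in (l.strip() for l in config.splitlines()):
        if m := std.match(line):
            entries.append((None, ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)))
        elif m := ext.match(line):
            entries.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False),
                            ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
    return entries

def parse_interfaces(config):
    """Map each nameif to the subnet configured on that interface."""
    ifaces, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("nameif "):
            current = line.split()[1]
        elif line.startswith("ip address ") and current:
            _, _, addr, mask = line.split()
            ifaces[current] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ifaces

def check_remote_access(config, split_acl, exempt_acl, pool):
    """Flag split-tunnel nets not NAT-exempt toward the pool, and pool/connected-subnet overlaps (needs proxy ARP)."""
    pool = ipaddress.ip_network(pool)
    findings = []
    exempt = parse_acl(config, exempt_acl)
    for _, inside_net in parse_acl(config, split_acl):
        if not any((s is None or inside_net.subnet_of(s)) and pool.subnet_of(d) for s, d in exempt):
            findings.append(f"{inside_net} -> {pool} is not exempt from NAT by {exempt_acl}")
    for nameif, net in parse_interfaces(config).items():
        if pool.overlaps(net):
            findings.append(f"pool {pool} overlaps {nameif} subnet {net}: proxy ARP needed on {nameif}")
    return findings
```

With the assumed pool carved out of the access subnet, the only finding is the proxy ARP one, matching how the thread was resolved; a pool outside 172.24.0.0/13 would instead be reported as not NAT-exempt.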