10-09-2008 08:54 AM - edited 02-21-2020 03:58 PM
Hi all. I have 2 Cisco ASA5510s, 1 each for my 2 offices (A & B). I configured my office A ASA5510 with VPN pass-thru as below.
policy-map global_policy
 class inspection_default
  inspect ipsec-pass-thru
My VPN client from office A could VPN into office B but could not access any resources. I set my VPN client in office A to be translated into a static public IP, which solves my problem. Another way to solve the problem is to implement NAT-T at office B. But I would like to know why my VPN pass-thru config did not work. Please advise, thanks in advance.
10-09-2008 09:01 AM
Hi,
Check that you are not using AH in the transform set for remote access, because inspect ipsec-pass-thru only allows ESP and not AH.
From the link below:
"All ESP data flows are permitted when a forward flow exists, and there is no limit on the maximum number of connections that can be allowed. AH is not permitted."
http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/i2_711.html#wp1631795
HTH
Saju
Pls rate helpful posts
10-09-2008 05:06 PM
Hi Saju. Thank you for the info. But how do I check if AH is implemented in my transform set?
Below are my transform set statements. Thanks in advance.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 220 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 240 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 260 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 280 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 300 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 320 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 340 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 360 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 380 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 400 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 420 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 440 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 460 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 480 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 500 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 520 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 540 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 560 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 580 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 600 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 620 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 640 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 660 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 680 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 700 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp reload-wait
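Added example (not part of the thread and not Cisco tooling): one way to answer the question above offline is to parse a saved configuration and flag any transform set that names an AH transform; it also reports whether a `crypto isakmp nat-traversal` line is present, since the first post names NAT-T as the other fix. Assumptions: AH transforms are recognised by the `ah-` keyword prefix used in Cisco IOS (`ah-md5-hmac`, `ah-sha-hmac`), the `AH-TEST` set in the sample is constructed to show a positive hit, and `audit` is a hypothetical helper name.

```python
import re

# Constructed sample in the style of the configuration posted above.
# AH-TEST is not from the thread; it exists only to show a positive hit.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AH-TEST ah-sha-hmac esp-3des
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set AH-TEST
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable outside
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
REF_RE = re.compile(r"^crypto (?:dynamic-map|map) (\S+) (\d+) set transform-set (.+)$")
NATT_RE = re.compile(r"^(?:crypto )?isakmp nat-traversal\b")


def audit(config_text):
    """Return ({set_name: details}, nat_traversal_configured)."""
    transform_sets, references, nat_t = {}, {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TS_RE.match(line)
        if m:
            words = m.group(2).split()
            if words[0] != "mode":  # "mode transport" lines carry no transforms
                transform_sets[m.group(1)] = words
            continue
        m = REF_RE.match(line)
        if m:  # remember which map entries point at each transform set
            for name in m.group(3).split():
                references.setdefault(name, []).append((m.group(1), int(m.group(2))))
            continue
        if NATT_RE.match(line):
            nat_t = True
    report = {}
    for name, transforms in transform_sets.items():
        report[name] = {
            "transforms": transforms,
            "uses_ah": any(t.startswith("ah-") for t in transforms),
            "uses_esp": any(t.startswith("esp-") for t in transforms),
            "referenced_by": references.get(name, []),
        }
    return report, nat_t


if __name__ == "__main__":
    sets, nat_t = audit(SAMPLE_CONFIG)
    for name, info in sets.items():
        print(name, "AH" if info["uses_ah"] else "ESP only", info["referenced_by"])
    print("NAT-T configured:", nat_t)
```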