Remote access VPN in Cisco ASA 5510

girishkumar123
Level 1

We have established MPLS connectivity towards the remote client end. All users in the LAN are able to access the remote end servers through PAT over the MPLS circuit:

nat (inside) 10 access-list mpls_traffic
global (MPLS) 10 interface

The problem is that users who dial in through the internet cannot access the remote end servers through the MPLS interface PAT.

So the access path for C2S users is:

Dial in vpn-> ASA -> MPLS interface(PAT)-> remote end servers.

--------------------------------------

Configuration

ASA Version 7.2(4)
hostname ciscoasa
enable password xxx
passwd xxx
names
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 125.x.x.x.255.255.240
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 10.25.25.25 255.255.255.0
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
ftp mode passive
access-list 101 extended permit ip 192.168.0.0 255.255.255.0 10.50.50.0 255.255.255.0
access-list 101 extended permit ip 192.168.100.0 255.255.255.0 10.50.50.0 255.255.255.0
access-list allowlan extended permit ip 192.168.100.0 255.255.255.0 10.50.50.0 255.255.255.0
access-list allowlan extended permit ip 10.50.50.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool mypool 192.168.100.30-192.168.100.40 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (dmz) 5 interface
nat (inside) 5 access-list 101
route outside 20.20.20.0 255.255.255.0 125.17.97.98 1
route dmz 10.50.50.0 255.255.255.0 10.25.25.26 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set test esp-3des esp-md5-hmac
crypto dynamic-map dyn1 20 set transform-set test
crypto map mymap 30 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
username xx password xxx encrypted
username xx password xxx encrypted privilege 15
tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
 address-pool mypool
tunnel-group mytunnel ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end

3 Replies

sachinraja
Level 9

Hello Girish,

Are they getting an IP address from the ASA after dialing in? I see an IP pool 192.168.100.30-40 on the ASA. Are these for the remote access users? This could be a problem with the routing somewhere, especially with reverse routing. Check on the MPLS router whether you have routed the IP pool.

Uff, before that: is the VPN terminating on the inside interface? I see a PAT for the 100.0 IP pool towards the outside interface? But I thought you said you are doing a remote dial-in from the internet?? The internet zone would be outside, right?

Regards

Raj

You want to add an access-list for the networks you do not want 'nat' applied to, such as the VPN RA network your config is set up for.

Try adding:

access-list NONAT_NETWORK extended permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
! The 0 in the next line exempts the access-list NONAT_NETWORK from being NATted
nat (inside) 0 access-list NONAT_NETWORK

connectone
Level 4

girishkumar123

From your config, did you try using same-security-traffic permit intra-interface?
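An added example, not part of the thread: a small checker that applies the pre-8.3 ASA NAT rule-selection semantics (a nat (ifc) rule matches only traffic entering on ifc, and decrypted remote-access client traffic enters on the interface the crypto map is bound to) to a constructed excerpt of the posted config, to see which NAT rule, if any, covers pool-to-remote-server traffic. parse_asa and vpn_pool_nat_check are hypothetical helper names; the config lines are copied from the question, where dmz is the MPLS-facing interface.

```python
import ipaddress

# Constructed excerpt of the ASA 7.2 config posted in the question (only the lines
# this check needs; "dmz" is the MPLS-facing interface in that config).
POSTED_CONFIG = """\
ip local pool mypool 192.168.100.30-192.168.100.40 mask 255.255.255.0
access-list 101 extended permit ip 192.168.0.0 255.255.255.0 10.50.50.0 255.255.255.0
access-list 101 extended permit ip 192.168.100.0 255.255.255.0 10.50.50.0 255.255.255.0
global (dmz) 5 interface
nat (inside) 5 access-list 101
crypto map mymap interface outside
"""

def parse_asa(config):
    """Pull the policy-NAT pieces out of a pre-8.3 ASA config (hypothetical helper)."""
    acls, nats, globals_, pool, vpn_ifc = {}, [], {}, None, None
    for line in config.splitlines():
        f = line.split()
        if len(f) >= 9 and f[0] == "access-list" and f[2:4] == ["extended", "permit"]:
            acls.setdefault(f[1], []).append((ipaddress.ip_network(f"{f[5]}/{f[6]}"),
                                              ipaddress.ip_network(f"{f[7]}/{f[8]}")))
        elif len(f) >= 5 and f[0] == "nat" and f[3] == "access-list":
            nats.append((f[1].strip("()"), f[2], f[4]))       # (ingress ifc, id, acl)
        elif len(f) >= 3 and f[0] == "global":
            globals_[f[2]] = f[1].strip("()")                  # id -> egress ifc
        elif f[:3] == ["ip", "local", "pool"]:
            first_ip = f[4].split("-")[0]                      # pool range -> its subnet
            pool = ipaddress.ip_network(f"{first_ip}/{f[6]}", strict=False)
        elif f[:2] == ["crypto", "map"] and len(f) >= 5 and f[3] == "interface":
            vpn_ifc = f[4]                                     # where RA-VPN traffic enters
    return acls, nats, globals_, pool, vpn_ifc

def vpn_pool_nat_check(config, dst):
    """Return (vpn_ifc, rules on vpn_ifc, rules on other interfaces) for nat rules whose
    ACL covers pool -> dst. Assumes pre-8.3 semantics: nat (ifc) matches only traffic
    entering on ifc, and decrypted RA-VPN client traffic enters on the crypto-map interface,
    so a matching rule bound to another interface never applies to VPN clients."""
    acls, nats, globals_, pool, vpn_ifc = parse_asa(config)
    dst = ipaddress.ip_network(dst)
    matching, misbound = [], []
    for ifc, nat_id, acl in nats:
        if any(pool.subnet_of(s) and dst.subnet_of(d) for s, d in acls.get(acl, [])):
            rule = (ifc, nat_id, acl, globals_.get(nat_id))   # nat_id 0 = exemption
            (matching if ifc == vpn_ifc else misbound).append(rule)
    return vpn_ifc, matching, misbound

if __name__ == "__main__":
    ifc, ok, bad = vpn_pool_nat_check(POSTED_CONFIG, "10.50.50.0/24")
    print(f"VPN traffic enters on {ifc}; rules on it: {ok}; rules on other interfaces: {bad}")
```

On the posted config the only rule covering 192.168.100.0/24 to 10.50.50.0/24 is nat (inside) 5, which never sees traffic that enters on outside; a nat 0 exemption such as the one suggested in the reply would show up in the same lists with id "0".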
