How many vpn group supported on ASA 5520 for remote access

9898nishit
Level 1

Hi,

How many VPN groups are supported on an ASA 5520 with a remote access VPN configuration?

Regards


8 Replies

Yudong Wu
Level 7

I don't see a document about how many VPN groups can be supported. But the limitation is on how many VPN peers the ASA can have concurrently. The ASA 5520 supports 750 VPN peers.

Hi,

When I create more than four VPN groups, the new VPN group gets created and the tunnel is also established successfully, but remote access users belonging to that newly created VPN group are unable to access the inside networks allowed in the access list.

I can see the routes for the allowed inside networks for that VPN group's user after a successful login, but I am unable to access those networks.

Can you help me with this?

Regards,

Nishith

Can you verify the following?

1. On the VPN client side, in Status -> Statistics, do both the encrypted and decrypted counts increment?

2. On the ASA side, in "show crypto ipsec sa", check whether the encrypted and decrypted counts increment for that VPN client peer.

3. Verify the routing in both directions.

Four VPN groups should not be an issue. I suspect a routing issue here if the VPN tunnel is established successfully.

Hi,

Thanks for the reply.

I have verified the following as per your suggestion.

1. On the VPN client side in Status -> Statistics, only the encrypted packets are increasing; the decrypted packets remain zero after the VPN tunnel is established successfully.

2. Routing is fine, because I am able to reach the IP addresses allowed for that VPN group from the ASA.

3. I suspect the configuration, because I have configured a site-to-site VPN and remote access VPN on the same ASA, and I am facing this problem when I try to create any new profile for a remote access VPN group.

I am attaching the output of "tech-support", but I have removed the public IP of the outside interface because I am sharing it publicly. Can you please verify the configuration and provide your inputs?

Regards,

Nishith

Please check two things:

1. In "nat 0", did you include the IPs of the remote VPN clients? I did not see them in your config.

2. Make sure you have a route to those VPN clients' IPs; a default route is fine.

Hi,

1. I have disabled nat-control on the ASA. If nat-control is disabled, is nat 0 still required?

When I first configured remote access VPN through ASDM, this access list was created for nat 0: "access-list Inside_nat0_outbound extended permit ip 10.124.25.192 255.255.255.224 192.168.160.0 255.255.255.192". In this ACL, 10.124.25.192 is my inside network and 192.168.160.0 is the IP address pool assigned to remote access VPN clients. But later I removed it because I had disabled nat-control.

2. Yes, I have routes to those VPN clients on the ASA, and I am able to ping those inside networks from the ASA.

Regards,

Nishit

1. If nat-control is disabled and you don't have any other NAT command in your config, you don't need it. Try to remove the existing "nat 0" command and "clear xlate".

2. You must make sure your inside network knows that it can go through the ASA to reach the remote VPN client IPs. Do you have any layer 3 device behind the ASA that is doing routing? If yes, please check its routing table.

Thanks a lot,

I found the problem in the routing of my FWSM, which sits behind my ASA VPN box.

I had wrongly configured the reverse route on my FWSM for the IP address pool addresses that the ASA hands out to VPN clients.

Thanks once again.

Regards,

Nishit
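As an added example (not the original poster's configuration, and not taken from the thread), here are the two checks Yudong Wu described and the reverse route Nishit ended up fixing, written out in pre-8.3 ASA/FWSM syntax, which is the generation that still has nat-control and "nat 0". The inside network 10.124.25.192/27 and the VPN pool 192.168.160.0/26 are the ones quoted in the thread; the ASA inside address 10.124.25.193, the FWSM interface name "outside", the pool name RA_POOL, the peer address 203.0.113.10 and the two test hosts are assumptions made for the example.

```cisco
! Added example for this thread, not the poster's configuration.
! Pre-8.3 ASA syntax (nat-control and "nat 0 access-list" exist only there).
! From the thread: inside network 10.124.25.192/27, VPN client pool 192.168.160.0/26.
! ASSUMED: ASA inside interface 10.124.25.193, FWSM interface toward the ASA named "outside",
! pool name RA_POOL, remote peer 203.0.113.10, inside test host 10.124.25.200,
! VPN client test address 192.168.160.5.

! --- ASA (VPN headend) ---
ip local pool RA_POOL 192.168.160.1-192.168.160.62 mask 255.255.255.192
! NAT exemption so inside -> pool traffic is never translated. Needed whenever any
! dynamic or static NAT covers the inside network or nat-control is enabled; if neither
! applies, the thread's advice (remove it and "clear xlate") is the right call.
access-list Inside_nat0_outbound extended permit ip 10.124.25.192 255.255.255.224 192.168.160.0 255.255.255.192
nat (inside) 0 access-list Inside_nat0_outbound
! Per-peer counters. The client symptom "encrypted rises, decrypted stays 0" shows up here
! as "#pkts decaps" rising while "#pkts encaps" stays 0: the return path never reaches the ASA.
show crypto ipsec sa peer 203.0.113.10
! Simulate the return packet (inside host -> VPN client, ICMP echo type 8 code 0). The NAT
! and ROUTE-LOOKUP phases show whether the ASA would translate or misroute it.
packet-tracer input inside icmp 10.124.25.200 8 0 192.168.160.5 detailed

! --- FWSM (layer 3 device behind the ASA) ---
! Reverse route: send the VPN pool back toward the ASA's inside interface rather than
! letting it follow the FWSM's default route. This is the route that was wrong in the thread.
route outside 192.168.160.0 255.255.255.192 10.124.25.193 1
show route | include 192.168.160
```

If packet-tracer on the ASA shows the return packet passing all phases, the problem is downstream of the ASA, which is exactly where this thread ended: every router or firewall between the inside hosts and the ASA needs a route for the pool pointing back at the ASA.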
