07-30-2009 05:10 AM - edited 03-11-2019 09:00 AM
I have configured remote access VPN for my client on ASA version 7.0. They are able to log in remotely, but with one username only 2 simultaneous connections get established, not more than that. When a 3rd person wants to connect with the same name, it is not allowed.
What could be the reason, and how can I get out of this pathetic problem? I haven't found any viable material. Need your help.
07-30-2009 06:45 AM
07-31-2009 01:37 AM
Thanks for your help. I am actually facing another problem: multiple users with the same name can connect simultaneously,
but they are not able to ping the split-tunnel IPs
which I allowed in my configuration.
If just one user connects, he is able to access all the IPs,
but multiple users with the same name connected simultaneously are not able to ping.
Why, and how can I solve this problem?
Waiting for your reply.
07-31-2009 01:26 PM
Post config.
07-31-2009 08:53 PM
I am pasting the selected parts of the configuration which are necessary for the remote access VPN:
access-list DMZ-DB-nonat extended permit ip 172.20.18.0 255.255.255.0 9.1.1.0 255.255.255.0
access-list RABRANCH standard permit host 172.20.18.12
access-list RADataBase standard permit host 172.20.18.12
access-list RADataBase standard permit host 172.20.17.12
access-list RADataBase standard permit host 172.20.17.11
access-list RAAdmin standard permit host 172.20.17.15
access-list RAAdmin standard permit host 172.20.17.12
access-list RAAdmin standard permit host 172.20.17.11
access-list RAAdmin standard permit host 172.20.17.17
access-list RAAdmin standard permit host 172.20.17.26
access-list RAAdmin standard permit host 172.20.17.27
access-list RAAdmin standard permit host 172.20.17.28
access-list RAAdmin standard permit host 172.20.17.31
access-list RAAdmin standard permit host 172.20.17.32
access-list RAAdmin standard permit host 172.20.18.12
access-list RAAdmin standard permit host 172.20.18.17
access-list RAAdmin standard permit host 172.20.18.18
access-list RAAdmin standard permit host 172.20.18.19
access-list RAAdmin standard permit host 172.20.18.20
access-list RAAdmin standard permit host 172.20.18.50
access-list RAAdmin standard permit host 172.20.18.100
access-list RAAdmin standard permit host 172.20.17.52
access-list DMZ-APP-nonat extended permit ip 172.20.17.0 255.255.255.0 9.1.1.0 255.255.255.0
ip local pool VPNPOOL 9.1.1.0-9.1.1.100 mask 255.255.255.0
nat (DMZ-DB) 0 access-list DMZ-DB-nonat
nat (DMZ-APP) 0 access-list DMZ-APP-nonat
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DIBRA esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set DIBRA
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.20.3.0 255.255.255.0 inside
telnet 172.20.200.0 255.255.255.0 insideadmin
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
group-policy BRANCH internal
group-policy BRANCH attributes
dns-server value 172.20.10.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RABRANCH
group-policy DataBase internal
group-policy DataBase attributes
dns-server value 172.20.10.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RADataBase
group-policy Admin internal
group-policy Admin attributes
dns-server value 172.20.10.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAAdmin
username SADBAS password EAsVs94WRKBssa/R encrypted
username SADBAS attributes
vpn-group-policy DataBase
username Admin password diNnsTo5dthlcLs5 encrypted
username Admin attributes
vpn-group-policy Admin
username BUSER password /Xu0va7mHdNk9tXI encrypted
username BUSER attributes
vpn-group-policy BRANCH
tunnel-group BRANCH type remote-access
tunnel-group BRANCH general-attributes
address-pool VPNPOOL
default-group-policy BRANCH
tunnel-group BRANCH ipsec-attributes
pre-shared-key *
tunnel-group DataBase type remote-access
tunnel-group DataBase general-attributes
address-pool VPNPOOL
tunnel-group DataBase ipsec-attributes
pre-shared-key *
tunnel-group Admin type remote-access
tunnel-group Admin general-attributes
address-pool VPNPOOL
tunnel-group Admin ipsec-attributes
pre-shared-key *
08-01-2009 07:52 AM
Do a show version, and verify how many VPNs are supported.
When your VPN users log in, are they using the SAME account? If so, you may have a limit on simultaneous logins, and that would also explain why the 3rd person cannot log in.
Best wishes,
Keith.
08-01-2009 08:00 AM
OK, I will check it. The problem is that I use the
vpn-simultaneous-login command in the group-policy attributes; it enables multiple users to log in simultaneously with the same name,
but then they can't ping any IP which I allow in my split tunnel,
while when 1 user is connected he is able to access all the servers which I allow in my split tunnel.
What is the reason, and how can I resolve this issue?
Thanks in advance.
08-02-2009 11:49 PM
Cisco Adaptive Security Appliance Software Version 7.0(7)
Compiled on Fri 06-Jul-07 10:37 by builders
System image file is "disk0:/asa707-k8.bin"
Config file at boot was "startup-config"
ASA-Primary up 136 days 5 hours
failover cluster up 136 days 5 hours
Hardware: ASA5540-K8, 1024 MB RAM, CPU Pentium 4 2000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: GigabitEthernet0/0 : address is 0018.b91b.6042, irq 9
1: Ext: GigabitEthernet0/1 : address is 0018.b91b.6043, irq 9
2: Ext: GigabitEthernet0/2 : address is 0018.b91b.6044, irq 9
3: Ext: GigabitEthernet0/3 : address is 0018.b91b.6045, irq 9
4: Ext: Management0/0 : address is 0018.b91b.6041, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 200
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 5000
This platform has an ASA 5540 VPN Premium license.
This is the show version of my firewall.
I shall be very thankful to you if you people help me in resolving the issue:
with the same name, 6 users log in simultaneously but are not able to ping any server which I allowed in my split tunnel,
whereas when 1 user gets connected he is able to access all the servers. How can I resolve this issue?
Please guide me; if it is not possible then provide me the Cisco documentation. I will present this in front of my client.
08-03-2009 05:34 AM
You don't seem to have NAT traversal enabled. Enable it with "crypto isakmp nat-traversal 3600". Try that and see if it works.
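Two things a reviewer would check in the pasted config before touching the clients: whether NAT-T is configured at all (the fix above), and whether every host on the split-tunnel lists sits inside a network that the nat 0 exemption ACLs exempt towards the VPN pool, since a split-tunnel host with no exemption gets its return traffic translated and looks "unpingable" from the client. The script below is an added example (not from the thread or from Cisco); it runs over a constructed excerpt modelled on the posted config, with 172.20.19.5 added as a hypothetical host that no exemption covers.

```python
import ipaddress
import re

# Constructed excerpt modelled on the thread's ASA 7.0 config; 172.20.19.5 is added as an uncovered host.
ASA_CONFIG = """\
access-list DMZ-DB-nonat extended permit ip 172.20.18.0 255.255.255.0 9.1.1.0 255.255.255.0
access-list DMZ-APP-nonat extended permit ip 172.20.17.0 255.255.255.0 9.1.1.0 255.255.255.0
access-list RAAdmin standard permit host 172.20.17.15
access-list RAAdmin standard permit host 172.20.18.12
access-list RAAdmin standard permit host 172.20.19.5
ip local pool VPNPOOL 9.1.1.0-9.1.1.100 mask 255.255.255.0
nat (DMZ-DB) 0 access-list DMZ-DB-nonat
nat (DMZ-APP) 0 access-list DMZ-APP-nonat
"""
NONAT_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
HOST_RE = re.compile(r"^access-list (\S+) standard permit host (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+) mask (\S+)$")

def config_lines(cfg):
    return [line.strip() for line in cfg.splitlines() if line.strip()]

def nat_traversal_enabled(cfg):
    """NAT-T is off on ASA 7.x unless 'crypto isakmp nat-traversal' is configured."""
    return any(l.startswith("crypto isakmp nat-traversal") for l in config_lines(cfg))

def vpn_pool(lines):
    """Subnet containing the 'ip local pool' range (9.1.1.0/24 for the thread's pool)."""
    for l in lines:
        m = POOL_RE.match(l)
        if m:
            return ipaddress.ip_network(f"{m.group(1)}/{m.group(3)}", strict=False)

def exempt_sources(lines, pool):
    """Source networks of nat 0 ACLs whose destination covers the whole VPN pool."""
    nonat_acls = {l.split()[-1] for l in lines if l.startswith("nat (") and " 0 access-list " in l}
    nets = []
    for l in lines:
        m = NONAT_RE.match(l)
        if m and m.group(1) in nonat_acls:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            if pool.subnet_of(dst):
                nets.append(src)
    return nets

def split_hosts_without_exemption(cfg):
    """Split-tunnel hosts whose return traffic to the pool would still be NATed."""
    lines = config_lines(cfg)
    pool = vpn_pool(lines)
    nets = exempt_sources(lines, pool)
    return [(m.group(1), m.group(2)) for m in map(HOST_RE.match, lines)
            if m and not any(ipaddress.ip_address(m.group(2)) in n for n in nets)]
```

Run it over the full pasted config: nat_traversal_enabled() should be False until the nat-traversal line is added, and split_hosts_without_exemption() should come back empty for the 172.20.17.x and 172.20.18.x hosts.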
08-03-2009 09:13 PM
Thanks for your support, the problem has been sorted out.
Many thanks to all of you.