ASA 8.0, make remote access IPsec VPN

Aug 4th, 2009

I can log in to the ASA, but I can't interact with the LAN.

The config:

hostname(config)# interface ethernet0
hostname(config-if)# ip address
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# ip local pool testpool
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside

The topology: LAN-ASA-WAN-PC (VPN client)

Todd Pula Wed, 08/05/2009 - 06:23

Starting from the connected client, review the VPN client statistics and confirm whether or not you see packets being encap/decap. Next move to the ASA and review the IPSec SA for the connected client. Do you see packets being actively encap/decap? If you see packets being decap from the client but not being encap towards the client, you will want to confirm that you have exempted the LAN to client pool traffic from NAT. If the ASA is not the internal LAN host default gateway, ensure that the L3 devices in the path have a route towards the ASA for the client pool. I see that RRI is configured but can't tell from the config snippet whether a routing protocol is also configured. Finally, ensure that there are no packet filters in place which are inadvertently denying packets.
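As an added example (not part of the thread and not Todd's configuration), this is what the NAT exemption and pool routing described above look like in ASA 8.0 syntax. The addresses are assumed, since the original post leaves them blank: an interface named "inside" on 192.168.1.0/24 with the ASA at 192.168.1.1, and a client pool of 192.168.100.0/24.

```cisco
! Assumed addressing (not given in the post):
!   inside LAN  192.168.1.0/24, ASA inside address 192.168.1.1
!   client pool 192.168.100.1-192.168.100.50
hostname(config)# ip local pool testpool 192.168.100.1-192.168.100.50 mask 255.255.255.0

! NAT exemption: LAN-to-pool traffic must bypass NAT, otherwise the reply
! packets are translated toward the outside interface and never enter the
! tunnel. On the ASA that shows up as "#pkts decaps" increasing while
! "#pkts encaps" stays at zero for the client's IPsec SA.
hostname(config)# access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
hostname(config)# nat (inside) 0 access-list NONAT

! Routing for the pool: reverse-route injection only adds the route on the
! ASA itself. If LAN hosts use another router as default gateway, that
! router needs a route for the pool pointing at the ASA's inside address,
! e.g. on an IOS router (assumed device):
!   ip route 192.168.100.0 255.255.255.0 192.168.1.1

! Checks after a client connects:
hostname# show crypto ipsec sa
!   compare "#pkts encaps" (ASA -> client) with "#pkts decaps" (client -> ASA)
hostname# show access-list NONAT
!   hit counts confirm LAN-to-pool traffic is matching the exemption
hostname# show vpn-sessiondb remote
!   session state and bytes tx/rx for the connected client
```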

Tom Yan Wed, 08/05/2009 - 17:48

Thanks for your help. I have looked at the VPN client: it shows only encrypted packets, none decrypted, and it can only send packets, not receive them. Before using the VPN connection, all routes are fine. The VPN client can connect with the LAN behind the ASA.
