I am having a problem on VPN routing.
The VPN client is connected to ASA5510 properly but can't access the inside network of ASA and Internet either. What I want to reach is,
[email protected] -> ASA5520(Public IP's) -> Inside(172.16.1.0)
The VPN address pool is using 184.108.40.206 (I also tried 172.16.1.100-120 with same network of inside).
ip address a.a.a.a 255.255.255.0
ip address 172.16.1.1 255.255.255.0
ip local pool vpnpool 192.168.10.1-192.168.10.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
group-policy VPNstaff internal
group-policy VPNstaff attributes
dns-server value 220.127.116.11
tunnel-group VPNstaff type remote-access
tunnel-group VPNstaff general-attributes
tunnel-group VPNstaff ipsec-attributes
As a quick test , try this .
-Turn ON nat-t (if its disable)
Command : crypto isakmp nat-traversal 20
see if it helps.
-Run a continous ping from the client to the ASA inside interface, Make sure you execute the command " management-access inside" before you start with ping .
-Time our or ICMP REPLY from inside interface ..?
If Time out , then,
-Check the number of decrypts using the command " show crypto ipsec sa "
If ICMP reply from inside interface is recieved by VPN client.
-Run a ping to an internal host behind the ASA.
-"Show crypto ipsec sa "
IF you have received replies if first test then here you should see decrypts growing in number.
-Apply captures on inside interface
You can refer the document below
-If you see packet with source as VPN client interface reaching the inside interface for the destination of host behind the ASA, then its an issue with your internal routing.
In case you have a L3 device connected to the ASA inside interface , make sure you have a route for 192.168.1.x subnet pointing GW as ASA inside interface i.e 172.16.1.1
If its L2 or a dumb device , then as a quic test , put the follwoing route statement using the windows command line on the host behind the asa taking part in this test.
route add 192.168.1.0 mask 255.255.255.0 172.16.1.1
Please do let me know if this helps.