Remote VPN on ASA5540

logan-7
Level 1

Here is the situation.

I am slowly migrating from a Cisco VPN 3030 concentrator to a Cisco ASA5540.

My L2L tunnels are coming along fine, but I am running into issues with the remote VPN clients attaching.

I have set up the AAA and this works correctly, as well as building the profile. (We use IPsec.)

My issues are with the IP address pool. We are using a different set of IP addresses than the concentrator.

I have set up the routing on the next hop inside to point to the ASA as the home of the pool of IP addresses.

But I am not getting any throughput.

I can attach to the ASA with a remote client; it checks the RADIUS server, and all of the authentication goes through. But I cannot access anything.

All traceroutes for the IP address pool from inside the network point to the ASA.

Is there something else I need to set up besides just assigning the IP address pool?

Any suggestion would be helpful.

Thanks


8 Replies

johnd2310
Level 8

Hi,

Sounds like a routing issue on the ASA. How have you set up the routing? Do you by any chance have the "tunneled" command in your static routes?

Thanks

John

**Please rate posts you find helpful**

Here is what the route statements look like on the ASA:

route outside 0.0.0.0 0.0.0.0 205.203.38.254 1
route inside 10.0.0.0 255.0.0.0 10.130.49.254 1
route inside 172.50.0.0 255.255.0.0 10.130.49.254 1
route inside 199.21.26.0 255.255.255.0 10.130.49.254 10
route inside 205.203.39.0 255.255.255.0 10.130.49.254 5
route inside 205.203.49.0 255.255.255.0 10.130.49.254 1
route inside 205.203.51.0 255.255.255.0 10.130.49.254 2
route inside 205.203.54.0 255.255.255.0 10.130.49.254 1
route inside 205.203.56.0 255.255.255.0 10.130.49.254 2
route inside 205.203.57.0 255.255.255.0 10.130.49.254 2
route inside 205.203.107.0 255.255.255.0 10.130.49.254 1
route inside 205.203.109.0 255.255.255.0 10.130.49.254 5
route inside 205.203.123.0 255.255.255.0 10.130.49.254 5
route inside 205.203.125.0 255.255.255.0 10.130.49.254 5
route inside 0.0.0.0 0.0.0.0 10.130.49.254 tunneled

Hi,

Try removing "route inside 0.0.0.0 0.0.0.0 10.130.49.254 tunneled" and see if it works.

Thanks

John

**Please rate posts you find helpful**

So what is the tunneled command for then?

Bill

Hi,

The tunneled command is used if you do not have more specific routes to your "internal" network. Encrypted traffic received by the ASA for which there is no static or learned route is passed to the gateway with the IP address specified by the tunneled command. Your routing table shows you have put static routes to your internal network; therefore, the ASA will use those and does not need the tunneled route.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_static.html

Thanks

John

**Please rate posts you find helpful**
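To make John's explanation concrete, here is an added example (not code from the thread or from Cisco) that models the ASA's next-hop choice over a subset of the route table Bill posted. It does longest-prefix matching over the static routes and consults the "tunneled" default only for traffic that arrived through a VPN tunnel and matched no more specific route; the `from_vpn` flag and the `lookup` function are assumptions of this model, not ASA commands.

```python
"""
Constructed model of ASA static-route selection for decrypted VPN traffic,
using routes taken from the thread. Not Cisco code; the from_vpn/lookup
names are this example's own.
"""
import ipaddress
from dataclasses import dataclass

# Subset of the route statements posted above (the 0.0.0.0 "tunneled" line
# is the one John suggested removing).
ROUTE_TABLE = """\
route outside 0.0.0.0 0.0.0.0 205.203.38.254 1
route inside 10.0.0.0 255.0.0.0 10.130.49.254 1
route inside 172.50.0.0 255.255.0.0 10.130.49.254 1
route inside 205.203.39.0 255.255.255.0 10.130.49.254 5
route inside 0.0.0.0 0.0.0.0 10.130.49.254 tunneled
"""


@dataclass(frozen=True)
class Route:
    interface: str
    network: ipaddress.IPv4Network
    gateway: str
    tunneled: bool


def parse_routes(text):
    """Parse 'route <iface> <net> <mask> <gw> [metric] [tunneled]' lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        _, iface, net, mask, gw, *rest = parts
        network = ipaddress.IPv4Network(f"{net}/{mask}")
        routes.append(Route(iface, network, gw, "tunneled" in rest))
    return routes


def lookup(routes, dst, from_vpn):
    """Pick the route the ASA would use for dst.

    Specific static routes always win (longest prefix). Only when nothing more
    specific matches does a VPN-sourced packet fall back to the tunneled
    default; non-VPN traffic never uses a tunneled route.
    """
    dst = ipaddress.IPv4Address(dst)
    normal = [r for r in routes if not r.tunneled and dst in r.network]
    specific = [r for r in normal if r.network.prefixlen > 0]
    if specific:
        return max(specific, key=lambda r: r.network.prefixlen)
    if from_vpn:
        tunneled = [r for r in routes if r.tunneled and dst in r.network]
        if tunneled:
            return tunneled[0]
    default = [r for r in normal if r.network.prefixlen == 0]
    return default[0] if default else None


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    for dst, from_vpn in [("10.5.5.5", True), ("8.8.8.8", True), ("8.8.8.8", False)]:
        r = lookup(routes, dst, from_vpn)
        print(dst, "vpn" if from_vpn else "clear", "->", r.interface, r.gateway, "tunneled" if r.tunneled else "")
```

Running it shows the point John makes: a VPN client reaching 10.5.5.5 uses the specific 10.0.0.0/8 route whether or not the tunneled default exists, so the tunneled line only changes where VPN traffic to unknown destinations (8.8.8.8 here) is sent.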

hdashnau
Cisco Employee

The problem is not necessarily routing. Check the following other things:

1. Do you have NAT exemption for the VPN pool? (You need it.) If not, you'll see syslog messages about no translation group found and the traffic will be dropped. Assume your VPN pool is 172.16.4.0 255.255.255.255. You would add:

access-list nonat permit ip any 172.16.4.0 255.255.255.0

nat (inside) 0 access-list nonat

2. Do you have an access-group applied to the interface? Do a "show run access-group". If you have one applied, make sure the access-list permits the traffic to the VPN client pool.

3. If this is IPSec and either the client or the ASA is behind NAT, you need to have the following command:

isakmp nat-traversal

-heather

Please rate this post if it helped you.
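The three checks Heather lists can be scripted against a saved running config. The following is an added example (not from the thread, Cisco, or the ASA itself) that parses the relevant lines of a constructed config fragment and reports whether the nat 0 exemption covers the 172.16.4.0/24 pool, whether an applied interface ACL permits traffic to the pool, and whether nat-traversal is enabled. The "broken" config reproduces the mistake Bill later reports, a nonat ACL with the pool in the source slot; the inside network 10.0.0.0/8 is taken from his route table, and all function names are this example's own.

```python
"""
Constructed audit of an ASA config fragment for the checks in Heather's
post. Config text is made up for the example; 172.16.4.0/24 is the pool
from the post and 10.0.0.0/8 the inside network from Bill's routes.
"""
import ipaddress
import re

POOL = ipaddress.IPv4Network("172.16.4.0/24")
INSIDE = ipaddress.IPv4Network("10.0.0.0/8")
ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed: nonat ACL written backwards (pool as source), no nat-traversal,
# inside ACL that never mentions the pool.
CONFIG_BROKEN = """\
access-list nonat extended permit ip 172.16.4.0 255.255.255.0 any
nat (inside) 0 access-list nonat
access-list inside_in extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
access-group inside_in in interface inside
"""

# Constructed: exemption as Heather wrote it, inside ACL reaching the pool,
# nat-traversal enabled.
CONFIG_FIXED = """\
access-list nonat extended permit ip any 172.16.4.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list inside_in extended permit ip 10.0.0.0 255.0.0.0 172.16.4.0 255.255.255.0
access-group inside_in in interface inside
isakmp nat-traversal
"""


def _addr(tokens):
    """Consume one ACL address spec (any | host A | A MASK); return (net, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_aces(cfg):
    """Map ACL name -> list of (action, protocol, src_net, dst_net)."""
    acls = {}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        name, rest = t[1], t[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        action, proto, rest = rest[0], rest[1], rest[2:]
        src, rest = _addr(rest)
        dst, _ = _addr(rest)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def check_nat_exemption(cfg, pool=POOL, inside=INSIDE):
    """'ok' if a nat 0 ACL exempts inside->pool traffic, 'backwards' if the pool
    only appears as the ACE source (the ACL is matched on the inside host as
    source, so such an ACE never fires), else 'missing'."""
    acls = parse_aces(cfg)
    verdict = "missing"
    for m in re.finditer(r"^nat \((\S+)\) 0 access-list (\S+)", cfg, re.M):
        for action, proto, src, dst in acls.get(m.group(2), []):
            if action != "permit" or proto != "ip":
                continue
            if pool.subnet_of(dst) and inside.subnet_of(src):
                return "ok"
            if pool.subnet_of(src) and inside.subnet_of(dst):
                verdict = "backwards"
    return verdict


def check_access_groups(cfg, pool=POOL):
    """For each applied interface ACL: does some permit ACE reach the pool?"""
    acls = parse_aces(cfg)
    result = {}
    for m in re.finditer(r"^access-group (\S+) in interface (\S+)", cfg, re.M):
        aces = acls.get(m.group(1), [])
        result[m.group(2)] = any(a == "permit" and pool.subnet_of(d) for a, _, _, d in aces)
    return result


def nat_traversal_enabled(cfg):
    """Matches both the 7.x 'isakmp nat-traversal' and 8.x 'crypto isakmp' forms."""
    return re.search(r"^(crypto )?isakmp nat-traversal", cfg, re.M) is not None


if __name__ == "__main__":
    for label, cfg in [("broken", CONFIG_BROKEN), ("fixed", CONFIG_FIXED)]:
        print(label, check_nat_exemption(cfg), check_access_groups(cfg), nat_traversal_enabled(cfg))
```

The exemption check deliberately requires the pool in the destination position and an inside-side source; a check that only asked "does the ACE mention the pool anywhere" would pass the backwards ACL, which is exactly the misconfiguration that drops traffic with the "no translation group found" syslog Heather mentions.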

logan-7
Level 1

Thanks,

That did it. My exempt NAT was backwards.

Appreciate all the help.

Please rate the posts and mark the question as resolved.
