Remote vpn on router

Unanswered Question
Sep 29th, 2010

Hello Friends,

When I try to connect to the VPN from my home, I'm not able to authenticate, though my username and password are correct. When I remove the command

crypto map <map-name> client authentication list <list name>

I'm connecting directly without authenticating, but I'm not able to go further from the internet router; I can't even ping the directly connected firewall interface.


Federico Coto F... Wed, 09/29/2010 - 09:41


Something is not correct with the authentication portion of the configuration for the tunnel and that's why you can't connect with your user/pass.

If you remove that line, then you're not prompted for credentials and you're allowed in.

Now, if you can't access internal resources the most common issues are:

- No route back to the VPN pool from the internal network

- NAT messing in the path

- Split-tunneling issues


Can you PING the inside IP of the router when connected from the VPN client?

Can you check both the interesting traffic and that VPN traffic is bypassing NAT?

If you need help with that please post the relevant part of the configuration.
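
The NAT-bypass check mentioned above can be scripted. This is an added example, not part of the thread or anyone's posted configuration: it evaluates a NAT access list in first-match order to see whether LAN-to-pool traffic is exempted before the overload permit. The addresses, the ACL samples and the function names are constructed assumptions.

```python
import ipaddress

def _take(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # A wildcard mask is the bitwise inverse of a netmask (contiguous masks only).
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acl(text, number):
    """Return [(action, src_net, dst_net)] for 'access-list <number> <action> ip ...' lines."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if t[:2] != ["access-list", str(number)] or len(t) < 6 or t[3] != "ip":
            continue
        src, rest = _take(t[4:])
        dst, _ = _take(rest)
        entries.append((t[2], src, dst))
    return entries

def nat_verdict(entries, src, dst):
    """First-match evaluation: 'deny' = left untranslated, 'permit' = NATed.
    Assumes each flow is fully covered by an entry (no partial overlaps)."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for action, src_net, dst_net in entries:
        if s.subnet_of(src_net) and d.subnet_of(dst_net):
            return action
    return "deny"  # implicit deny at the end of every ACL

# Constructed samples: LAN 10.10.0.0/16, VPN pool 10.10.50.0/24.
GOOD_ACL = """
access-list 110 deny ip 10.10.0.0 0.0.255.255 10.10.50.0 0.0.0.255
access-list 110 permit ip 10.10.0.0 0.0.255.255 any
"""
BAD_ACL = """
access-list 110 permit ip 10.10.0.0 0.0.255.255 any
access-list 110 deny ip 10.10.0.0 0.0.255.255 10.10.50.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, acl in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        print(name, nat_verdict(parse_acl(acl, 110), "10.10.1.0/24", "10.10.50.0/24"))
```

A "permit" verdict for LAN-to-pool traffic means replies to the VPN client are translated on the way out and never match the tunnel.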


estelamathew Wed, 09/29/2010 - 13:06

Hello Dear,

The pool I'm using is the free subnet from the corporate LAN, so I think it doesn't cause any issues, and I have also bypassed NAT for the VPN pool.

If I'm still missing anything, please guide me.

I can ping the internet router's internal interface which is connected to the ASA, but I can't ping the ASA interface, though the ASA has a default route pointing to the internet router. I have enabled icmp permit any any on the ASA.

Your help will be appreciated.

aaa new-model
aaa authentication login test local
aaa authorization network test local
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 60 20
crypto isakmp xauth timeout 30

crypto isakmp client configuration group test
 key cisco123
 pool test
crypto ipsec transform-set testtransform esp-3des esp-md5-hmac
crypto dynamic-map test-map 1
 set transform-set testtransform
crypto map test-map client authentication list test
crypto map test-map isakmp authorization list test
crypto map test-map client configuration address respond
crypto map test-map 10 ipsec-isakmp dynamic test-map

interface FastEthernet0/1
 ip address 212.X.X.X
 ip nat outside
 duplex auto
 speed auto
 crypto map test-map
interface FastEthernet0/0
 description ** Connected to External ASA **
 ip address 10.X.X.X
 ip accounting output-packets
 ip nat inside
 no ip virtual-reassembly
 ip policy route-map WWW-REDIRECT
 duplex auto
 speed 100
ip local pool test
ip classless
ip route 212.X.X.X
no ip http server
no ip http secure-server

ip nat inside source list 110 interface FastEthernet0/1 overload

access-list 110 deny  ip
access-list 110 permit  ip any
logging alarm informational

line con 0
 stopbits 1
line aux 0
line vty 0 4

Federico Coto F... Wed, 09/29/2010 - 13:22

If you can PING the inside IP of the router, traffic is flowing through the tunnel properly.

The setup is like this:

ASA -- VPN Router --- Internet -- VPN Client

The ASA should have a route to the VPN pool pointing to the ASA (assuming it does not have a default gateway).

Also check the following:

sh cry ips sa --> you should see the packets encrypted/decrypted for the subnet that you're trying to reach via VPN

On the VPN client:

Under the secured routes, you should see the networks you want to reach (or if not using split tunneling).


