×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Vpn Client no received packets

Unanswered Question
Dec 1st, 2011
User Badges:

Hello    


I did the config for a vpn with a asa 5520 the vpn client connects correctly but i can`t ping for the client to my lan until one pc of my lan ping the ip of the vpn client, can you help me?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
hectorsalgado Fri, 12/02/2011 - 08:52
User Badges:

the config is


ASA Version 8.3(1)

!

hostname ciscoasa

enable password 2WKw2mlc5qeH8nmnTIY encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

dns-guard

!

interface GigabitEthernet0/0

nameif outside

security-level 0

pppoe client vpdn group ppoe-ira

ip address pppoe setroute

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 172.16.1.8 255.255.255.240

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa831-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network DM_INLINE_NETWORK_1

network-object host 172.16.1.7

network-object host 172.31.151.222

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service DM_INLINE_SERVICE_1

service-object ip

service-object icmp

service-object tcp-udp destination eq domain

access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any

access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group Internet any

access-list inside_access_in extended permit object-group TCPUDP any any eq domain

access-list inside_access_in extended deny ip any any

access-list vpn_split standard permit 192.168.0.0 255.255.0.0

access-list vpn_split standard permit 172.31.0.0 255.255.0.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpn-pool 192.168.55.150-192.168.55.200 mask 255.255.255.128

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-631.bin

no asdm history enable

arp timeout 14400

nat (inside,any) source static any any destination static NETWORK_OBJ_192.168.55.128_25 NETWORK_OBJ_192.168.55.128_25

!

object network Net_172.31.151.0

nat (any,outside) dynamic interface

object network Net_192.168.51.0

nat (any,outside) dynamic interface

object network Net_192.168.52.0

nat (any,outside) dynamic interface

object network Net_192.168.53.0

nat (any,outside) dynamic interface

object network Net_192.168.54.0

nat (any,outside) dynamic interface

object network Net_192.168.55.0

nat (any,outside) dynamic interface

object network Net_192.168.56.0

nat (any,outside) dynamic interface

access-group inside_access_in in interface inside

route inside 172.31.0.0 255.255.0.0 172.16.1.7 1

route inside 172.31.151.0 255.255.255.0 172.16.1.7 1

route inside 192.168.0.0 255.255.0.0 172.16.1.7 1

route inside 192.168.50.0 255.255.255.0 172.16.1.7 1

route inside 192.168.51.0 255.255.255.0 172.16.1.7 1

route inside 192.168.52.0 255.255.255.0 172.16.1.7 1

route inside 192.168.53.0 255.255.255.0 172.16.1.7 1

route inside 192.168.54.0 255.255.255.0 172.16.1.7 1

route inside 192.168.55.0 255.255.255.128 172.16.1.7 1

route inside 192.168.56.0 255.255.255.0 172.16.1.7 1

route inside 192.168.100.0 255.255.255.0 172.16.1.7 1

route inside 192.168.200.0 255.255.255.0 172.16.1.7 1

route inside 192.168.202.0 255.255.255.0 172.16.1.7 1

route inside 192.168.250.0 255.255.255.0 172.16.1.7 1

route inside 192.168.254.0 255.255.255.0 172.16.1.7 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set pfs group5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set transform-set ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 ESP-AES-128-SHA

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65000 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 5

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption aes

hash md5

group 5

lifetime 86400

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

vpdn group ppoe-ira ppp authentication pap

vpdn username t4626266019 password ***** store-local

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy vpn-demo internal

group-policy vpn-demo attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value vpn_split

username prueba5 password 5SsjHsNPiy24cMYU encrypted privilege 0

username prueba5 attributes

vpn-group-policy vpn-demo

tunnel-group vpn-demo type remote-access

tunnel-group vpn-demo general-attributes

address-pool vpn-pool

default-group-policy vpn-demo


!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect dns

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:2df4260f34a46f20d7e51612845bac4e

: end

Actions

This Discussion