848 Views, 0 Helpful, 10 Replies

ASA 5505: SSL VPN works, IPsec does not

roger perkin
Level 2

I am trying to configure an IPSEC vpn on an ASA5505

I set up an SSL VPN and it works fine: I can browse to the https address, log in and connect to servers.

However when I try to setup the ipsec client access vpn it will not connect and I am getting the errors below

I used the wizard for the initial configuration

Looks like the initial IKE is being blocked or dropped?

%ASA-7-710005: UDP request discarded from my external IP/35781 to external:ASA-external/500

%ASA-7-710005: UDP request discarded from my external IP/35781 to external:ASA-external/137

Roger

Accepted Solution

Hello,

Try

nat (inside,outside) 1 source static 192.168.100.0 192.168.100.0 destination static VPN_172 VPN_172

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


10 Replies

Julio Carvajal
VIP Alumni

Hello

do you have the

crypto isakmp enable outside configured?

What version are you running?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

crypto ikev2 enable external

crypto ikev1 enable external

Running version 8.4(1)

The ssl works perfectly

I then configured the IPsec VPN using the wizard and it won't connect?

Scratching my head a bit

Thanks

Roger

Hello Roger,

Can you share the configuration so I can take a quick look at it

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Problem nearly fixed, I rebooted the firewall and I am now able to log in

However traffic is only flowing one way lots of encrypted packets but 0 decrypted

Also my split tunnel does not seem to be working.

I will get the config into this post soon

Thanks

Roger

Hello,

Then we will need to check the config.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Ok, I am getting this error when pinging an internal host from the connected vpn client

VPN client is on 172.16.24.2 internal host is on 192.168.100.37

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src external:172.16.24.2 dst internal:192.168.100.37 (type 8, code 0) denied due to NAT reverse path failure

object network obj-192.168.50.10
 host 192.168.50.10
object network obj-192.168.50.20
 host 192.168.50.20
object network obj-192.168.50.21
 host 192.168.50.21
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any-01
 subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
 host 0.0.0.0
object network NETWORK_OBJ_10.10.1.0_28
 subnet 10.10.1.0 255.255.255.240
object network vpn_clients
 subnet 192.168.199.0 255.255.255.0
object network 192.168.100.0
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.199.0_24
 subnet 192.168.199.0 255.255.255.0
object network VPN_172
 subnet 172.16.24.0 255.255.255.0
object-group service RDP tcp
 port-object eq 3389
object-group service SQL tcp
 port-object eq 1433
object-group service RDP-SQL tcp
 group-object RDP
 group-object SQL
access-list outside_in extended permit udp any any log
access-list network_10_access_in extended permit ip interface internal any
access-list external_access_in extended permit ip object NETWORK_OBJ_192.168.199.0_24 interface internal
access-list external_access_in extended permit tcp any any inactive
access-list from_outside extended permit icmp any any log
access-list from_outside extended permit icmp any any echo
access-list split_VPN_Split standard permit 192.168.100.0 255.255.255.0
access-list external_access_in_1 extended permit ip object NETWORK_OBJ_192.168.199.0_24 192.168.100.0 255.255.255.0
access-list external_access_in_1 extended permit ip object VPN_172 192.168.100.0 255.255.255.0
pager lines 24
nat (internal,external) source static any any destination static NETWORK_OBJ_10.10.1.0_28 NETWORK_OBJ_10.10.1.0_28
nat (internal,external) source static 192.168.100.0 192.168.100.0 destination static NETWORK_OBJ_192.168.199.0_24 NETWORK_OBJ_192.168.199.0_24
nat (internal,external) source static any any destination static NETWORK_OBJ_192.168.199.0_24 NETWORK_OBJ_192.168.199.0_24
object network obj-192.168.50.10
 nat (internal,external) static 192.168.0.81
object network obj-192.168.50.20
 nat (internal,external) static 192.168.0.230
object network obj-192.168.50.21
 nat (internal,external) static 192.168.0.231
object network obj_any
 nat (internal,external) dynamic interface
object network obj_any-01
 nat (internal,external) dynamic obj-0.0.0.0
access-group network_10_access_in in interface internal
access-group external_access_in_1 in interface external
route external 0.0.0.0 0.0.0.0 4.5.6.7.1 1
route internal 10.10.10.0 255.255.255.255 192.168.100.1 1

Hello,

Try

nat (inside,outside) 1 source static 192.168.100.0 192.168.100.0 destination static VPN_172 VPN_172

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
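The following is an added example, not code from the thread or from Cisco: a small Python model of the ASA 8.4 NAT lookup that explains why the posted configuration logs %ASA-5-305013 for the VPN client flow and why the identity (NAT-exempt) rule in the accepted answer clears it. It parses the 305013 line quoted above, builds the forward flow (external 172.16.24.2 to internal 192.168.100.37), and runs the reverse-path check against the posted rules and against the rules with the identity NAT added. The external interface address (203.0.113.1) is an assumed placeholder, the accepted rule is assumed to be applied with the internal/external nameifs the posted config uses (the answer writes inside,outside), and only the NAT rules that can match this flow are modelled; the "source static any any" rules and the 192.168.50.x host mappings cannot match it and are left out.

```python
"""Added example: model of the ASA NAT reverse-path check behind %ASA-5-305013."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Network objects taken from the posted configuration.
OBJECTS = {
    "192.168.100.0": ip_network("192.168.100.0/24"),
    "VPN_172": ip_network("172.16.24.0/24"),
    "NETWORK_OBJ_192.168.199.0_24": ip_network("192.168.199.0/24"),
    "obj_any": ip_network("0.0.0.0/0"),
}
# The external interface address is not on the page: assumed documentation address.
IFACE_IP = {"external": ip_address("203.0.113.1")}


@dataclass(frozen=True)
class Flow:
    in_if: str
    src: IPv4Address
    out_if: str
    dst: IPv4Address


@dataclass(frozen=True)
class TwiceNatIdentity:
    """nat (real_if,mapped_if) source static S S destination static D D  (Section 1)."""
    real_if: str
    mapped_if: str
    src_obj: str
    dst_obj: str

    def translate(self, f):
        s, d = OBJECTS[self.src_obj], OBJECTS[self.dst_obj]
        real_side = (f.in_if == self.real_if and f.out_if == self.mapped_if
                     and f.src in s and f.dst in d)
        # Twice NAT is bidirectional: a connection from the mapped side also matches.
        mapped_side = (f.in_if == self.mapped_if and f.out_if == self.real_if
                       and f.src in d and f.dst in s)
        return f.src if (real_side or mapped_side) else None  # identity: unchanged


@dataclass(frozen=True)
class ObjectNatDynamicInterface:
    """object network X / nat (real_if,mapped_if) dynamic interface  (Section 2, PAT)."""
    real_if: str
    mapped_if: str
    obj: str

    def translate(self, f):
        if f.in_if == self.real_if and f.out_if == self.mapped_if and f.src in OBJECTS[self.obj]:
            return IFACE_IP[self.mapped_if]  # source rewritten to the egress interface
        return None  # dynamic PAT never matches connections initiated from the mapped side


# Posted rules that can match the VPN client flow, in ASA lookup order
# (manual Section 1 rules are evaluated before object/Section 2 rules).
POSTED_RULES = [
    TwiceNatIdentity("internal", "external", "192.168.100.0", "NETWORK_OBJ_192.168.199.0_24"),
    ObjectNatDynamicInterface("internal", "external", "obj_any"),
]
# The accepted answer; the '1' puts it at the top of Section 1. Assumed to use the
# internal/external nameifs of the posted config rather than inside/outside.
FIXED_RULES = [TwiceNatIdentity("internal", "external", "192.168.100.0", "VPN_172")] + POSTED_RULES

LOG_305013 = re.compile(r"%ASA-5-305013: .*?src (\w+):([\d.]+) dst (\w+):([\d.]+)")


def flow_from_log(line):
    """Extract the denied forward flow from a 305013 syslog line, or None."""
    m = LOG_305013.search(line)
    if not m:
        return None
    return Flow(m.group(1), ip_address(m.group(2)), m.group(3), ip_address(m.group(4)))


def translate_source(flow, rules):
    """First matching rule wins; returns (rule, translated source address)."""
    for rule in rules:
        mapped = rule.translate(flow)
        if mapped is not None:
            return rule, mapped
    return None, flow.src


def reverse_path_check(flow, rules):
    """Model of the check that fails with 305013: the reply flow's translated source
    must be the address the initiator sent to. Returns (ok, forward_rule, reply_rule)."""
    fwd_rule, _ = translate_source(flow, rules)
    reply = Flow(flow.out_if, flow.dst, flow.in_if, flow.src)
    rep_rule, rep_src = translate_source(reply, rules)
    return rep_src == flow.dst, fwd_rule, rep_rule


# The syslog line quoted in the thread.
SAMPLE_LOG = ("%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
              "Connection for icmp src external:172.16.24.2 dst internal:192.168.100.37 "
              "(type 8, code 0) denied due to NAT reverse path failure")

if __name__ == "__main__":
    flow = flow_from_log(SAMPLE_LOG)
    for label, rules in (("posted config", POSTED_RULES), ("with identity NAT", FIXED_RULES)):
        ok, fwd, rep = reverse_path_check(flow, rules)
        print(f"{label}: reverse path {'ok' if ok else 'FAILS'}; forward={fwd}; reply={rep}")
```

With the posted rules the forward packet from the VPN pool matches nothing (the only rule for traffic arriving on external is the 192.168.199.0/24 identity, which this client is not in), but the reply from 192.168.100.37 hits the obj_any dynamic PAT and would leave with the interface address, so the two directions disagree and the connection is dropped. The identity rule matches both directions without changing either address; because Section 1 is always consulted before object NAT, it wins over the obj_any PAT regardless of where the "1" places it among the other manual rules, none of which match this flow.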

Thanks for that, we are now one step closer!

Now getting this error

%ASA-4-313004: Denied ICMP type=0, from laddr 172.16.24.2 on interface external to 192.168.100.37: no matching session

Thanks for your replies. I have marked the NAT as the correct answer; after much head scratching, I have now realised the problem.

This is another firewall added to the network.

The default gateway of the client I am pinging is another firewall, so the ping is going in and then going back to the main firewall.

My issue lies on the internal network.

Thanks

Roger

Hello Roger,

Glad to know that I could help,

Have a great day

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC