ASA Remote VPN

estelamathew
Level 2

Hello Dears,

I'm able to get an IP address and domain name from the ASA firewall group-policy configs through the Windows VPN Client. After connecting, I'm not able to do anything in my corporate network: when I remote desktop to my server I'm not able to connect, and I can neither ping nor telnet to any access switch.

When I get an IP address from the pool I also get a default gateway. I don't know where it is coming from; I have not specified any default gateway.

I think I'm missing something in the configuration. Can anybody help me with this?

11 Replies

Hi,

Most likely you're not using split-tunneling and that's why everything is being sent through the tunnel.

If you cannot reach anything on the server side, there could be some reasons:

1. Check that NAT-T is enabled on both sides (on the ASA, crypto isakmp nat-t; on the client side, under the Transport tab).

2. Check that there's no Firewall or device blocking ESP on either side.

3. As a test include the command "management-access inside" and make sure that you can PING the inside IP of the ASA from the VPN client.

4. When connected issue the command "sh cry ips sa" and check if packets are being encrypted/decrypted when sending traffic.

5. A normal problem is that the ASA's inside LAN doesn't have a route back to the VPN pool range; check this as well.

Let us know how it goes.


Federico.

1. Check that NAT-T is enabled on both sides (on the ASA crypto isakmp nat-t and on the client side under the transport tab).

It is enabled on both the firewall and the client.

2. Check that there's no Firewall or device blocking ESP on either side.

I have opened everything from outside.

3. As a test include the command "management-access inside" and make sure that you can PING the inside IP of the ASA from the VPN client.

After putting in this command it started pinging, but it is not pinging the core switch, the next hop of the firewall on the inside interface.

4. When connected issue the command "sh cry ips sa" and check if packets are being encrypted/decrypted when sending traffic.

ASA(config)# sh crypto ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 254.254.254.254

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.X.122.50/255.255.255.255/0/0)
      current_peer: 18.135.2.X, username: XXX
      dynamic allocated peer ip: 10.X.122.50

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 533, #pkts decrypt: 533, #pkts verify: 533
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.109.253.253/4500, remote crypto endpt.: 188.135.2.215/6405
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: D32067D8
      current inbound spi : B66D5F1D

    inbound esp sas:
      spi: 0xB66D5F1D (3060621085)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 98304, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28262
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xD32067D8 (3542116312)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 98304, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28253
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

5. A normal problem is that the ASA's inside LAN doesn't have a route back to the VPN pool range; check this as well.

I can see the host route for the VPN client in the sh route output on the ASA. On the core switch the default route is pointing to the ASA; still I'm not able to ping the core.

If you can PING the ASA's inside IP but not the internal LAN (and you have the routing correct), maybe you have an overlapping issue.

Is the VPN pool range part of the internal network IP addressing scheme?

Federico.

Hi,

Do you have NAT exemption configured on the ASA for traffic destined from the internal LAN to the pool of IPs? Please post a sanitized config here if possible.

Regards,

Prapanch

Hello Dears,

Here is the related configuration for the remote VPN:

  1. I have enabled ip any any from the outside interface, and also
  2. I enabled the sysopt command to permit anything from the VPN client,
  3. I have specified route inside tunneled,
  4. My corporate pool is 10.75.0.0 255.255.0.0; from that I'm using the below pool for VPN: ip local pool pool 10.75.166.1-10.75.166.10 mask 255.255.255.0
  5. When I change the pool I'm not able to ping the inside interface of the firewall. From the firewall I'm able to ping the client, but from the client I'm not able to ping the inside interface.

After doing the above I still can't access the internal network. Any clues, dears?

Thanks

ip local pool pool 10.75.166.1-10.75.166.10 mask 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 10.75.166.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

For split tunneling

access-list split_tunnel standard permit any

group-policy XX internal
group-policy XX attributes
dns-server value X>X>X>X
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value XX.XX.gov.uk

tunnel-group XXX type remote-access
tunnel-group XXX general-attributes
address-pool pool
default-group-policy XX
tunnel-group XXX ipsec-attributes
pre-shared-key *****

The corporate pool is 10.75.0.0 255.255.0.0 and the VPN range is 10.75.166.1-10.75.166.10 mask 255.255.255.0

Do the following:

Attempt to connect from the VPN client.

Say you get IP 10.75.166.1/24

Add this route to the internal device: ip route 10.75.166.1 255.255.255.255 INSIDE_IP_ASA

The idea is that you connect your VPN client and add the route specifically back to the ASA from your corporate LAN and see if it works.

Federico.
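As an added example (not code from the thread, and not a Cisco tool), the following Python script re-creates the configuration lines quoted above as constructed sample input and checks the three points the thread raises: whether the inside NAT-exemption ACL covers every address of the pool, whether the pool falls inside the 10.75.0.0/16 corporate range, and whether a "tunnelspecified" split-tunnel policy whose list permits "any" actually tunnels everything. The group-policy name XX and the nat0 destination 10.75.166.0/24 are taken from the posted config; nothing else is assumed.

```python
import ipaddress
import re

CORPORATE_LAN = "10.75.0.0/16"  # stated in the thread

# Constructed sample input: the ASA lines quoted in the thread (sanitised names kept).
ASA_CONFIG = """\
ip local pool pool 10.75.166.1-10.75.166.10 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.75.166.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list split_tunnel standard permit any
group-policy XX attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")


def parse_pool(config):
    """Return (first, last, containing subnet) of the first 'ip local pool' line."""
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            _, first, last, mask = m.groups()
            subnet = ipaddress.ip_network(f"{first}/{mask}", strict=False)
            return ipaddress.ip_address(first), ipaddress.ip_address(last), subnet
    raise ValueError("no 'ip local pool' line found")


def _take_addr(tokens):
    """Consume one ASA address spec ('any', 'host A', or 'A MASK') from a token list."""
    kw = tokens.pop(0)
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{kw}/{mask}", strict=False)


def extended_acl_entries(config, name):
    """Yield (src_net, dst_net) for each 'permit ip' entry of the named extended ACL."""
    prefix = f"access-list {name} extended permit ip "
    for line in config.splitlines():
        line = line.strip()
        if line.startswith(prefix):
            tokens = line[len(prefix):].split()
            src = _take_addr(tokens)
            dst = _take_addr(tokens)
            yield src, dst


def nat0_acl_name(config):
    """Name of the ACL bound by 'nat (inside) 0 access-list ...', or None."""
    for line in config.splitlines():
        m = re.match(r"^nat \(inside\) 0 access-list (\S+)$", line.strip())
        if m:
            return m.group(1)
    return None


def nat0_covers_pool(config):
    """True if every pool address is a destination of the inside NAT-exemption ACL."""
    name = nat0_acl_name(config)
    if name is None:
        return False
    first, last, _ = parse_pool(config)
    entries = list(extended_acl_entries(config, name))
    addr = first
    while addr <= last:
        if not any(addr in dst for _, dst in entries):
            return False
        addr += 1
    return True


def pool_overlaps_corporate(config, corporate=CORPORATE_LAN):
    """True if the pool's subnet overlaps the corporate LAN range."""
    _, _, subnet = parse_pool(config)
    return subnet.overlaps(ipaddress.ip_network(corporate))


def split_tunnel_is_effectively_full(config):
    """'tunnelspecified' with a network list that permits 'any' tunnels everything anyway."""
    tunnelspecified = "split-tunnel-policy tunnelspecified" in config
    m = re.search(r"split-tunnel-network-list value (\S+)", config)
    if not (tunnelspecified and m):
        return False
    return f"access-list {m.group(1)} standard permit any" in config


def audit(config, corporate=CORPORATE_LAN):
    """Run the checks the thread discusses and return them as a dict of findings."""
    return {
        "nat0_covers_pool": nat0_covers_pool(config),
        "pool_in_corporate_lan": pool_overlaps_corporate(config, corporate),
        "split_tunnel_is_effectively_full": split_tunnel_is_effectively_full(config),
    }


if __name__ == "__main__":
    for check, result in audit(ASA_CONFIG).items():
        print(f"{check}: {result}")
```

On the posted config all three findings come back True: NAT exemption is fine, the split-tunnel list sends everything through the tunnel, and the pool sits inside the corporate /16, which is the overlap Federico asks about.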

Hello Federico,

It is pinging from the core to the VPN client, but I'm not able to ping from the VPN client to the core, nor the ASA inside interface. Also I'm not able to RDP to servers or telnet to access switches.

Thanks

If you're PINGing fine in one direction, it is working. Don't you have the Windows firewall enabled on the client?

Federico.

Hello Dear,

I checked this; it is disabled. I'm not able to RDP to servers or access any access switches. I can ping from the access switches but I can't ping from the VPN client, which is very strange: pings mean packets go and come back, so why is the client not able to ping when permit ip any any is enabled on the outside interface?

Thanks

Seems to me it's a routing issue.

Your corporate LAN should have a route to the VPN clients pointing to the ASA (you mentioned there's a default gateway in place), but since the VPN range is included in the corporate range I think the corporate devices think they should keep the traffic local.

Can you make sure and include a route statement back to the ASA for the VPN client on every device?

Or if using a dynamic routing protocol you can have the ASA inject the route using RRI.

Federico.
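To show why a pool carved out of the corporate range behaves differently from one outside it, here is an added Python model (not from the thread) of the core switch's forwarding decision: a longest-prefix-match lookup over a constructed table in which the 10.75.0.0/16 LAN is directly connected and the default route points at the ASA. The ASA inside address 10.75.0.1 is a placeholder, since the thread never gives it. The generate_host_routes helper emits the per-client "ip route" lines Federico suggests, in the IOS syntax quoted above, for the whole posted pool.

```python
import ipaddress

ASA_INSIDE = "10.75.0.1"  # placeholder for the ASA inside address (not given in the thread)

# Constructed core-switch routing table, as described in the thread: the corporate
# LAN is directly connected and the default route points at the ASA.
CORE_ROUTES = [
    ("10.75.0.0/16", "connected"),
    ("0.0.0.0/0", ASA_INSIDE),
]


def lookup(routes, dst):
    """Longest-prefix match: return the next hop the switch would use for dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def reply_path(routes, client_ip):
    """Describe what happens to the switch's reply towards a VPN client address."""
    nh = lookup(routes, client_ip)
    if nh == "connected":
        # The switch ARPs for the client on its own VLAN; the client actually sits
        # behind the ASA, so nothing answers and the reply never reaches the tunnel.
        return "arp-on-lan"
    return f"forward-to {nh}"


def with_host_route(routes, client_ip, asa_inside=ASA_INSIDE):
    """Return a copy of the table with a /32 back to the ASA for one client."""
    return routes + [(f"{client_ip}/32", asa_inside)]


def generate_host_routes(first, last, asa_inside="INSIDE_IP_ASA"):
    """IOS 'ip route' lines covering every address of the pool, as the thread suggests."""
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    lines = []
    addr = start
    while addr <= end:
        lines.append(f"ip route {addr} 255.255.255.255 {asa_inside}")
        addr += 1
    return lines


if __name__ == "__main__":
    client = "10.75.166.1"
    print("pool inside LAN, no host route:", reply_path(CORE_ROUTES, client))
    print("pool inside LAN, with host route:", reply_path(with_host_route(CORE_ROUTES, client), client))
    print("pool outside LAN (10.76.1.1):", reply_path(CORE_ROUTES, "10.76.1.1"))
    print("\n".join(generate_host_routes("10.75.166.1", "10.75.166.10")))
```

With the pool inside the /16, the connected route wins and the reply is ARPed on the LAN; the /32 host route (or a pool drawn from outside the corporate range) sends it to the ASA instead. Because the thread says the core uses only static routes, a /32 per pool address is the fallback when RRI is not available.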

Hello Federico

I removed the route and reloaded the core switch; it is pinging by the default route. There is no dynamic routing protocol; all is static on the core, pointing to the ASA for the default and to specific next hops for the other networks.

I can ping from the access switches but I can't ping from the VPN client, which is very strange: pings mean packets go and come back, so why is the client not able to ping when permit ip any any is enabled on the outside interface?
