Trouble w/ ASA 5510 and R-VPN

I'm having a tough time getting remote VPN to work with my ASA 5510.

I know there may be some problems with this config... Any advice would be greatly appreciated.


interface Ethernet0/0
 nameif outside
 security-level 2
 ip address
 rip send version 1

interface Ethernet0/1
 nameif inside
 security-level 90
 ip address

boot system disk0:/asa721-k8.bin
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Morbo_Services tcp
 port-object eq ftp-data
 port-object eq ftp
 port-object eq ssh
 port-object eq www
access-list buzznetRA_splitTunnelAcl standard permit any
access-list outside_access_in extended permit ip interface outside
access-list inside_access_in extended permit ip any any
access-list DefaultRAGroup2_splitTunnelAcl standard permit any
access-list outside_cryptomap extended permit ip any
ip local pool BNVPN_IP_Pool mask

global (outside) 200 interface
nat (inside) 200
nat (management) 0 access-list management_nat0_outbound
static (inside,outside) netmask
access-group outside_access_in in interface outside
access-group inside_access_in_1 in interface inside
route outside 1

group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value buzznetRA_splitTunnelAcl
 default-domain none
 split-dns none
 intercept-dhcp disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value BNVPN_IP_Pool
 client-firewall none
 client-access-rule none
username asadowsky password ****== nt-encrypted privilege 0
username john password ****== nt-encrypted privilege 0
username john attributes
 vpn-group-policy DfltGrpPolicy
http server enable
http management
http inside
crypto ipsec transform-set VPNTRANS esp-3des esp-sha-hmac
crypto ipsec transform-set VPNTRANS mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set VPNTRANS
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map interface inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup general-attributes
 address-pool BNVPN_IP_Pool
 authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate cert
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 authorization-server-group LOCAL
no vpn-addr-assign aaa
no vpn-addr-assign dhcp

dhcpd address management
dhcpd enable management

class-map inspection_default
 match default-inspection-traffic

service-policy global_policy global

Re: Trouble w/ ASA 5510 and R-VPN

access-list inside-nonat permit ip

nat (inside) 0 access-list inside-nonat

Your vpn range is on the same network, which should work fine, but you could just as easily use an internal DHCP server at that point.

This is under the assumption that you're even authenticating. Are you? You should probably turn on logging and post the results of that as well.

Re: Trouble w/ ASA 5510 and R-VPN

I figured it out! I had been trying to authenticate against a PSK *AND* a cert. That was keeping me from successfully authenticating. And, as if that wasn't enough, my IP pool was in the same subnet as my internal network - something I learned was incorrect.

Many thanks for checking in!
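
The pool/subnet overlap mentioned in the replies above can be checked mechanically before a config is deployed. The following is an added example, not code from any poster in this thread; the function names are hypothetical and the addresses in the sample config are constructed, since the thread's own addresses were stripped. It generalizes slightly by comparing every `ip local pool` against every named interface, not only `inside`.

```python
import ipaddress
import re

# Constructed sample: the thread's real addresses were stripped, so these are made up.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 192.168.10.1 255.255.255.0
ip local pool BNVPN_IP_Pool 192.168.10.200-192.168.10.220 mask 255.255.255.0
ip local pool Separate_Pool 192.168.50.10-192.168.50.50 mask 255.255.255.0
"""

POOL_RE = re.compile(
    r"^\s*ip local pool (\S+) (\d+(?:\.\d+){3})(?:-(\d+(?:\.\d+){3}))?", re.M)

def interface_networks(config):
    """Map each nameif to the IPv4 network configured on that interface."""
    nets, name = {}, None
    for words in (line.split() for line in config.splitlines()):
        if words[:1] == ["interface"]:
            name = None                      # new stanza, nameif not seen yet
        elif words[:1] == ["nameif"] and len(words) > 1:
            name = words[1]
        elif words[:2] == ["ip", "address"] and name and len(words) >= 4:
            try:
                nets[name] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
            except ValueError:
                pass                         # e.g. "ip address dhcp setroute"
    return nets

def local_pools(config):
    """Map each 'ip local pool' name to its (first, last) address."""
    pools = {}
    for name, first, last in POOL_RE.findall(config):
        pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last or first))
    return pools

def overlapping_pools(config):
    """Return sorted (pool, nameif) pairs whose address ranges intersect."""
    nets = interface_networks(config)
    return sorted(
        (pool, nameif)
        for pool, (first, last) in local_pools(config).items()
        for nameif, net in nets.items()
        if first <= net.broadcast_address and last >= net.network_address)

if __name__ == "__main__":
    for pool, nameif in overlapping_pools(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps the subnet on interface {nameif}")
```

Lines whose addresses are missing, as in the config posted above, are skipped rather than guessed at.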