
ASA 5510 vpn connection issue

Hi All,

We made a VPN on an ASA 5510. When the client connects, I see the logs of the ASA and the VPN client, and there is no problem in them. After connecting, I see that there are no decrypted packets in the VPN client's statistics. Secure routes is seen as

I know the problem is at that point, but I couldn't solve the issue.

I posted the configuration below. Thanks.

ASA Version 7.0(2)


name... ......


interface Ethernet0/0

nameif outside

security-level 0

ip address x.x.x.x x.x.x.x


interface Ethernet0/1

nameif inside

security-level 100

ip address


interface Ethernet0/2


no nameif

no security-level

no ip address


interface Management0/0

nameif management

security-level 100

ip address



ftp mode passive

access-list inside_nat0_outbound extended permit ip any

access-list inside_nat0_outbound extended permit ip any

access-list deneme_splitTunnelAcl standard permit any

access-list outside_cryptomap_dyn_20 extended permit ip any

access-list deneme1_splitTunnelAcl standard permit any

access-list outside_cryptomap_dyn_40 extended permit ip any

access-list deneme_splitTunnelAcl standard permit

access-list deneme1_splitTunnelAcl standard permit

access-list 15 extended permit ip

access-list 15 extended permit icmp

group-policy deneme internal

group-policy deneme attributes

split-tunnel-policy tunnelspecif deneme_splitTunnelAcl


group-policy deneme1 internal

group-policy deneme1 attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value deneme1_splitTunnelAcl


ip local pool gezi mask

username xxx password xxx privilege 0

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp

crypto ipsec transform-set TOLGA esp-3des esp-none

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

telnet inside

telnet timeout 5

ssh outside

ssh outside

ssh outside

ssh outside

ssh outside

ssh outside

ssh outside

ssh timeout 5

console time deneme type ipsec-ra

tunnel-group deneme general-attributes

default-group-policy deneme

tunnel-group deneme ipsec-attributes

pre-shared-key *

tunnel-group deneme1 type ipsec-ra

tunnel-group deneme1 general-attributes

address-pool POOLVPN

default-group-policy deneme1

tunnel-group deneme1 ipsec-attributes

pre-shared-key *


Re: ASA 5510 vpn connection issue

Upgrade the code to an interim version sure crypto access-lists match on both the sides. Else there will be connection drop.


Re: ASA 5510 vpn connection issue

In your NAT Exemption, Split Tunnel and Interesting traffic ACLs, do not use 'any.' Be more specific.

Your dynamic maps don't need to reference an ACL. A dynamic crypto map doesn't know the source IP address anyway.

Add the following line to your config for routes to be injected into the ASA when users connect.

'crypto dynamic-map outside_dyn_map 20 set reverse-route'

'crypto dynamic-map outside_dyn_map 40 set reverse-route'
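
The three points in the reply above can be checked mechanically against a saved configuration. The following is an added example, not code from the thread's participants or from Cisco: `audit` is a hypothetical helper, and the sample configuration is constructed in the style of the posted one, with documentation-range addresses as placeholders.

```python
import re

# Constructed sample in the style of the posted config. Addresses are
# documentation-range placeholders (assumptions), not values from the thread.
SAMPLE = """\
access-list inside_nat0_outbound extended permit ip any 192.0.2.0 255.255.255.0
access-list deneme1_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.0.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy deneme1 attributes
 split-tunnel-network-list value deneme1_splitTunnelAcl
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set reverse-route
"""

# Lines that attach an ACL to NAT exemption, split tunneling or a dynamic map.
ACL_USES = [
    (re.compile(r"^nat \(\S+\) 0 access-list (\S+)"), "NAT exemption"),
    (re.compile(r"^split-tunnel-network-list value (\S+)"), "split tunnel"),
    (re.compile(r"^crypto dynamic-map \S+ \d+ match address (\S+)"), "interesting-traffic"),
]
DYN = re.compile(r"^crypto dynamic-map (\S+) (\d+) (match address|set reverse-route|set)\b")

def audit(config):
    """Return sorted findings for the three points raised in the reply."""
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    any_acls = {line.split()[1] for line in lines
                if line.startswith("access-list ") and "any" in line.split()[2:]}
    findings = set()
    entries = {}  # (map name, sequence) -> settings seen on that entry
    for line in lines:
        for pattern, role in ACL_USES:
            m = pattern.match(line)
            if m and m.group(1) in any_acls:
                findings.add(f"{role} ACL {m.group(1)} uses 'any'")
        m = DYN.match(line)
        if m:
            entries.setdefault((m.group(1), m.group(2)), set()).add(m.group(3))
    for (name, seq), seen in entries.items():
        if "match address" in seen:
            findings.add(f"{name} {seq}: match address not needed on a dynamic map")
        if "set reverse-route" not in seen:
            findings.add(f"{name} {seq}: set reverse-route is missing")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
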