Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5510 vpn connection issue

Hi All,

we made vpn on ASA 5510.When client connects, i see log of ASA and vpn client there is no problem in them.After connecting, i see that there is no decrypted packets in vpn client's statistics.Secure routes is seen as 0.0.0.0 0.0.0.0.

I know problem is that point, but i couldnt solve the issue.

I posted configuration below,Thanks

ASA Version 7.0(2)

names

name... ......

!

interface Ethernet0/0

nameif outside

security-level 0

ip address x.x.x.x x.x.x.x

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.19.60.0 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1

management-only

!

ftp mode passive

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.70.0 255.255.255.0

access-list deneme_splitTunnelAcl standard permit any

access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.0 255.255.255.0

access-list deneme1_splitTunnelAcl standard permit any

access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.70.0 255.255.255.0

access-list deneme_splitTunnelAcl standard permit 172.19.60.0 255.255.255.0

access-list deneme1_splitTunnelAcl standard permit 172.19.60.0 255.255.255.0

access-list 15 extended permit ip 192.168.70.0 255.255.255.0 172.19.60.0 255.255.255.0

access-list 15 extended permit icmp 192.168.70.0 255.255.255.0 172.19.60.0 255.255.255.0

group-policy deneme internal

group-policy deneme attributes

split-tunnel-policy tunnelspecif deneme_splitTunnelAcl

webvpn

group-policy deneme1 internal

group-policy deneme1 attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value deneme1_splitTunnelAcl

webvpn

ip local pool gezi 192.168.70.0-192.168.70.255 mask 255.255.255.255

username xxx password xxx privilege 0

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

http server enable

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp

crypto ipsec transform-set TOLGA esp-3des esp-none

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 172.19.0.91 255.255.255.255 outside

ssh 172.19.0.71 255.255.255.255 outside

ssh 172.19.0.61 255.255.255.255 outside

ssh 172.19.0.78 255.255.255.255 outside

ssh 172.19.0.212 255.255.255.255 outside

ssh 172.19.0.243 255.255.255.255 outside

ssh 172.19.60.170 255.255.255.255 outside

ssh timeout 5

console time deneme type ipsec-ra

tunnel-group deneme general-attributes

default-group-policy deneme

tunnel-group deneme ipsec-attributes

pre-shared-key *

tunnel-group deneme1 type ipsec-ra

tunnel-group deneme1 general-attributes

address-pool POOLVPN

default-group-policy deneme1

tunnel-group deneme1 ipsec-attributes

pre-shared-key *

2 REPLIES
Silver

Re: ASA 5510 vpn connection issue

Upgrade the code to a interim version 7.2.1.9.Make sure crypto access-lists match on both the sides.Else there will be connection drop.

New Member

Re: ASA 5510 vpn connection issue

In your NAT Exemption, Split Tunnel and Interesting traffic ACL's, do not use 'any.' Be more specific.

Your dynamic maps dont need to reference an ACL. A dynamic crypto map doesnt know the source ip address anyway.

Add the following line to your config for routes to be injected into the ASA when users connect.

'crypto dynamic-map outside_dyn_map 20 set reverse-route'

'crypto dynamic-map outside_dyn_map 40 set reverse-route'

100
Views
0
Helpful
2
Replies