10-17-2006 06:45 AM
Hi All,
We made a VPN on an ASA 5510. When the client connects, I see the log of the ASA and the VPN client; there is no problem in them. After connecting, I see that there are no decrypted packets in the VPN client's statistics. Secure routes is seen as 0.0.0.0 0.0.0.0.
I know the problem is at that point, but I couldn't solve the issue.
I posted the configuration below. Thanks
ASA Version 7.0(2)
names
name... ......
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.19.60.0 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1
management-only
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.70.0 255.255.255.0
access-list deneme_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.0 255.255.255.0
access-list deneme1_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.70.0 255.255.255.0
access-list deneme_splitTunnelAcl standard permit 172.19.60.0 255.255.255.0
access-list deneme1_splitTunnelAcl standard permit 172.19.60.0 255.255.255.0
access-list 15 extended permit ip 192.168.70.0 255.255.255.0 172.19.60.0 255.255.255.0
access-list 15 extended permit icmp 192.168.70.0 255.255.255.0 172.19.60.0 255.255.255.0
group-policy deneme internal
group-policy deneme attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value deneme_splitTunnelAcl
webvpn
group-policy deneme1 internal
group-policy deneme1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value deneme1_splitTunnelAcl
webvpn
ip local pool gezi 192.168.70.0-192.168.70.255 mask 255.255.255.255
username xxx password xxx privilege 0
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set TOLGA esp-3des esp-none
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 172.19.0.91 255.255.255.255 outside
ssh 172.19.0.71 255.255.255.255 outside
ssh 172.19.0.61 255.255.255.255 outside
ssh 172.19.0.78 255.255.255.255 outside
ssh 172.19.0.212 255.255.255.255 outside
ssh 172.19.0.243 255.255.255.255 outside
ssh 172.19.60.170 255.255.255.255 outside
ssh timeout 5
tunnel-group deneme type ipsec-ra
tunnel-group deneme general-attributes
default-group-policy deneme
tunnel-group deneme ipsec-attributes
pre-shared-key *
tunnel-group deneme1 type ipsec-ra
tunnel-group deneme1 general-attributes
address-pool POOLVPN
default-group-policy deneme1
tunnel-group deneme1 ipsec-attributes
pre-shared-key *
10-20-2006 01:47 PM
Upgrade the code to an interim version, 7.2.1.9. Make sure crypto access-lists match on both sides. Else there will be connection drops.
05-12-2007 01:28 PM
In your NAT Exemption, Split Tunnel and Interesting Traffic ACLs, do not use 'any.' Be more specific.
Your dynamic maps don't need to reference an ACL. A dynamic crypto map doesn't know the source IP address anyway.
Add the following lines to your config for routes to be injected into the ASA when users connect.
'crypto dynamic-map outside_dyn_map 20 set reverse-route'
'crypto dynamic-map outside_dyn_map 40 set reverse-route'
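A small audit script for the three points this reply raises, added here as an example and not part of the thread: it scans the ACL, dynamic-map and address-pool lines of an ASA config for `any` entries, for `match address` on a dynamic map, and for a dynamic map without `set reverse-route`. It also goes one step beyond the reply and flags a tunnel-group whose `address-pool` names a pool that is never defined (the posted config defines `gezi` but references `POOLVPN`). `WEAK` is built from lines of the config posted above; `FIXED` is an assumed corrected form that follows the reply's advice, with `gezi` assumed to be the intended pool.

```python
import re
# Constructed sample: the lines from the config posted above that the reply objects to.
WEAK = """\
access-list inside_nat0_outbound extended permit ip any 192.168.70.0 255.255.255.0
access-list deneme1_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.70.0 255.255.255.0
ip local pool gezi 192.168.70.0-192.168.70.255 mask 255.255.255.255
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
tunnel-group deneme1 general-attributes
address-pool POOLVPN
"""
# Assumed corrected form following the reply's advice (not taken from the page).
FIXED = """\
access-list inside_nat0_outbound extended permit ip 172.19.60.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list deneme1_splitTunnelAcl standard permit 172.19.60.0 255.255.255.0
ip local pool gezi 192.168.70.0-192.168.70.255 mask 255.255.255.255
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set reverse-route
tunnel-group deneme1 general-attributes
address-pool gezi
"""

def audit_asa_vpn(config):
    # Returns a sorted list of (check, detail) findings for a remote-access VPN config.
    acls, dyn_maps, pools, used_pools = {}, {}, set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) (?:extended|standard) (.*)", line):
            acls.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+) (.*)", line):
            dyn_maps.setdefault((m[1], m[2]), []).append(m[3])
        elif m := re.match(r"ip local pool (\S+)", line):
            pools.add(m[1])
        elif m := re.match(r"address-pool (\S+)", line):
            used_pools.append(m[1])
    findings = []
    # NAT-exempt, split-tunnel and crypto ACLs should name the real networks, never 'any'.
    for name, entries in acls.items():
        if any(re.search(r"\bany\b", e) for e in entries):
            findings.append(("acl-uses-any", name))
    # A dynamic map needs no 'match address'; 'set reverse-route' injects the client routes.
    for (name, seq), cmds in dyn_maps.items():
        if any(c.startswith("match address") for c in cmds):
            findings.append(("dynmap-match-address", f"{name} {seq}"))
        if "set reverse-route" not in cmds:
            findings.append(("dynmap-no-reverse-route", f"{name} {seq}"))
    # A tunnel-group pointing at a pool that is never defined hands out no client address.
    findings += [("undefined-address-pool", p) for p in used_pools if p not in pools]
    return sorted(findings)
```

Running `audit_asa_vpn(WEAK)` lists every finding the reply describes plus the undefined pool, while `audit_asa_vpn(FIXED)` returns an empty list.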