235 Views | 0 Helpful | 2 Replies

ASA 5510 vpn connection issue

cascolibre
Level 1

Hi All,

We set up a VPN on an ASA 5510. When the client connects, I look at the logs of the ASA and of the VPN client, and there is no problem in them. After connecting, I see that there are no decrypted packets in the VPN client's statistics. The secured routes are shown as 0.0.0.0 0.0.0.0.

I know the problem is at that point, but I couldn't solve the issue.

I posted the configuration below. Thanks

ASA Version 7.0(2)
names
name... ......
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.19.60.0 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1
 management-only
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.70.0 255.255.255.0
access-list deneme_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any 192.168.1.0 255.255.255.0
access-list deneme1_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.70.0 255.255.255.0
access-list deneme_splitTunnelAcl standard permit 172.19.60.0 255.255.255.0
access-list deneme1_splitTunnelAcl standard permit 172.19.60.0 255.255.255.0
access-list 15 extended permit ip 192.168.70.0 255.255.255.0 172.19.60.0 255.255.255.0
access-list 15 extended permit icmp 192.168.70.0 255.255.255.0 172.19.60.0 255.255.255.0
group-policy deneme internal
group-policy deneme attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value deneme_splitTunnelAcl
 webvpn
group-policy deneme1 internal
group-policy deneme1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value deneme1_splitTunnelAcl
 webvpn
ip local pool gezi 192.168.70.0-192.168.70.255 mask 255.255.255.255
username xxx password xxx privilege 0
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp
crypto ipsec transform-set TOLGA esp-3des esp-none
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 172.19.0.91 255.255.255.255 outside
ssh 172.19.0.71 255.255.255.255 outside
ssh 172.19.0.61 255.255.255.255 outside
ssh 172.19.0.78 255.255.255.255 outside
ssh 172.19.0.212 255.255.255.255 outside
ssh 172.19.0.243 255.255.255.255 outside
ssh 172.19.60.170 255.255.255.255 outside
ssh timeout 5
tunnel-group deneme type ipsec-ra
tunnel-group deneme general-attributes
 default-group-policy deneme
tunnel-group deneme ipsec-attributes
 pre-shared-key *
tunnel-group deneme1 type ipsec-ra
tunnel-group deneme1 general-attributes
 address-pool POOLVPN
 default-group-policy deneme1
tunnel-group deneme1 ipsec-attributes
 pre-shared-key *

2 Replies

thomas.chen
Level 6

Upgrade the code to an interim version, 7.2.1.9. Make sure the crypto access-lists match on both sides; otherwise there will be connection drops.

In your NAT exemption, split-tunnel and interesting-traffic ACLs, do not use 'any'. Be more specific.

Your dynamic maps don't need to reference an ACL. A dynamic crypto map doesn't know the source IP address anyway.

Add the following line to your config for routes to be injected into the ASA when users connect.

'crypto dynamic-map outside_dyn_map 20 set reverse-route'

'crypto dynamic-map outside_dyn_map 40 set reverse-route'
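The reply above raises three checkable points: dynamic crypto-map entries with no `set reverse-route`, VPN-related ACLs that use `any`, and (visible in the posted config) a tunnel-group whose `address-pool POOLVPN` has no matching `ip local pool`. The script below is an added example, not part of the thread and not Cisco code: a small lint pass over an ASA running-config that reports those three conditions and emits the reverse-route lines the reply suggests. The functions `lint_asa_config` and `suggested_fixes` are hypothetical names; the sample config is a constructed excerpt modelled on the question's config, and its `nat (inside) 0 access-list` line is constructed (the posted config does not show one) so that the NAT-exemption ACL is identified by reference rather than by name.

```python
"""Added example: lint an ASA running-config for the issues raised in the reply.

Findings are (check, detail) tuples:
  missing-rri     a crypto dynamic-map entry without 'set reverse-route', so the
                  client pool is never injected into the ASA routing table
  any-in-vpn-acl  a NAT-exemption, split-tunnel or crypto-map ACL that uses 'any'
  undefined-pool  a tunnel-group address-pool with no matching 'ip local pool'
"""
import re
from collections import defaultdict

# Constructed sample modelled on the question's config; the 'nat (inside) 0'
# line is an assumption added so the NAT-exemption ACL is found by reference.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 192.168.70.0 255.255.255.0
access-list deneme1_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_40 extended permit ip any 192.168.70.0 255.255.255.0
access-list 15 extended permit ip 192.168.70.0 255.255.255.0 172.19.60.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy deneme1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value deneme1_splitTunnelAcl
ip local pool gezi 192.168.70.0-192.168.70.255 mask 255.255.255.255
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
tunnel-group deneme1 general-attributes
 address-pool POOLVPN
 default-group-policy deneme1
"""


def lint_asa_config(text):
    """Return a sorted list of (check, detail) findings for a config text."""
    pools = set()                      # names from 'ip local pool'
    acl_entries = defaultdict(list)    # ACL name -> list of entry strings
    vpn_acls = set()                   # ACLs referenced by nat0 / split tunnel / crypto map
    dyn_entries = {}                   # (map, seq) -> set of 'set <keyword>' seen
    tg_pools = []                      # (tunnel-group, pool name)
    current_tg = None

    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip local pool (\S+)", line):
            pools.add(m.group(1))
        elif m := re.match(r"access-list (\S+) (?:extended|standard) (.*)", line):
            acl_entries[m.group(1)].append(m.group(2))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            vpn_acls.add(m.group(1))                      # NAT exemption ACL
        elif m := re.match(r"split-tunnel-network-list value (\S+)", line):
            vpn_acls.add(m.group(1))                      # split-tunnel ACL
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+) (match address|set) (\S+)", line):
            key = (m.group(1), m.group(2))
            dyn_entries.setdefault(key, set())
            if m.group(3) == "match address":
                vpn_acls.add(m.group(4))                  # crypto-map ACL
            else:
                dyn_entries[key].add(m.group(4))          # e.g. transform-set, reverse-route
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            current_tg = m.group(1)
        elif (m := re.match(r"address-pool (\S+)", line)) and current_tg:
            tg_pools.append((current_tg, m.group(1)))

    findings = []
    for (map_name, seq), keywords in dyn_entries.items():
        if "reverse-route" not in keywords:
            findings.append(("missing-rri", f"{map_name} {seq}"))
    for acl in vpn_acls:
        if any(re.search(r"\bany\b", entry) for entry in acl_entries.get(acl, [])):
            findings.append(("any-in-vpn-acl", acl))
    for tg, pool in tg_pools:
        if pool not in pools:
            findings.append(("undefined-pool", f"{tg} -> {pool}"))
    return sorted(findings)


def suggested_fixes(findings):
    """Config lines that follow mechanically from the findings. Only the
    reverse-route case has one; ACL scope and pool names need the admin's intent."""
    return [f"crypto dynamic-map {detail} set reverse-route"
            for check, detail in findings if check == "missing-rri"]


if __name__ == "__main__":
    results = lint_asa_config(SAMPLE_CONFIG)
    for check, detail in results:
        print(f"{check:16} {detail}")
    for line in suggested_fixes(results):
        print("add:", line)
```

Run against the sample, the pass flags `outside_dyn_map 40` for the missing reverse-route, all three referenced ACLs for `any`, and `deneme1 -> POOLVPN` as an undefined pool, while leaving entry 20 (which already has RRI) and ACL 15 (not referenced by any VPN feature) alone. Feeding it a real `show running-config` works the same way, since the regexes only rely on the command forms that appear in the posted config.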
