Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Remote Access VPN strange behavior

Hello all,

I have a problem with remote access VPN on a ASA5505 (8.2).

I can establish a VPN connection and can ping the ASA, but nothing else on the network! Not only ping isn't working, I've also tried RDP, HTTP, and file access.

Additionally there is a site-to-site VPN to this ASA, which is working perfectly.

I have another ASA5505 which is almost configured the same and there it's working, so I really don't know where the problem is.

 

I hope you guys can help me!

Many thanks in advance!

 

Here's my config:

 

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(1)
!
hostname Shanghai
domain-name *******.local
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.20.18.0 network-vpnclient
name 172.20.16.8 SHDC01
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.16.1 255.255.248.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ***.***.***.62 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone SGT 8
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.20.16.1
 domain-name *****.local
same-security-traffic permit inter-interface
access-list nonat extended permit ip 172.20.16.0 255.255.248.0 network-vpnclient 255.255.255.0
access-list nonat extended permit ip 172.20.16.0 255.255.248.0 172.20.0.0 255.255.248.0
access-list split_tunnel standard permit 172.20.16.0 255.255.248.0
access-list acl-in extended permit icmp any any
access-list acl-in extended permit tcp any host ***.***.***.190 eq h323
access-list VPN_acl extended permit ip 172.20.16.0 255.255.248.0 network-vpnclient 255.255.255.0
access-list outside_cryptomap extended permit ip 172.20.16.0 255.255.248.0 172.20.0.0 255.255.248.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool client-vpn 172.20.18.1-172.20.18.254 mask 255.255.248.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 172.20.16.0 255.255.248.0
static (inside,outside) tcp interface h323 192.168.0.250 h323 netmask 255.255.255.255
access-group acl-in in interface outside
route outside 0.0.0.0 0.0.0.0 ***.***.***.61 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ActiveDirectory protocol ldap
aaa-server ActiveDirectory (inside) host SHDC01
 server-port 3268
 ldap-base-dn DC=*****,DC=local
 ldap-scope subtree
 ldap-login-password *
 ldap-login-dn CN=Administrator,CN=Users,DC=lap-laser,DC=local
 server-type microsoft
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 172.20.0.0 255.255.248.0 inside
http 172.20.16.0 255.255.248.0 inside
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
crypto ipsec transform-set laplaserset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 20 set transform-set laplaserset
crypto map laplasermap 1 match address outside_cryptomap
crypto map laplasermap 1 set pfs group5
crypto map laplasermap 1 set peer **.***.***.51
crypto map laplasermap 1 set transform-set ESP-AES-256-SHA
crypto map laplasermap 65535 ipsec-isakmp dynamic dynmap
crypto map laplasermap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 11
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcpd address 172.20.16.50-172.20.17.1 inside
dhcpd dns SHDC01 interface inside
dhcpd option 3 ip 172.20.16.1 interface inside
dhcpd enable inside
!

vpnclient vpngroup lapserver password ********
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
group-policy user-vpn internal
group-policy user-vpn attributes
 wins-server value 172.20.16.8
 dns-server value 172.20.16.8
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value *****.local
username admin password VQiqjZZuUSQOWz6. encrypted
username adminlogin password qZwgnR/XebVbOZxI encrypted
tunnel-group connection2 type ipsec-l2l
tunnel-group connection2 ipsec-attributes
 pre-shared-key *
tunnel-group **.***.***.51 type ipsec-l2l
tunnel-group **.***.***.51 ipsec-attributes
 pre-shared-key *
tunnel-group user-vpn type remote-access
tunnel-group user-vpn general-attributes
 address-pool client-vpn
 authentication-server-group ActiveDirectory
 default-group-policy user-vpn
 dhcp-server 172.20.16.1
tunnel-group user-vpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect dns preset_dns_map
  inspect http
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bc5e7b4ca01a2227885487ab3520ea9c
: end

 

 

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

I note in your config that

I note in your config that the pool of addresses for remote access VPN is a group of addresses included within the range of addresses on the inside interface. I have seen situations where this caused problems and so have a couple of suggestions:

- do the devices connected on the inside network have routes to the vpn pool of addresses?

- if you change the vpn address pool to use addresses that do not overlap with your inside network, does the behavior change?

 

HTH

 

Rick

3 REPLIES
Hall of Fame Super Silver

I note in your config that

I note in your config that the pool of addresses for remote access VPN is a group of addresses included within the range of addresses on the inside interface. I have seen situations where this caused problems and so have a couple of suggestions:

- do the devices connected on the inside network have routes to the vpn pool of addresses?

- if you change the vpn address pool to use addresses that do not overlap with your inside network, does the behavior change?

 

HTH

 

Rick

New Member

Hello Rick,I've changed the

Hello Rick,

I've changed the pool and guess what, it's working now!

Thanks a lot for your suggestion!

Hall of Fame Super Silver

I am glad that my suggestion

I am glad that my suggestion did lead you to a successful solution to the problem. Thank you for using the rating system to mark this question as answered. This will help to indicate to other readers that there is helpful information in this thread.

 

HTH

 

Rick

72
Views
0
Helpful
3
Replies