Remote Connection Issue

Hi Guys,

I have got an issue connecting a VPN client to the ASA. Point-to-point VPN with other sites is working fine. Please see below for the current scenario.

 

Current Remote VPN connectivity and settings

 

  • ASA 5552x (IOS v8.6, ASDM v6.6) communicates with the internal RADIUS server (Windows 2008 + NPS) via the standard RADIUS port
  • The internal RADIUS server currently links to the AD server (Windows 2008) for the AD user database
  • The IP address is assigned by the ASA (DHCP pool)
  • Remote users log in using the Windows XP L2TP/IPsec client with a pre-shared key and their domain login and password

 

Current situation and problems:

 

  • The user can log in with their valid AD account. The remote laptop receives a correct IP address from the ASA DHCP pool (192.168.210.231-192.168.210.250). However, the remote laptop CANNOT communicate with other internal networks (e.g. PING)
  • The remote laptop CAN PING the VPN interface (outside) of the ASA.
  • There is a VPN remote connection established (IKEv1) when logging into the ASA (see below)
  • Note: The ASA configuration is attached (most of the configuration was done with ASDM)

 

ciscoasa# sh vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
IKEv1 IPsec/L2TP IPsec       :      1 :         46 :           1
Site-to-Site VPN             :      3 :        229 :           5
  IKEv2 IPsec                :      3 :        229 :           5
---------------------------------------------------------------------------
Total Active and Inactive    :      4             Total Cumulative :    275
Device Total VPN Capacity    :    750
Device Load                  :     1%
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent
                             ----------------------------------------------
IKEv1                        :      1 :         46 :               1
IKEv2                        :      3 :        229 :               5
IPsec                        :      5 :       2494 :              11
L2TPOverIPsec                :      1 :         13 :               1
---------------------------------------------------------------------------
Totals                       :     10 :       2782
---------------------------------------------------------------------------

 

Please see the attached ASA configuration for the same.

1 REPLY
Hello,

Having a look at your config, it seems you have missed reverse route injection under the dynamic crypto map:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP set reverse-route

The ASA must know how to reach back to the VPN client. By using reverse route injection, the VPN client injects a static route on the ASA to reach itself. Also, if you configure any routing protocol, this static route must be redistributed so that internal clients know how to reach the VPN client. Otherwise, a default route pointing towards the ASA internal interface also works on the internal hosts.

HTH

"Please rate helpful posts"
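As an added example, not part of the original thread or of the attached ASA configuration, here is the dynamic crypto map from the reply with reverse route injection enabled, together with the redistribution the reply describes and a way to verify the injected route. The crypto map name OUTSIDE_MAP, the sequence number 65535, the EIGRP process number, the inside network 10.0.0.0/8 and the client's public IP are assumptions; the pool range 192.168.210.231-250 is the one quoted in the question. The NAT exemption at the end is an extra check not raised in the thread: on ASA 8.3 and later, traffic between the inside networks and the VPN pool must be excluded from translation or replies from internal hosts never reach the client.

```cisco
! Added example configuration, not taken from the attached ASA config.
!
! 1. Reverse route injection on the dynamic crypto map that terminates the
!    L2TP/IPsec clients (map name from the reply; 65535 is the default
!    sequence number ASDM uses for SYSTEM_DEFAULT_CRYPTO_MAP).
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
!
! 2. The dynamic map only takes effect if it is bound to a crypto map that
!    is applied on the outside interface. "OUTSIDE_MAP" is an assumed name.
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_MAP interface outside
!
! 3. If the internal routers learn routes from the ASA, redistribute the
!    injected host routes so they learn a path to each connected client.
!    EIGRP AS 1 and the 10.0.0.0/8 inside network are assumptions.
!    Without a routing protocol, the internal hosts need a default route
!    (or a route for 192.168.210.224/27) pointing at the ASA inside interface.
router eigrp 1
 network 10.0.0.0 255.0.0.0
 redistribute static
!
! 4. Verification once a client is connected: the client's /32 should appear
!    as a static route via the peer's public address on the outside interface.
!    192.168.210.231 is the first pool address from the question; the peer
!    address is a placeholder.
!
!    ciscoasa# show route | include 192.168.210.231
!    S    192.168.210.231 255.255.255.255 [1/0] via <client-public-ip>, outside
!
! 5. Extra check not mentioned in the thread: NAT exemption for pool traffic.
!    192.168.210.224/27 covers the pool 192.168.210.231-250. If the existing
!    config already has an equivalent "nat ... source static" line this is
!    redundant; do not add a second one.
object network INSIDE_NET
 subnet 10.0.0.0 255.0.0.0
object network VPN_POOL
 subnet 192.168.210.224 255.255.255.224
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
```

After applying step 1 the existing L2TP session has to reconnect before a route is injected, because the route is created when the IPsec SA comes up. If `show route` shows the /32 but the client still cannot ping inside hosts, the problem is on the return path (internal routing or the NAT exemption in step 5), not in the tunnel itself.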
