Cisco Support Community
New Member

VPN Client cannot connect to the internal network

When a remote VPN client connects, he can SSH to the DMZ network but cannot SSH to the internal network.

There are two types of VPN installed: the first is site-to-site and the second is the remote VPN client. Please help me out.

8 REPLIES
Green

Re: VPN Client cannot connect to the internal network

Could you post a sanitized config from the ASA?

Is the traffic between the inside network and the VPN client subnet exempted from NAT?

Is there any split tunnel configured?

New Member

Re: VPN Client cannot connect to the internal network

access-list inside_outbound_nat0_acl extended permit ip INSIDE-NET 255.255.255.0 192.168.70.0 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip DMZ-NET 255.255.255.0 192.168.70.0 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip any host 10.1.19.4
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 INSIDE-NET 255.255.255.0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 1 DMZ-NET 255.255.255.0

Split tunnel is enabled.

New Member

Re: VPN Client cannot connect to the internal network

Please find the configs attached.

Green

Re: VPN Client cannot connect to the internal network

The config looks OK. The inside network is exempted from NAT to the VPN client subnet and is also included in the split tunnel ACL. Can you ping any devices on the inside network, or is it specifically SSH traffic?

New Member

Re: VPN Client cannot connect to the internal network

Nothing on the internal network is reachable.

New Member

Re: VPN Client cannot connect to the internal network

I tried to SSH to the internal network; the syslog gives the following:

3 Jul 16 2007 18:13:40 713042 IKE Initiator unable to find policy: Intf 1, Src: 192.168.60.10, Dst: 192.168.70.8

Please help me out.

Green

Re: VPN Client cannot connect to the internal network

Try this:

crypto map outside_map interface outside
crypto isakmp identity address
no crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

This is all you should need. I would clean out all the rest.

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

New Member

Re: VPN Client cannot connect to the internal network

The crypto map access list was conflicting with the site-to-site VPN. I have changed that, and it started working.

Thanks for the support.
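The two things this thread turned on are the checks Green asked about (is inside-to-pool traffic NAT-exempted?) and the eventual root cause (a static, site-to-site crypto map ACL that also matched traffic toward the remote-access client pool). The script below is an added example, not code from the thread or from Cisco: it parses ASA 7.x-style `access-list`, `nat (if) 0` and `crypto map ... match address` lines and reports both conditions. The nat0 lines are the ones posted above; the `outside_1_cryptomap` ACL, the peer address, and the addresses behind the `INSIDE-NET` and `DMZ-NET` names are constructed assumptions, since the thread never shows them (the inside value is chosen to agree with the syslog source 192.168.60.10).

```python
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

# Name aliases used in the posted config. The thread never shows the
# underlying addresses, so both values here are assumptions.
NAMES: Dict[str, str] = {
    "INSIDE-NET": "192.168.60.0",  # assumed; consistent with syslog src 192.168.60.10
    "DMZ-NET": "192.168.50.0",     # assumed; not given anywhere in the thread
}

# Constructed config: the nat0 lines from the thread plus a hypothetical
# site-to-site crypto ACL whose "any" destination also swallows the client pool.
CONFIG = """\
access-list inside_outbound_nat0_acl extended permit ip INSIDE-NET 255.255.255.0 192.168.70.0 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip DMZ-NET 255.255.255.0 192.168.70.0 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip any host 10.1.19.4
access-list outside_1_cryptomap extended permit ip INSIDE-NET 255.255.255.0 any
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (dmz) 0 access-list dmz_outbound_nat0_acl
crypto map outside_map 10 match address outside_1_cryptomap
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
"""


class Ace(NamedTuple):
    acl: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _endpoint(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ACE endpoint ('any', 'host A', or 'A MASK'); return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr = NAMES.get(tok, tok)                      # resolve 'name' aliases
    return ipaddress.ip_network(f"{addr}/{tokens[i + 1]}"), i + 2


def parse(config: str):
    """Return (aces, nat0 ACL names, {static crypto ACL name: 'map seq'})."""
    aces: List[Ace] = []
    nat0: List[str] = []
    static_crypto: Dict[str, str] = {}
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        # Only plain 'permit ip' ACEs matter for NAT exemption and crypto matching here
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _endpoint(t, 5)
            dst, _ = _endpoint(t, i)
            aces.append(Ace(t[1], src, dst))
        elif t[0] == "nat" and len(t) >= 5 and t[2] == "0" and t[3] == "access-list":
            nat0.append(t[4])
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            static_crypto[t[6]] = f"{t[2]} {t[3]}"   # dynamic entries have no match address
    return aces, nat0, static_crypto


def nat_exempt_covers(config: str, src_net: str, dst_net: str) -> bool:
    """True if some nat0 ACE covers all of src_net -> dst_net (the exemption Green asked about)."""
    aces, nat0, _ = parse(config)
    s, d = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    return any(a.acl in nat0 and s.subnet_of(a.src) and d.subnet_of(a.dst) for a in aces)


def crypto_map_conflicts(config: str, vpn_pool: str) -> List[str]:
    """Static crypto-map ACEs whose destination overlaps the remote-access pool.

    Return traffic from inside toward a client that matches such an ACE is
    treated as site-to-site interesting traffic instead of the dynamic entry.
    """
    aces, _, static_crypto = parse(config)
    pool = ipaddress.ip_network(vpn_pool)
    return [f"crypto map {static_crypto[a.acl]} ({a.acl}): {a.src} -> {a.dst} overlaps {pool}"
            for a in aces if a.acl in static_crypto and a.dst.overlaps(pool)]


if __name__ == "__main__":
    print("inside->pool NAT-exempt:", nat_exempt_covers(CONFIG, "192.168.60.0/24", "192.168.70.0/24"))
    for c in crypto_map_conflicts(CONFIG, "192.168.70.0/24"):
        print("CONFLICT:", c)
```

Run against the constructed config it confirms the exemption the poster showed and flags `outside_1_cryptomap`; narrowing that ACL's destination from `any` to the actual remote site's subnet makes the conflict disappear, which is the change the last reply describes.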
