
Anyconnect with ASA5520 issues

Adrian Ardelean
Level 1

Hi,

I set up a remote access VPN. I get connected, but there is no traffic.

From packet tracer it seems to be OK.

Any ideas?

Thanks!

10 Replies

Jennifer Halim
Cisco Employee

You would need to configure NAT exemption as follows:

object network obj-172.16.5.0
   subnet 172.16.5.0 255.255.255.0
object network obj-172.16.0.0
   subnet 172.16.0.0 255.255.255.224
object network obj-172.16.2.0
   subnet 172.16.2.0 255.255.254.0
object network vpn-pool
   subnet 172.16.200.0 255.255.255.0

nat (LAN-Servers,External) source static obj-172.16.5.0 obj-172.16.5.0 destination static vpn-pool vpn-pool
nat (LAN-IT,External) source static obj-172.16.0.0 obj-172.16.0.0 destination static vpn-pool vpn-pool
nat (LAN-GenPop,External) source static obj-172.16.2.0 obj-172.16.2.0 destination static vpn-pool vpn-pool
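
An added example, not part of the original thread and not Cisco code: a small offline check that every internal `object network` in a saved configuration has an identity (exempt) NAT rule toward the VPN pool, in the form used in the reply above. The function names and the sample text are assumptions; the sample reuses the thread's objects and deliberately omits the LAN-GenPop rule.

```python
import ipaddress
import re

# Constructed sample: object and NAT lines from the reply above, with the
# LAN-GenPop rule left out on purpose so the check has something to report.
SAMPLE_CONFIG = """\
object network obj-172.16.5.0
 subnet 172.16.5.0 255.255.255.0
object network obj-172.16.0.0
 subnet 172.16.0.0 255.255.255.224
object network obj-172.16.2.0
 subnet 172.16.2.0 255.255.254.0
object network vpn-pool
 subnet 172.16.200.0 255.255.255.0
nat (LAN-Servers,External) source static obj-172.16.5.0 obj-172.16.5.0 destination static vpn-pool vpn-pool
nat (LAN-IT,External) source static obj-172.16.0.0 obj-172.16.0.0 destination static vpn-pool vpn-pool
"""

NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source static (?P<src>\S+) (?P<src_map>\S+)"
    r" destination static (?P<dst>\S+) (?P<dst_map>\S+)")

def parse_objects(config):
    """Return {object name: ip_network} for 'object network' + 'subnet' pairs."""
    objects, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["object", "network"] and len(words) == 3:
            current = words[2]
        elif words[:1] == ["subnet"] and current and len(words) == 3:
            # strict=True raises ValueError if host bits are set for the mask
            objects[current] = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=True)
        elif line and not line.startswith(" "):
            current = None  # any other top-level command ends the object block
    return objects

def exempted_sources(config, pool_name):
    """Names of objects with an identity twice-NAT rule toward the pool."""
    found = set()
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m and m["src"] == m["src_map"] and m["dst"] == m["dst_map"] == pool_name:
            found.add(m["src"])
    return found

def missing_exemptions(config, pool_name="vpn-pool"):
    """Internal objects that have no NAT exemption toward the VPN pool."""
    objects = parse_objects(config)
    return sorted(set(objects) - {pool_name} - exempted_sources(config, pool_name))
```

It only recognises the `source static A A destination static P P` form shown in the reply; exemptions written with object groups or other rule styles are not detected.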

Thank you.

I'm afraid it's not working, same thing as before.

Now I have this:

How are you trying to test? Did you use ping?

If you do, please also add the following:

policy-map global_policy
 class inspection_default
  inspect icmp

And are you able to ping 172.16.0.29 after connecting through AnyConnect?

I tried with ping, nothing.

I added those, still nothing.

I can't ping anything, not even 172.16.0.29.

But now, in packet tracer I have this:

Thank you!

You need to declare the network routes for the inside network. Can you post the output of the command "debug crypto ipsec sa"?

Regards,
Jose Luis B.
Please do rate if the given information helps.

No output on "debug crypto ipsec". (with sa it gives me an error)

Well, this is AnyConnect, so "debug cry ipsec" is the incorrect debug to use.

Can you please connect via AnyConnect, and share the output of statistics and also the route from the AnyConnect client.

Also, please share the latest config after the changes.

This is what I have:

1.png

2.png

On the ASA, can you please share the details of the following once you have connected through AnyConnect and pinged something:

show vpn-sessiondb detail anyconnect

Yes sir!

Here you have: