07-10-2007 08:57 AM - edited 02-21-2020 03:08 PM
Please help... went through the VPN wizard. Can establish a connection but can't access anything on the inside interface. Is there an access list rule that is missing or a sysopt connection statement that is needed?
I've attached the current config.
Thank You
07-10-2007 09:18 AM
Hi
Try adding this to your config
"crypto isakmp nat-traversal"
HTH
Jon
07-10-2007 09:30 AM
Thanks John,
I added crypto isakmp nat-traversal to the config. It still is not working correctly. Since adding this statement, when I ping the "inside" interface 192.168.20.2, I get icmp replies from the "outside" interface.
07-10-2007 10:21 AM
Hi,
You need to use an access-list to bypass NAT:
use nat 0 with an access-list.
I'm sending you a sample config as per your network.
Back up your current config,
remove your VPN config,
and use this template just as a template.
.......................................
access-list 101 extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 102 extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0
ip local pool vpnpool1 192.168.200.1-192.168.200.254 mask 255.255.255.0
nat (inside) 0 access-list 102
group-policy test internal
group-policy test attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 101
sysopt connection permit-ipsec
username test password cisco encrypted privilege 0
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
address-pool vpnpool1
default-group-policy test
tunnel-group test ipsec-attributes
pre-shared-key cisco#123
.......................................
Let me know if it works.
Please don't forget to rate this post if it works.
Regards,
07-10-2007 10:53 AM
Hi Schakra,
I modified the configuration per your instructions but still can't access anything on the inside interface. Split tunnel works as I can access the Internet when connected. But still have no access to anything on the "inside" interface.
Attached is the new configuration.
Thank You
07-10-2007 11:11 AM
Where is this command?
sysopt connection permit-ipsec
If it does not work,
also try removing
nat (inside) 1 0.0.0.0 0.0.0.0
Are you trying to access networks other than 192.168.20.0? Then you may need to explicitly allow them.
Regards,
07-10-2007 11:30 AM
I've entered both of the following commands and neither show in the config:
sysopt connection permit-ipsec
sysopt connection permit-vpn
I also tried removing
nat (inside) 1 0.0.0.0 0.0.0.0
Still no luck in accessing the 192.168.20.0/24 subnet on the inside interface.
07-13-2007 08:40 PM
I have the same problem entering the command sysopt connection permit-ipsec.
If you do "permit-ipsec ?", permit-ipsec is not an option.
I'm trying to do a spoke-to-spoke VPN solution, and without "connection permit-ipsec" on my spoke ASA 5505s, packets are rejected.
07-13-2007 09:23 PM
The sysopt connection permit-ipsec command is not displayed in the output of the show running-config sysopt command on ASA version 7.x,
but it is displayed in PIX version 7.x. ASA only displays sysopt connection permit-vpn.
In PIX version 7.x the sysopt connection permit-ipsec command, and in ASA version 7.x the sysopt connection permit-vpn command, resolves the one-way traffic issue.
Sourav
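A quick configuration check for the two things this thread turns on, the NAT exemption (nat 0 with an access-list whose destination covers the VPN pool, from Schakra's template) and the sysopt connection permit-vpn / permit-ipsec statement (from Sourav's reply). This is an added example, not code from the thread or from Cisco; the sample configs are constructed from the template above, and the check parses only these few commands, not a full ASA running-config.

```python
import ipaddress
import re

# Constructed sample using the addresses from the template above: working case.
GOOD_CONFIG = """
access-list 102 extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0
ip local pool vpnpool1 192.168.200.1-192.168.200.254 mask 255.255.255.0
nat (inside) 0 access-list 102
sysopt connection permit-vpn
"""

# Constructed sample reproducing the original poster's symptom: pool exists,
# but clients are still PATed by nat (inside) 1 and no sysopt statement is present.
BAD_CONFIG = """
ip local pool vpnpool1 192.168.200.1-192.168.200.254 mask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
"""


def check_vpn_config(config):
    """Return a list of findings explaining why remote-access VPN clients
    could not reach hosts behind the inside interface (empty list = no issue found)."""
    findings = []
    # Collect address pools as (first, last) address ranges.
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    if not pools:
        findings.append("no 'ip local pool' defined for VPN clients")
    # NAT exemption: nat (inside) 0 must reference an ACL whose destinations cover each pool.
    exempt = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not exempt:
        findings.append("no 'nat (inside) 0 access-list' NAT exemption for VPN clients")
    else:
        acl = exempt.group(1)
        covered = set()
        for m in re.finditer(rf"^access-list {acl} extended permit ip (\S+) (\S+) (\S+) (\S+)", config, re.M):
            dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            for name, (lo, hi) in pools.items():
                if lo in dst and hi in dst:
                    covered.add(name)
        for name in pools:
            if name not in covered:
                findings.append(f"pool {name} is not a destination in access-list {acl}")
    # Without this, decrypted VPN traffic is still subject to the interface ACL.
    if not re.search(r"^sysopt connection permit-(vpn|ipsec)", config, re.M):
        findings.append("missing 'sysopt connection permit-vpn' (permit-ipsec on PIX 7.x)")
    return findings
```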