Cisco Support Community
New Member

ASA 5505 Remote Access VPN

Please help... went through the VPN wizard. Can establish a connection but can't access anything on the inside interface. Is there an access list rule that is missing or a sysopt connection statement that is needed?

I've attached the current config.

Thank You

8 REPLIES
Hall of Fame Super Blue

Re: ASA 5505 Remote Access VPN

Hi

Try adding this to your config

"crypto isakmp nat-traversal"

HTH

Jon

New Member

Re: ASA 5505 Remote Access VPN

Thanks Jon,

I added crypto isakmp nat-traversal to the config. It still is not working correctly. Since adding this statement, when I ping the "inside" interface 192.168.20.2, I get icmp replies from the "outside" interface.

New Member

Re: ASA 5505 Remote Access VPN

Hi,

You need to use an access-list to bypass NAT.

Use nat 0 with an access-list.

I'm sending you a sample config as per your network.

Back up your current config,

remove your VPN config,

and use this template just as a template.

.......................................

access-list 101 extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list 102 extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0
ip local pool vpnpool1 192.168.200.1-192.168.200.254 mask 255.255.255.0
nat (inside) 0 access-list 102
group-policy test internal
group-policy test attributes
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
sysopt connection permit-ipsec
username test password cisco encrypted privilege 0
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool vpnpool1
 default-group-policy test
tunnel-group test ipsec-attributes
 pre-shared-key cisco#123

.......................................

Let me know if it works.

Please don't forget to rate this post if it works.

Regards,
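
Added example (not part of the original post or thread): a small Python check, for the pre-8.3 `nat (inside) 0 access-list` syntax used in the template above, that reports VPN address pools not covered by any NAT-exemption ACL. The function name `unexempted_pools`, the sample config and the restriction to plain network/mask ACEs are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample using the same pre-8.3 syntax as the template above.
SAMPLE_CONFIG = """\
access-list 102 extended permit ip 192.168.20.0 255.255.255.0 192.168.200.0 255.255.255.0
ip local pool vpnpool1 192.168.200.1-192.168.200.254 mask 255.255.255.0
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Only "permit ip <net> <mask> <net> <mask>" ACEs are parsed; "any", "host"
# and object-group forms are skipped (a limitation of this example).
ACE = re.compile(
    r"^access-list (\S+) extended permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$")
POOL = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)")
NAT0 = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def unexempted_pools(config, inside_net, ifname="inside"):
    """Return names of VPN pools that no nat-0 ACL on ifname exempts."""
    inside = ipaddress.ip_network(inside_net)
    aces, pools, nat0_acls = {}, {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := ACE.match(line):
            name, sa, sm, da, dm = m.groups()
            aces.setdefault(name, []).append((_net(sa, sm), _net(da, dm)))
        elif m := POOL.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif (m := NAT0.match(line)) and m[1] == ifname:
            nat0_acls.add(m[2])
    missing = []
    for name, (first, last) in pools.items():
        # Exempt only if one ACE covers the inside net and the whole pool range.
        covered = any(
            inside.subnet_of(src) and first in dst and last in dst
            for acl in nat0_acls for src, dst in aces.get(acl, []))
        if not covered:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print(unexempted_pools(SAMPLE_CONFIG, "192.168.20.0/24"))
```
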

New Member

Re: ASA 5505 Remote Access VPN

Hi Schakra,

I modified the configuration per your instructions but still can't access anything on the inside interface. Split tunnel works as I can access the Internet when connected. But still have no access to anything on the "inside" interface.

Attached is the new configuration.

Thank You

New Member

Re: ASA 5505 Remote Access VPN

Where is this command?

sysopt connection permit-ipsec

If it does not work,

also try removing

nat (inside) 1 0.0.0.0 0.0.0.0

Are you trying to access anything other than the 192.168.20.0 network? Then you may need to explicitly allow it.

Regards,

New Member

Re: ASA 5505 Remote Access VPN

I've entered both of the following commands and neither shows in the config:

sysopt connection permit-ipsec

sysopt connection permit-vpn

I also tried removing

nat (inside) 1 0.0.0.0 0.0.0.0

Still no luck in accessing the 192.168.20.0/24 subnet on the inside interface.

New Member

Re: ASA 5505 Remote Access VPN

I have the same problem entering the command sysopt connection permit-ipsec.

If you do permit-ipsec ?, permit-ipsec is not an option.

I'm trying to do a spoke-to-spoke VPN solution, and without connection permit-ipsec in my spoke ASA 5505s, packets are rejected.

New Member

Re: ASA 5505 Remote Access VPN

The sysopt connection permit-ipsec command is not displayed in the output of the show running-config sysopt command on ASA version 7.x, but is displayed in PIX version 7.x. ASA only displays sysopt connection permit-vpn.

In PIX version 7.x the sysopt connection permit-ipsec command, and in ASA version 7.x the sysopt connection permit-vpn command, resolves the one-way traffic issue.

Sourav
