New Member

ASA 5510 VPN problem

Hi,

I have configured an ASA 5510. Remote VPN clients get connected, but they are not able to access any network resources behind the firewall.

Here is the current config of the ASA.

Can anyone please help to resolve this?

Thanks

6 REPLIES

Re: ASA 5510 VPN problem

Hi,

Could you please remove the "nat (inside) 0 0.0.0.0 0.0.0.0" command and put "sysopt connection permit-ipsec" for testing?

HTH

Thot

Re: ASA 5510 VPN problem

Try to add the following line:

crypto isakmp nat-traversal 20

Let us know if it works.

Is your VPN client routes window similar to the following?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml#connect

Regards

Farrukh

New Member

Re: ASA 5510 VPN problem

Hi,

In your nat0 ACL, just swap the networks (your VPN pool address should be the destination)

and call that access-list in nat.

Check sysopt and NAT-T as well,

and remove nat (inside) 0 0.0.0.0 0.0.0.0

Regards,

Re: ASA 5510 VPN problem

There is no need to remove nat (inside) 0 0.0.0.0 0.0.0.0 if the proper nat 0 ACL is there. NAT Exemption (nat 0 ACL) has the highest priority and will be considered first.

sysopt is enabled by default (but worth the check).

He is not using the nat ACL you refer to (nat_0), this one is being used which seems correct:

access-list inside_nat0_inbound extended permit ip any 192.168.50.0 255.255.255.192

nat (inside) 0 access-list inside_nat0_inbound

Regards

Farrukh

New Member

Re: ASA 5510 VPN problem

True.

New Member

Re: ASA 5510 VPN problem

Can you mention some LAN subnet in your no-NAT ACL instead of "any"?

Just try if it works, because "any" should also work.

Regards,
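
Added example, not part of any post in this thread and not Cisco's code: a small Python check for the question the replies debate, namely whether the ACL bound by `nat (inside) 0 access-list` lists the VPN pool as the destination or has the networks swapped. The sample config is constructed; the pool name `vpnpool`, the 10.1.1.0/24 inside subnet and the body of `nat_0` are assumptions, since the poster's config is not on the page.

```python
import ipaddress

# Constructed sample, not the poster's config. Assumed values: pool name
# "vpnpool", inside subnet 10.1.1.0/24, and the body of the nat_0 ACL.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.50.1-192.168.50.62 mask 255.255.255.192
access-list nat_0 extended permit ip 192.168.50.0 255.255.255.192 10.1.1.0 255.255.255.0
access-list inside_nat0_inbound extended permit ip any 192.168.50.0 255.255.255.192
nat (inside) 0 access-list inside_nat0_inbound
nat (inside) 0 0.0.0.0 0.0.0.0
"""

def take_addr(tok, i):
    """Parse one ACL address spec at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def check_nat_exemption(config, iface="inside"):
    """Return (bound ACL name, findings) for the nat 0 ACL on iface."""
    pools, acls, bound = [], {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "local", "pool"]:
            lo, _, hi = tok[4].partition("-")
            pools.append((ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)))
        elif tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
            src, i = take_addr(tok, 5)
            dst, _ = take_addr(tok, i)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[:4] == ["nat", f"({iface})", "0", "access-list"]:
            bound = tok[4]
    if bound is None:
        return None, [f"no 'nat ({iface}) 0 access-list' statement found"]
    findings, entries = [], acls.get(bound, [])
    for lo, hi in pools:
        if any(lo in dst and hi in dst for _, dst in entries):
            continue  # pool is a destination: VPN return traffic is exempt
        if any(lo in src and hi in src for src, _ in entries):
            findings.append(f"{bound}: pool {lo}-{hi} is the source; swap the networks")
        else:
            findings.append(f"{bound}: no entry has pool {lo}-{hi} as destination")
    return bound, findings

if __name__ == "__main__":
    print(check_nat_exemption(SAMPLE_CONFIG))
```
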
