09-16-2009 11:46 PM
I have configured ASA for IPSec VPN communication through Cisco VPN Client and XP VPN client. I can connect successfully, but I cannot see any networks behind ASA when connected through Cisco VPN. What am I missing?
Config is:
interface GigabitEthernet0/1
 description vpn-turan-baku
 nameif outside-Baku
 security-level 0
 ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2.30
 description Remote Access
 vlan 30
 nameif remote-access
 security-level 0
 ip address 85.*.*.1 255.255.255.0
!
interface GigabitEthernet0/3
 description BCT_Inside
 nameif inside-Bct
 security-level 100
 ip address 10.40.50.65 255.255.255.252
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit tcp any host 10.254.17.10 eq ssh
access-list nat extended permit tcp any host 10.254.17.26 eq ssh
access-list nonat extended permit ip any any
access-list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
access-list nonat-vpn extended permit ip any 192.168.121.0 255.255.255.0
access-list split-tunnel standard permit 192.168.121.0 255.255.255.0
flow-export destination inside-Bct 192.168.1.27 9996
ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
no failover
icmp permit any outside-Baku
no asdm history enable
arp timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) 2 interface
nat (inside-Bct) 0 access-list nonat-vpn
nat (inside-Bct) 1 access-list nat
nat (inside-Bct) 2 access-list nat-ganja
access-group rdp out interface outside-Ganja
!
route remote-access 0.0.0.0 0.0.0.0 85.*.*.2 1
route outside-Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
route outside-Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
route outside-Baku 192.168.39.0 255.255.255.0 10.254.17.10 1
route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
route outside-Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec transform-set raccess esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 214748364
crypto ipsec security-association lifetime kilobytes 214748364
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
crypto map vpnclientmap interface remote-access
crypto isakmp identity address
crypto isakmp enable vpntest
crypto isakmp enable outside-Baku
crypto isakmp enable outside-Ganja
crypto isakmp enable remote-access
crypto isakmp enable inside-Bct
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
telnet timeout 5
ssh 192.168.1.0 255.255.255.192 outside-Baku
ssh 10.254.17.26 255.255.255.255 outside-Baku
ssh 10.254.17.18 255.255.255.255 outside-Baku
ssh 10.254.17.10 255.255.255.255 outside-Baku
ssh 10.254.17.26 255.255.255.255 outside-Ganja
ssh 10.254.17.18 255.255.255.255 outside-Ganja
ssh 10.254.17.10 255.255.255.255 outside-Ganja
ssh 192.168.1.0 255.255.255.192 inside-Bct
group-policy vpn internal
group-policy vpn attributes
 dns-server value 192.168.1.3
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value bct.az
tunnel-group DefaultRAGroup general-attributes
 address-pool raccess
 authentication-server-group TACACS
 default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
09-16-2009 11:51 PM
Also, when I run route print on the client machine, I see no default route through the VPN tunnel. I added it manually, but still no luck.
09-17-2009 12:05 AM
Issue is solved; split tunneling was incorrectly configured.
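As an added example (not from the original poster, who does not say what was changed): with `split-tunnel-policy tunnelspecified`, the network list names the networks sent through the tunnel, and in the posted config that list contains only the client pool's own subnet. The Python check below flags that pattern; `SAMPLE`, `parse` and `audit` are names made up for this example, and only the `network mask` form of standard ACL entries is handled.

```python
import ipaddress
import re

# Constructed sample: the split-tunnel lines of the config posted above.
SAMPLE = """\
access-list split-tunnel standard permit 192.168.121.0 255.255.255.0
ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
group-policy vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
tunnel-group DefaultRAGroup general-attributes
 address-pool raccess
 default-group-policy vpn
"""

def parse(config):
    """Collect standard ACLs, address pools, group policies and tunnel groups."""
    acls, pools, policies, groups, ctx = {}, {}, {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"access-list (\S+) standard permit ([\d.]+) ([\d.]+)$", line):
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            acls.setdefault(m[1], []).append(net)
        elif m := re.match(r"ip local pool (\S+) ([\d.]+)-([\d.]+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            ctx = policies.setdefault(m[1], {})  # following lines belong to this policy
        elif m := re.match(r"tunnel-group (\S+) general-attributes$", line):
            ctx = groups.setdefault(m[1], {})    # following lines belong to this group
        elif ctx is not None and (m := re.match(
                r"(split-tunnel-policy|split-tunnel-network-list value|"
                r"address-pool|default-group-policy) (\S+)$", line)):
            ctx[m[1]] = m[2]
    return acls, pools, policies, groups

def audit(config):
    """Flag tunnel groups whose split-tunnel list covers only the client pool."""
    acls, pools, policies, groups = parse(config)
    findings = []
    for name, grp in groups.items():
        pol = policies.get(grp.get("default-group-policy"), {})
        pool = pools.get(grp.get("address-pool"))
        nets = acls.get(pol.get("split-tunnel-network-list value"), [])
        if pol.get("split-tunnel-policy") != "tunnelspecified" or not pool or not nets:
            continue
        # Networks in the list that are not just the pool's own subnet.
        others = [n for n in nets if pool[0] not in n and pool[1] not in n]
        if not others:
            findings.append(f"{name}: split-tunnel list covers only the client pool "
                            f"{pool[0]}-{pool[1]}; no protected network is tunneled")
    return findings
```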