Cisco VPN Client to ASA

fgasimzade

I have configured ASA for IPSec VPN communication through Cisco VPN Client and XP VPN client. I can connect successfully, but I cannot see any networks behind the ASA when connected through Cisco VPN. What am I missing?

Config is:

interface GigabitEthernet0/1
 description vpn-turan-baku
 nameif outside-Baku
 security-level 0
 ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2.30
 description Remote Access
 vlan 30
 nameif remote-access
 security-level 0
 ip address 85.*.*.1 255.255.255.0
!
interface GigabitEthernet0/3
 description BCT_Inside
 nameif inside-Bct
 security-level 100
 ip address 10.40.50.65 255.255.255.252
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit tcp any host 10.254.17.10 eq ssh
access-list nat extended permit tcp any host 10.254.17.26 eq ssh
access-list nonat extended permit ip any any
access-list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
access-list nonat-vpn extended permit ip any 192.168.121.0 255.255.255.0
access-list split-tunnel standard permit 192.168.121.0 255.255.255.0
flow-export destination inside-Bct 192.168.1.27 9996
ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
no failover
icmp permit any outside-Baku
no asdm history enable
arp timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) 2 interface
nat (inside-Bct) 0 access-list nonat-vpn
nat (inside-Bct) 1 access-list nat
nat (inside-Bct) 2 access-list nat-ganja
access-group rdp out interface outside-Ganja
!
route remote-access 0.0.0.0 0.0.0.0 85.*.*.2 1
route outside-Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
route outside-Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
route outside-Baku 192.168.39.0 255.255.255.0 10.254.17.10 1
route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
route outside-Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec transform-set raccess esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 214748364
crypto ipsec security-association lifetime kilobytes 214748364
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
crypto map vpnclientmap interface remote-access
crypto isakmp identity address
crypto isakmp enable vpntest
crypto isakmp enable outside-Baku
crypto isakmp enable outside-Ganja
crypto isakmp enable remote-access
crypto isakmp enable inside-Bct
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
telnet timeout 5
ssh 192.168.1.0 255.255.255.192 outside-Baku
ssh 10.254.17.26 255.255.255.255 outside-Baku
ssh 10.254.17.18 255.255.255.255 outside-Baku
ssh 10.254.17.10 255.255.255.255 outside-Baku
ssh 10.254.17.26 255.255.255.255 outside-Ganja
ssh 10.254.17.18 255.255.255.255 outside-Ganja
ssh 10.254.17.10 255.255.255.255 outside-Ganja
ssh 192.168.1.0 255.255.255.192 inside-Bct
group-policy vpn internal
group-policy vpn attributes
 dns-server value 192.168.1.3
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value bct.az
tunnel-group DefaultRAGroup general-attributes
 address-pool raccess
 authentication-server-group TACACS
 default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *

2 Replies

fgasimzade

Also, when I do a route print on the client machine, I see no default route through the VPN tunnel. I add it manually, but still no luck.

Issue is solved; split tunneling was incorrectly configured.
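One way to check a configuration for the split-tunnel problem named in the last reply, as an added Python example that is not from the thread or from Cisco. With split-tunnel-policy tunnelspecified the client routes only the networks in the split-tunnel list into the tunnel, so the script flags any list entry that covers the client address pool itself. Assumptions: the poster did not say what exactly was wrong, so treating the pool-subnet entry as the fault is an inference, and 192.168.1.0/26 as a network behind the ASA is taken from the inside-Bct ssh line.

```python
import ipaddress
import re

# Constructed sample: the split-tunnel lines from the configuration posted above.
POSTED = """\
access-list split-tunnel standard permit 192.168.121.0 255.255.255.0
ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
group-policy vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
"""
# Assumption: 192.168.1.0/26 (seen on the inside-Bct ssh line) is a network behind the ASA.
CORRECTED = POSTED.replace("192.168.121.0 255.255.255.0", "192.168.1.0 255.255.255.192")

def audit_split_tunnel(config):
    """Return (group_policy, acl, network, pool) tuples where a tunnelspecified
    split-tunnel entry covers a client address pool instead of a protected network."""
    pools, acls, policies, current = {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current = None  # any top-level command leaves group-policy sub-mode
        if m := re.match(r"ip local pool (\S+) ([\d.]+)-([\d.]+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line):
            cidr = f"{m[3]}/32" if m[2] == "host" else f"{m[2]}/{m[3]}"
            acls.setdefault(m[1], []).append(ipaddress.ip_network(cidr, strict=False))
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            current = policies.setdefault(m[1], {})
        elif current is not None and (m := re.match(r"split-tunnel-policy (\S+)", line)):
            current["policy"] = m[1]
        elif current is not None and (m := re.match(r"split-tunnel-network-list value (\S+)", line)):
            current["acl"] = m[1]
    findings = []
    for name, gp in policies.items():
        if gp.get("policy") != "tunnelspecified":
            continue  # tunnelall / excludespecified use the list differently
        for net in acls.get(gp.get("acl"), []):
            for pool, (first, last) in pools.items():
                if first in net or last in net:
                    findings.append((name, gp["acl"], str(net), pool))
    return findings

if __name__ == "__main__":
    for gp, acl, net, pool in audit_split_tunnel(POSTED):
        print(f"group-policy {gp}: ACL {acl} tunnels {net}, which contains client pool {pool}")
```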
