09-16-2009 11:46 PM
I have configured ASA for IPSec VPN communication through Cisco VPN Client and XP VPN client. I can connect successfully, but I cannot see any networks behind ASA when connected through Cisco VPN. What am I missing?
Config is:
interface GigabitEthernet0/1
description vpn-turan-baku
nameif outside-Baku
security-level 0
ip address 10.254.17.9 255.255.255.248
!
interface GigabitEthernet0/2.30
description Remote Access
vlan 30
nameif remote-access
security-level 0
ip address 85.*.*.1 255.255.255.0
!
interface GigabitEthernet0/3
description BCT_Inside
nameif inside-Bct
security-level 100
ip address 10.40.50.65 255.255.255.252
!
boot system disk0:/asa821-k8.bin
ftp mode passive
access-list 110 extended permit ip any any
access-list nat extended permit tcp any host 10.254.17.10 eq ssh
access-list nat extended permit tcp any host 10.254.17.26 eq ssh
access-list nonat extended permit ip any any
access-list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
access-list nonat-vpn extended permit ip any 192.168.121.0 255.255.255.0
access-list split-tunnel standard permit 192.168.121.0 255.255.255.0
flow-export destination inside-Bct 192.168.1.27 9996
ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
no failover
icmp permit any outside-Baku
no asdm history enable
arp timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) 2 interface
nat (inside-Bct) 0 access-list nonat-vpn
nat (inside-Bct) 1 access-list nat
nat (inside-Bct) 2 access-list nat-ganja
access-group rdp out interface outside-Ganja
!
route remote-access 0.0.0.0 0.0.0.0 85.*.*.2 1
route outside-Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
route outside-Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
route outside-Baku 192.168.39.0 255.255.255.0 10.254.17.10 1
route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
route outside-Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec transform-set raccess esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 214748364
crypto ipsec security-association lifetime kilobytes 214748364
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
crypto map vpnclientmap interface remote-access
crypto isakmp identity address
crypto isakmp enable vpntest
crypto isakmp enable outside-Baku
crypto isakmp enable outside-Ganja
crypto isakmp enable remote-access
crypto isakmp enable inside-Bct
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
telnet timeout 5
ssh 192.168.1.0 255.255.255.192 outside-Baku
ssh 10.254.17.26 255.255.255.255 outside-Baku
ssh 10.254.17.18 255.255.255.255 outside-Baku
ssh 10.254.17.10 255.255.255.255 outside-Baku
ssh 10.254.17.26 255.255.255.255 outside-Ganja
ssh 10.254.17.18 255.255.255.255 outside-Ganja
ssh 10.254.17.10 255.255.255.255 outside-Ganja
ssh 192.168.1.0 255.255.255.192 inside-Bct
group-policy vpn internal
group-policy vpn attributes
dns-server value 192.168.1.3
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value bct.az
tunnel-group DefaultRAGroup general-attributes
address-pool raccess
authentication-server-group TACACS
default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
09-16-2009 11:51 PM
Also, when I run route print on the client machine, I see no default route through the VPN tunnel. I add it manually, but still no luck.
09-17-2009 12:05 AM
Issue is solved; split tunneling was incorrectly configured.
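
A check one could run over a configuration like the one posted, as an added example that is not part of the original thread: with split-tunnel-policy tunnelspecified only the networks in the split-tunnel list are routed into the tunnel, and the posted list names 192.168.121.0/24, the same subnet as the raccess client pool. The thread does not say what was changed; the function names and the embedded sample below are assumptions made for this example.

```python
import ipaddress

# Constructed sample: the split-tunnel related lines of the configuration posted above.
SAMPLE_CONFIG = """\
access-list split-tunnel standard permit 192.168.121.0 255.255.255.0
ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
group-policy vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
"""

def parse(config):
    """Return (pool subnets, standard ACL networks, split-tunnel policy, list name)."""
    pools, acls, policy, acl_name = [], {}, None, None
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"] and "mask" in t[:-1]:
            # Assumption: the pool's subnet is its first address plus the "mask" value.
            first = t[4].split("-")[0]
            mask = t[t.index("mask") + 1]
            pools.append(ipaddress.ip_network(f"{first}/{mask}", strict=False))
        elif t[:1] == ["access-list"] and t[2:4] == ["standard", "permit"] and len(t) >= 5:
            spec = t[4:]
            if spec[0] in ("any", "any4"):
                net = ipaddress.ip_network("0.0.0.0/0")
            elif spec[0] == "host":
                net = ipaddress.ip_network(spec[-1])          # single host, /32
            else:
                net = ipaddress.ip_network("/".join(spec[:2]))  # network/netmask
            acls.setdefault(t[1], []).append(net)
        elif t[:1] == ["split-tunnel-policy"] and len(t) >= 2:
            policy = t[1]
        elif t[:2] == ["split-tunnel-network-list", "value"] and len(t) >= 3:
            acl_name = t[2]
    return pools, acls, policy, acl_name

def check_split_tunnel(config):
    """Flag a tunnelspecified policy whose list routes nothing but the client pool."""
    pools, acls, policy, acl_name = parse(config)
    if policy != "tunnelspecified":
        return []
    nets = acls.get(acl_name, [])
    if not nets:
        return [f"split-tunnel list {acl_name!r} has no network entries"]
    if all(any(n.subnet_of(p) for p in pools) for n in nets):
        return [f"split-tunnel list {acl_name!r} covers only the client address pool"]
    return []

if __name__ == "__main__":
    for finding in check_split_tunnel(SAMPLE_CONFIG):
        print("WARN:", finding)
```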