Cisco Support Community
New Member

Is this the correct config for a Remote Access VPN for ASA 8.4?

First time configuring remote access VPN for 8.3 / 8.4 so the NAT and VPN commands are a bit different for me.

Below is the VPN config and the corresponding NAT to NO NAT the IP space. If someone could have a look over it and let me know if I am missing anything. The network is 192.0.0.0 / 24 ha, not a typo.

----------------------------------------------------------------------------------------------------------

crypto ikev1 enable outside
crypto ikev1 policy 10
 encryption 3des
 authentication pre-share
 hash sha

access-list SPLIT-TUNNEL-VPN standard permit 192.0.1.0 255.255.255.0
access-list SPLIT-TUNNEL-VPN standard permit 192.0.0.0 255.255.255.0

group-policy REMOTE-VPN-GP internal
group-policy REMOTE-VPN-GP attributes
 vpn-tunnel-protocol ikev1
 address-pools value REMOTE-VPN-POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL-VPN
 dns-server value 192.0.0.201

tunnel-group REMOTE-VPN-TG type remote-access
tunnel-group REMOTE-VPN-TG general-attributes
 default-group-policy REMOTE-VPN-GP
 authentication-server-group LOCAL
tunnel-group REMOTE-VPN-TG ipsec-attributes
 ikev1 pre-shared-key **********

ip local pool REMOTE-VPN-POOL 192.0.1.1-192.0.1.100 mask 255.255.255.0

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map OUTSIDE-DYNMAP 65535 set ikev1 transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic OUTSIDE-DYNMAP
crypto map OUTSIDE_MAP interface outside

----------------------------------

//No NAT subnet

object network INSIDE_LAN
 subnet 192.0.0.0 255.255.255.0
object network VPN_LAN
 subnet 192.0.1.0 255.255.255.0

nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN_LAN VPN_LAN

***EDIT***

or would I do this for the no nat:

---------------------------------

nat (inside,outside) 1 source static any any destination static GSO_LAN GSO_LAN

----------------------------------

My NAT is currently set up as:

object network LAN_NAT
 subnet 192.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

3 REPLIES
Super Bronze

Your vpn pool subnet is 10.1.2.0/24, and that should be the destination in the NAT configuration.

Your NAT should be:

object network INSIDE_LAN
 subnet 192.0.0.0 255.255.255.0
object network INSIDE_LAN_2
 subnet 192.0.1.0 255.255.255.0
object network VPN_POOL
 subnet 10.1.2.0 255.255.255.0

nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN_POOL VPN_POOL
nat (inside,outside) source static INSIDE_LAN_2 INSIDE_LAN_2 destination static VPN_POOL VPN_POOL

New Member

Thanks for the response but I had a mistake in the config I posted above. I corrected it but the error was having the wrong VPN pool address, it should have been 192.0.1.0-192.0.1.100.

I guess then INSIDE_LAN_2 is not needed and only one NO NAT then?

Super Bronze

Yup, in that case your original static NAT command is correct:

nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN_LAN VPN_LAN

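The mismatch this thread turned on (the NAT exemption's destination object has to cover the VPN address pool) can be checked mechanically. The following is an added example, not code from any poster or from Cisco: it parses ASA 8.3+ style config text and returns every `ip local pool` whose range is not inside the destination object of an identity twice-NAT rule. The function name `unexempted_pools` is hypothetical, and the sample config is constructed from the lines posted above.

```python
import ipaddress
import re

# Constructed sample: the pool, objects and NAT rule from the thread's final config.
SAMPLE = """\
ip local pool REMOTE-VPN-POOL 192.0.1.1-192.0.1.100 mask 255.255.255.0
object network INSIDE_LAN
 subnet 192.0.0.0 255.255.255.0
object network VPN_LAN
 subnet 192.0.1.0 255.255.255.0
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static VPN_LAN VPN_LAN
"""

POOL_RE = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)")
OBJECT_RE = re.compile(r"^object network (\S+)")
SUBNET_RE = re.compile(r"^\s*subnet ([\d.]+) ([\d.]+)")
# Twice NAT (8.3+): nat (real,mapped) [line] source static A B destination static C D
NAT_RE = re.compile(r"^nat \(\S+\)(?:\s+\d+)?\s+source static (\S+)\s+(\S+)"
                    r"\s+destination static (\S+)\s+(\S+)")


def unexempted_pools(config):
    """Return names of address pools not covered by any identity-NAT destination."""
    pools, objects, exempt_dests, current = {}, {}, [], None
    for line in config.splitlines():
        if m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := OBJECT_RE.match(line):
            current = m[1]
        elif (m := SUBNET_RE.match(line)) and current:
            objects[current] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif (m := NAT_RE.match(line)) and m[1] == m[2] and m[3] == m[4]:
            # Identity NAT: real and mapped objects are the same on both sides.
            exempt_dests.append(m[3])
    # A destination object that is never defined (or is "any") exempts nothing here.
    nets = [objects[d] for d in exempt_dests if d in objects]
    return sorted(name for name, (lo, hi) in pools.items()
                  if not any(lo in net and hi in net for net in nets))


if __name__ == "__main__":
    print(unexempted_pools(SAMPLE) or "every pool is NAT-exempt")
```

An empty result means each pool falls inside an exempted destination; a pool name in the result points at the kind of pool/object mismatch discussed in the replies.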