Cisco Support Community
L2L works and mobile VPN works only outside the office

Hi everybody, and first of all sorry for my bad English...

I have this problem: in our office we have an ASA5510 (8.3.1, 6.3.1) with an L2L to a remote office, which works without problems, on an ASA5505 (9.1.2, 7.1.3), and also an IPsec remote VPN from our office to the remote site that doesn't work if I launch it from our network (this mobile VPN only connects if I launch it from outside our office).

The strange thing is that if I downgrade the IOS on the ASA5505 in the remote office, both VPNs work correctly from our office.

In the 5510 logs I don't find any errors; below is the log of the Cisco VPN Client.

Many thanks, Annibale

Cisco Systems VPN Client Version 5.0.06.0110
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      11:30:31.963  09/25/13  Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.

2      11:30:39.950  09/25/13  Sev=Info/4 CM/0x63100002
Begin connection process

3      11:30:39.997  09/25/13  Sev=Info/4 CM/0x63100004
Establish secure connection

4      11:30:39.997  09/25/13  Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"

5      11:30:39.997  09/25/13  Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x.

6      11:30:39.997  09/25/13  Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation

7      11:30:40.012  09/25/13  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x

8      11:30:40.012  09/25/13  Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

9      11:30:40.012  09/25/13  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

10     11:30:40.090  09/25/13  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

11     11:30:40.090  09/25/13  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from x.x.x.x

12     11:30:40.090  09/25/13  Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

13     11:30:40.090  09/25/13  Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

14     11:30:40.090  09/25/13  Sev=Info/5 IKE/0x63000001
Peer supports DPD

15     11:30:40.090  09/25/13  Sev=Info/5 IKE/0x63000001
Peer supports NAT-T

16     11:30:40.090  09/25/13  Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads

17     11:30:40.106  09/25/13  Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

18     11:30:40.106  09/25/13  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x

19     11:30:40.106  09/25/13  Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA

20     11:30:40.106  09/25/13  Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port =  0xE054, Remote Port = 0x1194

21     11:30:40.106  09/25/13  Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

22     11:30:40.106  09/25/13  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

23     11:30:40.106  09/25/13  Sev=Info/4 CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

24     11:30:40.137  09/25/13  Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator

25     11:30:40.137  09/25/13  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x

26     11:30:40.231  09/25/13  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

27     11:30:40.231  09/25/13  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x

28     11:30:40.231  09/25/13  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = y.y.y.y

29     11:30:40.231  09/25/13  Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0

30     11:30:40.231  09/25/13  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000

31     11:30:40.231  09/25/13  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001

32     11:30:40.231  09/25/13  Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = z.z.z.z
mask = 255.255.255.0
protocol = 0
src port = 0
dest port=0

33     11:30:40.231  09/25/13  Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = intranet.aaaaaa.it

34     11:30:40.231  09/25/13  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000

35     11:30:40.231  09/25/13  Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 9.1(2) built by builders on Thu 09-May-13 15:37

36     11:30:40.231  09/25/13  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001

37     11:30:40.231  09/25/13  Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194

38     11:30:40.231  09/25/13  Sev=Info/4 CM/0x63100019
Mode Config data received

39     11:30:40.246  09/25/13  Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = y.y.y.y, GW IP = x.x.x.x, Remote IP = 0.0.0.0

40     11:30:40.246  09/25/13  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to x.x.x.x

41     11:30:40.340  09/25/13  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

42     11:30:40.340  09/25/13  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x

43     11:30:40.340  09/25/13  Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds

44     11:30:40.340  09/25/13  Sev=Info/5 IKE/0x63000047
This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now

45     11:30:40.340  09/25/13  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

46     11:30:40.340  09/25/13  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from x.x.x.x

47     11:30:40.356  09/25/13  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

48     11:30:40.356  09/25/13  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from x.x.x.x

49     11:30:40.356  09/25/13  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

50     11:30:40.356  09/25/13  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from x.x.x.x

51     11:30:40.356  09/25/13  Sev=Info/5 IKE/0x63000073
All fragments received.

52     11:30:40.356  09/25/13  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from x.x.x.x

53     11:30:40.356  09/25/13  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to x.x.x.x

54     11:30:40.371  09/25/13  Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=9C181182

55     11:30:40.371  09/25/13  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=4418807381B63176 R_Cookie=66F58A6B4CCE1743) reason = DEL_REASON_IKE_NEG_FAILED

56     11:30:40.371  09/25/13  Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x

57     11:30:40.371  09/25/13  Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=4418807381B63176 R_Cookie=66F58A6B4CCE1743

58     11:30:40.371  09/25/13  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from x.x.x.x

59     11:30:40.512  09/25/13  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

60     11:30:43.554  09/25/13  Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=4418807381B63176 R_Cookie=66F58A6B4CCE1743) reason = DEL_REASON_IKE_NEG_FAILED

61     11:30:43.554  09/25/13  Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

62     11:30:43.554  09/25/13  Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

63     11:30:43.569  09/25/13  Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

64     11:30:43.569  09/25/13  Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

65     11:30:43.569  09/25/13  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

66     11:30:43.569  09/25/13  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

67     11:30:43.569  09/25/13  Sev=Info/4 IPSEC/0x63700014
Deleted all keys

68     11:30:43.569  09/25/13  Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
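To make the failure in a log like the one above easy to spot, here is an added example (not part of the thread) that parses Cisco VPN Client log entries, records the NAT detection result, tags each received ISAKMP notify with the phase it arrived in (quick mode starts once the client sends its first QM exchange), and reports why the IKE SA was torn down. The sample log is a constructed, abbreviated slice of the entries shown in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an abbreviated slice of the thread's Cisco VPN Client log.
SAMPLE_LOG = """\
7      11:30:40.012  09/25/13  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(Nat-T)) to x.x.x.x

21     11:30:40.106  09/25/13  Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

40     11:30:40.246  09/25/13  Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to x.x.x.x

52     11:30:40.356  09/25/13  Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_ID_INFO) from x.x.x.x

55     11:30:40.371  09/25/13  Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=4418807381B63176 R_Cookie=66F58A6B4CCE1743) reason = DEL_REASON_IKE_NEG_FAILED
"""

# Entry header: "<seq> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<name>/<level> <component>/<hex code>"
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)
EXCH = re.compile(r"SENDING >>> ISAKMP OAK (\w+)")
NOTIFY = re.compile(r"RECEIVING <<<.*NOTIFY:(\w+)")
REASON = re.compile(r"reason = (\w+)")
NAT_REMOTE = re.compile(r"Remote end\s+(IS|is NOT)\s+behind")
NAT_LOCAL = re.compile(r"This\s+end\s+(IS|is NOT)\s+behind")

@dataclass
class Entry:
    seq: int
    comp: str
    code: str
    lines: list = field(default_factory=list)

    @property
    def text(self):
        return "\n".join(self.lines)

def parse_log(raw):
    """Group the log into entries: a header line followed by its message lines."""
    entries, cur = [], None
    for line in raw.splitlines():
        m = HEADER.match(line)
        if m:
            cur = Entry(int(m["seq"]), m["comp"], m["code"])
            entries.append(cur)
        elif cur is not None and line.strip():
            cur.lines.append(line.rstrip())
    return entries

def summarize(entries):
    """Extract NAT detection, received notifies (tagged by IKE phase) and the delete reason."""
    summary = {"local_behind_nat": None, "remote_behind_nat": None,
               "notifies_received": [], "delete_reason": None}
    phase = "phase1"
    for e in entries:
        text = e.text
        if (m := NAT_REMOTE.search(text)):
            summary["remote_behind_nat"] = m.group(1) == "IS"
        if (m := NAT_LOCAL.search(text)):
            summary["local_behind_nat"] = m.group(1) == "IS"
        if (m := EXCH.search(text)) and m.group(1) == "QM":
            phase = "phase2"  # quick mode: the proxy identities are now on the wire
        if (m := NOTIFY.search(text)):
            summary["notifies_received"].append((m.group(1), phase))
        if (m := REASON.search(text)) and "deletion" in text:
            summary["delete_reason"] = m.group(1)
    return summary

def diagnose(summary):
    """Name the failure: INVALID_ID_INFO during quick mode means the gateway rejected the proposed identities."""
    if any(n == "INVALID_ID_INFO" and ph == "phase2" for n, ph in summary["notifies_received"]):
        return "phase2-identity-rejected"
    if summary["delete_reason"]:
        return "negotiation-failed"
    return "ok"
```

Run against the full client log, the output points at the quick-mode identity rejection rather than at phase 1, which matches the "Established Phase 1 SA" lines and narrows the search to the gateway's crypto ACLs and NAT rules.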

3 REPLIES

L2L works and mobile VPN works only outside the office

Can you post the config of your ASAs?

L2L works and mobile VPN works only outside the office

Here is the config of the ASA at the remote side (ASA2).

There is an L2L between the 2 ASAs, and from the LAN behind ASA1 I cannot close any mobile VPNs.

I cannot post the config of ASA1.

Many thanks!!!

ASA Version 9.1(2)
!
hostname asa-mio
domain-name intranet.mio.it
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool pippo 10.0.1.1-10.0.1.10 mask 255.255.255.0
ip local pool pluto 10.0.2.1-10.0.2.2 mask 255.255.255.0
ip local pool paperino 10.0.3.1-10.0.3.2 mask 255.255.255.0
ip local pool mickymouse 10.0.4.1-10.0.4.2 mask 255.255.255.0
ip local pool bruto 10.0.5.1-10.0.5.2 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address x.x.x.100 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address z.z.z.213 255.255.255.248
!
banner login *********************************
banner login *          ATTENZIONE:          *
banner login *    E' SEVERAMENTE PROIBITO    *
banner login *   OGNI TENTATIVO DI ACCESSO   *
banner login *        NON AUTORIZZATO.       *
banner login *     OGNI INTRUSIONE SARA'     *
banner login *  PERSEGUITA LEGALMENTE COME   *
banner login *INDICATO DALL'ART. 615-TER C.P.*
banner login *                               *
banner login *********************************
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name intranet.mio.it
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Lan_inside
subnet x.x.x.0 255.255.255.0
object network AS400
host x.x.x.1
object network ServerT-01
host y.y.y.254
object network TeamL-15
host y.y.y.15
object network pippo
subnet 10.0.1.0 255.255.255.240
object network pluto
subnet 10.0.2.0 255.255.255.240
object network paperino
subnet 10.0.3.0 255.255.255.240
object network mickymouse
subnet 10.0.4.0 255.255.255.240
object network bruto
subnet 10.0.5.0 255.255.255.240
object-group network DM_INLINE_NETWORK_1
network-object object ServerT-01
network-object object TeamL-15
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any source-quench
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list SPLIT-TUNNEL extended permit ip x.x.x.0 255.255.255.0 any
access-list outside_cryptomap extended permit ip object Lan_inside object-group DM_INLINE_NETWORK_1
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Lan_inside Lan_inside destination static pippo pippo route-lookup
nat (inside,outside) source static Lan_inside Lan_inside destination static pluto pluto route-lookup
nat (inside,outside) source static Lan_inside Lan_inside destination static paperino paperino route-lookup
nat (inside,outside) source static Lan_inside Lan_inside destination static mickymouse mickymouse route-lookup
nat (inside,outside) source static Lan_inside Lan_inside destination static bruto bruto route-lookup
nat (inside,outside) source static Lan_inside Lan_inside destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 z.z.z.214 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http x.x.x.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
http 10.0.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer remote_ip_peer
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet x.x.x.0 255.255.255.0 inside
telnet 10.0.1.0 255.255.255.0 inside
telnet 10.0.2.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy mickymouse internal
group-policy mickymouse attributes
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value intranet.mio.it
group-policy GroupPolicy_remote_ip_peer internal
group-policy GroupPolicy_remote_ip_peer attributes
vpn-tunnel-protocol ikev1
group-policy pluto internal
group-policy pluto attributes
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value intranet.mio.it
group-policy pippo internal
group-policy pippo attributes
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value intranet.mio.it
group-policy bruto internal
group-policy bruto attributes
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value intranet.mio.it
group-policy paperino internal
group-policy paperino attributes
vpn-idle-timeout 60
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value intranet.mio.it
username mickymouse nopassword privilege 0
username mickymouse attributes
vpn-group-policy mickymouse
username pluto nopassword privilege 0
username pluto attributes
vpn-group-policy pluto
username pippo nopassword privilege 0
username pippo attributes
vpn-group-policy pippo
username bruto nopassword privilege 0
username bruto attributes
vpn-group-policy bruto
username paperino nopassword privilege 0
username paperino attributes
vpn-group-policy paperino
tunnel-group pippo type remote-access
tunnel-group pippo general-attributes
address-pool pippo
default-group-policy pippo
tunnel-group pippo ipsec-attributes
ikev1 pre-shared-key 11111111
ikev1 user-authentication (outside) none
tunnel-group pluto type remote-access
tunnel-group pluto general-attributes
address-pool pluto
default-group-policy pluto
tunnel-group pluto ipsec-attributes
ikev1 pre-shared-key 22222222
ikev1 user-authentication (outside) none
tunnel-group paperino type remote-access
tunnel-group paperino general-attributes
address-pool paperino
default-group-policy paperino
tunnel-group paperino ipsec-attributes
ikev1 pre-shared-key 33333333
ikev1 user-authentication (outside) none
tunnel-group mickymouse type remote-access
tunnel-group mickymouse general-attributes
address-pool mickymouse
default-group-policy mickymouse
tunnel-group mickymouse ipsec-attributes
ikev1 pre-shared-key 44444444
ikev1 user-authentication (outside) none
tunnel-group bruto type remote-access
tunnel-group bruto general-attributes
address-pool bruto
default-group-policy bruto
tunnel-group bruto ipsec-attributes
ikev1 pre-shared-key 55555555
ikev1 user-authentication (outside) none
tunnel-group remote_ip_peer type ipsec-l2l
tunnel-group remote_ip_peer general-attributes
default-group-policy GroupPolicy_remote_ip_peer
tunnel-group remote_ip_peer ipsec-attributes
ikev1 pre-shared-key 66666666
ikev2 remote-authentication pre-shared-key 66666666
ikev2 local-authentication pre-shared-key 66666666
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home


L2L works and mobile VPN works only outside the office

Annibale,

I believe your issue is with the NAT. When you upgrade from 8.x to 9.1, the NAT translations and ACL change (the format of the command). In the logs, it states that the "Remote end is NOT behind a NAT device". I suggest reviewing the NAT Exempt for 9.1.

21     11:30:40.106  09/25/13  Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

FOR EXAMPLE:

See the following sample NAT configuration for the above network:

! Enable hairpin for non-split-tunneled VPN client traffic:
same-security-traffic permit intra-interface
! Identify local VPN network, & perform object interface PAT when going to Internet:
object network vpn_local
 subnet 10.3.3.0 255.255.255.0
 nat (outside,outside) dynamic interface
! Identify inside network, & perform object interface PAT when going to Internet:
object network inside_nw
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Use twice NAT to pass traffic between the inside network and the VPN client without
! address translation (identity NAT):
nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
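The reply's point is that on 9.1 every VPN address pool needs a twice-NAT identity rule (source static X X destination static POOL POOL), otherwise the object NAT "dynamic interface" rule PATs the inside-to-client traffic and the tunnel breaks. Here is an added example (not from the thread) that reads an ASA-style config, matches each "ip local pool" to the network object covering it, and reports pools that have no identity NAT rule from the inside network. The config snippet is constructed; object and pool names are placeholders, not the poster's.

```python
import ipaddress
import re

# Constructed ASA-style snippet: "pippo" has an identity NAT rule, "goofy" has an
# object but no rule, "daisy" has a pool and no object at all.
SAMPLE_CONFIG = """\
ip local pool pippo 10.0.1.1-10.0.1.10 mask 255.255.255.0
ip local pool goofy 10.0.9.1-10.0.9.10 mask 255.255.255.0
ip local pool daisy 10.0.7.1-10.0.7.5 mask 255.255.255.0
object network Lan_inside
 subnet 192.168.10.0 255.255.255.0
object network pippo
 subnet 10.0.1.0 255.255.255.240
object network goofy
 subnet 10.0.9.0 255.255.255.240
object network AS400
 host 192.168.10.1
nat (inside,outside) source static Lan_inside Lan_inside destination static pippo pippo route-lookup
"""

POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
OBJ = re.compile(r"^object network (\S+)")
SUBNET = re.compile(r"^\s*subnet (\S+) (\S+)")
HOST = re.compile(r"^\s*host (\S+)")
# Identity (twice) NAT: the mapped names repeat the real names on both sides.
IDENT = re.compile(r"^nat \(\S+\) source static (\S+) \1 destination static (\S+) \2(?:\s|$)")

def parse_config(text):
    """Return (pools, objects, identity_pairs) from ASA running-config lines."""
    pools, objects, identity_pairs = {}, {}, []
    current = None
    for line in text.splitlines():
        if (m := POOL.match(line)):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
        elif (m := OBJ.match(line)):
            current = m.group(1)
        elif (m := SUBNET.match(line)) and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif (m := HOST.match(line)) and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
        elif (m := IDENT.match(line)):
            identity_pairs.append((m.group(1), m.group(2)))
    return pools, objects, identity_pairs

def check_pool_exemptions(text, inside_object="Lan_inside"):
    """Map each VPN pool to 'exempt', 'no-identity-nat' or 'no-object'."""
    pools, objects, identity_pairs = parse_config(text)
    result = {}
    for name, (first, last) in pools.items():
        # An object covers the pool if both ends of the address range fall inside it.
        covering = [o for o, net in objects.items() if first in net and last in net]
        if not covering:
            result[name] = "no-object"
            continue
        exempt = any(src == inside_object and dst in covering for src, dst in identity_pairs)
        result[name] = "exempt" if exempt else "no-identity-nat"
    return result
```

Feed it the output of "show running-config" and anything other than "exempt" is a pool whose client traffic will hit the dynamic interface PAT instead of the tunnel.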
