Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Problems Remote Access VPN on ASA 5540

I just created a Remote Access VPN, I can connect to the VPN via radius. However, I cannot connect to any of the networks behind the ASA. I have tried to use split-tunneling and without to no avail. I have no problem connecting, its just none of the traffic is being encrypted/sent back to the client.

Here is the config.

access-list INSIDE-TRUSTED_nat0_outbound extended permit ip any 10.118.0.0 255.255.255.0

access-list OUTSIDE-UNPROTECTED_cryptomap_dyn_20 extended permit ip any 10.118.0.0 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map OUTSIDE-UNPROTECTED_dyn_map 20 match address OUTSIDE-UNPROTECTED_cryptomap_dyn_20

crypto dynamic-map OUTSIDE-UNPROTECTED_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map OUTSIDE-UNPROTECTED_map 65535 ipsec-isakmp dynamic OUTSIDE-UNPROTECTED_dyn_map

crypto map OUTSIDE-UNPROTECTED_map interface OUTSIDE-UNPROTECTED

isakmp identity address

isakmp enable OUTSIDE-UNPROTECTED

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash sha

isakmp policy 30 group 7

isakmp policy 30 lifetime 86400

4 REPLIES
Cisco Employee

Re: Problems Remote Access VPN on ASA 5540

A bit hard without seeing your entire config, but make sure you have the following:

nat (inside) 0 access-list INSIDE-TRUSTED_nat0_outbound

Also presumably your IP pool is 10.118.0.0/24, so you need to make sure your inside network/hosts have a route that points this network back to the inside interface of the PIX. Also make sure the PIX has a route pointing this network out its outside interface as follows:

route OUTSIDE_UNPROTECTED 10.118.0.0 255.255.255.0

New Member

Re: Problems Remote Access VPN on ASA 5540

I have got it working now, I had some static's pointing to the wrong device. For the Internet, I do not want to use split-tunneling. If I use the route outside interface to the Internet, isn't that saying I am trying to use split-tunneling?

Gold

Re: Problems Remote Access VPN on ASA 5540

i guess the command "route OUTSIDE_UNPROTECTED 10.118.0.0 255.255.255.0 " is only required, if and only if the default gateway of the asa is not set to the outside interface (i.e. the internet router).

further, by applying the route statement as above will not enable split tunneling. in order to configure this feature, an acl needs to be created and applied by using command "split-tunnel".

New Member

Re: Problems Remote Access VPN on ASA 5540

Exactly, but the point is to have the VPN subnet access the Internet the same as any other subnet, NAT through the ASA's internal interface to the external.

135
Views
0
Helpful
4
Replies