The public IP address is assigned to the outside interface of the C871. The C871 forwards incoming traffic (UDP 500, UDP 4500, and ESP) to the outside interface of the ASA, which has a private IP address. PC1 can establish a secure tunnel to the ASA. However, it is not able to ping or access PC2, and PC2 is also not able to ping PC1. PC1 encrypts packets to PC2, but the ASA does not encrypt packets to PC1. Maybe a NAT problem? I understand that removing the C871 and just using the ASA makes the VPN much simpler and easier, but I'd like to understand why it is not working with the current setup and learn how to troubleshoot and fix it. Here's the running config for the C871 and ASA. Thanks in advance for your help!

C871:
----------------------------------------------------
version 15.0
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable password 7 xxxx
!
aaa new-model
!
aaa session-id common
!
clock timezone UTC -8
clock summer-time PDT recurring
!
dot11 syslog
ip source-route
!
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.2
!
ip dhcp pool dhcp-vlan2
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
!
ip cef
ip domain name xxxx.local
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
!
username xxxx password 7 xxxx
!
ip ssh version 2
!
interface FastEthernet0
 switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN Interface
 ip address 220.127.116.11 255.255.255.252
 ip access-group wna-in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 no ip address
!
interface Vlan2
 description LAN-192.168.2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan10
 description router-asa
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list nat-pat interface FastEthernet4 overload
ip nat inside source static 10.10.10.1 interface FastEthernet4
ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
ip nat inside source static esp 10.10.10.2 interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 18.104.22.168
ip route 10.10.10.0 255.255.255.252 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.10.10.2
!
ip access-list standard ssh
 permit 0.0.0.0 255.255.255.0 log
 permit any log
!
ip access-list extended nat-pat
 deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended wan-in
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 22.214.171.124 0.0.255.255 any
 deny ip 255.0.0.0 0.255.255.255 any
 deny ip 126.96.36.199 188.8.131.52 any
 deny ip host 0.0.0.0 any
 deny icmp any any fragments log
 permit tcp any any established
 permit icmp any any net-unreachable
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit icmp any any ttl-exceeded
 permit icmp any any echo-reply
 deny ip any any log
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 access-class ssh in
 exec-timeout 5 0
 logging synchronous
 transport input ssh
!
scheduler max-task-time 5000
end
-------------------------------------------------------------------
Re: RA VPN into ASA5505 behind C871 Router with one public IP ad
Well, it turns out changing the default gateway breaks the internet connection.
If the default gateway for the internal hosts is set to 184.108.40.206, the remote VPN host can access the internal LAN, but the hosts on the internal LAN are not able to go out to the internet. On the other hand, if the gateway is 192.168.2.1, the internal hosts can go out to the internet, but the remote host cannot access the internal LAN.
By the way, the router is the DHCP server that leases the IP addresses and gateway to the 192.168.2.0/24 hosts.
Attached are the current configs for the ASA and router.
It's probably something simple like a missing route, but I can't seem to figure out what needs to be fixed. Hope someone can shed some light for me.
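Worked example, added here and not code from the thread or from Cisco: a small Python script that parses an excerpt of the posted C871 configuration and runs the checks the two posts above call for. For the first post it confirms that every ACL applied to an interface is actually defined (the config applies `wna-in` on FastEthernet4 but defines `wan-in`; IOS treats an undefined ACL as permit-any, so it is worth checking on the router whether that is a typo in the post or in the running config) and lists what the static NAT entries forward to the ASA at 10.10.10.2. For the second post's "missing route" suspicion it does a longest-prefix-match lookup to show which next hop the router picks for replies toward a VPN client, with and without a route pointing the client pool at the ASA. The pool 192.168.100.0/24 is an assumption inferred from the nat-pat ACL; the thread never names it. The config excerpt is constructed from the post, addresses as posted.

```python
"""Added example: parse an excerpt of the posted C871 config and run the
checks the troubleshooting above calls for (undefined ACL reference, NAT
forwards to the ASA, and the return-path route toward the VPN client pool)."""
import ipaddress
import re

# Constructed excerpt of the posted C871 config; addresses exactly as posted.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 220.127.116.11 255.255.255.252
 ip access-group wna-in in
!
interface Vlan2
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.252
!
ip nat inside source list nat-pat interface FastEthernet4 overload
ip nat inside source static udp 10.10.10.2 500 interface FastEthernet4 500
ip nat inside source static udp 10.10.10.2 4500 interface FastEthernet4 4500
ip nat inside source static esp 10.10.10.2 interface FastEthernet4
ip route 0.0.0.0 0.0.0.0 18.104.22.168
ip route 10.10.10.0 255.255.255.252 10.10.10.2
ip route 192.168.2.0 255.255.255.0 10.10.10.2
!
ip access-list extended nat-pat
 deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended wan-in
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 deny ip any any log
"""

# Assumption: 192.168.100.0/24 is the remote-access VPN pool. The thread never
# says so; it is inferred from the nat-pat ACL exempting that destination.
ASSUMED_VPN_POOL = "192.168.100.0/24"


def parse_config(text):
    """Extract defined ACL names, ACLs applied per interface, connected
    networks, static routes and static NAT forwards from IOS config text."""
    cfg = {"defined": set(), "applied": {}, "connected": [], "routes": [], "statics": []}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            iface = m.group(1)
        elif line == "!":
            iface = None  # a bare '!' ends the interface section
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)$", line):
            cfg["defined"].add(m.group(1))
        elif iface and (m := re.match(r"ip access-group (\S+) (?:in|out)$", line)):
            cfg["applied"][iface] = m.group(1)
        elif iface and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            cfg["connected"].append((net, f"connected:{iface}"))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)$", line):
            cfg["routes"].append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), m.group(3)))
        elif m := re.match(r"ip nat inside source static (udp|tcp|esp) (\S+)(?: (\d+))? interface", line):
            cfg["statics"].append((m.group(1), m.group(2), m.group(3)))
    return cfg


def undefined_acl_refs(cfg):
    """Interfaces whose applied ACL has no definition; IOS treats a missing
    ACL as 'permit any', so such a WAN filter silently filters nothing."""
    return {i: n for i, n in cfg["applied"].items() if n not in cfg["defined"]}


def vpn_forwards(cfg, inside_host):
    """Protocols/ports statically forwarded from the WAN address to inside_host."""
    return sorted(f"{proto} {port}" if port else proto
                  for proto, host, port in cfg["statics"] if host == inside_host)


def next_hop(cfg, dst, extra_routes=()):
    """Longest-prefix match over connected and static routes; on an equal
    prefix length the connected route wins (lower administrative distance).
    extra_routes are ("cidr", next_hop) pairs to try hypothetically."""
    dst = ipaddress.ip_address(dst)
    table = cfg["connected"] + cfg["routes"]
    table += [(ipaddress.ip_network(c), nh) for c, nh in extra_routes]
    hits = [(net, nh) for net, nh in table if dst in net]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, r[1].startswith("connected")))[1]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("ACLs applied but never defined:", undefined_acl_refs(cfg))
    print("forwarded to the ASA (10.10.10.2):", vpn_forwards(cfg, "10.10.10.2"))
    client = str(ipaddress.ip_network(ASSUMED_VPN_POOL)[10])
    print(f"router next hop for replies to {client}:", next_hop(cfg, client))
    print("same lookup with a pool route toward the ASA:",
          next_hop(cfg, client, [(ASSUMED_VPN_POOL, "10.10.10.2")]))
```

Run it as a script. With the posted routes, a reply from a LAN host toward a VPN client address matches only the default route, so a host that uses 192.168.2.1 as its gateway would have its replies sent toward the ISP rather than the ASA; the last lookup shows the next hop changing to 10.10.10.2 once a more specific route for the (assumed) pool exists. Whether that is the actual cause still has to be confirmed on the devices, since the ASA side of the configuration is not in the thread.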