I have recently configured a remote access VPN on a customer ASA 7.2. I have tested the RA IPsec VPN using an IP address that is in the same segment as the outside interface of the ASA and it works.
But the funny thing right now is that if I am using a client that is using NAT to access the network, I have problems connecting. It can't even contact the security gateway and get past the phase 1 authentication of the tunnel group and pre-shared key. There is nothing in the VPN client log.
I have configured NAT-T too.
Anyone have any idea? Here's the config that's relevant to the remote access IPSEC VPN.
access-list inside_nat0_outbound extended permit ip 10.203.1.0 255.255.255.0 10.
ip local pool vpnpool 10.203.8.100-10.203.8.199 mask 255.255.255.0
One other thing, might be very obvious, but do you have a default route set up? You mentioned that it works when on the same subnet, but I'm assuming that when you're behind whatever NAT device, you're coming from another network? I might be totally off, but since I don't know the details of your test environment, just check that to make sure.
If you're doing client vpn, I don't think changing this stuff helps. Usually, modifying pfs, md5/sha is important to match up on lan-to-lan tunnels. With a client, the end device (your router/concentrator) tells the client what to use. As long as you're not using a very outdated client, I wouldn't think there'd be a problem.
Keep in mind that you can also turn on some debugging in the Cisco client. I believe it's under 'Options'.
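An added example, not part of the thread: a small Python check that scans a saved ASA running-config for the prerequisites raised above (IKE enabled on the outside interface, NAT-T, and a default route via outside). The names `audit_ra_vpn` and `missing` are hypothetical, the sample config is constructed rather than the poster's, and the patterns assume ASA 7.2 `show running-config` syntax.

```python
import re

# Constructed sample, not the poster's configuration (ASA 7.2 command syntax).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 192.0.2.2 255.255.255.0
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
ip local pool vpnpool 10.203.8.100-10.203.8.199 mask 255.255.255.0
"""

CHECKS = {
    # IKE must be listening on the interface the clients reach.
    "isakmp_enabled_outside": r"^crypto isakmp enable outside\s*$",
    # NAT-T wraps ESP in UDP 4500 so the tunnel survives a PAT device.
    "nat_traversal": r"^crypto isakmp nat-traversal(\s+\d+)?\s*$",
    # Replies to clients on other networks need a route; the thread
    # suggests checking the default route first.
    "default_route_outside": r"^route outside 0\.0\.0\.0 0\.0\.0\.0 \S+",
}


def audit_ra_vpn(config: str) -> dict:
    """Return {check_name: bool} for each prerequisite found in the config."""
    return {name: bool(re.search(pattern, config, re.MULTILINE))
            for name, pattern in CHECKS.items()}


def missing(config: str) -> list:
    """Names of prerequisites the config lacks, sorted for stable output."""
    return sorted(name for name, ok in audit_ra_vpn(config).items() if not ok)


if __name__ == "__main__":
    for name in missing(SAMPLE_CONFIG):
        print("missing:", name)
```

A line beginning with `no` (for example a negated NAT-T command) does not satisfy a check, because each pattern is anchored to the start of the line.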