Remote-Access VPN Tunnel established but no traffic

ciscocase
Level 1

Hello

I am a little confused. I tried to configure a remote access VPN using the ASDM wizard, as I often do. After that, the tunnel can be established, but I get no data from the secure network behind the FW.

ASA5515X

Cisco Adaptive Security Appliance Software Version 8.6(1)2

Device Manager Version 6.6(1)

relevant config parts:

object network NETWORK_OBJ_172.16.1.0_24
 subnet 172.16.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.6.0_28
 subnet 192.168.6.0 255.255.255.240
access-list test_splitTunnelAcl_1 standard permit 172.16.1.0 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 destination static NETWORK_OBJ_192.168.6.0_28 NETWORK_OBJ_192.168.6.0_28 no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp nat-traversal 10
crypto ikev1 enable outside
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy test internal
group-policy test attributes
 dns-server value 192.168.1.151
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl_1
 default-domain value
username test password P4ttSyrm33SV8TYp encrypted privilege 0
username test attributes
 vpn-group-policy test
username asaroot password UxDV.ro.wmU03N5q encrypted privilege 15
tunnel-group test type remote-access
tunnel-group test general-attributes
 address-pool test
 default-group-policy test
tunnel-group test ipsec-attributes
 ikev1 pre-shared-key *****

The tunnel is established:

sh crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: <my-external-ip>
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

There are no IKEv2 SAs

sh crypto ipsec sa

interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <fw-external-ip>

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.6.1/255.255.255.255/0/0)
      current_peer: , username: test
      dynamic allocated peer ip: 192.168.6.1

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 59, #pkts decrypt: 59, #pkts verify: 59
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: <fw-external-ip>/4500, remote crypto endpt.: <my-external-ip>/58544
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 6605E0F1
      current inbound spi : 43503D55

    inbound esp sas:
      spi: 0x43503D55 (1129332053)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 8192, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28006
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x0FFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x6605E0F1 (1711661297)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 8192, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28006
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

I got this error:

3  Jan 16 2014  09:37:23  192.168.6.1  LOCAL  regular translation creation failed for icmp src inside:172.16.1.1 dst outside:192.168.6.1(LOCAL\test) (type 0, code 0)

in my logs. It seems to be a problem with NAT/no-NAT, but I can't see where.

I have configured a lot of VPNs, but none has troubled me like this one. (I also did the same steps on an ASA5505 with IOS 8.4.2 and it worked like a charm.)

Thanks for your help

3 Replies

Jouni Forss
VIP Alumni

Hi,

Could you post the complete NAT configuration you have on the ASA?

- Jouni

Hello Jouni,

Here is the complete NAT configuration:

EDIT: Something strange happened. I used another PC to connect to the FW using remote access VPN, and what can I say, it worked. I have to narrow down what happened to my laptop that it is not able to get data from the remote site. I have had no trouble connecting to some other remote sites, even now, and all are working fine as usual.

So do not spend any time on this. Thanks for your effort.

Regards, Torsten

ciscocase
Level 1

Hello,

I tried something and shortened the NAT configuration to a very simple one:

nat (inside,outside) source static any xxx.yyy.zzz.249_Outside_PAT
nat (inside,outside) source static NETWORK_OBJ_172.16.1.0_24 NETWORK_OBJ_172.16.1.0_24 destination static NETWORK_OBJ_192.168.6.0_28 NETWORK_OBJ_192.168.6.0_28 no-proxy-arp route-lookup

After that I tried some debugging (icmp trace) and saw this:

ICMP echo request from outside:192.168.6.1 to inside:172.16.1.1 ID=1 seq=229 len=32
ICMP echo reply from inside:172.16.1.1 to outside:192.168.6.1 ID=1 seq=229 len=32
ICMP echo reply translating inside:172.16.1.1 to outside:xxx.yyy.zzz.249

So why is the ICMP echo being translated? I changed the order of the NAT configuration and put the VPN NAT rule above; now the translation is gone, but I still get no answer to my ping, although the icmp trace looks like it should:

ICMP echo request from outside:192.168.6.1 to inside:172.16.1.1 ID=1 seq=265 len=32
ICMP echo reply from inside:172.16.1.1 to outside:192.168.6.1 ID=1 seq=265 len=32

Regards, Torsten
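The rule-order effect Torsten traced above, as an added example that is not from the thread or from Cisco: a small Python model of the ASA's top-down, first-match evaluation of manual (section 1) NAT rules, fed the two rules and the addresses posted in this reply (xxx.yyy.zzz.249 is the post's own placeholder for the PAT address). `shadowed_identity_rules` is an assumed helper name for a check that flags an identity (no-NAT) rule hidden behind an earlier, broader rule, which is exactly what caused the echo reply to be PATed.

```python
# Added example, not from the thread: model of ASA manual NAT evaluation,
# top-down, first match wins. Shows why the any->PAT rule listed first
# translated the echo reply 172.16.1.1 -> 192.168.6.1, and why moving the
# identity rule above it stops that. xxx.yyy.zzz.249 is the post's placeholder.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class NatRule:
    name: str
    src_match: ipaddress.IPv4Network            # real source object
    src_xlate: Optional[str]                    # None = identity NAT (no translation)
    dst_match: Optional[ipaddress.IPv4Network]  # destination object; None = any

ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("172.16.1.0/24")         # NETWORK_OBJ_172.16.1.0_24
VPN_POOL = ipaddress.ip_network("192.168.6.0/28")   # NETWORK_OBJ_192.168.6.0_28

def first_match(rules: List[NatRule], src: str, dst: str) -> Optional[NatRule]:
    """Return the first rule whose source/destination objects match the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src_match and (rule.dst_match is None or d in rule.dst_match):
            return rule
    return None

def translate_src(rules: List[NatRule], src: str, dst: str) -> str:
    """Source address after NAT; unchanged when no rule or an identity rule matches."""
    rule = first_match(rules, src, dst)
    return src if rule is None or rule.src_xlate is None else rule.src_xlate

def shadowed_identity_rules(rules: List[NatRule]) -> List[str]:
    """Identity rules that an earlier, broader rule matches first, so the
    exemption never takes effect. Simplified: one probe address per rule."""
    shadowed = []
    for i, rule in enumerate(rules):
        if rule.src_xlate is not None:
            continue
        probe_src = str(rule.src_match.network_address + 1)
        probe_dst = str((rule.dst_match or ANY).network_address + 1)
        if first_match(rules[:i], probe_src, probe_dst) is not None:
            shadowed.append(rule.name)
    return shadowed

PAT_RULE = NatRule("any -> Outside_PAT", ANY, "xxx.yyy.zzz.249", None)
NO_NAT_RULE = NatRule("LAN <-> VPN pool (identity)", LAN, None, VPN_POOL)
ORIGINAL_ORDER = [PAT_RULE, NO_NAT_RULE]   # order in the shortened config above
FIXED_ORDER = [NO_NAT_RULE, PAT_RULE]      # identity rule moved above the PAT rule
```

Running `shadowed_identity_rules` over a rule list is the check to make before trusting an `icmp trace`: it reports the identity rule as shadowed in the original order and clean once the rules are swapped, while traffic to non-VPN destinations is still PATed.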
