
Remote VPN on ASA5510 is not working?

manojpushpam
Level 1

I have created a Remote VPN on an ASA5510 (8.0(5)). The tunnel is UP and client machines are able to connect to the VPN, but traffic is not passing between server and client.

7 Replies

mvsheik123
Level 7

Hi Manoj,

Make sure the VPN client is receiving all the internal network information, and also that the internal subnets --> VPN client IP subnet traffic is not NATted.

If possible, post the configs.

hth

MS

The DHCP pool for the client access is NAT-exempted through policy NAT (NAT-0); despite all the concerned configuration, traffic is not passing through the same.

Post the related configs from the ASA. Also, make sure the internal switch has a route to the VPN client subnet pointing to the ASA (the default route will work).

Thx

MS

Yes! I am sharing my configuration:

VPN configuration:

crypto ipsec transform-set IPSEC-VPN esp-des esp-md5-hmac
crypto dynamic-map dyn100 65535 set transform-set IPSEC-VPN
crypto dynamic-map dyn100 65535 set reverse-route
crypto map out_map 200 ipsec-isakmp dynamic dyn100
crypto map out_map interface outside
ip local pool vpnpool 192.168.96.1-192.168.96.6 mask 255.255.255.0
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
group-policy VPN internal
group-policy VPN attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote_Access_splitTunnelAcl
tunnel-group IPSEC-VPN type remote-access
tunnel-group IPSEC-VPN general-attributes
 address-pool vpnpool
 default-group-policy VPN
tunnel-group IPSEC-VPN ipsec-attributes
 pre-shared-key cisco@123
username remoteuser password user@#123
username remoteuser attributes
 vpn-group-policy VPN
 vpn-tunnel-protocol ipsec
access-list inside_nat0_outbound_1 extended permit ip 10.0.0.0 255.255.252.0 192.168.96.0 255.255.255.0
access-list Remote_Access_splitTunnelAcl extended permit ip 10.0.0.0 255.255.252.0 192.168.96.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
route outside 0.0.0.0 0.0.0.0 210.7.75.129 1
route outside 210.7.68.224 255.255.255.240 210.7.68.225 1

Please suggest if anything else needs to be added.

Hi Manoj,

How are you trying to access the internal servers? If by hostname, then the DNS entries are missing for the VPN clients. Add your internal DNS server IPs (at least one) under 'group-policy VPN attributes' (dns-server value x.x.x.x).

Also, to keep the split-tunnel ACL simple, you can replace the extended ACL with a standard ACL (as you are not blocking any ports): access-list Remote_Access_splitTunnelAcl standard permit 10.0.0.0 255.255.252.0

I do not see any issues with the rest of the config based on the posting (anyway, clients are able to connect successfully).

If you still experience issues, enable 'debug icmp trace' on the ASA, try to ping from server --> client, and post the output.

hth

MS
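The three things the replies above ask the poster to verify (that the client pool is exempted from NAT by the nat 0 ACL, which networks the split-tunnel list actually sends into the tunnel, and whether the group policy hands out a DNS server) can be read straight out of the running config. The script below is an added example, not part of this thread and not a Cisco tool; it is a small offline parser for the ASA 8.0-style lines shown in the thread. The sample config embedded in it is a constructed copy of the posted fragment reduced to the lines the checker reads, with the secrets left out; the second "broken" variant, with a mistyped nat 0 destination, is also constructed to show what the classic "tunnel up, no traffic" misconfiguration looks like. As a side check it also flags single DES, which the posted transform set and ISAKMP policy use; that is a separate weakness from the traffic problem and the replies do not cover it.

```python
"""Offline sanity check of an ASA 8.0-style remote-access IPsec VPN config.

Reports, per tunnel-group: whether the address pool is fully covered by a
nat 0 (NAT exemption) ACL, which networks the split-tunnel ACL tunnels,
and which DNS servers the group policy pushes. Also lists DES usage.
"""
import ipaddress

# Constructed sample: the configuration posted in the thread, reduced to
# the lines this checker reads (pre-shared key and user password omitted).
POSTED_CONFIG = """
crypto ipsec transform-set IPSEC-VPN esp-des esp-md5-hmac
crypto isakmp policy 1
 encryption des
 hash sha
ip local pool vpnpool 192.168.96.1-192.168.96.6 mask 255.255.255.0
group-policy VPN internal
group-policy VPN attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Remote_Access_splitTunnelAcl
tunnel-group IPSEC-VPN type remote-access
tunnel-group IPSEC-VPN general-attributes
 address-pool vpnpool
 default-group-policy VPN
access-list inside_nat0_outbound_1 extended permit ip 10.0.0.0 255.255.252.0 192.168.96.0 255.255.255.0
access-list Remote_Access_splitTunnelAcl extended permit ip 10.0.0.0 255.255.252.0 192.168.96.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
"""

# Constructed variant: the nat 0 ACL names the wrong destination subnet, so
# the client pool is no longer exempted and replies to clients get NATted.
BROKEN_CONFIG = POSTED_CONFIG.replace(
    "255.255.252.0 192.168.96.0 255.255.255.0\naccess-list Remote",
    "255.255.252.0 192.168.95.0 255.255.255.0\naccess-list Remote")


def net(addr, mask):
    """'10.0.0.0', '255.255.252.0' -> IPv4Network('10.0.0.0/22')."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    pools, acls, nat0, policies, groups, weak = {}, {}, [], {}, {}, []
    block = None  # attributes block that indented sub-commands belong to
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        indented = raw.startswith(" ")
        if not indented:
            block = None
        if any(tok in ("esp-des", "des") for tok in parts):
            weak.append(raw.strip())  # single DES in a transform set or policy
        if parts[:3] == ["ip", "local", "pool"]:
            first, last = parts[4].split("-")
            pools[parts[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif parts[0] == "access-list" and len(parts) > 5 and parts[3] == "permit":
            if parts[2] == "extended" and parts[4] == "ip":
                entry = (net(parts[5], parts[6]), net(parts[7], parts[8]))
            elif parts[2] == "standard":
                entry = (net(parts[4], parts[5]), None)
            else:
                continue
            acls.setdefault(parts[1], []).append(entry)
        elif parts[0] == "nat" and parts[2:4] == ["0", "access-list"]:
            nat0.append(parts[4])
        elif parts[0] == "group-policy" and parts[-1] == "attributes":
            block = policies.setdefault(parts[1], {})
        elif parts[0] == "tunnel-group" and parts[-1] == "general-attributes":
            block = groups.setdefault(parts[1], {})
        elif indented and block is not None:
            if parts[1:2] == ["value"]:   # split-tunnel-network-list, dns-server
                block[parts[0]] = parts[2:]
            elif len(parts) == 2:         # address-pool, default-group-policy
                block[parts[0]] = parts[1]
    return pools, acls, nat0, policies, groups, weak


def check_config(config):
    pools, acls, nat0, policies, groups, weak = parse(config)
    report = {"weak_crypto": weak}
    for name, attrs in groups.items():
        pool = pools.get(attrs.get("address-pool"))
        if pool is None:
            report[name] = {"error": "tunnel-group has no usable address-pool"}
            continue
        first, last = pool
        policy = policies.get(attrs.get("default-group-policy"), {})
        # NAT exemption: some nat 0 ACL entry must contain the whole pool as
        # its destination, or inside -> client traffic is translated and lost.
        nat_exempt = any(dst is not None and first in dst and last in dst
                         for acl in nat0 for _, dst in acls.get(acl, []))
        # Split tunnel: the source networks of the referenced ACL are what
        # the client routes into the tunnel (extended or standard form).
        split_acl = policy.get("split-tunnel-network-list", [None])[0]
        tunneled = [str(src) for src, _ in acls.get(split_acl, [])]
        report[name] = {"nat_exempt": nat_exempt, "tunneled": tunneled,
                        "dns": policy.get("dns-server", [])}
    return report


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_config(cfg))
```

Run against the posted fragment it reports the pool as NAT-exempt, 10.0.0.0/22 as the only tunneled network and an empty DNS list, which matches the diagnosis in the reply above; against the broken variant `nat_exempt` turns false, the symptom the original question describes. Feed it `show running-config` output rather than hand-copied lines, since a typo introduced while transcribing is exactly what this kind of check exists to catch.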

Ok.. I'll check and revert back to you....

Thanks. Now it is working.....