vpn between asa 5510 and router

said19770
Level 1

Hi,

I configured an ASA 5510 to make LAN-to-LAN VPNs with 17 857 routers, and between the routers.

The VPN between the routers works fine.

From the LAN behind the ASA I can ping the PCs behind the routers.

But from the PCs behind the routers I can't ping the PCs behind the ASA.

I configured remote access with the Cisco VPN client 4.X; it works well with the routers, but doesn't work with the ASA.

The ASA is connected to the WAN via a Zoom router (ADSL).


said19770
Level 1

Hi,

Can someone check this configuration?

Please help.

access-list inside_access-in extended permit ip yournetwork clientnetwork

Example

access-list inside_access-in extended permit ip 10.20.31.0 255.255.255.0 10.200.225.0 255.255.255.0

Hi mekkeyan,

I added this:

access-list inside_access-in extended permit ip 192.168.200.0 255.255.255.0 192.168.111.0 255.255.255.0

but I have the same problem.

I use this ACL: access-list inside_access-in extended permit ip any any

which covers all traffic.

My problem is that the VPN is one-way.

From the ASA to the router is OK.

But from the router to the ASA and from the Cisco client to the ASA it doesn't work.

Can you please be specific about your problem? Is it possible to post the output of the following:

show crypto ipsec sa detail

show run sysopt

debug crypto ipsec (If phase 1 is ok)

else

debug crypto isakmp, also

Also, after making changes on the crypto map, I hope you removed it and re-applied it to the interface.

Regards

Farrukh

Hi Farrukh,

I reconfigured the ASA but the problem is not resolved.

The debug command doesn't reveal anything:

firwall# show run sysopt

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt uauth allow-http-cache

sysopt connection permit-ipsec

firwall# sh crypto ipsec sa

There are no ipsec sas

firwall# debug crypto ipsec

firwall#

firwall# debug crypto isakmp

firwall#

Are you telnetting into the firewall?

Do the following to see the debug output:

terminal monitor

logging monitor 7 (type this in config mode)

Else, if it's the console, do 'logging console 7'

then do

debug crypto isakmp

debug crypto ipsec

then generate a ping from some device at the back of the ASA having a 192.168.200.0 address going towards any of the VPN subnets, and then paste the output here

Regards

Farrukh

Hi Farrukh,

It is right.

The Zoom router can't forward the traffic to the outside interface of the ASA.

Now I gave a public address to the outside interface of the ASA, and the VPN works fine.

Thank you very much for the help.
