vpn ipsec client to asa 5505

freddie975
Level 1

Hi everybody,

I've configured IPsec VPN with the wizard, but the IP address assigned from the pool doesn't reach the LAN network.

LAN network: 192.168.0.0/24

Pool network: 193.168.0.0/24

Any idea?

Thanks,

Best regards

12 Replies

I wouldn't use 193.168.0.0/24 if you don't own it.

Please post config.

F

Hi,

I think you need to add routes on the client, since you are using a pool that isn't part of the LAN.

Also, 193.168.0.0/24 is not a private address.

HTH,

Vikram

Hi, I changed the configuration and the pool is now part of the network, but my remote user, once authenticated on the VPN, doesn't talk with the other devices on the LAN network.

ASA Version 8.4(2)
!
hostname ciscoasa
enable password DsjsJeE3SH4dWdaR encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network server_ip
 host 192.168.0.99
object service tcp_80
 service tcp destination eq www
object service tcp_5632
 service tcp destination eq 5632
object service tcp_3389
 service tcp destination eq 3389
 description remote_desktop
object service tcp_443
 service tcp destination eq https
 description https
object network ip_outside
 host 10.0.0.1
object network ip_inside
 host 192.168.0.1
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.128_27
 subnet 192.168.0.128 255.255.255.224
access-list outside_access_in extended permit tcp any host 192.168.0.99 eq www
access-list outside_access_in extended permit tcp any host 192.168.0.99 eq 5632
access-list outside_access_in extended permit object tcp_3389 any host 192.168.0.99
access-list sts_internal_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool pool_internal 192.168.0.130-192.168.0.150 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (outside,inside) source static any any destination static interface server_ip service tcp_80 tcp_80 unidirectional
nat (outside,inside) source static any any destination static interface server_ip service tcp_5632 tcp_5632 unidirectional
nat (outside,inside) source static any any destination static interface server_ip service tcp_3389 tcp_3389 unidirectional
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.0.128_27 NETWORK_OBJ_192.168.0.128_27 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.15 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy sts_internal internal
group-policy sts_internal attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sts_internal_splitTunnelAcl
username xxxxxx password yyyyyyyyyy encrypted privilege 0
username xxxxxx attributes
 vpn-group-policy sts_internal
tunnel-group sts_internal type remote-access
tunnel-group sts_internal general-attributes
 address-pool pool_internal
 default-group-policy sts_internal
tunnel-group sts_internal ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:b17c98f46de2ac320b2119f7feee3b5f
: end
ciscoasa#

Hi!

Use a different subnet for the VPN pool, like 10.20.30.0/24.

Implement appropriate access lists to permit traffic between 10.20.30.0/24 and 192.168.0.0/24.

If needed, exempt NAT between 10.20.30.0/24 and 192.168.0.0/24.

F

Uhm, OK, I'll test the configuration.

I've another problem:

When I connect to the VPN and authenticate with the ASA and it assigns the address, I cannot browse from my PC!

My PC loses the gateway and all traffic is routed over the VPN!

How can I split the traffic, one part for the VPN and one to the Internet, not encrypted?

Thanks, and sorry for my English.

To begin with, make the changes I suggested.

Which VPN client do you run? I would suggest running AnyConnect.

F

I use VPN Client version 5.0.06.0110.

The connection works, the ASA assigns the address, then I must add the ACL, OK, but why can't I browse with my PC?

Must I add a route on my PC in Windows?

Thanks

bye

No, you should not need that. Have you changed the IP-pool?

F

Yes, I changed the pool and the ASA assigns the new address, but I have the same problem:

- doesn't talk with the LAN network

- my home PC doesn't browse after connecting to the VPN

Thanks,

bye

Hi,

The only thing that I can think of is that the ACL for split tunneling is not configured properly, hence the reason all traffic goes through the tunnel.

And I don't see the NAT exempt, although I am not using the newer code, but it looks like you NAT your LAN to the /27 address here?

HTH,

Vikram
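The advice in F's and Vikram's replies comes down to three checks on the posted config: the pool must not be 193.168.0.0/24 (not RFC 1918 space), it should not sit inside the 192.168.0.0/24 LAN (a pool carved out of the inside subnet needs the ASA to proxy-ARP for the clients, and the wizard's NAT rule carries no-proxy-arp), and there must be an identity NAT (the NAT exempt Vikram asks about) between the LAN and the pool. Below is an added example, not code from this thread, that parses those few ASA 8.4 commands out of a config and reports each problem; it also flags the DES/3DES/MD5 transform sets the wizard left in, which nobody in the thread raised but which a reviewer would want removed. Both embedded configs are constructed: POSTED_CONFIG is abridged from freddie975's posted config, and FIXED_CONFIG applies F's 10.20.30.0/24 pool with an object named VPN_POOL (that object name is my assumption) and an identity NAT to it. Parsing handles only the command forms that appear in this thread.

```python
"""Audit an ASA 8.4 remote-access IPsec config for the problems raised in this thread.

Added example, not code from the original post. POSTED_CONFIG is abridged from
the configuration posted above; FIXED_CONFIG applies the replies' advice. Both
are constructed, and parsing covers only the command forms seen in the thread.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

POSTED_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.128_27
 subnet 192.168.0.128 255.255.255.224
ip local pool pool_internal 192.168.0.130-192.168.0.150 mask 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_192.168.0.128_27 NETWORK_OBJ_192.168.0.128_27 no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
"""

# Pool on its own subnet (object name VPN_POOL is assumed), identity NAT for LAN <-> pool, AES/SHA only.
FIXED_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.0.1 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network VPN_POOL
 subnet 10.20.30.0 255.255.255.0
ip local pool pool_internal 10.20.30.10-10.20.30.50 mask 255.255.255.0
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
"""

WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_interfaces(cfg: str) -> Dict[str, ipaddress.IPv4Interface]:
    """nameif -> interface address, read from each 'interface' block."""
    pat = r"^ nameif (\S+)\n(?: .*\n)*? ip address (\S+) (\S+)"
    return {m.group(1): ipaddress.IPv4Interface(f"{m.group(2)}/{m.group(3)}")
            for m in re.finditer(pat, cfg, re.M)}


def parse_pools(cfg: str) -> Dict[str, List[ipaddress.IPv4Network]]:
    """'ip local pool' name -> the address range summarised as CIDR blocks."""
    return {m.group(1): list(ipaddress.summarize_address_range(
                ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3))))
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}


def parse_objects(cfg: str) -> Dict[str, ipaddress.IPv4Network]:
    """'object network' name -> network ('host' becomes a /32)."""
    pat = r"^object network (\S+)\n (?:subnet (\S+) (\S+)|host (\S+))"
    return {m.group(1): ipaddress.IPv4Network(
                f"{m.group(2)}/{m.group(3)}" if m.group(2) else f"{m.group(4)}/32")
            for m in re.finditer(pat, cfg, re.M)}


def parse_identity_nat(cfg: str) -> List[Tuple[str, str]]:
    """Twice-NAT exemptions 'source static X X destination static Y Y' -> (X, Y)."""
    pat = r"^nat \([^)]*\) source static (\S+) \1 destination static (\S+) \2"
    return [(m.group(1), m.group(2)) for m in re.finditer(pat, cfg, re.M)]


def weak_transform_sets(cfg: str) -> List[str]:
    """Names of IKEv1 transform sets that still offer DES, 3DES, MD5 or NULL."""
    pat = r"^crypto ipsec ikev1 transform-set (\S+) (.+)$"
    return [m.group(1) for m in re.finditer(pat, cfg, re.M) if WEAK_ESP & set(m.group(2).split())]


def audit(cfg: str) -> List[str]:
    """One finding per problem; an empty list means every check passed."""
    findings = []
    inside = parse_interfaces(cfg).get("inside")
    objs = parse_objects(cfg)
    # Destination objects of identity NAT rules: one of them must cover the whole pool.
    exempt_dsts = [objs[dst] for _, dst in parse_identity_nat(cfg) if dst in objs]
    for name, blocks in parse_pools(cfg).items():
        if not all(b.is_private for b in blocks):
            findings.append(f"pool {name} is not RFC 1918 space")
        if inside and any(b.overlaps(inside.network) for b in blocks):
            findings.append(f"pool {name} overlaps the inside subnet {inside.network}")
        if not any(all(d.supernet_of(b) for b in blocks) for d in exempt_dsts):
            findings.append(f"pool {name} has no identity NAT exempting LAN <-> pool traffic")
    weak = weak_transform_sets(cfg)
    if weak:
        findings.append("weak transform sets offered: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or ["ok"])
```

Running it reports two findings for the posted config (the pool overlaps the inside subnet; ESP-DES-MD5 is offered) and nothing for the fixed one. Swapping the pool back to 193.168.0.10-193.168.0.50 reproduces the first post's situation: the pool is flagged as non-private and as having no identity NAT covering it, because the wizard's exemption only covers 192.168.0.128/27.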

I've used the wizard to create the IPsec VPN and probably got something wrong,

though the wizard is so easy.

Have you some sample configuration?

Thanks

bye

The split-tunnel ACL looks OK and the group-policy also looks good.

Can you verify, when you connect with the VPN client, what permitted network it takes?

Is it 192.168.0.0 255.255.255.0 or blank?

Usually I write the access-list as permit ip 192.168.0.0 255.255.255.0 any, but yours is using the standard one; not sure if that's the issue here...

Maybe you can try changing the ACL to an extended one...

HTH,

Vikram
