Hola:
bueno principlamente es lo siguiente , en la puesta en produccion de un Cisco AsA realice la conexion hacia internet sin problemas luego configure un grupo de vpn para comenzar a trabajar y dar soporte pero al conectar hacia la red interna lan este provoco la caida de la red especialmente del servicio dhcp y con esto los usuarios finales les daba el error de ip en conflicto , hoy analice mejor la configuracion y existia un error adjunto la configuracion y el cambio, creo esa era la situacion ahora estoy esperando la ventana de tiempo para poder levantar la conexion de la ethernet 0/1
principalmente el error era el nat con esto estaba activando las traslaciones pero en sentido inverso con sus proxy arp. para los usuarios vpn.
nat (internet,inside) source static VpnLAN VpnLAN destination static VpnCliente VpnCliente
el cambio
nat (inside,internet) source static VpnLAN VpnLAN destination static VpnCliente VpnCliente
interface Ethernet0/0
description INTERNET
nameif internet
security-level 0
ip address 201.238.221.21 255.255.255.248
!
interface Ethernet0/1
description LAN
shutdown
nameif inside
security-level 100
ip address 10.30.17.1 255.255.254.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
boot system disk0:/asa845-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name linde.cl
object-group network VpnLAN
description Permisos administracion red interna
network-object 10.30.16.0 255.255.254.0
network-object 10.218.131.0 255.255.255.0
object-group network VpnCliente
description usuarios vpn soporte
network-object host 10.30.17.20
network-object host 10.30.17.21
network-object host 10.30.17.22
network-object host 10.30.17.23
network-object host 10.30.17.24
network-object host 10.30.17.25
access-list vpn_client extended permit ip object-group VpnLAN object-group VpnCliente
pager lines 24
logging enable
logging asdm debugging
mtu internet 1500
mtu inside 1500
mtu management 1500
ip local pool Soporte 10.30.17.20-10.30.17.25 mask 255.255.254.0
ip local pool user-corp 10.30.17.26-10.30.17.40 mask 255.255.254.0
ip verify reverse-path interface internet
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,internet) source static VpnLAN VpnLAN destination static VpnCliente VpnCliente
route internet 0.0.0.0 0.0.0.0 201.238.221.17 1
route inside 10.218.131.0 255.255.255.0 10.30.16.11 1
crypto ipsec ikev1 transform-set usuarioremoto esp-aes esp-sha-hmac
crypto dynamic-map clienteremoto 65535 set ikev1 transform-set usuarioremoto
crypto map segurovpn 200 ipsec-isakmp dynamic clienteremoto
crypto map segurovpn interface internet
crypto isakmp identity address
crypto isakmp nat-traversal 30
crypto ikev1 enable internet
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 1800
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
anyconnect-essentials
group-policy cliente internal
group-policy cliente attributes
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_client
address-pools value Soporte-Hiway
tunnel-group Soporte2013 type remote-access
tunnel-group Soporte2013 general-attributes
address-pool Soporte
default-group-policy cliente
password-management
tunnel-group Soporte2013 ipsec-attributes
ikev1 pre-shared-key *****
