08-04-2009 05:59 PM - edited 03-11-2019 09:02 AM
I can log in to the ASA, but it does not interact with the LAN.
The config:
hostname(config)# interface ethernet0
hostname(config-if)# ip address 10.10.4.200 255.255.0.0
hostname(config-if)# nameif outside
hostname(config-if)# no shutdown
hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# ip local pool testpool 192.168.0.10-192.168.0.15
hostname(config)# username testuser password 12345678
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# tunnel-group testgroup type ipsec-ra
hostname(config)# tunnel-group testgroup general-attributes
hostname(config-general)# address-pool testpool
hostname(config)# tunnel-group testgroup ipsec-attributes
hostname(config-ipsec)# pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto dynamic-map dyn1 1 set transform-set FirstSet
hostname(config)# crypto dynamic-map dyn1 1 set reverse-route
hostname(config)# crypto map mymap 1 ipsec-isakmp dynamic dyn1
hostname(config)# crypto map mymap interface outside
The topology: LAN - ASA - WAN - PC (VPN client)
08-05-2009 06:23 AM
Starting from the connected client, review the VPN client statistics and confirm whether or not you see packets being encap/decap. Next move to the ASA and review the IPSec SA for the connected client. Do you see packets being actively encap/decap? If you see packets being decap from the client but not being encap towards the client, you will want to confirm that you have exempted the LAN to client pool traffic from NAT. If the ASA is not the internal LAN host default gateway, ensure that the L3 devices in the path have a route towards the ASA for the 192.168.0.0 client pool. I see that RRI is configured but can't tell from the config snippet whether a routing protocol is also configured. Finally, ensure that there are no packet filters in place which are inadvertently denying packets.
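The checks and fixes from the reply above, written out as ASA and router CLI. This is an added illustration, not part of the original reply or of the poster's configuration. It assumes an ASA inside interface named `inside` with the LAN 192.168.1.0/24 behind it and the ASA inside address 192.168.1.1 (none of which appear in the posted snippet), and uses the ASA 8.2-and-earlier NAT syntax current in 2009, with the 8.3+ equivalent in a comment. The pool 192.168.0.10-15 falls inside 192.168.0.0/28.

```text
! --- 1. On the ASA: is traffic arriving from the client and leaving for it?
! "#pkts encaps" counts packets sent into the tunnel towards the client,
! "#pkts decaps" counts packets received from it. Rising decaps with a flat
! encaps means the LAN's return traffic never reaches the tunnel.
hostname# show crypto isakmp sa
hostname# show crypto ipsec sa peer <client-peer-ip>

! --- 2. Exempt LAN <-> client-pool traffic from NAT.
! Assumed LAN 192.168.1.0/24 on assumed interface "inside".
! ASA 8.2 and earlier:
hostname(config)# access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.240
hostname(config)# nat (inside) 0 access-list NO_NAT
! ASA 8.3 and later equivalent (identity twice-NAT rule):
!   object network LAN
!    subnet 192.168.1.0 255.255.255.0
!   object network VPN_POOL
!    subnet 192.168.0.0 255.255.255.240
!   nat (inside,outside) source static LAN LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! --- 3. Decrypted VPN traffic bypasses the interface ACLs only while this
! (default-on) setting is in place; confirm nobody has turned it off.
hostname(config)# sysopt connection permit-vpn

! --- 4. Routing. RRI injects a host route for each connected client into the
! ASA's own table (check with "show route"), but devices behind the ASA still
! need a path to the pool. On the internal L3 device (assumed ASA inside
! address 192.168.1.1):
router(config)# ip route 192.168.0.0 255.255.255.240 192.168.1.1
! or redistribute the RRI routes into the IGP spoken on the inside interface,
! e.g. on the ASA under "router ospf 1": redistribute static subnets

! --- 5. Simulate a LAN host answering the client (ICMP echo reply, type 0
! code 0); the trace names the phase (NAT, ACL, route, VPN) that drops it.
hostname# packet-tracer input inside icmp 192.168.1.50 0 0 192.168.0.10 detailed
```

Run step 5 with a real LAN host address and a currently assigned pool address: if the trace ends at the NAT phase, step 2 is missing; if it ends at the route lookup, the pool is not routable from the inside.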
08-05-2009 05:48 PM
Thanks for your help. I have looked at the VPN client: it shows packets encrypted only, none decrypted, and it can only send packets, not receive them. Before using the VPN connection, all routes were fine; the VPN client could connect to the LAN behind the ASA.