Cisco ASA 5505 Site to Site VPN and Remote Access VPN problem...

Dear All,

I have an ASA 5505 with base license and IOS version is 7.2(4). I configured both site-to-site VPN and Remote Access VPN. Site-to-site VPN is working fine and the Remote Access VPN tunnel also came up; the remote user got an IP address from the firewall.

But the problem is the remote user is unable to ping the local users.

While watching the logs it shows: " IKE initiator unable to find the policy: Src "

Below I am attaching the configuration.

Your response is appreciated.

Regards,

Janardhan


Hi,

Looking at the configuration, you have a split-tunneling ACL called RAVPN_splitTunnelAcl.

But that ACL is not defined in the configuration.

You can go ahead and add:

access-list RAVPN_splitTunnelAcl standard permit 192.168.8.0 255.255.255.0

Another recommendation is not to use the same subnet range for the VPN pool as for the local network.

A good test I like to use is to add management-access inside and try to PING the inside IP of the ASA from the VPN client.

After this, check the output of sh cry ips sa for packets encrypted/decrypted.

Federico.

Hi Federico,

Thanks for your response.

I did what you said, but the problem is still the same.

Site-to-site VPN is working fine and Remote Access VPN came up, but the remote user is unable to ping the local network.

Configured below statements:

ip local pool RPOOL 10.10.10.1-10.10.10.10 mask 255.255.255.0

access-list RAVPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0

access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0

management-access inside

For your reference I am attaching the configuration and the output of the sh cry ipsec sa command.

Regards,

Janardhan

Do this:

no access-list RAVPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
access-list RAVPN_splitTunnelAcl standard permit 192.168.8.0 255.255.255.0

Clear the SAs:

clear cry isa sa
clear cry ips sa

Then try to PING 192.168.8.200 from the VPN client.

Federico.

Hi Federico,

Thanks for the reply.

I did what you said.

But I am still having the same problem.

Regards,

Janardhan


Ok, but did you try to PING 192.168.8.200 from the VPN client?

If the PING is successful, we are almost there ;p

If the PING is unsuccessful, check in the VPN client under Statistics whether packets are being encrypted.

Also check show crypto ipsec sa to see whether packets are being decrypted.

Federico.

Hi Federico,

Ping is not successful.

But the firewall shows that packets are decrypted.

Regards,

Janardhan


Hi Federico,

This is the error log while I am pinging from the client:

3 Feb 03 2011 22:08:03 713042 IKE Initiator unable to find policy: Intf outside, Src: 192.168.8.200, Dst: 10.10.10.1

Regards,

Janardhan

Hi Federico,

Here I am attaching the debug output of debug crypto isakmp sa

and the

sh cry ipsec sa

sh cry isakmp sa outputs after connecting from the remote client.

Maybe these outputs will help to find the issue.

Regards,

Janardhan


Hi Federico,

Here I am attaching the outputs of

debug cry ipsec sa

debug cry isakmp sa

sh cry ipsec sa

sh cry isakmp sa

Regards,

Janardhan


Hi Federico,

Is there any update?

Regards,

Janardhan

Janardhan,

There's VPN traffic flowing fine between 192.168.0.0/22 and 192.168.8.0/24.

Could you post your updated configuration?

Federico.

Hi Federico,

Thanks for your support and patience all this time.

Below is the updated configuration.

: Saved
:
ASA Version 7.2(4)
!
hostname KHARKANA
domain-name default.domain.invalid
enable password mwHq/3jt1S2xX9nS encrypted
passwd JbFSGGm/y7i8EPBL encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.8.200 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.0
!
interface Vlan200
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
access-list 100 extended permit ip any any
access-list 100 extended permit tcp any any
access-list 100 extended permit udp any any
access-list 100 extended permit icmp any any
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any any
access-list 101 extended permit udp any any
access-list RAVPN_splitTunnelAcl standard permit 192.168.8.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RPOOL 10.10.10.1-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https 192.168.8.104 https netmask 255.255.255.255
static (inside,outside) tcp interface 81 192.168.8.220 81 netmask 255.255.255.255
static (inside,outside) tcp interface ftp-data 192.168.8.170 ftp-data netmask 255.255.255.255
static (inside,outside) tcp interface 8002 192.168.8.170 8002 netmask 255.255.255.255
static (inside,outside) tcp interface 8003 192.168.8.170 8003 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.8.170 ftp netmask 255.255.255.255
static (inside,outside) tcp interface telnet 192.168.8.170 telnet netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.8.170 8080 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.8.104 www netmask 255.255.255.255
access-group 100 in interface inside
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set FirstSet
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map abcmap 1 match address nonat
crypto map abcmap 1 set peer 182.72.240.158
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 15
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.8.2-192.168.8.129 inside
dhcpd enable inside
!
group-policy RAVPN internal
group-policy RAVPN attributes
 banner value UNAUTHORIZED USERS ARE STRICTLY PROHIBITED- POWERED BY NIPUN NET SOLUTIONS
 dns-server value X.X.X.X X.X.X.X
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAVPN_splitTunnelAcl
username test1 password Kg/Rgy23do7gPGTv encrypted
username test1 attributes
 vpn-group-policy RAVPN
username test password P4ttSyrm33SV8TYp encrypted
username lucid password /HXEx0mtSZZd.DrB encrypted
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *
tunnel-group RAVPN type ipsec-ra
tunnel-group RAVPN general-attributes
 address-pool RPOOL
 default-group-policy RAVPN
tunnel-group RAVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
class-map testmap
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8f59afb70deaac55290ddef58961445a
: end

Regards,

Janardhan


Hi Federico,

Finally I got the result.

Below is the configuration I modified:

access-list crypto_one extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0

Then changed:

crypto map abcmap 1 match address nonat

crypto map abcmap 1 set peer X.X.X.X

crypto map abcmap 1 set transform-set FirstSet

to:

crypto map abcmap 1 match address crypto_one

crypto map abcmap 1 set peer X.X.X.X

crypto map abcmap 1 set transform-set FirstSet

Now both VPNs are working fine.

Thanks for your support.

Regards,

Janardhan
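The two defects this thread converged on are both visible from the running config: the split-tunnel group policy referenced an ACL (RAVPN_splitTunnelAcl) that was never defined, and the site-to-site crypto map entry reused the NAT-exemption ACL (nonat) as its match-address ACL. Because nonat also had to cover the remote-access pool 10.10.10.0/24 for NAT exemption, replies from 192.168.8.200 to a VPN client at 10.10.10.1 matched static crypto map entry 1 and were treated as traffic for the L2L peer, which is the 713042 "IKE Initiator unable to find policy" message quoted earlier. The linter below is an added example, not Cisco code and not taken from the posts; it reads a constructed config fragment in the shape of the one posted above (names and addresses from the thread, nothing else real) and reports all three conditions: undefined split-tunnel ACLs, pools without a nat 0 exemption, and static crypto map ACLs that cover the pool.

```python
"""Lint a Cisco ASA 7.x config for the remote-access VPN mistakes discussed in
this thread.  Added example, not Cisco code and not from the original posts.

Checks:
  1. every split-tunnel-network-list refers to an ACL that actually exists;
  2. the nat (inside) 0 exemption ACL covers the remote-access address pool;
  3. no static crypto map entry's match-address ACL covers the pool (otherwise
     replies to VPN clients are steered to the L2L peer and the ASA logs 713042).
"""
import ipaddress
import re

# Constructed sample in the shape of the config posted above (names and
# addresses from the post, trimmed to the lines the checks read).
BROKEN_CONFIG = """\
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0
ip local pool RPOOL 10.10.10.1-10.10.10.10 mask 255.255.255.0
nat (inside) 0 access-list nonat
crypto map abcmap 1 match address nonat
crypto map abcmap 1 set peer 182.72.240.158
crypto map abcmap 65535 ipsec-isakmp dynamic outside_dyn_map
group-policy RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAVPN_splitTunnelAcl
"""

# The same fragment after the two fixes the thread converged on.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "crypto map abcmap 1 match address nonat",
    "crypto map abcmap 1 match address crypto_one",
) + """\
access-list crypto_one extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list RAVPN_splitTunnelAcl standard permit 192.168.8.0 255.255.255.0
"""

EXT_ACL = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
STD_ACL = re.compile(r"^access-list (\S+) standard permit (\S+) (\S+)$")
POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+$")
NAT0 = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CMAP = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
SPLIT = re.compile(r"^split-tunnel-network-list value (\S+)$")


def parse(config):
    """Collect ACL entries, pools, nat 0 ACLs, static crypto map ACLs and
    split-tunnel references from the config text."""
    acls, pools, nat0, cmaps, splits = {}, {}, [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := EXT_ACL.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := STD_ACL.match(line):
            # A standard ACL names only a destination; record a wildcard source.
            acls.setdefault(m.group(1), []).append(
                (ipaddress.ip_network("0.0.0.0/0"),
                 ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")))
        elif m := POOL.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        elif m := NAT0.match(line):
            nat0.append(m.group(1))
        elif m := CMAP.match(line):
            cmaps.append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := SPLIT.match(line):
            splits.append(m.group(1))
    return acls, pools, nat0, cmaps, splits


def covers(net, first, last):
    """True if network `net` contains any address in the pool range first..last."""
    return int(net.network_address) <= int(last) and int(net.broadcast_address) >= int(first)


def lint(config):
    """Return a list of human-readable findings (empty list means clean)."""
    acls, pools, nat0, cmaps, splits = parse(config)
    findings = []
    for acl in splits:
        if acl not in acls:
            findings.append(f"split-tunnel ACL {acl} is referenced but never defined")
    for pname, (first, last) in pools.items():
        exempt = any(covers(dst, first, last)
                     for acl in nat0 for _, dst in acls.get(acl, []))
        if not exempt:
            findings.append(f"pool {pname} is not covered by any nat 0 exemption ACL")
        # Only static entries have 'match address'; the dynamic entry is skipped.
        for cmap, seq, acl in cmaps:
            for _, dst in acls.get(acl, []):
                if covers(dst, first, last):
                    findings.append(
                        f"crypto map {cmap} {seq} match address {acl} covers pool {pname} "
                        f"({dst}); replies to clients go to the L2L peer (713042)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or ["no findings"])
```

Run against the broken fragment it reports the undefined split-tunnel ACL and the crypto map overlap; against the fixed fragment it reports nothing, because nonat is still the nat 0 ACL (so the pool stays exempt from PAT) while crypto_one, which names only 192.168.0.0/22, is what the static crypto map entry now matches on. The check deliberately keys on destination networks: the pool must appear in the nat 0 ACL and must not appear in any static crypto ACL, and reusing one ACL for both roles cannot satisfy both.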
