11-25-2011 02:31 AM - edited 03-11-2019 02:55 PM
Hi,
I've configured a VPN IPSEC on my ASA5510. It Assigned IP/NETMASK/Gateway via a DHCP Server on the LAN.
The problem is that when a client is connected to the VPN , it takes the right IP and NETMASK. ( 192.168.1.109 / 255.255.255.0) but the Default Gateway is wrong ( 192.168.1.1). It should be the default Gateway of my LAN router ( 192.168.1.229).
Any Ideas?
Thank you
11-25-2011 03:16 AM
Hi,
What type of VPN is it ? Please post your ASA config.
Thanks
Ajay
11-25-2011 05:06 AM
It's a VPN IPSEC.
Here is the VPN ASA Config:
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set RA-AES256SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set RA-AES256SHA
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet timeout 5
ssh timeout 5
console timeout 0
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy IPSecGroupPolicy internal
group-policy IPSecGroupPolicy attributes
vpn-tunnel-protocol IPSec
username vrichard password SLnrnvkgDCGbFzSy encrypted
username admin password s4eZ65wMkbzN/t/U encrypted
tunnel-group SecureMeIPSEC type remote-access
tunnel-group SecureMeIPSEC general-attributes
default-group-policy IPSecGroupPolicy
dhcp-server 192.168.1.4
tunnel-group SecureMeIPSEC ipsec-attributes
pre-shared-key *
11-25-2011 05:21 AM
can you post full config?
11-25-2011 05:36 AM
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname asaCDM
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 7pnMci0DbmR0wKYW encrypted
names
name 194.x.x.x WAN
!
interface Ethernet0/0
speed 100
nameif LAN
security-level 100
ip address 192.168.1.254 255.255.255.0
!
interface Ethernet0/1
speed 100
nameif DMZ
security-level 50
ip address 10.1.1.1 255.0.0.0
!
interface Ethernet0/2
speed 100
nameif WAN
security-level 0
ip address WAN 255.255.255.248
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 172.16.1.254 255.255.0.0
management-only
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup DMZ
dns domain-lookup WAN
dns server-group DefaultDNS
name-server 194.2.0.20
name-server 194.2.0.50
same-security-traffic permit intra-interface
access-list WAN_access_in extended deny ip any any
access-list DMZ_nat0_outbound extended permit ip host 10.1.1.2 host 192.168.1.4
access-list LAN_nat0_outbound extended permit ip 192.168.0.0 255.255.248.0 object-group DM_INLINE_NETWORK_24
access-list DMZ_nat0_outbound_1 extended permit ip host 10.1.1.2 host 192.168.1.4
pager lines 24
logging enable
logging asdm warnings
mtu LAN 1500
mtu DMZ 1500
mtu WAN 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 192.168.1.0 255.255.255.0
nat (DMZ) 0 access-list DMZ_nat0_outbound_1 outside
static (DMZ,LAN) 194.x.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,LAN) 194.x.x.y 10.1.1.3 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.x 10.1.1.2 netmask 255.255.255.255
static (DMZ,WAN) 194.x.x.y 10.1.1.3 netmask 255.255.255.255
static (LAN,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.248.0
access-group LAN_access_in in interface LAN
access-group DMZ_access_in in interface DMZ
access-group WAN_access_in in interface WAN
route WAN 0.0.0.0 0.0.0.0 194.x.x.z 1
route LAN 192.168.0.1 255.255.255.255 192.168.1.229 1
route LAN 192.168.2.0 255.255.255.0 192.168.1.230 1
route LAN 192.168.2.2 255.255.255.255 192.168.1.240 1
route LAN 192.168.2.209 255.255.255.255 192.168.1.240 1
route LAN 192.168.2.210 255.255.255.255 192.168.1.240 1
route LAN 192.168.4.0 255.255.255.0 192.168.1.229 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.0.0 255.255.0.0 management
http 192.168.1.0 255.255.255.0 LAN
no service resetoutbound interface management
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set RA-AES256SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set RA-AES256SHA
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign local
telnet timeout 5
ssh timeout 5
console timeout 0
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy IPSecGroupPolicy internal
group-policy IPSecGroupPolicy attributes
vpn-tunnel-protocol IPSec
username vrichard password SLnrnvkgDCGbFzSy encrypted
username admin password s4eZ65wMkbzN/t/U encrypted
tunnel-group SecureMeIPSEC type remote-access
tunnel-group SecureMeIPSEC general-attributes
default-group-policy IPSecGroupPolicy
dhcp-server 192.168.1.4
tunnel-group SecureMeIPSEC ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2c69d62bdf751b2bcbbe68b181e0bd09
: end
11-25-2011 05:43 AM
Here is journal logging of the VPN Client
11-25-2011 07:31 AM
I forgot to say that I use VISTA as operating system.
When I use XP , Default Gateway is the same IP that the Cisco system adapter interface. Is it normal ?
In the Two Cases, I have access to my LAN ressources but I don't have access to Internet.
Thank you.
11-29-2011 08:06 AM
I Add manually the DNS in the ASA config and i'am able to access internet now. In fact, VPN client just received the IP address and the Netmask from the DHCP.
Does someone have explaination about the default gateway ?
Without the right gateway I only have access to the 192.168.1.0/24 network. I would like to join other network.
Thank you
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide