09-29-2010 06:13 AM - edited 03-04-2019 09:56 AM
Hello Friends,
When I try to connect to the VPN from my HOME, I am not able to authenticate, though my username and password are correct. When I remove the command
crypto map <map-name> client authentication list <list name>, I connect directly without authenticating, but I am not able to go further than the internet router; I cannot even ping the directly connected firewall interface.
Thanks
09-29-2010 09:41 AM
Hi,
Something is not correct with the authentication portion of the configuration for the tunnel and that's why you can't connect with your user/pass.
If you remove that line, then you're not prompted for credentials and you're allowed in.
Now, if you can't access internal resources the most common issues are:
- No route back to the VPN pool from the internal network
- NAT messing in the path
- Split-tunneling issues
Question.
Can you PING the inside IP of the router when connected from the VPN client?
Can you check both the interesting traffic and that VPN traffic is bypassing NAT?
If you need help with that please post the relevant part of the configuration.
Federico.
09-29-2010 01:06 PM
Hello Dear,
The pool I am using is a free subnet from the corporate LAN, so I think it doesn't cause any issues, and I have also bypassed NAT for the VPN pool.
Am I still missing anything? Please guide.
I can ping the internet router's internal interface, which is connected to the ASA, but I can't ping the ASA interface, though the ASA has a default route pointing to the internet router. I have enabled icmp permit any any on the ASA.
Your help will be appreciated.
CONFIGURATION:
aaa new-model
!
!
aaa authentication login test local
aaa authorization network test local
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 60 20
crypto isakmp xauth timeout 30
!
crypto isakmp client configuration group test
 key cisco123
 dns
 pool test
!
!
crypto ipsec transform-set testtransform esp-3des esp-md5-hmac
!
crypto dynamic-map test-map 1
 set transform-set testtransform
 reverse-route
!
!
crypto map test-map client authentication list test
crypto map test-map isakmp authorization list test
crypto map test-map client configuration address respond
crypto map test-map 10 ipsec-isakmp dynamic test-map
!
!
!
!
!
!
interface FastEthernet0/1
 ip address 212.X.X.X 255.255.255.248
 ip nat outside
 duplex auto
 speed auto
 crypto map test-map
!
interface FastEthernet0/0
 description ** Connected to External ASA **
 ip address 10.X.X.X 255.255.255.192
 ip accounting output-packets
 ip nat inside
 no ip virtual-reassembly
 ip policy route-map WWW-REDIRECT
 duplex auto
 speed 100
!
ip local pool test 10.1.1.1 10.1.1.30
ip classless
ip route 0.0.0.0 0.0.0.0 212.X.X.X
no ip http server
no ip http secure-server
!
!
ip nat inside source list 110 interface FastEthernet0/1 overload
access-list 110 deny ip 10.0.0.0 0.255.255.255 10.1.1.0 0.0.0.31
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
!
logging alarm informational
!
!
!
!
control-plane
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end
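Federico's second question was whether VPN traffic actually bypasses NAT. The following checker, an added example and not part of this thread, models the first-match logic of the posted access-list 110 (IOS wildcard masks, implicit deny at the end) and verifies that every address of the posted pool 10.1.1.1-10.1.1.30 is exempt from translation when reached from an inside host. The inside host address 10.5.5.5 and the out-of-pool address 10.1.1.40 are constructed test values.

```python
import ipaddress

# Copied from the posted configuration (the NAT ACL referenced by
# "ip nat inside source list 110 interface FastEthernet0/1 overload").
ACL_110 = """
access-list 110 deny ip 10.0.0.0 0.255.255.255 10.1.1.0 0.0.0.31
access-list 110 permit ip 10.0.0.0 0.255.255.255 any
"""

VPN_POOL = ("10.1.1.1", "10.1.1.30")  # "ip local pool test 10.1.1.1 10.1.1.30"


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network (1 bits = don't care)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_prefix(tokens):
    """Consume one source/destination specifier: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N <permit|deny> ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        action, rest = parts[2], parts[4:]   # parts[3] is the protocol ("ip")
        src, rest = _take_prefix(rest)
        dst, _ = _take_prefix(rest)
        entries.append((action, src, dst))
    return entries


def nat_decision(entries, src, dst):
    """First matching entry wins: permit -> translated, deny -> bypasses NAT.
    A packet matching nothing hits the implicit deny and is also not translated."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, sn, dn in entries:
        if s in sn and d in dn:
            return "translated" if action == "permit" else "bypassed"
    return "bypassed"


def pool_fully_exempt(entries, first, last, inside_host="10.5.5.5"):
    """True if every pool address is reachable from inside_host without NAT."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return all(nat_decision(entries, inside_host, str(ipaddress.IPv4Address(i))) == "bypassed"
               for i in range(lo, hi + 1))
```

If `pool_fully_exempt` ever returns False after the pool or ACL is edited, traffic to the affected client addresses would be translated and leave FastEthernet0/1 instead of entering the tunnel.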
09-29-2010 01:22 PM
If you can PING the inside IP of the router, traffic is flowing through the tunnel properly.
The setup is like this:
ASA -- VPN Router --- Internet -- VPN Client
The ASA should have a route to the VPN pool pointing to the ASA (assuming it does not have a default gateway).
Also check the following:
sh cry ips sa --> you should see the packets encrypted/decrypted for the subnet that you're trying to reach via VPN
On the VPN client:
Under the secured routes, you should see the networks you want to reach (or 0.0.0.0 if not using split tunneling).
Federico.