09-24-2007 10:21 AM - edited 02-21-2020 03:17 PM
I've just set up a RA VPN on a new ASA5505. I followed documentation from Cisco on getting it set up. I can connect, but I cannot ping anything on the inside. At first I had the vpn pool giving out IPs on the inside but I read that this was incorrect. So I assigned a different IP scheme. I'm just not sure how to make it NAT correctly so that I can get to inside IP addresses. If anyone could help, I would appreciate it.
Thanks!
09-26-2007 07:44 AM
Thanks for all of your help.
I needed the route inside 172.20.5.0 255.255.255.0 192.168.1.x 255.255.255.0 command.
Everything appears to be working correctly now.
09-26-2007 08:08 AM
Good deal, glad it worked out. Thanks for the rating.
09-27-2007 05:20 AM
Ran into another problem this morning. I've tested everything on my end and it works great. Client has a new web server that we are supposed to RDP into once connected to VPN and set up. From my office logged in with our account, I can RDP to the server fine. From a different office, my web developer tries to log in and gets connected fine but can't RDP into the server. Any ideas why it would work from here but not from there?
Thanks!
09-27-2007 05:23 AM
Check the firewall config for...
crypto isakmp nat-traversal
and add it if it is missing.
09-27-2007 05:35 AM
It wasn't in there. I added it and it worked. Can you tell me exactly what that command does?
Thanks again for all your help!
09-27-2007 05:43 AM
It enables nat-traversal, which allows you to have ipsec esp packets encapsulated in udp. To put it simply, if a vpn client is behind a pat/nat device, ipsec and pat are incompatible, therefore nat-t must be enabled and used. It runs over udp port 4500.
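The UDP encapsulation described in the reply above, as an added example that is not part of the original thread: a small Python classifier for UDP port 4500 payloads, using the RFC 3948 framing rules (one-byte keepalive, four zero bytes before IKE, anything else is ESP). The function name and the sample payloads are constructed for illustration.

```python
import struct

NATT_PORT = 4500                       # UDP port NAT-T runs over (from the reply above)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefixes IKE messages on this port
IKE_HEADER = struct.Struct("!8s8sBBBBII")  # fixed 28-byte ISAKMP/IKE header


def classify_natt_payload(payload: bytes) -> dict:
    """Classify the payload of one UDP/4500 datagram (hypothetical helper)."""
    if payload == b"\xff":
        # One 0xFF byte: keepalive that stops the NAT/PAT mapping from expiring.
        return {"type": "nat-keepalive"}
    if len(payload) < 8:
        return {"type": "malformed"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER.size:
            return {"type": "malformed"}
        # Fields: initiator SPI, responder SPI, next payload, version,
        # exchange type, flags, message ID, total length.
        _, _, _, version, exchange, _, _, length = IKE_HEADER.unpack_from(ike)
        return {"type": "ike", "major_version": version >> 4,
                "exchange_type": exchange, "length": length}
    # Anything else is ESP carried in UDP: SPI (never zero), then sequence number.
    spi, seq = struct.unpack_from("!II", payload)
    return {"type": "esp-in-udp", "spi": spi, "seq": seq}


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "keepalive": b"\xff",
    "ike": NON_ESP_MARKER
    + IKE_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28),
    "esp": struct.pack("!II", 0x12345678, 1) + b"\xaa" * 16,
    "short": b"\x00\x00",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10s} -> {classify_natt_payload(data)}")
```

If a capture from a client behind a PAT device shows IKE on UDP 4500 but never any ESP-in-UDP datagrams, the tunnel negotiated but data traffic is not flowing through the encapsulation.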
11-29-2017 03:57 AM
I am in the middle of setting up an ipsec-vpn with ikev2, but my tunnel-group ipsec attributes will not accept the ikev2 command. Please refer to the output below:
ata-FW(config)# tunnel-group RAVPN ipsec-attributes
Data-FW(config-tunnel-ipsec)# ?
tunnel-group configuration commands:
  authorization-required  Require users to authorize successfully in order to
                          connect (DEPRECATED)
  chain                   Enable sending certificate chain
  exit                    Exit from tunnel-group IPSec attribute configuration
                          mode
  help                    Help for tunnel group configuration commands
  ikev1                   Configure IKEv1
  isakmp                  Configure ISAKMP policy
  no                      Remove an attribute value pair
  peer-id-validate        Validate identity of the peer using the peer's
                          certificate
  radius-with-expiry      Enable negotiation of password update during RADIUS
                          authentication (DEPRECATED)
Data-FW(config-tunnel-ipsec)#
11-29-2017 04:28 AM
Please start a new thread rather than add on to this 10 year old solved one.
11-29-2017 07:20 AM