
ASA 5505 & VPN Client blocking access to local lan

mis-support
Level 1

I have set up an IPSec VPN client connection to a Cisco ASA 5505. When I connect to the unit it fully authenticates and issues me an IP address on the local LAN; however, when I attempt to connect to any service on the local LAN the following message is displayed in the log. Can you help?

Teardown UDP connection 192.168.110.200 53785 192.168.110.21 53 outside:192.168.110.200/53785(LOCAL\username) to inside 192.168.110/53

See the attached file for a sanitised version of the config.

6 Replies

Azubuike Obiora
Level 1

Hi Graham,

There's no attachment of your config; kindly attach and post again. But out of curiosity, did you say you get an IP address assigned from the local LAN? If yes, well, I will suggest you create an IP pool for the remote client connection on the ASA, for them to pick up an IP from the pool on the ASA vs. picking one up from the LAN. Just to simplify things, I guess!

Cheers

Teddy

Hi Teddy, I have created a local pool and the VPN client looks OK. Since creating the post I have carried out some more tests. The 5505 I am trying to connect to is also connected via a static IPSec tunnel to the hub of our network; from my client I can connect to any remote device across multiple subnets, i.e. 192.168.16.0/24, 192.168.113.0/24. The only subnet I cannot connect to is 192.168.110.0/24, belonging to the ASA I am connected to. This is my current config:

:
ASA Version 9.1(1)
!
hostname ASA5505MAN
domain-name ********
names
dns-guard
ip local pool MANIPPool 192.168.110.200-192.168.110.220 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 5
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.110.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 82.*.*.*  *.*.*.*
!
interface Vlan5
 no forward interface Vlan2
 nameif DMZ
 security-level 50
 ip address 192.168.17.1 255.255.255.0
!
boot system disk0:/asa911-k8.bin
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.0.0_16
 subnet 192.168.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.110.0_24
 subnet 192.168.110.0 255.255.255.0
object network ******
 host 192.168.110.21
object network External-1
 host 82.*.*.*
object network visitor-wifi
 subnet 192.168.17.0 255.255.255.0
object network NETWORK_OBJ_192.168.110.192_27
 subnet 192.168.110.192 255.255.255.224
access-list outside_cryptomap remark C****
access-list outside_cryptomap extended permit ip 192.168.110.0 255.255.255.0 object NETWORK_OBJ_192.168.0.0_16
access-list VPN-UserssplitTunnelAcl_1 standard permit any4
access-list VPN-Users_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list outside_cryptomap_1 extended permit ip object NETWORK_OBJ_192.168.110.0_24 object NETWORK_OBJ_192.168.0.0_16
access-list misltd_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface DMZ
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.110.0_24 NETWORK_OBJ_192.168.110.0_24 destination static NETWORK_OBJ_192.168.0.0_16 NETWORK_OBJ_192.168.0.0_16
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_16 NETWORK_OBJ_192.168.0.0_16 destination static NETWORK_OBJ_192.168.110.192_27 NETWORK_OBJ_192.168.110.192_27 no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 82.*.*.* 1
management-access inside
: end

This looks OK to me! Hmm, can you do some debugs? Let's see:

debug crypto ikev1 7
debug crypto ipsec 7

Also I would like to see the

show crypto isakmp sa
show crypto ipsec sa

too! This could give us another side to what's happening. For me, if you are authenticating very well but just can't seem to reach the inside, well, from my little experience there are two things usually involved. Like I said, my experience with such cases is that it is either a NAT case, which yours seems fine, or routing issues. So I ask: do you have some kind of switch that does routing or points routes behind your ASA?

Teddy
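An added example, written for this thread and not part of anyone's post or of Cisco's tooling: a small Python checker that parses the relevant lines of a posted ASA config and reports the two things a practitioner looks at when a remote-access client authenticates but cannot reach the LAN directly behind the ASA. First, whether the client pool is drawn from a directly connected subnet (the pool here sits inside the 192.168.110.0/24 inside network). Second, which identity (exempt) twice-NAT rules cover traffic between the inside LAN and the pool, and whether `no-proxy-arp` is set on each. The two belong together: when the pool overlaps the inside subnet, inside hosts ARP for the client's address on the LAN segment, and return traffic only enters the tunnel if the ASA answers that ARP. The sample config is constructed from the lines posted above, re-indented in ASA style; the function names are mine.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the ASA config posted in the thread,
# re-indented in ASA style. Pool, object and interface names are the thread's own.
SAMPLE_CONFIG = """\
ip local pool MANIPPool 192.168.110.200-192.168.110.220 mask 255.255.255.0
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.110.1 255.255.255.0
interface Vlan5
 nameif DMZ
 security-level 50
 ip address 192.168.17.1 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_16
 subnet 192.168.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.110.0_24
 subnet 192.168.110.0 255.255.255.0
object network NETWORK_OBJ_192.168.110.192_27
 subnet 192.168.110.192 255.255.255.224
nat (inside,outside) source static NETWORK_OBJ_192.168.110.0_24 NETWORK_OBJ_192.168.110.0_24 destination static NETWORK_OBJ_192.168.0.0_16 NETWORK_OBJ_192.168.0.0_16
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_16 NETWORK_OBJ_192.168.0.0_16 destination static NETWORK_OBJ_192.168.110.192_27 NETWORK_OBJ_192.168.110.192_27 no-proxy-arp route-lookup
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)", re.M)
NAT_RE = re.compile(
    r"^nat \((\w+),(\w+)\) source static (\S+) (\S+) destination static (\S+) (\S+)(.*)$", re.M)


def parse_pools(cfg):
    """Map pool name -> (first address, last address)."""
    return {m.group(1): (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
            for m in POOL_RE.finditer(cfg)}


def parse_interfaces(cfg):
    """Map nameif -> directly connected IPv4 network."""
    nets, name = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            name = None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address ") and name:
            _, _, ip, mask = line.split()
            nets[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return nets


def parse_objects(cfg):
    """Map network object name -> network (subnet, or /32 for a host object)."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("object network "):
            cur = line.split()[2]
        elif line.startswith(" subnet ") and cur:
            _, net, mask = line.split()
            objs[cur] = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        elif line.startswith(" host ") and cur:
            objs[cur] = ipaddress.ip_network(f"{line.split()[1]}/32")
    return objs


def parse_identity_nats(cfg):
    """Twice-NAT rules whose mapped objects equal the real ones, i.e. NAT exemptions."""
    rules = []
    for m in NAT_RE.finditer(cfg):
        real_src, map_src, real_dst, map_dst = m.group(3, 4, 5, 6)
        if real_src == map_src and real_dst == map_dst:
            rules.append({"ifaces": (m.group(1), m.group(2)), "src": real_src,
                          "dst": real_dst, "flags": m.group(7).split()})
    return rules


def audit_vpn_pool(cfg, inside="inside"):
    """Per local pool: connected subnets it overlaps, and the identity NAT rules
    that exempt inside-LAN <-> pool traffic as (src, dst, no-proxy-arp set)."""
    pools, nets, objs = parse_pools(cfg), parse_interfaces(cfg), parse_objects(cfg)
    rules = parse_identity_nats(cfg)
    inside_net = nets[inside]
    findings = {}
    for pname, (lo, hi) in pools.items():
        overlaps = [iname for iname, net in nets.items() if lo in net or hi in net]
        # A rule exempts the pool when it is anchored on the inside interface, its
        # real source holds the inside LAN and its real destination holds the pool.
        exempt = [(r["src"], r["dst"], "no-proxy-arp" in r["flags"])
                  for r in rules
                  if r["ifaces"][0] == inside
                  and r["src"] in objs and r["dst"] in objs
                  and inside_net.subnet_of(objs[r["src"]])
                  and lo in objs[r["dst"]] and hi in objs[r["dst"]]]
        findings[pname] = {"overlaps": overlaps, "exempt_rules": exempt}
    return findings


if __name__ == "__main__":
    for pool, finding in audit_vpn_pool(SAMPLE_CONFIG).items():
        print(pool, finding)
```

Run against the posted lines, the checker reports that MANIPPool overlaps the `inside` subnet and that two identity rules match inside-to-pool traffic: the L2L exemption (which matches first, in rule order) with proxy ARP left at its default, and the pool-specific rule with `no-proxy-arp`. The script only surfaces the combination for review; it does not replace `packet-tracer` on the box.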

This is a sanitised version of the crypto dump; I have changed the user and IP addresses.

ASA5505MAN# debug crypto ikev1 7
ASA5505MAN# debug crypto ipsec 7
ASA5505MAN# Jul 24 15:49:03 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=fbc167de) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb72)
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb72)
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
Jul 24 15:49:03 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
Jul 24 15:49:03 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=515fbf7e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 24 15:49:18 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=2fe7cf10) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb73)
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb73)
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
Jul 24 15:49:18 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
Jul 24 15:49:18 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=e450c971) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 24 15:49:28 [IKEv1]IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=e6c212e7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing hash payload
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, processing notify payload
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0xa6dcb74)
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0xa6dcb74)
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing blank hash payload
Jul 24 15:49:28 [IKEv1 DEBUG]Group = VPN-Users, Username = username, IP = x.x.x.x, constructing qm hash payload
Jul 24 15:49:28 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=af5953c7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

This is the isakmp dump

ASA5505MAN# show crypto isakmp

IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: x.x.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: x.x.x.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

There are no IKEv2 SAs

Global IKEv1 Statistics
  Active Tunnels:              1
  Previous Tunnels:           40
  In Octets:              322076
  In Packets:               2060
  In Drop Packets:            84
  In Notifys:               1072
  In P2 Exchanges:            35
  In P2 Exchange Invalids:     0
  In P2 Exchange Rejects:      0
  In P2 Sa Delete Requests:   24
  Out Octets:             591896
  Out Packets:              3481
  Out Drop Packets:            0
  Out Notifys:              2101
  Out P2 Exchanges:          275
  Out P2 Exchange Invalids:    0
  Out P2 Exchange Rejects:     0
  Out P2 Sa Delete Requests: 284
  Initiator Tunnels:         231
  Initiator Fails:           221
  Responder Fails:            76
  System Capacity Fails:       0
  Auth Fails:                 54
  Decrypt Fails:               0
  Hash Valid Fails:            0
  No Sa Fails:                30

Global IKEv2 Statistics
  Active Tunnels:                          0
  Previous Tunnels:                        0
  In Octets:                               0
  In Packets:                              0
  In Drop Packets:                         0
  In Drop Fragments:                       0
  In Notifys:                              0
  In P2 Exchange:                          0
  In P2 Exchange Invalids:                 0
  In P2 Exchange Rejects:                  0
  In IPSEC Delete:                         0
  In IKE Delete:                           0
  Out Octets:                              0
  Out Packets:                             0
  Out Drop Packets:                        0
  Out Drop Fragments:                      0
  Out Notifys:                             0
  Out P2 Exchange:                         0
  Out P2 Exchange Invalids:                0
  Out P2 Exchange Rejects:                 0
  Out IPSEC Delete:                        0
  Out IKE Delete:                          0
  SAs Locally Initiated:                   0
  SAs Locally Initiated Failed:            0
  SAs Remotely Initiated:                  0
  SAs Remotely Initiated Failed:           0
  System Capacity Failures:                0
  Authentication Failures:                 0
  Decrypt Failures:                        0
  Hash Failures:                           0
  Invalid SPI:                             0
  In Configs:                              0
  Out Configs:                             0
  In Configs Rejects:                      0
  Out Configs Rejects:                     0
  Previous Tunnels:                        0
  Previous Tunnels Wraps:                  0
  In DPD Messages:                         0
  Out DPD Messages:                        0
  Out NAT Keepalives:                      0
  IKE Rekey Locally Initiated:             0
  IKE Rekey Remotely Initiated:            0
  CHILD Rekey Locally Initiated:           0
  CHILD Rekey Remotely Initiated:          0

IKEV2 Call Admission Statistics
  Max Active SAs:                   No Limit
  Max In-Negotiation SAs:                 12
  Cookie Challenge Threshold:          Never
  Active SAs:                              0
  In-Negotiation SAs:                      0
  Incoming Requests:                       0
  Incoming Requests Accepted:              0
  Incoming Requests Rejected:              0
  Outgoing Requests:                       0
  Outgoing Requests Accepted:              0
  Outgoing Requests Rejected:              0
  Rejected Requests:                       0
  Rejected Over Max SA limit:              0
  Rejected Low Resources:                  0
  Rejected Reboot In Progress:             0
  Cookie Challenges:                       0
  Cookie Challenges Passed:                0
  Cookie Challenges Failed:                0

Global IKEv1 IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
ASA5505MAN#

and this is the ipsec dump

ASA5505MAN# show crypto ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: x.x.x.x

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.110.200/255.255.255.255/0/0)
      current_peer: x.x.x.x, username: username
      dynamic allocated peer ip: 192.168.110.200

      #pkts encaps: 778, #pkts encrypt: 778, #pkts digest: 778
      #pkts decaps: 1959, #pkts decrypt: 1959, #pkts verify: 1959
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 778, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x/4500, remote crypto endpt.: x.x.x.x/54599
      path mtu 1500, ipsec overhead 82(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 532B60D0
      current inbound spi : 472C8AE7

    inbound esp sas:
      spi: 0x472C8AE7 (1194101479)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 241664, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 26551
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x532B60D0 (1395351760)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 241664, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 26551
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: outside_map0, seq num: 1, local addr: x.x.x.x

      access-list outside_cryptomap_1 extended permit ip 192.168.110.0 255.255.255.0 192.168.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (192.168.110.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 39333117, #pkts encrypt: 39333117, #pkts digest: 39333117
      #pkts decaps: 24914965, #pkts decrypt: 24914965, #pkts verify: 24914965
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 39333117, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x/0, remote crypto endpt.: x.x.x.x/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: F6943017
      current inbound spi : E6CDF924

    inbound esp sas:
      spi: 0xE6CDF924 (3872258340)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 163840, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (3651601/15931)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xF6943017 (4136906775)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 163840, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (3561355/15931)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
ASA5505MAN#
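An added example, my own code rather than anything from the thread or from Cisco: a Python parser for `show crypto ipsec sa` output that turns each crypto-map entry into a record of its identities, packet counters and in-use flags, then flags SAs whose decrypt count far exceeds their encrypt count. Two readings fall out of it. An SA whose in-use settings carry `NAT-T-Encaps` and whose local endpoint is UDP/4500 is already being carried inside NAT traversal, so that part of the path is working. And a remote-access SA that decaps many more packets than it encaps (here 1959 versus 778) is receiving the client's packets while sending few replies back, which points the investigation at the return path behind the ASA (routing, ARP, NAT) rather than at the tunnel itself, consistent with the `Teardown UDP connection` message in the first post. The sample below is constructed from the output above, with the masked peers replaced by RFC 5737 documentation addresses; the function names and the 2:1 threshold are my choices.

```python
import re

# Constructed sample trimmed from the `show crypto ipsec sa` output in the thread;
# the masked peer addresses are replaced with RFC 5737 documentation addresses.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.1
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.110.200/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: username
      dynamic allocated peer ip: 192.168.110.200
      #pkts encaps: 778, #pkts encrypt: 778, #pkts digest: 778
      #pkts decaps: 1959, #pkts decrypt: 1959, #pkts verify: 1959
      local crypto endpt.: 203.0.113.1/4500, remote crypto endpt.: 198.51.100.7/54599
    inbound esp sas:
      spi: 0x472C8AE7 (1194101479)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
    Crypto map tag: outside_map0, seq num: 1, local addr: 203.0.113.1
      local ident (addr/mask/prot/port): (192.168.110.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.9
      #pkts encaps: 39333117, #pkts encrypt: 39333117, #pkts digest: 39333117
      #pkts decaps: 24914965, #pkts decrypt: 24914965, #pkts verify: 24914965
      local crypto endpt.: 203.0.113.1/0, remote crypto endpt.: 198.51.100.9/0
    inbound esp sas:
      spi: 0xE6CDF924 (3872258340)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
"""

# One regex per field; each is searched within a single crypto-map chunk.
RX = {
    "crypto_map": re.compile(r"Crypto map tag: ([^,]+),"),
    "remote_ident": re.compile(r"remote ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "local_endpt": re.compile(r"local crypto endpt\.: (\S+),"),
    "transform": re.compile(r"transform: (.+)"),
    "settings": re.compile(r"in use settings =\{([^}]*)\}"),
}


def parse_ipsec_sa(text):
    """Split the output at each 'Crypto map tag:' line and extract one record per entry."""
    records = []
    for chunk in re.split(r"(?=Crypto map tag:)", text)[1:]:
        fields = {key: rx.search(chunk) for key, rx in RX.items()}
        flags = [f.strip() for f in fields["settings"].group(1).split(",") if f.strip()]
        records.append({
            "crypto_map": fields["crypto_map"].group(1),
            "remote_ident": fields["remote_ident"].group(1),
            "encaps": int(fields["encaps"].group(1)),
            "decaps": int(fields["decaps"].group(1)),
            # UDP/4500 on the local endpoint means ESP is wrapped for NAT traversal.
            "local_port": int(fields["local_endpt"].group(1).rsplit("/", 1)[1]),
            "transform": fields["transform"].group(1).strip(),
            "flags": flags,
            "kind": "RA" if "RA" in flags else "L2L" if "L2L" in flags else "unknown",
            "nat_t": "NAT-T-Encaps" in flags,
        })
    return records


def asymmetric_sas(records, ratio=2.0):
    """SAs that decrypt more than `ratio` times as many packets as they encrypt:
    inbound traffic is arriving but little is going back through the tunnel."""
    return [r for r in records if r["decaps"] > ratio * r["encaps"]]


if __name__ == "__main__":
    sas = parse_ipsec_sa(SAMPLE_OUTPUT)
    for r in sas:
        print(f"{r['crypto_map']}: {r['kind']} nat_t={r['nat_t']} port={r['local_port']} "
              f"encaps={r['encaps']} decaps={r['decaps']}")
    for r in asymmetric_sas(sas):
        print(f"check return path towards {r['remote_ident']} ({r['crypto_map']})")
```

The counters are cumulative since the SA was built, so compare two snapshots a minute apart when looking at a live box; a one-off ratio on a long-lived L2L SA says little, which is why the 2:1 threshold is only a starting point.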

Can anybody help with this question?

Gareth Gudger
Level 1

You may need to enable NAT Traversal. Type the following command.

CRYPTO ISAKMP NAT-TRAVERSAL 30

More in depth info here:

http://supertekboy.com/2014/01/28/cisco-vpn-connects-but-cannot-access-inside-resources/