EasyVPN Routing

jnatal
Level 1

I have a new ASA5505 which I want to use for Remote Easy VPN. The device connects to the remote ends but I am not able to ping the remote network. The interface is new to me and I am not sure where to add the routes. The local network is 192.168.66.0/24. The remote network is 192.168.4.0/24

Any help will be appreciated. Jose

Message was edited by: JOSE NATAL My apologies for not including the correct configuration. I am trying to connect the Remote (conf) to the Corporate (conf). I have done this many times but now the new ASDM interface is confusing.

Message was edited by: JOSE NATAL Jennifer, I added the commands as you indicated with no success. The ASA gave me an error when I had added nat (inside) 0 access-list nonat. It wouldn't allow me to enable the EasyVPN option while this command was on the configuration. Here are the cry isa and cry ipsec sa files as requested.

7 Replies

Jennifer Halim
Cisco Employee

The following default route is incorrect:

route outside 0.0.0.0 0.0.0.0 Gateway tunneled

It should be without the "tunneled" keyword:

route outside 0.0.0.0 0.0.0.0 Gateway

Actually, not quite sure how you can connect from the remote end because there is no VPN configuration on the ASA.

Is the attached ASA config the server or the client end? also, can you share the config on the other end?

Jennifer,

I have the updated files uploaded. Thanks.

Can you please add the following at the remote site:

policy-map global_policy

class inspection_default

     inspect icmp

access-list nonat permit ip 192.168.66.0 255.255.255.0 192.168.4.0 255.255.255.0

nat (inside) 0 access-list nonat

Then test to see if you can ping 192.168.4.1.

If not, please share the output of the following from both sides:

show cry isa sa

show cry ipsec sa

Jennifer,

I have added the lines you gave me but no luck. I get an error that EasyVPN cannot be enabled with

nat (inside) 0 access-list nonat

Please share the output of the following from both sides:

show cry isa sa

show cry ipsec sa

I forgot to mention that I loaded the files for you to see. Both commands are included in the files.

OK, here is where the issue is:

Encrypts increases at remote site, meaning traffic from remote towards the corporate is getting encrypted.

Decrypts increases at corporate site, meaning traffic from remote arrives at the corporate and gets decrypted at the corporate.

So it seems like the corporate LAN does not reply back to the remote site because the corporate ASA does not have the encrypts increase.

Please modify the following:

from: management-access DMZ

to: management-access inside

And check if you are able to ping the ASA inside interface from the remote site. If you can, then you would need to check the LAN behind the ASA to see if they have the route to access the remote LAN (192.168.66.0/24).
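The counter comparison in the reply above, written out as a small script (an added example, not code from the thread or from Cisco): it pulls the encaps/decaps totals from a before-and-after pair of "show crypto ipsec sa" captures on each peer and reports the first hop of the ping round trip that did not move. The capture text below is constructed to mirror the thread's symptom; the Counters/diagnose names are the example's own.

```python
import re
from typing import NamedTuple

# Counter lines as printed by 'show crypto ipsec sa' on an ASA
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


class Counters(NamedTuple):
    encaps: int  # packets this ASA encrypted and sent into the tunnel
    decaps: int  # packets this ASA received from the tunnel and decrypted


def parse_counters(show_output: str) -> Counters:
    """Sum encaps/decaps over every SA in one 'show crypto ipsec sa' capture."""
    return Counters(
        sum(int(n) for n in ENCAPS_RE.findall(show_output)),
        sum(int(n) for n in DECAPS_RE.findall(show_output)),
    )


def diagnose(remote: tuple, corporate: tuple) -> str:
    """remote/corporate are (before, after) Counters taken around a test ping.
    Each hop of the round trip must move a counter; the first flat one is the fault."""
    r_enc = remote[1].encaps - remote[0].encaps
    c_dec = corporate[1].decaps - corporate[0].decaps
    c_enc = corporate[1].encaps - corporate[0].encaps
    r_dec = remote[1].decaps - remote[0].decaps
    if r_enc <= 0:
        return "remote-not-encrypting"      # traffic never matched the crypto ACL
    if c_dec <= 0:
        return "corporate-not-decrypting"   # ESP not arriving or SA mismatch
    if c_enc <= 0:
        return "corporate-not-replying"     # ASA/LAN never sends return traffic
    if r_dec <= 0:
        return "remote-not-decrypting"
    return "tunnel-ok"


def sample(encaps: int, decaps: int) -> str:
    """Constructed stand-in for the relevant lines of 'show crypto ipsec sa'."""
    return (f"      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
            f"      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n")


# The thread's symptom: remote encrypts grow, corporate decrypts grow, corporate encrypts stay flat
REMOTE = (parse_counters(sample(120, 0)), parse_counters(sample(125, 0)))
CORPORATE = (parse_counters(sample(0, 120)), parse_counters(sample(0, 125)))

if __name__ == "__main__":
    print(diagnose(REMOTE, CORPORATE))  # corporate-not-replying
```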