09-19-2011 12:01 PM
I have a new ASA5505 which I want to use for Remote Easy VPN. The device connects to the remote ends but I am not able to ping the remote network. The interface is new to me and I am not sure where to add the routes. The local network is 192.168.66.0/24. The remote network is 192.168.4.0/24
Any help will be appreciated. Jose
Message was edited by: JOSE NATAL
My apologies for not including the correct configuration. I am trying to connect the Remote (conf) to the Corporate (conf). I have done this many times but now the new ASDM interface is confusing.
Message was edited by: JOSE NATAL
Jennifer, I added the commands as you indicated with no success. The ASA gave me an error when I had added nat (inside) 0 access-list nonat. It wouldn't allow me to enable the EasyVPN option while this command was in the configuration. Here are the cry isa and cry ipsec sa files as requested.
09-20-2011 02:28 AM
The following default route is incorrect:
route outside 0.0.0.0 0.0.0.0 Gateway tunneled
It should be without the "tunneled" keyword:
route outside 0.0.0.0 0.0.0.0 Gateway
Actually, not quite sure how you can connect from the remote end because there is no VPN configuration on the ASA.
Is the attached ASA config the server or the client end? Also, can you share the config on the other end?
09-20-2011 12:35 PM
Jennifer,
I have the updated files uploaded. Thanks.
09-20-2011 08:25 PM
Can you please add the following at the remote site:
policy-map global_policy
 class inspection_default
  inspect icmp
access-list nonat permit ip 192.168.66.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list nonat
Then test to see if you can ping 192.168.4.1.
If not, please share the output of the following from both sides:
show cry isa sa
show cry ipsec sa
09-22-2011 04:39 AM
Jennifer,
I have added the lines you gave me but no luck. I get an error that EasyVPN cannot be enabled with
nat (inside) 0 access-list nonat
09-22-2011 04:44 AM
Please share the output of the following from both sides:
show cry isa sa
show cry ipsec sa
09-22-2011 05:27 AM
I forgot to mention that I loaded the files for you to see. Both commands are included in the files.
09-24-2011 04:05 AM
OK, here is where the issue is:
Encrypts increase at the remote site, meaning traffic from remote towards the corporate is getting encrypted.
Decrypts increase at the corporate site, meaning traffic from remote arrives at the corporate and gets decrypted at the corporate.
So it seems like the corporate LAN does not reply back to the remote site because the corporate ASA does not show the encrypts increasing.
Please modify the following:
from: management-access DMZ
to: management-access inside
And check if you are able to ping the ASA inside interface from the remote site. If you can, then you would need to check the LAN behind the ASA to see if they have the route to access the remote LAN (192.168.66.0/24)
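The counter comparison used in the reply above can be scripted. This is an added example, not part of the thread: it parses the `#pkts` counter lines of `show crypto ipsec sa` taken on both peers before and after a ping test and reports which leg of the round trip is not moving. The sample dumps are constructed, and the function names are hypothetical.

```python
import re

# Counter fields as they appear in "show crypto ipsec sa" output.
COUNTER = re.compile(r"#pkts (encaps|encrypt|decaps|decrypt):\s*(\d+)")

def parse_counters(output):
    """Sum the encrypt/decrypt counters over every SA in one output dump."""
    totals = dict.fromkeys(("encaps", "encrypt", "decaps", "decrypt"), 0)
    for name, value in COUNTER.findall(output):
        totals[name] += int(value)
    return totals

def delta(before, after):
    """Counter growth between two dumps taken around a ping test."""
    b, a = parse_counters(before), parse_counters(after)
    return {name: a[name] - b[name] for name in a}

def diagnose(remote, corp):
    """Follow the ping: remote encrypt, corp decrypt, corp encrypt, remote decrypt."""
    if remote["encrypt"] <= 0:
        return "remote is not encrypting: traffic never enters the tunnel"
    if corp["decrypt"] <= 0:
        return "corporate is not decrypting: packets lost between the peers"
    if corp["encrypt"] <= 0:
        return "corporate is not encrypting: no reply from the corporate LAN"
    if remote["decrypt"] <= 0:
        return "remote is not decrypting: replies lost between the peers"
    return "tunnel passes traffic in both directions"

# Constructed sample dumps (not the poster's files), trimmed to the counter lines.
def dump(enc, dec):
    return (f"      #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest: {enc}\n"
            f"      #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify: {dec}\n")

REMOTE_BEFORE, REMOTE_AFTER = dump(10, 0), dump(15, 0)
CORP_BEFORE, CORP_AFTER = dump(0, 10), dump(0, 15)

if __name__ == "__main__":
    print(diagnose(delta(REMOTE_BEFORE, REMOTE_AFTER),
                   delta(CORP_BEFORE, CORP_AFTER)))
```

With the constructed dumps, the result matches the situation described in the thread: requests are decrypted at the corporate ASA but nothing is encrypted back, which points at the corporate LAN's return route to 192.168.66.0/24.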