1794 Views | 0 Helpful | 17 Replies

IPsec remote VPN's got an IP and doesnt work

hanwucisco
Level 1

I am setting up a simple remote-access IPsec VPN on an ASA 8.4. All I want is for the remote user to VPN into the ASA and, from there,
browse web pages on the Internet, and we'd like not to use split tunneling.

The outside interface is 192.168.1.155/24, which is inside our network, and this subnet works fine to the outside.
The pool for the VPN is 192.168.0.0/24 (please pay attention to the 3rd octet).


I configured it and the remote user can VPN in and get an IP from the pool, but it seems that he cannot do anything. He cannot ping anything.
I suspect the NATing that I use.

Can you tell me what is configured wrong? I guess I am confused as to what traffic needs to be NATed and what does not.

thanks,
Han


======
:
ASA Version 8.4(2)
!

!
interface GigabitEthernet0
description VPN interface
nameif outside
security-level 0
ip address 192.168.1.156 255.255.255.0
!
interface GigabitEthernet1
description VPN interface
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0

!
ftp mode passive
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network obj-192.168.1.155
host 192.168.1.155
access-list EXTERNAL extended permit ip any any
access-list EXTERNAL extended permit icmp any any
access-list vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.0.10-192.168.0.15
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
!
object network obj-192.168.0.0
nat (inside,outside) dynamic interface
access-group EXTERNAL in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.155 1

dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
tunnel-group testgroup ipsec-attributes
ikev1 pre-shared-key *
!
!

17 Replies

Thanks Han....

OK, let's go through the rest of the issue.

So now, the only issue that you have is not being able to access the Internet without split tunnel config when connected through VPN, right?

Can you please try packet-tracer to see where it's failing?

Also, if the NAT doesn't work, can you configure NAT on the upstream router for the VPN pool (192.168.200.0/24), and then also route that subnet towards the ASA outside interface IP (192.168.1.156) on the router?

Jen,

The problem is solved. It was the "same interface" .... LOL.

Sorry for the late reply. I have been very busy....
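The "same interface" Han refers to is, presumably, the ASA command `same-security-traffic permit intra-interface`: a full-tunnel (no split tunneling) VPN client's Internet traffic decrypts on the outside interface and has to be routed straight back out that same interface, which the ASA refuses by default. The second prerequisite is a NAT rule whose source and destination interface are both the VPN-terminating interface, so the pool addresses are translated to the outside address on the way back out; the posted `nat (inside,outside)` rule never sees that traffic. The script below is an added example, not from the thread or from Cisco, that audits a pasted running-config for exactly those two conditions. The first sample config is a trimmed copy of Han's paste; the second is a constructed "fixed" config whose object name `obj-vpn-pool`, pool name `vpnpool` and pool subnet 192.168.200.0/24 are assumptions chosen for illustration (the 192.168.200.0/24 figure follows Jen's reply).

```python
"""Audit an ASA 8.3+ running-config for the two settings a no-split-tunnel
remote-access VPN needs in order to hairpin Internet traffic back out the
interface it came in on.  Added example; not code from the forum thread."""
import ipaddress
import re


def parse_config(text):
    """Pull out the handful of statements the hairpin audit depends on.

    Indentation is deliberately ignored: forum pastes (like the one in this
    thread) usually lose the single-space indent of object sub-commands."""
    cfg = {
        "intra_interface": False,   # same-security-traffic permit intra-interface
        "crypto_map_ifaces": set(), # interfaces with a crypto map bound
        "pools": {},                # pool name -> (first, last) addresses
        "tg_pools": set(),          # pool names referenced by a tunnel-group
        "object_nets": {},          # object name -> ip_network
        "nat_rules": [],            # (object name, src_if, dst_if), object and twice NAT
    }
    current_obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            cfg["intra_interface"] = True
        if m := re.match(r"crypto map \S+ interface (\S+)$", line):
            cfg["crypto_map_ifaces"].add(m.group(1))
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                        ipaddress.ip_address(m.group(3)))
        if m := re.match(r"address-pool (\S+)$", line):
            cfg["tg_pools"].add(m.group(1))
        if m := re.match(r"object network (\S+)$", line):
            current_obj = m.group(1)   # subnet/host/nat lines that follow belong to it
            continue
        if current_obj:
            if m := re.match(r"subnet (\S+) (\S+)$", line):
                cfg["object_nets"][current_obj] = ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False)
            if m := re.match(r"host (\S+)$", line):
                cfg["object_nets"][current_obj] = ipaddress.ip_network(f"{m.group(1)}/32")
            # object NAT: "nat (src,dst) dynamic ..." directly under the object
            if m := re.match(r"nat \((\S+),(\S+)\) (?:dynamic|static)", line):
                cfg["nat_rules"].append((current_obj, m.group(1), m.group(2)))
        # twice NAT at top level: "nat (src,dst) source dynamic <object> ..."
        if m := re.match(r"nat \((\S+),(\S+)\) (?:after-auto )?source dynamic (\S+)", line):
            cfg["nat_rules"].append((m.group(3), m.group(1), m.group(2)))
    return cfg


def pool_has_hairpin_nat(cfg, first, last, iface):
    """True if some (iface,iface) NAT rule's object covers the whole pool."""
    for obj, src, dst in cfg["nat_rules"]:
        net = cfg["object_nets"].get(obj)
        if src == iface and dst == iface and net and first in net and last in net:
            return True
    return False


def audit_hairpin(text):
    """Return a list of findings; an empty list means both prerequisites are met."""
    cfg = parse_config(text)
    findings = []
    if not cfg["intra_interface"]:
        findings.append("missing: same-security-traffic permit intra-interface")
    if not cfg["crypto_map_ifaces"]:
        findings.append("no crypto map bound to any interface")
    for name in sorted(cfg["tg_pools"]):
        if name not in cfg["pools"]:
            findings.append(f"tunnel-group references undefined pool {name}")
            continue
        first, last = cfg["pools"][name]
        for iface in sorted(cfg["crypto_map_ifaces"]):
            if not pool_has_hairpin_nat(cfg, first, last, iface):
                findings.append(
                    f"pool {name} has no nat ({iface},{iface}) rule covering {first}-{last}")
    return findings


# Trimmed from the config pasted in the original post (constructed test input).
POSTED_CONFIG = """
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.1.156 255.255.255.0
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
ip local pool testpool 192.168.0.10-192.168.0.15
object network obj-192.168.0.0
nat (inside,outside) dynamic interface
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
address-pool testpool
"""

# Constructed "fixed" config: object/pool names and the 192.168.200.0/24 pool are assumptions.
FIXED_CONFIG = """
same-security-traffic permit intra-interface
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.1.156 255.255.255.0
object network obj-vpn-pool
 subnet 192.168.200.0 255.255.255.0
ip local pool vpnpool 192.168.200.10-192.168.200.100 mask 255.255.255.0
nat (outside,outside) source dynamic obj-vpn-pool interface
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 address-pool vpnpool
"""

if __name__ == "__main__":
    for label, cfg_text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_hairpin(cfg_text) or ["ok"])
```

Run against the posted config the audit reports the missing intra-interface permit and the absence of any `nat (outside,outside)` rule for the pool; against the fixed config it reports nothing. Jen's packet-tracer suggestion is the on-box equivalent: `packet-tracer input outside icmp <pool address> 8 0 8.8.8.8` shows the phase (ACL, NAT or the intra-interface check) at which the hairpinned packet is dropped.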

Great, thanks for the update. Much appreciated.