Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2551
Views
0
Helpful
6
Replies

IPSec VPN Connects But Unable to RDP

Kim Hoang
Level 1
Level 1

‎06-12-2013 10:05 AM - edited ‎02-21-2020 06:57 PM

Hello,

I can't figure out why remote desktop won't connect over an IPSec VPN tunnel. 

I had a similar problem a few months ago with AnyConnect SSL VPN connecting and RDP.  That has been resolved .. discussion can be found here:

https://supportforums.cisco.com/message/3934373#3934373

I was hoping someone can tell me what I need to add to get it to work with IPSec.

Here's the current configurations:

hostname pas-asa
enable password encrypted
passwd encrypted
names
name 10.0.1.0 Net-10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.0
!
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
!
ftp mode passive
object-group service RDP tcp
port-object eq 3389
access-list vpn_nat_inside extended permit ip Net-10 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 12.0.1.0 255.255.255.224
access-list inside_access_in extended permit ip any any
access-list Split_Tunnel_List standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging standby
logging monitor errors
logging history errors
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
ip local pool IPSec-12 12.0.1.1-12.0.1.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 10 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 10 access-list vpn_nat_inside outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 69.199.189.41 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate fecf8751
    308202da 308201c2 a0030201 020204fe cf875130 0d06092a 864886f7 0d010105
    0500302f 31153013 06035504 03130c70 61732d61 73612e6e 756c6c31 16301406
    092a8648 86f70d01 09021607 7061732d 61736130 1e170d31 33303530 36323134
    3131365a 170d3233 30353034 32313431 31365a30 2f311530 13060355 0403130c
    7061732d 6173612e 6e756c6c 31163014 06092a86 4886f70d 01090216 07706173
    2d617361 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a
    02820101 00dc6f5c 584be603 1219ad4a 43085a97 b8fd7e33 c887933d 1b46dbca
    deada1da 7689ab5e 9b6fa20b d6f7e5e3 049285e7 65778c15 a9447e1e 8ba749cb
    61e0e985 9a90c09f b4c28af0 c6b5263c d2c13107 cce6c207 62f17cbe 99d9d5c2
    86870084 25c035e4 ea9ab8ae 8b664464 40305c4d e40dd774 506f6c0a 6f4ca4d1
    0c81d2dd bcdc8393 3f4fbcba 1b477d45 502063b8 af862bdf 50499615 7b9dac1b
    67252db8 1473feec c39d9c32 9d9f3564 74fdf1bd 71ca9310 e5ad6cba 999ae711
    c381347c a6508759 eb405cc0 a4adbe94 fb8204a2 382fad46 bc0fc43d 35df1b83
    6379a040 90469661 63868410 e16bf23b 05b724a3 edbd13e1 caa49238 ee6d1024
    a32a1003 af020301 0001300d 06092a86 4886f70d 01010505 00038201 010084b1
    62698729 c96aeec0 4e65cace 395b9053 62909905 e6f2e325 df31fbeb 8d767c74
    434c5fde 6b76779f 278270e0 10905abc a8f1e78e f2ad2cd9 6980f0be 56acfe53
    f1d715b9 89da338b f5ac9726 34520055 2de50629 55d1fcc5 f59c1271 ad14cd7e
    14adc454 f9072744 bf66ffb5 20c04069 375b858c 723999f8 5cc2ae38 4bb4013a
    2bdf51b3 1a36b7e6 2ffa3bb7 025527e1 e12cb2b2 f4fc624a 143ff416 d31135ff
    6c57d226 7d5330c4 c2fa6d3f a1472abc a6bd4d4c be7380b8 6214caa5 78d53ef0
    f08b2946 be8e04d7 9d15ef96 2e511fc5 33987858 804c402b 46a7b473 429a1936
    681a0caa b189d4f8 6cfe6332 8fc428df f07a21f8 acdb8594 0f57ffd4 376d
  quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-sessiondb max-session-limit 10
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.0.1.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config inside
!
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 64.238.96.12 66.180.96.12 interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
vpn-tunnel-protocol svc
group-policy PAS-IPSec internal
group-policy PAS-IPSec attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec
group-policy DfltGrpPolicy attributes
dns-server value 64.238.96.12 66.180.96.12
vpn-tunnel-protocol IPSec svc webvpn
service-type remote-access
username test1 password oFJjANE3QKoA206w encrypted privilege 0
username test1 attributes
vpn-group-policy PAS-IPSec
username password 1w1.F5oqiDOWdcll encrypted privilege 0
username attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username password encrypted privilege 15
username password encrypted privilege 15
username attributes
vpn-group-policy SSLClientPolicy
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
service-type admin
username password encrypted privilege 0
username attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username password encrypted privilege 0
username attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
username password encrypted privilege 0
username attributes
vpn-group-policy SSLClientPolicy
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool IPSec-12
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key ***********
tunnel-group PAS-SSL-VPN type remote-access
tunnel-group PAS-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PAS-SSL-VPN webvpn-attributes
group-alias PAS_VPN enable
group-url https://x.x.x.x/PAS_VPN enable
tunnel-group PAS-IPSec type remote-access
tunnel-group PAS-IPSec general-attributes
address-pool IPSec-12
default-group-policy PAS-IPSec
tunnel-group PAS-IPSec ipsec-attributes
pre-shared-key ************
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3d8b1b6feb93de5709b14d471fc68aa8

And here's the capture output:

23: 16:45:22.556993 802.1Q vlan#1 P0 12.0.1.1 > 192.168.1.20: icmp: echo request

  24: 16:45:22.557237 802.1Q vlan#1 P0 192.168.1.20 > 12.0.1.1: icmp: echo reply

  25: 16:45:23.321348 802.1Q vlan#1 P0 12.0.1.1.49175 > 192.168.1.20.3389: S 3720739209:3720739209(0) win 65535 <mss 1316,nop,wscale 3,nop,nop,timestamp 146937406 0,sackOK,eol>

  26: 16:45:23.557100 802.1Q vlan#1 P0 12.0.1.1 > 192.168.1.20: icmp: echo request

  27: 16:45:23.557359 802.1Q vlan#1 P0 192.168.1.20 > 12.0.1.1: icmp: echo reply

  28: 16:45:24.245730 802.1Q vlan#1 P0 12.0.1.1.49175 > 192.168.1.20.3389: S 3720739209:3720739209(0) win 65535 <mss 1316,nop,wscale 3,nop,nop,timestamp 146937415 0,sackOK,eol>

  29: 16:45:24.557481 802.1Q vlan#1 P0 12.0.1.1 > 192.168.1.20: icmp: echo request

  30: 16:45:24.558015 802.1Q vlan#1 P0 192.168.1.20 > 12.0.1.1: icmp: echo reply

  31: 16:45:25.243395 802.1Q vlan#1 P0 12.0.1.1.49175 > 192.168.1.20.3389: S 3720739209:3720739209(0) win 65535 <mss 1316,nop,wscale 3,nop,nop,timestamp 146937425 0,sackOK,eol>

  32: 16:45:25.557481 802.1Q vlan#1 P0 12.0.1.1 > 192.168.1.20: icmp: echo request

  33: 16:45:25.557740 802.1Q vlan#1 P0 192.168.1.20 > 12.0.1.1: icmp: echo reply

  34: 16:45:26.245440 802.1Q vlan#1 P0 12.0.1.1.49175 > 192.168.1.20.3389: S 3720739209:3720739209(0) win 65535 <mss 1316,nop,wscale 3,nop,nop,timestamp 146937435 0,sackOK,eol>

  35: 16:45:26.560609 802.1Q vlan#1 P0 12.0.1.1 > 192.168.1.20: icmp: echo request

  36: 16:45:26.560899 802.1Q vlan#1 P0 192.168.1.20 > 12.0.1.1: icmp: echo reply

  37: 16:45:27.243502 802.1Q vlan#1 P0 12.0.1.1.49175 > 192.168.1.20.3389: S 3720739209:3720739209(0) win 65535 <mss 1316,nop,wscale 3,nop,nop,timestamp 146937445 0,sackOK,eol>

  38: 16:45:27.559999 802.1Q vlan#1 P0 12.0.1.1 > 192.168.1.20: icmp: echo request

  39: 16:45:27.560243 802.1Q vlan#1 P0 192.168.1.20 > 12.0.1.1: icmp: echo reply

  40: 16:45:28.244204 802.1Q vlan#1 P0 12.0.1.1.49175 > 192.168.1.20.3389: S 3720739209:3720739209(0) win 65535 <mss 1316,nop,wscale 3,nop,nop,timestamp 146937455 0,sackOK,eol>

  41: 16:45:28.559144 802.1Q vlan#1 P0 12.0.1.1 > 192.168.1.20: icmp: echo request

  42: 16:45:28.559419 802.1Q vlan#1 P0 192.168.1.20 > 12.0.1.1: icmp: echo reply

  43: 16:45:29.558122 802.1Q vlan#1 P0 12.0.1.1 > 192.168.1.20: icmp: echo request

  44: 16:45:29.558335 802.1Q vlan#1 P0 192.168.1.20 > 12.0.1.1: icmp: echo reply

  45: 16:45:30.246325 802.1Q vlan#1 P0 12.0.1.1.49175 > 192.168.1.20.3389: S 3720739209:3720739209(0) win 65535 <mss 1316,nop,wscale 3,nop,nop,timestamp 146937475 0,sackOK,eol>

  46: 16:45:30.559602 802.1Q vlan#1 P0 12.0.1.1 > 192.168.1.20: icmp: echo request

  47: 16:45:30.559816 802.1Q vlan#1 P0 192.168.1.20 > 12.0.1.1: icmp: echo reply

  48: 16:45:31.558473 802.1Q vlan#1 P0 12.0.1.1 > 192.168.1.20: icmp: echo request

  49: 16:45:31.558702 802.1Q vlan#1 P0 192.168.1.20 > 12.0.1.1: icmp: echo reply

  50: 16:45:32.558931 802.1Q vlan#1 P0 12.0.1.1 > 192.168.1.20: icmp: echo request

  51: 16:45:32.559159 802.1Q vlan#1 P0 192.168.1.20 > 12.0.1.1: icmp: echo reply

  52: 16:45:33.558839 802.1Q vlan#1 P0 12.0.1.1 > 192.168.1.20: icmp: echo request

  53: 16:45:33.559083 802.1Q vlan#1 P0 192.168.1.20 > 12.0.1.1: icmp: echo reply

  54: 16:45:34.559159 802.1Q vlan#1 P0 12.0.1.1 > 192.168.1.20: icmp: echo request

  55: 16:45:34.559404 802.1Q vlan#1 P0 192.168.1.20 > 12.0.1.1: icmp: echo reply

Thanks!

Labels:
0 Helpful
6 Replies 6

Jouni Forss
VIP Alumni
VIP Alumni

‎06-12-2013 10:12 AM

Hi,

Can you do the following.

Connect with the IPsec VPN client connection. Check the IP address your VPN Client got.

Then use that IP address in the "packet-tracer" command below and share the output with us

packet-tracer input outside tcp 12345 192.168.1.20 3389

- Jouni

0 Helpful

Kim Hoang
Level 1
Level 1
In response to Jouni Forss

‎06-12-2013 10:35 AM

Jouni,

below is the output from the packet-tracer command.  Thanks!

packet-tracer input outside tcp 12.0.1.1 12345 192.168.1.20 3389

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.1.0     255.255.255.0   inside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: outside

input-status: up

input-line-status: up

output-interface: inside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Kim Hoang

‎06-12-2013 10:49 AM

Hi,

I dont see a reason why the output would be this.

Was your VPN Client connected to the ASA when the "packet-tracer" command was taken?

Was your VPN Client users IP address 12.0.1.1 when it was connected and you took the output of "packet-tracer"?

As we could see in the capture it seems to me that the traffic is going through the ASA, but I would expect to see something else than above in the "packet-tracer"

Ofcourse the first "gut feeling" is that the problem is NOT the ASA but rahter something in the LAN network behind the ASA.

- Jouni

0 Helpful

Kim Hoang
Level 1
Level 1
In response to Jouni Forss

‎06-12-2013 07:14 PM

I think I may have more than a problem with just RDP.  While connected through the VPN, pinging from the remote PC to a PC on the inside is inconsistent.  Perhaps I don't having NAT'ng set up correctly.

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Kim Hoang

‎06-12-2013 11:29 PM

Hi,

Well generally the NAT configured for VPN Client users is done with NAT0

At the moment you seem to have both NAT0 configurations and some Dynamic PAT configuration related to the VPN Client connections

access-list vpn_nat_inside extended permit ip Net-10 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224

access-list inside_nat0_outbound extended permit ip any 12.0.1.0 255.255.255.224

global (inside) 10 interface

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (outside) 10 access-list vpn_nat_inside outside

I imagine you should be fine without the ID10 Dynamic PAT configurations

Also the network masks used in both NAT0 ACLs and the VPN Pool dont really match. I dont know if they can cause problem in this situation but I personally rather keep the matching others to avoid any problems. As you can see the blow includes masks like /24 , /25 and /27.

I would also specify the local networks in the ACL rather than using "any" keyword.

access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224

access-list inside_nat0_outbound extended permit ip any 12.0.1.0 255.255.255.224

ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128

ip local pool IPSec-12 12.0.1.1-12.0.1.20 mask 255.255.255.0

So if I were personally to change some configurations and have a try I would probably do the following

First remove the VPN Pool from the "tunnel-group" so we can make new ones

tunnel-group PAS-SSL-VPN general-attributes

no address-pool SSLClientPool-10

tunnel-group PAS-IPSec general-attributes

no address-pool IPSec-12

no ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128

no ip local pool IPSec-12 12.0.1.1-12.0.1.20 mask 255.255.255.0

ip local pool SSL-POOL 10.0.1.1-10.0.1.20 mask 255.255.255.0

ip local pool IPSEC-POOL 12.0.1.1-12.0.1.20 mask 255.255.255.0

tunnel-group PAS-SSL-VPN general-attributes

address-pool SSL-POOL

tunnel-group PAS-IPSec general-attributes

address-pool IPSEC-POOL

Then redo the NAT rules

no global (inside) 10 interface

no nat (inside) 0 access-list inside_nat0_outbound

no nat (outside) 10 access-list vpn_nat_inside outside

no access-list vpn_nat_inside extended permit ip Net-10 255.255.255.0 192.168.1.0 255.255.255.0

no access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224

no access-list inside_nat0_outbound extended permit ip any 12.0.1.0 255.255.255.224

access-list INSIDE-NAT0 remark NAT0 for SSL and IPSEC VPN connections

access-list INSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list INSIDE-NAT0 permit ip 192.168.1.0 255.255.255.0 12.0.1.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

This would be a pretty basic setup for the VPN Client connections. I am not sure if this would help with your actual problem in this case. There still might be some things in the "group-policy" configurations that would be good to define but I dont see anything there that should prevent these connections. It seems to me that you are using Full Tunnel VPN Client in both SSL and IPSEC which means all connections from VPN Client computer is tunneled to the ASA.

- Jouni

0 Helpful

Kim Hoang
Level 1
Level 1
In response to Jouni Forss

‎06-13-2013 04:19 AM

... thanks for the recommendation.  I'll give that a try.

thanks

0 Helpful
Customers Also Viewed These Support Documents