03-12-2009 01:52 PM
Does anyone see something that would stop a remote vpn connection from working? My L2L works like a champ. I can connect via the Remote VPN client fine, but I cannot talk to anything on the network. I do not see any routes show up under my software client under statistics. HELP!
domain-name default.domain.invalid
enable password
passwd
names
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.248
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list 90 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 extended permit ip any 10.10.10.0 255.255.255.0
access-list acl_inside extended deny tcp 192.168.3.0 255.255.255.0 any eq smtp
access-list acl_inside extended permit ip any any
access-list Split_tunnel_list remark SPlit tunnel list
access-list Split_tunnel_list standard permit any
ip local pool YW#vpn 10.10.10.1-10.10.10.32 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 90
nat (inside) 1 0.0.0.0 0.0.0.0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
route outside 0.0.0.0 0.0.0.0 69.57.59.137 1
timeout xlate 3:00:00
timeout conn 4:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.3.0 255.255.255.0 inside
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map ToMarina 20 match address 90
crypto map ToMarina 20 set peer 69.57.51.194
crypto map ToMarina 20 set transform-set strong ESP-3DES-SHA ESP-3DES-MD5
crypto map ToMarina 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map ToMarina interface outside
crypto isakmp enable outside
crypto isakmp policy 9
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
vpn-sessiondb max-session-limit 30
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 5
ssh 69.85.192.0 255.255.192.0 outside
ssh 67.177.64.0 255.255.255.0 outside
ssh timeout 5
ssh version 2
console timeout 0
group-policy YW#vpn internal
group-policy YW#vpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_tunnel_list
group-policy 69.57.51.194 internal
group-policy 69.57.51.194 attributes
vpn-tunnel-protocol IPSec
username admin password RqwfSgGaHexJEm4c encrypted privilege 15
username admin attributes
vpn-group-policy YW#vpn
tunnel-group 69.57.51.194 type ipsec-l2l
tunnel-group 69.57.51.194 ipsec-attributes
pre-shared-key *
tunnel-group YW#vpn type ipsec-ra
tunnel-group YW#vpn general-attributes
address-pool YW#vpn
authorization-server-group LOCAL
authorization-server-group (outside) LOCAL
default-group-policy YW#vpn
tunnel-group YW#vpn ipsec-attributes
pre-shared-key *
!
policy-map global_policy
class class-default
03-12-2009 02:29 PM
Well, your main problem is your match address definition:
crypto map ToMarina 20 match address 90
This is the access-list used for the nonat, which includes both S2S and remote access traffic; using it for the match address will prevent the remote access connection from getting through, so go ahead and change that to:
access-list ToMarina permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
no crypto map ToMarina 20 match address 90
crypto map ToMarina 20 match address ToMarina
And the other problem, which is not affecting this but is really misconfigured, is your split tunnel policy: you are defining the network any as part of the split tunnel, which is just as if you did not have split tunnel enabled (hence the reason why the route shows 0.0.0.0 on the client).
Go ahead and change that to be:
access-list Split_tunnel_list standard permit 192.168.3.0 255.255.255.0
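As an added example (not part of this thread, and not Cisco's code), here is a small Python audit script that applies the checks from the answer above to an ASA-style configuration: it flags a static crypto map entry whose match-address ACL is also the nat 0 exemption ACL, a crypto ACL entry that covers the remote-access address pool (so the L2L entry claims client traffic before the dynamic map), and a split-tunnel list that permits any. The sample input is a constructed excerpt of the poster's config, plus the same excerpt with the suggested fixes applied; the function names `parse_config` and `audit` and the handled command forms are assumptions limited to what appears in the thread.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed excerpt of the config posted in the question (only the lines the audit needs).
BROKEN_CONFIG = """
access-list 90 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 extended permit ip any 10.10.10.0 255.255.255.0
access-list Split_tunnel_list remark SPlit tunnel list
access-list Split_tunnel_list standard permit any
ip local pool YW#vpn 10.10.10.1-10.10.10.32 mask 255.255.255.0
nat (inside) 0 access-list 90
crypto map ToMarina 20 match address 90
crypto map ToMarina 65535 ipsec-isakmp dynamic outside_dyn_map
group-policy YW#vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel_list
"""

# Constructed: the same excerpt with the changes suggested in the answer applied.
FIXED_CONFIG = """
access-list 90 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 90 extended permit ip any 10.10.10.0 255.255.255.0
access-list ToMarina permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Split_tunnel_list standard permit 192.168.3.0 255.255.255.0
ip local pool YW#vpn 10.10.10.1-10.10.10.32 mask 255.255.255.0
nat (inside) 0 access-list 90
crypto map ToMarina 20 match address ToMarina
crypto map ToMarina 65535 ipsec-isakmp dynamic outside_dyn_map
group-policy YW#vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel_list
"""


def _parse_addr(tok, i):
    """Parse one ACL address spec (any | host A | NET MASK) at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Collect ACL permit entries, address pools, nat 0 ACLs, crypto-map match ACLs and split lists."""
    cfg = {"acls": {}, "pools": {}, "nat0": set(), "crypto_match": [], "split_lists": set()}
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2] != "remark":
            entries = cfg["acls"].setdefault(tok[1], [])
            i, kind = 2, "extended"          # ASA treats a bare 'permit' line as extended
            if tok[i] in ("extended", "standard"):
                kind, i = tok[i], i + 1
            if tok[i] != "permit":           # deny entries are ignored by this audit
                continue
            if kind == "standard":
                entries.append((ANY, _parse_addr(tok, i + 1)[0]))
            elif tok[i + 1] == "ip":         # only 'permit ip SRC DST' matters for crypto/nonat ACLs
                src, j = _parse_addr(tok, i + 2)
                entries.append((src, _parse_addr(tok, j)[0]))
        elif tok[:3] == ["ip", "local", "pool"]:          # ip local pool NAME START-END mask MASK
            start, end = tok[4].split("-")
            cfg["pools"][tok[3]] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif tok[0] == "nat" and tok[2] == "0" and "access-list" in tok:
            cfg["nat0"].add(tok[tok.index("access-list") + 1])
        elif tok[:2] == ["crypto", "map"] and "match" in tok:   # crypto map NAME SEQ match address ACL
            cfg["crypto_match"].append((tok[2], int(tok[3]), tok[-1]))
        elif tok[:2] == ["split-tunnel-network-list", "value"]:
            cfg["split_lists"].add(tok[-1])
    return cfg


def _touches_pool(net, start, end):
    """True if any address of the pool range start..end lies inside net."""
    return not (net.broadcast_address < start or net.network_address > end)


def audit(text):
    """Return a list of findings; an empty list means all three checks pass."""
    cfg = parse_config(text)
    findings = []
    for map_name, seq, acl in cfg["crypto_match"]:
        if acl in cfg["nat0"]:
            findings.append(f"crypto map {map_name} {seq}: match-address ACL {acl} is also the nat 0 "
                            "(NAT-exemption) ACL; use a dedicated crypto ACL")
        for src, dst in cfg["acls"].get(acl, []):
            for pool, (start, end) in cfg["pools"].items():
                if _touches_pool(src, start, end) or _touches_pool(dst, start, end):
                    findings.append(f"crypto map {map_name} {seq}: ACL {acl} entry {src} -> {dst} covers "
                                    f"remote-access pool {pool}, so the static L2L entry claims client "
                                    "traffic before the dynamic map can")
                    break
    for name in cfg["split_lists"]:
        if any(net == ANY for _, net in cfg["acls"].get(name, [])):
            findings.append(f"split-tunnel list {name} permits any: this is effectively full tunnel; "
                            "list the internal networks instead")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", BROKEN_CONFIG), ("with the fixes", FIXED_CONFIG)):
        print(f"{label}: {len(audit(text))} finding(s)")
        for finding in audit(text):
            print("  -", finding)
```

Run against the posted excerpt it reports three findings (shared nonat ACL, pool covered by the crypto ACL, split tunnel permitting any); against the fixed excerpt it reports none, because the L2L crypto map now uses its own ACL and the split list names only 192.168.3.0/24.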
03-12-2009 02:34 PM
Thanks so much. I had tried several things and the Split tunnel policy was a last ditch effort. I originally had it setup like you are suggesting. The Crypto map is what got me. Thanks again.
03-12-2009 02:40 PM
Great to hear! Please rate useful posts.