
Remote Access VPN ASA

colinb1975
Level 1

Hi Guys

I have a problem with a Remote Access VPN on an ASA 5510 8.6.2.

I have created an IPSEC Remote Access VPN through the wizard; this is pretty much a base install on the ASA without much configuration.

I can connect to the ASA via the Remote Access client and get TX but no RX, therefore I cannot access any of the LAN resources.

Here is a copy of the config; any help would be appreciated.

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.252

!

interface Management0/0

nameif management

security-level 100

ip address 10.2.1.252 255.255.240.0

management-only

!

ftp mode passive

dns server-group DefaultDNS

domain-name perfectdomain.perfect-image.co.uk

same-security-traffic permit inter-interface

object network Inside-Network

subnet 10.2.0.0 255.255.240.0

description Inside Network

object network NETWORK_OBJ_192.168.1.0_27

subnet 192.168.1.0 255.255.255.0

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object network obj-192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object-group network LOCAL_NETWORKS_VPN

access-list inside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 any

access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 object Inside-Network

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside 1500

ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

nat (inside,outside) source static Inside-Network Inside-Network destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Inside-Network Inside-Network no-proxy-arp route-lookup

!

nat (inside,outside) after-auto source dynamic any interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable 4430

http 10.2.0.0 255.255.240.0 management

http 10.2.0.0 255.255.240.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 10.2.0.0 255.255.240.0 inside

telnet timeout 5

ssh 10.2.0.0 255.255.240.0 management

ssh 10.2.0.0 255.255.240.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 10

console timeout 0

dhcpd address 10.2.1.253-10.2.2.252 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy RAIPSECTUNNEL internal

group-policy RAIPSECTUNNEL attributes

dns-server value 10.2.1.7 10.2.1.8

vpn-tunnel-protocol ikev1

default-domain value perfectdomain.perfect-image.co.uk

username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15

username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15

tunnel-group RAIPSECTUNNEL type remote-access

tunnel-group RAIPSECTUNNEL general-attributes

address-pool RAIPSECPOOL

default-group-policy RAIPSECTUNNEL

tunnel-group RAIPSECTUNNEL ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:43c49a676e839e7821ff1473ddeaf90d

: end

13 Replies

Jouni Forss
VIP Alumni

Hi,

I can't see any configuration for an interface called "inside" even though your NAT configurations reference it.

If we are talking about the "management" interface then the "management-only" configuration to my understanding means that no traffic can be initiated through that interface. It will only accept traffic directly to the ASA itself for management purposes.

Can you copy/paste the current configuration and clarify the actual network you need to reach through the VPN.

- Jouni

Also

This NAT configuration is at least useless:

nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24  NETWORK_OBJ_192.168.1.0_24 destination static Inside-Network  Inside-Network no-proxy-arp route-lookup

This is because you have the networks the wrong way around.

- Jouni

I am new to these ASAs; what's the correct NAT statement that I need to add?

I take it that I just need to reverse this NAT statement?

Hi,

Could you first tell me the configuration of this interface "inside". I can't see it in the above output. There's only "management" and "outside" configured under the physical interfaces.

I think the output is missing some of the ASA interfaces. Also the same configuration is copy/pasted twice.

Can you copy/paste the complete current configuration here and specify which network you need to reach and what services you have used to test connectivity.

- Jouni

Hi, yes I think I have missed some of the config off. Here is a complete copy of the current running and startup config; any help would be greatly appreciated, thank you.

hostname PIFW01

domain-name perfectdomain.perfect-image.co.uk

enable password pBWHd.sDdzPIDYW/ encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 10.2.1.251 255.255.255.0

!

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.252

!

interface Management0/0

nameif management

security-level 100

ip address 10.2.1.252 255.255.240.0

management-only

!

ftp mode passive

dns server-group DefaultDNS

domain-name perfectdomain.perfect-image.co.uk

same-security-traffic permit inter-interface

object network Inside-Network

subnet 10.2.0.0 255.255.240.0

description Inside Network

object network NETWORK_OBJ_192.168.1.0_27

subnet 192.168.1.0 255.255.255.0

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

access-list inside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 any

access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 object Inside-Network

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside 1500

ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

nat (outside,inside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Inside-Network Inside-Network no-proxy-arp route-lookup

!

nat (inside,outside) after-auto source dynamic any interface

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable 4430

http 10.2.0.0 255.255.240.0 management

http 10.2.0.0 255.255.240.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 10.2.0.0 255.255.240.0 inside

telnet timeout 5

ssh 10.2.0.0 255.255.240.0 management

ssh 10.2.0.0 255.255.240.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 10

console timeout 0

dhcpd address 10.2.1.253-10.2.2.252 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy RAIPSECTUNNEL internal

group-policy RAIPSECTUNNEL attributes

dns-server value 10.2.1.7 10.2.1.8

vpn-tunnel-protocol ikev1

default-domain value perfectdomain.perfect-image.co.uk

username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15

username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15

tunnel-group RAIPSECTUNNEL type remote-access

tunnel-group RAIPSECTUNNEL general-attributes

address-pool RAIPSECPOOL

default-group-policy RAIPSECTUNNEL

tunnel-group RAIPSECTUNNEL ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:e69b2bbd683bfa19cf259c293776108e

Hi,

I think you have actually removed the wrong NAT configuration.

You could do these configurations, for example:

Remove the existing NAT for the VPN

  • The source network and destination network are the wrong way around

no nat (outside,inside) source static NETWORK_OBJ_192.168.1.0_24  NETWORK_OBJ_192.168.1.0_24 destination static Inside-Network  Inside-Network no-proxy-arp route-lookup

Create a new NAT for the VPN

  • We create objects for the LAN network and VPN Pool network
  • We then tell the ASA that when network LAN contacts network VPN-POOL, NO NAT needs to be done

object network VPN-POOL

subnet 192.168.1.0 255.255.255.0

object network LAN

subnet 10.2.1.0 255.255.255.0

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

Correct the current LAN ACL

  • For some reason your LAN network's ACL allows traffic only from the network 192.168.1.0/24. This should at the moment mean that no traffic from the actual LAN network of 10.2.1.0/24 is allowed

access-list inside_access_in extended permit ip object LAN any

no access-list inside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 any

Remove the OUTSIDE ACL

  • You won't need an ACL on the OUTSIDE interface to allow VPN user traffic. With the current settings it should be automatically allowed through the ASA

no access-group outside_access_in in interface outside

no access-list outside_access_in extended permit ip object NETWORK_OBJ_192.168.1.0_24 object Inside-Network

Enable ICMP Inspection

  • This will allow the ICMP echo replies to automatically get through the ASA
  • This is one usual problem when ICMP/PING isn't going through when testing connectivity

fixup protocol icmp

- Jouni

I would also consider changing the interface "management" IP address to something other than the current one so that it isn't the same as the "inside" interface.

- Jouni
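A constructed linter (added here; not code from the thread, the poster or Cisco) that parses a "show run" paste and flags the four problems Jouni identifies above: a NAT exemption with the LAN and VPN pool reversed (or none at all), an inside ACL that never permits the LAN, the management/inside subnet overlap, and ICMP inspection left off. The two sample configs are constructed from the thread's own identifiers; the 192.168.200.1 management address is the value Jouni suggests later in the thread.

```python
"""Lint an ASA 8.x config for the VPN mistakes raised in this thread: LAN/VPN-pool NAT exemption
reversed or absent, an inside ACL that never permits the LAN, overlapping interface subnets, no ICMP inspection."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
_net = lambda addr, mask: ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    # Context-driven, not indentation-driven (forum pastes lose the leading spaces); assumes
    # 'nameif' precedes 'ip address' within an interface block, as 'show run' prints it.
    cfg = {"ifaces": {}, "objects": {}, "pools": [], "acls": {}, "bind": {},
           "nats": [], "inspects": set()}
    ctx = None                            # ("iface", nameif) or ("object", name)
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0][0] in "!:":
            continue
        if w[0] == "nameif":
            ctx = ("iface", w[1])
        elif w[:2] == ["object", "network"]:
            ctx = ("object", w[2])
        elif ctx and ctx[0] == "iface" and w[:2] == ["ip", "address"]:
            cfg["ifaces"][ctx[1]] = _net(w[2], w[3])
        elif ctx and ctx[0] == "object" and w[0] == "subnet":
            cfg["objects"][ctx[1]] = _net(w[1], w[2])
        elif w[:3] == ["ip", "local", "pool"]:
            cfg["pools"].append(_net(w[4].split("-")[0], w[6]))
        elif w[0] == "access-list" and w[2:4] == ["extended", "permit"]:
            s = w[5:]                                   # source spec follows the protocol
            src = (ANY if s[0] == "any" else cfg["objects"].get(s[1])
                   if s[0] in ("object", "object-group") else _net(s[1], 32)
                   if s[0] == "host" else _net(s[0], s[1]))
            cfg["acls"].setdefault(w[1], []).append(src)    # unresolved group -> None
        elif w[0] == "access-group" and w[2:4] == ["in", "interface"]:
            cfg["bind"][w[4]] = w[1]
        elif w[0] == "nat":
            m = re.match(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) "
                         r"destination static (\S+) (\S+)", " ".join(w))
            if m:
                cfg["nats"].append(m.groups())
        elif w[0] == "inspect":
            cfg["inspects"].add(w[1])
    return cfg

def lint(config):
    """Return 'CODE: detail' findings; an empty list means every check passed."""
    cfg, out = parse(config), []
    is_pool = lambda n: n is not None and any(n.overlaps(p) for p in cfg["pools"])
    exempt_ok = reversed_seen = False
    for src_if, dst_if, rs, ms, rd, md in cfg["nats"]:
        if rs != ms or rd != md:
            continue                      # only identity (no-NAT) rules are of interest
        s, d = cfg["objects"].get(rs), cfg["objects"].get(rd)
        if is_pool(s):
            reversed_seen = True
            out.append(f"NAT-REVERSED: nat ({src_if},{dst_if}) puts the VPN pool {rs} on the source side")
        elif is_pool(d) and s is not None and src_if in cfg["ifaces"] and s.overlaps(cfg["ifaces"][src_if]):
            exempt_ok = True
    if cfg["pools"] and not (exempt_ok or reversed_seen):
        out.append("NAT-MISSING: no identity NAT LAN -> VPN pool; LAN replies hit the dynamic PAT rule")
    for iface, acl in cfg["bind"].items():        # inbound ACL on a private-side interface
        inet = cfg["ifaces"].get(iface)
        if inet and inet.is_private and not any(
                src is not None and src.overlaps(inet) for src in cfg["acls"].get(acl, [])):
            out.append(f"ACL-NO-LAN: {acl} on '{iface}' permits no source within {inet}")
    names = sorted(cfg["ifaces"])
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if cfg["ifaces"][a].overlaps(cfg["ifaces"][b]):
                out.append(f"IFACE-OVERLAP: '{a}' {cfg['ifaces'][a]} and '{b}' {cfg['ifaces'][b]}")
    if "icmp" not in cfg["inspects"]:
        out.append("ICMP-INSPECT: 'inspect icmp' is not enabled; pings used to test the VPN may fail")
    return out

TEMPLATE = """\
interface GigabitEthernet0/0
 nameif inside
 ip address 10.2.1.251 255.255.255.0
interface Management0/0
 nameif management
 ip address {mgmt}
object network {lan_obj}
 subnet {lan_net}
object network {pool_obj}
 subnet 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip object {acl_src} any
ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
nat (inside,outside) source static {nat}
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
{icmp}"""
BROKEN = TEMPLATE.format(  # constructed: the poster's first config, cut down to the lines that matter
    mgmt="10.2.1.252 255.255.240.0", lan_obj="Inside-Network", lan_net="10.2.0.0 255.255.240.0",
    pool_obj="NETWORK_OBJ_192.168.1.0_24", acl_src="NETWORK_OBJ_192.168.1.0_24", icmp="",
    nat="NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static Inside-Network Inside-Network")
FIXED = TEMPLATE.format(   # constructed: Jouni's corrections applied, management moved off the LAN subnet
    mgmt="192.168.200.1 255.255.255.0", lan_obj="LAN", lan_net="10.2.1.0 255.255.255.0",
    pool_obj="VPN-POOL", acl_src="LAN", nat="LAN LAN destination static VPN-POOL VPN-POOL", icmp="  inspect icmp")
```

Run `lint(BROKEN)` to see the four findings and `lint(FIXED)` to confirm the corrected config is clean; paste a real "show run" in place of the sample to check your own box.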

Hi Jouni

Still not working, I am afraid. Here is the current running config. I have noticed that when I connect via the VPN client, the default gateway address on the VPN client is 192.168.1.2?? Any more help would be appreciated.

Thank you.

!

hostname PIFW01

domain-name perfectdomain.perfect-image.co.uk

enable password pBWHd.sDdzPIDYW/ encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif inside

security-level 100

ip address 10.2.1.251 255.255.255.0

!

interface GigabitEthernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

nameif outside

security-level 0

ip address 212.135.154.130 255.255.255.252

!

interface Management0/0

nameif management

security-level 100

ip address 10.2.1.252 255.255.240.0

management-only

!

ftp mode passive

dns server-group DefaultDNS

domain-name perfectdomain.perfect-image.co.uk

same-security-traffic permit inter-interface

object network Inside-Network

subnet 10.2.0.0 255.255.240.0

description Inside Network

object network NETWORK_OBJ_192.168.1.0_27

subnet 192.168.1.0 255.255.255.0

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object network VPNPool

subnet 192.168.1.0 255.255.255.0

description VPNPool

object network VPN-POOL

subnet 192.168.1.0 255.255.255.0

object network LAN

subnet 10.2.1.0 255.255.255.0

access-list inside_access_in extended permit ip object LAN any

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside 1500

ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm history enable

arp timeout 14400

nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL

!

nat (inside,outside) after-auto source dynamic any interface

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 212.135.154.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable 4430

http 10.2.0.0 255.255.240.0 management

http 10.2.0.0 255.255.240.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.2.0.0 255.255.240.0 inside
telnet timeout 5
ssh 10.2.0.0 255.255.240.0 management
ssh 10.2.0.0 255.255.240.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd address 10.2.1.253-10.2.2.252 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RAIPSECTUNNEL internal
group-policy RAIPSECTUNNEL attributes
dns-server value 10.2.1.7 10.2.1.8
vpn-tunnel-protocol ikev1
default-domain value perfectdomain.perfect-image.co.uk
username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15
username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15
tunnel-group RAIPSECTUNNEL type remote-access
tunnel-group RAIPSECTUNNEL general-attributes
address-pool RAIPSECPOOL
default-group-policy RAIPSECTUNNEL
tunnel-group RAIPSECTUNNEL ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f50aaad7c3ecaf94382ff0cc887bb5ac
: end

Hi,

If possible could you please change the "management" interface IP address to something else?

interface Management0/0
nameif management
security-level 100
ip address 10.2.1.252 255.255.240.0
management-only

For example change the "ip address" to "ip add 192.168.200.1 255.255.255.0"

Of course this depends on whether you are actually using the "management" interface for managing the ASA. I notice you also have device management related configurations on the "inside" interface. Just want to make sure you don't lose management connectivity to the ASA.

The default gateway 192.168.1.2 is correct I think. I assume this is the IP address that the Client has also gotten from the ASA.

- Jouni

I have changed the interface IP address, and the client, when connecting, gets the IP 192.168.1.1 with the gateway address of 192.168.1.2. Is this right?

Please see the current running config. I do appreciate your help and I thank you.

Result of the command: "show run"

: Saved
:
ASA Version 8.6(1)2
!
hostname PIFW01
domain-name
enable password pBWHd.sDdzPIDYW/ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 10.2.1.251 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.200.1 255.255.255.0
management-only
!
ftp mode passive
dns server-group DefaultDNS
domain-name perfectdomain.perfect-image.co.uk
same-security-traffic permit inter-interface
object network Inside-Network
subnet 10.2.0.0 255.255.240.0
description Inside Network
object network NETWORK_OBJ_192.168.1.0_27
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network VPN-POOL
subnet 192.168.1.0 255.255.255.0
object network LAN
subnet 10.2.1.0 255.255.255.0
access-list inside_access_in extended permit ip object LAN any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static any any destination static VPN-POOL VPN-POOL
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 4430
http 10.2.0.0 255.255.240.0 management
http 10.2.0.0 255.255.240.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.2.0.0 255.255.240.0 inside
telnet timeout 5
ssh 10.2.0.0 255.255.240.0 management
ssh 10.2.0.0 255.255.240.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RAIPSECTUNNEL internal
group-policy RAIPSECTUNNEL attributes
dns-server value 10.2.1.7 10.2.1.8
vpn-tunnel-protocol ikev1
default-domain value perfectdomain.perfect-image.co.uk
username KI-Admin password OMa9XVzN1OQ0Is.6 encrypted privilege 15
username PI-Admin password BEGl74DXS9pqUL6v encrypted privilege 15
username PI-Admin attributes
vpn-group-policy RAIPSECTUNNEL
tunnel-group RAIPSECTUNNEL type remote-access
tunnel-group RAIPSECTUNNEL general-attributes
address-pool RAIPSECPOOL
default-group-policy RAIPSECTUNNEL
tunnel-group RAIPSECTUNNEL ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:994f53e49dd106901f7804cf411285f9
: end

Hi,

You have changed the NAT configuration. There was really no need for that. It was already correct in the format I mentioned.

The default gateway of the VPN Client will always be the IP address that it gets from the ASA. This is just how the VPN Client software works on the local computer.

What are you trying to connect through the VPN client?

What is the destination IP address?

What is the service used? (TCP/UDP port)

If you have the chance to test the VPN connection from a host on the Internet and also have an ASDM connection to the ASA, I would check the ASA logs through the Monitor window to see what happens to the connections you are attempting through the VPN client connection.

- Jouni
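As an added example (not code from the thread or from Cisco), a small Python audit that reads an ASA running config in the format posted above and flags the points this discussion touches: whether an identity NAT exemption for the VPN pool exists and whether it uses `any` as the inside source instead of the specific inside network object, management access (`ssh`/`http`/`telnet`) open to `0.0.0.0 0.0.0.0` on `outside`, and IKEv1 policies that still accept DES or 3DES. The sample config is a constructed excerpt modelled on the posted one; the object and pool names come from the thread.

```python
import re

# Constructed excerpt modelled on the running config posted in the thread
# (not the poster's full config); only the lines the audit cares about.
SAMPLE_CONFIG = """\
ip local pool RAIPSECPOOL 192.168.1.1-192.168.1.254 mask 255.255.255.0
nat (inside,outside) source static any any destination static VPN-POOL VPN-POOL
ssh 10.2.0.0 255.255.240.0 inside
ssh 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 outside
crypto ikev1 policy 30
 encryption aes-256
crypto ikev1 policy 130
 encryption des
crypto ikev1 policy 150
 encryption des
"""

# Identity NAT: source object repeated, destination object repeated.
NAT_EXEMPT = re.compile(
    r"^nat \(inside,outside\) source static (\S+) \1 destination static (\S+) \2")
MGMT_OPEN = re.compile(r"^(ssh|http|telnet) 0\.0\.0\.0 0\.0\.0\.0 (\S+)")
WEAK_ENC = {"des", "3des"}


def audit_asa_config(text):
    """Return a list of findings for common remote-access VPN mistakes."""
    findings = []
    have_exempt = False
    policy = None
    for raw in text.splitlines():
        line = raw.strip()
        m = NAT_EXEMPT.match(line)
        if m:
            have_exempt = True
            if m.group(1) == "any":
                findings.append("NAT exemption uses 'any' as the inside source; "
                                "prefer the specific inside network object")
        m = MGMT_OPEN.match(line)
        if m and m.group(2) == "outside":
            findings.append(f"{m.group(1)} management open to 0.0.0.0/0 on outside")
        m = re.match(r"^crypto ikev1 policy (\d+)", line)
        if m:
            policy = m.group(1)  # remember which policy the next lines belong to
        m = re.match(r"^encryption (\S+)", line)
        if m and policy and m.group(1) in WEAK_ENC:
            findings.append(f"ikev1 policy {policy} allows {m.group(1)}")
    if not have_exempt:
        findings.append("no identity NAT exemption for the VPN pool found")
    return findings
```

Run it over the output of `show run` saved to a file; the original config in the thread produces no NAT finding because it used `Inside-Network` rather than `any`.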

Hello Jouni

Sorry about the late reply, I have been in transit back home.

The VPN client is configured for UDP/IPSEC and NAT-T. Initially it wasn't connecting at all until I enabled NAT-T; now it connects, I just cannot access any resources on the local LAN. For example, if I try to ping 10.2.1.88 it just times out. When I look in the ASDM syslog I can see my client connect, I just cannot access any resources. I have checked the routing on the servers etc. As the default gateway on the servers goes out through another device, I have added a static route into the servers for the 192.168.1.0 Remote Access IP pool to point back to the inside interface on the ASA 5510.

Does this make sense? Thank you kindly, your help is appreciated greatly.

Hi,

You say that the default gateway of the servers that you are trying to reach through VPN is something different than the ASA which you use for the VPN.

This means that you will either have to somehow enable routing from that default gateway device to the ASA when the destination network is 192.168.1.0/24,

OR

as you say, configure the route statically on the hosts/servers to point towards the ASA.

Configuring the route on the actual hosts is the quick way to confirm if the VPN is working and generally to get the connections to work, but naturally it's not the cleanest way, since actual networking devices/routers should handle this task instead of the hosts/servers.

But as I said, you could at least try the connectivity with the static routes on the actual hosts/servers to confirm that things work after that. If after this the connection works, you will have a chance to think of a better solution on the actual network so you won't have to configure the routes on the actual hosts/servers.

- Jouni