03-29-2006 12:53 AM - edited 02-21-2020 02:20 PM
Hi all
Appreciate it if you can give me some guidance on what could have gone wrong with my configuration. My remote client VPN was working fine till I loaded in the site-to-site configuration.
I believe there must be some issue with my configuration for the site-to-site, as once I remove it, the client VPN gets on fine.
Appreciate your time
04-02-2006 11:55 PM
Hi All
I realised the NAT number is the same as the site-to-site VPN, but the same issue occurs even if I change the NAT.
04-03-2006 05:20 AM
Shawn,
Try this:
access-list nonat permit ip 10.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
access-list nonat permit ip 10.x.x.0 255.255.255.0 172.x.x.0 255.255.255.0
access-list 200 permit ip 10.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
access-list 300 permit ip 10.x.x.0 255.255.255.0 172.x.x.0 255.255.255.240
ip local pool vpn-ras-pool 172.x.x.1-172.x.x.10
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set transam1 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 100 set transform-set transam1
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 200
crypto map mymap 10 set peer
crypto map mymap 10 set transform-set transam1
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ras1 address-pool vpn-ras-pool
vpngroup ras1 dns-server
vpngroup ras1 wins-server
vpngroup ras1 default-domain
vpngroup ras1 split-tunnel 300
vpngroup ras1 idle-time 1800
vpngroup ras1 password
Hope this helps and please rate the post if it does.
Jay
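The config Jay posted relies on three things fitting together: the nat 0 exemption ACL covering both the site-to-site remote subnet and the client address pool, the dynamic crypto-map entry carrying the highest sequence number so static peers are tried first, and the pool not overlapping the static crypto ACL. The script below, an added example that is neither Cisco code nor either poster's config, parses PIX 6.x-style lines as plain text and reports which of those conditions fail. The sample configs, addresses and ACL names in it are constructed; it assumes only the keyword forms that appear in the post.

```python
"""Audit a PIX 6.x-style config for the conflicts that typically break a
remote-access (vpngroup) setup once a static site-to-site entry is added.

Added example for this thread, not Cisco code and not the poster's config.
It treats the config as plain text and assumes the keyword forms shown in
the thread ('access-list NAME permit ip ...', 'ip local pool', 'nat (inside) 0',
'crypto map NAME SEQ match address', 'crypto map NAME SEQ ipsec-isakmp dynamic').
"""
import ipaddress
import re
from typing import Dict, List, Tuple

IPv4Net = ipaddress.IPv4Network
AclEntry = Tuple[IPv4Net, IPv4Net]  # (source, destination)

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
STATIC_RE = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$")
DYN_RE = re.compile(r"^crypto map \S+ (\d+) ipsec-isakmp dynamic (\S+)$")


def _net(addr: str, mask: str) -> IPv4Net:
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse(config: str) -> dict:
    """Collect ACLs, the RAS pool, the nat 0 ACL name and crypto-map entries."""
    acls: Dict[str, List[AclEntry]] = {}
    result = {"acls": acls, "pool": None, "nat0": None, "static": [], "dynamic": []}
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse stray whitespace
        if m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            acls.setdefault(name, []).append((_net(sa, sm), _net(da, dm)))
        elif m := POOL_RE.match(line):
            first, last = (ipaddress.IPv4Address(a) for a in m.groups())
            result["pool"] = list(ipaddress.summarize_address_range(first, last))
        elif m := NAT0_RE.match(line):
            result["nat0"] = m.group(1)
        elif m := STATIC_RE.match(line):
            result["static"].append((int(m.group(1)), m.group(2)))
        elif m := DYN_RE.match(line):
            result["dynamic"].append((int(m.group(1)), m.group(2)))
    return result


def _covered(net: IPv4Net, entries: List[AclEntry]) -> bool:
    return any(net.subnet_of(dst) for _, dst in entries)


def audit(config: str) -> List[str]:
    """Return a list of problems; an empty list means all three checks pass."""
    p = parse(config)
    problems: List[str] = []
    nonat = p["acls"].get(p["nat0"], [])
    pool: List[IPv4Net] = p["pool"] or []

    # 1. Traffic to every site-to-site remote subnet and to every pool address
    #    must be exempt from NAT, or it is translated before the crypto ACL is
    #    consulted and never enters the tunnel.
    for _, acl_name in p["static"]:
        for _, dst in p["acls"].get(acl_name, []):
            if not _covered(dst, nonat):
                problems.append(f"crypto ACL {acl_name} destination {dst} is not in the nat 0 ACL")
    for net in pool:
        if not _covered(net, nonat):
            problems.append(f"pool range {net} is not in the nat 0 ACL")

    # 2. The dynamic entry must carry the highest sequence number, so static
    #    peers are matched first and the dynamic map catches the rest.
    if p["static"] and p["dynamic"]:
        top_static = max(seq for seq, _ in p["static"])
        for seq, name in p["dynamic"]:
            if seq <= top_static:
                problems.append(f"dynamic map {name} seq {seq} is not above static seq {top_static}")

    # 3. The pool must not fall inside a static crypto ACL, or client traffic
    #    would be claimed by the site-to-site entry.
    for _, acl_name in p["static"]:
        for _, dst in p["acls"].get(acl_name, []):
            for net in pool:
                if net.overlaps(dst):
                    problems.append(f"pool range {net} overlaps crypto ACL {acl_name} destination {dst}")
    return problems


# Constructed sample: inside 10.1.1.0/24, site-to-site peer LAN 192.168.2.0/24,
# client pool 172.16.5.1-10. GOOD follows the shape of the posted config.
GOOD_CONFIG = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list 200 permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 300 permit ip 10.1.1.0 255.255.255.0 172.16.5.0 255.255.255.240
ip local pool vpn-ras-pool 172.16.5.1-172.16.5.10
nat (inside) 0 access-list nonat
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 200
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
"""

# Constructed failing sample: nonat misses the peer LAN and the dynamic entry
# has a lower sequence number than the static one.
BAD_CONFIG = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 172.16.5.0 255.255.255.0
access-list 200 permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip local pool vpn-ras-pool 172.16.5.1-172.16.5.10
nat (inside) 0 access-list nonat
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 200
crypto map mymap 5 ipsec-isakmp dynamic dynmap
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg) or "no problems found")
```

The checks mirror the usual causes of the symptom in the first post: after a static entry is added, client traffic either gets translated before it reaches the crypto map or is matched by the wrong map entry. Running the script on the real config (with the elided peer and key values filled in) narrows the search to whichever of the three messages it prints.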
04-04-2006 08:29 PM
Hi Jay
Thank you so much for your help. I am trying to work this out; appreciate it if you can guide me along.
access-list nonat permit ip 10.x.x.0 (internal IP?) 255.255.255.0 192.x.x.0 (internal IP?) 255.255.255.0
access-list nonat permit ip 10.x.x.0 255.255.255.0 172.x.x.0 255.255.255.0 (client VPN rule?)
access-list 200 permit ip 10.x.x.0 (internal IP?) 255.255.255.0 192.x.x.0 (internal IP?) 255.255.255.0
access-list 300 permit ip 10.x.x.0 255.255.255.0 172.x.x.0 255.255.255.240 (client VPN rule?)
I have marked up the access-lists above with some enquiries; please let me know if this is correct.
For the site-to-site VPN, both our internal networks are actually sitting behind another firewall after the ASA 5500 and WatchGuard. So therefore, should the access-list be pointing to the exact internal network IP address and not the internal interface of the firewall? That is where I am really puzzled.....
Example
inside Net--ISA--watchguard-----ASA--ISA--inside net
Thanks Jay
04-04-2006 10:03 PM
Another question that is making me puzzled:
If I am creating a site-to-site VPN together with a remote Cisco VPN client, do I need to create two transform set names, one for the site-to-site and one for the remote VPN? Will that be an issue? Because I realised from your sample config file there is only a single transform set name.