Remote client VPN not working after Site to site VPN configuration

d_unafraid
Level 1

Hi all

I would appreciate it if you can give me some guidance on what could have gone wrong with my configuration. My remote client VPN was working fine till I loaded in the site to site configuration.

I believe there must be some issue with my configuration for the site to site, as once I remove it, the client VPN gets on fine.

Appreciate your time

4 Replies

d_unafraid
Level 1

Hi All

I realised the NAT number is the same as the site to site VPN, but the same issue occurs even if I change the NAT.

Shawn,

Try this:

! NAT exemption: inside net to the remote site and to the client pool
access-list nonat permit ip 10.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
access-list nonat permit ip 10.x.x.0 255.255.255.0 172.x.x.0 255.255.255.0
! Interesting traffic for the site-to-site tunnel
access-list 200 permit ip 10.x.x.0 255.255.255.0 192.x.x.0 255.255.255.0
! Split-tunnel list for the remote clients
access-list 300 permit ip 10.x.x.0 255.255.255.0 172.x.x.0 255.255.255.240
ip local pool vpn-ras-pool 172.x.x.1-172.x.x.10
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
! One transform set shared by the static and the dynamic crypto map entries
crypto ipsec transform-set transam1 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 100 set transform-set transam1
! Static entry for the site-to-site peer
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 200
crypto map mymap 10 set peer
crypto map mymap 10 set transform-set transam1
! Dynamic entry for the remote clients; highest sequence number so it is tried last
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp key address netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Remote-access group
vpngroup ras1 address-pool vpn-ras-pool
vpngroup ras1 dns-server
vpngroup ras1 wins-server
vpngroup ras1 default-domain
vpngroup ras1 split-tunnel 300
vpngroup ras1 idle-time 1800
vpngroup ras1 password

Hope this helps and please rate the post if it does.

Jay
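As an added illustration (not part of Jay's reply or any Cisco tool), here is a small Python checker for the three things the config above depends on when a static site-to-site entry and a dynamic remote-access entry share one crypto map: the dynamic entry sorting after the static one, the nat 0 exemption covering the whole client pool, and the L2L interesting traffic also being exempted from NAT. The sample config is constructed, with the masked 10.x.x.0 / 192.x.x.0 / 172.x.x.0 networks replaced by made-up private addresses.

```python
import ipaddress
import re

# Constructed sample following the shape of the config posted above.
SAMPLE_CONFIG = """\
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 200 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 300 permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.240
ip local pool vpn-ras-pool 172.16.1.1-172.16.1.10
nat (inside) 0 access-list nonat
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 200
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
"""

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
POOL_RE = re.compile(r"ip local pool \S+ (\S+)-(\S+)")
MAP_RE = re.compile(r"crypto map \S+ (\d+) ipsec-isakmp( dynamic)?")

def parse(cfg):
    # ACL entries as (src_net, dst_net), the client pool, and crypto map sequence numbers
    acls, pool, static_seqs, dyn_seqs = {}, None, [], []
    for line in cfg.splitlines():
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := POOL_RE.match(line):
            pool = [ipaddress.ip_address(a) for a in m.groups()]
        elif m := MAP_RE.match(line):
            (dyn_seqs if m.group(2) else static_seqs).append(int(m.group(1)))
    return acls, pool, static_seqs, dyn_seqs

def covers_pool(entries, pool):
    # True if every pool address falls inside some destination network of the ACL
    lo, hi = (int(a) for a in pool)
    return all(any(ipaddress.ip_address(i) in dst for _, dst in entries) for i in range(lo, hi + 1))

def check(cfg, nonat="nonat", l2l="200"):
    # Returns a list of findings; an empty list means all three checks passed
    acls, pool, static_seqs, dyn_seqs = parse(cfg)
    findings = []
    # 1. The dynamic (remote-access) entry must sort after every static L2L entry
    if dyn_seqs and static_seqs and min(dyn_seqs) < max(static_seqs):
        findings.append("dynamic crypto map entry sequence is lower than a static L2L entry")
    # 2. nat 0 must exempt every address of the client pool
    if not pool or not covers_pool(acls.get(nonat, []), pool):
        findings.append("NAT exemption ACL does not cover the remote-access pool")
    # 3. Each L2L interesting-traffic pair must also be exempted from NAT
    for src, dst in acls.get(l2l, []):
        if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in acls.get(nonat, [])):
            findings.append(f"L2L traffic {src} -> {dst} is not exempted from NAT")
    return findings
```

Run `check(SAMPLE_CONFIG)` against a pasted config with the real networks filled in; each finding names the line group to revisit.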

Hi Jay

Thank you so much for your help. I am trying to work this out; I would appreciate it if you can guide me along.

access-list nonat permit ip 10.x.x.0 (internal IP?) 255.255.255.0 192.x.x.0 (internal IP?) 255.255.255.0

access-list nonat permit ip 10.x.x.0 255.255.255.0 172.x.x.0 255.255.255.0 (client VPN rule?)

access-list 200 permit ip 10.x.x.0 (internal IP?) 255.255.255.0 192.x.x.0 (internal IP?) 255.255.255.0

access-list 300 permit ip 10.x.x.0 255.255.255.0 172.x.x.0 255.255.255.240 (client VPN rule?)

I have marked up the access-lists above with some enquiries; please let me know if this is correct.

For the site to site VPN, both our internal networks are actually sitting behind another firewall after the ASA 5500 and WatchGuard. So should the access-list be pointing to the exact internal network IP address and not the internal interface of the firewall? That is where I am really puzzled.

Example

inside Net--ISA--watchguard-----ASA--ISA--inside net

Thanks Jay

Another question that is puzzling me:

If I am creating a site to site VPN together with a remote Cisco VPN client, do I need to create two transform set names, one for the site to site and one for the remote VPN? Will that be an issue? I realised from your sample config that there is only a single transform set name.