07-18-2012 04:17 PM
Hello,
I already configured remote VPN access on a 5515X, but I have an issue when the clients connect to the remote VPN: DHCP assigns me an IP, but there is no default route in ipconfig on the PC/laptop. Also, I can access the network configured for the clients, but I cannot access the networks inside my 5515X firewall.
This ACL is for the networks permitted for access:
access-list VPNSplit remark VPN-Internet
access-list VPNSplit standard permit 10.10.0.0 255.255.0.0
access-list VPNSplit standard permit 10.1.0.0 255.255.0.0
access-list VPNSplit standard permit 10.2.0.0 255.255.0.0
access-list VPNSplit standard permit 10.21.0.0 255.255.0.0
access-list VPNSplit standard permit 10.22.0.0 255.255.0.0
access-list VPNSplit standard permit 10.6.0.0 255.255.0.0
access-list VPNSplit standard permit 192.168.0.0 255.255.0.0
access-list VPNSplit standard permit 10.29.0.0 255.255.0.0
access-list VPNSplit standard permit 10.28.0.0 255.255.0.0
access-list VPNSplit standard permit 10.27.0.0 255.255.0.0
access-list VPNSplit standard permit 10.23.0.0 255.255.0.0
access-list VPNSplit standard permit 10.19.0.0 255.255.0.0
access-list VPNSplit standard permit 10.9.0.0 255.255.0.0
Configuration for the remote VPN
aaa-server LDAP_AXFI (Inside) host 10.10.0.12
 ldap-base-dn OU=Admin, OU=People, DC=XXXXXX, DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=CiscoLDAP,ou=ServiceAccounts,ou=Services,dc=XXXXXX,dc=com
 server-type microsoft
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto map outside_map 90 ipsec-isakmp dynamic dinomap
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
 address-pool VPNPOOL
 authentication-server-group LDAP_AXFI
 default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
 ikev1 pre-shared-key *****
Do I need to change the ikev1 to ikev2 for the remote VPN?
What could be the issue?
Regards,
07-19-2012 12:05 AM
Please kindly share the whole config to see what could possibly be the issue.
Have you configured NAT exemption?
To answer your question: no, you don't need to change to IKEv2, as the IPSec VPN Client only supports IKEv1.
07-19-2012 09:53 AM
These are my NATs:
nat (Inside,Outside) source static SiteA SiteA destination static SiteB SiteB no-proxy-arp route-lookup
!
!
nat (Inside,Outside) after-auto source dynamic SiteA interface
Do I need to apply a NAT for the remote VPN network also?
How would this new NAT configuration look?
Regards,
07-19-2012 08:38 PM
Yes, you would also need to configure NAT exemption for the remote VPN pool.
07-20-2012 07:33 AM
Hello,
These are the NATs I configured:
nat (Inside,Outside) source static SiteA SiteA destination static SiteB SiteB no-proxy-arp route-lookup
nat (Inside,Outside) after-auto source dynamic SiteA interface
The configuration for the remote VPN pool will be: ip pool 10.10.26.1 - 10.10.26.50
nat (Inside,Outside) source static any any destination static VPNpool VPNpool no-proxy-arp route-lookup
Is it correct, or do I need to make other changes?
Best Regards
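
The NAT exemption discussed in this thread, written out as an added example (not posted by any participant). The object name VPNPOOL-NET and the /26 mask are assumptions chosen to cover the 10.10.26.1 - 10.10.26.50 pool stated above; the interface names and the 10.10.0.12 test host are taken from the thread.

```cisco
! Added example. VPNPOOL-NET and the /26 mask are assumptions:
! 10.10.26.0/26 (hosts .1-.62) covers the pool 10.10.26.1 - 10.10.26.50.
object network VPNPOOL-NET
 subnet 10.10.26.0 255.255.255.192
!
! Identity (exemption) rule for traffic between the inside networks and
! the VPN pool. The destination must reference a defined network object.
! Entered without "after-auto", it lands in manual NAT section 1, so it
! is evaluated before the existing
! "nat (Inside,Outside) after-auto source dynamic SiteA interface" rule,
! which would otherwise translate replies sent to VPN clients.
nat (Inside,Outside) source static any any destination static VPNPOOL-NET VPNPOOL-NET no-proxy-arp route-lookup
!
! Checks to run from the ASA exec prompt after applying the rule:
!   show nat detail
!     (the exemption rule should be listed in Section 1 and its hit
!      counters should increase while a client is connected)
!   packet-tracer input Inside icmp 10.10.0.12 8 0 10.10.26.1 detailed
!     (the NAT phase should match the exemption rule, not the dynamic one)
```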