01-26-2012 06:47 PM
I have created Remote VPN on ASA5510 (8.0(5)). The tunnel is UP and client machines are able to connect to the VPN, but it is not passing traffic between Server & Client.
01-26-2012 06:51 PM
Hi Manoj,
Make sure the VPN client receiving all the internal network information and also the internal subnets --> VPN client IP subnet traffic is not natted.
If possible, post the configs.
hth
MS
01-26-2012 06:58 PM
The DHCP pool for the client access is natted through policy NAT (NAT-0); despite all of the concerned configuration, traffic is not passing through the same.
01-26-2012 07:21 PM
Post the related configs from ASA. Also, make sure the internal switch has a route to VPN client subnet pointing to ASA (default route will work through).
Thx
MS
01-26-2012 10:09 PM
Yes! I am sharing my configurations :-
VPN Configuration:-
crypto ipsec transform-set IPSEC-VPN esp-des esp-md5-hmac
crypto dynamic-map dyn100 65535 set transform-set IPSEC-VPN
crypto dynamic-map dyn100 65535 set reverse-route
crypto map out_map 200 ipsec-isakmp dynamic dyn100
crypto map out_map interface outside
ip local pool vpnpool 192.168.96.1-192.168.96.6 mask 255.255.255.0
crypto isakmp policy 1
authentication pre-share
encryption des
hash sha
group 2
group-policy VPN internal
group-policy VPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Remote_Access_splitTunnelAcl
tunnel-group IPSEC-VPN type remote-access
tunnel-group IPSEC-VPN general-attributes
address-pool vpnpool
default-group-policy VPN
tunnel-group IPSEC-VPN ipsec-attributes
pre-shared-key cisco@123
username remoteuser password user@#123
username remoteuser attributes
vpn-group-policy VPN
vpn-tunnel-protocol ipsec
access-list inside_nat0_outbound_1 extended permit ip 10.0.0.0 255.255.252.0 192.168.96.0 255.255.255.0
access-list Remote_Access_splitTunnelAcl extended permit ip 10.0.0.0 255.255.252.0 192.168.96.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
route outside 0.0.0.0 0.0.0.0 210.7.75.129 1
route outside 210.7.68.224 255.255.255.240 210.7.68.225 1
Suggest me if anything additional is needed on the same..
01-27-2012 09:36 AM
Hi Manoj,
How are you trying to access the internal servers? If by hostname, then the DNS entries are missing for VPN clients. Add your internal DNS server IPs (at least one) under 'group-policy VPN attributes' (dns-server value x.x.x.x).
Also, to keep the split tunnel ACL simple, you can replace the extended ACL with a standard ACL (as you are not blocking any ports) - access-list Remote_Access_splitTunnelAcl standard permit 10.0.0.0 255.255.252.0.
I do not see any issues with the rest of the config based on the posting (anyway, clients are able to connect successfully).
If you still experience issues enable 'debug icmp trace' on ASA and try to ping from server --> Client and post the o/p.
hth
MS
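The checks MS walks through above (VPN pool exempt from NAT via the nat 0 ACL, internal subnet present in the split-tunnel list) can be mechanised against a config dump. The script below is an added example, not code from the thread or from Cisco; it assumes ASA 8.0-style netmask ACL syntax and the constructed config excerpt embedded in it, and it also accepts the standard-ACL form MS suggests.

```python
import ipaddress
import re

# Constructed sample: the pool, NAT-exemption and split-tunnel lines from the posted config.
ASA_CONFIG = """
ip local pool vpnpool 192.168.96.1-192.168.96.6 mask 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 10.0.0.0 255.255.252.0 192.168.96.0 255.255.255.0
access-list Remote_Access_splitTunnelAcl extended permit ip 10.0.0.0 255.255.252.0 192.168.96.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound_1
split-tunnel-network-list value Remote_Access_splitTunnelAcl
"""

# ASA ACEs use netmasks (not IOS wildcards); extended has src+dst, standard only src.
ACE_RE = re.compile(r"access-list (\S+) (?:extended permit ip (\S+) (\S+) (\S+) (\S+)|standard permit (\S+) (\S+))")
POOL_RE = re.compile(r"ip local pool \S+ (\S+)-(\S+)")

def parse(config):
    """Return (pool_hosts, {acl_name: [(src_net, dst_net)]}, nat0_acl_name, split_acl_name)."""
    pool, acls, nat0, split = [], {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if m := POOL_RE.match(line):
            first, last = (int(ipaddress.IPv4Address(x)) for x in m.groups())
            pool = [ipaddress.IPv4Address(i) for i in range(first, last + 1)]
        elif m := ACE_RE.match(line):
            name, src, smask, dst, dmask, std, std_mask = m.groups()
            if std:  # standard ACL: source network only, destination is "any"
                src, smask, dst, dmask = std, std_mask, "0.0.0.0", "0.0.0.0"
            acls.setdefault(name, []).append(
                (ipaddress.IPv4Network(f"{src}/{smask}"), ipaddress.IPv4Network(f"{dst}/{dmask}")))
        elif line.startswith("nat (inside) 0 access-list"):
            nat0 = line.split()[-1]
        elif line.startswith("split-tunnel-network-list value"):
            split = line.split()[-1]
    return pool, acls, nat0, split

def check(config):
    """Return a list of findings; an empty list means pool, NAT exemption and split tunnel agree."""
    pool, acls, nat0, split = parse(config)
    findings = []
    if nat0 not in acls:
        findings.append("no nat 0 ACL bound: inside->VPN traffic will be NATed")
    else:  # every pool address must be a destination the nat 0 ACL exempts
        uncovered = [str(h) for h in pool if not any(h in dst for _, dst in acls[nat0])]
        if uncovered:
            findings.append(f"pool addresses not exempt from NAT: {uncovered}")
    if split not in acls:
        findings.append("no split-tunnel ACL bound: clients will not route internal subnets into the tunnel")
    elif nat0 in acls:  # every NAT-exempted inside subnet must be tunneled by the split list
        for src in {s for s, _ in acls[nat0]}:
            if not any(src.subnet_of(t) for t, _ in acls[split]):
                findings.append(f"{src} exempted from NAT but missing from split-tunnel list")
    return findings
```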
01-27-2012 09:52 PM
Ok.. I'll check & revert back to you....
03-14-2012 07:38 PM
Thanks. Now it is working.....