12-11-2014 03:04 AM
When I use a Cisco VPN client to connect to my ASA, the VPN tunnel comes up and I receive an IP address from the local pool. I can ping my own address, but that's it. The default gateway received by the VPN client is also an address from the local pool. I suppose I cannot reach any other devices because this is not correct. Does anyone have an idea how I can solve this issue?
01-01-2015 04:25 PM
Hi Jeroen,
Check the routing on your ASA. When the VPN client connects, you should see a reverse route injected on the ASA. Is this route being propagated to the rest of the network?
01-01-2015 11:03 PM
How can I check that? With a simple show route?
01-02-2015 02:00 AM
I am using a local pool.
ip local pool VPN_GAD 10.0.19.39-10.0.19.50 mask 255.255.255.224
A show route command on the ASA shows the following route:
S 10.0.19.39 255.255.255.255 [1/0] via 10.0.17.17, Outside
On my layer 3 switch, there is no route to the VPN client range.
The ASA has RIP configured:
router rip
network 10.0.0.0
redistribute static
default-information originate
version 2
The layer 3 switch has RIP configured:
router rip
version 2
redistribute static
network 10.0.0.0
no auto-summary
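The two things the replies ask about are whether the reverse route injected for the connected client exists on the ASA and whether it can be carried to the rest of the network by RIP. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses the posted pool definition, show route output and RIP stanza and reports which pool addresses currently have a /32 host route, whether the pool range actually fits inside the mask it hands to clients, and whether "no auto-summary" is present. The sample input is constructed to match the lines posted above (the connected route is invented for illustration); the route-line regex assumes the ASA "show route" layout shown in the post.

```python
"""Check ASA reverse-route injection (RRI) for a VPN local pool.

Added example for the thread above; inputs are constructed, not a real capture.
"""
import ipaddress
import re

# Constructed sample input modelled on the posted output.
POOL_LINE = "ip local pool VPN_GAD 10.0.19.39-10.0.19.50 mask 255.255.255.224"
SHOW_ROUTE = """\
S    10.0.19.39 255.255.255.255 [1/0] via 10.0.17.17, Outside
C    10.0.17.0 255.255.255.0 is directly connected, Outside
S    10.0.18.0 255.255.255.0 [1/0] via 10.0.17.1, Inside
"""
RIP_CONFIG = """\
router rip
 network 10.0.0.0
 redistribute static
 default-information originate
 version 2
"""

POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+)(?: mask (\S+))?")
# Matches both "[ad/metric] via X, IF" and "is directly connected, IF" lines.
ROUTE_RE = re.compile(
    r"^([A-Z]\*?)\s+(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:\[\d+/\d+\] via (\S+)|is directly connected), (\S+)")


def parse_pool(line):
    """Return (name, first, last, network-or-None) from an 'ip local pool' line."""
    m = POOL_RE.search(line)
    if not m:
        raise ValueError("not an ip local pool line")
    name, first, last, mask = m.groups()
    first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
    net = None
    if mask:
        # The mask is what the client is told; derive the subnet from the first
        # address so the whole range can be checked against it.
        net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
    return name, first, last, net


def parse_routes(text):
    """Parse ASA 'show route' lines into (code, network, next_hop, interface)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            code, addr, mask, nh, ifc = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            routes.append((code, net, nh, ifc))
    return routes


def pool_addresses(first, last):
    """Every address in the pool range, inclusive."""
    return [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]


def covering_route(addr, routes):
    """Longest-prefix match for addr, or None if nothing covers it."""
    hits = [r for r in routes if addr in r[1]]
    return max(hits, key=lambda r: r[1].prefixlen) if hits else None


def injected_host_routes(first, last, routes):
    """Pool addresses that currently have a /32 route, mapped to (next hop, interface)."""
    found = {}
    for a in pool_addresses(first, last):
        r = covering_route(a, routes)
        if r and r[1].prefixlen == 32:
            found[str(a)] = (r[2], r[3])
    return found


def pool_fits_mask(first, last, net):
    """True when the whole pool range lies inside the subnet implied by the mask."""
    return net is None or (first in net and last in net)


def rip_has_no_auto_summary(config):
    """True when the RIP stanza contains a 'no auto-summary' line."""
    return any(l.strip() == "no auto-summary" for l in config.splitlines())


def report(pool_line=POOL_LINE, show_route=SHOW_ROUTE, rip_config=RIP_CONFIG):
    """Summarise the RRI and RIP checks for one pool."""
    name, first, last, net = parse_pool(pool_line)
    routes = parse_routes(show_route)
    return {
        "pool": name,
        "pool_fits_mask": pool_fits_mask(first, last, net),
        "rri_host_routes": injected_host_routes(first, last, routes),
        "rip_no_auto_summary": rip_has_no_auto_summary(rip_config),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

RRI only injects a /32 for each client that is connected, so with a single client only one pool address shows a host route; that is expected, and the question is whether that /32 (or a route for the whole pool subnet) reaches the layer 3 switch. The script only reports what is present; it does not decide why a route is missing downstream.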
01-02-2015 06:27 AM
The "no auto-summary" command is missing from the ASA's RIP config. What routes from the ASA do you see on the layer 3 switch?
01-02-2015 06:46 AM
I added the "no auto-summary" on the ASA.
There are a lot of static routes defined on the ASA (as S). These also appear on the layer 3 switch (as R).
01-02-2015 02:54 PM
Is reverse route injection configured on the ASA? Have a look at the following doc as a guide:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107596-asa-reverseroute.html
01-06-2015 05:21 AM
As far as I can see, these commands are present in my config.
We also have some site to site VPNs and they are working correctly.
Below is a copy of some relevant parts of my config:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 15 match address Outside_15_cryptomap
crypto dynamic-map Outside_dyn_map 15 set pfs
crypto dynamic-map Outside_dyn_map 15 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 15 set reverse-route
crypto dynamic-map Outside_dyn_map 20 match address Outside_20_cryptomap
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set reverse-route
crypto dynamic-map Outside_dyn_map 40 set pfs
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set pfs
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 80 set pfs
crypto dynamic-map Outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 100 set pfs
crypto dynamic-map Outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto map Outside_map 40 match address Outside_40_cryptomap
crypto map Outside_map 40 set pfs
crypto map Outside_map 40 set peer 87.66.7.232
crypto map Outside_map 40 set transform-set ESP-3DES-SHA
crypto map Outside_map 80 match address Outside_80_cryptomap
crypto map Outside_map 80 set pfs
crypto map Outside_map 80 set peer 87.66.7.234
crypto map Outside_map 80 set transform-set ESP-3DES-SHA
crypto map Outside_map 100 match address Outside_100_cryptomap
crypto map Outside_map 100 set pfs
crypto map Outside_map 100 set peer 87.66.7.231
crypto map Outside_map 100 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp identity hostname
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group GADVPN type ipsec-ra
tunnel-group GADVPN general-attributes
address-pool VPN_GAD
authentication-server-group group1
default-group-policy GADVPN
tunnel-group GADVPN ipsec-attributes
pre-shared-key *
tunnel-group 87.66.7.232 type ipsec-l2l
tunnel-group 87.66.7.232 ipsec-attributes
pre-shared-key *
tunnel-group 87.66.7.231 type ipsec-l2l
tunnel-group 87.66.7.231 ipsec-attributes
pre-shared-key *
tunnel-group 87.66.7.234 type ipsec-l2l
tunnel-group 87.66.7.234 ipsec-attributes
pre-shared-key *
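In the posted config only dynamic-map entries 15 and 20 carry "set reverse-route"; entries 40, 60, 80 and 100 do not, and the thread does not show which entry a remote-access client actually lands on. The following is an added example, not code from the thread or from Cisco: a Python audit that parses "crypto dynamic-map" lines, lists the entries that lack RRI, lists the entries that carry a "match address" ACL, and confirms that the dynamic map is referenced from a crypto map that is applied to an interface. The embedded config is a constructed excerpt of the lines posted above, trimmed to keep the example short.

```python
"""Audit ASA crypto dynamic-map entries for reverse-route injection (RRI).

Added example for the thread above; the config excerpt is constructed from the
posted lines, not a real device dump.
"""
import re
from collections import defaultdict

CRYPTO_CONFIG = """\
crypto dynamic-map Outside_dyn_map 15 match address Outside_15_cryptomap
crypto dynamic-map Outside_dyn_map 15 set pfs
crypto dynamic-map Outside_dyn_map 15 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 15 set reverse-route
crypto dynamic-map Outside_dyn_map 20 match address Outside_20_cryptomap
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 20 set reverse-route
crypto dynamic-map Outside_dyn_map 40 set pfs
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 60 set pfs
crypto dynamic-map Outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
"""

DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) (.+)$")
DYN_BIND_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
MAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")


def parse_dynamic_maps(config):
    """Return {map_name: {seq: [attribute strings]}} in config order."""
    maps = defaultdict(lambda: defaultdict(list))
    for line in config.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            name, seq, attr = m.groups()
            maps[name][int(seq)].append(attr)
    return {name: dict(seqs) for name, seqs in maps.items()}


def entries_without_rri(config):
    """(map, seq) pairs that never 'set reverse-route'."""
    missing = []
    for name, seqs in parse_dynamic_maps(config).items():
        for seq in sorted(seqs):
            if "set reverse-route" not in seqs[seq]:
                missing.append((name, seq))
    return missing


def entries_with_match_address(config):
    """{(map, seq): acl_name} for entries that carry a 'match address' ACL."""
    out = {}
    for name, seqs in parse_dynamic_maps(config).items():
        for seq, attrs in seqs.items():
            for attr in attrs:
                if attr.startswith("match address "):
                    out[(name, seq)] = attr.split(None, 2)[2]
    return out


def dynamic_map_bindings(config):
    """{dynamic_map: [(crypto_map, seq), ...]} for each 'ipsec-isakmp dynamic' line."""
    out = defaultdict(list)
    for line in config.splitlines():
        m = DYN_BIND_RE.match(line.strip())
        if m:
            cmap, seq, dyn = m.groups()
            out[dyn].append((cmap, int(seq)))
    return dict(out)


def applied_interfaces(config):
    """{crypto_map: interface} for each 'crypto map X interface Y' line."""
    out = {}
    for line in config.splitlines():
        m = MAP_IF_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def audit(config=CRYPTO_CONFIG):
    """Per dynamic map: interfaces it is active on, entries lacking RRI, match-address ACLs."""
    bindings = dynamic_map_bindings(config)
    ifaces = applied_interfaces(config)
    result = {}
    for name in parse_dynamic_maps(config):
        on = sorted({ifaces[c] for c, _ in bindings.get(name, []) if c in ifaces})
        result[name] = {
            "applied_on": on,
            "missing_rri": [s for n, s in entries_without_rri(config) if n == name],
            "match_address": {s: acl for (n, s), acl in
                              entries_with_match_address(config).items() if n == name},
        }
    return result


if __name__ == "__main__":
    for name, info in audit().items():
        print(name, info)
```

The audit is purely structural: it tells you which entries would not inject a route if a client negotiated against them, but which entry a given client matches is decided at tunnel setup and has to be read from the device (for example from the IPsec SA output), not from the config alone.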
01-06-2015 06:09 AM
When I use the ASDM console, I notice that the tunnel does come up. But when I go to the VPN statistics, there are 0 Bytes Tx and 0 Bytes Rx, even though I am running a ping command from my laptop to a server on our LAN.
The site-to-site VPNs do show increasing Tx and Rx values.