VPN connection Between ASA 5510 (static address) and RV042 (Dynamic Address)

ulziibadrakh.a
Level 1

Hi. I configured a site-to-site IPsec VPN connection between an ASA and an RV042.

My VPN connection is established, but the LAN users on each side can't reach the remote users. My configuration is:

Cisco ASA 5510.

ASA Version 7.2(4)34

...

object-group network VPN-REMOTE

 network-object 192.168.200.0 255.255.255.0

object-group network VPN-LOCAL

 network-object 192.168.100.0 255.255.255.0

....

access-list outside_1_cryptomap extended permit ip object-group VPN-LOCAL object-group VPN-REMOTE

access-list inside_nat0_outbound extended permit ip object-group VPN-LOCAL object-group VPN-REMOTE

access-list inside-to-remote extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0

....

global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 192.168.100.0 255.255.255.0

...

access-group inside-to-remote in interface inside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1

...

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map MyDynMap 2 match address outside_1_cryptomap
crypto dynamic-map MyDynMap 2 set pfs
crypto dynamic-map MyDynMap 2 set transform-set ESP-3DES-MD5
crypto dynamic-map MyDynMap 2 set reverse-route
crypto map outside_map 1 ipsec-isakmp dynamic MyDynMap
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800

...

group-policy VPNconn internal
group-policy VPNconn attributes
vpn-filter value outside_1_cryptomap
vpn-tunnel-protocol IPSec
ip-comp enable
pfs enable
username admin password Pl8vAVCARYhfCY0O encrypted privilege 15
tunnel-group DefaultL2LGroup general-attributes
default-group-policy VPNconn
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp keepalive disable
...

I checked with packet-tracer why it can't ping the remote user.

INPUT:

packet-tracer input inside icmp 192.168.100.100 0 0 192.168.200.100

RESULT:

Phase: 11
Type: ACCESS_LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:

I couldn't find my mistake. If anyone finds a mistake in my config, please tell me. I will be happy.

Accepted Solution

JP Miranda Z
Cisco Employee

Hi ulziibadrakh.a,

The vpn-filter is incorrect, you currently have this:

group-policy VPNconn attributes
vpn-filter value outside_1_cryptomap

access-list outside_1_cryptomap extended permit ip object-group VPN-LOCAL object-group VPN-REMOTE

The filter should be from destination to source:

access-list vpn-filter extended permit ip object-group VPN-REMOTE object-group VPN-LOCAL

You should never use the same ACL that you already have applied on the cryptomap as a vpn filter.

Hope this info helps!!

Rate if helps you!! 

-JP-

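A corrected configuration for the ASA side, added here as a worked example; it is not code from the original post or from Cisco. It keeps the crypto ACL exactly as posted, adds a separate ACL for the vpn-filter written from the remote network toward the local one, points the group policy at it, and verifies the result with packet-tracer in both directions. The ACL name VPN-FILTER is an assumption; the interface names, object groups, group policy and addresses are the ones from the post.

```text
! Crypto ACL stays as posted: it is written from the local network toward the remote one.
access-list outside_1_cryptomap extended permit ip object-group VPN-LOCAL object-group VPN-REMOTE

! Separate ACL for the vpn-filter (name VPN-FILTER is assumed). The ASA evaluates a
! vpn-filter with the remote network as the source and the local network as the
! destination for traffic in both directions (it swaps source/destination for
! outbound flows), so the entries are written remote -> local. Reusing the crypto
! ACL (local -> remote) therefore matches nothing and hits the implicit deny,
! which is the ACCESS_LIST / ipsec-user drop seen in packet-tracer.
access-list VPN-FILTER extended permit ip object-group VPN-REMOTE object-group VPN-LOCAL
! A vpn-filter ends with an implicit deny, so if "ip" is wider than needed,
! list only the required protocols instead, for example:
! access-list VPN-FILTER extended permit icmp object-group VPN-REMOTE object-group VPN-LOCAL

! Point the group policy at the new ACL, replacing the crypto ACL used before.
group-policy VPNconn attributes
 vpn-filter value VPN-FILTER

! Verify from the inside toward the remote LAN (8 0 = ICMP echo request);
! the ACCESS_LIST / ipsec-user phase should now report ALLOW.
packet-tracer input inside icmp 192.168.100.100 8 0 192.168.200.100

! Verify the reverse direction as the decrypted packet arrives on the outside interface.
packet-tracer input outside icmp 192.168.200.100 8 0 192.168.100.100

! Confirm which filter is applied and watch its hit counts once traffic flows.
show running-config group-policy VPNconn
show access-list VPN-FILTER
```

The crypto ACL and the vpn-filter ACL answer different questions: the crypto ACL selects which traffic is encrypted into the tunnel, while the vpn-filter decides what is permitted once it is in the tunnel, and the ASA applies the latter from the remote peer's point of view. Keeping them as two separately named ACLs avoids a change to one silently breaking the other.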

2 Replies

Richard Burts
Hall of Fame

I wonder about the logic of using the same access list in the crypto map and in the vpn filter. I suggest that you try removing the vpn filter

vpn-filter value outside_1_cryptomap

and see if the VPN works better.

HTH

Rick

