11-24-2016 12:54 AM
Hi. I configured Site to Site IPsec VPN connection between ASA and RV042.
My VPN connection is established, but users on each LAN network can't access the remote users. My configuration is:
Cisco ASA 5510.
ASA Version 7.2(4)34
...
object-group network VPN-REMOTE
network-object 192.168.200.0 255.255.255.0
object-group network VPN-LOCAL
network-object 192.168.100.0 255.255.255.0
....
access-list outside_1_cryptomap extended permit ip object-group VPN-LOCAL object-group VPN-REMOTE
access-list inside_nat0_outbound extended permit ip object-group VPN-LOCAL object-group VPN-REMOTE
access-list inside-to-remote extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
....
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 192.168.100.0 255.255.255.0
...
access-group inside-to-remote in interface inside
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
...
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map MyDynMap 2 match address outside_1_cryptomap
crypto dynamic-map MyDynMap 2 set pfs
crypto dynamic-map MyDynMap 2 set transform-set ESP-3DES-MD5
crypto dynamic-map MyDynMap 2 set reverse-route
crypto map outside_map 1 ipsec-isakmp dynamic MyDynMap
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
...
group-policy VPNconn internal
group-policy VPNconn attributes
vpn-filter value outside_1_cryptomap
vpn-tunnel-protocol IPSec
ip-comp enable
pfs enable
username admin password Pl8vAVCARYhfCY0O encrypted privilege 15
tunnel-group DefaultL2LGroup general-attributes
default-group-policy VPNconn
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp keepalive disable
...
I checked with packet-tracer why it can't ping the remote user.
INPUT:
packet-tracer input inside icmp 192.168.100.100 0 0 192.168.200.100
RESULT:
phase: 11
Type: ACCESS_LIST
Subtype: ipsec-user
Result: drop
config:
additional Information:
I didn't find my mistake. If anyone finds a mistake in my config, please tell me. I will be happy.
11-24-2016 07:01 AM
Hi ulziibadrakh.a,
The vpn-filter is incorrect, you currently have this:
group-policy VPNconn attributes
vpn-filter value outside_1_cryptomap
access-list outside_1_cryptomap extended permit ip object-group VPN-LOCAL object-group VPN-REMOTE
The filter should be from destination to source:
access-list vpn-filter extended permit ip object-group VPN-REMOTE object-group VPN-LOCAL
You should never use the same ACL that you already have applied on the cryptomap as a vpn filter.
Hope this info helps!!
Rate if it helps you!!
-JP-
11-24-2016 06:53 AM
I wonder about the logic of using the same access list in the crypto map and in the vpn filter. I suggest that you try removing the vpn filter
vpn-filter value outside_1_cryptomap
and see if the VPN works better.
HTH
Rick
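The two answers above both come down to how the ASA evaluates a vpn-filter: the ACL is written with the remote (tunnel) side as source and the local side as destination, and for outbound packets the ASA swaps source and destination before the lookup. The following is an added model of that check, not code from the thread or from Cisco; the ACL entries and host addresses are constructed from the networks in the original config, and a filter of None stands for Rick's suggestion of removing the vpn-filter entirely.

```python
import ipaddress

# Constructed ACL entries modelled on the ACLs in the thread (not ASA data structures).
def ace(src, dst):
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst))

VPN_LOCAL = "192.168.100.0/24"
VPN_REMOTE = "192.168.200.0/24"

# Crypto ACL as written in the original config: local -> remote.
CRYPTO_ACL = [ace(VPN_LOCAL, VPN_REMOTE)]
# Filter ACL as JP suggests: remote -> local.
VPN_FILTER_ACL = [ace(VPN_REMOTE, VPN_LOCAL)]


def acl_permits(acl, src_ip, dst_ip):
    """First-match 'permit ip' evaluation with an implicit deny at the end."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in acl)


def vpn_filter_permits(acl, src_ip, dst_ip, direction):
    """Model the ASA vpn-filter check.

    Inbound (decrypted) packets are matched as-is: remote source, local
    destination. Outbound (pre-encryption) packets have source and destination
    swapped before the lookup, so the same remote->local ACL covers both ways.
    No filter (None) means everything through the tunnel is permitted.
    """
    if acl is None:
        return True
    if direction == "inbound":
        return acl_permits(acl, src_ip, dst_ip)
    if direction == "outbound":
        return acl_permits(acl, dst_ip, src_ip)
    raise ValueError(f"unknown direction: {direction}")


def ping_from_inside_allowed(filter_acl, local_host="192.168.100.100",
                             remote_host="192.168.200.100"):
    """Does the echo request from the LAN host, and its reply, pass the filter?"""
    request_ok = vpn_filter_permits(filter_acl, local_host, remote_host, "outbound")
    reply_ok = vpn_filter_permits(filter_acl, remote_host, local_host, "inbound")
    return request_ok and reply_ok
```

With CRYPTO_ACL as the filter, the outbound echo request is evaluated as 192.168.200.100 -> 192.168.100.100, matches nothing and hits the implicit deny, which is the packet-tracer drop in the question; VPN_FILTER_ACL or no filter lets both directions through.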