01-20-2006 01:56 AM - edited 02-21-2020 02:12 PM
Hi!
I have a problem getting the vpn-filter to work on my ASA5520 ver 7.4 and it's urgent. The traffic doesn't
pass through, and I get this message in the log: (106023: Deny tcp src Outside:10.10.10.1/1024 dst
Inside:192.0.0.20/23 by access-group "Outside_access_in"). I have tested with vpn-client and easy-vpn, with
the same problem. I have included the relevant configuration below. Does anyone have a configuration example that works?
access-list grupp1_easyvpn_splitTunnelAcl standard permit 192.0.0.0 255.255.255.0
access-list Outside_access_in extended permit icmp any any echo-reply
access-list Inside_nat0_outbound extended permit ip 192.0.0.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list Inside_access_in extended permit ip any any
access-list DMZ_access_in extended permit ip any any
access-list Outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.0
access-list Test_Filter_10 extended permit ip any any
ip local pool test_pool_1 10.10.10.1-10.10.10.254 mask 255.255.255.0
group-policy grupp1_easyvpn internal
group-policy grupp1_easyvpn attributes
 vpn-filter value Test_Filter_10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value grupp1_easyvpn_splitTunnelAcl
 webvpn
username xxx password xxxx encrypted privilege 0
username xxxx attributes
 vpn-group-policy grupp1_easyvpn
no sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
/Regards
01-20-2006 04:22 AM
I have found the answer to the problem. You must have the sysopt command set to "sysopt connection permit-ipsec", NOT "no sysopt connection permit-ipsec". Hope this will help somebody with the same problem. /Jonny
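As an added example (not part of the original posts and not Cisco code), this Python sketch replays the denied flow from the 106023 message against the posted ACLs to show why the setting matters: with the bypass disabled, decrypted VPN traffic is also checked against the interface ACL, which here permits only ICMP. The function names and the simplified ACL matching are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: the relevant lines from the configuration posted above.
CONFIG = """\
access-list Outside_access_in extended permit icmp any any echo-reply
access-list Test_Filter_10 extended permit ip any any
no sysopt connection permit-ipsec
"""

def parse_net(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from a token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}")

def acl_permits(config, acl, proto, src, dst):
    """First-match evaluation of an extended ACL with implicit deny at the end.
    Simplification (assumption): ports and ICMP types are not evaluated."""
    pattern = rf"access-list {re.escape(acl)} extended (permit|deny) (\S+) (.+)"
    for line in config.splitlines():
        m = re.match(pattern, line.strip())
        if not m:
            continue
        action, entry_proto, rest = m.groups()
        tokens = rest.split()
        src_net, dst_net = parse_net(tokens), parse_net(tokens)
        if entry_proto not in ("ip", proto):
            continue  # entry is for a different protocol
        if ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net:
            return action == "permit"
    return False

def vpn_flow_allowed(config, interface_acl, vpn_filter, proto, src, dst):
    """Decrypted VPN traffic must pass the vpn-filter, and also the interface
    ACL unless 'sysopt connection permit-ipsec' is configured. The platform
    default is not modelled: a missing line is treated as disabled."""
    lines = [l.strip() for l in config.splitlines()]
    bypass = "sysopt connection permit-ipsec" in lines
    if not acl_permits(config, vpn_filter, proto, src, dst):
        return False
    return bypass or acl_permits(config, interface_acl, proto, src, dst)
```
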