Having some trouble with this RA VPN on ASA

  • Having some trouble with this RA VPN on ASA

    So I'm having a bit of trouble with this VPN remote access setup. I have connectivity to the ASA, I can VPN to it and get the address. Split tunnel is working; I can get internet at the same time. But I cannot access any resources over the VPN. I can't ping, I can't telnet, I can't access any internal web resources.

    This is my config, am I missing something?

    ASA Version 8.2(1)
    hostname ciscoasa
    enable password xxxxxxxxxxxxx encrypted
    passwd xxxxxxxxx encrypted
    interface Vlan1
    nameif inside
    security-level 100
    ip address
    interface Vlan2
    nameif outside
    security-level 0
    ip address
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    same-security-traffic permit intra-interface
    access-list 101 extended permit ip
    access-list NONAT extended permit ip
    access-list split-tunnel standard permit
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool mask
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1
    route outside 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http inside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
    crypto dynamic-map outside_dyn_map 10 set reverse-route
    crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    crypto isakmp nat-traversal 30
    telnet inside
    telnet outside
    telnet timeout 5
    ssh outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    group-policy ccvpn internal
    group-policy ccvpn attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    username testaccount password xxxxxxxxxxx encrypted privilege 15
    tunnel-group ccvpn type remote-access
    tunnel-group ccvpn general-attributes
    address-pool vpnpool
    default-group-policy ccvpn
    tunnel-group ccvpn ipsec-attributes
    pre-shared-key *

    If I issue a show route this is what I get, so it is seeing the client. Some route issue maybe? I can't ping to and from either.

    C is directly connected, outside
    S [1/0] via, outside
    C is directly connected, inside
    S* [1/0] via, outside

  • #2
    Re: Having some trouble with this RA VPN on ASA

    I could be wrong, but you may also require an ACL allowing traffic from the internal VLAN to the VPN VLAN.

    From your VPN client, try pinging the following:
    public internet interface of the connection
    gateway address of the VPN VLAN
    gateway address of the internal VLAN
    Please do show your appreciation to those who assist you by leaving Rep Point
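
One way to test the suggestion in reply #2 against a saved config, as an added example that is not part of the thread: it lists the extended ACLs that permit IP from the whole inside subnet to the whole VPN pool, and which ACL the `nat (inside) 0` line references. The addresses in the sample are constructed placeholders (the posted config has them stripped) and the function names are hypothetical.

```python
import ipaddress

# Constructed sample config; every address is a placeholder, not from the thread.
SAMPLE = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
ip local pool vpnpool 192.168.50.10-192.168.50.50 mask 255.255.255.0
nat (inside) 0 access-list NONAT
"""

def acls_inside_to_pool(config):
    """Names of extended ACLs with a 'permit ip' entry from the whole inside
    subnet to the whole VPN pool. Only the 'net mask net mask' form is parsed;
    'any', 'host' and object-groups are ignored (hypothetical helper)."""
    inside = pool = nameif = None
    entries = []  # (acl_name, source_network, destination_network)
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["interface"]:
            nameif = None
        elif t[:1] == ["nameif"] and len(t) == 2:
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif == "inside" and len(t) >= 4:
            inside = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif t[:3] == ["ip", "local", "pool"] and len(t) >= 5 and t[4] != "mask":
            lo, _, hi = t[4].partition("-")
            pool = (ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo))
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"] and len(t) == 9:
            src = ipaddress.ip_network(f"{t[5]}/{t[6]}", strict=False)
            dst = ipaddress.ip_network(f"{t[7]}/{t[8]}", strict=False)
            entries.append((t[1], src, dst))
    if inside is None or pool is None:
        raise ValueError("inside interface address or VPN pool range not found")
    return sorted({name for name, src, dst in entries
                   if inside.subnet_of(src) and pool[0] in dst and pool[1] in dst})

def nat_exempt_acls(config):
    """ACL names referenced by 'nat (inside) 0 access-list <name>'."""
    return [t[4] for t in map(str.split, config.splitlines())
            if t[:4] == ["nat", "(inside)", "0", "access-list"] and len(t) == 5]

if __name__ == "__main__":
    covering = acls_inside_to_pool(SAMPLE)
    print("ACLs permitting inside -> pool:", covering)
    print("NAT-exempt ACLs that do:", [a for a in nat_exempt_acls(SAMPLE) if a in covering])
```

A config with the addresses removed, like the one posted, raises `ValueError` because the inside subnet and pool range cannot be determined.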