
Having some trouble with this RA VPN on ASA


  • Having some trouble with this RA VPN on ASA

    So I'm having a bit of trouble with this VPN Remote access setup. I got connectivity to the ASA, I can VPN to it, get the address. Split tunnel is working; I can get internet at the same time. But I cannot access any resources over the VPN. I can't ping, I can't telnet, I can't access any internal web resources.

    This is my config, am I missing something?

    ASA Version 8.2(1)
    !
    hostname ciscoasa
    enable password xxxxxxxxxxxxx encrypted
    passwd xxxxxxxxx encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.100.3 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 99.99.158.52 255.255.255.248
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    ftp mode passive
    same-security-traffic permit intra-interface
    access-list 101 extended permit ip 192.168.100.0 255.255.255.0 192.168.220.0 255.255.255.0
    access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 192.168.220.0 255.255.255.0
    access-list split-tunnel standard permit 192.168.100.0 255.255.255.0
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpnpool 192.168.220.100-192.168.220.200 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 99.99.158.54 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.100.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
    crypto dynamic-map outside_dyn_map 10 set reverse-route
    crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 43200
    crypto isakmp nat-traversal 30
    telnet 192.168.100.0 255.255.255.0 inside
    telnet 0.0.0.0 0.0.0.0 outside
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy ccvpn internal
    group-policy ccvpn attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    username testaccount password xxxxxxxxxxx encrypted privilege 15
    tunnel-group ccvpn type remote-access
    tunnel-group ccvpn general-attributes
    address-pool vpnpool
    default-group-policy ccvpn
    tunnel-group ccvpn ipsec-attributes
    pre-shared-key *
    !
    !


    **********************************
    If I issue a show route this is what I get, so it is seeing the client. Some route issue maybe? I can't ping to and from either.


    C 99.99.158.48 255.255.255.248 is directly connected, outside
    S 192.168.220.100 255.255.255.255 [1/0] via 99.99.158.54, outside
    C 192.168.100.0 255.255.255.0 is directly connected, inside
    S* 0.0.0.0 0.0.0.0 [1/0] via 70.89.158.54, outside

  • #2
    Re: Having some trouble with this RA VPN on ASA

    I could be wrong,

    but you may also require an ACL allowing traffic from the internal VLAN to the VPN VLAN.

    From your VPN client, try pinging the following:
    public internet interface of the connection
    gateway address of the VPN VLAN
    gateway address of the internal VLAN
    Please do show your appreciation to those who assist you by leaving Rep Point
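
One way to check the ACL question raised in this reply against the posted configuration, as an added example that is not part of the thread. It parses the relevant lines (copied from the post and embedded below) and reports whether the NAT-exemption ACL and the split-tunnel list cover the inside network and the VPN pool, and which ACLs nothing references. The function names and the result keys are this example's own.

```python
import ipaddress

# Lines copied from the configuration posted in this thread.
CONFIG = """\
access-list 101 extended permit ip 192.168.100.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 192.168.220.0 255.255.255.0
access-list split-tunnel standard permit 192.168.100.0 255.255.255.0
ip local pool vpnpool 192.168.220.100-192.168.220.200 mask 255.255.255.0
nat (inside) 0 access-list NONAT
split-tunnel-network-list value split-tunnel
"""
INSIDE = ipaddress.ip_network("192.168.100.0/255.255.255.0")  # interface Vlan1 subnet


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def audit(config, inside=INSIDE):
    """Cross-check pool, NAT exemption and split tunnel in an ASA 8.2-style config."""
    ext, std, used = {}, {}, set()
    pool = nat0 = split = None
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"] and len(t) == 9:
            ext.setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
        elif t[:1] == ["access-list"] and t[2:4] == ["standard", "permit"] and len(t) == 6:
            std.setdefault(t[1], []).append(net(t[4], t[5]))
        elif t[:3] == ["ip", "local", "pool"]:
            pool = [ipaddress.ip_address(a) for a in t[4].split("-")]  # first, last
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:
            nat0 = t[4]  # ACL that exempts traffic from NAT
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            split = t[2]
        elif t[:1] == ["access-group"]:
            used.add(t[1])  # ACL bound to an interface
    used |= {nat0, split}
    nat_ok = bool(pool) and any(inside.subnet_of(s) and all(a in d for a in pool)
                                for s, d in ext.get(nat0, []))
    split_ok = any(inside.subnet_of(n) for n in std.get(split, []))
    return {
        "nat_exempt_covers_pool": nat_ok,
        "split_tunnel_covers_inside": split_ok,
        "unreferenced_acls": sorted((set(ext) | set(std)) - used),
    }


if __name__ == "__main__":
    print(audit(CONFIG))
```

For the posted lines both coverage checks pass, and ACL `101` is reported as unreferenced because no `nat`, `access-group` or split-tunnel statement points at it.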
