[c-nsp] ASA 5510 Remote VPN Problems

Andy Dills andy at xecu.net
Tue Nov 7 13:57:15 EST 2006


I'm setting up remote VPN access on an ASA 5510, and I'm encountering some 
unexpected behavior.

The desired configuration is pretty straightforward; remote VPN users are 
assigned 10.2.210.0/24, inside network is 10.1.210.0/24 and is configured 
with a NAT pool.

Essentially, remote VPN users can get connected, but cannot communicate 
with anything on the inside interface. I'm unable to ping the inside 
interface IP, nor anything attached. From the ASA, I can ping anything on 
the inside interface but I cannot ping the remote VPN user.

Can anybody suggest what I'm missing? This is driving me nuts, as this 
should work (although I'm not all that familiar with the ASA products so 
I'm sure I'm missing something).

Relevant config:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address OUTSIDEIP 255.255.255.252 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.210.1 255.255.255.0 

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object-group network VPN
 network-object 10.2.210.0 255.255.255.0

access-list vpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0 
access-list outside_cryptomap_20.20 extended permit ip any object-group VPN
access-list inside_nat0_outbound extended permit ip any 10.2.210.0 255.255.255.0 

ip local pool VPN 10.2.210.2-10.2.210.254 mask 255.255.255.0

global (outside) 1 NATPOOLLOW-NATPOOLHIGH
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.210.0 255.255.255.0

group-policy VPN internal
group-policy VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20.20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20

tunnel-group waystation general-attributes
 address-pool VPN
 authentication-server-group VPN
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key *


Any suggestions would be greatly appreciated.

Thanks,
Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
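For anyone chasing the same symptom, here is an added config checker (not from the post, and not Cisco tooling) that flags two things a remote-access setup like this depends on: the address pool being exempted from NAT through a nat 0 access-list, and the tunnel-group's general-attributes and ipsec-attributes sections being configured under the same name. It runs over a constructed excerpt modelled on the config above; the regexes cover only the line forms shown in the post.

```python
import ipaddress
import re

# Constructed excerpt modelled on the config in the post (not a live device).
ASA_CONFIG = """\
access-list outside_cryptomap_20.20 extended permit ip any object-group VPN
access-list inside_nat0_outbound extended permit ip any 10.2.210.0 255.255.255.0
ip local pool VPN 10.2.210.2-10.2.210.254 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
tunnel-group waystation general-attributes
 address-pool VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key *
"""

def parse(cfg):
    """Pull out the pieces of an ASA config that remote-access VPN relies on."""
    pools, nat0_acls, acl_dsts, groups = {}, set(), {}, {}
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)", line):
            # strict=False turns the first pool address + mask into its network
            pools[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[4]}", strict=False)
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0_acls.add(m[1])
        elif m := re.match(r"access-list (\S+) extended permit ip \S+ (\d[\d.]*) (\d[\d.]*)$", line):
            # only host/mask destinations; object-group destinations are skipped here
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            acl_dsts.setdefault(m[1], []).append(net)
        elif m := re.match(r"tunnel-group (\S+) (general|ipsec)-attributes", line):
            groups.setdefault(m[1], set()).add(m[2])
    return pools, nat0_acls, acl_dsts, groups

def check(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    pools, nat0_acls, acl_dsts, groups = parse(cfg)
    findings = []
    exempt = [n for acl in nat0_acls for n in acl_dsts.get(acl, [])]
    for name, net in pools.items():
        if not any(net.subnet_of(e) for e in exempt):
            findings.append(f"pool {name} ({net}) not covered by a nat 0 exemption ACL")
    for name, sections in groups.items():
        if sections != {"general", "ipsec"}:
            findings.append(f"tunnel-group {name} has only {sorted(sections)} attributes")
    return findings

if __name__ == "__main__":
    for f in check(ASA_CONFIG) or ["no findings"]:
        print(f)
```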