[c-nsp] ASA 5510 Remote VPN Problems

Andy Dills andy at xecu.net
Tue Nov 7 15:32:44 EST 2006


Solved this with the help of a friendly TAC engineer.

Turns out you don't need to specify the addresses to encrypt when using a 
dynamic map. Just needed to junk this line:

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20.20

Thanks,
Andy

On Tue, 7 Nov 2006, Andy Dills wrote:

> 
> I'm setting up remote VPN access on an ASA 5510, and I'm encountering some 
> unexpected behavior.
> 
> The desired configuration is pretty straightforward; remote VPN users are 
> assigned 10.2.210.0/24, inside network is 10.1.210.0/24 and is configured 
> with a NAT pool.
> 
> Essentially, remote VPN users can get connected, but cannot communicate 
> with anything on the inside interface. I'm unable to ping the inside 
> interface IP, nor anything attached. From the ASA, I can ping anything on 
> the inside interface but I cannot ping the remote VPN user.
> 
> Can anybody suggest what I'm missing? This is driving me nuts, as this 
> should work (although I'm not all that familiar with the ASA products so 
> I'm sure I'm missing something).
> 
> Relevant config:
> 
> interface Ethernet0/0
>  nameif outside
>  security-level 0
>  ip address OUTSIDEIP 255.255.255.252 
> !
> interface Ethernet0/1
>  nameif inside
>  security-level 100
>  ip address 10.1.210.1 255.255.255.0 
> 
> same-security-traffic permit inter-interface
> same-security-traffic permit intra-interface
> 
> object-group network VPN
>  network-object 10.2.210.0 255.255.255.0
> 
> access-list vpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0 
> access-list outside_cryptomap_20.20 extended permit ip any object-group VPN
> access-list inside_nat0_outbound extended permit ip any 10.2.210.0 255.255.255.0 
> 
> ip local pool VPN 10.2.210.2-10.2.210.254 mask 255.255.255.0
> 
> global (outside) 1 NATPOOLLOW-NATPOOLHIGH
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 10.1.210.0 255.255.255.0
> 
> group-policy VPN internal
> group-policy VPN attributes
>  split-tunnel-policy tunnelspecified
>  split-tunnel-network-list value vpn_splitTunnelAcl
> 
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
> crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20.20
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
> crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
> 
> isakmp enable outside
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash sha
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> isakmp nat-traversal  20
> 
> tunnel-group waystation general-attributes
>  address-pool VPN
>  authentication-server-group VPN
>  default-group-policy VPN
> tunnel-group VPN ipsec-attributes
>  pre-shared-key *
> 
> 
> Any suggestions would be greatly appreciated.
> 
> Thanks,
> Andy
> 
> ---
> Andy Dills
> Xecunet, Inc.
> www.xecu.net
> 301-682-9972
> ---
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
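The fix above (dropping the `match address` line from the dynamic crypto map) is easy to lose track of when a config is long. The following is an added example, not part of this thread or of any Cisco tool: a small Python checker that parses the `crypto dynamic-map` lines of an ASA config, flags entries that still carry a `match address` ACL, and emits the `no ...` commands to remove them. The sample config embedded below is the crypto section Andy posted (constructed here as a test input); the helper names and the assumption that dynamic-map entries are keyed by map name plus sequence number are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the crypto section from the original post.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20.20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

# One dynamic-map line: "crypto dynamic-map <name> <seq> <setting...>"
DYN_MAP_RE = re.compile(r"^crypto dynamic-map (?P<name>\S+) (?P<seq>\d+) (?P<rest>.+)$")

# A static crypto map that hands unmatched peers to a dynamic map.
DYN_REF_RE = re.compile(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (?P<name>\S+)$")


def parse_dynamic_maps(config: str) -> Dict[Tuple[str, int], List[str]]:
    """Group the settings of each dynamic-map entry by (map name, sequence)."""
    entries: Dict[Tuple[str, int], List[str]] = {}
    for raw in config.splitlines():
        m = DYN_MAP_RE.match(raw.strip())
        if m:
            key = (m.group("name"), int(m.group("seq")))
            entries.setdefault(key, []).append(m.group("rest").strip())
    return entries


def referenced_dynamic_maps(config: str) -> List[str]:
    """Dynamic-map names actually bound into a crypto map (the ones that matter)."""
    return [m.group("name") for line in config.splitlines()
            if (m := DYN_REF_RE.match(line.strip()))]


def find_match_address(config: str) -> List[Tuple[str, int, str]]:
    """Return (map name, seq, acl) for every dynamic-map entry that pins a
    'match address' ACL, which the thread reports is not needed for
    remote-access clients and broke inside connectivity here."""
    findings = []
    for (name, seq), settings in parse_dynamic_maps(config).items():
        for setting in settings:
            if setting.startswith("match address "):
                acl = setting.split(None, 2)[2]
                findings.append((name, seq, acl))
    return findings


def remediation_commands(findings: List[Tuple[str, int, str]]) -> List[str]:
    """ASA CLI lines that remove just the offending 'match address' settings."""
    return [f"no crypto dynamic-map {name} {seq} match address {acl}"
            for name, seq, acl in findings]


def cleaned_config(config: str) -> str:
    """The config with the flagged lines dropped; everything else is untouched."""
    drop = {f"crypto dynamic-map {n} {s} match address {a}"
            for n, s, a in find_match_address(config)}
    return "\n".join(line for line in config.splitlines()
                     if line.strip() not in drop) + "\n"


if __name__ == "__main__":
    in_use = referenced_dynamic_maps(SAMPLE_CONFIG)
    for name, seq, acl in find_match_address(SAMPLE_CONFIG):
        flag = "bound to a crypto map" if name in in_use else "unreferenced"
        print(f"dynamic-map {name} seq {seq} pins ACL {acl} ({flag})")
    for cmd in remediation_commands(find_match_address(SAMPLE_CONFIG)):
        print(cmd)
```

Run it against a full `show running-config` dump instead of the sample and it reports every dynamic-map entry that still carries a `match address` ACL, together with the exact `no` commands to remove them; entries on dynamic maps that are not bound into any crypto map are labelled so you can tell dead config from the one that is actually terminating clients.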

