[c-nsp] ASA 7.2 Remote access VPN will not work if client is using NAT to access internet
Dave Lim
dave.daturax at gmail.com
Mon Feb 12 10:46:07 EST 2007
Hi group,
I have recently configured a remote access VPN on a customer ASA 7.2. I have
tested the RA IPsec VPN using an IP address that is in the same segment
as the outside interface of the ASA and it works.
But the funny thing right now is if I am using a client that is using NAT to
access the network, I have a problem connecting. It can't even contact the
security gateway and go past the phase 1 authentication of the tunnel group
and pre-shared key. There is nothing in the VPN client log.
Does anyone have any idea? Here's the config that's relevant to the remote access
IPsec VPN.
access-list inside_nat0_outbound extended permit ip 10.203.1.0 255.255.255.0 10.203.8.0 255.255.255.0
ip local pool vpnpool 10.203.8.100-10.203.8.199 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy ntnvpn internal
group-policy ntnvpn attributes
 dns-server value 165.21.83.88 165.21.100.88
 vpn-tunnel-protocol IPSec
 default-domain value x
username hw-support password x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group ntnvpn type ipsec-ra
tunnel-group ntnvpn general-attributes
 address-pool vpnpool
 default-group-policy ntnvpn
tunnel-group ntnvpn ipsec-attributes
 pre-shared-key *