Having some trouble with this RA VPN on ASA

millworxmillworx Member Posts: 290
So I'm having a bit of trouble with this VPN Remote access setup. I got connectivity to the ASA, I can VPN to it, get the address. Split tunnel is working I can get internet at the same. But I cannot access any resources over the VPN. I can't ping, I can't telnet, I cant access any internal web resources.

This is my config, am I missing something?

ASA Version 8.2(1)
hostname ciscoasa
enable password xxxxxxxxxxxxx encrypted
passwd xxxxxxxxx encrypted
interface Vlan1
nameif inside
security-level 100
ip address
interface Vlan2
nameif outside
security-level 0
ip address xx.xx.xx.52
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
same-security-traffic permit intra-interface
access-list 101 extended permit ip
access-list NONAT extended permit ip
access-list split-tunnel standard permit
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool mask
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1
route outside xx.xx.xx.54 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp nat-traversal 30
telnet inside
telnet outside
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy ccvpn internal
group-policy ccvpn attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
username testaccount password xxxxxxxxxxx encrypted privilege 15
tunnel-group ccvpn type remote-access
tunnel-group ccvpn general-attributes
address-pool vpnpool
default-group-policy ccvpn
tunnel-group ccvpn ipsec-attributes
pre-shared-key *

If I issue a show route this is what i get, so It is seeing the client. Some route issue maybe? I can't ping to and from either.

C is directly connected, outside
S [1/0] via xx.xx.xx.54, outside
C is directly connected, inside
S* [1/0] via xx.xx.xx.54, outside
Currently Reading:
CCIE: Network Security Principals and Practices
CCIE: Routing and Switching Exam Certification Guide


  • Options
    millworxmillworx Member Posts: 290
    I think I know what the issue is. See the Network guy that works there that originally setup the network did not want me to remove the router from the network which is assigned and has an outside address of

    Instead for the VPN access he wanted me to add the ASA to the network with internal address and outside int of

    Now Im pretty sure I got the config right, hell, I even used the config wizard to make sure I wasnt wrong, still couldnt get internal connectivity. I can get an IPSec connection up no problem.

    So correct me if I'm wrong. But RA client connects to network, sends traffic, but since all the internal hosts have the gateway set for they will never respond to the (ASA) to reach the network that is assigned to the RA clients?
    Currently Reading:
    CCIE: Network Security Principals and Practices
    CCIE: Routing and Switching Exam Certification Guide
  • Options
    millworxmillworx Member Posts: 290
    Yup my suspicions where correct. I had everything setup just perfect. It was the routing issue's that I thought. I guess their IT guy is an idiot, and thus why they hired a contractor like me ;)
    Currently Reading:
    CCIE: Network Security Principals and Practices
    CCIE: Routing and Switching Exam Certification Guide
Sign In or Register to comment.