Cisco ASA Remote Access VPN - No Traffic

Status
Not open for further replies.

kevmullet

Technical User
Feb 12, 2002
56
GB
OK, have configured a remote access VPN and it connects OK and the split tunnel works OK, but no data is passed between the remote site and the LAN.


I followed this walk through on creating it:

Thanks in advance

Config attached

: Saved
:
ASA Version 8.2(2)
!
hostname lch4fw01
domain-name x.x.x.x
enable password woR8KjAVup9wPqzN encrypted
passwd y/Pr2LedIYfv7ya4 encrypted
names
name 172.16.0.0 lch1-encdom1
name 172.16.64.0 lch2-encdom1
name 172.16.128.0 lch2-encdom2
name 172.16.210.0 penton-connectivity
name 172.16.211.0 penton-data
dns-guard
!
interface Ethernet0/0
description OUTSIDE
nameif OUTSIDE
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 172.16.210.1 255.255.254.0
!
interface Ethernet0/2
nameif MPLS_Primary
security-level 0
ip address 172.16.213.1 255.255.255.252
!
interface Ethernet0/3
nameif MPLS_Secondary
security-level 0
ip address 172.16.213.5 255.255.255.252
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
banner login *****************************************************************
banner login This is a monitored proprietary system for authorised users only.
banner login Access by unauthorised individuals is prohibited.
banner login If monitoring reveals evidence of misuse or criminal activity,
banner login it may be used to support disciplinary and/or legal proceedings.
banner login *****************************************************************
banner asdm *****************************************************************
banner asdm This is a monitored proprietary system for authorised users only.
banner asdm Access by unauthorised individuals is prohibited.
banner asdm If monitoring reveals evidence of misuse or criminal activity,
banner asdm it may be used to support disciplinary and/or legal proceedings.
banner asdm *****************************************************************
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server 172.16.31.11
name-server 172.16.131.11
domain-name x.x.x.x
object-group network RAVPNUSERS
description Remote Access VPN Range
network-object 172.16.210.192 255.255.255.192
access-list OUTSIDE_access_in extended permit ip any host x.x.x.x
access-list OUTSIDE_access_in extended permit icmp lch1-encdom1 255.255.192.0 penton-connectivity 255.255.254.0
access-list OUTSIDE_access_in extended permit tcp any eq 3389 host x.x.x.x eq 3389
access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended permit esp any interface OUTSIDE
access-list vpn-traffic extended permit ip penton-connectivity 255.255.254.0 lch1-encdom1 255.255.192.0
access-list vpn-traffic extended permit ip penton-connectivity 255.255.254.0 lch2-encdom1 255.255.192.0
access-list vpn-traffic extended permit ip penton-connectivity 255.255.254.0 lch2-encdom2 255.255.192.0
access-list vpn-traffic extended permit ip penton-connectivity 255.255.254.0 172.16.240.0 255.255.254.0
access-list vpn-traffic extended permit ip any 172.16.210.192 255.255.255.192
access-list vpn-traffic extended permit ip penton-connectivity 255.255.254.0 172.16.210.192 255.255.255.192
access-list Virtual_Beckton_access_in extended permit ip penton-connectivity 255.255.254.0 172.16.240.0 255.255.254.0 inactive
access-list INSIDE_access_in extended permit ip any any
access-list RA_VPN_splitTunnelAcl standard permit penton-connectivity 255.255.254.0
access-list RA_VPN_splitTunnelAcl standard permit any
access-list RA_VPN1_splitTunnelAcl standard permit any
access-list DGTEST extended permit ip penton-connectivity 255.255.254.0 host 172.16.113.16
access-list DGTEST extended permit ip host 172.16.113.16 penton-connectivity 255.255.254.0
access-list Datacentre extended permit ip lch1-encdom1 255.255.192.0 penton-connectivity 255.255.254.0
access-list Datacentre extended permit ip lch2-encdom1 255.255.192.0 penton-connectivity 255.255.254.0
access-list Datacentre extended permit ip lch2-encdom2 255.255.192.0 penton-connectivity 255.255.254.0
access-list OUTSIDE_2_cryptomap extended permit ip penton-connectivity 255.255.254.0 172.16.240.0 255.255.254.0
access-list RemoteAccess_splitTunnelAcl standard permit penton-connectivity 255.255.254.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging asdm-buffer-size 512
logging asdm debugging
logging host INSIDE 85.8.221.189
logging permit-hostdown
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu MPLS_Primary 1500
mtu MPLS_Secondary 1500
ip local pool LCHSVPNPOOL 172.16.210.200-172.16.210.250 mask 255.255.254.0
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo INSIDE
icmp permit any echo-reply INSIDE
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
global (INSIDE) 1 interface
nat (INSIDE) 0 access-list vpn-traffic
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) tcp interface 3389 172.16.210.100 3389 netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
access-group Datacentre in interface MPLS_Primary
access-group Datacentre in interface MPLS_Secondary
!
router rip
network lch1-encdom1
passive-interface default
no passive-interface MPLS_Primary
no passive-interface MPLS_Secondary
redistribute connected
version 2
no auto-summary
!
route OUTSIDE 0.0.0.0 0.0.0.0 84.12.203.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 20
http 172.16.31.17 255.255.255.255 INSIDE
http 172.16.131.17 255.255.255.255 INSIDE
http 82.69.33.254 255.255.255.255 OUTSIDE
http 172.16.210.55 255.255.255.255 INSIDE
http 213.131.111.134 255.255.255.255 OUTSIDE
snmp-server location Penton Street-GR:TBC-Rack:SA-TBC
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp OUTSIDE
sysopt noproxyarp INSIDE
crypto ipsec transform-set strong-aes esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map vpn 2 match address OUTSIDE_2_cryptomap
crypto map vpn 2 set pfs group1
crypto map vpn 2 set peer 80.46.47.242
crypto map vpn 2 set transform-set ESP-3DES-SHA
crypto map vpn 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn interface OUTSIDE
crypto map INSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INSIDE_map interface INSIDE
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 3600
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 1
ssh 82.69.33.254 255.255.255.255 OUTSIDE
ssh 213.131.111.134 255.255.255.255 OUTSIDE
ssh 172.16.31.17 255.255.255.255 INSIDE
ssh 172.16.131.17 255.255.255.255 INSIDE
ssh 172.16.210.55 255.255.255.255 INSIDE
ssh penton-connectivity 255.255.254.0 INSIDE
ssh 172.16.31.17 255.255.255.255 MPLS_Primary
ssh 172.16.31.17 255.255.255.255 MPLS_Secondary
ssh timeout 20
ssh version 2
console timeout 20
management-access INSIDE
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.16.31.123 source INSIDE prefer
ntp server 172.16.131.123 source INSIDE prefer
tftp-server INSIDE 172.16.0.73 Temp
webvpn
enable OUTSIDE
group-policy DfltGrpPolicy attributes
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 172.16.210.100
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
default-domain value lchs.serco.com
username unify password akJlbe8uQBYwbSIm encrypted privilege 15
username manager password et.ntatxo43eDfK6 encrypted
username lchsback password n1pISwglUo6nOzv/ encrypted privilege 15
username lchsadmin password RT7ntb9mZfcNtmo9 encrypted privilege 15
username lchsvpn password 1q4w9gRcV5RW9zAe encrypted privilege 0
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool LCHSVPNPOOL
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:70b39fdd4a517ba0a1d6b984066f4efe
: end
asdm image disk0:/asdm-625.bin
asdm history enable
 
Further to this, the tunnel in use is called RemoteAccess.
 
I would do two things to start:
1) Put your VPN pool into a completely separate address space from anything that you are using on any other segments within your org. You'll obviously need to alter your access-lists to match.
2) Add crypto isakmp nat-traversal

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Cheers,

I have been looking around and added the crypto isakmp nat-traversal command to no avail.

I prefer to have the VPN pool within the network range. I know this is possible as I have done it in the past, but have no idea why traffic is not passing.

Thanks
 
Hi Guys,

I am still having this issue, the current config is below. I have added the nat-traversal lines.

Strangely, I am able to ping 4 IPs on the internal network, which belong to an IP phone system, but only these. They are not different in any way and everything on the internal network has the same DG.





:
ASA Version 8.2(2)
!
hostname xxx4fw01
domain-name x.x.x.x
enable password woR8KjAVup9wPqzN encrypted
passwd y/Pr2LedIYfv7ya4 encrypted
names
name 172.16.0.0 xxx1-encdom1
name 172.16.64.0 xxx2-encdom1
name 172.16.128.0 xxx2-encdom2
name 172.16.210.0 penton-connectivity
name 172.16.211.0 penton-data
dns-guard
!
interface Ethernet0/0
description OUTSIDE
nameif OUTSIDE
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
nameif INSIDE
security-level 100
ip address 172.16.210.1 255.255.254.0
!
interface Ethernet0/2
nameif MPLS_Primary
security-level 0
ip address 172.16.213.1 255.255.255.252
!
interface Ethernet0/3
nameif MPLS_Secondary
security-level 0
ip address 172.16.213.5 255.255.255.252
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
management-only
!
banner login *****************************************************************
banner login This is a monitored proprietary system for authorised users only.
banner login Access by unauthorised individuals is prohibited.
banner login If monitoring reveals evidence of misuse or criminal activity,
banner login it may be used to support disciplinary and/or legal proceedings.
banner login *****************************************************************
banner asdm *****************************************************************
banner asdm This is a monitored proprietary system for authorised users only.
banner asdm Access by unauthorised individuals is prohibited.
banner asdm If monitoring reveals evidence of misuse or criminal activity,
banner asdm it may be used to support disciplinary and/or legal proceedings.
banner asdm *****************************************************************
boot system disk0:/asa822-k8.bin
ftp mode passive
dns domain-lookup OUTSIDE
dns domain-lookup INSIDE
dns server-group DefaultDNS
name-server 172.16.31.11
name-server 172.16.131.11
domain-name x.x.x.x
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network RAVPNUSERS
description Remote Access VPN Range
network-object 172.16.210.192 255.255.255.192
access-list OUTSIDE_access_in extended permit ip any host x.x.x.x
access-list OUTSIDE_access_in extended permit icmp xxx1-encdom1 255.255.192.0 penton-connectivity 255.255.254.0
access-list OUTSIDE_access_in extended permit tcp any eq 3389 host x.x.x.x eq 3389
access-list OUTSIDE_access_in extended permit ip any any
access-list OUTSIDE_access_in extended permit esp any interface OUTSIDE
access-list vpn-traffic extended permit ip penton-connectivity 255.255.254.0 xxx1-encdom1 255.255.192.0
access-list vpn-traffic extended permit ip penton-connectivity 255.255.254.0 xxx2-encdom1 255.255.192.0
access-list vpn-traffic extended permit ip penton-connectivity 255.255.254.0 xxx2-encdom2 255.255.192.0
access-list vpn-traffic extended permit ip penton-connectivity 255.255.254.0 penton-connectivity 255.255.254.0
access-list vpn-traffic extended permit ip penton-connectivity 255.255.254.0 172.16.240.0 255.255.254.0
access-list Virtual_Beckton_access_in extended permit ip penton-connectivity 255.255.254.0 172.16.240.0 255.255.254.0 inactive
access-list INSIDE_access_in extended permit ip any any
access-list DGTEST extended permit ip penton-connectivity 255.255.254.0 host 172.16.113.16
access-list DGTEST extended permit ip host 172.16.113.16 penton-connectivity 255.255.254.0
access-list Datacentre extended permit ip xxx1-encdom1 255.255.192.0 penton-connectivity 255.255.254.0
access-list Datacentre extended permit ip xxx2-encdom1 255.255.192.0 penton-connectivity 255.255.254.0
access-list Datacentre extended permit ip xxx2-encdom2 255.255.192.0 penton-connectivity 255.255.254.0
access-list OUTSIDE_2_cryptomap extended permit ip penton-connectivity 255.255.254.0 172.16.240.0 255.255.254.0
access-list RemoteAccess_splitTunnelAcl standard permit penton-connectivity 255.255.254.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 8192
logging asdm-buffer-size 512
logging asdm debugging
logging host INSIDE x.x.x.x
logging permit-hostdown
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu MPLS_Primary 1500
mtu MPLS_Secondary 1500
ip local pool xxxSVPNPOOL 172.16.210.192-172.16.210.254 mask 255.255.254.0
ip verify reverse-path interface OUTSIDE
ip verify reverse-path interface INSIDE
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo INSIDE
icmp permit any echo-reply INSIDE
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
global (OUTSIDE) 1 interface
global (INSIDE) 1 interface
nat (INSIDE) 0 access-list vpn-traffic
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,OUTSIDE) tcp interface 3389 172.16.210.100 3389 netmask 255.255.255.255
access-group OUTSIDE_access_in in interface OUTSIDE
access-group INSIDE_access_in in interface INSIDE
access-group Datacentre in interface MPLS_Primary
access-group Datacentre in interface MPLS_Secondary
!
router rip
network xxx-encdom1
passive-interface default
no passive-interface MPLS_Primary
no passive-interface MPLS_Secondary
redistribute connected
version 2
no auto-summary
!
route OUTSIDE 0.0.0.0 0.0.0.0 x.x.x.x 1
route OUTSIDE x.x.x.x 255.255.255.255 x.x.x.x 1
route OUTSIDE x.x.x.x 255.255.255.255 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable 8443
http server idle-timeout 20
http 172.16.31.17 255.255.255.255 INSIDE
http 172.16.131.17 255.255.255.255 INSIDE
http x.x.x.x 255.255.255.255 OUTSIDE
http 172.16.210.55 255.255.255.255 INSIDE
http x.x.x.x 255.255.255.255 OUTSIDE
snmp-server location Penton Street-GR:TBC-Rack:SA-TBC
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp OUTSIDE
sysopt noproxyarp INSIDE
crypto ipsec transform-set strong-aes esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map vpn 2 match address OUTSIDE_2_cryptomap
crypto map vpn 2 set pfs group1
crypto map vpn 2 set peer 80.46.47.242
crypto map vpn 2 set transform-set ESP-3DES-SHA
crypto map vpn 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn interface OUTSIDE
crypto map INSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INSIDE_map interface INSIDE
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 3600
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 10
telnet timeout 1
ssh x.x.x.x 255.255.255.255 OUTSIDE
ssh x.x.x.x 255.255.255.255 OUTSIDE
ssh x.x.x.x 255.255.255.255 OUTSIDE
ssh 172.16.31.17 255.255.255.255 INSIDE
ssh 172.16.131.17 255.255.255.255 INSIDE
ssh 172.16.210.55 255.255.255.255 INSIDE
ssh penton-connectivity 255.255.254.0 INSIDE
ssh 172.16.31.17 255.255.255.255 MPLS_Primary
ssh 172.16.31.17 255.255.255.255 MPLS_Secondary
ssh timeout 20
ssh version 2
console timeout 20
management-access INSIDE
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.16.31.123 source INSIDE prefer
ntp server 172.16.131.123 source INSIDE prefer
tftp-server INSIDE 172.16.0.73 Temp
webvpn
enable OUTSIDE
group-policy DfltGrpPolicy attributes
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 172.16.210.100
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
default-domain value x.x.x.x
username unify password akJlbe8uQBYwbSIm encrypted privilege 15
username manager password et.ntatxo43eDfK6 encrypted
username xxxsback password n1pISwglUo6nOzv/ encrypted privilege 15
username xxxsadmin password RT7ntb9mZfcNtmo9 encrypted privilege 15
username xxxsvpn password 1q4w9gRcV5RW9zAe encrypted privilege 0
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool xxxSVPNPOOL
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4890fd08ebba840a9a2cb80f8f27449f
: end
 
Use a different address pool and make sure you're not NATT'ing the interesting traffic.
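
An added example, not part of any post in this thread: a Python audit for the three points raised in the replies (VPN pool overlapping a connected interface network, NAT exemption covering the pool, and NAT traversal). The names `audit` and `take_net` are hypothetical, and the parser assumes ASA 8.2-style lines of the forms seen in the configs above; the sample input is excerpted from the first config posted.

```python
import ipaddress

# Excerpt of the first config posted in this thread (only the lines the checks read).
THREAD_CONFIG = """\
name 172.16.210.0 penton-connectivity
interface Ethernet0/1
nameif INSIDE
ip address 172.16.210.1 255.255.254.0
access-list vpn-traffic extended permit ip penton-connectivity 255.255.254.0 172.16.210.192 255.255.255.192
ip local pool LCHSVPNPOOL 172.16.210.200-172.16.210.250 mask 255.255.254.0
nat (INSIDE) 0 access-list vpn-traffic
no crypto isakmp nat-traversal
"""

def take_net(tok, names):
    """Consume one ACL address spec (any | host A | A MASK) from the token list."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        host = tok.pop(0)
        return ipaddress.ip_network(names.get(host, host) + "/32")
    return ipaddress.ip_network(f"{names.get(first, first)}/{tok.pop(0)}", strict=False)

def audit(config):
    """Report NAT-T state and, per VPN pool, interface overlap and NAT exemption."""
    names, nets, acls, pools, nat0 = {}, {}, {}, [], []
    nameif, nat_t = None, False
    for line in config.splitlines():
        tok = line.split()
        try:
            if tok[:1] == ["name"]:
                names[tok[2]] = tok[1]
            elif tok[:1] == ["interface"]:
                nameif = None
            elif tok[:1] == ["nameif"]:
                nameif = tok[1]
            elif tok[:2] == ["ip", "address"] and nameif:
                nets[nameif] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            elif tok[:3] == ["ip", "local", "pool"]:
                lo, hi = tok[4].split("-")
                pools.append((tok[3], ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
            elif tok[:1] == ["access-list"] and tok[2:5] == ["extended", "permit", "ip"]:
                rest = tok[5:]
                acls.setdefault(tok[1], []).append((take_net(rest, names), take_net(rest, names)))
            elif tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
                nat0.append((tok[1].strip("()"), tok[4]))
            elif tok[:3] == ["crypto", "isakmp", "nat-traversal"]:
                nat_t = True  # a leading "no" means this branch is not reached
        except (ValueError, IndexError):
            continue  # redacted (x.x.x.x) or unexpected line: skip it
    report = {"nat_traversal": nat_t, "pools": {}}
    for name, lo, hi in pools:
        # Pool range intersects the network of a connected interface.
        overlaps = sorted(i for i, n in nets.items()
                          if lo <= n.broadcast_address and hi >= n.network_address)
        # Some "nat (if) 0" ACL entry has the interface network as source
        # and the whole pool range as destination.
        exempt = any(nets[i].subnet_of(src) and lo in dst and hi in dst
                     for i, acl in nat0 if i in nets
                     for src, dst in acls.get(acl, []))
        report["pools"][name] = {"overlaps": overlaps, "nat_exempt": exempt}
    return report
```

On the excerpt, `audit(THREAD_CONFIG)` reports the pool overlapping INSIDE with NAT traversal off; moving the pool to a separate range without also updating `vpn-traffic` flips `nat_exempt` to false, which is the access-list change the first reply mentions.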
 