I'm trying to configure VPN access to our network. I have managed to set up the VPN so that it connects and assigns an address to the client. However, no traffic is being routed between the client and the internal network. I have been racking my brains but can't figure out what the problem is. I can ping the internal interface but nothing else on the inside.
interface: outside
Crypto map tag: outside_dyn_map, seq num: 20, local addr: xxx.xxx.xxx.xxx
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
current_peer: xxx.xxx.xxx.xxx, username: xxx
dynamic allocated peer ip: 192.168.2.1
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 21110, #pkts decrypt: 21110, #pkts verify: 21110
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxx.xxx.xxx.xxx/4500, remote crypto endpt.: xxx.xxx.xxx.xxx/48971
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: A79BA2BA
inbound esp sas:
spi: 0xEC79A443 (3967394883)
transform: esp-des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 17, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 15391
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xA79BA2BA (2811994810)
transform: esp-des esp-md5-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 17, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 15390
IV size: 8 bytes
replay detection support: Y
interface Ethernet0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.225
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.1.xxx 255.255.255.0
!
object-group network LocalNetwork
network-object 192.168.1.0 255.255.255.0
object-group network Remote-clients
network-object 192.168.2.0 255.255.255.0
access-list remote-vpn extended permit ip object-group LocalNetwork object-group Remote-clients
access-list acl-inside extended permit ip object-group LocalNetwork object-group Remote-clients
ip local pool vpn-client 192.168.2.1-192.168.2.254
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-list acl-inside extended permit ip object-group LocalNetwork object-group Remote-clients
access-group acl-outside in interface outside
access-group acl-inside in interface inside
route outside 0.0.0.0 0.0.0.0 router 1
aaa-server RADIUS protocol radius
aaa-server RADIUS host 192.168.1.xxx
group-policy VPN_Client internal
group-policy VPN_Client attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value remote-vpn
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto map vpnmap 60 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnmap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 5
lifetime 864000
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 2
lifetime 864000
crypto isakmp policy 40
authentication pre-share
encryption des
hash md5
group 2
lifetime 864000
crypto isakmp policy 50
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
Gateway of last resort is router to network 0.0.0.0
C xxx.xxx.xxx.xxx 255.255.255.225 is directly connected, outside
C 192.168.1.0 255.255.255.0 is directly connected, inside
S 192.168.2.1 255.255.255.255 [1/0] via router, outside
S* 0.0.0.0 0.0.0.0 [1/0] via router, outside
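The "show crypto ipsec sa" counters pasted above already carry the key diagnostic: 21110 packets decrypted from the client but only 1 encrypted back to it, so the tunnel is one-way and the return traffic from the inside network is not reaching it. The following helper is an added example (not part of the original post) that parses such output and flags that asymmetry; the sample text is constructed from the question's counters with placeholder addresses.

```python
import re

# Constructed excerpt modelled on the poster's "show crypto ipsec sa" output.
# The packet counters are the ones from the question; addresses are placeholders.
SAMPLE_SA = """\
interface: outside
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 203.0.113.1
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
dynamic allocated peer ip: 192.168.2.1
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 21110, #pkts decrypt: 21110, #pkts verify: 21110
#send errors: 0, #recv errors: 0
"""

PEER_RE = re.compile(r"dynamic allocated peer ip: (\S+)")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")


def parse_sa_blocks(text):
    """Split 'show crypto ipsec sa' output into one dict per crypto-map SA entry."""
    blocks = []
    for chunk in re.split(r"(?=Crypto map tag:)", text)[1:]:
        peer = PEER_RE.search(chunk)
        sa = {"peer": peer.group(1) if peer else None}
        for name, value in COUNTER_RE.findall(chunk):
            sa[name.replace(" ", "_")] = int(value)
        blocks.append(sa)
    return blocks


def diagnose(sa, min_pkts=10, ratio=100):
    """Classify tunnel traffic from encap (outbound) vs decap (inbound) counters."""
    enc, dec = sa.get("pkts_encaps", 0), sa.get("pkts_decaps", 0)
    if sa.get("send_errors", 0) or sa.get("recv_errors", 0):
        return "errors"            # crypto-level problem, not a routing one
    if enc == 0 and dec == 0:
        return "idle"
    if dec >= min_pkts and enc * ratio < dec:
        return "one-way-inbound"   # client packets arrive; replies never enter the tunnel
    if enc >= min_pkts and dec * ratio < enc:
        return "one-way-outbound"  # we send, but nothing comes back from the client
    return "bidirectional"


if __name__ == "__main__":
    for sa in parse_sa_blocks(SAMPLE_SA):
        print(sa["peer"], diagnose(sa))
```

A "one-way-inbound" verdict points at the return path on the firewall (NAT and routing for the inside-to-client direction) rather than at the IKE/IPsec negotiation, which the non-zero decap counters show is working.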