Cisco IPSec VPN not passing traffic

I am trying to get a VPN established into our ASA 5510. I included what I think is the important parts of our config for review. I have been trying to use the ASDM to get this working and I am sure I'm missing something!

I can successfully connect to the VPN, traffic not going through the tunnel is OK. But I cannot reach any hosts through the tunnel, not even the inside interface of the ASA. The "Route Details" tab on the Client looks good 10.0.0.0 - 255.0.0.0 and 192.168.7.0 - 255.255.255.0. I can see that traffic is being encrypted but nothing being decrypted.


ASA Version 8.0(3) 
!
hostname LabASA1
enable password gNQNXMuAM.Aeew2L encrypted
names
name 10.0.0.0 Prod_Net
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 66.x.x.12 255.255.255.240 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.7.20 255.255.255.0 
!
 
!
 
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list VPN_ACL standard permit 192.168.7.0 255.255.255.0 
access-list VPN_ACL standard permit Prod_Net 255.0.0.0 
access-list Inside_access_in extended permit ip any any 
 
 
global (Outside) 101 66.x.x.11
nat (Inside) 101 0.0.0.0 0.0.0.0
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 66.x.x.1 1
route Inside Prod_Net 255.0.0.0 192.168.7.2 1
 
 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign local
 
 
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
 
 
group-policy Lab_Policy internal
group-policy Lab_Policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_ACL
username Admin password RtMzMLN9zS8TkNnY encrypted privilege 15
 
tunnel-group VPN_Access type remote-access
tunnel-group VPN_Access general-attributes
 default-group-policy Lab_Policy
 dhcp-server 10.10.1.20
tunnel-group VPN_Access ipsec-attributes
 pre-shared-key *
!

Open in new window

Level12Asked:
Who is Participating?
 
Level12Author Commented:
I was able to get this working since the original post. After reviewing several other posts I dove into the CLI and added the following.

Created a DHCP pool for the VPN clients:
ip local pool VPN_Pool 192.168.6.100-192.168.6.120 mask 255.255.255.0

Nat VPN traffic :
access-list inside_nat0_outbound extended permit ip 192.168.7.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip Prod_Net 255.0.0.0 192.168.6.0 255.255.255.0
nat (Inside) 0 access-list inside_nat0_outbound

Added to the tunnel group
 address-pool VPN_Pool

Hopefully this will help someone!

0
 
fileinsterCommented:
If you are trying to set up a site-to-site VPN, you do not have any configuration for that setup; you only have the dynamic RA set on your outside interface used for VPN clients. A client based VPN will not meet your needs. If the following doesn't work you will also have to post the configuration of both sides, not just one to ensure they match. I'm not very familiar with the ASDM. You should need something like this on the cmd line:
 
 
 

access-list remotesite extended permit ip 10.0.0.0 255.0.0.0 192.168.7.0 255.255.255.0
crypto map Outside_map 10 match address remotesite
crypto map Outside_map 10 set peer x.x.x.x
crypto map Outside_map 10 set transform-set ESP-AES-256-SHA
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *

Open in new window

0
 
lrmooreCommented:
Enable nat-t
  crypto isakmp nat-traversal 25
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.