remote access VPN users

I'm having users starting to call in saying that their Cisco VPN client connects, but they cannot get anywhere once connected. I have verified that they are connected, but they can't get to anything on the network. Below is my config pertaining to the remote access VPN.

access-list nonat-vpn extended permit ip any DTVPN 255.255.255.0

access-list split-tunnel extended permit ip 10.0.0.0 255.0.0.0 DTVPN 255.255.255.0

ip local pool Remote-Access 10.3.2.1-10.3.2.254 mask 255.255.255.0

aaa-server remoteaccess protocol nt
 max-failed-attempts 5
aaa-server remoteaccess host kdc02
 nt-auth-domain-controller kdc02


crypto ipsec transform-set vpn-3des esp-3des esp-md5-hmac
crypto dynamic-map remote-access 20 set transform-set vpn-3des
crypto dynamic-map remote-access 20 set reverse-route

group-policy DTVPN internal
group-policy DTVPN attributes
 wins-server value 10.1.200.17 10.1.200.16
 dns-server value 10.1.200.16 10.1.200.108
 vpn-idle-timeout 120
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value ad.davey-tree.com


tunnel-group DTVPN type remote-access
tunnel-group DTVPN general-attributes
 address-pool Remote-Access
 authentication-server-group remoteaccess
 default-group-policy DTVPN
tunnel-group DTVPN ipsec-attributes
 pre-shared-key *



dtadminAsked:
nasirshCommented:
Use this command in the "reverse-route"
e.g.
crypto dynamic-map vpndynmap 1
set transform-set 3DES-SHA
reverse-route

Hope this helps
 
Voltz-dkCommented:
What is the definition of the name DTVPN, in terms of your access-lists?

You may have a NAT-T issue, try with:

isakmp nat-traversal 20
 
dtadminAuthor Commented:
That is the "name" of my VPN group. The subnet is "10.3.2.0/24".
 
MikeKaneCommented:
How are you checking connectivity? "SHOW IPSEC SA"? If yes, then let's start with the basics.

1) Have you made any modifications that coincide with the reported lack of connectivity? Any new devices?
2) Is the remote user getting an IP assigned from the IP pool?
3) Can the remote user access via ICMP or even a telnet any host on the inside?
4) Attempt Step 2 and then watch the logging for dropped packets (ASDM console log or in a syslog).
 
dtadminAuthor Commented:
I am checking connectivity by both ASDM and "sh vpn-sessiondb remote".

The remote user is getting an IP from the correct pool.

The remote user is unable to ping or access anything on the inside.

I have added the isakmp nat-t 20. Let me see if that helps at all.
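As an added example (not code from this thread), the checker below runs the consistency questions raised above over a config fragment modelled on the one posted: whether the "DTVPN" label used in the ACLs is defined by a `name` command, whether the tunnel-group's address pool exists, and whether a `nat (inside) 0 access-list` exemption exists and covers the pool. It assumes the pre-8.3 ASA `name` / `nat 0` syntax and handles only `any` and address/mask ACL entries; the sample configs are constructed.

```python
import ipaddress
import re

# Constructed sample modelled on the fragment in the question (not a device dump):
# the ACLs use "DTVPN" as an address label, but no 'name' command defines it.
POSTED_CONFIG = """\
access-list nonat-vpn extended permit ip any DTVPN 255.255.255.0
access-list split-tunnel extended permit ip 10.0.0.0 255.0.0.0 DTVPN 255.255.255.0
ip local pool Remote-Access 10.3.2.1-10.3.2.254 mask 255.255.255.0
tunnel-group DTVPN general-attributes
 address-pool Remote-Access
"""
# Same fragment with the label defined and a NAT exemption bound (hypothetical fix).
FIXED_CONFIG = "name 10.3.2.0 DTVPN\n" + POSTED_CONFIG + "nat (inside) 0 access-list nonat-vpn\n"

def _network(tokens, i, names):
    """Consume one ACL address spec at tokens[i]; return (network or None, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    try:  # a 'name' label is substituted for its address before parsing
        return ipaddress.ip_network(f"{names.get(tok, tok)}/{tokens[i + 1]}", strict=False), i + 2
    except ValueError:  # not an IP and not defined by a 'name' command
        return None, i + 2

def check_vpn_config(cfg):
    """Return findings (strings) for an ASA remote-access VPN config fragment."""
    findings, acls, pools = [], {}, {}
    names = {label: ip for ip, label in re.findall(r"^name (\S+) (\S+)", cfg, re.M)}
    for pool, first, mask in re.findall(r"^ip local pool (\S+) (\S+)-\S+ mask (\S+)", cfg, re.M):
        pools[pool] = ipaddress.ip_network(f"{first}/{mask}", strict=False)
    for line in re.findall(r"^access-list \S+ extended permit ip .*", cfg, re.M):
        t = line.split()
        src, i = _network(t, 5, names)
        dst, _ = _network(t, i, names)
        for net, tok in ((src, t[5]), (dst, t[i])):
            if net is None:
                findings.append(f"{t[1]}: '{tok}' is not an address and no 'name' defines it")
        acls.setdefault(t[1], []).append((src, dst))
    for pool in re.findall(r"^ address-pool (\S+)", cfg, re.M):
        if pool not in pools:
            findings.append(f"tunnel-group references undefined pool {pool}")
    nat0 = re.findall(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    if not nat0:
        findings.append("no 'nat (inside) 0 access-list' exempts VPN traffic from NAT")
    for acl in nat0:  # the exemption ACL must reach every pool network
        for net in pools.values():
            if not any(d and d.supernet_of(net) for _, d in acls.get(acl, [])):
                findings.append(f"{acl} does not cover pool {net}")
    return findings
```

Running `check_vpn_config(POSTED_CONFIG)` reports the two undefined "DTVPN" references and the missing NAT exemption; the fixed fragment produces no findings.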