• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 694
  • Last Modified:

asa ssl and ipsec vpns not able to ping my internet network

in my network I have an ASA infront a router

The ASA router internal 172.16.2.1
router external is 172.16.2.3
router internal is 50.0.0.1

right now I can vpn in but I cannot reach anything in the 50.0.0.0 /24 network

Is there anything I am missing my config
login as: mercxi
mercxi@sslvpn.mercdomain.com's password:
Type help or '?' for a list of available commands.
ciscoasa> en
Password:
ciscoasa# sh run
: Saved
:
ASA Version 8.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 mac-address 0024.141e.0454
 nameif outside
 security-level 0
 
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 172.16.2.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 50.0.1.0 255.255.255.0
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 50.0.200.0 255.255.255.0
access-list Split_Tunnel_List standard permit 50.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool SSLVPN 50.0.1.100-50.0.1.120 mask 255.255.255.0
ip local pool ipsecpool 50.0.200.20-50.0.200.40
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route inside 10.10.10.0 255.255.255.0 172.16.2.2 1
route inside 50.0.0.0 255.255.255.0 172.16.2.2 1
route inside 50.0.1.0 255.255.255.0 50.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ts2 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dmap 10 set transform-set ts2
crypto map imap 10 ipsec-isakmp dynamic dmap
crypto map imap interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.testdomain.com
 subject-name CN=sslvpn.testdomain.com
 keypair sslvpnkey
 crl configure
crypto ca certificate chain localtrust
 certificate 9dbea54d
    30820203 3082016c a0030201 0202049d bea54d30 0d06092a 864886f7 0d010105
    05003046 311e301c 06035504 03131573 736c7670 6e2e6d65 7263646f 6d61696e
    2e636f6d 31243022 06092a86 4886f70d 01090216 1573736c 76706e2e 6d657263
    646f6d61 696e2e63 6f6d301e 170d3131 30343136 31323534 34305a17 0d323130
    34313331 32353434 305a3046 311e301c 06035504 03131573 736c7670 6e2e6d65
    7263646f 6d61696e 2e636f6d 31243022 06092a86 4886f70d 01090216 1573736c
    76706e2e 6d657263 646f6d61 696e2e63 6f6d3081 9f300d06 092a8648 86f70d01
    01010500 03818d00 30818902 81810097 6c015cc8 bfc77e00 d1abd13c df20ad7e
    fe98a191 c74fdedd 4b599580 bde953e7 47d78772 a5dcfbd9 e2edb782 d3cb363f
    e1c0f9ea 71eeab04 ba60da98 ee226c18 206267b9 271bac67 6ee15ee9 c5a22611
    ae81db28 1a6d887f d88722b5 8937d1cc 96731cb4 b28a6550 561c5974 563fbe93
    62754c34 22ef538d 6d1ff6a3 ea5e4102 03010001 300d0609 2a864886 f70d0101
    05050003 81810068 0487cfcc 9a1efb0d 53000bcb 4e84db11 e01bbfaf 8b4e535f
    c6bca0d5 4190924b 1d33628f 21ca4ffa f5e13291 f34f0ce4 a56bb0ed dc7b8b9f
    7e29d8ff 8ab2527e c978e950 5b1f9895 5aa18f32 e0a32018 6f07caf5 02a79b5e
    0d543fa9 ac231e14 93da7d51 d5d02080 ac9f73c8 64ce97c5 4464cd24 c123bb61
    f9c0034d 0a7fec
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 172.16.2.2-172.16.2.3 inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 enable outside
 svc image disk0:/anyconnect-dart-win-2.5.2017-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.5.2019-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy SSL_GROUP_POLICY internal
group-policy SSL_GROUP_POLICY attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 address-pools value SSLVPN
username aaaaaaaaaa
username mercxi attributes
 service-type remote-access
tunnel-group SSLCLIENTPROFILE type remote-access
tunnel-group SSLCLIENTPROFILE general-attributes
 default-group-policy SSL_GROUP_POLICY
tunnel-group SSLCLIENTPROFILE webvpn-attributes
 group-alias SSLVPNClient enable
tunnel-group mercgroup type remote-access
tunnel-group mercgroup general-attributes
 address-pool ipsecpool
tunnel-group mercgroup ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:53194f28681c8aca0a63e79dec6dcbd0
: end

Open in new window

0
mmercaldi
Asked:
mmercaldi
  • 22
  • 16
1 Solution
 
c0sCommented:
can you run a debug and see what`s going on?
0
 
mmercaldiAuthor Commented:
what should I debug, I ran debug webvpn, but thats not the problem since the sessions are created fine  its just the 50.0.1.0 traffic is not being routed to the 50.0.0.0 traffic i think but I could be wrong
0
 
c0sCommented:
debug crypto ipsec and debug crypto isakmp
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
mmercaldiAuthor Commented:
apparently there I did not configure split tunneling for the ipsec part,
I added the lines
ciscoasa(config)# group-policy mercgroup internal
ciscoasa(config)# group-policy mercgroup attributes
ciscoasa(config-group-policy)#  split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)#  split-tunnel-network-list value Split_Tunnel_L$
but still unable to keep my connection to the ASA or the internet when I vpn into the device with ipsec
0
 
c0sCommented:
can you try to run a debug now? if you don`t get anything just increase the verbosity level
0
 
mmercaldiAuthor Commented:
I am having some issues with the vpn client, is there anything I can do to test out he anyconnect?
0
 
mmercaldiAuthor Commented:
honestly the webvpn is what I care more about
0
 
c0sCommented:
well there can be many things that can be wrong thats why the best approach is to run a debug on the switch... you can`t really see a whole lot from the client side.
0
 
mmercaldiAuthor Commented:
I will be able to do testing later on tonight
0
 
mmercaldiAuthor Commented:
unfortunately I have no way of testing this out atleast for another couple of days.  I do know there there is an issue with webvpn becuase I should be able to get to the sslvpn site even when I am on location which I cannot do right now in the network.  I have usually set these up on cisco ios routers and 1 standalone vpn device, I know there is definitely a route or an ACL missing somethere, anyone have any clues?
0
 
c0sCommented:
try adding these attributes to you policy for webvpn:

 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 webvpn
  functions url-entry file-access file-entry file-browsing mapi port-forward filter
   http-proxy auto-download citrix

0
 
mmercaldiAuthor Commented:
tried adding it, i found out why i couldnt test it out successfully earlier, turns out the network i have access too shared the same lan as the other lan ont he remote end.  I will try this tomorrow
0
 
mmercaldiAuthor Commented:
I also got the split tunneling working, I ran the debug as I am pinging 50.0.0.1 on the ipsec vpn, and I am not really seeing much that is telling me any issues
here is my log, which gives me no errors, as I said before its a route I am missing


Apr 20 06:00:59 [IKEv1]: IP = 1, IKE_DECODE RECEIVED Message (msgid=7247e6d8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, processing hash payload
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, processing notify payload
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, Received keep-alive of type DPD R-U-THERE (seq number 0x40a0a7d)
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x40a0a7d)
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, constructing blank hash payload
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, constructing qm hash payload
Apr 20 06:00:59 [IKEv1]: IP = 1, IKE_DECODE SENDING Message (msgid=ac46f1c5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
0
 
c0sCommented:
can you go through this guide?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml

and then run a debug again with increased verbouse level?
0
 
mmercaldiAuthor Commented:
I did, I also do not use the gui I used the CLI

Debug showed nothing
0
 
mmercaldiAuthor Commented:
also debugging hte vpn will nto work, as I said before it connects fine which is what the debugs for both crypto and webvpn would troubleshoot, its just not connecting to my local routes  attached is my config
ASA Version 8.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 mac-address 0024.141e.0454
 nameif outside
 security-level 0
 ip address 1111111111111111
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 172.16.50.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp any interface outside eq telnet
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 50.0.1.0 255.255.255.0
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 50.0.200.0 255.255.255.0
access-list NONAT extended permit ip 172.16.50.0 255.255.255.0 50.0.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 50.0.0.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.16.50.0 255.255.255.0
access-list IPSEC_SPLIT_TUNNEL standard permit 50.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool SSLVPN 50.0.1.100-50.0.1.120 mask 255.255.255.0
ip local pool ipsecpool 50.0.200.20-50.0.200.40
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface telnet 50.0.0.1 telnet netmask 255.255.255.255
access-group 101 in interface outside
route inside 10.10.10.0 255.255.255.0 172.16.50.2 1
route inside 50.0.0.0 255.255.255.0 172.16.50.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ts2 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dmap 10 set transform-set ts2
crypto map imap 10 ipsec-isakmp dynamic dmap
crypto map imap interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn test
 subject-name CN=test
 keypair sslvpnkey
 crl configure
crypto ca certificate chain localtrust
 certificate 9dbea54d
    30820203 3082016c a0030201 0202049d bea54d30 0d06092a 864886f7 0d010105
    05003046 311e301c 06035504 03131573 736c7670 6e2e6d65 7263646f 6d61696e
    2e636f6d 31243022 06092a86 4886f70d 01090216 1573736c 76706e2e 6d657263
    646f6d61 696e2e63 6f6d301e 170d3131 30343136 31323534 34305a17 0d323130
    34313331 32353434 305a3046 311e301c 06035504 03131573 736c7670 6e2e6d65
    7263646f 6d61696e 2e636f6d 31243022 06092a86 4886f70d 01090216 1573736c
    76706e2e 6d657263 646f6d61 696e2e63 6f6d3081 9f300d06 092a8648 86f70d01
    01010500 03818d00 30818902 81810097 6c015cc8 bfc77e00 d1abd13c df20ad7e
    fe98a191 c74fdedd 4b599580 bde953e7 47d78772 a5dcfbd9 e2edb782 d3cb363f
    e1c0f9ea 71eeab04 ba60da98 ee226c18 206267b9 271bac67 6ee15ee9 c5a22611
    ae81db28 1a6d887f d88722b5 8937d1cc 96731cb4 b28a6550 561c5974 563fbe93
    62754c34 22ef538d 6d1ff6a3 ea5e4102 03010001 300d0609 2a864886 f70d0101
    05050003 81810068 0487cfcc 9a1efb0d 53000bcb 4e84db11 e01bbfaf 8b4e535f
    c6bca0d5 4190924b 1d33628f 21ca4ffa f5e13291 f34f0ce4 a56bb0ed dc7b8b9f
    7e29d8ff 8ab2527e c978e950 5b1f9895 5aa18f32 e0a32018 6f07caf5 02a79b5e
    0d543fa9 ac231e14 93da7d51 d5d02080 ac9f73c8 64ce97c5 4464cd24 c123bb61
    f9c0034d 0a7fec
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
<--- More --->webvpn_file_encoding.c:webvpn_get_file_encoding_db_first[68]
webvpn_db.c:webvpn_get_server_db_first[161]
 enable outside
 svc image disk0:/anyconnect-dart-win-2.5.2017-k9.pkg 1
 svc image disk0:/anyconnect-linux-2.5.2019-k9.pkg 2
webvpn_file_encoding.c:webvpn_get_file_encoding_db_first[68]
 svc enable
 tunnel-group-list enable
group-policy SSL_GROUP_POLICY internal
group-policy SSL_GROUP_POLICY attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List
 address-pools value SSLVPN
group-policy mercgroup internal
group-policy mercgroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value IPSEC_SPLIT_TUNNEL
username mercxi password aaaaaaaaaaaaaaaaaaaaaaaaaaa
username mercxi attributes
 service-type remote-access
webvpn_db.c:webvpn_get_port_forward_db_first[818]
tunnel-group SSLCLIENTPROFILE type remote-access
tunnel-group SSLCLIENTPROFILE general-attributes
 default-group-policy SSL_GROUP_POLICY
tunnel-group SSLCLIENTPROFILE webvpn-attributes
 group-alias SSLVPNClient enable
tunnel-group mercgroup type remote-access
tunnel-group mercgroup general-attributes
 address-pool ipsecpool
 default-group-policy mercgroup
tunnel-group mercgroup ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d286be586b492d6535244f301d06df1b
: end

Open in new window

0
 
c0sCommented:
are you receiving an ip address?

do you get the proper routes?

can you run a traceroute? where does it die?
0
 
mmercaldiAuthor Commented:
I do get the proper IP address,  and when I ran a tracert it looks like no routes are put in
0
 
c0sCommented:
what`s the output of netstat -nr
0
 
mmercaldiAuthor Commented:
50.0.0.0        255.0.0.0      50.0.200.21     50.0.200.21       10
         50.0.0.0    255.255.255.0      50.0.200.21     50.0.200.21       1
      50.0.200.21  255.255.255.255        127.0.0.1       127.0.0.1       10
   50.255.255.255  255.255.255.255      50.0.200.21     50.0.200.21       10
0
 
c0sCommented:
i dont see 50.0.200.21 as a default gateway anywhere in your config

i think your getting the wrong ip can you verify?
0
 
mmercaldiAuthor Commented:
the 50.0.200.21 is the ip i get when i vpn in, using the ipsec, using webvpn i would get a 50.0.1.X ip address
0
 
c0sCommented:
yes i understand however you need a gateway that points to your ASA, if your ip is 50.0.200.21 you can`t have a default gateway for that network yourself because your just going in to a loop
0
 
mmercaldiAuthor Commented:
hmm interesting, so how should I put in my gateway for either ipsec or ssl
0
 
c0sCommented:
do you get the same results in using webvpn and client vpn?
0
 
mmercaldiAuthor Commented:
yes
0
 
c0sCommented:
you got the wrong subnet here:

ip local pool SSLVPN 50.0.1.100-50.0.1.120 mask 255.255.255.0

that`s /24

what does interface reffer to in the following line? it should be an ip address
global (outside) 1 interface

The NAT statement to define what to encrypt

example
nat (outside) 1 192.168.10.0 255.255.255.0

which groupplocy are you ussing for the client vpn?

it should be configured like this:

group-policy clientgroup internal
group-policy clientgroup attributes
vpn-idle-timeout 20

split-tunnel-policy tunnelall

then you need to configure the crypto map`s for the ipsec

also add this line in:

crypto map imap 10 ipsec-isakmp dynamic ts2

isakmp identity address
isakmp enable outside

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

0
 
c0sCommented:
also the tunnel group should have something like this:

tunnel-group name type ipsec-ra
tunnel-group name general-attributes
address-pool vpnpool

default-group-policy clientgroup
tunnel-group name ipsec-attributes
pre-shared-key *

make sure the pre-shared key you put in here you also put in the client for the group authentication setting i believe


0
 
mmercaldiAuthor Commented:
how is my mask wrong?  also that code is for asa 7, I am on 8.2, sorry I should have put in there and all of these steps are for if I could not vpn in, I can vpn in just cannot communicate.  also regarding my ip addresses I changed them around in the code I posted here so people would not find out my ip address
0
 
c0sCommented:
you are missing stuff in your config... you are able to connect that doesn`t mean that your config is correct.
0
 
mmercaldiAuthor Commented:
im not saying that its correct, but I did put all of that stuff in it is in my current config right now that posted a few posts ago, but I do not understand why I need to change the netmask for my ssl dhcp pool.


also just so you know mercgorup is for ipsec the other one is for ssl
0
 
mmercaldiAuthor Commented:
i think i know the answer, i found some errors in my config, some rrors in my nat statements
0
 
c0sCommented:
good stuff let us know the results
0
 
mmercaldiAuthor Commented:
no dice
I read somewhere to add these lines
nat (outside) 1 50.0.100.0 255.255.255.0
nat (outside) 1 50.0.200.0 255.255.255.0
and I also did a router eigrp statement on both the asa and cisco router
router eigrp 100
network 50.0.0.0
network 172.16.50.0

still no luck
0
 
c0sCommented:
take a look at this post and compare it with your configuration let us know of the findings

http://www.experts-exchange.com/Security/Software_Firewalls/Q_21960471.html
0
 
mmercaldiAuthor Commented:
it worked thanks alot
0
 
mmercaldiAuthor Commented:
basically it was the match address command, I thought I did not need that for vpn clients, also whats weird is that none of the examples on the net require it
0
 
mmercaldiAuthor Commented:
also was missing the nat traversal
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 22
  • 16
Tackle projects and never again get stuck behind a technical roadblock.
Join Now