mmercaldi
asked on
asa ssl and ipsec vpns not able to ping my internet network
In my network I have an ASA in front of a router.
The ASA inside address is 172.16.2.1.
The router's external address is 172.16.2.3.
The router's internal address is 50.0.0.1.
Right now I can VPN in, but I cannot reach anything in the 50.0.0.0/24 network.
Is there anything I am missing in my config?
ciscoasa# sh run
: Saved
:
ASA Version 8.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
mac-address 0024.141e.0454
nameif outside
security-level 0
!
interface Vlan3
nameif inside
security-level 100
ip address 172.16.2.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 50.0.1.0 255.255.255.0
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 50.0.200.0 255.255.255.0
access-list Split_Tunnel_List standard permit 50.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool SSLVPN 50.0.1.100-50.0.1.120 mask 255.255.255.0
ip local pool ipsecpool 50.0.200.20-50.0.200.40
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
route inside 10.10.10.0 255.255.255.0 172.16.2.2 1
route inside 50.0.0.0 255.255.255.0 172.16.2.2 1
route inside 50.0.1.0 255.255.255.0 50.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ts2 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dmap 10 set transform-set ts2
crypto map imap 10 ipsec-isakmp dynamic dmap
crypto map imap interface outside
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.testdomain.com
subject-name CN=sslvpn.testdomain.com
keypair sslvpnkey
crl configure
crypto ca certificate chain localtrust
certificate 9dbea54d
30820203 3082016c a0030201 0202049d bea54d30 0d06092a 864886f7 0d010105
05003046 311e301c 06035504 03131573 736c7670 6e2e6d65 7263646f 6d61696e
2e636f6d 31243022 06092a86 4886f70d 01090216 1573736c 76706e2e 6d657263
646f6d61 696e2e63 6f6d301e 170d3131 30343136 31323534 34305a17 0d323130
34313331 32353434 305a3046 311e301c 06035504 03131573 736c7670 6e2e6d65
7263646f 6d61696e 2e636f6d 31243022 06092a86 4886f70d 01090216 1573736c
76706e2e 6d657263 646f6d61 696e2e63 6f6d3081 9f300d06 092a8648 86f70d01
01010500 03818d00 30818902 81810097 6c015cc8 bfc77e00 d1abd13c df20ad7e
fe98a191 c74fdedd 4b599580 bde953e7 47d78772 a5dcfbd9 e2edb782 d3cb363f
e1c0f9ea 71eeab04 ba60da98 ee226c18 206267b9 271bac67 6ee15ee9 c5a22611
ae81db28 1a6d887f d88722b5 8937d1cc 96731cb4 b28a6550 561c5974 563fbe93
62754c34 22ef538d 6d1ff6a3 ea5e4102 03010001 300d0609 2a864886 f70d0101
05050003 81810068 0487cfcc 9a1efb0d 53000bcb 4e84db11 e01bbfaf 8b4e535f
c6bca0d5 4190924b 1d33628f 21ca4ffa f5e13291 f34f0ce4 a56bb0ed dc7b8b9f
7e29d8ff 8ab2527e c978e950 5b1f9895 5aa18f32 e0a32018 6f07caf5 02a79b5e
0d543fa9 ac231e14 93da7d51 d5d02080 ac9f73c8 64ce97c5 4464cd24 c123bb61
f9c0034d 0a7fec
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 172.16.2.2-172.16.2.3 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.2017-k9.pkg 1
svc image disk0:/anyconnect-linux-2.5.2019-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSL_GROUP_POLICY internal
group-policy SSL_GROUP_POLICY attributes
vpn-tunnel-protocol svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
address-pools value SSLVPN
username aaaaaaaaaa
username mercxi attributes
service-type remote-access
tunnel-group SSLCLIENTPROFILE type remote-access
tunnel-group SSLCLIENTPROFILE general-attributes
default-group-policy SSL_GROUP_POLICY
tunnel-group SSLCLIENTPROFILE webvpn-attributes
group-alias SSLVPNClient enable
tunnel-group mercgroup type remote-access
tunnel-group mercgroup general-attributes
address-pool ipsecpool
tunnel-group mercgroup ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:53194f28681c8aca0a63e79dec6dcbd0
: end
Can you run a debug and see what's going on?
ASKER
What should I debug? I ran debug webvpn, but that's not the problem, since the sessions are created fine. It's just that the 50.0.1.0 traffic is not being routed to the 50.0.0.0 network, I think, but I could be wrong.
debug crypto ipsec and debug crypto isakmp
ASKER
Apparently I did not configure split tunneling for the IPsec part.
I added the lines
ciscoasa(config)# group-policy mercgroup internal
ciscoasa(config)# group-policy mercgroup attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified
ciscoasa(config-group-policy)# split-tunnel-network-list value Split_Tunnel_L$
but I am still unable to keep my connection to the ASA or the internet when I VPN into the device with IPsec.
Can you try to run a debug now? If you don't get anything, just increase the verbosity level.
ASKER
I am having some issues with the VPN client. Is there anything I can do to test out the AnyConnect?
ASKER
honestly the webvpn is what I care more about
Well, there can be many things that can be wrong; that's why the best approach is to run a debug on the switch. You can't really see a whole lot from the client side.
ASKER
I will be able to do testing later on tonight
ASKER
Unfortunately I have no way of testing this out, at least for another couple of days. I do know that there is an issue with WebVPN, because I should be able to get to the SSL VPN site even when I am on location, which I cannot do right now in the network. I have usually set these up on Cisco IOS routers and one standalone VPN device. I know there is definitely a route or an ACL missing somewhere; anyone have any clues?
Try adding these attributes to your policy for WebVPN:
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
webvpn
functions url-entry file-access file-entry file-browsing mapi port-forward filter
http-proxy auto-download citrix
ASKER
Tried adding it. I found out why I couldn't test it out successfully earlier: it turns out the network I have access to shared the same LAN as the LAN on the remote end. I will try this tomorrow.
ASKER
I also got the split tunneling working. I ran the debug while pinging 50.0.0.1 over the IPsec VPN, and I am not really seeing much that is telling me about any issues.
Here is my log, which gives me no errors; as I said before, it's a route I am missing.
Apr 20 06:00:59 [IKEv1]: IP = 1, IKE_DECODE RECEIVED Message (msgid=7247e6d8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, processing hash payload
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, processing notify payload
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, Received keep-alive of type DPD R-U-THERE (seq number 0x40a0a7d)
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x40a0a7d)
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, constructing blank hash payload
Apr 20 06:00:59 [IKEv1 DEBUG]: Group = test, Username = user, IP = 1, constructing qm hash payload
Apr 20 06:00:59 [IKEv1]: IP = 1, IKE_DECODE SENDING Message (msgid=ac46f1c5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
can you go through this guide?
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
and then run a debug again with an increased verbosity level?
ASKER
I did. I also do not use the GUI; I used the CLI.
Debug showed nothing
ASKER
Also, debugging the VPN will not work. As I said before, it connects fine, which is what the debugs for both crypto and webvpn would troubleshoot; it's just not connecting to my local routes. Attached is my config.
ASA Version 8.2(3)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 3
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan2
mac-address 0024.141e.0454
nameif outside
security-level 0
ip address 1111111111111111
!
interface Vlan3
nameif inside
security-level 100
ip address 172.16.50.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list 101 extended permit tcp any interface outside eq telnet
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 50.0.1.0 255.255.255.0
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 50.0.200.0 255.255.255.0
access-list NONAT extended permit ip 172.16.50.0 255.255.255.0 50.0.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 50.0.0.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.16.50.0 255.255.255.0
access-list IPSEC_SPLIT_TUNNEL standard permit 50.0.0.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool SSLVPN 50.0.1.100-50.0.1.120 mask 255.255.255.0
ip local pool ipsecpool 50.0.200.20-50.0.200.40
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface telnet 50.0.0.1 telnet netmask 255.255.255.255
access-group 101 in interface outside
route inside 10.10.10.0 255.255.255.0 172.16.50.2 1
route inside 50.0.0.0 255.255.255.0 172.16.50.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ts2 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dmap 10 set transform-set ts2
crypto map imap 10 ipsec-isakmp dynamic dmap
crypto map imap interface outside
crypto ca trustpoint localtrust
enrollment self
fqdn test
subject-name CN=test
keypair sslvpnkey
crl configure
crypto ca certificate chain localtrust
certificate 9dbea54d
30820203 3082016c a0030201 0202049d bea54d30 0d06092a 864886f7 0d010105
05003046 311e301c 06035504 03131573 736c7670 6e2e6d65 7263646f 6d61696e
2e636f6d 31243022 06092a86 4886f70d 01090216 1573736c 76706e2e 6d657263
646f6d61 696e2e63 6f6d301e 170d3131 30343136 31323534 34305a17 0d323130
34313331 32353434 305a3046 311e301c 06035504 03131573 736c7670 6e2e6d65
7263646f 6d61696e 2e636f6d 31243022 06092a86 4886f70d 01090216 1573736c
76706e2e 6d657263 646f6d61 696e2e63 6f6d3081 9f300d06 092a8648 86f70d01
01010500 03818d00 30818902 81810097 6c015cc8 bfc77e00 d1abd13c df20ad7e
fe98a191 c74fdedd 4b599580 bde953e7 47d78772 a5dcfbd9 e2edb782 d3cb363f
e1c0f9ea 71eeab04 ba60da98 ee226c18 206267b9 271bac67 6ee15ee9 c5a22611
ae81db28 1a6d887f d88722b5 8937d1cc 96731cb4 b28a6550 561c5974 563fbe93
62754c34 22ef538d 6d1ff6a3 ea5e4102 03010001 300d0609 2a864886 f70d0101
05050003 81810068 0487cfcc 9a1efb0d 53000bcb 4e84db11 e01bbfaf 8b4e535f
c6bca0d5 4190924b 1d33628f 21ca4ffa f5e13291 f34f0ce4 a56bb0ed dc7b8b9f
7e29d8ff 8ab2527e c978e950 5b1f9895 5aa18f32 e0a32018 6f07caf5 02a79b5e
0d543fa9 ac231e14 93da7d51 d5d02080 ac9f73c8 64ce97c5 4464cd24 c123bb61
f9c0034d 0a7fec
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
enable outside
svc image disk0:/anyconnect-dart-win-2.5.2017-k9.pkg 1
svc image disk0:/anyconnect-linux-2.5.2019-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSL_GROUP_POLICY internal
group-policy SSL_GROUP_POLICY attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_Tunnel_List
address-pools value SSLVPN
group-policy mercgroup internal
group-policy mercgroup attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IPSEC_SPLIT_TUNNEL
username mercxi password aaaaaaaaaaaaaaaaaaaaaaaaaaa
username mercxi attributes
service-type remote-access
tunnel-group SSLCLIENTPROFILE type remote-access
tunnel-group SSLCLIENTPROFILE general-attributes
default-group-policy SSL_GROUP_POLICY
tunnel-group SSLCLIENTPROFILE webvpn-attributes
group-alias SSLVPNClient enable
tunnel-group mercgroup type remote-access
tunnel-group mercgroup general-attributes
address-pool ipsecpool
default-group-policy mercgroup
tunnel-group mercgroup ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d286be586b492d6535244f301d06df1b
: end
are you receiving an ip address?
do you get the proper routes?
can you run a traceroute? where does it die?
ASKER
I do get the proper IP address, and when I ran a tracert it looks like no routes are put in
What's the output of netstat -nr?
ASKER
Network Destination    Netmask            Gateway        Interface      Metric
50.0.0.0               255.0.0.0          50.0.200.21    50.0.200.21    10
50.0.0.0               255.255.255.0      50.0.200.21    50.0.200.21    1
50.0.200.21            255.255.255.255    127.0.0.1      127.0.0.1      10
50.255.255.255         255.255.255.255    50.0.200.21    50.0.200.21    10
I don't see 50.0.200.21 as a default gateway anywhere in your config.
I think you're getting the wrong IP; can you verify?
ASKER
50.0.200.21 is the IP I get when I VPN in using IPsec; using WebVPN I would get a 50.0.1.x IP address.
Yes, I understand; however, you need a gateway that points to your ASA. If your IP is 50.0.200.21 you can't have a default gateway for that network yourself, because you're just going into a loop.
ASKER
Hmm, interesting. So how should I put in my gateway for either IPsec or SSL?
Do you get the same results using WebVPN and the client VPN?
ASKER
yes
you got the wrong subnet here:
ip local pool SSLVPN 50.0.1.100-50.0.1.120 mask 255.255.255.0
that`s /24
What does "interface" refer to in the following line? It should be an IP address:
global (outside) 1 interface
The NAT statement to define what to encrypt
example
nat (outside) 1 192.168.10.0 255.255.255.0
Which group policy are you using for the client VPN?
it should be configured like this:
group-policy clientgroup internal
group-policy clientgroup attributes
vpn-idle-timeout 20
split-tunnel-policy tunnelall
Then you need to configure the crypto maps for the IPsec.
also add this line in:
crypto map imap 10 ipsec-isakmp dynamic ts2
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
also the tunnel group should have something like this:
tunnel-group name type ipsec-ra
tunnel-group name general-attributes
address-pool vpnpool
default-group-policy clientgroup
tunnel-group name ipsec-attributes
pre-shared-key *
Make sure the pre-shared key you put in here is also entered in the client's group authentication setting, I believe.
ASKER
How is my mask wrong? Also, that code is for ASA 7; I am on 8.2, sorry, I should have put that in there. All of these steps are for if I could not VPN in; I can VPN in, I just cannot communicate. Also, regarding my IP addresses, I changed them around in the config I posted here so people would not find out my IP address.
You are missing stuff in your config. Being able to connect doesn't mean that your config is correct.
ASKER
I'm not saying that it's correct, but I did put all of that stuff in; it is in my current config right now that I posted a few posts ago. But I do not understand why I need to change the netmask for my SSL DHCP pool.
Also, just so you know, mercgroup is for IPsec; the other one is for SSL.
ASKER
I think I know the answer. I found some errors in my config, some errors in my NAT statements.
good stuff let us know the results
ASKER
no dice
I read somewhere to add these lines
nat (outside) 1 50.0.100.0 255.255.255.0
nat (outside) 1 50.0.200.0 255.255.255.0
and I also did a router eigrp statement on both the asa and cisco router
router eigrp 100
network 50.0.0.0
network 172.16.50.0
still no luck
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
It worked, thanks a lot.
ASKER
Basically it was the match address command; I thought I did not need that for VPN clients. Also, what's weird is that none of the examples on the net require it.
ASKER
I was also missing NAT traversal.
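The accepted answer is hidden, but the posted configuration and the asker's closing notes (errors in the NAT statements, missing NAT traversal) are enough to show what a practitioner checks by hand on an ASA 8.2 remote-access setup. The Python script below is an added example and is not code from the thread or from Cisco. It parses 8.2-style config text and walks the reachability chain for every tunnel-group that resolves to an address pool: NAT exemption must be `nat (inside) 0 access-list ...` (the posted `nat (inside) 1 access-list NONAT` is policy NAT into global 1, so replies to VPN clients get translated on the way back); each split-tunnel network needs either a static route or a connected inside subnet plus an exemption entry covering that network and the pool; a static route that covers a VPN pool is flagged; and `crypto isakmp nat-traversal` is checked. SAMPLE_CONFIG is a constructed, shortened merge of the two configs the asker posted (same ACL, pool and group names); FIXED_CONFIG is an assumed corrected variant, not something the thread confirms.

```python
"""Audit the remote-access VPN reachability chain in ASA 8.2-style config text.
Added example for this thread, not code from the thread or from Cisco. SAMPLE_CONFIG
is a constructed merge of the asker's posted lines; FIXED_CONFIG is an assumed fix.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Vlan3
 nameif inside
 ip address 172.16.50.1 255.255.255.0
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 50.0.1.0 255.255.255.0
access-list NONAT extended permit ip 50.0.0.0 255.255.255.0 50.0.200.0 255.255.255.0
access-list NONAT extended permit ip 172.16.50.0 255.255.255.0 50.0.1.0 255.255.255.0
access-list Split_Tunnel_List standard permit 50.0.0.0 255.255.255.0
access-list Split_Tunnel_List standard permit 172.16.50.0 255.255.255.0
access-list IPSEC_SPLIT_TUNNEL standard permit 50.0.0.0 255.255.255.0
ip local pool SSLVPN 50.0.1.100-50.0.1.120 mask 255.255.255.0
ip local pool ipsecpool 50.0.200.20-50.0.200.40
nat (inside) 1 access-list NONAT
route inside 50.0.0.0 255.255.255.0 172.16.50.2 1
route inside 50.0.1.0 255.255.255.0 50.0.0.1 1
group-policy SSL_GROUP_POLICY attributes
 split-tunnel-network-list value Split_Tunnel_List
 address-pools value SSLVPN
group-policy mercgroup attributes
 split-tunnel-network-list value IPSEC_SPLIT_TUNNEL
tunnel-group SSLCLIENTPROFILE general-attributes
 default-group-policy SSL_GROUP_POLICY
tunnel-group mercgroup general-attributes
 address-pool ipsecpool
 default-group-policy mercgroup
"""
# Assumed fix: exemption under nat id 0, no static route for a pool, NAT-T enabled.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("nat (inside) 1 access-list NONAT", "nat (inside) 0 access-list NONAT")
                .replace("route inside 50.0.1.0 255.255.255.0 50.0.0.1 1\n", "")
                + "crypto isakmp nat-traversal 20\n")


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(cfg):
    """Pull out pools, ACLs, NAT rules, routes, group/tunnel bindings and NAT-T."""
    d = {"pools": {}, "acls": {}, "nat": [], "routes": [], "gp": {}, "tg": {}, "ifaces": {}, "nat_t": False}
    ctx = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            ctx = None                                   # back at top level
        if m := re.match(r"ip local pool (\S+) (\S+)-", line):
            d["pools"][m[1]] = ipaddress.ip_address(m[2])  # first pool address is enough
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            d["acls"].setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line):
            d["acls"].setdefault(m[1], []).append((net(m[2], m[3]), None))
        elif m := re.match(r"nat \((\S+)\) (\d+) access-list (\S+)", line):
            d["nat"].append((m[1], int(m[2]), m[3]))
        elif m := re.match(r"route (\S+) (\S+) (\S+) (\S+)", line):
            d["routes"].append((m[1], net(m[2], m[3]), ipaddress.ip_address(m[4])))
        elif line.startswith("crypto isakmp nat-traversal"):
            d["nat_t"] = True
        elif m := re.match(r"(group-policy|tunnel-group) (\S+) .*attributes", line):
            ctx = (d["gp"] if m[1] == "group-policy" else d["tg"]).setdefault(m[2], {})
        elif m := re.match(r"interface (\S+)", line):
            ctx = d["ifaces"].setdefault(m[1], {})
        elif ctx is not None and (m := re.match(r"(split-tunnel-network-list|address-pools?) value (\S+)", line)):
            ctx[m[1].rstrip("s")] = m[2]                 # "address-pools" -> "address-pool"
        elif ctx is not None and (m := re.match(r"(address-pool|default-group-policy|nameif) (\S+)", line)):
            ctx[m[1]] = m[2]
        elif ctx is not None and (m := re.match(r"ip address (\S+) (\S+)", line)):
            ctx["subnet"] = net(m[1], m[2])
    return d


def check(cfg):
    """Return findings for each remote-access tunnel-group; an empty list means the chain is complete."""
    d = parse(cfg)
    inside = next((i for i in d["ifaces"].values() if i.get("nameif") == "inside"), {})
    # On 8.2 only "nat (ifc) 0 access-list" bypasses NAT; any other id is policy NAT to that global.
    exempt = [r for _, nid, acl in d["nat"] if nid == 0 for r in d["acls"].get(acl, [])]
    out = [f"nat ({ifc}) {nid} access-list {acl} is policy NAT, not exemption; replies to VPN "
           f"clients get translated (want nat ({ifc}) 0)" for ifc, nid, acl in d["nat"] if nid != 0]
    if not d["nat_t"]:
        out.append("crypto isakmp nat-traversal is not configured; IPsec clients behind a NAT "
                   "device need UDP-encapsulated ESP")
    for tg, attrs in d["tg"].items():
        gp = d["gp"].get(attrs.get("default-group-policy"), {})
        pool = d["pools"].get(attrs.get("address-pool") or gp.get("address-pool"))
        if pool is None:
            continue                                     # no pool: not a remote-access group
        for ifc, dst, nh in d["routes"]:
            if pool in dst:
                out.append(f"{tg}: static route {dst} via {nh} on {ifc} covers the VPN pool; "
                           "client addresses are reached through the tunnel, not that interface")
        for s, _ in d["acls"].get(gp.get("split-tunnel-network-list"), []):
            connected = "subnet" in inside and s.subnet_of(inside["subnet"])
            if not connected and not any(s.subnet_of(dst) for _, dst, _ in d["routes"]):
                out.append(f"{tg}: no route for split-tunnel network {s}")
            if not any(s.subnet_of(src) and pool in dst for src, dst in exempt):
                out.append(f"{tg}: no NAT exemption for {s} -> VPN pool containing {pool}")
    return out


if __name__ == "__main__":
    for name, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{name}]", *check(cfg), sep="\n  ")
```

Run as-is, the script lists the findings for the posted lines (policy NAT instead of exemption, no NAT traversal, the pool route from the first config, and the missing exemptions that follow from the NAT id) and then prints nothing under the fixed variant. The pool lookup assumes the pool is bound either with `address-pool` on the tunnel-group or `address-pools value` on its default group-policy, which is how both posted groups are written. One thing no check on the ASA side can see, stated here as a general caveat rather than something the thread confirms: the router behind the ASA must itself have routes for the pool subnets (50.0.1.0/24 and 50.0.200.0/24) pointing at the ASA inside address, otherwise replies from hosts such as 50.0.0.1 never come back to the firewall.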