TOPIC: VPN connectivity

VPN connectivity 9 years 5 months ago #22423

  • jrecto
  • New Member
I have setup an ASA 5505 firewall to allow VPN connections. I am able to connect and authenticate but I’m not able to access any resources. I can ping the internal gateway but not any of the servers.

What am I doing wrong?

Thanks,
Jasper

Re: VPN connectivity 9 years 5 months ago #22426

  • lomaree
  • Frequent Member
can you tell me what is your vpn-pool address and your local address? they should not reside in the same pool.

Re: VPN connectivity 9 years 5 months ago #22442

  • anti-hack
  • Frequent Member
Have you checked your NAT policies? As stated earlier in the forum, the NAT exemption works only with "ip", not with "tcp" or "udp". I am sure you already had that covered.

If you could post a little bit more detail, we would be able to help you better,

Regards

Re: VPN connectivity 9 years 5 months ago #22454

  • jrecto
  • New Member
can you tell me what is your vpn-pool address and your local address? they should not reside in the same pool.

My VPN Pool is 10.0.0.253 to 10.0.0.254 SM: 255.255.255.0

I'm not sure what you mean by local address? If you mean the local network within our company, that would be the same subnet.

If you mean the local address of where I am when I connect through the VPN, it would differ every time?

Thanks,
Jasper

Re: VPN connectivity 9 years 5 months ago #22455

  • jrecto
  • New Member
Have you checked your NAT policies? As stated earlier in the forum, the NAT exemption works only with "ip", not with "tcp" or "udp". I am sure you already had that covered.

If you could post a little bit more detail, we would be able to help you better,

Regards

I missed that thread. Where can I find it?

Thanks!

Re: VPN connectivity 9 years 5 months ago #22480

  • Bikramjit
  • New Member
Hey,

- Cisco always recommends keeping the VPN client pool in a different subnet from your internal subnet, to avoid any possible routing issues.

- Make sure that the servers or machines you are trying to access have a proper default gateway pointing towards the next hop, and that any intermediate device has a route sending anything destined for the VPN pool to the ASA.

- Please check the following links for configuration help:

1. www.cisco.com/en/US/products/ps6120/prod...186a0080702999.shtml

2. www.cisco.com/en/US/products/ps6120/prod...186a0080702992.shtml

If you are comfortable with CLI commands, then check the following sample config:

! Phase 2: IPsec transform set and a dynamic crypto map for remote-access peers
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! Phase 1: IKEv1 (ISAKMP) policy on the outside interface
! (3DES and SHA-1 are legacy algorithms; they are shown here because the old IPsec client negotiates them)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! Tunnel group: the pool clients draw addresses from, the group policy applied, and the PSK
tunnel-group REMOTEVPN type ipsec-ra
tunnel-group REMOTEVPN general-attributes
 address-pool VPNPool
 default-group-policy REMOTEVPN
tunnel-group REMOTEVPN ipsec-attributes
 pre-shared-key *

! Group policy: only networks listed in the split-tunnel ACL are sent through the tunnel
group-policy REMOTEVPN internal
group-policy REMOTEVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value REMOTEVPN_splitTunnelAcl

Pool:
! Client pool in its own /24, not carved out of the inside subnet
ip local pool VPNPool 192.168.20.1-192.168.20.50 mask 255.255.255.0


NAT:

! Pre-8.3 NAT: PAT everything from inside to the outside interface address
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

ACL:

! Split-tunnel ACL: a standard ACL naming the inside network(s) reachable over the VPN
access-list REMOTEVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0


NAT-T:

! NAT traversal with a 20-second keepalive, for clients behind NAT devices
crypto isakmp nat-traversal 20

! NAT exemption (identity NAT): inside <-> pool traffic must bypass the PAT rule above.
! The exemption ACL is written with protocol "ip" (see the earlier replies in this thread).
nat (inside) 0 access-list nonat
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0

Where the inside IP address of the ASA is 192.168.2.0 255.255.255.0.

You can choose any encryption and authentication, but the group has to be DH 2. This configuration is meant for vpn client with split tunneling.


FOR LOCAL AUTHENTICATION:

! Authenticate VPN users against the ASA's local user database
tunnel-group REMOTEVPN general-attributes
 authentication-server-group LOCAL
! "password <text>" without the "encrypted" keyword takes a clear-text password and stores it hashed;
! "encrypted" is only valid when pasting an already-hashed value back in
username test password cisco privilege 15


HOPE THIS HELPS!!!!!

Cheers!!
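The two checks the replies in this thread keep coming back to (lomaree's point that the client pool must not sit inside the internal subnet, and anti-hack's point that the NAT exemption must match with "ip" rather than "tcp" or "udp") can be run against a pre-8.3 config before anyone connects. The script below is an added example, not something from the thread or from Cisco. It parses the fragments Bikramjit posted as the good case, and a constructed config modelled on Jasper's description (pool 10.0.0.253-254 inside a 10.0.0.0/24 LAN, plus a hypothetical exemption ACL written with "tcp"; his real config was never posted) as the bad case. The inside subnet is passed in by hand because the interface lines were not in the post.

```python
"""Pre-flight checks for a pre-8.3 ASA remote-access VPN config (added example,
not from the thread or from Cisco). Implements the two checks raised in the
replies: (1) the client pool must not overlap the inside subnet, and (2) the
NAT-exemption ACL behind 'nat (inside) 0 access-list' must cover inside <-> pool
traffic with protocol 'ip'."""
import ipaddress
import re

# Constructed sample: Bikramjit's posted fragments joined into one snippet.
GOOD_CONFIG = """
ip local pool VPNPool 192.168.20.1-192.168.20.50 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-list REMOTEVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
"""

# Constructed sample modelled on Jasper's description (his config was not posted):
# a pool carved out of the inside /24 and a hypothetical exemption ACL using 'tcp'.
BAD_CONFIG = """
ip local pool VPNPool 10.0.0.253-10.0.0.254 mask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat
access-list nonat extended permit tcp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
"""

POOL_RE = re.compile(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
# Extended ACE with network/mask on both sides; standard (split-tunnel) ACLs are ignored.
ACE_RE = re.compile(r"access-list (\S+) (?:extended )?permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"nat \((\S+)\) 0 access-list (\S+)$")


def parse_config(text):
    """Extract address pools, extended ACL entries and the NAT-0 ACL name."""
    cfg = {"pools": {}, "acls": {}, "nonat_acl": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            name, first, last, mask = m.groups()
            cfg["pools"][name] = (ipaddress.ip_address(first), ipaddress.ip_address(last), mask)
        elif m := ACE_RE.match(line):
            name, proto, src, smask, dst, dmask = m.groups()
            cfg["acls"].setdefault(name, []).append(
                (proto, ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := NAT0_RE.match(line):
            cfg["nonat_acl"] = m.group(2)
    return cfg


def pool_overlaps_inside(pool, inside_net):
    """Check 1: does any address of the client pool fall within the inside subnet?"""
    first, last, _mask = pool
    return first <= inside_net.broadcast_address and last >= inside_net.network_address


def check_nat_exemption(cfg, inside_net, pool):
    """Check 2: inside -> pool must be matched by the NAT-0 ACL with protocol 'ip'."""
    acl_name = cfg["nonat_acl"]
    if acl_name is None:
        return ["no 'nat (inside) 0 access-list' statement: inside->pool traffic "
                "will be translated by the catch-all PAT rule instead of exempted"]
    first, last, _mask = pool
    findings = []
    for proto, src, dst in cfg["acls"].get(acl_name, []):
        if inside_net.subnet_of(src) and first in dst and last in dst:
            if proto == "ip":
                return []  # a correct exemption entry exists
            findings.append(f"ACL {acl_name} matches inside->pool but with protocol "
                            f"'{proto}'; the exemption entry must use 'ip'")
    if not findings:
        findings.append(f"ACL {acl_name} has no entry covering {inside_net} -> {first}-{last}")
    return findings


def audit(config_text, inside_cidr):
    """Run both checks for every pool; an empty list means the config passes."""
    cfg = parse_config(config_text)
    inside_net = ipaddress.ip_network(inside_cidr)
    if not cfg["pools"]:
        return ["no 'ip local pool' defined for the tunnel group"]
    findings = []
    for name, pool in cfg["pools"].items():
        if pool_overlaps_inside(pool, inside_net):
            findings.append(f"pool {name} {pool[0]}-{pool[1]} overlaps inside subnet "
                            f"{inside_net}; put the pool in its own subnet")
        findings.extend(check_nat_exemption(cfg, inside_net, pool))
    return findings


if __name__ == "__main__":
    for label, text, inside in (("sample config", GOOD_CONFIG, "192.168.2.0/24"),
                                ("Jasper-style config", BAD_CONFIG, "10.0.0.0/24")):
        print(label, "->", audit(text, inside) or ["OK"])
```

Run against the posted sample it returns no findings; against the Jasper-style config it reports both the overlapping pool and the "tcp" exemption entry. The parser only understands the pre-8.3 `nat (inside) 0 access-list` form shown in the thread; on 8.3 and later the exemption is a twice-NAT `nat (inside,outside) source static ... destination static ...` rule and would need a different matcher.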