VPN connectivity
17 years 5 months ago #22423
by jrecto
VPN connectivity was created by jrecto
I have setup an ASA 5505 firewall to allow VPN connections. I am able to connect and authenticate but I’m not able to access any resources. I can ping the internal gateway but not any of the servers.
What am I doing wrong?
Thanks,
Jasper
17 years 5 months ago #22426
by lomaree
Replied by lomaree on topic Re: VPN connectivity
Can you tell me what your VPN pool address and your local address are? They should not reside in the same pool.
17 years 5 months ago #22442
by anti-hack
Replied by anti-hack on topic Re: VPN connectivity
Have you checked your NAT policies? As stated earlier in the forum, the NAT exemption works only with "ip", not with "tcp" or "udp". I am sure you already had that covered.
If you could post a little bit more detail, we would be able to help you better,
Regards
17 years 5 months ago #22454
by jrecto
Replied by jrecto on topic Re: VPN connectivity
Can you tell me what your VPN pool address and your local address are? They should not reside in the same pool.
My VPN Pool is 10.0.0.253 to 10.0.0.254 SM: 255.255.255.0
I'm not sure what you mean by local address? If you mean the local network within our company, that would be the same subnet.
If you mean the local address of where I am when I connect through the VPN, it would differ every time?
Thanks,
Jasper
17 years 5 months ago #22455
by jrecto
Replied by jrecto on topic Re: VPN connectivity
Have you checked your NAT policies? As stated earlier in the forum, the NAT exemption works only with "ip", not with "tcp" or "udp". I am sure you already had that covered.
If you could post a little bit more detail, we would be able to help you better,
Regards
I missed that thread. Where can I find it?
Thanks!
17 years 5 months ago #22480
by Bikramjit
Replied by Bikramjit on topic Re: VPN connectivity
Hey,
- Cisco always recommends keeping the VPN client pool in a different subnet from your internal subnet, to avoid any possible routing issues.
- Make sure that the servers or machines you are trying to access have a proper default gateway pointing towards the next hop, and that the intermediate device has a route sending anything meant for the VPN pool to the ASA.
- Please check the following links for configuration help:
1. www.cisco.com/en/US/products/ps6120/prod...186a0080702999.shtml
2. www.cisco.com/en/US/products/ps6120/prod...186a0080702992.shtml
If you are comfortable with CLI commands, then check the following sample config:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group REMOTEVPN type ipsec-ra
tunnel-group REMOTEVPN general-attributes
 address-pool VPNPool
 default-group-policy REMOTEVPN
tunnel-group REMOTEVPN ipsec-attributes
 pre-shared-key *
group-policy REMOTEVPN internal
group-policy REMOTEVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value REMOTEVPN_splitTunnelAcl
Pool:
ip local pool VPNPool 192.168.20.1-192.168.20.50 mask 255.255.255.0
NAT:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
ACL:
access-list REMOTEVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
NAT-T and NAT exemption:
crypto isakmp nat-traversal 20
nat (inside) 0 access-list nonat
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
where the inside IP address of the ASA is 192.168.2.0 255.255.255.0.
You can choose any encryption and authentication, but the group has to be DH 2. This configuration is meant for the VPN client with split tunneling.
FOR LOCAL AUTHENTICATION:
tunnel-group REMOTEVPN general-attributes
 authentication-server-group LOCAL
username test password cisco encrypted privilege 15
HOPE THIS HELPS!!!!!
Cheers!!
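As an added example, not part of any post in this thread, the Python script below checks a pre-8.3 ASA remote-access VPN configuration for the three mistakes the replies point at: a client pool that overlaps the inside subnet (lomaree's and Bikramjit's point), a NAT exemption ACL whose entries use "tcp" or "udp" instead of "ip" (anti-hack's point), and a split-tunnel ACL that does not include the inside subnet. The first sample is made of the configuration lines from Bikramjit's reply; the second is constructed to resemble jrecto's description (a 10.0.0.253-254 pool inside the 10.0.0.0/24 LAN), with a tcp-only nonat ACL and a mismatched split-tunnel ACL invented for illustration. All function names are my own, and the parser only understands the `nat (inside) 0 access-list` syntax the post uses, not the object NAT introduced in ASA 8.3.

```python
"""Added example: sanity-check a pre-8.3 ASA remote-access VPN config for
  1. a VPN client pool overlapping the inside subnet,
  2. a NAT exemption (nat 0 access-list) that does not cover inside<->pool
     with protocol "ip" (tcp/udp entries do not exempt the traffic),
  3. a split-tunnel ACL that does not include the inside subnet.
Function names and sample data are the example's own, not the thread's."""
import ipaddress
import re


def _take_net(tokens):
    """Consume 'any', 'host A.B.C.D' or 'NET MASK' from an ACL token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_pool(config):
    """First 'ip local pool' line -> (name, first, last, network the pool sits in)."""
    m = re.search(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", config, re.M)
    if not m:
        return None
    name, first, last, mask = m.groups()
    net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
    return name, ipaddress.ip_address(first), ipaddress.ip_address(last), net


def parse_acl(config, name):
    """Permit entries of one ACL as (proto, src_net, dst_net).
    Standard ACLs carry only a source, so they get proto 'ip' and dst 'any'."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[1] != name:
            continue
        if parts[2] == "standard":
            if parts[3] == "permit":
                entries.append(("ip", _take_net(parts[4:]), ipaddress.ip_network("0.0.0.0/0")))
            continue
        tokens = parts[3:] if parts[2] == "extended" else parts[2:]
        if tokens.pop(0) != "permit":
            continue
        proto = tokens.pop(0)
        entries.append((proto, _take_net(tokens), _take_net(tokens)))
    return entries


def check_vpn_config(config, inside_cidr):
    """Return a list of findings (empty list means the three checks pass)."""
    inside = ipaddress.ip_network(inside_cidr)
    findings = []
    pool = parse_pool(config)
    if pool is None:
        return ["no 'ip local pool' line found"]
    name, first, last, pool_net = pool
    # 1. The pool must sit in a subnet separate from the inside LAN.
    if first in inside or last in inside or pool_net.overlaps(inside):
        findings.append(f"pool {name} ({first}-{last}) overlaps inside subnet {inside}")
    # 2. Inside<->pool traffic must be exempt from NAT via an 'ip' entry.
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not m:
        findings.append("no 'nat (inside) 0 access-list' NAT exemption on the inside interface")
    else:
        acl = m.group(1)
        entries = [e for e in parse_acl(config, acl)
                   if inside.subnet_of(e[1]) and pool_net.subnet_of(e[2])]
        if not any(e[0] == "ip" for e in entries):
            if entries:
                protos = ", ".join(sorted({e[0] for e in entries}))
                findings.append(f"NAT exemption ACL {acl} matches only {protos}; nat 0 needs protocol 'ip'")
            else:
                findings.append(f"NAT exemption ACL {acl} has no entry from {inside} to {pool_net}")
    # 3. With tunnelspecified split tunneling, the inside subnet must be in the list.
    m = re.search(r"^\s*split-tunnel-network-list value (\S+)", config, re.M)
    if m and not any(inside.subnet_of(e[1]) for e in parse_acl(config, m.group(1))):
        findings.append(f"split-tunnel ACL {m.group(1)} does not include inside subnet {inside}")
    return findings


# Sample 1: the relevant lines from Bikramjit's reply (inside LAN 192.168.2.0/24).
SAMPLE_FROM_REPLY = """\
ip local pool VPNPool 192.168.20.1-192.168.20.50 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
group-policy REMOTEVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value REMOTEVPN_splitTunnelAcl
access-list REMOTEVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
"""

# Sample 2: constructed to resemble jrecto's description (pool inside the
# 10.0.0.0/24 LAN); the tcp-only nonat ACL and split-tunnel ACL are invented.
SAMPLE_CONSTRUCTED_BAD = """\
ip local pool VPNPool 10.0.0.253-10.0.0.254 mask 255.255.255.0
nat (inside) 0 access-list nonat
access-list nonat permit tcp 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
group-policy REMOTEVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value REMOTEVPN_splitTunnelAcl
access-list REMOTEVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
"""

if __name__ == "__main__":
    for label, cfg, inside in (("reply sample", SAMPLE_FROM_REPLY, "192.168.2.0/24"),
                               ("constructed bad", SAMPLE_CONSTRUCTED_BAD, "10.0.0.0/24")):
        print(label, check_vpn_config(cfg, inside) or ["OK"])
```

Run it against a saved `show running-config` and the inside subnet; an empty list means the pool, NAT exemption and split-tunnel list agree with each other, which is the state the replies above describe. Routing on the inside hosts (their default gateway and the route back to the pool) is outside what a config parser can see.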