VPN connectivity

17 years 4 months ago #22423 by jrecto
VPN connectivity was created by jrecto
I have set up an ASA 5505 firewall to allow VPN connections. I am able to connect and authenticate, but I'm not able to access any resources. I can ping the internal gateway but not any of the servers.

What am I doing wrong?

Thanks,
Jasper
17 years 4 months ago #22426 by lomaree
Replied by lomaree on topic Re: VPN connectivity
Can you tell me what your VPN pool address and your local address are? They should not reside in the same pool.
17 years 4 months ago #22442 by anti-hack
Replied by anti-hack on topic Re: VPN connectivity
Have you checked your NAT policies? As stated earlier in the forum, the NAT exemption works only with "ip", not with "tcp" or "udp". I am sure you already had that covered.

If you could post a little bit more detail, we would be able to help you better.

Regards
17 years 4 months ago #22454 by jrecto
Replied by jrecto on topic Re: VPN connectivity

Can you tell me what your VPN pool address and your local address are? They should not reside in the same pool.


My VPN Pool is 10.0.0.253 to 10.0.0.254 SM: 255.255.255.0

I'm not sure what you mean by local address? If you mean the local network within our company, that would be the same subnet.

If you mean the local address of where I am when I connect through the VPN, it would differ every time.

Thanks,
Jasper
17 years 4 months ago #22455 by jrecto
Replied by jrecto on topic Re: VPN connectivity

Have you checked your NAT policies? As stated earlier in the forum, the NAT exemption works only with "ip", not with "tcp" or "udp". I am sure you already had that covered.

If you could post a little bit more detail, we would be able to help you better.

Regards


I missed that thread. Where can I find it?

Thanks!
17 years 4 months ago #22480 by Bikramjit
Replied by Bikramjit on topic Re: VPN connectivity
Hey,

- Cisco always recommends keeping the VPN client pool in a different subnet from your internal subnet, to avoid possible routing issues.

- Make sure that the servers or machines you are trying to access have a proper default gateway pointing towards the next hop, and that the intermediate device has a route sending anything meant for the VPN pool to the ASA.

- Please check the following links for configuration help:

1. www.cisco.com/en/US/products/ps6120/prod...186a0080702999.shtml

2. www.cisco.com/en/US/products/ps6120/prod...186a0080702992.shtml

If you are comfortable with CLI commands, then check the following sample config:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group REMOTEVPN type ipsec-ra
tunnel-group REMOTEVPN general-attributes
 address-pool VPNPool
 default-group-policy REMOTEVPN
tunnel-group REMOTEVPN ipsec-attributes
 pre-shared-key *

group-policy REMOTEVPN internal
group-policy REMOTEVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value REMOTEVPN_splitTunnelAcl

Pool:

ip local pool VPNPool 192.168.20.1-192.168.20.50 mask 255.255.255.0

NAT:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

ACL:

access-list REMOTEVPN_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0

NAT-T and NAT exemption:

crypto isakmp nat-traversal 20

nat (inside) 0 access-list nonat
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0

Where the inside IP address of the ASA is in 192.168.2.0 255.255.255.0.

You can choose any encryption and authentication, but the group has to be DH 2. This configuration is meant for the VPN client with split tunneling.


FOR LOCAL AUTHENTICATION:

tunnel-group REMOTEVPN general-attributes
 authentication-server-group LOCAL
! "cisco" is a plaintext password, so the "encrypted" keyword (which expects an already-hashed value) must not follow it
username test password cisco privilege 15


HOPE THIS HELPS!!!!!

Cheers!!
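As an added example (not from the thread or from Cisco), here is a small Python check for the two points raised in this thread: the client pool must not share a subnet with the inside network (Jasper's 10.0.0.x pool fails this), and the nat 0 ACL must carry a "permit ip" entry from inside to the pool. The config fragment and function names are constructed for the example.

```python
import ipaddress
import re

# Constructed ASA config fragment (not from the thread), modelled on the
# sample posted above.
SAMPLE_CONFIG = """
ip local pool VPNPool 192.168.20.1-192.168.20.50 mask 255.255.255.0
nat (inside) 0 access-list nonat
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
"""

POOL_RE = re.compile(r"ip local pool \S+ (\S+)-(\S+) mask (\S+)")
NAT0_RE = re.compile(r"nat \(inside\) 0 access-list (\S+)")
ACL_RE = re.compile(r"access-list (\S+) permit (\S+) (\S+) (\S+) (\S+) (\S+)")

def pool_network(config):
    """Subnet the VPN client pool lives in, derived from its mask."""
    start, _end, mask = POOL_RE.search(config).groups()
    return ipaddress.ip_network(f"{start}/{mask}", strict=False)

def pool_overlaps_inside(config, inside_subnet):
    """True if the pool shares a subnet with the inside network (the mistake lomaree points to)."""
    return pool_network(config).overlaps(ipaddress.ip_network(inside_subnet))

def nat_exempt_covers_pool(config, inside_subnet):
    """True if the nat 0 ACL has a 'permit ip' inside-to-pool entry, so VPN traffic bypasses PAT."""
    m = NAT0_RE.search(config)
    if not m:
        return False  # no NAT exemption configured at all
    acl_name = m.group(1)
    inside = ipaddress.ip_network(inside_subnet)
    pool = pool_network(config)
    for name, proto, src, smask, dst, dmask in ACL_RE.findall(config):
        if name != acl_name or proto != "ip":
            continue  # tcp/udp entries do not qualify for NAT exemption
        src_net = ipaddress.ip_network(f"{src}/{smask}")
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}")
        if inside.subnet_of(src_net) and pool.subnet_of(dst_net):
            return True
    return False

def check(config, inside_subnet):
    """Summarise both checks as a dict of booleans."""
    return {
        "pool_separate_from_inside": not pool_overlaps_inside(config, inside_subnet),
        "nat_exempt_covers_pool": nat_exempt_covers_pool(config, inside_subnet),
    }
```

Run `check(SAMPLE_CONFIG, "192.168.2.0/24")` against your own running-config text and inside subnet; both values should come back True.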