Can't access remote resource on ASA VPN

msworld (MIS)
Jun 28, 2005
I created a VPN on a Cisco ASA 5510. I can establish the VPN, but can’t ping any LAN computers. Also I can’t access the Internet after establishing the VPN. Any suggestions?


ASA Version 7.0(6)
!
hostname ASA5510
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.198 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.4 255.255.0.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 172.16.252.254 255.255.0.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 192.168.198.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.198.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
ip local pool vpn198 192.168.198.10-192.168.198.254 mask 255.255.255.0
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 10 172.16.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy VPN198 internal
group-policy VPN198 attributes
wins-server value 10.0.0.29 10.0.0.19
dns-server value 10.0.0.29 10.0.0.19
split-tunnel-policy tunnelall
default-domain value chicagobotanic.org
webvpn
vpn-group-policy VPN198
webvpn
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.0.0 inside
http x.x.x.208 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group VPN198 type ipsec-ra
tunnel-group VPN198 general-attributes
address-pool vpn198
default-group-policy VPN198
tunnel-group VPN198 ipsec-attributes
pre-shared-key *
telnet 0.0.0.0 0.0.0.0 inside
telnet x.x.x.208 255.255.255.255 outside
telnet timeout 5
ssh x.x.x.208 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd address 10.0.0.107-10.0.0.108 inside
dhcpd dns 4.2.2.1
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!


Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on
 
I'm not a pro on ASA's, but do these statements...

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 192.168.198.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.198.0 255.255.255.0

allow the VPN addresses to be NATted? If so, you don't want the VPN pool to be NATted back out.

Burt
 
You need

isakmp nat-traversal

or

crypto isakmp nat-traversal

Additionally you need to change your group to the following

access-list splitacl extended permit ip 10.0.0.0 255.255.0.0 192.168.198.0 255.255.255.0

group-policy VPN198 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splitacl
 
I don't believe you are NATting. access-list inside_nat0_outbound and access-list DMZ_nat0_outbound are just access-list names, right? If so, where are you using these access-lists?

You're only NATting traffic leaving the outside interface using "global (outside) 10 interface", right?

How can you tell you establish a VPN connection? Do you get an IP from your pool?
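An added example, not from any post in this thread: a short Python check (the helper names parse_config, acl_bindings, pool_exempt_from_nat and tunneled_networks are my own) that reads the relevant lines of the posted config. It answers the question above about where the two nat0 access-lists are used (the posted config binds them with `nat (inside) 0 access-list inside_nat0_outbound` and `nat (DMZ) 0 access-list DMZ_nat0_outbound`), confirms that the vpn198 pool falls inside their destination networks so inside and DMZ traffic to VPN clients is exempt from NAT on those interfaces, and shows how the split-tunnel change suggested in the earlier reply narrows what the client sends through the tunnel from everything to 10.0.0.0/16.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in the thread (only the lines the
# check needs; addresses exactly as posted).
ASA_CONFIG = """
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 192.168.198.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.198.0 255.255.255.0
ip local pool vpn198 192.168.198.10-192.168.198.254 mask 255.255.255.0
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 10 172.16.0.0 255.255.0.0
group-policy VPN198 attributes
 split-tunnel-policy tunnelall
"""

# The same excerpt with the split-tunnel change proposed in the second reply appended.
PROPOSED_FIX = ASA_CONFIG + """
access-list splitacl extended permit ip 10.0.0.0 255.255.0.0 192.168.198.0 255.255.255.0
group-policy VPN198 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitacl
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")


def parse_config(text):
    """Pick out ACLs, address pools, nat 0 bindings and split-tunnel settings."""
    cfg = {"acls": {}, "pools": {}, "nat0": {}, "split_policy": None, "split_list": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, s_ip, s_mask, d_ip, d_mask = m.groups()
            # ipaddress accepts dotted netmasks, so "10.0.0.0/255.255.0.0" parses directly
            cfg["acls"].setdefault(name, []).append(
                (ipaddress.ip_network(f"{s_ip}/{s_mask}"),
                 ipaddress.ip_network(f"{d_ip}/{d_mask}")))
            continue
        m = POOL_RE.match(line)
        if m:
            cfg["pools"][m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                       ipaddress.ip_address(m.group(3)))
            continue
        m = NAT0_RE.match(line)
        if m:
            cfg["nat0"][m.group(1)] = m.group(2)
            continue
        if line.startswith("split-tunnel-policy "):
            cfg["split_policy"] = line.split()[1]
        elif line.startswith("split-tunnel-network-list value "):
            cfg["split_list"] = line.split()[-1]
    return cfg


def acl_bindings(cfg, acl_name):
    """Interfaces on which acl_name is bound as the nat 0 (NAT exemption) list."""
    return sorted(intf for intf, name in cfg["nat0"].items() if name == acl_name)


def pool_exempt_from_nat(cfg, interface, pool_name):
    """True when the whole pool sits inside the destination of a nat 0 entry bound
    to `interface`, i.e. traffic from that interface to VPN clients is not NATted."""
    acl_name = cfg["nat0"].get(interface)
    if acl_name not in cfg["acls"] or pool_name not in cfg["pools"]:
        return False
    first, last = cfg["pools"][pool_name]
    return any(first in dst and last in dst for _, dst in cfg["acls"][acl_name])


def tunneled_networks(cfg):
    """Destination networks the client sends through the tunnel, as strings.
    For tunnelspecified the ACL source is the protected network behind the ASA."""
    if cfg["split_policy"] == "tunnelall":
        return ["0.0.0.0/0"]
    if cfg["split_policy"] == "tunnelspecified" and cfg["split_list"] in cfg["acls"]:
        return [str(src) for src, _ in cfg["acls"][cfg["split_list"]]]
    return []


if __name__ == "__main__":
    for label, text in (("as posted", ASA_CONFIG), ("with split tunnel", PROPOSED_FIX)):
        cfg = parse_config(text)
        print(f"[{label}]")
        for acl in cfg["acls"]:
            print(f"  {acl} bound as nat 0 on: {acl_bindings(cfg, acl) or 'nowhere'}")
        for intf in ("inside", "DMZ", "outside"):
            print(f"  vpn198 exempt from NAT on {intf}: {pool_exempt_from_nat(cfg, intf, 'vpn198')}")
        print(f"  tunneled networks: {tunneled_networks(cfg)}")
```

Run it as a script and it reports, for the config as posted, that both nat0 lists are bound (inside and DMZ respectively), that the pool is exempt on those two interfaces but not on outside, and that tunnelall sends 0.0.0.0/0 through the tunnel; with the proposed splitacl only 10.0.0.0/16 is tunneled, which is why Internet traffic no longer depends on the ASA.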
 