VPN client cannot connect to the internal network

Unanswered Question
Jul 11th, 2007

When a remote VPN client connects, he can SSH to the DMZ network but cannot SSH to the internal network.

There are two types of VPN installed: the first is site-to-site and the second is remote VPN client. Please help me out.

acomiskey Wed, 07/11/2007 - 06:33

Could you post a sanitized config from the ASA?

Is the traffic between the inside network and the vpn client subnet exempted from nat?

Is there any split tunnel configured?

mkmzaman Wed, 07/11/2007 - 06:40

access-list inside_outbound_nat0_acl extended permit ip INSIDE-NET 255.255.255.0 192.168.70.0 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip DMZ-NET 255.255.255.0 192.168.70.0 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip any host 10.1.19.4
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 INSIDE-NET 255.255.255.0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
nat (dmz) 1 DMZ-NET 255.255.255.0

Split tunnel is enabled.

acomiskey Fri, 07/13/2007 - 11:50

The config looks ok. The inside network is exempted from nat to the vpn client subnet and is also included in the split tunnel acl. Can you ping any devices on the inside network or is it specifically ssh traffic?

mkmzaman Mon, 07/16/2007 - 20:53

I tried to SSH to the internal network; the syslog gives the following:

3 Jul 16 2007 18:13:40 713042 IKE Initiator unable to find policy: Intf 1, Src: 192.168.60.10, Dst: 192.168.70.8

Please help me out.

acomiskey Tue, 07/17/2007 - 04:50

Try this...

crypto map outside_map interface outside
crypto isakmp identity address
no crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

This is all you should need. I would clean out all the rest.

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

mkmzaman Tue, 07/24/2007 - 01:43

The crypto map access list was conflicting with the site-to-site VPN. I have changed that, and it started working.

Thanks for the support.
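The root cause in this thread was a static (site-to-site) crypto map ACL that also covered traffic to the remote-access client pool, and acomiskey's earlier advice was to keep the dynamic map entry at the highest sequence number (65535) so static entries are evaluated first and the dynamic entry catches only what is left. The script below, added here as an illustration and not part of the original thread or any Cisco tool, parses an ASA-style config excerpt and reports both problems: a static crypto ACL whose source or destination overlaps the client pool, and a dynamic crypto map entry that is not last in its map. The sample config is constructed for the example; the ACL name outside_20_cryptomap, the seq-60 second tunnel, the 192.168.60.0/24 inside subnet (standing in for INSIDE-NET), the 192.168.0.0/16 and 10.2.0.0/16 remote networks and the peer addresses are all assumptions. Only the 192.168.70.0/24 client pool, the nat0 ACL lines and the seq-40 dynamic entry come from the thread.

```python
"""Check an ASA crypto map for conflicts with a remote-access VPN client pool.

Added example, not code from the thread. The config below is constructed:
the outside_20_cryptomap / outside_60_cryptomap ACLs, the 192.168.60.0/24
inside subnet, the 192.168.0.0/16 and 10.2.0.0/16 remote networks and the
peers 203.0.113.1 / 203.0.113.2 are assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Client pool from the thread (192.168.70.0/24); the rest is constructed.
CLIENT_POOL = ipaddress.ip_network("192.168.70.0/24")

SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl extended permit ip 192.168.60.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list dmz_outbound_nat0_acl extended permit ip any host 10.1.19.4
access-list outside_20_cryptomap extended permit ip 192.168.60.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list outside_60_cryptomap extended permit ip 192.168.60.0 255.255.255.0 10.2.0.0 255.255.0.0
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 203.0.113.1
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 40 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer 203.0.113.2
crypto map outside_map interface outside
"""

STATIC_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
DYN_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")


def _parse_addr(tokens, i):
    """Consume one ASA address spec ('any', 'host X', or 'X MASK') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (acls, static, dynamic).

    acls:    ACL name -> list of (src_net, dst_net) for 'extended permit ip' lines
    static:  (map name, seq) -> ACL name bound with 'match address'
    dynamic: (map name, seq) -> dynamic-map name
    """
    acls = defaultdict(list)
    static, dynamic = {}, {}
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 6 and t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _parse_addr(t, 5)
            dst, _ = _parse_addr(t, i)
            acls[t[1]].append((src, dst))
        elif (m := STATIC_RE.match(line)):
            static[(m[1], int(m[2]))] = m[3]
        elif (m := DYN_RE.match(line)):
            dynamic[(m[1], int(m[2]))] = m[3]
    return acls, static, dynamic


def find_conflicts(text, client_pool=CLIENT_POOL):
    """Return (overlaps, misordered).

    overlaps:   (map, seq, acl, src, dst) for every static crypto ACL line whose
                source or destination overlaps the client pool; such traffic is
                steered toward the site-to-site peer instead of the dynamic map.
    misordered: (map, seq) for every dynamic entry that is not the highest
                sequence number in its crypto map.
    """
    acls, static, dynamic = parse_config(text)
    overlaps = []
    for (cmap, seq), acl in sorted(static.items()):
        for src, dst in acls.get(acl, []):
            if src.overlaps(client_pool) or dst.overlaps(client_pool):
                overlaps.append((cmap, seq, acl, str(src), str(dst)))
    misordered = []
    for cmap, seq in sorted(dynamic):
        highest = max(s for (m, s) in list(static) + list(dynamic) if m == cmap)
        if seq != highest:
            misordered.append((cmap, seq))
    return overlaps, misordered


if __name__ == "__main__":
    found, order = find_conflicts(SAMPLE_CONFIG)
    for cmap, seq, acl, src, dst in found:
        print(f"crypto map {cmap} {seq}: ACL {acl} ({src} -> {dst}) overlaps {CLIENT_POOL}")
    for cmap, seq in order:
        print(f"crypto map {cmap} {seq}: dynamic entry is not last; move it to 65535")
```

Run against the constructed config, the checker flags the seq-20 ACL, whose 192.168.0.0/16 destination swallows the 192.168.70.0/24 pool, and the seq-40 dynamic entry that sits below the seq-60 static tunnel; narrowing that ACL and moving the dynamic entry to 65535 clears both findings.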
