VPN Connected (5505) - but no access to internal server

Unanswered Question
Aug 2nd, 2007

I can connect to our VPN using VPN Client (IPSEC) and what I want to do is then access a link called "http://192.168.2.100/mrshproject" on our server. I can ping 192.168.2.100 when connected to the VPN, but when I try to go to this link, it says the page cannot be displayed.

Any ideas? Thanks

dpatkins Thu, 08/02/2007 - 17:31

Good evening,

Do you have an access-list statement that will allow HTTP to the inside, or are they all on the same subnet? I am assuming that 192.168.2.100 is inside. The ASA is a little different beast than the VPN concentrators used to be, and you need to check static non-connected routes, NAT address configuration and also access-lists. Remember that your endpoint is the outside interface, so you will have to tell the ASA that your address pool needs to access TCP port 80 on the inside. Hope this helps some.

Dwane

kenmuhr12 Thu, 08/02/2007 - 18:02

Hey Dwane, thanks for the response. I don't know if I have HTTP allowed to be accessed. How do I do that? Also I will check our address pool to see if it is allowing port 80 on the inside.

The 192.168.2.100 is on the inside. It is where our program is and where I want users to connect to.

Another thing that I didn't mention is that I created a VLAN with the IP address of 192.168.2.100. I'm not sure if that is right. Also, on the server where the program is, I set the IP address manually to 192.168.2.100 and the default gateway as the same. Not sure if that's right, but when I go to the link http://192.168.2.100/mrshproject on that server, I can access the program.

Any more help will be greatly appreciated!

Thanks

acomiskey Thu, 08/02/2007 - 18:17

And you can ping 192.168.2.100 from the VPN? The IP of the server should not be the same as the VLAN on the ASA. Change the IP of the server to something else, 192.168.2.x, and keep the default gateway at 192.168.2.100.

You should not have to worry about an acl entry to allow the traffic. I'm sure you have sysopt conn permit-vpn enabled.

kenmuhr12 Tue, 08/07/2007 - 12:58

Hello all, I posted previously but I have changed some things and thought it would be better to start new. We put in an ASA-5505 and we are able to connect to the firewall using a VPN Client. The problem comes into play when I try to access our program that is located on the server. Here is our setup:

- I have the original Vlan1 and Vlan2, that's it.

- The default of the ASA is 10.10.10.1

- Our address pools range from 10.10.20.10 to 10.10.20.50

- I set our server IP address to 10.10.20.100 with the default gateway 10.10.10.1.

- If I try to access the server link on another INTERNAL computer, I can access the server and where I want my clients to go.

- If I try from home, I can connect with the VPN Client and it gives me an IP address of 10.10.20.10 (in the IP pool), but if I try to ping 10.10.20.100, it times out.

Question:

Should I change the server location to something else? If so, what range, so that someone in that 10.10.20.10 - 10.10.20.50 range can access it from the outside?

Thanks in advance for all your help. Much Appreciated!!

acomiskey Tue, 08/07/2007 - 13:56

What are the masks of these 10. networks? Are they all in the same 10.0.0.0/8?

The vpn client subnet should not be the same as any other subnet inside your asa.

kenmuhr12 Tue, 08/07/2007 - 14:33

The server is actually IP 10.10.10.100 with a mask of 255.255.255.0.

The IP pools clients use are set to 10.10.20.10 through 50 with the same subnet mask as above (255.255.255.0).

If that needs to be changed, what should it be?

Thanks in advance!

kenmuhr12 Tue, 08/07/2007 - 15:27

I changed them to different masks. I attached my config so you can take a better look at it. (Changing some IP addresses of course.)

Thank You so much for the assistance!

P.S. - By looking at your name - are you a Whitesox fan? If so I am right with yah!

mattiaseriksson Wed, 08/08/2007 - 01:20

Try to add this command:

nat (inside) 0 access-list mrsh_nat0_outbound

The server is in the 10.10.10.0/24 subnet right?

kenmuhr12 Wed, 08/08/2007 - 06:10

Yes, it is subnet /24.

I will have to try this command later because this is my part time job. I will go on my lunch and let you know if this worked.

Unless there is a way to access it from an external location, i.e. HyperTerminal?

acomiskey Wed, 08/08/2007 - 06:20

Well, turns out you didn't need to change anything with the subnets. As long as they weren't the same, you're ok. But the change you made is ok too. Most likely when you changed the pool and the associated acl, it removed the nat exemption statement posted above.

Not really a white sox fan, it's just my last name. Unfortunately I don't own any ballparks!

kenmuhr12 Wed, 08/08/2007 - 06:27

So my config I have attached to this forum is OK? And you're saying that the command "nat (inside) 0 access-list mrsh_nat0_outbound" should be entered and then it should work?

"Yeah, it would be nice to own a ballpark, sorry about that. "

acomiskey Wed, 08/08/2007 - 06:37

I think so.

You could clean it up a little by removing these lines which are not in use...

no access-list inside_nat0_outbound extended permit ip host 60.20.60.100 10.10.10.0 255.255.255.240

no access-list Nat_vpn extended permit ip 10.10.20.0 255.255.255.192 any

no access-list outside_access_in extended permit ip any host 60.20.60.100

no access-list inside_access_in extended permit ip any any

no access-list inside_access_out extended permit tcp any any

no access-list inside-mrsh standard permit 10.10.10.0 255.255.255.0

no access-list PIM_ACCPTREG_ACL extended permit tcp interface outside interface inside eq www

no access-list outside_cryptomap_1 extended permit tcp interface outside interface

kenmuhr12 Wed, 08/08/2007 - 06:42

Cool! I will try that when I get a chance, then I will retry and post results.

Another quick question: Now when I connect to the VPN remotely, I lose internet connection. This never happened before and I don't know if I added or removed something I shouldn't have.

Thanks again. When all is solved I am rating your assistance a 100% ++++++!!!!

acomiskey Wed, 08/08/2007 - 07:20

Your split tunnel appears to be set up properly except one line. "split-tunnel-policy tunnelspecified"

access-list DefaultRAGroup_splitTunnelAcl extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.192

group-policy DefaultRAGroup attributes
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 split-tunnel-policy tunnelspecified

kenmuhr12 Thu, 08/09/2007 - 06:43

I tried running the command but I still lose connection to the internet when I connect with the VPN Client. I attached my most recent config.

Thanks

acomiskey Thu, 08/09/2007 - 07:02

Looks OK. What do you have for routes in your VPN client under Status -> Statistics -> Route Details?

You should get 10.10.10.0/24 under secured routes.

This shouldn't make a difference but you could try...

no access-list DefaultRAGroup_splitTunnelAcl extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.192

access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0

kenmuhr12 Thu, 08/09/2007 - 09:39

I get 0.0.0.0 under secured routes.

I attached most recent with your changes from the previous post.

Thanks

acomiskey Thu, 08/09/2007 - 09:51

Split tunnel is still not working. Under "group-policy DefaultRAGroup attributes" you have "split-tunnel-policy tunnelall", which means do not split tunnel. You need to change that to "split-tunnel-policy tunnelspecified":

group-policy DefaultRAGroup attributes

dns-server value 68.94.156.1 68.94.157.1

vpn-tunnel-protocol IPSec l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
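An added check, written for this thread and not taken from it or from Cisco, that applies the three points the replies make (the client pool must not overlap an inside subnet, the "nat (inside) 0" exemption ACL must cover the server, and the split-tunnel policy must be "tunnelspecified" with the inside subnet listed) to the thread's own addresses. The contents of the mrsh_nat0_outbound ACL are an assumption, since the thread never shows them; the ACL parser handles the two forms seen above (extended "permit ip" and standard) but not "host" entries.

```python
from ipaddress import ip_address, ip_network

def parse_ace(line):
    """Parse an ASA 'permit' access-list line into (src, dst) networks, else None.
    Handles 'extended permit ip SRC MASK DST MASK' ('any' allowed) and
    'standard permit NET MASK' (destination implicitly any); 'host X' is not handled."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[3] != "permit":
        return None
    try:
        if t[2] == "standard":
            return ip_network(f"{t[4]}/{t[5]}"), ip_network("0.0.0.0/0")
        if t[2] == "extended" and t[4] == "ip":
            # ipaddress accepts dotted masks (10.10.10.0/255.255.255.0); 'any' -> 0.0.0.0/0
            r = " ".join(t[5:]).replace("any", "0.0.0.0 0.0.0.0").split()
            if len(r) == 4:
                return ip_network(f"{r[0]}/{r[1]}"), ip_network(f"{r[2]}/{r[3]}")
    except ValueError:
        pass
    return None

def pool_overlap(pool, inside_nets):
    """Inside subnets overlapping the VPN client pool; must be empty (the first reply's point)."""
    p = ip_network(pool)
    return [n for n in inside_nets if ip_network(n).overlaps(p)]

def nat_exempt_ok(nat0_lines, server, pool):
    """'nat (inside) 0 access-list X': server-to-pool traffic must match a permit line or it gets NATed."""
    s, p = ip_address(server), ip_network(pool)
    return any(s in src and p.subnet_of(dst)
               for src, dst in filter(None, map(parse_ace, nat0_lines)))

def split_tunnel_ok(policy, split_lines, inside_net):
    """'tunnelall' sends the client's internet traffic into the tunnel (the symptom above);
    'tunnelspecified' needs the inside subnet listed so it shows as a secured route."""
    inside = ip_network(inside_net)
    return policy == "tunnelspecified" and any(
        inside.subnet_of(src) for src, _ in filter(None, map(parse_ace, split_lines)))

# Constructed from the thread's numbers; the nat0 ACL body is an assumption.
INSIDE, POOL, SERVER = "10.10.10.0/24", "10.10.20.0/26", "10.10.10.100"
NAT0 = ["access-list mrsh_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.192"]
SPLIT = ["access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0"]

if __name__ == "__main__":
    print("pool overlaps inside:", pool_overlap(POOL, [INSIDE]))
    print("nat exemption covers server:", nat_exempt_ok(NAT0, SERVER, POOL))
    print("tunnelall ok:", split_tunnel_ok("tunnelall", SPLIT, INSIDE))
    print("tunnelspecified ok:", split_tunnel_ok("tunnelspecified", SPLIT, INSIDE))
```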
