VPN access

Answered Question
Aug 30th, 2007

I have an ASA5510 running IOS 7.2(2). When a client VPN is established they are not able to access any server that does not have a static translation built. Is it necessary to build static translations for every server that needs to be accessed, or is there a simpler way of doing this? I've tried the sysopt command and building a vpn-filter under the policy setting; neither seems to help. Any suggestions would be appreciated.

srue Thu, 08/30/2007 - 08:46

Which sysopt command? permit-vpn?

Do your crypto ACLs allow the communication to said servers? Are you using split tunneling?

Can you post a partial config?

dvanhaaren Thu, 08/30/2007 - 09:04

sysopt connection permit-vpn is the command I used.

This is a client to ASA VPN with no split tunneling.

The ACLs I tried were allowing all traffic from the tunnel-group to the server network.

access-list 10 remark verizonVPN
access-list 10 extended permit ip any 10.3.0.0 255.255.0.0
access-list 10 extended permit ip any 10.2.0.0 255.255.0.0
__________
group-policy verizon attributes
 dns-server value 10.3.1.48 207.78.40.49
 vpn-simultaneous-logins 10
 default-domain value QDINC.net
 vpn-filter value 10
________
tunnel-group verizon type ipsec-ra
tunnel-group verizon general-attributes
 address-pool qdi
 authentication-server-group TACACS+ LOCAL
 default-group-policy verizon
tunnel-group verizon ipsec-attributes
 pre-shared-key *

Correct Answer
srue Thu, 08/30/2007 - 09:34

access-list nat0_acl permit 10.3.0.0 255.255.0.0 remoteaccess_pool
access-list nat0_acl permit 10.2.0.0 255.255.0.0 remoteaccess_pool
nat (inside) 0 access-list nat0_acl

Substitute 'remoteaccess_pool' with whatever the IP range of your actual pool is.
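Added example, not part of the thread or of Cisco's software: a small checker that parses the NAT-exemption ACL in its full ASA form (`extended permit ip SRC MASK DST MASK`) and reports whether a server's return traffic toward a VPN client is exempt from translation. The pool 192.168.100.0/24 is a constructed stand-in for 'remoteaccess_pool', and the set of statics is an assumed input.

```python
"""Check which inside -> VPN-client flows a 'nat (inside) 0 access-list' exempts."""
import ipaddress

# Constructed sample: the two inside networks from the thread plus an assumed
# client address pool (192.168.100.0/24) in place of 'remoteaccess_pool'.
NAT0_ACL = """
access-list nat0_acl remark exempt VPN client traffic from NAT
access-list nat0_acl extended permit ip 10.3.0.0 255.255.0.0 192.168.100.0 255.255.255.0
access-list nat0_acl extended permit ip 10.2.0.0 255.255.0.0 192.168.100.0 255.255.255.0
"""


def _address(tokens, i):
    """Read one ASA address spec at tokens[i]: 'host A.B.C.D' or 'NET MASK'.
    Returns the network and the number of tokens consumed."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), 2


def parse_nat0_acl(text):
    """Return (src_network, dst_network) pairs for every 'extended permit ip'
    entry; remarks and other lines are ignored."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 9 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue
        src, used = _address(t, 5)
        dst, _ = _address(t, 5 + used)
        entries.append((src, dst))
    return entries


def is_nat_exempt(entries, src_ip, dst_ip):
    """True if a packet from src_ip to dst_ip hits a nat 0 entry, i.e. leaves
    the inside interface with its real address untouched."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)


def reachable_from_vpn(entries, server_ip, client_ip, statics=frozenset()):
    """A client in the pool can reach an inside server only if the server's
    return traffic is NAT-exempt or the server has a static (assumed set)."""
    return is_nat_exempt(entries, server_ip, client_ip) or server_ip in statics
```

Servers outside the exempted networks still need a static (or a wider nat 0 entry), which is exactly the symptom described in the question.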

srue Thu, 08/30/2007 - 09:53

you're welcome...and thanks for the rating.
