VPN access

dvanhaaren (Level 1)

I have an ASA5510 running ios 7.2(2). When a client VPN is established they are not able to access any server that does not have a static translation built. Is it necessary to build static translations for every server that needs to be accessed, or is there a simpler way of doing this? I've tried the sysopt command and building a vpn-filter under the policy setting; neither seems to help. Any suggestions would be appreciated.

1 Accepted Solution

5 Replies

srue (Level 7)

Which sysopt command? permit-vpn?

Do your crypto ACLs allow the communication to said servers? Are you using split tunneling?

Can you post a partial config?

sysopt connection permit-vpn is the command I used.

This is a client to ASA VPN with no split tunneling.

The ACLs I tried were allowing all traffic from the tunnel-group to the server network.

access-list 10 remark verizonVPN
access-list 10 extended permit ip any 10.3.0.0 255.255.0.0
access-list 10 extended permit ip any 10.2.0.0 255.255.0.0
__________
group-policy verizon attributes
 dns-server value 10.3.1.48 207.78.40.49
 vpn-simultaneous-logins 10
 default-domain value QDINC.net
 vpn-filter value 10
________
tunnel-group verizon type ipsec-ra
tunnel-group verizon general-attributes
 address-pool qdi
 authentication-server-group TACACS+ LOCAL
 default-group-policy verizon
tunnel-group verizon ipsec-attributes
 pre-shared-key *

access-list nat0_acl extended permit ip 10.3.0.0 255.255.0.0 remoteaccess_pool
access-list nat0_acl extended permit ip 10.2.0.0 255.255.0.0 remoteaccess_pool
nat (inside) 0 access-list nat0_acl

Substitute 'remoteaccess_pool' with whatever the IP range (network and mask) of your actual pool is.
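As an added illustration that is not part of this thread, the following Python script models the inside-to-client translation decision the accepted answer relies on: an ASA 7.x checks the NAT-exemption ACL bound with `nat (inside) 0 access-list` before any `static`, so once the server subnets are exempted towards the pool, replies to VPN clients need no per-server static. The config lines, the pool 192.0.2.0/24 and the static for 10.3.1.10 are constructed for the example; the decision order is simplified to exemption, then static, then "no translation" (the failing case the original poster describes).

```python
"""Simplified model of ASA 7.x NAT handling for packets from inside servers
back to remote-access VPN clients (constructed example, not from the thread)."""
import ipaddress
import re

# static (real_if,mapped_if) MAPPED REAL netmask MASK
STATIC_RE = re.compile(r"^static\s+\((\S+),(\S+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)$")


def _net(addr, mask):
    """Build a network from an address and dotted mask (ASA ACL/static style)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host A', or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Return (acls, nat0, statics) from ASA-style lines.

    acls:    name -> list of (src_net, dst_net) for 'permit ip' entries
    nat0:    interface -> ACL name bound with 'nat (if) 0 access-list NAME'
    statics: list of (real_if, real_net, mapped_net)
    """
    acls, nat0, statics = {}, {}, []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "access-list":
            rest = tokens[2:]
            if rest and rest[0] == "remark":
                continue
            if rest and rest[0] == "extended":
                rest = rest[1:]
            if rest[:2] != ["permit", "ip"]:
                continue  # only 'permit ip' entries matter for exemption in this model
            src, rest = _endpoint(rest[2:])
            dst, _ = _endpoint(rest)
            acls.setdefault(tokens[1], []).append((src, dst))
        elif tokens[0] == "nat" and len(tokens) >= 5 and tokens[2:4] == ["0", "access-list"]:
            nat0[tokens[1].strip("()")] = tokens[4]
        elif tokens[0] == "static":
            m = STATIC_RE.match(raw.strip())
            if m:
                real_if, _mapped_if, mapped, real, mask = m.groups()
                statics.append((real_if, _net(real, mask), _net(mapped, mask)))
    return acls, nat0, statics


def inside_translation(cfg, server_ip, client_ip, interface="inside"):
    """Decide how a reply from an inside server to a VPN client is handled.

    'exempt'         -> matched the nat 0 ACL, forwarded untranslated
    'static'         -> server has a static translation, forwarded
    'no-translation' -> neither rule applies; the client cannot reach the server
    """
    acls, nat0, statics = cfg
    s, c = ipaddress.ip_address(server_ip), ipaddress.ip_address(client_ip)
    for src, dst in acls.get(nat0.get(interface, ""), []):
        if s in src and c in dst:
            return "exempt"
    for real_if, real, _mapped in statics:
        if real_if == interface and s in real:
            return "static"
    return "no-translation"


def translation_table(config_text, servers, client_ip):
    """Map each server address to its translation outcome for one VPN client."""
    cfg = parse_config(config_text)
    return {srv: inside_translation(cfg, srv, client_ip) for srv in servers}


# Constructed configs: only a static for one server, then with the nat 0 exemption
# for 10.3.0.0/16 and 10.2.0.0/16 towards a constructed pool of 192.0.2.0/24.
BEFORE = "static (inside,outside) 203.0.113.10 10.3.1.10 netmask 255.255.255.255\n"
AFTER = BEFORE + (
    "access-list nat0_acl extended permit ip 10.3.0.0 255.255.0.0 192.0.2.0 255.255.255.0\n"
    "access-list nat0_acl extended permit ip 10.2.0.0 255.255.0.0 192.0.2.0 255.255.255.0\n"
    "nat (inside) 0 access-list nat0_acl\n"
)
SERVERS = ["10.3.1.10", "10.3.1.48", "10.2.5.5", "10.9.9.9"]

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, translation_table(text, SERVERS, "192.0.2.20"))
```

Running the script shows the thread's symptom and its fix side by side: before the exemption only 10.3.1.10 (the server with a static) is reachable; after it every server in the exempted subnets is, while a host outside those subnets, or a client outside the pool, still gets no translation.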

That seems to have worked.

I thank you kind sir.

David

You're welcome... and thanks for the rating.
