ASA RA VPN

Answered Question
Sep 24th, 2007

I've just set up a RA VPN on a new ASA5505. I followed documentation from Cisco on getting it set up. I can connect, but I cannot ping anything on the inside. At first I had the vpn pool giving out IPs on the inside but I read that this was incorrect. So I assigned a different IP scheme. I'm just not sure how to make it NAT correctly so that I can get to inside IP addresses. If anyone could help, I would appreciate it.

Thanks!

acomiskey Mon, 09/24/2007 - 10:24

If you could post a config, you would probably get a quick solution. Clean out passwords, public IPs etc.

sonitadmin Mon, 09/24/2007 - 12:12

I've set it so that the vpn pool uses 172.20.50.115-118 as the IPs. I think where I am running into the problem is the fact that there are two internal IP schemes. There is a 172.20.5 network and a 192.168.1 network. With the way it's set now, I can connect and I get a 172.20.50 address and I can ping the 192.168.1 network but I'm not sure how to go about accessing the 172.20.5 network. This is where I need VPN clients to have access to.

Thanks for any help!

acomiskey Mon, 09/24/2007 - 12:25

access-list inside_nat0_outbound extended permit ip 172.20.5.0 255.255.255.0 172.20.50.0 255.255.255.0

That should get you to 172.20.5.0/24. Just make sure that network has a route to the vpn client subnet.

Please rate helpful posts.

sonitadmin Mon, 09/24/2007 - 12:39

I tried that but it didn't work. Could you explain what you mean with "Just make sure that network has a route to the vpn client subnet."

This could be where my problem is.

Thanks!

acomiskey Mon, 09/24/2007 - 12:43

Well, you definitely need the access-list statement I posted above.

Where does 172.20.5.0 sit? If you were sitting on that network, what is your default gateway? Does that gateway know how to route to 172.20.50.0?

If your topology was something like this...

VPN Clients 172.20.50.0 - ASA - 192.168.1.0 -Inside Router - 172.20.5.0

In this case the inside router would need a route like this

ip route 172.20.50.0 255.255.255.0 192.168.1.75

Unless of course 192.168.1.1 is its default route.

acomiskey Mon, 09/24/2007 - 12:47

I made a mistake in my original post above. I did correct it. I had 172.25 instead of 172.20.

access-list inside_nat0_outbound extended permit ip 172.20.5.0 255.255.255.0 172.20.50.0 255.255.255.0

ajagadee Mon, 09/24/2007 - 12:49

Hi,

After checking all the details posted in the previous post by acomiskey:

Also, check and make sure that you have a route on the ASA for the 172.20.5.x network and ping a 172.20.5.x IP address from the ASA.

I hope it helps.

Regards,

Arul

sonitadmin Tue, 09/25/2007 - 12:20

Ok, I entered the access-list inside_nat0_outbound extended permit ip 172.20.5.0 255.255.255.0 172.20.50.0 255.255.255.0 command. I tried pinging the 172.20.5.x network and couldn't get anything. I added a static route on the ASA on the inside port for 172.20.5.0 255.255.255.0 with the gateway of 172.20.5.2. I could then ping 172.20.5.2 from the ASA and from the VPN 172.20.50.115 client but could still not ping anything else on the 172.20.5.0 network.

What am I missing?

acomiskey Tue, 09/25/2007 - 12:28

So you added this statement?

route inside 172.20.5.0 255.255.255.0 172.20.5.2

That doesn't make sense as the gateway to the 172.20.5.0 network is on the 172.20.5.0 network.

Could you give us a topology from a client on the 172.20.5.0 network all the way to the ASA?

sonitadmin Wed, 09/26/2007 - 04:26

Yes, I added the route inside command above.

PC (172.20.5.7) ----Network Switch--(Fiber between two buildings)----DLink(172.20.5.2)-----ASA(192.168.1.75)

Hope this helps.

acomiskey Wed, 09/26/2007 - 04:44

Ok, thanks. I still see a problem that the route you added doesn't really make sense. Doesn't the DLink have an address on the 192.168.1.0 network?

sonitadmin Wed, 09/26/2007 - 05:32

Not that I am aware of. I only know of it with the 172.20.5.2 address.

acomiskey Wed, 09/26/2007 - 07:07

If the dlink is a router and connects the two networks it would have 2 addresses.

PC (172.20.5.7) ----Network Switch--(Fiber between two buildings)----(172.20.5.2)DLink(192.168.1.x)-----ASA(192.168.1.75)

Then your route statement in the ASA would be

route inside 172.20.5.0 255.255.255.0 192.168.1.x

sonitadmin Wed, 09/26/2007 - 07:44

Thanks for all of your help.

I needed the route inside 172.20.5.0 255.255.255.0 192.168.1.x command.

Everything appears to be working correctly now.
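The pieces this thread arrived at, pulled together into one pre-8.3 ASA config fragment as an added example (not config posted by anyone in the thread). Interface names, the pool name VPNPOOL, and the DLink's 192.168.1-side address (192.168.1.2 here) are assumptions; the thread only gives it as 192.168.1.x. The 192.168.1.0/24 exemption line is included for completeness since clients could already reach that network, so an equivalent is presumably already present.

```cisco
! Client pool, deliberately on its own subnet rather than an inside one
ip local pool VPNPOOL 172.20.50.115-172.20.50.118 mask 255.255.255.0

! NAT exemption: traffic between inside networks and the client pool must not be translated
access-list inside_nat0_outbound extended permit ip 172.20.5.0 255.255.255.0 172.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.20.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! The far building sits behind the DLink, so the next hop is the DLink's address on the ASA's inside segment
! (192.168.1.2 is an assumed value), not an address inside 172.20.5.0/24 itself
route inside 172.20.5.0 255.255.255.0 192.168.1.2

! Lets clients behind a PAT device carry ESP inside UDP/4500 (the fix from later in the thread)
crypto isakmp nat-traversal

! Return path: the DLink (or whatever routes for 172.20.5.0/24) needs a route back to the pool
! via the ASA's inside address, in the router's own syntax:
!   ip route 172.20.50.0 255.255.255.0 192.168.1.75

! Checks from the ASA: the route must be present and a host in the far network reachable
! show route
! ping inside 172.20.5.7
```

The two things that bit the original poster are both visible here: a next hop for a subnet must be reachable on a directly connected interface, and the exemption ACL must name every inside network the clients are meant to reach, not just the one the ASA is attached to.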

sonitadmin Thu, 09/27/2007 - 05:20

Ran into another problem this morning. I've tested everything on my end and it works great. Client has a new web server that we are supposed to RDP into once connected to VPN and set up. From my office logged in with our account, I can RDP to the server fine. From a different office, my web developer tries to log in and gets connected fine but can't RDP into the server. Any ideas why it would work from here but not from there?

Thanks!

Correct Answer
acomiskey Thu, 09/27/2007 - 05:23

Check the firewall config for...

crypto isakmp nat-traversal

and add it if it is missing.

sonitadmin Thu, 09/27/2007 - 05:35

It wasn't in there. I added it and it worked. Can you tell me exactly what that command does?

Thanks again for all your help!

acomiskey Thu, 09/27/2007 - 05:43

It enables nat-traversal which allows you to have ipsec esp packets encapsulated in udp. To put it simply, if a vpn client is behind a pat/nat device, ipsec and pat are incompatible, therefore nat-t must be enabled and used. It runs over udp port 4500.
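To make the "ipsec and pat are incompatible" point concrete, here is an added Python example (mine, not from the thread or from Cisco) that builds a raw ESP packet and the same ESP payload encapsulated in UDP/4500 per RFC 3948, then runs both through a toy model of a consumer PAT gateway. All addresses, the SPI and the "ciphertext" bytes are constructed sample values. The PAT model is deliberately simple: it rewrites source address and source port of UDP, and has nothing it can map for protocol 50, which is the behaviour that leaves a client behind PAT connected at IKE level but with no working data path.

```python
"""Why ESP does not survive PAT, and what NAT-T (RFC 3948) changes."""
import ipaddress
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP/4500 is prefixed with 4 zero bytes


def _checksum(data: bytes) -> int:
    """Standard one's-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, TTL 64, fixed ID) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header; checksum 0 means 'none' for IPv4, fine for this demonstration."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header is just SPI + sequence number followed by encrypted data: no ports anywhere."""
    return struct.pack("!II", spi, seq) + ciphertext


def nat_t_encapsulate(esp: bytes) -> bytes:
    """RFC 3948 UDP-encapsulated ESP: UDP 4500->4500, ESP header immediately after UDP.
    The SPI is never zero, so the receiver can tell ESP from IKE (zero marker) on the same port."""
    return build_udp(NAT_T_PORT, NAT_T_PORT, esp)


def parse_ipv4(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], str(ipaddress.ip_address(pkt[12:16])), str(ipaddress.ip_address(pkt[16:20])), pkt[ihl:]


def pat_translate(pkt: bytes, public_ip: str, new_sport: int):
    """Toy PAT gateway: rewrite source IP and source port so many hosts share one public address.
    Returns the translated packet, or None when the protocol offers no port to map (raw ESP)."""
    proto, _src, dst, payload = parse_ipv4(pkt)
    if proto == IPPROTO_ESP:
        return None  # nothing to multiplex on; a real consumer gateway typically drops or mangles this
    if proto == IPPROTO_UDP:
        _sport, dport, _length, _cksum = struct.unpack("!HHHH", payload[:8])
        return build_ipv4(public_ip, dst, proto, build_udp(new_sport, dport, payload[8:]))
    raise ValueError("unsupported protocol %d" % proto)


def classify_nat_t(udp_payload: bytes) -> str:
    """What the VPN headend sees arriving on UDP/4500."""
    return "IKE" if udp_payload[:4] == NON_ESP_MARKER else "ESP"


def demo():
    # Constructed sample: client 192.168.0.10 behind PAT talking to headend 203.0.113.5
    esp = build_esp(spi=0x0000ABCD, seq=1, ciphertext=b"\x10" * 32)
    raw = build_ipv4("192.168.0.10", "203.0.113.5", IPPROTO_ESP, esp)
    natt = build_ipv4("192.168.0.10", "203.0.113.5", IPPROTO_UDP, nat_t_encapsulate(esp))
    return {
        "raw_esp_after_pat": pat_translate(raw, "198.51.100.7", 61000),   # None: dropped
        "nat_t_after_pat": pat_translate(natt, "198.51.100.7", 61000),    # survives, ESP untouched
    }


if __name__ == "__main__":
    result = demo()
    print("raw ESP through PAT:", result["raw_esp_after_pat"])
    proto, src, dst, payload = parse_ipv4(result["nat_t_after_pat"])
    print("NAT-T through PAT:", src, "->", dst, "sport", struct.unpack("!H", payload[:2])[0],
          "payload type", classify_nat_t(payload[8:]))
```

The translated NAT-T packet carries the same ESP bytes as before; only the outer IP and UDP source fields changed, which is exactly the part the headend does not authenticate. That is why the thread's symptom (IKE completes, RDP never connects) shows up from one office and not another: the developer's office sits behind a PAT device and the headend had NAT-T disabled, so ESP was never wrapped in UDP.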
