Can't access remote computer via VPN

Unanswered Question
Jan 4th, 2008

We have set up the ASA as a VPN server. We can establish the VPN, but can't access any remote computers. The configuration can be found here: http://www.howtonetworking.com/vista/vistavpn.htm

acomiskey Sat, 01/05/2008 - 06:03

Can't see your config but might be a nat-t problem. Add isakmp nat-traversal or crypto isakmp nat-traversal.

chicagotech Tue, 01/08/2008 - 11:51

Still doesn't work. From the ASA I can ping inside computer by IP, but can't ping from the VPN client. Any other suggestions?

acomiskey Tue, 01/08/2008 - 12:03

You don't need these...

no access-list inside_nat0_inbound extended permit ip any 192.168.198.0 255.255.255.0
no access-list inside_nat0_inbound extended permit tcp 192.168.198.0 255.255.255.0 10.0.0.0 255.255.0.0
no nat (inside) 0 access-list inside_nat0_inbound outside

chicagotech Tue, 01/08/2008 - 12:39

Thank you for the quick reply. I took those lines off, but still can't ping. Here is part of the configuration:

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.198 255.255.255.224
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.0.0.4 255.255.0.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.252.254 255.255.0.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 192.168.198.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.198.0 255.255.255.0
access-list test_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
ip local pool vpn198 192.168.198.10-192.168.198.254 mask 255.255.255.0
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 10 172.16.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
 wins-server value 10.0.0.29 10.0.0.19
 dns-server value 10.0.0.29 10.0.0.19
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value test_splitTunnelAcl
 default-domain value chicagotech.net
 webvpn
group-policy CBGVPN198 internal
group-policy CBGVPN198 attributes
 wins-server value 10.0.0.29 10.0.0.19
 dns-server value 10.0.0.29 10.0.0.19
 split-tunnel-policy tunnelall
 default-domain value chicagotech.net
 webvpn
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value inside_nat0_inbound
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
vpn-group-policy CBGVPN198

chicagotech Tue, 01/08/2008 - 12:53

Sorry, it works. The problem is that all inside computers' default gateway is pointing to a PIX firewall. If I change the computer's default gateway to the ASA, the VPN client can ping the computer. We don't have a plan to replace the PIX as the default gateway. We just want to use this ASA as a VPN server. How can we configure it so that the VPN client can access the LAN resources? Should we make the VPN IP pool 10.0.0.0/16?

acomiskey Tue, 01/08/2008 - 13:33

Do you have an inside router?

What version is the pix?

You don't want the address pool to be the same as the inside.

If all else fails you would have to create persistent routes on your inside hosts to the VPN client subnet.

chicagotech Tue, 01/08/2008 - 13:59

I also tried to use the inside DHCP server to assign an IP to the VPN client. The VPN client receives all TCP/IP settings such as IP, DNS, WINS and DHCP server except the default gateway. The default gateway is the VPN client IP. After that, the inside computers can ping the VPN client, but the VPN client can't ping the inside computers. Why? Should the VPN client use its own IP as the default gateway? If not, how do you fix it?

chicagotech Tue, 01/08/2008 - 17:52

OK, I think we had a network problem after I added the inside IP pool or used inside DHCP. Some of the computers could not access their Outlook. So I should use an inside IP, right?

Can I add a route command on the PIX to route all VPN traffic to the ASA? If yes, what's the command?
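The whole thread comes down to asymmetric return routing: the VPN client's packet reaches the inside host through the ASA, but the host's reply follows its default gateway (the PIX), which has no route for 192.168.198.0/24 and sends it out to the Internet. The script below is an added illustration, not anything posted in the thread or shipped by Cisco: it models each device's routing table and walks a ping in both directions, first with the thread's topology as described, then with a route for the VPN pool added on the PIX, and then with a persistent route on the host instead. The ASA inside address 10.0.0.4/16, the pool 192.168.198.0/24, the pool's first address 192.168.198.10 and the host 10.0.0.29 come from the posted config; the PIX inside address 10.0.0.1 and the "internet" node that drops private addresses are assumptions.

```python
"""Route-table walk showing why the VPN client's ping gets no answer.

Constructed model of the thread's topology (not the poster's config):
  - ASA inside 10.0.0.4/16, VPN pool 192.168.198.0/24 (from the thread)
  - PIX at 10.0.0.1 as the LAN default gateway (address is an assumption)
  - inside host 10.0.0.29, VPN client 192.168.198.10 (sample addresses)
"""
import copy
import ipaddress

# Which node owns which address; used to deliver "connected" traffic on-link.
OWNERS = {
    "192.168.198.10": "client",
    "10.0.0.4": "asa",
    "10.0.0.1": "pix",
    "10.0.0.29": "host",
}

# Per-node routing tables as (prefix, next hop). "connected" means deliver
# on-link; any other value names the node the packet is handed to.
BROKEN = {
    "client": [("192.168.198.0/24", "connected"), ("0.0.0.0/0", "asa")],  # tunnelall
    "asa": [("10.0.0.0/16", "connected"), ("192.168.198.0/24", "connected"),
            ("0.0.0.0/0", "internet")],                                  # route outside 0/0
    "pix": [("10.0.0.0/16", "connected"), ("0.0.0.0/0", "internet")],
    "host": [("10.0.0.0/16", "connected"), ("0.0.0.0/0", "pix")],        # default gw = PIX
    "internet": [],  # assumption: RFC 1918 space is not routed, so anything here is dropped
}


def lookup(table, dst):
    """Longest-prefix match: next hop for dst, or None if the table has no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else best[1]


def trace(tables, src_node, dst):
    """Forward one packet hop by hop. Returns (delivered, list of nodes visited)."""
    path = [src_node]
    node = src_node
    for _ in range(16):  # hop limit guards against routing loops
        nexthop = lookup(tables[node], dst)
        if nexthop is None:
            return False, path  # no route: dropped at this node
        if nexthop == "connected":
            owner = OWNERS.get(dst)
            if owner is None:
                return False, path  # nobody answers ARP for it
            if owner != node:
                path.append(owner)
            return True, path
        path.append(nexthop)
        node = nexthop
    return False, path  # TTL exceeded


def round_trip(tables, a_node, a_ip, b_node, b_ip):
    """Ping semantics: both directions must deliver, or the reply never arrives."""
    fwd_ok, fwd = trace(tables, a_node, b_ip)
    rev_ok, rev = trace(tables, b_node, a_ip)
    return fwd_ok and rev_ok, fwd, rev


def with_pix_route(tables):
    """Fix 1: the PIX gets a static route for the pool pointing at the ASA."""
    fixed = copy.deepcopy(tables)
    fixed["pix"].insert(0, ("192.168.198.0/24", "asa"))
    return fixed


def with_host_route(tables):
    """Fix 2: a persistent route on the host itself (acomiskey's fallback)."""
    fixed = copy.deepcopy(tables)
    fixed["host"].insert(0, ("192.168.198.0/24", "asa"))
    return fixed


if __name__ == "__main__":
    cases = [("broken", BROKEN),
             ("pix route", with_pix_route(BROKEN)),
             ("host route", with_host_route(BROKEN))]
    for label, t in cases:
        ok, fwd, rev = round_trip(t, "client", "192.168.198.10", "host", "10.0.0.29")
        print(f"{label:10s} ping ok={ok}  client->host {fwd}  host->client {rev}")
```

In the broken case the forward path is client, asa, host, while the reply goes host, pix, internet and is dropped, which matches the symptom that only the ASA itself can ping the host. The model's "pix route" fix corresponds to a static route on the PIX of the form `route inside 192.168.198.0 255.255.255.0 10.0.0.4 1` (standard PIX/ASA syntax, interface name assumed to be `inside`), and the "host route" fix to a per-host persistent route such as `route -p add 192.168.198.0 mask 255.255.255.0 10.0.0.4` on Windows. The model also shows why the pool must not overlap 10.0.0.0/16: the ASA's connected route for the LAN would then also match the clients' addresses, and longest-prefix matching can no longer tell tunnel traffic from LAN traffic.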
