01-04-2008 05:45 PM - edited 03-11-2019 04:43 AM
We have set up an ASA as a VPN server. We can establish the VPN, but can't access any remote computers. The configuration can be found here: http://www.howtonetworking.com/vista/vistavpn.htm
01-05-2008 06:03 AM
Can't see your config but might be a nat-t problem. Add isakmp nat-traversal or crypto isakmp nat-traversal.
01-05-2008 06:30 AM
Sorry. This is the configuration.
http://www.howtocisco.com/cisco/samples/5510config1.htm
Can you give me step-by-step details? Thanks.
01-05-2008 08:29 AM
I only see about the last 30 lines of the config.
01-05-2008 10:16 AM
Sorry, I just re-posted it.
01-05-2008 12:53 PM
add this command...
isakmp nat-traversal
01-05-2008 04:48 PM
Thank you. Will try that Monday and post back with the result.
01-08-2008 11:51 AM
Still doesn't work. From the ASA I can ping an inside computer by IP, but can't ping it from the VPN client. Any other suggestions?
01-08-2008 12:03 PM
You don't need these...
no access-list inside_nat0_inbound extended permit ip any 192.168.198.0 255.255.255.0
no access-list inside_nat0_inbound extended permit tcp 192.168.198.0 255.255.255.0 10.0.0.0 255.255.0.0
no nat (inside) 0 access-list inside_nat0_inbound outside
01-08-2008 12:39 PM
Thank you for the quick reply. I took those lines off, but still can't ping. Here is part of the configuration:
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.198 255.255.255.224
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.0.0.4 255.255.0.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 172.16.252.254 255.255.0.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 192.168.198.0 255.255.255.0
access-list DMZ_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.198.0 255.255.255.0
access-list test_splitTunnelAcl standard permit any
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
ip local pool vpn198 192.168.198.10-192.168.198.254 mask 255.255.255.0
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list DMZ_nat0_outbound
nat (DMZ) 10 172.16.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
wins-server value 10.0.0.29 10.0.0.19
dns-server value 10.0.0.29 10.0.0.19
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl
default-domain value chicagotech.net
webvpn
group-policy CBGVPN198 internal
group-policy CBGVPN198 attributes
wins-server value 10.0.0.29 10.0.0.19
dns-server value 10.0.0.29 10.0.0.19
split-tunnel-policy tunnelall
default-domain value chicagotech.net
webvpn
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value inside_nat0_inbound
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
vpn-group-policy CBGVPN198
01-08-2008 12:53 PM
Sorry, it works. The problem is that all inside computers' default gateway is pointing to a PIX firewall. If I change a computer's default gateway to the ASA, the VPN client can ping that computer. We don't plan to replace the PIX as the default gateway. We just want to use this ASA as a VPN server. How can we configure it so that the VPN client can access the LAN resources? Should we make the VPN IP pool 10.0.0.0/16?
01-08-2008 01:33 PM
Do you have an inside router?
What version is the pix?
You don't want the address pool to be the same as the inside.
If all else fails, you would have to create persistent routes on your inside hosts to the VPN client subnet.
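The return-path problem discussed in this thread, as an added example that is not from any poster: an inside host reached through the ASA answers via its default gateway (the PIX), which has no route to the VPN pool, so replies never come back through the tunnel. The script models an inside host's routing table with longest-prefix matching, checks the pool-overlap point made above, and builds the route statements for the PIX (same `route <if> <net> <mask> <gw> <metric>` form as the `route outside` line in the posted config) and for a Windows host (`route -p add`). The PIX inside address 10.0.0.1 is constructed; the thread does not give it.

```python
import ipaddress

INSIDE_NET = "10.0.0.0/16"          # from the posted config (Ethernet0/1)
ASA_INSIDE = "10.0.0.4"             # ASA inside interface, from the posted config
PIX_GW = "10.0.0.1"                 # constructed: hosts' default gateway (the PIX)
VPN_POOL = "192.168.198.0/24"       # ip local pool vpn198, from the posted config

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs.
    gateway None means the destination is directly connected."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def host_routes(extra=()):
    """Routing table of an inside host: connected LAN, default to the PIX,
    plus any persistent routes added by the admin."""
    return [(INSIDE_NET, None), ("0.0.0.0/0", PIX_GW)] + list(extra)

def pool_overlaps_inside(pool=VPN_POOL, inside=INSIDE_NET):
    """True when the VPN pool collides with the inside subnet (the 10.0.0.0/16 idea)."""
    return ipaddress.ip_network(pool).overlaps(ipaddress.ip_network(inside))

def return_path_symmetric(routes, client_ip):
    """True when the host's reply to a VPN client goes back to the ASA that
    delivered the request, instead of to the PIX default gateway."""
    return next_hop(routes, client_ip) == ASA_INSIDE

def fix_commands(pool=VPN_POOL, asa=ASA_INSIDE):
    """Static routes that send pool-bound traffic to the ASA: one for the PIX,
    one persistent host route for a Windows machine if the PIX cannot be changed."""
    pool = ipaddress.ip_network(pool)
    return {
        "pix": f"route inside {pool.network_address} {pool.netmask} {asa} 1",
        "windows_host": f"route -p add {pool.network_address} mask {pool.netmask} {asa}",
    }

if __name__ == "__main__":
    client = "192.168.198.10"
    print("pool overlaps inside:", pool_overlaps_inside())
    print("reply goes to:", next_hop(host_routes(), client))
    print("symmetric without route:", return_path_symmetric(host_routes(), client))
    print("symmetric with host route:",
          return_path_symmetric(host_routes([(VPN_POOL, ASA_INSIDE)]), client))
    for name, cmd in fix_commands().items():
        print(f"{name}: {cmd}")
```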
01-08-2008 01:59 PM
I also tried to use the inside DHCP server to assign an IP to the VPN client. The VPN client receives all TCP/IP settings such as IP, DNS, WINS and DHCP server, except the default gateway. The default gateway is the VPN client's own IP. After that, the inside computers can ping the VPN client, but the VPN client can't ping the inside computers. Why? Should the VPN client use its own IP as the default gateway? If not, how do you fix it?
01-08-2008 05:52 PM
OK, I think we had a network problem after I added the inside IP pool or used inside DHCP. Some of the computers could not access their Outlook. So, I should use an inside IP, right?
Can I add a route command on the PIX to route all VPN traffic to the ASA? If yes, what's the command?