VPN Auth fine, but no LAN access

Unanswered Question
Jan 19th, 2008

I used the wizard to set up my VPN. I'm sorry I'm not a Cisco guru by any means.


My current situation is that I can VPN in fine, and ping my inside/internal LAN interface, but I cannot ping past it. I can't pass anything past it whatsoever.


I also noticed that I didn't receive a default gateway from my DHCP address on the client's Cisco VPN adapter. I manually added it though, and can fix that issue myself later.


The "VPNUser" group and user "longdrive" are how I'm authenticating. Please, any assistance is greatly appreciated; I'm not a NAT or ACL fan. I'm a Windows admin :)


Config attached.


v/r

Jim



JORGE RODRIGUEZ Sat, 01/19/2008 - 19:06

Add management-access inside statement in your config.


Rgds

Jorge

jamesk1792 Sat, 01/19/2008 - 19:15
That's it?


I failed to mention that I could use the ASDM tool, if that matters whatsoever.


I'll add that statement when I get in tomorrow and get back to you.


Thanks!

JORGE RODRIGUEZ Sat, 01/19/2008 - 19:41

That should resolve your problem for LAN access through the VPN session. Try that and post results.

srue Sun, 01/20/2008 - 10:14

'management-access inside' isn't for LAN access. That's for accessing the inside interface of the PIX/ASA over a VPN connection, nothing else.

He is probably better off trying 'sysopt connection permit-ipsec' or 'sysopt connection permit-vpn', depending on OS version.

And it looks like he already has the command 'management-access Internal'... that's why he's able to ping/ASDM to the inside interface over the VPN.

jamesk1792 Sun, 01/20/2008 - 10:34
I just got to the office.


I added the "sysopt connection permit-ipsec" command and it took it successfully.


Testing VPN now.

jamesk1792 Sun, 01/20/2008 - 11:14
I've managed to get networks pingable, but things like HTTP, DNS, and mstsc will not work.


Suggestions?

srue Sun, 01/20/2008 - 14:14

Make sure whatever hosts you're trying to connect to over the VPN are allowed over the VPN. If you can ping them over the VPN, they are probably allowed.

Do you have any ACLs on the inside/Internal interface? Make sure you're connecting to the right address in the VPN: whether you specified an external or internal IP, it should be the same one that you are trying to connect to.

jamesk1792 Sun, 01/20/2008 - 14:32
The only ACL is one I put on that is all services, permit any any.


I'm starting to go nuts. I can't ping anymore other than the inside interface; nothing really seems to be working except the following:


-VMware VI Client console to a host I can't ping

-ASDM


I'm getting very confused :)


New config attached.


srue Sun, 01/20/2008 - 14:50

Re-add the command sysopt connection permit-ipsec.


Take out the split tunneling from your group policy; it looks like you don't want to do split tunneling anyway, based on your tunnel ACL.

Are you actually using the crypto map applied to the inside interface?
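
The commands discussed in this thread, shown together as a config fragment for an ASA running 7.x. This is an added example, not Jim's attached config; the interface name "inside", the group-policy name, and the DNS server address are assumed:

```cisco
! Let decrypted VPN traffic bypass the interface ACL.
! 7.0 uses "permit-ipsec"; 7.1 and later renamed it "permit-vpn".
! On 7.1+ it is on by default and therefore hidden from "show run";
! use "show running-config all sysopt" to confirm it is in effect.
sysopt connection permit-vpn

! Only allows VPN clients to reach the inside interface itself
! (ping, ASDM); it does not grant access to hosts behind it.
management-access inside

! Full tunnel: no split-tunnel-policy / split-tunnel-network-list,
! so all client traffic, including DNS, goes through the tunnel.
group-policy VPNUser internal
group-policy VPNUser attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 dns-server value 10.0.0.10
```

The address 10.0.0.10 stands in for an internal DNS server reachable over the tunnel; replace it with your own.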

jamesk1792 Sun, 01/20/2008 - 14:55
My whole goal here is to get this VPN set up so I can build the rest of the network/servers remotely (VMware ESX Server and MS Terminal Services). I'm not horribly concerned with the security yet, hence the wide-open ACL.


I'm actually back out of the office now and was just trying to tweak the VPN from my home. Needless to say, I just broke it and I'll have to go back into the office to make it half work again. I'll add/remove those commands as soon as I can and repost the results.


Thanks again.



jamesk1792 Thu, 01/24/2008 - 15:43
Sorry about the delay here.


I've got back to the point of establishing a tunnel fine, using ASDM, web access to my inside interface, and pinging my inside interface... NO traffic past the inside still.


I've added the sysopt connection permit-ipsec command, but it doesn't seem to show up in my show run.


Attached is the newest config.


I'm not going to touch it whatsoever without guidance now, no more guesswork for me.


Thanks,

Jim

jamesk1792 Sat, 02/02/2008 - 11:42
So I wiped the entire device today, and here is the new config.


CAN:

-Authenticate

-Ping 2x ESX hosts consistently.

-Ping VM machines on the ESX hosts 1 time, then the rest time out (may be an ESX issue somehow, but I don't see it internally)

-Open ASDM web console

-Open ESX web console


CAN'T:

-Ping VM machines more than once

-Resolve DNS

-Use Terminal Services

-Pretty much everything


I would love assistance if anyone is still reading this thread at all. The config is brand new and should be pretty easy to weed through.


