VPN Auth fine, but no LAN access

jamesk1792
Level 1

I used the wizard to set up my VPN. I'm sorry I'm not a Cisco guru by any means.

My current situation is that I can VPN in fine, and ping my inside/internal LAN interface, but I can not ping past it. I can't pass anything past it whatsoever.

I also noticed that I didn't receive a default gateway from my DHCP address on the client's Cisco VPN adapter. I manually added it though, and can fix that issue myself later.

The "VPNUser" group, and user "longdrive" is how I'm authenticating. Please any assistance is greatly appreciated, I'm not a NAT or ACL fan. I'm a windows admin :)

Config attached.

v/r

Jim

15 Replies

jamesk1792
Level 1

had to pull the original attachment, private info.

Add management-access inside statement in your config.

Rgds

Jorge

Jorge Rodriguez

That's it?

I failed to mention that I could use the ASDM tool, if that mattered whatsoever.

I'll add that statement when I get in tomorrow and get back to you.

Thanks!

That should resolve your problem for LAN access through the VPN session. Try that and post results.

Jorge Rodriguez

'management-access inside' isn't for LAN access. That's for accessing the inside interface of the PIX/ASA over a VPN connection, nothing else.

He is probably better off trying 'sysopt connection permit-ipsec' or 'sysopt connection permit-vpn', depending on OS version

....

And it looks like he already has the command 'management-access Internal'... that's why he's able to ping/ASDM to the inside interface over the VPN.

I just got to the office.

I added the "sysopt connection permit-ipsec" command and it took it successfully.

Testing VPN now.

I've managed to get networks pingable, but things like http, dns, mstsc will not work.

Suggestions?

make sure whatever hosts you're trying to connect to over the vpn are allowed over the vpn - if you can ping them over the vpn, they are probably allowed.

Do you have any ACLs on the inside/Internal interface? Make sure you're connecting to the right address in the VPN; whether you specified an external or internal IP, it should be the same one that you are trying to connect to.

The only ACL is one I put on that is all services, permit any any.

I'm starting to go nuts. I can't ping anything anymore other than the inside interface; nothing really seems to be working except the following:

-VMware VI Client console to a host I can't ping

-ASDM

I'm getting very confused :)

New config attached.

jamesk1792
Level 1

I lied. Now it's attached.

re-add the command sysopt connection permit-ipsec

Take out the split tunneling from your group policy; it looks like you don't want to do split tunneling anyway, based on your tunnel ACL.

Are you actually using the crypto map applied to the inside interface?
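As an added illustration (not config from the thread or from Jim's attachment), the ASA fragment below puts the two pieces of advice from the replies above side by side: the sysopt setting that lets decrypted VPN traffic past the interface ACLs, the removal of split tunneling from the group policy, and the management-access line that only grants access to the inside interface itself. The group-policy name VPNUser is taken from the thread; the interface name "inside" and the ACL name "split-tunnel-acl" are assumed placeholders, and the exact sysopt keyword depends on the ASA release, as Jorge noted.

```cisco
! Added example, not the poster's running config. Names marked as
! placeholders are assumptions.
!
! 1. Split tunneling: the thread suggests dropping it, since the tunnel
!    ACL already covers everything. "split-tunnel-acl" is a placeholder.
group-policy VPNUser attributes
  no split-tunnel-network-list value split-tunnel-acl
  split-tunnel-policy tunnelall
!
! 2. Let decrypted VPN traffic bypass the interface access-lists.
!    Older releases use "permit-ipsec", newer ones "permit-vpn".
!    On releases where this is the default it is NOT shown by a plain
!    "show running-config"; check it with "show running-config all sysopt".
sysopt connection permit-vpn
!
! 3. Only needed to reach the inside interface itself over the tunnel
!    (ping, ASDM, https). It does not grant access to hosts behind it.
management-access inside
```

The practical check after applying this is to confirm the sysopt line with "show running-config all sysopt" rather than "show run", which explains why a freshly entered sysopt command can appear to vanish on some versions.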

My whole goal here is to get this VPN set up so I can build the rest of the network/servers remotely (VMware ESX server and MS Terminal Services). I'm not horribly concerned with the security yet, hence the wide-open ACL.

I'm actually back out of the office now and was just trying to tweak the VPN from my home. Needless to say, I just broke it and I'll have to go back into the office to make it half work again. I'll add/remove those commands as soon as I can and repost the results.

Thanks again.

Sorry about the delay here.

I've got back to the point of establishing a tunnel fine, using ASDM, web access to my inside interface, and pinging my inside interface... still NO traffic past the inside.

I've added the sysopt connection permit-ipsec command, but it doesn't seem to show up in my show run.

Attached is the newest config.

I'm not going to touch it whatsoever without guidance now, no more guesswork for me.

Thanks,

Jim

forgot the attachment... again.
