01-19-2008 03:35 PM - edited 02-21-2020 03:29 PM
I used the wizard to set up my VPN. I'm sorry I'm not a Cisco guru by any means.
My current situation is that I can VPN in fine and ping my inside/internal LAN interface, but I cannot ping past it. I can't pass anything past it whatsoever.
I also noticed that I didn't receive a default gateway from my dhcp address on the clients Cisco VPN adapter. I manually added it though, and can fix that issue myself later.
The "VPNUser" group and user "longdrive" are how I'm authenticating. Any assistance is greatly appreciated; I'm not a NAT or ACL fan. I'm a Windows admin :)
Config attached.
v/r
Jim
01-19-2008 03:37 PM
01-19-2008 07:06 PM
Add management-access inside statement in your config.
Rgds
Jorge
01-19-2008 07:15 PM
That's it?
I failed to mention that I could use the ASDM tool, if that matters whatsoever.
I'll add that statement when I get in tomorrow and get back to you.
Thanks!
01-19-2008 07:41 PM
That should resolve your problem for LAN access through the VPN session. Try that and post results.
01-20-2008 10:14 AM
'management-access inside' isn't for LAN access. That's for accessing the inside interface of the PIX/ASA over a VPN connection, nothing else.
He is probably better off trying 'sysopt connection permit-ipsec' or 'sysopt connection permit-vpn', depending on OS version.
....
And it looks like he already has the command 'management-access Internal'... that's why he's able to ping/ASDM to the inside interface over the VPN.
01-20-2008 10:34 AM
I just got to the office.
I added the "sysopt connection permit-ipsec" command and it took it successfully.
Testing VPN now.
01-20-2008 11:14 AM
I've managed to get networks pingable, but things like http, dns, mstsc will not work.
Suggestions?
01-20-2008 02:14 PM
make sure whatever hosts you're trying to connect to over the vpn are allowed over the vpn - if you can ping them over the vpn, they are probably allowed.
Do you have any ACL's on the inside/Internal interface? make sure you're connecting to the right address in the vpn, whether you specified an external or internal IP, it should be the same that you are trying to connect to.
01-20-2008 02:32 PM
The only ACL is one I put on that is all services, permit any any.
I'm starting to go nuts. I can't ping anything anymore other than the inside interface; nothing really seems to be working except the following:
-VMware VI client console to a host I can't ping
-ASDM
I'm getting very confused :)
New config attached.
01-20-2008 02:33 PM
01-20-2008 02:50 PM
Re-add the command sysopt connection permit-ipsec.
Take out the split tunneling from your group policy; it looks like you don't want to do split tunneling anyway, based on your tunnel ACL.
Are you actually using the crypto map applied to the inside interface?
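The advice in this post and in the earlier reply about sysopt versus management-access, shown as one constructed ASA configuration fragment. This is an added example, not the poster's attached config or a Cisco reference; the interface name "Internal" and group-policy name "VPNUser" come from the thread, while the address pool, LAN subnet, DNS server and the NAT-exemption entry (a step the thread does not reach) are assumptions.

```cisco
! Constructed ASA 7.x/8.0-8.2 remote-access VPN fragment (pre-8.3 NAT syntax).
!
! 1. Let decrypted VPN traffic bypass the interface ACLs. On ASA code this is
!    enabled by default and therefore hidden from plain "show running-config";
!    the "all" form of the command below confirms whether it is in effect.
sysopt connection permit-vpn
! On older PIX/ASA 7.0 images the same setting is spelled:
! sysopt connection permit-ipsec
!
! 2. management-access only allows VPN clients to reach the inside interface
!    itself (ping, ASDM, SSH). It does not forward traffic to hosts behind it,
!    which is why the poster can ping the interface but nothing past it.
management-access Internal
!
! 3. No split tunneling: every client packet goes down the tunnel, so the
!    client's missing default gateway on the VPN adapter no longer matters.
group-policy VPNUser attributes
 split-tunnel-policy tunnelall
 dns-server value 10.1.1.10
!
! 4. Assumed: exempt LAN-to-pool traffic from NAT so replies to VPN clients
!    (pool 192.168.50.0/24, LAN 10.1.1.0/24 are placeholder values) are not
!    translated on the way back into the tunnel.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (Internal) 0 access-list NONAT
!
! Verification:
! show running-config all sysopt   <- lists permit-vpn even when it is the default
! show crypto ipsec sa             <- both encaps and decaps counters should climb
```

If only the encaps counter increases while decaps stays at zero, the LAN side is not returning traffic to the pool, which points at NAT or routing on the inside rather than at the VPN itself.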
01-20-2008 02:55 PM
My whole goal here is to get this VPN set up so I can build the rest of the network/servers remotely (VMware ESX server and MS Terminal Services). I'm not horribly concerned with the security yet, hence the wide-open ACL.
I'm actually back out of the office now and was just trying to tweak the VPN from my home. Needless to say, I just broke it and I'll have to go back into the office to make it half work again. I'll add/remove those commands as soon as I can and repost the results.
Thanks again.
01-24-2008 03:43 PM
Sorry about the delay here.
I've got back to the point of establishing a tunnel fine, using ASDM, web access to my inside interface, and pinging my inside interface... still NO traffic past the inside.
I've added the sysopt connection permit-ipsec command, but it doesn't seem to show up in my show run.
Attached is the newest config.
I'm not going to touch it whatsoever without guidance now, no more guesswork for me.
Thanks,
Jim
01-24-2008 03:45 PM