696 Views, 0 Helpful, 7 Replies

ASA VPN Configuration

welaish77
Level 1

When I connect, the client says LAN Access is disabled, and the check box in the client is checked, but I am not able to ping any server in the LAN. Below is the ASA configuration.

ASA Version 7.0(6)
!
hostname HCASA
domain-name default.domain.invalid
enable password NjVk0ak/KEllGQF7 encrypted
names
name 172.19.134.34 i_ibrahim
name 172.19.134.35 i_wael
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 83.111.190.178 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 172.19.134.22 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
no ip address
management-only
!
passwd NjVk0ak/KEllGQF7 encrypted
ftp mode passive
dns domain-lookup outside
dns name-server 213.42.20.20
access-list acl_out extended permit icmp any any
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 172.19.134.61-172.19.134.70 mask 255.255.255.0
no failover
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.19.134.0 255.255.255.0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 83.111.191.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy afhcvpn internal
group-policy afhcvpn attributes
dns-server value 172.19.134.2
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
default-domain value test.com
webvpn
username username password password encrypted privilege 15
username username password password encrypted
http server enable
http i_wael 255.255.255.255 inside
http 172.19.134.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set esp-3des-sha
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 288000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp nat-traversal 20
tunnel-group afhcvpn type ipsec-ra
tunnel-group afhcvpn general-attributes
address-pool vpnpool
tunnel-group afhcvpn ipsec-attributes
pre-shared-key *
telnet i_wael 255.255.255.255 inside
telnet i_ibrahim 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:55672133bd1911826fe2d31b2a360b0e
HCASA#
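Before adding more access rules, a practitioner would first check a few things in the posted 7.x configuration: whether the VPN pool overlaps the inside interface subnet, whether the split-tunnel list names a defined access-list, and whether a `nat (inside) 0 access-list` NAT exemption exists so that inside-to-client traffic is not PATed by the `nat (inside) 1` / `global (outside) 1 interface` pair. The audit below is an added example, not part of the thread or any Cisco tool; the config excerpt is a constructed subset of the lines above, and the `nonat` ACL name used in the corrected variant is an assumption.

```python
import ipaddress

# Constructed excerpt of the flat ASA 7.0(6) config posted above (only the lines the checks read).
ASA_CONFIG = """\
interface Ethernet0/1
nameif inside
ip address 172.19.134.22 255.255.255.0
access-list Local_LAN_Access standard permit host 0.0.0.0
ip local pool vpnpool 172.19.134.61-172.19.134.70 mask 255.255.255.0
nat (inside) 1 172.19.134.0 255.255.255.0
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
"""


def parse(cfg):
    """Collect interface subnets, address pools, ACL names, NAT-exemption ACLs and the split-tunnel list."""
    ifaces, pools, acls, nat0, split, cur = {}, {}, set(), [], None, None
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] == "interface":
            cur = ifaces.setdefault(w[1], {})
        elif w[0] == "nameif" and cur is not None:
            cur["nameif"] = w[1]
        elif w[:2] == ["ip", "address"] and cur is not None:
            cur["net"] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}").network
        elif w[:3] == ["ip", "local", "pool"]:
            lo, hi = w[4].split("-")
            pools[w[3]] = (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
        elif w[0] == "access-list":
            acls.add(w[1])
        elif w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            nat0.append(w[4])  # NAT exemption, e.g. "nat (inside) 0 access-list nonat"
        elif w[0] == "split-tunnel-network-list":
            split = w[2]
    return ifaces, pools, acls, nat0, split


def audit(cfg):
    """Return the findings to verify before adding access rules for the VPN clients."""
    ifaces, pools, acls, nat0, split = parse(cfg)
    findings = []
    for name, (lo, hi) in pools.items():
        for i in ifaces.values():
            if "net" in i and (lo in i["net"] or hi in i["net"]):
                findings.append(f"pool {name} {lo}-{hi} overlaps the {i['nameif']} subnet {i['net']}")
    if split and split not in acls:
        findings.append(f"split-tunnel list {split} is not a defined access-list")
    if pools and not nat0:
        findings.append("no 'nat (<if>) 0 access-list' exemption, so inside-to-client traffic is subject to PAT")
    return findings
```

Running `audit(ASA_CONFIG)` on the posted excerpt reports the pool overlap and the missing NAT exemption; the split-tunnel list itself is defined, so that check is silent.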

1 Accepted Solution

If you are configuring through ASDM, go to Security Policy & Access Rule.

Here are the steps:

Source/host or network -----any

Dest/host or network -----Inside ip address

Rule Applied to traffic-----incoming

Interface Outbound -----Outside

Service -----HTTPS,TCP,UDP

7 Replies

sibgathullah
Level 1

Dear,

Where are the access-lists?

What access-list command should I issue?

Just mention an access-list for your server, then try it, as I have got the same thing in my network, and as I have given an access-list according to the server's IP, it is working.

Rgds

!!!! Actually, I don't understand what server you are talking about. Simply, I need people to connect to the ASA VPN and do remote desktop on their machines, so they need to access the local LAN, which they cannot do.

You have to specify the access-list according to the IPs or servers you want to access from outside, and give the permission. It will work. As I have specified according to the IP and given the Allow access-list, it's working.

Give me an example; I want them to access the whole internal LAN.

Thanks
