Access lists help for remote VPN clients to ASA

Unanswered Question
Feb 27th, 2008

Hi, I have managed to connect to my Cisco ASA 5520 from the internet via the Cisco VPN client. I just used the ASDM wizard to create this. But I can't connect to any internal servers, or anything really. I have yet to add any access rules, but the wizard has added a NAT exempt rule from the inside interface to the VPN network of 192.168.10.x/24.


Am I to add the access rules, and if so, is the VPN network seen as being on the Outside interface? So if I were to give the VPN users access to the internal network, would I have to create a rule on the outside interface with the source being 192.168.10.x to the internal range, on IP any any?


I just don't know where the VPN client network sits on the interfaces to create the access rules.


Thanks in advance

Fernando_Meza Wed, 02/27/2008 - 14:08

Hi,


Check to see whether the below command is entered on your ASA. If it is not, then you need to add it and try connecting again.


crypto isakmp nat-traversal 20


I hope it helps. Please rate if it does!




jamesgonzo Wed, 02/27/2008 - 14:31

I will but what will this do? Also is the Remote VPN seen as being on the outside interface as I will need to add access rules?

alanajjar Thu, 02/28/2008 - 03:43

Hi,

The NAT exempt rule is a must; it will NAT exempt between the internal network and the remote access network (i.e. 192.168.10.x). If that rule does not exist, the VPN will not work.

To check the problem, enable logging on the ASA, then connect using remote access VPN and check the ASA log to see if you successfully connected. Then, from the remote access machine, try to access any service, like telnet to the router or the ASA, or ping any internal server or the router. If that fails, check the ASA log; there must be a log for that.

You don't need to define an access list for remote access users, because they are connecting using a secure connection (i.e. IPSec VPN); the ASA will forward traffic between the internal and remote access users based on the established secure connection, which is the idea of VPN.


regards

jamesgonzo Thu, 02/28/2008 - 07:46

You are right. I re-created the remote client VPN and I can now connect to the servers on the internal network. The servers' IP range is in a NAT exempt rule.


So you are saying only an exempt rule is needed for the servers and no access lists. Why is this? I just need to get this right in my head, as it's new to me.


Thanks

alanajjar Fri, 02/29/2008 - 08:59

Hi,

The idea is that you can access the remote network devices using their real addresses; this will be as if you are connected directly to the network, and you will not see the NATed addresses of these devices. This is the case with site-to-site VPN as well, where you will access remote devices by their real IPs, not the NATed ones.


Please rate if this solves the problem!


with regards
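To make the two replies above concrete, here is an added configuration example; it was not posted by anyone in this thread and is not taken from the ASDM wizard output. It shows, in pre-8.3 ASA syntax (the 2008-era syntax this thread uses), the NAT exemption alanajjar describes, the NAT-T command from Fernando_Meza's reply, and the sysopt setting that is the actual reason decrypted VPN traffic bypasses the outside interface access list. Only the 192.168.10.0/24 pool comes from the thread; the inside network 10.1.1.0/24, the host 10.1.1.20, and the names VPNPOOL, NONAT, RA-GP and VPN-FILTER are assumed for illustration.

```cisco
! Added example, not from the thread. Assumed: inside LAN 10.1.1.0/24, pre-8.3 ASA syntax.
! Address pool handed to remote clients (192.168.10.x comes from the thread).
ip local pool VPNPOOL 192.168.10.1-192.168.10.254 mask 255.255.255.0

! NAT exemption (identity NAT): inside hosts keep their real addresses when talking
! to VPN clients, which is why clients reach servers by real IPs with no translation.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Default on the ASA: traffic arriving through an IPsec tunnel skips the interface ACLs.
! This is the reason no outside-interface rule for 192.168.10.0/24 is needed. Shown
! explicitly so that it is visible in the config; re-enter it if someone has turned it off.
sysopt connection permit-vpn

! NAT traversal, from the first reply: needed when the client sits behind a home router doing PAT.
crypto isakmp nat-traversal 20

! Least-privilege option (assumed names): because interface ACLs are bypassed, the place to
! restrict what VPN users may reach is a vpn-filter on the group policy. The ACL is written
! with the VPN client as source and the internal host as destination; the ASA applies it to
! both directions. Here clients get only RDP to one assumed server.
access-list VPN-FILTER extended permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.20 eq 3389
group-policy RA-GP attributes
 vpn-filter value VPN-FILTER

! Checks after a client connects
show running-config nat
show running-config sysopt
show crypto isakmp sa
show vpn-sessiondb remote
```

Two notes on this example: the vpn-filter section is optional and is the only part that goes beyond what the replies state; without it, the NAT exemption plus the default sysopt is exactly the "no access list needed" behaviour alanajjar describes. On ASA 8.3 and later the NAT syntax changed (object-based "nat (inside,outside) source static ..." rules replace "nat (inside) 0 access-list"), so this block applies as written only to the 7.x/8.0/8.2 syntax the thread is about.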
