VPN can access internet but not internal network

Unanswered Question
Feb 28th, 2008

I have an ASA 5540.


Here is my VPN config:


access-list VPNRA extended permit ip 172.17.1.0 255.255.255.0 10.0.0.0 255.255.255.0


ip local pool AAA 10.0.0.10-10.0.0.254 mask 255.255.255.0


nat (inside) 0 access-list VPNRA


vpn-tunnel-protocol IPsec


When I connect to the VPN, I can access the internet. But I cannot access or ping anything that is in the internal network.


mvsheik123 Thu, 02/28/2008 - 11:47

Did you use split tunneling?


vpn-tunnel-protocol IPsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value test


access-list test standard permit 172.17.1.0 255.255.255.0 --> internal LAN subnet


hth

MS


nguyenvinnie Thu, 02/28/2008 - 13:34

ip local pool AAA 10.17.70.10-10.17.70.254 mask 255.255.255.0

access-list VPNRA extended permit ip 172.0.0.0 255.0.0.0 172.0.0.0 255.0.0.0

access-list splittunnel standard permit 172.0.0.0 255.0.0.0

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittunnel


Still unable to connect to the internal network. Used packet tracer, and it fails at VPN NAT. On the internal Layer 3 switch, we added a static route, 10.17.70.0 255.255.255.0 10.0.0.2 (the ASA interface).

tomek0001 Fri, 02/29/2008 - 07:19

Do you have a NAT exemption rule that keeps LAN subnet to VPN pool traffic from being selected for NAT?


Check the commands below:


access-list Private_nat0_outbound remark SSL VPN traffic exemption

access-list Private_nat0_outbound extended permit ip LOCAL-LAN 255.0.0.0 VPN-SSL 255.255.255.0

nat (Private) 0 access-list Private_nat0_outbound

nat (Public) 0 LOCAL-LAN 255.0.0.0


*LOCAL-LAN is "name 10.0.0.0 LOCAL-LAN"

*VPN-SSL is "name 10.32.2.x VPN-SSL" which is the vpn pool


Hope that helps.




(please rate the comment if you found it useful)
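
The NAT exemption check asked about above, as an added example that is not part of any post in this thread: it parses the `ip local pool`, `access-list ... extended permit ip` and `nat (...) 0 access-list` lines posted earlier and reports whether the nat 0 ACL permits LAN-to-pool traffic. The sample inputs are constructed from the thread's lines; the function names, the LAN value 172.17.1.0/24 and the carried-over `nat` line in the second sample are assumptions, and `name` aliases such as LOCAL-LAN are not resolved.

```python
import ipaddress

def parse(config):
    """Collect local pools, extended ACL entries and nat 0 bindings from ASA-style lines."""
    pools, acls, nat0 = {}, {}, []
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"] and len(t) >= 5:
            first, last = t[4].split("-")
            pools[t[3]] = (ipaddress.ip_address(first), ipaddress.ip_address(last))
        elif t[:1] == ["access-list"] and t[2:5] == ["extended", "permit", "ip"] and len(t) >= 9:
            src = ipaddress.ip_network(f"{t[5]}/{t[6]}", strict=False)
            dst = ipaddress.ip_network(f"{t[7]}/{t[8]}", strict=False)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:1] == ["nat"] and t[2:4] == ["0", "access-list"] and len(t) >= 5:
            nat0.append(t[4])
    return pools, acls, nat0

def pool_exempt(config, lan, pool_name):
    """True if an ACL bound to nat 0 permits lan -> every address of the named pool."""
    pools, acls, nat0 = parse(config)
    lan = ipaddress.ip_network(lan)
    first, last = pools[pool_name]
    for name in nat0:
        for src, dst in acls.get(name, []):
            # Source must cover the LAN, destination must cover the whole pool range.
            if lan.subnet_of(src) and first in dst and last in dst:
                return True
    return False

# Constructed from the lines in the first post (typos corrected).
FIRST_POST = """
access-list VPNRA extended permit ip 172.17.1.0 255.255.255.0 10.0.0.0 255.255.255.0
ip local pool AAA 10.0.0.10-10.0.0.254 mask 255.255.255.0
nat (inside) 0 access-list VPNRA
"""
# Constructed from the second post. Assumption: the nat line is unchanged from the
# first post, since the reply did not repeat it.
SECOND_POST = """
ip local pool AAA 10.17.70.10-10.17.70.254 mask 255.255.255.0
access-list VPNRA extended permit ip 172.0.0.0 255.0.0.0 172.0.0.0 255.0.0.0
nat (inside) 0 access-list VPNRA
"""

if __name__ == "__main__":
    for label, cfg in (("first post", FIRST_POST), ("second post", SECOND_POST)):
        print(label, "- pool exempt from NAT:", pool_exempt(cfg, "172.17.1.0/24", "AAA"))
```

With the second post's lines, the ACL destination 172.0.0.0 255.0.0.0 does not contain the 10.17.70.x pool, so the check returns False for that configuration.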

