VPN Clients can't access resources on the LAN when connected via VPN

a.ajiboye
Level 1

Hi,

I have ASA 5505 running IOS 7.2(3) and ASDM 5.2(3). I configured remote access VPN with IP Pool 192.168.1.0/24. I can connect via VPN to the ASA but I can not access any resource on the LAN (192.168.0.0/24). I couldn't even PING the server on the LAN(192.168.0.1). Also, I could not launch ASDM via the VPN connection I established.

Does anyone have any idea what is missing from my config?

Thanks for your help and time.

8 Replies

brettmilborrow
Level 1

Can you confirm what your default gateway on the 192.168.0.0/24 network is?

Is it the firewall internal address?

If not, you need to ensure you have a route configured for the 192.168.1.0/24 network pointing at your internal ASA interface address.

Besides this, you will not be able to connect to the internal interface of the ASA from a VPN connection that terminates on any other interface. This is not permitted by the ASA.

Hi,

The default gateway for the 192.168.0.0/24 is the ASA Inside Interface IP address (192.168.0.254). I created a route like this:

route inside 192.168.1.0 255.255.255.0 192.168.0.254 1

yet I still can't launch ASDM, nor am I able to SSH/Telnet to the ASA. I could not ping the ASA inside interface IP address or any node on the 192.168.0.0/24 network either.

Hi,

Please try to add these commands and check if it works,

access-list 110 permit ip 192.168.0.0 255.255.255.0 any

group-policy Ideal-PR attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value 110

These commands will specify the traffic that will use the VPN tunnel.

regards

Split tunneling will not fix this problem. Besides this, I would not suggest applying split tunneling unless you need it, e.g. you need to allow the client access to the internet via its local internet link whilst still connected to the VPN.

The reason I say this is because there are risks associated with allowing split-tunneling whereby the client may allow access to your corporate LAN due to the client's local LAN not being secure.

alanajjar
Level 1

Hi,

also change this access list

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.224

to

access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0

regards
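To see concretely why the mask in the nat0 ACL matters, here is an added example (not from the thread or from Cisco) that parses ASA-style extended ACEs with Python's standard ipaddress module and reports which addresses in the VPN pool are not covered by the NAT-exemption ACL. With the original 255.255.255.224 mask only 192.168.1.0/27 is exempt, so any client handed an address from .32 upward has its inside-to-client traffic translated and replies never make it back through the tunnel. The ACL lines embedded below are constructed from the ones quoted in the thread; the pool name and ACL name are taken from the original post.

```python
"""Check whether an ASA nat0 (NAT exemption) ACL covers a remote-access VPN pool.

Added example, not code from the original thread. The ACE strings below are
constructed from the two lines posted above (the /27 mistake and the /24 fix).
"""
import ipaddress

# Constructed sample input: the ACL as originally configured and as corrected.
ACL_BEFORE = "access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.224"
ACL_AFTER = "access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0"
VPN_POOL = "192.168.1.0/24"  # the IP pool from the original post


def _parse_addr(tokens, i):
    """Consume one ASA address spec starting at tokens[i].

    ASA extended ACEs write addresses as 'any', 'host A.B.C.D', or
    'A.B.C.D MASK' (a dotted netmask, not a wildcard). Returns
    (IPv4Network, index of the next unconsumed token).
    """
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts "network/dotted-netmask"; strict=False tolerates host bits.
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST' into a dict."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or "extended" not in tokens:
        raise ValueError(f"not an extended ACE: {line!r}")
    name = tokens[1]
    j = tokens.index("extended") + 1
    action, proto = tokens[j], tokens[j + 1]
    src, j = _parse_addr(tokens, j + 2)
    dst, j = _parse_addr(tokens, j)
    return {"name": name, "action": action, "proto": proto, "src": src, "dst": dst}


def uncovered_pool_addresses(acl_lines, pool):
    """Return the pool host addresses that no 'permit' ACE destination covers.

    In a nat0 ACL the destination is the VPN client; inside-to-client traffic
    for an address not listed here is NOT exempt from NAT and will be
    translated instead of riding the tunnel untouched.
    """
    pool_net = ipaddress.ip_network(pool)
    exempt = [ace["dst"] for ace in map(parse_ace, acl_lines) if ace["action"] == "permit"]
    return [addr for addr in pool_net.hosts() if not any(addr in net for net in exempt)]


def pool_is_exempt(acl_lines, pool):
    """True when every host address in the pool is covered by the nat0 ACL."""
    return not uncovered_pool_addresses(acl_lines, pool)


if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        ace = parse_ace(acl)
        missing = uncovered_pool_addresses([acl], VPN_POOL)
        print(f"{label}: {ace['name']} exempts dst {ace['dst']}; "
              f"{len(missing)} pool addresses not exempt"
              + (f" (first: {missing[0]})" if missing else ""))
```

Run it and the "before" line reports 223 pool addresses that are not NAT-exempt, starting at 192.168.1.32; the "after" line reports none. The same check works for any nat0 ACL on a pre-8.3 ASA, since those ACLs use dotted netmasks rather than wildcard masks.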

Can you confirm which clients you are testing from?

I took your config and installed it on a spare ASA. It works fine from a windows client, but not from a Mac client.

Also, it seems you ARE able to access the PIX/ASA internal interface from the outside/other interface. You need to apply the following command:

'management-access inside'

Hi,

Thanks for your response. I didn't want to implement Split tunnelling due to potential risks.

I corrected the ACL but still didn't work. I was testing from 192.168.1.0/24 network.

I added the command "crypto isakmp nat-traversal" from the CLI and I could access the 192.168.0.0/24 network.

Everything is working fine now. Thank you all for your help.
