ASA 5505 - VPN Concentrator - Static IPs - no workee

Unanswered Question

Hi there,

I apologize if this is a repeat. But, the network I have is situated this way: No DMZ (yet), No NAT'ng, 1 Class C subnet, class C IPs assigned to devices, ASA 5505 in transparent mode, and a Cisco VPN Concentrator 3005. (This is going to ultimately change to NAT and DMZ but not quite yet.)

Anyways, we need the VPN concentrator working with the ASA Firewall. VPN Conc is only using its public interface. VPN Conc uses our DHCP server to assign IP addresses. ASA 5505 is connected to the router and the VPN concentrator is sitting on the network.

Routing seems to be a problem. Since I'm not using NAT, I don't see that it's necessary to set up a static route (inside,outside) for IP outside to NAT inside translation.

But, VPN clients can't route through our network once they connect. I've made a VPN Concentrator gateway change so that the firewall IP is seen as the gateway but that didn't help. VPN clients ipconfig doesn't list a gateway at all. I unchecked the remote gateway option on clients. Can't ping any server on the remote network. Clients can't do anything on our network once they're connected.

I have tried to find the answer everywhere on the internet and I know our network design isn't recommended but it's a transition phase for the agency.

Any ideas? It would be greatly appreciated.

Carol

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
kaachary Wed, 03/05/2008 - 13:50

If split tunnel is enabled, VPN client's ipconfig will not show any default gateway. So, that is normal.

Do you see bytes Rx increasing on the concentrator ? Where is the Private interface of the CVPN 3000 connected ?

Hi

Thanks for replying. All I see at the concentrator is that client X logged in and then nothing after that...no errors etc...until it's logged that client X logged off.

The private interface on the VPN 3005 is not in use. Although, I had a thought this morning (long driving commutes give you good thinking time) that I should plug the VPN 3005 public interface cable into one of the ASA 5505 free inside ports and then plug the VPN's private interface into the switch. Just give the ports unique IPs from the single class C subnet we have right now. But, I'm now wondering if that VPN will nix that attempt since the ports will be on the same subnet.

I did try an ASA inside route from VPN IP to router IP.

Would that help? Thanks again.

Actions

This Discussion