unable to access inside network-remote access VPN

Mar 12th, 2008

Hi,

I have a Cisco ASA5520 on which I have configured remote access VPN for the Cisco VPN client. The problem is that from the VPN client I am able to establish the tunnel, and the ASA also shows the tunnel is up, but I am unable to access the inside network.

I have added an access list as well:

access-list nonat extended permit ip any 192.168.10.0 255.255.255.0

where 192.168.10.0/24 is my RA VPN client pool.

Please guide me to resolve this issue.


Thanks,

som

acomiskey Thu, 03/13/2008 - 07:16

Could you post more of the config? Make sure you have nat-traversal enabled.

somnath21 Wed, 03/19/2008 - 21:51

Hi,


My problem is resolved now. Please check the things mentioned below:

1) The VPN client pool should be in a different subnet from your internal network.


2) If your VPN pool is 192.168.150.0/24,

provide an access list for outbound traffic:

access-list nonat extended permit ip any 192.168.150.0 255.255.255.0


3) Inbound traffic permit for VPN client:

access-list outside_in extended permit ip any any


Group policy settings:


group-policy reomoteVPN internal

group-policy reomoteVPN attributes

dns-server value x.x.x.x x.x.x.x

vpn-filter value outside_in

vpn-tunnel-protocol IPSec

address-pools value vpnpool



husycisco Sat, 03/22/2008 - 10:43

"3)inbound traffic permit for vpn client:

access-list outside_in extended permit ip any any "


I certainly do NOT recommend the above ACL. It has nothing to do with VPN connections; it simply permits any connection from outside, including intrusions.

Thanks for the help. Finally got on the phone with Cisco and we got a solution:


According to Cisco, the ASA does not handle the ESP protocol and Port Address Translation well. So I had to NAT an extra public IP to a static internal address, then create two access rules: 1. open port 500 to the NAT rule and 2. allow any ESP traffic also to the NAT rule.


Essentially, IPsec communicates on the ESP protocol and port 500. Since ESP is a portless protocol, my old configuration would drop that traffic, never getting to the client. With the new configuration my VPN to the remote site works fine. BTW, the remote site had a PIX515, probably running an old IOS without NAT Traversal enabled.


- 6x.1xx.2xx.1xx = free public IP

- static (inside,outside) 6x.1xx.2xx.1xx 10.12.10.9

- access-list outside_access_in line 5 extended permit udp any host 6x.1xx.2xx.1xx eq 500

- access-list outside_access_in extended permit esp any host 6x.1xx.2xx.1xx


Hope this helps others.
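The three checks in somnath21's reply (pool in its own subnet, a nat 0 exemption that actually covers the pool, and the vpn-filter ACL) together with husycisco's objection to a "permit ip any any" filter can be audited mechanically from a saved config. The script below is an added example, not code from this thread or from Cisco: it parses only the pre-8.3 ASA statements the thread uses (ip local pool, access-list ... extended, nat (inside) 0 access-list, vpn-filter value), assumes the protected interface is named "inside", and runs against a constructed config fragment with made-up addresses that reproduces all three faults.

```python
import ipaddress
import re

# Constructed pre-8.3 ASA fragment modelled on the thread (made-up addresses); it shows all three faults.
SAMPLE_CONFIG = """\
 nameif inside
 ip address 192.168.150.1 255.255.255.0
ip local pool vpnpool 192.168.150.100-192.168.150.200 mask 255.255.255.0
access-list nonat extended permit ip any 192.168.10.0 255.255.255.0
access-list outside_in extended permit ip any any
nat (inside) 0 access-list nonat
group-policy remoteVPN attributes
 vpn-filter value outside_in
"""

def parse_asa(config):  # pull out the inside subnet, address pools, ACL entries, nat 0 ACL and vpn-filter ACLs
    st = {"inside": None, "pools": {}, "acls": {}, "nonat": None, "filters": set()}
    nameif = None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m[1]
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and nameif == "inside":
            st["inside"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)$", line):
            st["pools"][m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)  # pool's subnet
        elif m := re.match(r"access-list (\S+) extended (.+)$", line):
            st["acls"].setdefault(m[1], []).append(m[2].split())  # one ACE as a token list
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            st["nonat"] = m[1]
        elif m := re.match(r"vpn-filter value (\S+)$", line):
            st["filters"].add(m[1])
    return st

def _exempts(ace, net):  # does a 'permit ip any <dst>' ACE (the nat 0 form used in the thread) cover net?
    if ace[:3] != ["permit", "ip", "any"] or ace[3:4] == ["host"]:
        return False
    return ace[3:] == ["any"] or (len(ace) == 5 and
        net.subnet_of(ipaddress.ip_network(f"{ace[3]}/{ace[4]}", strict=False)))

def audit(config):  # findings as strings; an empty list means all three checks passed
    st, out = parse_asa(config), []
    for pool, pnet in st["pools"].items():
        if st["inside"] and pnet.overlaps(st["inside"]):
            out.append(f"pool {pool} {pnet} overlaps inside subnet {st['inside']}")
        if not any(_exempts(a, pnet) for a in st["acls"].get(st["nonat"], [])):
            out.append(f"nat 0 ACL {st['nonat']} does not exempt pool {pool} from NAT")
    for acl in st["filters"]:
        if any(a[:4] == ["permit", "ip", "any", "any"] for a in st["acls"].get(acl, [])):
            out.append(f"vpn-filter ACL {acl} is 'permit ip any any'; restrict it to the inside subnet")
    return out
```

Running audit(SAMPLE_CONFIG) reports all three problems; moving the pool to 192.168.10.0/24 (which the nonat ACL already exempts) and narrowing the vpn-filter to the inside subnet brings the list to empty.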
