Accessing LAN while VPNing

Unanswered Question
Jun 19th, 2008

Yes I've gone through this article:


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml


I can't seem to get it working. I'm getting NO TRANSLATION GROUP FOUND FOR TCP... when I try testing using a UNC path to a machine on the LAN. I'm new to playing around with ASA so bare with me. I know it has something to do with access-list and NAT.


ciscoasa# sh run

: Saved

:

ASA Version 8.0(2)

!

hostname ciscoasa

enable password xxx

names

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address x.x.x.x 255.255.255.224

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 172.17.193.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd xxx

ftp mode passive

clock timezone MST -7

clock summer-time MDT recurring

pager lines 24

logging enable

logging asdm informational

mtu Outside 1500

mtu inside 1500

mtu management 1500

ip local pool Addr_Pool_1 192.168.10.101-192.168.10.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-602.bin

no asdm history enable

arp timeout 14400

global (Outside) 1 interface

nat (inside) 1 172.17.193.0 255.255.255.0

route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no crypto isakmp nat-traversal

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 172.17.193.101-172.17.193.254 inside

dhcpd dns x.x.x.x x.x.x.x interface inside

dhcpd enable inside

!

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

!

service-policy global_policy global

webvpn

enable Outside

svc image disk0:/anyconnect-win-2.2.0133-k9.pkg 1

svc enable

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

address-pools value Addr_Pool_1

username user1 password tJsDL6po9m1UFs.h encrypted

prompt hostname context

Cryptochecksum:xxx

: end

ciscoasa#


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
acomiskey Fri, 06/20/2008 - 06:01

You are missing nat exemption.


access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

Actions

This Discussion