VPN on ASA 5505 can't access remote (local) network

twebb
Level 1

I have an ASA 5505 up and running, with all the static NAT statements I need to forward ports to internal services such as SMTP and Remote Desktop, and it works fine. I also set up an IPsec VPN connection that authenticates to our domain controller, and that part works. However, after I get connected I can't ping anything on the local network or access any of the services. I'm sure it's a NAT statement that I don't have correct. Here's the config. I really need to get this up and going tomorrow. Thanks for any help.

Tyler

1 Accepted Solution

nomair_83
Level 3

Just remove the nat (outside) line and the outside_nat0_outbound ACL.

And mention these statements:

1. sysopt connection permit-ipsec (if it is disabled, you can check with sh run sysopt).

2. crypto isakmp nat-traversal 10 or 20

3. In the no-nat ACL, mention your local subnets as source and the VPN client pool as destination.

4. Create another ACL (ST) with a different name and the same source and destination as the no-nat ACL.

5. Then type nat (inside) 0 access-list nonat

6. In group-policy dwgavpn, mention split-tunnel-policy tunnelspecified and mention the split tunnel ACL (ST).

Regards


3 Replies


Thanks for the reply.

I removed the nat(outside) and the outside_nat0_outbound ACL.

I did number 1.) sysopt connection permit-ipsec

I did number 2.) crypto isakmp nat traversal 20

On numbers 3, 4, 5 and 6, I'm not sure I understand. I can't seem to get these ones right... or at least the ASA doesn't understand me.

Oh, and I'd rather not enable split-tunneling if I could help it.

Here's what I have now. I can still connect via the Cisco client, I just can't do anything after it authenticates and connects.

Thanks for the help so far.

Create the nat0 ACL.

Example - allow the VPN pool access to the inside subnet 10.10.10.0/24:

access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.96.0 255.255.255.0

You may add other subnets behind inside that are routed through 10.10.10.1/24 so they can be accessed by the VPN pool network.

Example:

access-list inside_nat0_outbound extended permit ip 192.168.76.0 255.255.255.0 192.168.96.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.86.0 255.255.255.0 192.168.96.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.96.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

"Oh, and I'd rather not enable split-tunneling if I could help it."

Then you need a full tunnel and must allow the VPN pool access to the Internet through the ASA firewall. To accomplish this you need these two statements:

same-security-traffic permit intra-interface <- allows for traffic go out in same interface it came in

nat (outside) 1 192.168.96.0 255.255.255.0 <- PAT for vpn pool outbound internet access in RA full tunnel - no split

Rgds

-Jorge

Jorge Rodriguez
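As an added example (not code from this thread or from Cisco), the following script checks an ASA 8.x-style running config for the pieces the two answers above call for: a nat (inside) 0 exemption ACL that covers every inside subnet toward the VPN pool, sysopt connection permit-vpn/permit-ipsec not disabled, and, for a full tunnel, same-security-traffic permit intra-interface plus a nat (outside) PAT entry for the pool. The config text and subnets are constructed; nonat ACL name and addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample of the relevant ASA lines (not the poster's real config).
# Deliberately missing the 192.168.86.0/24 exemption and with sysopt disabled.
SAMPLE_CONFIG = """
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.96.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.76.0 255.255.255.0 192.168.96.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (outside) 1 192.168.96.0 255.255.255.0
no sysopt connection permit-vpn
"""

IP = r"(\d+(?:\.\d+){3})"
ACL_RE = re.compile(rf"^access-list (\S+) extended permit ip {IP} {IP} {IP} {IP}$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
PAT_RE = re.compile(rf"^nat \(outside\) \d+ {IP} {IP}$")


def net(addr, mask):
    """Build a network object from ASA's 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_vpn_nat(config, pool, inside_subnets, split_tunnel=False):
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    pool = ipaddress.ip_network(pool)
    findings = []
    # Which ACL is bound as the NAT exemption on the inside interface?
    nonat_acl = None
    for l in lines:
        m = NAT0_RE.match(l)
        if m and m.group(1) == "inside":
            nonat_acl = m.group(2)
    if nonat_acl is None:
        findings.append("no 'nat (inside) 0 access-list <acl>' statement")
    # Inside subnets exempted from NAT when talking to the VPN pool.
    exempted = set()
    for l in lines:
        m = ACL_RE.match(l)
        if m and m.group(1) == nonat_acl and net(m.group(4), m.group(5)) == pool:
            exempted.add(net(m.group(2), m.group(3)))
    for s in map(ipaddress.ip_network, inside_subnets):
        if s not in exempted:
            findings.append(f"subnet {s} is not exempted from NAT toward pool {pool}")
    if any(l.startswith("no sysopt connection permit-") for l in lines):
        findings.append("sysopt connection permit-vpn/permit-ipsec is disabled")
    if not split_tunnel:  # full tunnel: hairpin clients back out of 'outside'
        if "same-security-traffic permit intra-interface" not in lines:
            findings.append("full tunnel needs 'same-security-traffic permit intra-interface'")
        if not any((m := PAT_RE.match(l)) and net(m.group(1), m.group(2)) == pool for l in lines):
            findings.append(f"full tunnel needs 'nat (outside) <id> {pool.network_address} {pool.netmask}'")
    return findings
```

Run it against the real running config (with show running-config output saved to a file) to spot the missing exemption before testing from the VPN client.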