Unanswered Question
Jun 24th, 2008

Hi All,

We previously had a Checkpoint Appliance along with an ISA Server. We are doing some upgrades and it was decided that the Checkpoint Appliance would be replaced with the Cisco ASA 5510.

I now need to get this working and I have not a lot of experience with ASA. I have set up a test lab, with an ISA server and the ASA and I can get almost everything working. In that I can get internal clients to access the Internet and I can get Internet Users to access an Internal web server.

The configuration looks like this:


Now I want to set up VPN on the ASA but this is where the problem lies. I have gone through the VPN wizard on ASDM and made sure there are NAT exemptions. The remote client can connect to the ASA and successfully create a VPN tunnel, but is unable to access anything internally. I managed to get it to ping the ISA server, but I can't get it to do anything else.

Now to make sure I have no problems with my ISA server I have added a PC between the ISA and ASA and it is able to access the internal network the way I want it to without a problem.

On the ASA I have also set up a static route so that all Tunneled traffic is to go to the ISA server, but still it fails to work! What am I missing?

Any help would be greatly appreciated! Excuse the mess of the Config attached as it is a testing config and I am trying everything I can to get it working!

JORGE RODRIGUEZ Tue, 06/24/2008 - 23:13

The first problem I see is that you have your VPN RA IP local pool network IP scheme the same as your inside interface network; you will run into problems configuring it this way. Create a separate IP local pool for RA to be different from any other networks in your firewall interfaces or inside network.

Once that is fixed, the nat0 access-list bound to your nat (inside) 0 statement will be as:

access-list inside_nat0_outbound extended permit ip

Here is a quick reference how-to for RA with its unique VPN pool IP scheme.
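
A check for the pool overlap described in the reply above, as an added example that is not part of the original thread. It parses a constructed ASA configuration (interface names, pool names and addresses are made-up lab values, not the poster's attachment) and reports any "ip local pool" range that falls inside an interface subnet.

```python
import ipaddress
import re

# Constructed sample config for illustration; all names and addresses are assumptions.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
ip local pool RA_SAME 192.168.1.200-192.168.1.220 mask 255.255.255.0
ip local pool RA_SEPARATE 192.168.50.10-192.168.50.50 mask 255.255.255.0
"""

IF_ADDR = re.compile(r"^\s+ip address (\S+) (\S+)")
NAMEIF = re.compile(r"^\s+nameif (\S+)")
POOL = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")


def parse(config):
    """Return ({nameif: network}, {pool_name: (first_ip, last_ip)})."""
    interfaces, pools, nameif = {}, {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            nameif = None  # new interface block; wait for its nameif
        elif m := NAMEIF.match(line):
            nameif = m[1]
        elif (m := IF_ADDR.match(line)) and nameif:
            interfaces[nameif] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := POOL.match(line):
            pools[m[1]] = tuple(map(ipaddress.ip_address, m.group(2, 3)))
    return interfaces, pools


def overlapping_pools(config):
    """List (pool, nameif) pairs whose address ranges intersect.

    Two ranges intersect when each one starts before the other ends.
    """
    interfaces, pools = parse(config)
    hits = []
    for pool, (first, last) in pools.items():
        for nameif, net in interfaces.items():
            if first <= net.broadcast_address and last >= net.network_address:
                hits.append((pool, nameif))
    return hits


if __name__ == "__main__":
    for pool, nameif in overlapping_pools(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps the {nameif} interface network")
```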



pjscott13 Wed, 06/25/2008 - 23:30

Thanks for the post! I am getting a little bit further with using a different address... but now I think I have ISA issues.... that's another story.

I noticed in the example used in the link provided, that they are using an Address Pool that is in the same network as the Inside network. So I am a bit confused!

pjscott13 Thu, 06/26/2008 - 21:05

OK, so this is really starting to annoy me... I thought I might have had it, but the only traffic hitting the ISA server is broadcast traffic from the VPN client.

What am I missing? Where do I put access rules for the VPN client on the ASA? How can I get all the traffic of the VPN client to go to the ISA server? I already have my "tunneled" default gateway set up!

Very confused now! If there is someone out there willing to help I would greatly appreciate it!

JORGE RODRIGUEZ Fri, 06/27/2008 - 20:55

Phillip, sorry, did not see your replies. Could you post the updated ASA config, omitting public IP address information?



pjscott13 Mon, 06/30/2008 - 21:59

Ok.. so I have spent some serious time in getting this to work. I have attached a diagram of what I have in the test lab, and it explains where I have got with everything.

The goal is to have VPN client connect to ASA and then access internal network via ISA server.

In testing, I have broken it up into two stages.

1. Using just the ASA, I can VPN and access an Internal Windows 2003 Server.. no problem. That same server can access the internal network behind the ISA server. Config for this set up is in the attached config1.txt

2. Add ISA to the equation, I have used the config above and changed some of the rules on ASA to hopefully get it working, but still having no luck. Am I missing the whole "tunnel" static route thing? I do not see any issues with ISA... when I monitor the traffic hitting the ISA server, I do not see ANY traffic coming from the VPN client, which makes me think there is something not right in the ASA config for forwarding the VPN Client traffic to ISA. The config for this setup is in the attached file config2.txt.

Your help will be greatly appreciated!

pjscott13 Sun, 07/06/2008 - 20:32

Any ideas anyone on how I can get VPN working properly? Please?!

pjscott13 Mon, 07/14/2008 - 22:19

Turns out I have solved the issue myself. For those who would like to know... The laptop I was using to connect to the ASA as a VPN client also has the Checkpoint SecuRemote Client installed. As soon as I disabled the services for that, all worked as it should!

