ASA and ISA

pjscott13
Level 1

Hi All,

We previously had a Checkpoint Appliance along with an ISA Server. We are doing some upgrades and it was decided that the Checkpoint Appliance would be replaced with the Cisco ASA 5510.

I now need to get this working and I do not have a lot of experience with ASA. I have set up a test lab with an ISA server and the ASA, and I can get almost everything working: I can get internal clients to access the Internet, and I can get Internet users to access an internal web server.

The configuration looks like this:

Internet-ASA-ISA-InternalNetwork(WebServer/Servers/InternalClients)

Now I want to set up VPN on the ASA, but this is where the problem lies. I have gone through the VPN wizard on ASDM and made sure there are NAT exemptions. The remote client can connect to the ASA and successfully create a VPN tunnel, but is unable to access anything internally. I managed to get it to ping the ISA server, but I can't get it to do anything else.

Now, to make sure I have no problems with my ISA server, I have added a PC between the ISA and ASA and it is able to access the internal network the way I want it to without a problem.

On the ASA I have also set up a static route so that all tunneled traffic goes to the ISA server, but still it fails to work! What am I missing?

Any help would be greatly appreciated! Excuse the mess of the attached config, as it is a testing config and I am trying everything I can to get it working!

7 Replies

JORGE RODRIGUEZ
Level 10

The first problem I see is that your VPN RA IP local pool uses the same network IP scheme as your inside interface network, 172.16.6.0/24; you will run into problems configuring it this way. Create a separate IP local pool for RA that is different from any other network on your firewall interfaces or inside network.

Once that is fixed, the nat0 access-list bound to your nat (inside) 0 statement will be as:

access-list inside_nat0_outbound extended permit ip

Here is a quick reference on how to configure RA with its own unique VPN pool IP scheme.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

Rgds

-Jorge
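To illustrate the two points in the reply above (the RA pool must not overlap any interface network, and only then does the nat0 exemption ACL do its job), here is a small added checker, not code from the thread or from Cisco. It assumes the pre-8.3 `nat (inside) 0 access-list` syntax quoted in the reply; the 192.168.100.0/24 pool and the outside interface address are constructed values.

```python
import ipaddress

# Constructed lab values: the inside network quoted in the thread plus a
# hypothetical outside interface in the documentation range.
INTERFACE_NETS = {
    "inside": ipaddress.ip_network("172.16.6.0/24"),
    "outside": ipaddress.ip_network("203.0.113.0/29"),
}


def overlapping_interfaces(pool_cidr, interface_nets):
    """Names of interface networks that overlap the candidate RA pool.

    A non-empty result is the mistake described in the thread: pool
    addresses that also live on the inside segment, so return traffic
    is ARPed for locally instead of being routed back into the tunnel.
    """
    pool = ipaddress.ip_network(pool_cidr)
    return sorted(n for n, net in interface_nets.items() if pool.overlaps(net))


def ra_vpn_config(pool_name, pool_cidr, inside_net, interface_nets,
                  acl_name="inside_nat0_outbound"):
    """Return the ASA lines for a distinct RA pool plus its NAT exemption.

    Refuses to emit anything while the pool still overlaps an interface
    network, because the nat0 ACL only makes sense once it is unique.
    """
    clash = overlapping_interfaces(pool_cidr, interface_nets)
    if clash:
        raise ValueError(f"pool {pool_cidr} overlaps interface(s): {', '.join(clash)}")
    pool = ipaddress.ip_network(pool_cidr)
    inside = ipaddress.ip_network(inside_net)
    first, last = pool.network_address + 1, pool.broadcast_address - 1
    return [
        f"ip local pool {pool_name} {first}-{last} mask {pool.netmask}",
        # inside -> pool traffic must bypass NAT so VPN clients see real addresses
        f"access-list {acl_name} extended permit ip "
        f"{inside.network_address} {inside.netmask} "
        f"{pool.network_address} {pool.netmask}",
        f"nat (inside) 0 access-list {acl_name}",
    ]


if __name__ == "__main__":
    print("overlap:", overlapping_interfaces("172.16.6.0/24", INTERFACE_NETS))
    for line in ra_vpn_config("VPNPOOL", "192.168.100.0/24", "172.16.6.0/24",
                              INTERFACE_NETS):
        print(line)
```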

Jorge Rodriguez

Thanks for the post! I am getting a little bit further using a different address... but now I think I have ISA issues... that's another story.

I noticed in the example at the link provided that they are using an address pool in the same network as the inside network, so I am a bit confused!

OK, so this is really starting to annoy me... I thought I might have had it, but the only traffic hitting the ISA server is broadcast traffic from the VPN client.

What am I missing? Where do I put access rules for the VPN client on the ASA? How can I get all the traffic of the VPN client to go to the ISA server? I already have my "tunneled" default gateway set up!

Very confused now! If there is someone out there willing to help I would greatly appreciate it!

Phillip, sorry, I did not see your replies. Could you post the updated ASA config, omitting public IP address information?

Rgds

-Jorge

Jorge Rodriguez

OK, so I have spent some serious time getting this to work. I have attached a diagram of what I have in the test lab, and it explains where I have got to with everything.

The goal is to have the VPN client connect to the ASA and then access the internal network via the ISA server.

In testing, I have broken it up into two stages.

1. Using just the ASA, I can VPN in and access an internal Windows 2003 Server, no problem. That same server can access the internal network behind the ISA server. The config for this setup is in the attached config1.txt.

2. Adding ISA to the equation, I have used the config above and changed some of the rules on the ASA to hopefully get it working, but I am still having no luck. Am I missing the whole "tunnel" static route thing? I do not see any issues with ISA: when I monitor the traffic hitting the ISA server, I do not see ANY traffic coming from the VPN client, which makes me think there is something not right in the ASA config for forwarding the VPN client traffic to ISA. The config for this setup is in the attached file config2.txt.

Your help will be greatly appreciated!

Any ideas anyone on how I can get VPN working properly? Please?!

Turns out I have solved the issue myself. For those who would like to know: the laptop I was using to connect to the ASA as a VPN client also has the Checkpoint SecuRemote client installed. As soon as I disabled the services for that, all worked as it should!
