07-24-2008 07:23 AM - edited 02-21-2020 03:51 PM
Hi,
I am trying for the first time to set up VPN connections from outside back to the company's network. Using the wizard from the ASDM to configure the VPN access, and it looks ok at first. I can log in to the ASA without problems, but I cannot see any hosts on the network at all! I had created a pool to assign the addresses 10.0.1.240 to 10.0.1.250 to the VPN clients so that they can access devices on the 10.0.1.0 network. Nothing works from this point on. Can anyone suggest what could be wrong? Is there a need to do any NAT in order to ping devices on the same network?
Thanks in advance,
Tan
07-24-2008 07:38 AM
Hello Tan,
Please post your sanitized running config. Can the client connect? Connects but no traffic?
Regards
07-24-2008 08:01 AM
Hello husycisco,
Thanks for your reply. I remembered that you helped me in the past too and really appreciated your help. Many thanks in advance.
The running config is as attached.
Also,
a. The client can connect using V4.8 of the Cisco VPN client. A password is also prompted for, and login is successful.
b. The client connects but no traffic at all.
c. Once the client starts to ping, there are a lot of translation errors shown on the logs.
d. You may also want to take note that once the client connects, he is NOT allowed to go to the internet (that's why I did not enable the split tunneling feature) and can only access devices locally in the VPN.
e. Is it ok that there are no DNS servers located within the VPN client 10.x.x.x network?
Many thanks for your help and hope to hear from you soon.
Tan
07-24-2008 08:26 AM
Tan,
"I remembered that you helped me in the past too and really appreciated your help"
You are welcome :)
Let's follow the best practice line. First of all, your VPN pool is in the same subnet as the ethernet3 interface. Use a different pool:
ip local pool VPN_Pool 172.16.30.241-172.16.30.254 mask 255.255.255.240
tunnel-group Photo general-attributes
address-pool VPN_Pool
no address-pool Photo_auto
no ip local pool Photo_auto
access-list Inside_nat0_outbound permit ip 192.168.10.0 255.255.255.0 172.16.30.240 255.255.255.240
crypto isakmp nat-traversal 20
Please post the most recent config if problem still exists.
"e. Is it ok that there are no DNS servers located within the VPN client 10.x.x.x network?"
That's fine, but if you did not assign a DNS server because you were afraid of letting them connect to the internet, don't worry: you can safely assign a DNS server to them, since they won't be able to connect to the internet without an outside NAT configured in the firewall.
Regards
07-24-2008 07:02 PM
Hello Husycisco,
Thanks for your reply.
Problem still persists, as the client is able to connect but cannot ping. The updates are added to the firewall and are as attached.
On the firewall syslog, it is showing "No translation group found for icmp src Outside: 172.16.10.100 dst Play 10.0.1.2 (type 8, code0)" when I try to ping when connected on VPN.
As for the client side, no problems connecting at all.
Thanks for your help as always,
Tan
07-25-2008 03:02 AM
Tan,
Your config is not modified as exactly as I mentioned.
While my suggestion advises "networks", your config permits "host 10.0.1.0 to host 172.16.10.100". This is causing translation error. Also 255.240 is not the correct mask for 10.100-10.101.
Please modify your config exactly as I suggested
Regards
07-26-2008 07:59 AM
Hi Husycisco,
Some updates on the configuration. I had managed to figure out the masks and add in the changes you mentioned, and there are some improvements to the situation. Updated config as attached.
I can now see that when I connect via the VPN, the gateway is now correct, and when I ping, I can see "Built..." and "Teardown" messages. However, I think there is still something missing, as I still cannot ping the host 10.0.1.2, which is already on the network. I believe the translations are correct, as there are changes, but the ping still does not go through to the host (now the FW is saying 10.0.1.2 has a no translation group error). Any suggestions?
Many many many thanks,
Tan
07-26-2008 08:09 AM
Tan,
First missing line I saw is
crypto isakmp nat-traversal 20
Also, the default global inspection policy is modified. Did you do that on purpose? Most of the inspections are missing. If it was on purpose, then you should add this one:
policy-map asa_global_fw_policy
class inspection_default
inspect icmp
I am going on checking the config, will let you know about other issues if any,
07-26-2008 08:24 AM
I still couldn't understand why you still insist on not using the pool I suggested. You use a .254 subnet mask, which may not be supported; this is a relatively new subnetting. If you want to have only 2 IPs, then I will set you up a new pool accordingly.
Second, I caught that 10.0.1.0 now resides on the play interface, so we should create the exempt NAT for that specific interface as follows:
ip local pool VPN_Pool 172.16.30.9-172.16.30.10 mask 255.255.255.252
tunnel-group Photo_Automation general-attributes
address-pool VPN_Pool
no address-pool Photo_auto_VPN_IP_Pool
no ip local pool Photo_Subt_VPN_IP_Pool 172.16.30.20-172.16.30.21 mask 255.255.255.240
no ip local pool Photo_auto_VPN_IP_Pool 172.16.30.10-172.16.30.11 mask 255.255.255.240
no ip local pool Photo_Om_VPN_IP_Pool 172.16.30.30-172.16.30.31 mask 255.255.255.240
no nat (Inside) 0 access-list Inside_nat0_outbound
no access-list Inside_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 172.16.30.10 255.255.255.254
access-list play_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 172.16.30.8 255.255.255.252
nat (play) 0 access-list play_nat0_outbound
clear xlate
Please post the most recent configuration after you do the above modifications and check the connectivity issue again.
Regards
07-28-2008 03:07 AM
Hello Husycisco,
thanks for the help.
By going through and adding your configurations, it works. I can now ping to a host 10.0.1.119 and it looks like it is working.
I believe I can just follow the same exact configurations to create VPN profiles for 10.0.2.0 and 10.0.3.0, such that there are 3 different profiles for three different networks? This is the idea, so that we can have some form of restriction in that when a user VPNs to network 10.0.1.0, he cannot ping or even see hosts on the other two.
Thanks a lot once again,
Tan
07-28-2008 03:38 AM
Tan,
"By going through and adding your configurations, it works. I can now ping to a host 10.0.1.119 and it looks like it is working"
That's great.
"By going through and adding your configurations, it works. I can now ping to a host 10.0.1.119 and it looks like it is working"
Sure you can. Just keep in mind that you should use different VPN pools for different profiles in order to specify exempt NATs per VPN pool, which will accomplish the goal of "form of restrictions in that when user VPN to network 10.0.1.0, he cannot ping or even see hosts on the other two".
Another method for accomplishing what you want is Downloadable ACLs using a RADIUS server, which is a little more complicated.
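A checker for the two configuration mistakes this thread works through, written as an added example (not from the thread; the config text is a constructed sample, not Tan's attachment). It parses interface subnets, VPN pools and nat 0 exemption ACLs out of a sanitized ASA config, then reports pools carved out of a directly connected subnet and pool/interface pairs with no exemption covering the whole pool, which is the condition behind the "No translation group found" log message.

```python
import ipaddress
import re

# Constructed sample (not the thread's attachment) reproducing both mistakes:
# Photo_auto sits inside the "play" subnet, and the Inside nat 0 entry is host-to-host.
SAMPLE_CONFIG = """
interface Ethernet0/2
 nameif play
 ip address 10.0.1.1 255.255.255.0
interface Ethernet0/3
 nameif Inside
 ip address 192.168.10.1 255.255.255.0
ip local pool Photo_auto 10.0.1.240-10.0.1.250 mask 255.255.255.0
ip local pool VPN_Pool 172.16.30.9-172.16.30.10 mask 255.255.255.252
access-list play_nat0_outbound extended permit ip 10.0.1.0 255.255.255.0 172.16.30.8 255.255.255.252
access-list Inside_nat0_outbound extended permit ip host 10.0.1.0 host 172.16.10.100
nat (play) 0 access-list play_nat0_outbound
nat (Inside) 0 access-list Inside_nat0_outbound
"""

def _net(a, b):
    """ACL/interface address pair: 'host A' -> A/32, 'A MASK' -> A/MASK."""
    return ipaddress.ip_network(b if a == "host" else f"{a}/{b}", strict=False)

def parse_config(cfg):
    """Return ({nameif: subnet}, {pool: (first, last)}, {nameif: [(src, dst)]})."""
    ifaces, pools, acls, nat0, name = {}, {}, {}, {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"nameif (\S+)", line):
            name = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            ifaces[name] = _net(m[1], m[2])
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)", line):
            nat0[m[1]] = acls.get(m[2], [])  # exemption ACL bound to that interface
    return ifaces, pools, nat0

def pool_overlaps(ifaces, pools):
    """Pools that fall inside a directly connected interface subnet (bad practice)."""
    return sorted((p, i) for p, (lo, hi) in pools.items()
                  for i, net in ifaces.items() if lo in net or hi in net)

def missing_exemptions(ifaces, pools, nat0):
    """(pool, interface) pairs with no nat 0 entry for subnet -> whole pool."""
    return sorted((p, i) for p, (lo, hi) in pools.items() for i, net in ifaces.items()
                  if not any(net.subnet_of(src) and lo in dst and hi in dst
                             for src, dst in nat0.get(i, [])))
```

Requires Python 3.8 or newer for the `:=` syntax; point it at a `show running-config` dump with the pool and ACL lines of interest and it flags each interface a pool cannot reach.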
08-16-2008 09:27 PM
Hi Husycisco,
Thanks for all your help. After running it for 3 weeks without any problems, the VPN is now working properly. Once again, many thanks for your help.
Regards,
Tan
08-17-2008 05:19 AM
You are welcome :)
02-18-2010 08:41 AM
This was a very good thread. I have been having the same issues with setting up VPN on our ASA. I have a question regarding the IP pools for VPN users. Should you assign the pool to a specific interface? Say, for instance, I have a DMZ interface that is assigned an IP address of 192.168.1.0/24. What issues would arise if I were to assign a VPN IP pool of 192.168.2.0/24 to the DMZ interface? Does that affect in any way the hosts that are on the 192.168.1.0/24 subnet? I hope this makes sense.
Thanks for the great info and thanks in advance for your reply.