No reply from VPN connection on ASA 5505 7.2(4)

eringuet (Level 1)

Hello,

I followed this guide to setup my vpn using the CLI:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

My setup is pretty basic except that I use radius authentication.

Right now, I can connect, the authentication works, the split tunneling works, but I can't access the inside LAN. I see the packets go in but they can't get out. I've been looking around for a while, but I can't figure out how to permit the packets back on the tunnel.

Trying an FTP connection:

My logs show:

Built inbound UDP connection 4460548 for outside:192.168.1.200/63414 (192.168.1.200/63414) to inside:srv-office1/53 (srv-office1/53) (user)

and then

Teardown UDP connection 4460451 for outside:192.168.1.200/53943 to inside:srv-office1/53 duration 0:02:08 bytes 245 (user)

If I packet trace 192.168.1.200 (vpn client) to 192.168.1.10 (srv-office1) with ftp it shows that flow is denied by configured rule.

The rule is inside

2 any any ip Deny Default Implicit rule

So I'm guessing I'm missing a rule somewhere...

Someone pointed me to

sysopt connection permit-vpn

but when I run sh run sysopt there is no output. Is it normal?

I attached parts of the configuration.

Regards,

4 Replies

andrew.prince (Level 10)

Etienne,

Try using a different IP subnet for the VPN access, say 192.168.2.0/24 and re-test.

Remember to also configure the layer 3 routing device (if you have one) with a static route for the new VPN subnet pointing to the ASA.

HTH

Hello Etienne

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0

no access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0

clear xlate

Will solve your issue, but as Andrew mentioned, using a pool in a different subnet is the best practice.

Regards

Alright,

I have it working now.

Here is what I did:

no ip local pool Local_IPs 192.168.1.0 ...

ip local pool Local_IPs 192.168.2.1-192.168.2.15 mask 255.255.255.240

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240

nat (inside) 0 access-list inside_nat0_outbound

And it works.

Thanks for the help!
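The two conditions the replies converge on (the VPN pool must not be carved out of the inside LAN, and the NAT-0 exemption ACL must cover the whole pool) are easy to check mechanically before a client ever connects. The following Python script is an added example, not the poster's attached configuration or any Cisco tool: it parses `ip local pool`, `access-list ... extended permit ip` and `nat (inside) 0 access-list` lines from an ASA config excerpt and reports which condition is violated. The `BROKEN_CONFIG` excerpt is constructed (the poster's original pool line is elided above, so the 192.168.1.200-215 range is an assumption chosen to match the client address in the logs); `FIXED_CONFIG` mirrors the final working lines from this thread.

```python
import ipaddress
import re

# Constructed excerpt reproducing the state described in the question:
# the VPN pool is carved out of the inside LAN (addresses are an assumption).
BROKEN_CONFIG = """
ip local pool Local_IPs 192.168.1.200-192.168.1.215 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""

# Constructed excerpt mirroring the working configuration posted at the end of the thread.
FIXED_CONFIG = """
ip local pool Local_IPs 192.168.2.1-192.168.2.15 mask 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")


def _read_net(tokens, i):
    """Consume one ASA address operand at tokens[i]; return (network, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "address netmask" form; ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_pools(config):
    """Return {pool_name: (first_address, last_address)} from 'ip local pool' lines."""
    pools = {}
    for line in config.splitlines():
        m = POOL_RE.match(line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
    return pools


def parse_permit_ip_entries(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        tokens = m.group(2).split()
        src, i = _read_net(tokens, 0)
        dst, _ = _read_net(tokens, i)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def nat0_acl_name(config):
    """Name of the ACL bound by 'nat (inside) 0 access-list NAME', or None."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    return m.group(1) if m else None


def check_vpn_pool(config, inside_lan):
    """Return a list of findings for every VPN pool against the inside LAN.

    1. The pool must not overlap the inside LAN: hosts there would treat the
       client address as local and never send replies back through the ASA.
    2. The NAT-0 exemption ACL must contain an ACE from the inside LAN to the
       whole pool, so return traffic to the client is not translated.
    """
    inside = ipaddress.ip_network(inside_lan)
    entries = parse_permit_ip_entries(config).get(nat0_acl_name(config), [])
    findings = []
    for name, (first, last) in parse_pools(config).items():
        pool_nets = list(ipaddress.summarize_address_range(first, last))
        if any(net.overlaps(inside) for net in pool_nets):
            findings.append(f"pool {name} overlaps inside LAN {inside}")
        exempt = any(inside.subnet_of(src) and first in dst and last in dst
                     for src, dst in entries)
        if not exempt:
            findings.append(f"pool {name} has no NAT-0 exemption from {inside}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_vpn_pool(cfg, "192.168.1.0/24") or ["OK"])
```

Run against the broken excerpt the script flags only the overlap, which is why the `permit ip any 192.168.1.0 255.255.255.0` exemption alone never helped; against the fixed excerpt it reports nothing. Changing only the pool without updating the NAT-0 ACE to the new subnet is caught by the second check.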

np - glad to help.
