08-20-2008 12:42 PM - edited 02-21-2020 03:54 PM
Hello,
I followed this guide to setup my vpn using the CLI:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
My setup is pretty basic except that I use radius authentication.
Right now, I can connect, the authentication works, the split tunneling works, but I can't access the inside LAN. I see the packets go in but they can't get out. I've been looking around for a while I can't figure out how to permit the packets back on the tunnel.
Trying an ftp connection:
My logs show:
Built inbound UDP connection 4460548 for outside:192.168.1.200/63414 (192.168.1.200/63414) to inside:srv-office1/53 (srv-office1/53) (user)
and then
Teardown UDP connection 4460451 for outside:192.168.1.200/53943 to inside:srv-office1/53 duration 0:02:08 bytes 245 (user)
If I packet trace 192.168.1.200 (vpn client) to 192.168.1.10 (srv-office1) with ftp it shows that flow is denied by configured rule.
The rule is inside
2 any any ip Deny Default Implicit rule
So I'm guessing I'm missing a rule somewhere...
Someone pointed me to
sysopt connection permit-vpn
but when I run sh run sysopt there is no output. Is it normal?
I attached parts of the configuration.
Regards,
08-21-2008 12:54 AM
Etienne,
Try using a different IP subnet for the VPN access, say 192.168.2.0/24 and re-test.
Remember to also configure the layer 3 routing device (if you have one) with a static route for the new VPN subnet pointing to the ASA.
HTH
08-21-2008 02:02 AM
Hello Etienne
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
no access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
clear xlate
Will solve your issue, but as Andrew mentioned, using a pool in a different subnet is the best practise.
Regards
08-21-2008 06:21 AM
Alright,
I have it working now.
Here is what I did:
no ip local pool Local_IPs 192.168.1.0 ...
ip local pool Local_IPs 192.168.2.1-192.168.2.15 mask 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
And it works.
Thanks for the help!
08-21-2008 06:25 AM
np - glad to help.
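The two conditions this thread turned on are checkable from the configuration itself: the VPN pool must not overlap the inside LAN, and the nat0 exemption ACL must permit traffic from the inside network to the pool. The following Python script is an added illustration, not code from the thread or from Cisco; the pool addresses in the "before" sample are constructed (the original pool line was not posted in full), and the ACL name `inside_nat0_outbound` and the inside subnet 192.168.1.0/24 are taken from the posts above.

```python
"""Sanity checks for an ASA remote-access VPN pool against the inside LAN.

Added illustration (not from the thread): given the inside subnet, the
'ip local pool' range and the nat0 exemption ACL lines, report the two
problems discussed above: a pool overlapping the LAN, and a pool not
covered by a NAT-exemption entry from the inside network.
"""
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network


def _parse_acl_addr(tokens: List[str], i: int) -> Tuple[IPv4Net, int]:
    """Parse one ACL address operand at tokens[i]: 'any', 'host A' or 'NET MASK'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts dotted netmasks: "192.168.1.0/255.255.255.0"
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_nat0_acl(lines: List[str], acl_name: str) -> List[Tuple[IPv4Net, IPv4Net]]:
    """Return (src, dst) pairs from 'access-list NAME extended permit ip SRC DST' lines.
    'no access-list ...' lines, other ACLs and non-ip entries are skipped."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[1] != acl_name:
            continue
        if t[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _parse_acl_addr(t, 5)
        dst, _ = _parse_acl_addr(t, i)
        entries.append((src, dst))
    return entries


def pool_network(start: str, end: str, mask: str) -> IPv4Net:
    """Network (under the pool's mask) containing the 'ip local pool' range."""
    net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
    if ipaddress.ip_address(end) not in net:
        raise ValueError(f"pool end {end} lies outside {net}; range crosses the mask boundary")
    return net


def check_vpn_pool(inside_lan: str, pool: Tuple[str, str, str],
                   config_lines: List[str],
                   acl_name: str = "inside_nat0_outbound") -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    lan = ipaddress.ip_network(inside_lan, strict=False)
    pool_net = pool_network(*pool)
    findings = []
    if lan.overlaps(pool_net):
        findings.append(f"VPN pool {pool_net} overlaps inside LAN {lan}: inside hosts "
                        "treat client addresses as local and will not route replies to the ASA")
    exempt = any(lan.subnet_of(src) and pool_net.subnet_of(dst)
                 for src, dst in parse_nat0_acl(config_lines, acl_name))
    if not exempt:
        findings.append(f"no '{acl_name}' entry exempts {lan} -> {pool_net} from NAT; "
                        "add 'access-list ... permit ip LAN MASK POOL MASK' and "
                        "'nat (inside) 0 access-list ...'")
    return findings


# Constructed "before" state: pool inside the LAN subnet (client got 192.168.1.200 above).
BROKEN_POOL = ("192.168.1.200", "192.168.1.220", "255.255.255.0")
BROKEN_CONFIG = [
    "access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0",
    "nat (inside) 0 access-list inside_nat0_outbound",
]

# "After" state as posted in the thread's resolution.
FIXED_POOL = ("192.168.2.1", "192.168.2.15", "255.255.255.240")
FIXED_CONFIG = [
    "access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.240",
    "nat (inside) 0 access-list inside_nat0_outbound",
]

if __name__ == "__main__":
    for label, pool, cfg in (("before", BROKEN_POOL, BROKEN_CONFIG),
                             ("after", FIXED_POOL, FIXED_CONFIG)):
        print(label, check_vpn_pool("192.168.1.0/24", pool, cfg) or ["ok"])
```

Running it reports the overlap for the "before" state and nothing for the "after" state; passing a configuration with no matching nat0 entry produces the NAT-exemption finding instead. The `sysopt connection permit-vpn` question is separate from these two checks: it concerns interface ACLs, not NAT, and is not modelled here.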