Can't access internal network resources through Remote Access VPN

Unanswered Question
May 14th, 2009

Hi Folks,

I have a remote access VPN setup on an ASA5510. I am making a connection using Cisco VPN client (5.0.04.300).

I am able to make the connection and authenticate, but I am not able to access any of the local resources. I can't ping them or access them in any way. If I go into the statistics screen of the VPN client, it shows no LAN routes, and the only route I see is for 0.0.0.0.

What's interesting is that one of the machines on the internal network can ping the machine that has initiated the VPN. In fact, I was able to Remote Desktop into it from the internal network. So I can access the VPN client from the internal network, but not the other way around.

I initially configured the VPN using the ASDM wizard. (not sure that makes a difference)

Here is a partial config of the information that is relevant to the VPN. Please let me know if you need more.

The internal network is 192.168.0.X and the VPN network is 192.168.10.x.

Thanks...Scott

access-list AINC_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
ip local pool REMOTE_POOL 192.168.10.50-192.168.10.150 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
group-policy AINC internal
group-policy AINC attributes
 dns-server value 192.168.0.3
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AINC_splitTunnelAcl
vpn-group-policy AINC
tunnel-group AINC type remote-access
tunnel-group AINC general-attributes
 address-pool REMOTE_POOL
 default-group-policy AINC
tunnel-group AINC ipsec-attributes
 pre-shared-key *

jjohnston1127 Thu, 05/14/2009 - 09:50

Please try two things:

1. Try entering the command: crypto isakmp nat-t

After that, see if you can ping anything.

2. Get rid of the permit any statement in the split tunnel ACL and enter the specific network:

access-list AINC_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0

You should also modify the nat0 access-list with the same rule permitting 192.168.0.0 255.255.255.0 to 192.168.10.0 255.255.255.0.

sgoethals1 Thu, 05/14/2009 - 10:14

Thank you...

The crypto command didn't fix it, but as soon as I modified the access-list, it worked.

One more question... What if I want my remote VPN clients to have the ability to administer machines in the DMZ (10.30.30.0) from the inside? What would I need to add to make that happen as well?

jjohnston1127 Thu, 05/14/2009 - 10:19

You would need to add another line to your split tunnel access list permitting that network and also put that network in the NAT0 access list.

From there, make sure your ASA has a route to that network.
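The two answers above (narrowing the split-tunnel and NAT-exemption ACLs to the inside subnet, then extending both to the 10.30.30.0/24 DMZ) as one worked ASA configuration. This is an added example and not the original poster's or the answerer's config. It uses the pre-8.3 ASA syntax the thread's `nat (inside) 0` line implies, and it assumes the DMZ hangs off an ASA interface named `dmz`; the interface name and the `dmz_nat0_outbound` ACL name are assumptions, not taken from the page. Because ASA ACL entries accumulate, the original `permit any` entry has to be removed explicitly rather than just overwritten.

```cisco
! --- BEFORE (as posted): "permit any" under split-tunnel-policy tunnelspecified
! pushes a single 0.0.0.0 secured route to the client (what the client's
! statistics screen showed), and the NAT0 rule exempts "any" rather than the
! inside subnet.
access-list AINC_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! --- AFTER: remove the overbroad entries first, then list only the networks
! remote users actually need. The split-tunnel list is what the client routes
! into the tunnel, so keep it to those networks.
no access-list AINC_splitTunnelAcl standard permit any
no access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0

! Inside LAN (192.168.0.0/24) reachable from the VPN pool (192.168.10.0/24)
access-list AINC_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! DMZ (10.30.30.0/24) for remote administration. The NAT exemption for
! VPN-to-DMZ traffic belongs on the DMZ interface, not the inside interface.
! ASSUMPTION: the DMZ interface is named "dmz" and the ACL name is invented here.
access-list AINC_splitTunnelAcl standard permit 10.30.30.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (dmz) 0 access-list dmz_nat0_outbound

! The group policy already references the list; no change needed there:
group-policy AINC attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AINC_splitTunnelAcl
```

After reconnecting the client (split-tunnel changes are only pushed at connect time), the client's statistics screen should list 192.168.0.0/24 and 10.30.30.0/24 as secured routes instead of 0.0.0.0. On the ASA, `show run access-list` confirms the old `permit any` entry is gone, `show route` confirms the DMZ subnet is present (a directly connected interface needs no static route), and `show crypto ipsec sa` should show both encaps and decaps counters increasing while a client pings a DMZ host; encaps only with no decaps points at the return path (NAT exemption or the DMZ host's routing), not the tunnel itself.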
