05-14-2009 08:47 AM - edited 03-11-2019 08:32 AM
Hi Folks,
I have a remote access VPN setup on an ASA5510. I am making a connection using Cisco VPN client (5.0.04.300).
I am able to make the connection and authenticate, but I am not able to access any of the local resources. I can't ping them or access them in any way. If I go into the statistics screen of the VPN client, it shows no LAN routes, and the only route I see is for 0.0.0.0
What's interesting is that one of the machines on the internal network can ping the machine that has initiated the VPN. In fact, I was able to Remote Desktop into it from the internal network. So I can access the VPN client from the internal network, but not the other way around.
I initially configured the VPN using the ASDM wizard. (not sure that makes a difference)
Here is a partial config of the information that is relevant to the VPN. Please let me know if you need more.
The internal network is 192.168.0.X and the VPN network is 192.168.10.x.
Thanks...Scott
access-list AINC_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
ip local pool REMOTE_POOL 192.168.10.50-192.168.10.150 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
group-policy AINC internal
group-policy AINC attributes
 dns-server value 192.168.0.3
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AINC_splitTunnelAcl
 vpn-group-policy AINC
tunnel-group AINC type remote-access
tunnel-group AINC general-attributes
 address-pool REMOTE_POOL
 default-group-policy AINC
tunnel-group AINC ipsec-attributes
 pre-shared-key *
05-14-2009 09:50 AM
Please try two things:
1. Try entering the command: crypto isakmp nat-t
After that, see if you can ping anything.
2. Get rid of the permit any statement in the split tunnel ACL and enter the specific network:
access-list AINC_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
You should also modify the nat0 access-list with the same rule permitting 192.168.0.0 255.255.255.0 to 192.168.10.0 255.255.255.0.
05-14-2009 10:14 AM
Thank you...
The crypto command didn't fix it, but as soon as I modified the access-list, it worked.
One more question...What if I want my remote VPN clients to have the ability to administer machines in the DMZ (10.30.30.0) from the inside? What would I need to add to make that happen as well?
05-14-2009 10:19 AM
You would need to add another line to your split tunnel access list permitting that network and also put that network in the NAT0 access list.
From there, make sure your ASA has a route to that network.
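The two answers above boil down to a checklist: with split-tunnel-policy tunnelspecified, the split-tunnel ACL must name the specific internal networks (not permit any), and the nat 0 exemption ACL must carry a matching rule from each of those networks to the VPN pool; the same two lines are needed again for the DMZ. The script below is an added example (not from the thread or from Cisco) that audits ASA config text for exactly those points. The config samples are constructed from the lines posted in this thread, the ACL/pool parsing is a deliberately small tokenizer rather than a full ASA parser, and treating a source of "any" in the nat 0 ACL as "no specific rule" is an assumption that follows the advice given here (the ASA would still match a wider rule).

```python
import ipaddress

# Constructed sample: the original poster's relevant lines (split-tunnel ACL
# still "permit any") plus the group-policy and pool lines that matter here.
ORIGINAL_CONFIG = """\
access-list AINC_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.10.0 255.255.255.0
ip local pool REMOTE_POOL 192.168.10.50-192.168.10.150 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy AINC attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AINC_splitTunnelAcl
tunnel-group AINC general-attributes
 address-pool REMOTE_POOL
"""

# Constructed sample: the same config after applying both answers (inside + DMZ).
FIXED_CONFIG = """\
access-list AINC_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list AINC_splitTunnelAcl standard permit 10.30.30.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.30.0 255.255.255.0 192.168.10.0 255.255.255.0
ip local pool REMOTE_POOL 192.168.10.50-192.168.10.150 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy AINC attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value AINC_splitTunnelAcl
tunnel-group AINC general-attributes
 address-pool REMOTE_POOL
"""

# Networks the remote clients should reach, taken from the thread (inside + DMZ).
INTERNAL_NETWORKS = ["192.168.0.0/24", "10.30.30.0/24"]

ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host A', or 'A MASK'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_asa(text):
    """Extract ACL entries, the nat 0 ACL name, the split-tunnel settings and the pool.

    Simplified tokenizer for the handful of line types used in this thread, not
    a general ASA config parser (assumption).
    """
    cfg = {"acls": {}, "nat0_acl": None, "split_acl": None,
           "split_policy": None, "pool": None}
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and len(t) > 4 and t[3] == "permit":
            entries = cfg["acls"].setdefault(t[1], [])
            if t[2] == "standard":
                net, _ = _addr(t, 4)
                entries.append((ANY, net))   # standard ACL: destination only
            elif t[2] == "extended" and t[4] == "ip":
                src, i = _addr(t, 5)
                dst, _ = _addr(t, i)
                entries.append((src, dst))
        elif t[:3] == ["nat", "(inside)", "0"]:
            cfg["nat0_acl"] = t[4]
        elif t[0] == "split-tunnel-policy":
            cfg["split_policy"] = t[1]
        elif t[0] == "split-tunnel-network-list":
            cfg["split_acl"] = t[2]
        elif t[:3] == ["ip", "local", "pool"]:
            start = t[4].split("-")[0]            # pool range start
            cfg["pool"] = ipaddress.ip_network(f"{start}/{t[6]}", strict=False)
    return cfg


def audit(text, internal_networks=INTERNAL_NETWORKS):
    """Return findings as strings; an empty list means both thread fixes are in place."""
    cfg = parse_asa(text)
    findings = []
    if cfg["pool"] is None:
        return ["no 'ip local pool' found; cannot check nat 0 exemption"]
    wanted = [ipaddress.ip_network(n) for n in internal_networks]
    split = cfg["acls"].get(cfg["split_acl"], [])
    nat0 = cfg["acls"].get(cfg["nat0_acl"], [])

    if cfg["split_policy"] == "tunnelspecified":
        if any(dst == ANY for _, dst in split):
            findings.append("split-tunnel ACL uses 'permit any': the client receives "
                            "no specific LAN routes; list the internal networks instead")
        for net in wanted:
            if not any(dst != ANY and dst.supernet_of(net) for _, dst in split):
                findings.append(f"split-tunnel ACL has no entry for {net}")

    for net in wanted:
        if not any(src != ANY and src.supernet_of(net) and dst.supernet_of(cfg["pool"])
                   for src, dst in nat0):
            findings.append(f"nat 0 ACL has no rule from {net} to pool {cfg['pool']}")
    return findings


if __name__ == "__main__":
    for label, cfgtext in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfgtext) or ["no findings"])
```

Run against the original lines it reports the "permit any" split list, the missing split entries for both networks, and the missing nat 0 rules; against the fixed version it reports nothing. Dropping 10.30.30.0/24 from INTERNAL_NETWORKS reproduces the state after the first fix alone, before the DMZ follow-up.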