11-12-2009 10:08 AM
Topology
Branch Office:
Pix501 - as hardware client
Lan 192.168.10.0 255.255.255.0
HQ
ASA5510 - VPN Server
Lan 192.168.0.0 255.255.252.0
Remote Users
VPN Client 5
Address Pool 192.168.95.0 255.255.255.0
Hello, I have a problem with the VPN tunnel for Remote Users.
I configured the VPN1 and VPN2 tunnels using the ASDM IPsec wizard.
The first tunnel, for the Branch, is called VPN1 (the tunnel is up, bidirectional communication is OK; ping, SMB, RDP all working).
The second tunnel, VPN2, is for remote users.
When a user connects to HQ using VPN Client 5, the tunnel is on but the client can't ping, SMB or RDP to the local network in HQ.
But when I ping or RDP from a local computer to the remote user, I can.
I attach the ASA config, please help.
11-14-2009 07:27 PM
Hi,
If I understood correctly, the VPN clients connect fine to the ASA, but they are neither able to ping nor able to do RDP/access internal resources.
I have reviewed the configuration.
RTP (Routing, Translation and Permissions) seems to be OK.
Can you please make sure NAT-T is turned on?
If you do not see it in "sh run all | in nat-t", then please configure
crypto isakmp nat-traversal 20
and let me know if this helps.
If the above does not help, then as the next troubleshooting step:
Assuming that the inside interface is part of the interesting traffic for the VPN client:
- Turn on management-access inside.
- Apply captures on the inside interface of the ASA.
- Run a continuous ping from the client to the ASA's inside interface.
- Check the output of "show crypto ipsec sa" and let me know if you see decrypts there.
- Also, reply with the capture output taken on the inside interface.
- Output of show vpn-sessiondb remote.
You can refer to the following document to apply captures:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml
Regards
Moh
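An added example, not part of the original posts: a small Python parser that reads the encaps/decaps counters from "show crypto ipsec sa" output, the check for decrypts requested in the reply above, and suggests where to look next. The sample output, peer addresses, usernames and the diagnose() wording are constructed assumptions, not data from this thread.

```python
import re

# Constructed sample shaped like ASA "show crypto ipsec sa" output.
# Peers, usernames and counters are invented for illustration.
SAMPLE = """\
interface: outside
    Crypto map tag: dyn_map, seq num: 20, local addr: 203.0.113.1
      current_peer: 198.51.100.7, username: user1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 25, #pkts decrypt: 25, #pkts verify: 25
    Crypto map tag: dyn_map, seq num: 20, local addr: 203.0.113.1
      current_peer: 198.51.100.9, username: user2
      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    Crypto map tag: dyn_map, seq num: 20, local addr: 203.0.113.1
      current_peer: 198.51.100.11, username: user3
      #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
"""

PEER_RE = re.compile(r"current_peer:\s*([0-9.]+)")
COUNT_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

def parse_sa_counters(text):
    """Return {peer_ip: {"encaps": n, "decaps": n}}, summed over a peer's SAs."""
    peers, current = {}, None
    for line in text.splitlines():
        peer = PEER_RE.search(line)
        if peer:
            current = peers.setdefault(peer.group(1), {"encaps": 0, "decaps": 0})
            continue
        if current is not None:
            for name, value in COUNT_RE.findall(line):
                current[name] += int(value)
    return peers

def diagnose(c):
    """Map a counter pattern to where to look next (a common reading, not a proof)."""
    if c["decaps"] == 0 and c["encaps"] == 0:
        return "idle: no traffic matched this SA"
    if c["decaps"] == 0:
        return "no decrypts: client packets are not arriving; check NAT-T and devices in the path"
    if c["encaps"] == 0:
        return "decrypts only: replies are not re-entering the tunnel; check routing, NAT and permissions"
    return "bidirectional: the tunnel passes traffic both ways"

if __name__ == "__main__":
    for ip, counters in parse_sa_counters(SAMPLE).items():
        print(ip, counters, "->", diagnose(counters))
```

Run it against output saved while the continuous ping from the client is in progress, so the counters reflect that test traffic.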
11-16-2009 12:38 AM
Thanks for your help. The ASA configuration is OK; the FortiGate drops all packets.
11-16-2009 04:59 AM
OK.