NO VPN throughput once connected

Answered Question
Nov 17th, 2009

Hi all,

I have a Cisco ASA 5505 which has 2 different connection profiles configured. 1 of them is an old connection profile which used a local user database for authentication and a local DHCP IP pool for giving out IP addresses.

I have created a new profile which now authenticates remote access clients to our internal LDAP server and hands out DHCP addresses from our internal DHCP server.

The problem now is that there is no throughput, i.e. I cannot ping anything on the LAN. The only IP I can ping is the internal IP of the ASA.

A point to note is that I want to fade out the old connection profile once I have the new one working sweetly. At the moment, both are handing out IPs from the same subnet, would that confuse the firewall in any way? Or is it just a case of ACLs need to be configured to allow the traffic from the VPN clients to the rest of the network?

Mario

marioderosa2008 Tue, 11/17/2009 - 05:52

Hi Andrew,

The old connection profile uses a local DHCP pool of 192.168.10.100 - 192.168.10.200. This profile is working absolutely fine.

Now, because the LAN on the inside interface is using the same subnet 192.168.10.0/24 I have to configure a second profile so that DHCP leases for remote access clients come from our internal DHCP server, also giving out addresses on the same subnet causing problems until I eliminate the old connection profile.

I have been reading a couple of guides that Heather posted in my post yesterday and they take me through setting up crypto maps and nat 0 policies which seems a bit beyond me.

Our internal LAN is 192.168.10.0/24

DMZ is 192.168.20.0/24

What do you mean by checking to see what IP subnets are protected?

Mario

Mario,

The fact that a device other than the PIX/ASA is allocating DHCP addresses is the issue. When the PIX/ASA issues the addresses - it then knows what needs to be encrypted etc.

When you have another device doing that job - you need to tell the PIX/ASA what needs to be encrypted and what does not.

Read the below config example - pay attention to "Split Tunneling"

HTH

marioderosa2008 Tue, 11/17/2009 - 06:09

Thanks Andrew,

I do not think you posted the sample config.

Thanks for your help so far!!

marioderosa2008 Tue, 11/17/2009 - 06:44

Thanks Andrew,

I will try that. Will this work in conjunction with the existing local DHCP pool configured on the old connection profile?

The problem I have is that I cannot disable the old profile until I am sure the new one is working.

Thanks again!

marioderosa2008 Tue, 11/17/2009 - 07:57

Hi Andrew,

Given the security concerns in enabling split-tunneling, are there ways to achieve the same thing without compromising security?

Mario

marioderosa2008 Tue, 11/17/2009 - 08:19

Hi Andrew, sorry about that.

I don't quite understand how the config code on that page relates to my original query but I am going to read a couple of the referral documents listed on that page about restricting access to local LAN only and the PIX/ASA 7.x as a Remote VPN Server using ASDM Configuration Example for IPSec.

I'll let you know how it goes!!

Mario

marioderosa2008 Fri, 11/20/2009 - 04:55

Hi Andrew,

Thanks for your help so far.

I have followed the wizard to create a new remote access VPN which uses an internal DHCP pool and authenticates to our internal DCs like a treat.

Traffic flow is also working absolutely fine.

Now,

In order for me to use our internal DHCP server to hand out addresses instead of using a local pool on the ASA, do I simply specify our internal DHCP server in the connection profile?

Or is there underlying stuff I need to do?

Mario
