NO VPN throughput once connected

marioderosa2008
Level 1

Hi all,

I have a cisco ASA 5505 which has 2 different connection profiles configured. 1 of them is an old connection profile which used a local user database for authentication and a local DHCP IP pool for giving out IP addresses.

I have created a new profile which now authenticates remote access clients to our internal LDAP server and hands out DHCP addresses from our internal DHCP server.

The problem now is that there is no throughput. I.e. I cannot ping anything on the LAN. The only IP i can ping is the internal IP of the ASA.

A point to note is that I want to fade out the old connection profile once I have the new one working sweetly. At the moment, both are handing out IPs from the same subnet, would that confuse the firewall in any way? Or is it just a case of ACLs need to be configured to allow the traffic from the VPN clients to the rest of the network?

Mario

Accepted Solution

Yes, under that specific VPN profile you just name the external DHCP server by IP address, like:

      tunnel-group <> general-attributes
        dhcp-server  10.125.0.253

You also should enable DHCP relay, just in case.

HTH>


12 Replies

andrew.prince
Level 10

Check to see what IP address subnets are configured to be "protected"

HTH>

Hi Andrew,

The old connection profile uses a local DHCP pool of 192.168.10.100 - 192.168.10.200. This profile is working absolutely fine.

Now, because the LAN on the inside interface is using the same subnet 192.168.10.0/24, I have to configure a second profile so that DHCP leases for remote access clients come from our internal DHCP server, which also gives out addresses on the same subnet, causing problems until I eliminate the old connection profile.

I have been reading a couple of guides that Heather posted in my post yesterday and they take me through setting up crypto maps and nat 0 policies which seems a bit beyond me.

Our internal LAN is 192.168.10.0/24

DMZ is 192.168.20.0/24

What do you mean by checking to see what IP subnets are protected?

Mario

Mario,

The fact that a device other than the PIX/ASA is allocating DHCP addresses is the issue. When the PIX/ASA issues the addresses - it then knows what needs to be encrypted etc.

When you have another device doing that job - you need to tell the PIX/ASA what needs to be encrypted and what does not.

Read the below config example - pay attention to "Split Tunneling"

HTH>

thanks Andrew,

I do not think you posted the sample config.

Thanks for your help so far!!

Thanks Andrew,

I will try that. Will this work in conjunction with the existing local DHCP pool configured on the old connection profile?

The problem I have is that I cannot disable the old profile until I am sure the new one is working.

Thanks again!

Yes - you can have multiple profiles that will work seamlessly side by side.

Hi Andrew,

Given the security concerns in enabling split tunneling, are there ways to achieve the same thing without compromising security?

Mario

Mario,

I posted "Read the below config example - pay attention to "Split Tunneling""

That does not read - you must configure split tunneling.

I said to use it as an example to what you need to check.

Hi Andrew, sorry about that.

I don't quite understand how the config code on that page relates to my original query, but I am going to read a couple of the referral documents listed on that page about restricting access to the local LAN only and the PIX/ASA 7.x as a Remote VPN Server using ASDM Configuration Example for IPSec.

I'll let you know how it goes!!

Mario

Hi Andrew,

thanks for your help so far.

I have followed the wizard to create a new remote access VPN which uses an internal DHCP pool and authenticates to our internal DCs like a treat.

Traffic flow is also working absolutely fine.

Now,

In order for me to use our internal DHCP server to hand out addresses instead of using a local pool on the ASA, do I simply specify our internal DHCP server in the connection profile?

Or is there underlying stuff I need to do?

Mario

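Putting the accepted answer's dhcp-server line together with Andrew's earlier point about telling the ASA what needs to be encrypted, the following is an added example of one complete remote-access connection profile. It is not configuration from this thread or from Cisco, and every name in it (RA-LDAP, RA-LDAP-POLICY, LDAP-SERVERS, the LDAP host and base DN, the pre-shared key placeholder) is an assumption for illustration. The DHCP server address 10.125.0.253 is the one the accepted answer uses and 192.168.10.0/24 is the LAN Mario describes. The syntax is pre-8.4 ASA, which matches a 5505 of that era; on 8.4 and later the pre-shared key line becomes ikev1 pre-shared-key.

```cisco
! Added example, not the thread's or Cisco's own configuration.
! All names, the LDAP host, base DN and the PSK are assumed placeholders.

! LDAP authentication for the remote access clients (assumed server 192.168.10.10).
aaa-server LDAP-SERVERS protocol ldap
aaa-server LDAP-SERVERS (inside) host 192.168.10.10
 ldap-base-dn dc=example,dc=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-vpn,cn=Users,dc=example,dc=local
 ldap-login-password <placeholder-bind-password>
 server-type microsoft

! Group policy: no local address pool. dhcp-network-scope tells the DHCP
! server which scope to lease from, and tunnelall sends every client packet
! through the tunnel, so there is no split-tunnel ACL to get wrong.
group-policy RA-LDAP-POLICY internal
group-policy RA-LDAP-POLICY attributes
 dhcp-network-scope 192.168.10.0
 split-tunnel-policy tunnelall

! Connection profile: authenticate against LDAP, and hand the client's
! address request to the internal DHCP server (the accepted answer's line).
tunnel-group RA-LDAP type remote-access
tunnel-group RA-LDAP general-attributes
 authentication-server-group LDAP-SERVERS
 default-group-policy RA-LDAP-POLICY
 dhcp-server 10.125.0.253
tunnel-group RA-LDAP ipsec-attributes
 pre-shared-key <placeholder-psk>

! DHCP relay toward the inside server, as the accepted answer suggests.
dhcprelay server 10.125.0.253 inside
dhcprelay enable outside

! Checks once a client has connected: confirm the session is up and that the
! assigned address came from the DHCP scope rather than a local pool.
show vpn-sessiondb remote
show crypto ipsec sa
```

Because the profile uses tunnelall rather than a split-tunnel list, the question of which subnets are "protected" is answered on the client side by encrypting everything; the old profile with its local pool can stay configured alongside this one until the new one is verified, as Andrew notes above.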
