Need help configuring ASA 5505 behind Verizon MI424WR for VPN access

Answered Question
Dec 14th, 2009

Hello. I'm new to the Cisco ASA 5505, and I'm exhausted.  I offered to help a friend with a small business to set up VPN remote access to the business from home.  I recommended that he buy the ASA, and months later I don't have things set up.

Prior to installing in his network, I'm testing at home.

My setup is:

[shared drive] ---- [ASA] ---- [Verizon MI424WR] ---- [Internet]

1) I'm using the ASDM to configure the ASA.

2) The inside interface is doing DHCP.

3) The outside interface is getting its IP on a different network from the Verizon modem/router.

4) I also used the VPN wizard to create the VPN.

5) The IP pool is the same network as the inside interface of the ASA, but a different range.

6) I also created an ACL/ACE on the VPN to allow for split tunneling.

When I connect my laptop to the Verizon home router, I can establish a VPN connection, and I can access the shared drive.

When I try VPN access from my workplace, I am able to establish a VPN connection, but I CANNOT access the shared drive.  I can't even Ping it.

I'm stuck, and I can really use some help.  I don't know if I need to add another port forwarding rule to the Verizon home router, or if I need to configure something on the ASA.  I've seen other posts regarding static routes, etc.  I haven't configured any static routes, etc.  To this point, I haven't had to do much on the ASA: verify that the outside interface was using DHCP, use the VPN wizard, and add the ACL for split tunneling.

Could someone point me to a good resource or help with my config?  I can provide snapshots, outputs, etc.

Correct Answer
acomiskey Thu, 12/17/2009 - 08:29

1. Your vpn client pool should always be completely different than your inside network. Change to something other than 192.168.1.0.

2. Add 'crypto isakmp nat-traversal'

skveverka Thu, 12/17/2009 - 08:38

Thanks, I look forward to trying this.  I'll post with my results.

skveverka Sun, 12/20/2009 - 07:15

I'm currently on hold waiting for a USB serial adapter, so I can access the console.

I added a 10 net VPN client pool.

Question. When a VPN client connects and gets a 10 net IP (e.g. 10.10.1.2), how will he communicate with the 192.168.1.x devices behind the ASA?

Correct Answer
busterswt Tue, 12/22/2009 - 17:45

The VPN client software will inject a route into the PC's routing table based on whatever you have in the split tunnel ACL.

Also, you'll want to modify that NAT exemption ACL, as it is probably ineffective in its current state. You'll need to no-nat the traffic between the 192.168.1.x network and the client VPN network (10.10.1.x), so the statement would need to look something like:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0

You can also just add the above statement to what you currently have if you're afraid of messing anything up.

James
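Pulling the two accepted answers together (a client pool that does not overlap the inside LAN, a NAT exemption between that pool and the LAN, a split-tunnel ACL, and NAT-T), here is an added example of what the relevant pieces of the ASA configuration look like in the pre-8.3 syntax these posts use. This is not configuration from the thread or from Cisco; the object names VPN_POOL, SPLIT_TUNNEL, VPN_POLICY and VPN_GROUP and the pool range are assumptions, and the pre-shared key is a placeholder.

```cisco
! Added example, not from the thread. Names in CAPS and the pool range are
! assumed; the pool sits inside the 10.10.1.0/24 client network the answers use.

! 1. Client pool on a network that does NOT overlap the inside LAN (192.168.1.0/24).
ip local pool VPN_POOL 10.10.1.10-10.10.1.50 mask 255.255.255.0

! 2. Split tunnel: only the inside LAN is routed through the tunnel; the rest of
!    the client's traffic stays local (the client installs a route for this prefix).
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

! 3. NAT exemption: traffic between the inside LAN and the client pool must bypass
!    NAT, otherwise replies from the shared drive never make it back to the client.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 4. Group policy and tunnel group that tie the pool and the split-tunnel list together.
group-policy VPN_POLICY internal
group-policy VPN_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
tunnel-group VPN_GROUP type remote-access
tunnel-group VPN_GROUP general-attributes
 address-pool VPN_POOL
 default-group-policy VPN_POLICY
tunnel-group VPN_GROUP ipsec-attributes
 pre-shared-key REPLACE_WITH_A_STRONG_KEY

! 5. NAT-T: the ASA sits behind the Verizon router's NAT, so ESP is carried in
!    UDP/4500 (keepalive every 20 s, the default); enable ISAKMP on the outside interface.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
```

With the ASA behind the Verizon router, UDP 500 and 4500 still have to be forwarded to the ASA's outside address. To confirm the pieces are doing their job, check that the hit count on `show access-list inside_nat0_outbound` climbs while a remote client pings the shared drive, and that `show crypto ipsec sa` shows both encaps and decaps counters increasing; encaps only, with no decaps, is the classic symptom of missing NAT exemption.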

skveverka Tue, 12/29/2009 - 09:02

Both the nat-traversal and access-list commands helped.  The Cisco ASA and my laptop are behind the Verizon router.  From my laptop, I can access the shared drive behind the ASA.  Now, I plan to test the VPN access from a remote location.

Thanks for the much needed help.

skveverka Fri, 01/08/2010 - 11:26

Thanks for all of the great help!  I plan to install at the non-paying customer site tomorrow.

Questions:

1) Should the ASA directly interface to the service provider?  If so, how do I configure the outside interface for DNS?  The service provider provided an IP, mask, gateway, and DNS servers.

2) Or, should I put the ASA behind the customer's router and forward UDP ports 500 and 4500?
