Hello. I'm new to the Cisco ASA 5505, and I'm exhausted. I offered to help a friend with a small business to set up VPN remote access to the business from home. I recommended that he buy the ASA, and months later, I don't have things set up.
Prior to installing in his network, I'm testing at home.
My setup is:
[shared drive] ---- [ASA] ---- [Verizon MI424WR] ---- [Internet]
1) I'm using the ASDM to configure the ASA.
2) The inside interface is doing DHCP.
3) The outside interface is getting its IP on a different network from the Verizon modem/router.
4) I also used the VPN wizard to create the VPN.
5) The IP pool is the same network as the inside interface of the ASA, but a different range.
6) I also created an ACL/ACE on the VPN to allow for split tunneling.
When I connect my laptop to the Verizon home router, I can establish a VPN connection, and I can access the shared drive.
When I try VPN access from my workplace, I am able to establish a VPN connection, but I CANNOT access the shared drive. I can't even Ping it.
I'm stuck, and I can really use some help. I don't know if I need to add another port forwarding rule to the Verizon home router, or if I need to configure something on the ASA. I've seen other posts regarding static routes, etc. I haven't configured any static routes, etc. To this point, I haven't had to do much on the ASA. Verify that the outside interface was using DHCP, use the VPN wizard, and add the ACL for split tunneling.
Could someone point me to a good resource or help with my config? I can provide snapshots, outputs, etc.
The VPN client software will inject a route into the PC's routing table based on whatever you have in the split tunnel ACL.
Also, you'll want to modify that NAT exemption ACL, as it is probably ineffective in its current state. You'll need to no-nat the traffic between the 192.168.1.x network and the client VPN network (10.10.1.x), so the statement would need to look something like:
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
You can also just add the above statement to what you currently have if you're afraid of messing anything up.
1. Your VPN client pool should always be completely different than your inside network. Change to something other than 192.168.1.0.
2. Add 'crypto isakmp nat-traversal'
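The three points raised in the replies above (pool separate from the inside network, a NAT exemption from the inside network to the pool, and NAT traversal enabled) can be checked mechanically against a saved configuration. The following is an added example, not code from any poster in this thread; the sample configs are constructed, the pool name VPNPOOL is hypothetical, and the pre-8.3 `nat (inside) 0 access-list` syntax is assumed. Only ACL entries in network/mask form are evaluated.

```python
import ipaddress
import re

# Constructed sample configs (not the poster's). Pre-8.3 "nat (inside) 0" syntax is assumed.
BAD = """interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
ip local pool VPNPOOL 192.168.1.200-192.168.1.220 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
"""
GOOD = """interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
ip local pool VPNPOOL 10.10.1.10-10.10.1.50 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto isakmp nat-traversal
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit(config):
    """Return a list of finding names; an empty list means all three checks pass."""
    iface = re.search(r"nameif inside\n\s*(?:security-level \d+\n\s*)?ip address (\S+) (\S+)", config)
    pool = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    if not iface or not pool:
        raise ValueError("inside interface address or VPN pool not found")
    inside = net(*iface.groups())
    first, last = (ipaddress.ip_address(a) for a in pool.groups())
    findings = []
    # Last reply, point 1: the client pool must not sit inside the inside network.
    if first in inside or last in inside:
        findings.append("pool-overlaps-inside")
    # First reply: some ACL bound to "nat (inside) 0" must permit inside -> pool.
    exempt = False
    for acl in re.findall(r"^nat \(inside\) 0 access-list (\S+)", config, re.M):
        ace = rf"^access-list {re.escape(acl)} extended permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$"
        for s, sm, d, dm in re.findall(ace, config, re.M):
            if inside.subnet_of(net(s, sm)) and first in net(d, dm) and last in net(d, dm):
                exempt = True
    if not exempt:
        findings.append("no-nat-exemption-for-pool")
    # Last reply, point 2: NAT traversal must be enabled for peers behind NAT.
    if not re.search(r"^crypto isakmp nat-traversal", config, re.M):
        findings.append("nat-traversal-missing")
    return findings

if __name__ == "__main__":
    print(audit(BAD), audit(GOOD))
```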