8675 Views | 0 Helpful | 8 Replies

Need help configuring ASA 5505 behind Verizon MI424WR for VPN access

skveverka (Level 1)

Hello. I'm new to the Cisco ASA 5505, and I'm exhausted.  I offered to help a friend with a small business to set up VPN remote access to the business from home.  I recommended that he buy the ASA, and months later I still don't have things set up.

Prior to installing in his network, I'm testing at home.

My setup is:

[shared drive] ---- [ASA] ---- [Verizon MI424WR] ---- [Internet]

1) I'm using the ASDM to configure the ASA.

2) The inside interface is doing DHCP.

3) The outside interface is getting its IP on a different network from the Verizon modem/router.

4) I also used the VPN wizard to create the VPN.

5) The IP pool is the same network as the inside interface of the ASA, but a different range.

6) I also created an ACL/ACE on the VPN to allow for split tunneling.

When I connect my laptop to the Verizon home router, I can establish a VPN connection, and I can access the shared drive.

When I try VPN access from my workplace, I am able to establish a VPN connection, but I CANNOT access the shared drive.  I can't even Ping it.

I'm stuck, and I can really use some help.  I don't know if I need to add another port forwarding rule to the Verizon home router, or if I need to configure something on the ASA.  I've seen other posts regarding static routes, etc.  I haven't configured any static routes, etc.  To this point, I haven't had to do much on the ASA: verify that the outside interface was using DHCP, use the VPN wizard, and add the ACL for split tunneling.

Could someone point me to a good resource or help with my config?  I can provide snapshots, outputs, etc.


8 Replies

acomiskey (Level 10)

Steven, please post your ASA configuration.

I've attached the running config.  Thanks for your help.

1. Your VPN client pool should always be completely different from your inside network. Change to something other than 192.168.1.0.

2. Add 'crypto isakmp nat-traversal'

Thanks, I look forward to trying this.  I'll post with my results.

I'm currently on hold waiting for a USB serial adapter, so I can access the console.

I added a 10 net VPN client pool.

Question. When a VPN client connects and gets a 10 net IP (e.g. 10.10.1.2), how will he communicate with the 192.168.1.x devices behind the ASA?

The VPN client software will inject a route into the PC's routing table based on whatever you have in the split tunnel ACL.

Also, you'll want to modify that NAT exemption ACL, as it is probably ineffective in its current state. You'll need to no-nat the traffic between the 192.168.1.x network and the client VPN network (10.10.1.x), so the statement would need to look something like:

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0

You can also just add the above statement to what you currently have if you're afraid of messing anything up.

James
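Pulling the two accepted answers together (a client pool on its own subnet, NAT traversal, the NAT exemption for inside-to-pool traffic, and the split-tunnel list that the client turns into a host route), here is an added example of what the relevant pre-8.3 ASA configuration lines look like. This is not the poster's running config or anything from the replies above; the object names VPN_POOL, SPLIT_TUNNEL, REMOTE_GP and REMOTE_VPN and the 10.10.1.0/24 pool range are assumptions, so substitute whatever names the ASDM wizard created.

```cisco
! Added example, not the original poster's config. Pre-8.3 ASA syntax
! (nat 0 access-list style), matching the inside_nat0_outbound ACL in the thread.
! Assumed names: VPN_POOL, SPLIT_TUNNEL, REMOTE_GP, REMOTE_VPN (assumptions).

! 1. Client pool on a subnet that does not overlap the inside LAN (192.168.1.0/24).
ip local pool VPN_POOL 10.10.1.1-10.10.1.50 mask 255.255.255.0

! 2. NAT exemption: inside LAN <-> VPN client subnet must not be translated,
!    otherwise return traffic to the clients is NATed and the share is unreachable.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! 3. Split tunnel: only the LAN is sent through the tunnel. The client installs
!    a route for each network in this list when it connects.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

group-policy REMOTE_GP internal
group-policy REMOTE_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

tunnel-group REMOTE_VPN type remote-access
tunnel-group REMOTE_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy REMOTE_GP

! 4. NAT traversal: the ASA sits behind the Verizon router, so ESP has to be
!    carried in UDP 4500. Keepalive interval is 20 seconds.
crypto isakmp nat-traversal 20
crypto isakmp enable outside
```

To confirm it took effect after a client connects: `show run nat` should list the nat 0 statement, `show crypto isakmp sa` should show the peer (NAT-T negotiated when the remote side is also behind a NAT), and `route print` on the Windows client should show a route for 192.168.1.0 via the pool address. If the pool and the inside LAN still overlap, the client's own route for 192.168.1.0 wins over the injected one and pings never enter the tunnel.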

Both the nat-traversal and access-list commands helped.  The Cisco ASA and my laptop are behind the Verizon router.  From my laptop, I can access the shared drive behind the ASA.  Now, I plan to test the VPN access from a remote location.

Thanks for the much needed help.

Thanks for all of the great help!  I plan to install at the non-paying customer site tomorrow.

Questions:

1) Should the ASA directly interface to the service provider?  If so, how do I configure the outside interface for DNS?  The service provider provided an IP, mask, gateway, and DNS servers.

2) Or, should I put the ASA behind the customer's router and forward UDP ports 500 and 4500?
