VPN on ASA5550

Answered Question
Aug 23rd, 2010

I have set up a Remote Access VPN using IPSEC on an ASA 5550. All group and user configurations are completed. A VPN session is established using Cisco Client software, but I am not able to access the internal network. Any suggestions?


Rahul Govindan Mon, 08/23/2010 - 06:30

I would suggest looking through the NAT rules (NAT exempt between the pool and the internal network, to be specific), VPN filters if any, and also whether all the routes are right between the client pool and the internal network. Also, if you have configured split tunneling, whether all your internal networks are included.

Correct Answer
uwkleinh Mon, 08/23/2010 - 15:07

check the following:

- ACLs on the interface

- NAT rules

- routes on the internal destination, make sure it knows how to get back to the ASA, either by default GW or specific route to the VPN pool subnet (assigned IP address)

- make sure you don't use a VPN-filter

- try to assign a specific IP address to a user and test

- capture tool on the ASA is very useful to see if you are getting a response from the destination

- look for anything suspicious in the log

TIP:

Address space overlaps can be cumbersome to troubleshoot, especially if you use a lot of object groups.

Also, to avoid ARP issues, try to use a subnet other than the inside assigned netblock. I've also seen duplicate IP addresses and all sorts of strange things.
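
The two replies above boil down to the same config checks: NAT exemption for the VPN pool, no vpn-filter on the group policy, and (from the tip) a pool that does not overlap the inside subnet. The script below is an added example, not code from either poster or from Cisco: it parses a saved `show running-config` and flags those three conditions, handling both the pre-8.3 `nat (inside) 0 access-list` exemption and the 8.3+ `nat ... source static X X destination static Y Y` identity form. Every interface, object, ACL, pool and group-policy name, and both sample configs, are constructed for illustration; the ACL parser only resolves plain `A MASK B MASK` entries.

```python
"""Lint an ASA config for the remote-access VPN pitfalls listed in this thread.
Added example, not code from the original posts; all names and both sample configs are constructed."""
import ipaddress


def _net(addr, mask):
    """ASA writes 'address netmask'; build the network from that pair."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _acl_dst_nets(entries):
    """Destination networks of extended permit entries in plain 'A MASK B MASK' form
    (any/host/object-group operands are not resolved here)."""
    return [_net(*e[5:7]) for e in entries
            if e[:2] == ["extended", "permit"] and len(e) >= 7 and all(t[0].isdigit() for t in e[3:7])]


def parse_config(text):
    """Collect the interface, pool, object, ACL, NAT and group-policy lines that matter."""
    cfg = {"ifaces": {}, "pool": None, "objects": {}, "acls": {}, "exempt": [], "vpn_filter": None}
    blk = None  # (kind, name) of the indented sub-mode block being read
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):
            blk = None
        if w[0] == "interface":
            blk, cfg["ifaces"][w[1]] = ("iface", w[1]), {}
        elif blk and blk[0] == "iface" and (w[0] == "nameif" or w[:2] == ["ip", "address"]):
            cfg["ifaces"][blk[1]][w[0]] = w[1] if w[0] == "nameif" else _net(w[2], w[3])
        elif w[:3] == ["ip", "local", "pool"]:
            cfg["pool"] = tuple(ipaddress.ip_address(a) for a in w[4].split("-"))
        elif w[:2] == ["object", "network"]:
            blk = ("obj", w[2])
        elif blk and blk[0] == "obj" and w[0] == "subnet":
            cfg["objects"][blk[1]] = _net(w[1], w[2])
        elif w[0] == "access-list":
            cfg["acls"].setdefault(w[1], []).append(w[2:])
        elif w[0] == "nat" and w[2:4] == ["source", "static"] and "destination" in w:
            d = w.index("destination")  # 8.3+ twice NAT; identity only if real == mapped on both sides
            if w[4] == w[5] and w[d + 2] == w[d + 3]:
                cfg["exempt"].append(("object", w[d + 2]))
        elif w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            cfg["exempt"].append(("acl", w[4]))  # pre-8.3 NAT exemption ('nat 0')
        elif w[0] == "group-policy" and w[-1] == "attributes":
            blk = ("gp", w[1])
        elif blk and blk[0] == "gp" and w[0] == "vpn-filter":
            cfg["vpn_filter"] = None if w[1] == "none" else w[-1]
    return cfg


def lint(text):
    """Return finding codes for a config; an empty list means nothing was flagged."""
    cfg, out = parse_config(text), []
    inside = next((i["ip"] for i in cfg["ifaces"].values() if i.get("nameif") == "inside" and "ip" in i), None)
    if cfg["pool"] is None:
        return ["NO_POOL"]
    first, last = cfg["pool"]
    if inside and first <= inside.broadcast_address and last >= inside.network_address:
        out.append("POOL_OVERLAPS_INSIDE")  # the ARP / duplicate-address trap from the tip
    exempt = []
    for kind, name in cfg["exempt"]:
        if kind == "object" and name in cfg["objects"]:
            exempt.append(cfg["objects"][name])
        elif kind == "acl":
            exempt += _acl_dst_nets(cfg["acls"].get(name, []))
    if not any(first in n and last in n for n in exempt):
        out.append("NO_NAT_EXEMPT_FOR_POOL")  # pool traffic would be translated like any other flow
    if cfg["vpn_filter"]:
        out.append("VPN_FILTER_APPLIED")
    return out


# Constructed 8.3+ style config: identity NAT is present, but the pool is carved out
# of the inside subnet and a vpn-filter is applied to the group policy.
BAD_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
ip local pool RA-POOL 10.1.1.200-10.1.1.250 mask 255.255.255.0
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network RA-POOL-NET
 subnet 10.1.1.192 255.255.255.192
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static RA-POOL-NET RA-POOL-NET no-proxy-arp route-lookup
group-policy RA-GP attributes
 vpn-filter value RA-FILTER
"""

# Constructed pre-8.3 style config: dedicated pool subnet, NAT exemption via 'nat 0'.
GOOD_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
ip local pool RA-POOL 192.168.50.1-192.168.50.50 mask 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT
"""
```

Run `lint()` over the text of `show running-config`; `BAD_CONFIG` yields `POOL_OVERLAPS_INSIDE` and `VPN_FILTER_APPLIED`, `GOOD_CONFIG` comes back clean. What the script cannot see is the return route on the internal hosts, which is the remaining item on the list above; that one is settled on the box with the capture the reply mentions (`capture vpncap interface inside match ip host <inside-host> host <pool-address>`, then `show capture vpncap`): if the inside host's replies never appear on the inside interface, the problem is routing or a host firewall, not the ASA.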
