No local LAN access over IPsec VPN

Answered Question
Oct 1st, 2010

Hi


This week I configured a remote access VPN to an ASA 5510.


See this topic: https://supportforums.cisco.com/message/3191344#3191344


Thanks to the support, I can connect now, but I still don't have any local LAN access when I connect with my VPN client.


My internal DHCP pool is 192.0.0.0 255.255.255.0

My DHCP pool is 192.0.1.0 255.255.255.0


I have attached my running config, and some screenshots from my VPN client when connected.


Any help would be appreciated

Correct Answer
Jennifer Halim (Cisco Employee) Fri, 10/01/2010 - 01:14

You've added an incorrect NAT exemption ACL. It should be:

access-list inside_nat0_outbound_1 extended permit ip any 192.0.1.0 255.255.255.0


and to test pinging the inside interface, please add:

management-access inside


Hope that resolves the issue.

Bert Kelchtermans Fri, 10/01/2010 - 01:31

Hi Jennifer


Thank you for the quick response, but I still don't have local LAN access.


When I'm connected, the default gateway that I get from the ASA is the same as the IP address I get from the ASA.


Connection-specific DNS Suffix  . : xxxxxxxxxxxxxxxxx
IP Address. . . . . . . . . . . . : 192.0.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.0.1.2




Is this correct? It seems odd, but I don't know much about VPNs, as you may already know.



Thanks for all the help

Jennifer Halim (Cisco Employee) Fri, 10/01/2010 - 01:34

Yes, that is OK. From the statistics page, your VPN client is sending the traffic towards the ASA, but no traffic is returning.


Can you share the output of:

show crypto ipsec sa


Can you ping the ASA inside interface from the VPN client?

Jennifer Halim (Cisco Employee) Fri, 10/01/2010 - 01:35

Also, enable this command:

crypto isakmp nat-traversal
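The pieces suggested in this thread (the corrected NAT exemption ACL, the management-access command, and NAT traversal), shown together as one ASA configuration fragment. This is an added example, not the poster's running config or Cisco's own documentation; it assumes pre-8.3 ASA syntax (`nat (inside) 0 access-list ...`), an interface named `inside`, and the addresses and ACL name quoted in the thread.

```cisco
! Inside LAN (from the thread):       192.0.0.0/24
! VPN client address pool (from the thread): 192.0.1.0/24
!
! NAT exemption ACL as given in the answer: traffic from inside hosts to the
! VPN pool must bypass NAT, otherwise the return traffic is translated and
! never matches the crypto map, so the client sees packets sent but none received.
access-list inside_nat0_outbound_1 extended permit ip any 192.0.1.0 255.255.255.0
!
! Bind the ACL to the identity-NAT ("nat 0") rule on the inside interface.
! Assumption: pre-8.3 syntax and an interface named "inside".
nat (inside) 0 access-list inside_nat0_outbound_1
!
! Let the inside interface answer ICMP/management traffic arriving through
! the tunnel, which the answer suggests for testing reachability.
management-access inside
!
! IKE NAT traversal (NAT-T): encapsulate ESP in UDP so it survives a NAT
! device between the client and the ASA, as suggested later in the thread.
crypto isakmp nat-traversal
!
! Verification while the client pings an inside host: both the
! #pkts encaps and #pkts decaps counters for the client's SA should increase.
show crypto ipsec sa
```

Two notes for anyone reusing this. First, on ASA 8.3 and later the exemption is expressed with twice-NAT instead, e.g. `nat (inside,outside) source static any any destination static VPN_POOL VPN_POOL` with `VPN_POOL` defined as an `object network` for 192.0.1.0/24; the ACL form above will not be accepted there. Second, the `any` source in the ACL exempts every inside network from NAT towards the pool; restricting it to 192.0.0.0 255.255.255.0 keeps the exemption as narrow as the thread's topology actually needs. The "Local LAN Access: Disabled" indicator the poster sees in the VPN client refers to the client's own LAN (the split-tunnel "allow local LAN access" setting), not to the corporate network behind the ASA, which is why it can stay "Disabled" while inside hosts are reachable.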

Jennifer Halim (Cisco Employee) Fri, 10/01/2010 - 01:48

Perfect,..

What other hosts are you trying to access internally? Ping as well? You might want to check if a personal firewall is turned on on the inside host, as it normally blocks incoming/inbound traffic from other subnets.

Bert Kelchtermans Fri, 10/01/2010 - 02:02

Hi


Now I can ping clients in the local network.


In my VPN client, it still says: Local access: Disabled.


But it works; I'm happy.


Thank you very much for your help and quick responses Jennifer.

Jennifer Halim (Cisco Employee) Fri, 10/01/2010 - 02:05

Great, thanks for the update. Please kindly mark the post as answered.
