
No local lan access Ipsec VPN

Hi

This week I configured a remote access VPN to an ASA 5510.

See this topic: https://supportforums.cisco.com/message/3191344#3191344

Thanks to the support, I can connect now, but I still don't have any local LAN access when I connect with my VPN client.

My internal DHCP pool is 192.0.0.0 255.255.255.0

My DHCP pool is 192.0.1.0 255.255.255.0

I have attached my running config, and some screenshots from my VPN client when connected.

Any help would be appreciated

1 Accepted Solution

Accepted Solutions

Jennifer Halim
Cisco Employee

You've added an incorrect NAT exemption ACL. It should be:

access-list inside_nat0_outbound_1 extended permit ip any 192.0.1.0 255.255.255.0

and to test pinging the inside interface, pls add:

management-access inside

Hope that resolves the issue.
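An added example, not part of the original posts: a small Python check that a NAT exemption ACL covers traffic from the inside network (192.0.0.0/24) to the VPN pool (192.0.1.0/24). The function names and the `REVERSED` line are hypothetical and constructed for contrast; only the `CORRECTED` line comes from the answer above.

```python
import ipaddress

# ACL line from the accepted answer above.
CORRECTED = "access-list inside_nat0_outbound_1 extended permit ip any 192.0.1.0 255.255.255.0"
# Constructed for contrast (not from the thread): source and destination swapped.
REVERSED = ("access-list inside_nat0_outbound_1 extended permit ip "
            "192.0.1.0 255.255.255.0 192.0.0.0 255.255.255.0")

def parse_addr(tokens):
    """Consume one ASA address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # "<address> <netmask>" form, e.g. "192.0.1.0 255.255.255.0"
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]

def acl_entries(config, acl_name):
    """Yield (action, src, dst) for the 'extended <action> ip' entries of one ACL."""
    for line in config.splitlines():
        t = line.split()
        if t[:3] != ["access-list", acl_name, "extended"] or len(t) < 6 or t[4] != "ip":
            continue
        src, rest = parse_addr(t[5:])
        dst, _ = parse_addr(rest)
        yield t[3], src, dst

def exempts_pool(config, acl_name, inside_net, vpn_pool):
    """True if the first entry covering inside -> pool traffic is a permit.

    Simplification: only entries that cover both networks entirely are
    considered; partially overlapping entries are ignored.
    """
    inside = ipaddress.ip_network(inside_net)
    pool = ipaddress.ip_network(vpn_pool)
    for action, src, dst in acl_entries(config, acl_name):
        if inside.subnet_of(src) and pool.subnet_of(dst):
            return action == "permit"  # ACLs are evaluated top-down, first match wins
    return False

if __name__ == "__main__":
    for label, cfg in (("corrected", CORRECTED), ("reversed", REVERSED)):
        ok = exempts_pool(cfg, "inside_nat0_outbound_1", "192.0.0.0/24", "192.0.1.0/24")
        print(f"{label}: inside -> VPN pool exempt from NAT = {ok}")
```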


10 Replies

Hi Jennifer

Thank you for the quick response, but I still don't have local LAN access.

When I'm connected, my default gateway that I get from the ASA is the same as the IP address I get from the ASA.

Connection-specific DNS Suffix  . : xxxxxxxxxxxxxxxxx
IP Address. . . . . . . . . . . . : 192.0.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.0.1.2

Is this correct? It seems odd, but I don't know much about VPNs, as you may already know.

Thanks for all the help

Yes, that is OK. From the statistics page, your VPN client is sending the traffic towards the ASA, but no traffic is returning.

Can you share the output of:

show crypto ipsec sa

Can you ping the ASA inside interface from the VPN client?

Also, enable this command:

crypto isakmp nat-traversal

Ok here is the output

Is ping to 192.0.0.40 successful?

Yes, now ping to 192.0.0.40 is successful.

Perfect.

What other hosts are you trying to access internally? Ping as well? You might want to check if a personal firewall is turned on on the inside host, as it normally blocks incoming/inbound traffic from other subnets.

Hi

Now I can ping clients in the local network.

In my VPN client, it still says: Local access: Disabled.

But it works, I'm happy.

Thank you very much for your help and quick responses Jennifer.



Great, thanks for the update. Please kindly mark the post as answered.
