02-27-2008 01:19 PM - edited 03-11-2019 05:09 AM
Hi, I have managed to connect to my Cisco ASA 5520 from the internet via the Cisco VPN client. I just used the ASDM wizard to create this. But I can't connect to any internal servers, or anything really. I have yet to add any access rules, but the wizard has added a NAT exempt rule from the inside interface to the VPN network of 192.168.10.x/24.
Am I to add the access rules, and if so, is the VPN network seen as being on the outside interface? So if I was to give the VPN users access to the internal network, I would have to create a rule on the outside interface with the source being 192.168.10.x to the internal range on ip any any?
I just don't know where the VPN client network sits on the interfaces to create the access rules.
Thanks in advance
02-27-2008 02:08 PM
Hi,
check to see whether the below command is entered on your ASA. If it is not then you need to add it and try connecting again.
crypto isakmp nat-traversal 20
I hope it helps. Please rate if it does!
02-27-2008 02:31 PM
I will, but what will this do? Also, is the remote VPN seen as being on the outside interface, as I will need to add access rules?
02-28-2008 03:43 AM
Hi,
The NAT exempt rule is a must; it exempts traffic between the internal network and the remote access network (i.e. 192.168.10.x) from NAT. If that rule does not exist, the VPN will not work.
To check the problem, enable logging on the ASA, then connect using remote access VPN and check the ASA log to see if you successfully connected. Then, from the remote access machine, try to access any service, like telnet to the router or the ASA, or ping any internal server or the router. If that fails, check the ASA log; there must be a log entry for that.
You don't need to define an access list for remote access users, because they are connecting using a secure connection (i.e. IPsec VPN). The ASA will forward traffic between the internal and remote access users based on the established secure connection, which is the idea of a VPN.
regards
02-28-2008 07:46 AM
You are right. I re-created the remote client VPN and I can now connect to the servers on the internal network. The servers' IP range is in a NAT exempt rule.
So you are saying only an exempt rule is needed for the servers and no access lists; why is this? I just need to get this right in my head, as it's new to me.
Thanks
02-29-2008 08:59 AM
Hi,
The idea is that you can access the remote network devices using their real addresses. It will be as if you are connected directly to the network; you will not see the NATted addresses of these devices. This is also the case with site-to-site VPN, where you access remote devices by their real IPs, not the NATted ones.
Please rate if this solves the problem!
with regards
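For readers who want to see the whole picture that the two replies above describe (the NAT exemption for the 192.168.10.0/24 client pool, and why no interface access rule is needed), here is an added example of a pre-8.3 ASA (7.x/8.0-era, matching the thread's date) remote-access IPsec configuration. It is not taken from the thread or from the original poster's device: the interface names, the 10.1.1.0/24 inside network, the pool/tunnel-group/ACL names and the placeholder secrets are all assumptions. It also shows the check commands the reply suggests, and the alternative if you do want access rules applied to VPN users (the decrypted client traffic does arrive on the outside interface; it skips that interface's ACL only because `sysopt connection permit-vpn` is on by default).

```text
! Added example config (not the thread's own). Addresses and names are assumed;
! the thread only specifies the client pool 192.168.10.x/24.

! 1. Interfaces (assumed addressing)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0

! 2. Address pool handed to Cisco VPN clients (from the thread: 192.168.10.x/24)
ip local pool VPN-POOL 192.168.10.1-192.168.10.254 mask 255.255.255.0

! 3. NAT exemption (the "must" from the reply): inside -> VPN pool bypasses
!    the dynamic PAT below, so clients reach servers on their real addresses
!    and the replies are not translated on the way back into the tunnel.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Ordinary PAT for everything inside that NONAT does not match
global (outside) 1 interface
nat (inside) 1 10.1.1.0 255.255.255.0

! 4. Optional split tunnel: only the internal range goes through the tunnel
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0

! 5. Group policy, a local user, and the tunnel group the VPN client connects to
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 dns-server value 10.1.1.10
username vpnuser password REPLACE-ME privilege 0
tunnel-group RA-GROUP type remote-access
tunnel-group RA-GROUP general-attributes
 address-pool VPN-POOL
 default-group-policy RA-POLICY
tunnel-group RA-GROUP ipsec-attributes
 pre-shared-key REPLACE-ME-GROUP-PSK

! 6. IKEv1/IPsec on the outside interface. NAT-T (the command from the first
!    reply) lets clients behind home routers keep ESP flowing over UDP/4500.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set RA-TS esp-aes esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set RA-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! 7. Why no access rule is needed: this is the default setting, and it lets
!    decrypted VPN traffic bypass the ACL bound to the outside interface.
sysopt connection permit-vpn
! If you would rather have the outside ACL apply to VPN users as well, turn
! the default off and permit the pool explicitly (the client traffic really
! does enter on the outside interface, so that is where the rule goes):
! no sysopt connection permit-vpn
! access-list OUTSIDE-IN extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
! access-group OUTSIDE-IN in interface outside
! A per-group alternative that restricts VPN users without touching sysopt
! (vpn-filter ACEs are written with the VPN client as the source):
! access-list RA-FILTER extended permit ip 192.168.10.0 255.255.255.0 10.1.1.0 255.255.255.0
! group-policy RA-POLICY attributes
!  vpn-filter value RA-FILTER

! 8. The checks the reply suggests: log, connect, then inspect
logging enable
logging buffered informational
! show crypto isakmp sa            -> phase 1 up for the client's public IP?
! show crypto ipsec sa             -> encaps/decaps counters increasing?
! show logging | include 192.168.10.   -> denies or translation errors for the pool
```

The one thing to keep in mind when reading this against the thread: the NAT exemption is what makes the servers reachable by their real addresses, and `sysopt connection permit-vpn` (not the IPsec tunnel itself) is what lets that traffic through without an outside access rule. Removing either one reproduces the original poster's symptom of a tunnel that comes up but carries nothing useful.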