Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
488
Views
0
Helpful
5
Replies

Access lists help for remote VPN clients to ASA

jamesgonzo
Level 1
Level 1

‎02-27-2008 01:19 PM - edited ‎03-11-2019 05:09 AM

Hi, I have mangaged to connect to my Cisco ASA 5520 from the internet via the Cisco VPN client. I just used the ASDM wizard to create this. But I can't connect to any internal servers, or any thing really. I have yet to add any access rules but the wizard has added a nat exempt rule from the inside interface to the VPN network of 192.168.10.x/24.

Am I to add the access rules and if so is the VPN network seen as being on the Outside interface? so if I was to give the VPN users access to the internal network I would have to create a rule on the outside interface as the source being 192.168.10.x to the internal range on ip any any?

I just don't know where the VPN client network sites on the interfaces to create the access rules.

Thanks in advance

Labels:
0 Helpful
5 Replies 5

Fernando_Meza
Level 7
Level 7

‎02-27-2008 02:08 PM

Hi,

check to see whether the below command is entered on your ASA. If it is not then you need to add it and try connecting again.

crypto isakmp nat-traversal 20

I hope it helps .. please rate if it does !!!

0 Helpful

jamesgonzo
Level 1
Level 1
In response to Fernando_Meza

‎02-27-2008 02:31 PM

I will but what will this do? Also is the Remote VPN seen as being on the outside interface as I will need to add access rules?

0 Helpful

alanajjar
Level 1
Level 1

‎02-28-2008 03:43 AM

Hi,

The nat exempt rule is a must, it will nat exempt between internal network and the remote access network (i.e 192.168.10.x), if that rule does not exist , the vpn will not work.

To check the problem, enable logging on the asa, then connect using remote access vpn, and check the asa log to see if you successfully connected. then, from the remote access machine,try to access any service, like telnet to the router or the asa, or ping any internal server or the router, if that fails, check the asa log, there must be a log for that.

You dont need to define an access list for remote access users, because they are connecting using secure connection (i.e IPSec VPN), the asa will forward trafiic between the internal and remote access users, based on the established secure connection. which is the idea of vpn.

regards

0 Helpful

jamesgonzo
Level 1
Level 1
In response to alanajjar

‎02-28-2008 07:46 AM

You are right. I re-created the remote client vpn and I can now connect to the servers on the internal network. The servers IP range are in a NAT exempt rule.

So you are saying only an exempt rule is needed for the servers and no access lists, why is this? Just need to get this right in my head as it's new to me.

Thanks

0 Helpful

alanajjar
Level 1
Level 1
In response to jamesgonzo

‎02-29-2008 08:59 AM

Hi,

The idea is that you can access the remote network devices using there real addresses, this will be like if you are connected directly to the network, you will not see the natted addresses of these devices. This is the case with site-to-site vpn, where you will access remote devices by there real ip's, not the natted one.

please rate if this solve the problem!!

with regards

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card