I have set up a remote-access VPN using the ASA VPN wizard. When I test the connection with the Cisco VPN Client I connect successfully and get assigned an IP address from the pool I specified. However I can't send any traffic to the network behind the firewall.
The syslog records things like this:
No translation group found for icmp src WAN:10.0.0.10 dst Internal:SERVER-1 (type 8, code 0)
No translation group found for udp src WAN:10.0.0.10/49245 dst Internal:SERVER-1/53
10.0.0.10 is the IP the client PC is assigned. The same thing happens whether I specify a separate subnet as the pool, or if I try and use the same subnet as is used on the internal interface.
Is this because an extra NAT exemption rule is required?
Thanks - that was the problem. Turns out that the ASDM wizard was adding an exemption rule, but for some reason it was adding it as management -> inside, instead of inside -> outside.
I have noticed one other thing though - the default route on the client PC is being set as the IP being assigned via the VPN, which means that while I can access the servers behind the VPN, I lose access to normal network resources.
I have got split tunnelling enabled in the VPN config and 'allow local LAN access' ticked in the VPN client - any ideas what else I should be doing?
I didn't need 'allow local LAN access' ticked in the client.
The problem was that although split tunnelling was enabled, the ACL added by the wizard was for destination 0.0.0.0. I changed this to the network behind the ASA and the client stopped receiving a default route.
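The two fixes described in this thread (a NAT exemption between the inside network and the VPN pool, and a split-tunnel ACL that names the internal network rather than 0.0.0.0) as one ASA configuration fragment. This is an added example, not the configuration from the original poster or from the ASDM wizard; the interface names WAN and Internal and the client address 10.0.0.10 come from the syslog lines above, while the internal subnet 192.168.1.0/24, the pool range, and the object, ACL, group-policy and tunnel-group names are assumptions. Both the pre-8.3 (nat 0) and 8.3+ (twice NAT) forms of the exemption are shown because the thread does not state the ASA version; use the one that matches yours.

```cisco
! --- Address pool handed to remote-access clients (range assumed) ---
ip local pool VPN_POOL 10.0.0.10-10.0.0.50 mask 255.255.255.0

! --- NAT exemption, Internal -> WAN, for traffic between the LAN and the pool ---
! The wizard in the thread installed the exemption on the wrong interface pair
! (management -> inside); it has to sit on the pair the VPN traffic actually crosses.

! Form for ASA 8.2 and earlier (internal subnet assumed to be 192.168.1.0/24):
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (Internal) 0 access-list NO_NAT

! Equivalent form for ASA 8.3 and later (identity NAT, both directions):
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL_NET
 subnet 10.0.0.0 255.255.255.0
nat (Internal,WAN) source static INSIDE_NET INSIDE_NET destination static VPN_POOL_NET VPN_POOL_NET

! --- Split tunnelling ---
! What the wizard produced (everything, 0.0.0.0/0) pushes a default route to the client:
!   access-list SPLIT_TUNNEL standard permit 0.0.0.0 0.0.0.0
! Listing only the network behind the ASA tunnels just that prefix:
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

group-policy RA_VPN internal
group-policy RA_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

tunnel-group RA_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy RA_VPN
```

To confirm the exemption is matched before reconnecting a client, trace a return packet from a server towards the pool address with packet-tracer, for example `packet-tracer input Internal icmp 192.168.1.10 8 0 10.0.0.10`; the NAT phase should show the exemption rule rather than a drop. After the client reconnects, its route table should carry only 192.168.1.0/24 via the VPN adapter and the original default route should be untouched.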
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router: