New Member

ASA vpn client access issue

Hi, I'm new to ASA and have a quick question. I've got an IPsec VPN over the WAN interface that is working via a client, and I'm assigned the IP from the correct pool below, which is part of nameif ADMINSTAFF. However, I can't SSH to the ASA once the tunnel is connected. I suspect it has something to do with NAT/policy-group, but I'm not sure. When I VNC to 192.168.2.32 first and then SSH to the ASA it works, but from my VPN-assigned IP (192.168.2.90-99) SSH to the ASA's 192.168.2.1 IP doesn't work. When connected via the VPN client I can't ping 192.168.2.1, but I can ping 192.168.2.32.

interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address x.x.x.17 255.255.255.248
!
interface Ethernet0/1
 nameif LAN
 security-level 50
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.100
 vlan 101
 nameif STAFF
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2.101
 vlan 102
 nameif ADMINSTAFF
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2.102
 vlan 1
 nameif Default
 security-level 50
 ip address 192.168.254.1 255.255.255.0
!
access-list skip-nat-inside extended permit ip any 192.168.2.0 255.255.255.0
access-list skip-nat-inside extended permit ip host 192.168.1.32 192.168.3.0 255.255.255.0
access-list skip-nat-inside extended permit ip host 192.168.1.31 192.168.3.0 255.255.255.0
access-list skip-nat-inside extended permit ip host 192.168.2.32 192.168.3.0 255.255.255.0
access-list skip-nat-inside extended permit ip host 192.168.2.31 192.168.3.0 255.255.255.0
!
ssh 192.168.1.0 255.255.255.0 STAFF
ssh 192.168.2.0 255.255.255.0 ADMINSTAFF
ssh 192.168.254.0 255.255.255.0 Default
ssh 10.0.0.0 255.255.255.0 management
!
global (WAN) 2 x.x.x.18-x.x.x.20
global (WAN) 1 interface
nat (STAFF) 0 access-list skip-nat-inside
nat (STAFF) 1 192.168.1.0 255.255.255.0
nat (ADMINSTAFF) 0 access-list skip-nat-inside
nat (ADMINSTAFF) 2 192.168.2.28 255.255.255.255
nat (ADMINSTAFF) 2 192.168.2.29 255.255.255.255
nat (ADMINSTAFF) 1 192.168.2.0 255.255.255.0
nat (Default) 0 access-list skip-nat-inside
nat (Default) 1 192.168.254.0 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
!
ip local pool X 192.168.2.90-192.168.2.99 mask 255.255.255.0
!
group-policy X internal
group-policy X attributes
 dns-server value x.x.x.x x.x.x.x
!
username X password xxx encrypted privilege 0
username X attributes
 vpn-group-policy X
!
tunnel-group X type remote-access
tunnel-group X general-attributes
 address-pool X
 default-group-policy X
tunnel-group X ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group X

2 REPLIES
Cisco Employee

Please add the following to be able to manage the ASA via VPN Client:

management-access ADMINSTAFF

Cisco Employee

Oh and BTW, you shouldn't really have the ip pool in the same subnet as your internal network. It should be a completely unique subnet.
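Putting the two replies together, here is an added configuration example (not from the original thread and not Cisco's own text) showing what the poster's config looks like once the VPN pool is moved to its own subnet and the ASA is made reachable from the clients. The 192.168.100.0/24 pool is an assumed value chosen for illustration; every other command mirrors what is already in the original post, in the same pre-8.3 nat/global syntax, and the existing nat (ADMINSTAFF) 0 access-list skip-nat-inside line is what makes the new exemption entry take effect.

```text
! VPN address pool on a subnet that does not overlap any nameif'd interface
! (192.168.100.0/24 is an assumed value, replace with an unused range)
ip local pool X 192.168.100.1-192.168.100.10 mask 255.255.255.0
!
! Exempt inside-to-client traffic from NAT, as the original ACL already does
! for 192.168.2.0/24; without this entry replies to the clients get translated
access-list skip-nat-inside extended permit ip any 192.168.100.0 255.255.255.0
!
! Permit SSH from the client subnet. VPN client sessions to the ASA itself are
! treated as arriving on the interface named in management-access, so the
! interface here is ADMINSTAFF rather than WAN
ssh 192.168.100.0 255.255.255.0 ADMINSTAFF
!
! Allow VPN clients to reach the ASA on its ADMINSTAFF address (192.168.2.1)
! for management protocols such as SSH and ICMP
management-access ADMINSTAFF
```

The check is the same pair of tests the question describes: from a connected client, ping 192.168.2.1 and then open an SSH session to it. Keeping the pool on its own subnet also makes the VPN clients visible as a distinct source range in the access lists and logs, which is easier to audit than client addresses interleaved with the physical ADMINSTAFF hosts.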
