New Member

VPN access

I have an ASA5510 running ios 7.2(2). When a client VPN is established, clients are not able to access any server that does not have a static translation built. Is it necessary to build static translations for every server that needs to be accessed, or is there a simpler way of doing this? I've tried the sysopt command and building a vpn-filter under the policy setting; neither seems to help. Any suggestions would be appreciated.

5 REPLIES
Gold

Re: VPN access

Which sysopt command? permit-vpn?

Do your crypto ACLs allow the communication to said servers? Are you using split tunneling?

Can you post a partial config?

New Member

Re: VPN access

sysopt connection permit-vpn is the command I used.

This is a client to ASA VPN with no split tunneling.

The ACLs I tried were allowing all traffic from the tunnel-group to the server network.

access-list 10 remark verizonVPN

access-list 10 extended permit ip any 10.3.0.0 255.255.0.0

access-list 10 extended permit ip any 10.2.0.0 255.255.0.0

__________

group-policy verizon attributes

dns-server value 10.3.1.48 207.78.40.49

vpn-simultaneous-logins 10

default-domain value QDINC.net

vpn-filter value 10

________

tunnel-group verizon type ipsec-ra

tunnel-group verizon general-attributes

address-pool qdi

authentication-server-group TACACS+ LOCAL

default-group-policy verizon

tunnel-group verizon ipsec-attributes

pre-shared-key *

Gold

Re: VPN access

! Exempt traffic from the inside networks to the VPN pool from NAT

access-list nat0_acl extended permit ip 10.3.0.0 255.255.0.0 remoteaccess_pool

access-list nat0_acl extended permit ip 10.2.0.0 255.255.0.0 remoteaccess_pool

nat (inside) 0 access-list nat0_acl

Substitute 'remoteaccess_pool' with whatever the IP range is of your actual pool.
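
An offline check for the fix in the answer above, added here as an example and not code from the thread: it reads an ASA configuration and lists the inside networks whose traffic to the VPN address pool is not covered by a `nat (inside) 0` exemption ACL. The pool name qdi and the 10.2/10.3 networks come from the thread; the pool range 10.99.0.1-10.99.0.254 and all function names are assumptions.

```python
import ipaddress
import re

# Constructed sample: pool name and inside networks are from the thread;
# the pool range is an assumed placeholder. The 10.2.0.0 entry is left out
# on purpose so the check has something to report.
SAMPLE = """\
ip local pool qdi 10.99.0.1-10.99.0.254 mask 255.255.255.0
access-list nat0_acl extended permit ip 10.3.0.0 255.255.0.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list nat0_acl
"""


def pool_range(config, pool):
    """Return (first, last) address of 'ip local pool <pool> a-b'."""
    m = re.search(rf"^ip local pool {re.escape(pool)} ([\d.]+)-([\d.]+)", config, re.M)
    if m is None:
        raise ValueError(f"pool {pool!r} not defined")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def exemption_entries(config, ifname="inside"):
    """Yield (src_net, dst_net) from ACLs bound with 'nat (<ifname>) 0 access-list'."""
    acls = re.findall(rf"^nat \({re.escape(ifname)}\) 0 access-list (\S+)", config, re.M)
    for acl in acls:
        pat = rf"^access-list {re.escape(acl)} (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)\s*$"
        for src, smask, dst, dmask in re.findall(pat, config, re.M):
            try:
                yield (ipaddress.ip_network(f"{src}/{smask}"),
                       ipaddress.ip_network(f"{dst}/{dmask}"))
            except ValueError:
                continue  # 'host'/'any'/object forms are not handled here


def uncovered(config, pool, inside_nets):
    """Inside networks with no exemption entry spanning the whole pool."""
    first, last = pool_range(config, pool)
    entries = list(exemption_entries(config))
    missing = []
    for net in map(ipaddress.ip_network, inside_nets):
        if not any(net.subnet_of(s) and first in d and last in d for s, d in entries):
            missing.append(str(net))
    return missing


if __name__ == "__main__":
    print(uncovered(SAMPLE, "qdi", ["10.3.0.0/16", "10.2.0.0/16"]))
```

An empty result means every listed inside network has an exemption entry whose destination spans the whole pool, which is narrower than building static translations per server or exempting `any`.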

New Member

Re: VPN access

That seems to have worked.

I thank you kind sir.

David

Gold

Re: VPN access

You're welcome... and thanks for the rating.
