08-01-2008 07:20 AM - edited 03-11-2019 06:24 AM
NEED HELP!!
I have been struggling with this for the last three days. I have a very basic case. My client wants to connect to my ASA using the Cisco VPN client and connect to one host in my network (192.168.1.51). This VPN configuration works and lets me connect using the Cisco VPN client, but I cannot go anywhere else after connecting.
I cannot PING 192.168.1.51 from the client and cannot run any protocols (telnet, ftp, etc.) to my host (192.168.1.51). BUT I can run these protocols while I am on the inside network without VPN.
I verified that the route exists in my core router (192.168.1.254):
"ip route 192.168.11.0 255.255.255.0 192.168.1.252"
ASA Inside IP: 192.168.1.252
Core Router IP: 192.168.1.254
Server on the inside: 192.168.1.51
"Sysopt permit-ipsec" is enabled so that all VPN traffic bypasses the ACL on the outside interface.
ASA version 7.21
hostname ABC
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 15.15.15.15 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.252 255.255.255.0
#ACL 101 is used to bypass NAT
access-list 101 extended permit ip host 192.168.1.53 192.168.11.0 255.255.255.0
access-list 101 extended permit ip host 192.168.1.51 192.168.11.0 255.255.255.0
access-list 101 extended permit ip host 192.168.1.254 192.168.11.0 255.255.255.0
access-list aclout extended permit udp any interface outside eq 5008
#ACL 102 is for split-tunneling
access-list 102 extended permit ip 192.168.11.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool testpool 192.168.11.1-192.168.11.5
nat-control
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) udp interface 5008 192.168.1.53 5008 netmask 255.255.255.255
access-group aclout in interface outside
route outside 0.0.0.0 0.0.0.0 15.15.15.16 1
route inside 192.168.0.0 255.255.0.0 192.168.1.254 1
group-policy mypolicy internal
group-policy mypolicy attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 102
crypto ipsec transform-set SprintVPN esp-3des esp-sha-hmac
crypto dynamic-map dyn1 1 set transform-set SprintVPN
crypto map Mymap 1 ipsec-isakmp dynamic dyn1
crypto map Mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group mytunnelgroup type ipsec-ra
tunnel-group mytunnelgroup general-attributes
address-pool testpool
default-group-policy mypolicy
tunnel-group mytunnelgroup ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none   <- This is used to disable user authentication for the VPN client.
end
08-01-2008 07:25 AM
Your split tunnel acl is backwards.
access-list 102 extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
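A small checker for exactly this mistake, added here as an example and not part of the thread or of any Cisco tool: it parses the pool, the extended ACL entries and the group-policy's split-tunnel-network-list from an ASA-style config fragment and flags an entry whose source is the VPN pool instead of the protected inside network. The sample config is constructed from the lines above, and ACL 103 is a hypothetical name for the corrected entry from the reply.

```python
import ipaddress
import re
# Constructed sample (not the poster's full config): the pool and split-tunnel
# ACL from the thread, plus the reply's fix under the hypothetical name 103.
SAMPLE_CONFIG = """
ip local pool testpool 192.168.11.1-192.168.11.5
access-list 102 extended permit ip 192.168.11.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
group-policy mypolicy attributes
 split-tunnel-network-list value 102
"""

# Only network/mask ACL entries are parsed; 'host' entries are skipped.
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)$")
SPLIT_RE = re.compile(r"^split-tunnel-network-list value (\S+)$")

def parse_config(text):
    """Return (pools, acls, split_acl): pool ranges, ACL entries, policy's ACL."""
    pools, acls, split_acl = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            pools.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif m := ACL_RE.match(line):
            src = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            dst = ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)
            acls.setdefault(m[1], []).append((src, dst))
        elif m := SPLIT_RE.match(line):
            split_acl = m[1]
    return pools, acls, split_acl

def overlaps_pool(net, pools):
    # True if either end of any address pool lies inside net.
    return any(lo in net or hi in net for lo, hi in pools)

def check_split_tunnel_acl(text, acl_name=None):
    """List problems with the split-tunnel ACL (default: the one the policy names).
    In an extended entry the source must be the protected inside network and
    the destination the client side; a source that is the pool is backwards."""
    pools, acls, split_acl = parse_config(text)
    name = acl_name or split_acl
    if name not in acls:
        return [f"split-tunnel ACL {name} has no network entries"]
    problems = []
    for src, dst in acls[name]:
        if overlaps_pool(src, pools):
            problems.append(f"{name}: source {src} is the VPN pool, entry is backwards")
        if not overlaps_pool(dst, pools):
            problems.append(f"{name}: destination {dst} does not cover the VPN pool")
    return problems
```

Running it against the sample reports two problems for ACL 102 (source is the pool, destination does not cover the pool) and none for the corrected ACL 103.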