VPN client connected to ASA but cannot do anything after connecting. HELP!

donlin123
Level 1

NEED HELP!!

I have struggled with this for the last three days. I have a very basic case. My client wants to connect to my ASA using the Cisco VPN client and connect to one host in my network (192.168.1.51). This VPN configuration works and lets me connect using the Cisco VPN client, but I cannot go anywhere else after connecting.

I cannot ping 192.168.1.51 from the client and cannot run any protocols (telnet, ftp etc.) to my host (192.168.1.51). BUT I can run these protocols while I am on the inside network without VPN.

I verified that the route exists in my core router (192.168.1.254):

“ip route 192.168.11.0 255.255.255.0 192.168.1.252”

ASA Inside IP: 192.168.1.252

Core Router IP: 192.168.1.254

Server on the inside: 192.168.1.51

“sysopt permit-ipsec” is enabled so that all VPN traffic bypasses the ACL on the outside interface.

ASA version 7.21

hostname ABC
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 15.15.15.15 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.252 255.255.255.0
# ACL 101 is used to bypass NAT
access-list 101 extended permit ip host 192.168.1.53 192.168.11.0 255.255.255.0
access-list 101 extended permit ip host 192.168.1.51 192.168.11.0 255.255.255.0
access-list 101 extended permit ip host 192.168.1.254 192.168.11.0 255.255.255.0
access-list aclout extended permit udp any interface outside eq 5008
# ACL 102 is for split-tunneling
access-list 102 extended permit ip 192.168.11.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool testpool 192.168.11.1-192.168.11.5
nat-control
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) udp interface 5008 192.168.1.53 5008 netmask 255.255.255.255
access-group aclout in interface outside
route outside 0.0.0.0 0.0.0.0 15.15.15.16 1
route inside 192.168.0.0 255.255.0.0 192.168.1.254 1
group-policy mypolicy internal
group-policy mypolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 102
crypto ipsec transform-set SprintVPN esp-3des esp-sha-hmac
crypto dynamic-map dyn1 1 set transform-set SprintVPN
crypto map Mymap 1 ipsec-isakmp dynamic dyn1
crypto map Mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
tunnel-group mytunnelgroup type ipsec-ra
tunnel-group mytunnelgroup general-attributes
 address-pool testpool
 default-group-policy mypolicy
tunnel-group mytunnelgroup ipsec-attributes
 pre-shared-key *

 isakmp ikev1-user-authentication none
# This is used to disable user authentication for the VPN client.
end

1 Reply

acomiskey
Level 10

Your split-tunnel ACL is backwards.

access-list 102 extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
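An added configuration check, not part of either post: a small Python lint that reads an extended ACE used as an ASA split-tunnel network list and reports whether the client pool sits in the destination (correct) or in the source (reversed, as in the original post). The ACE strings and the pool are copied from this thread and embedded as constructed input; the 'no-pool' and 'ambiguous' outcomes are assumed labels for the cases the thread does not cover.

```python
import ipaddress
import re

# Constructed input, copied from the thread: the split-tunnel ACE as posted,
# the corrected ACE from the reply, and the client address pool.
POOL = "192.168.11.1-192.168.11.5"
ACE_AS_POSTED = ("access-list 102 extended permit ip "
                 "192.168.11.0 255.255.255.0 192.168.1.0 255.255.255.0")
ACE_CORRECTED = ("access-list 102 extended permit ip "
                 "192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0")

QUAD = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Only the dotted-quad form is parsed; 'any' / 'host' keywords are reported as unparsed.
ACE_RE = re.compile(
    rf"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    rf"{QUAD}\s+{QUAD}\s+{QUAD}\s+{QUAD}$"
)


def pool_networks(pool):
    """Summarise an 'a.b.c.d-w.x.y.z' local pool range into CIDR networks."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in pool.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def check_split_tunnel_ace(ace, pool):
    """Classify one extended ACE used as a split-tunnel network list.

    The source is the protected network behind the ASA and the destination is
    the client side, so the pool must be covered by the destination.
    Returns 'ok', 'reversed', 'ambiguous' (both sides cover the pool, e.g. any/any),
    'no-pool' (neither side covers it) or 'unparsed'.
    """
    m = ACE_RE.match(ace.strip())
    if not m:
        return "unparsed"
    _, src, smask, dst, dmask = m.groups()
    src_net = ipaddress.IPv4Network((src, smask), strict=False)
    dst_net = ipaddress.IPv4Network((dst, dmask), strict=False)
    nets = pool_networks(pool)
    in_src = all(n.subnet_of(src_net) for n in nets)
    in_dst = all(n.subnet_of(dst_net) for n in nets)
    if in_dst and not in_src:
        return "ok"
    if in_src and not in_dst:
        return "reversed"
    return "ambiguous" if in_src else "no-pool"


if __name__ == "__main__":
    for label, ace in (("as posted", ACE_AS_POSTED), ("corrected", ACE_CORRECTED)):
        print(f"{label:>10}: {check_split_tunnel_ace(ace, POOL)}")
```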
