02-29-2008 03:15 AM - edited 03-11-2019 05:10 AM
Hi,
I have an ASA 5505 running IOS 7.2(3) and ASDM 5.2(3). I configured remote access VPN with IP pool 192.168.1.0/24. I can connect via VPN to the ASA but I cannot access any resource on the LAN (192.168.0.0/24). I couldn't even PING the server on the LAN (192.168.0.1). Also, I could not launch ASDM via the VPN connection I established.
Does anyone have any idea what is missing in my config?
Thanks for your help and time.
02-29-2008 07:53 AM
Can you confirm what your default gateway on the 192.168.0.0/24 network is?
Is it the firewall internal address?
If not, you need to ensure you have a route configured for the 192.168.1.0/24 network pointing at your internal ASA interface address.
Besides this, you will not be able to connect to the internal interface of the ASA from a VPN connection that terminates on any other interface. This is not permitted by the ASA.
02-29-2008 08:33 AM
Hi,
The default gateway for the 192.168.0.0/24 is the ASA Inside Interface IP address (192.168.0.254). I created a route like this:
route inside 192.168.1.0 255.255.255.0 192.168.0.254 1
yet I still can't launch ASDM, nor am I able to SSH/Telnet to the ASA. I could not PING the ASA inside interface IP address or any node on the 192.168.0.0/24 network either.
02-29-2008 09:57 AM
Hi,
Please try to add these commands and check if it works,
access-list 110 permit ip 192.168.0.0 255.255.255.0 any
group-policy Ideal-PR attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 110
These commands will specify the traffic that will use the VPN tunnel.
regards
03-04-2008 05:36 AM
Split tunneling will not fix this problem. Besides this, I would not suggest applying split tunneling unless you need it, e.g. you need to allow the client internet access via its local internet link whilst still connected to the VPN.
The reason I say this is because there are risks associated with allowing split-tunneling whereby the client may allow access to your corporate LAN due to the client's local LAN not being secure.
02-29-2008 10:02 AM
Hi,
also change this access list
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.224
to
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
regards
03-04-2008 06:50 AM
Can you confirm which clients you are testing from?
I took your config and installed it on a spare ASA. It works fine from a windows client, but not from a Mac client.
03-04-2008 07:42 AM
Also, it seems you ARE able to access the PIX/ASA internal interface from the outside/other interface. You need to apply the following command:
'management-access inside'
03-07-2008 04:55 AM
Hi,
Thanks for your response. I didn't want to implement Split tunnelling due to potential risks.
I corrected the ACL but it still didn't work. I was testing from the 192.168.1.0/24 network.
I added the command "crypto isakmp nat-traversal" from the CLI and I could access the 192.168.0.0/24 network.
Everything is working fine now. Thank you all for your help.
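As an added example, not from any of the posters in this thread: a small Python check that audits an ASA config excerpt for the three points raised above (the NAT exemption ACL must cover the whole VPN pool, not a /27; `management-access inside` for ASDM/SSH to the inside interface over the tunnel; `crypto isakmp nat-traversal` for clients behind NAT). The `ip local pool` line and the pool name `vpnpool` are constructed assumptions, since the thread does not show them.

```python
import ipaddress
import re

# Constructed excerpt modelled on the thread: the /27 nat0 entry is the one
# a later reply says should be a /24. Pool name and range are assumed.
BROKEN_CONFIG = """\
ip local pool vpnpool 192.168.1.1-192.168.1.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.224
route inside 192.168.1.0 255.255.255.0 192.168.0.254 1
"""

# Same excerpt with the fixes from the thread applied.
FIXED_CONFIG = """\
ip local pool vpnpool 192.168.1.1-192.168.1.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.1.0 255.255.255.0
management-access inside
crypto isakmp nat-traversal
"""

POOL_RE = re.compile(r"^ip local pool \S+ (\S+)-(\S+)")
NAT0_RE = re.compile(r"^access-list inside_nat0_outbound extended permit ip any (\S+) (\S+)")


def parse_pools(config):
    """Return (first, last) address pairs from every 'ip local pool' line."""
    return [(ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
            for m in map(POOL_RE.match, config.splitlines()) if m]


def parse_nat0_networks(config):
    """Return the destination networks exempted from NAT for VPN clients."""
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            for m in map(NAT0_RE.match, config.splitlines()) if m]


def audit(config):
    """Return a list of findings; an empty list means the three checks pass."""
    findings = []
    nets = parse_nat0_networks(config)
    for first, last in parse_pools(config):
        # Both ends of the pool must fall inside one exempted network.
        if not any(first in n and last in n for n in nets):
            findings.append(f"nat0 exemption does not cover the whole pool {first}-{last}")
    if "management-access inside" not in config:
        findings.append("management-access inside missing: ASDM/SSH to inside over VPN fails")
    if "crypto isakmp nat-traversal" not in config:
        findings.append("crypto isakmp nat-traversal missing: clients behind NAT may pass no traffic")
    return findings


if __name__ == "__main__":
    for line in audit(BROKEN_CONFIG):
        print(line)
```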