Cisco Support Community
vpn problem with asa ver 7.2

Hi, I am new in the security world, so I am having connectivity problems from the VPN clients to the internal LAN. When a remote VPN client connects with the ASA, the VPN works fine, but the VPN client is not able to ping any inside host, and the remote VPN client stops navigating the internet, but it has internet.... What could happen?

thanks

1 ACCEPTED SOLUTION

Re: vpn problem with asa ver 7.2

Hi,

You have two stages to resolve your problems.

You said the client is connected and getting an IP address but unable to communicate or ping. This can be solved by NAT exemption, or nat 0.

For example:

If your local LAN network is 192.168.1.0 /24

and the VPN clients pool IP addresses are 172.16.1.0 /24

then do the following:

access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0

nat (inside) 0 access-list 100

Now they will be able to ping.

About the second issue, which is the internet browsing: this can be solved with a feature called split tunneling.

In this feature you let the client send traffic only to your LAN behind the firewall as tunneled traffic; anything else will go based on the user's local machine settings.

First create an ACL for the split tunneling.

Assuming your LAN is 192.168.1.0:

access-list split standard permit 192.168.1.0 255.255.255.0

group-policy [your group policy name] internal

group-policy [your group policy name] attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split

And the following example for reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml

Good luck.

Please rate if helpful.
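As an added check (not from the original post or from Cisco), a small Python script that parses a constructed ASA 7.2-style config fragment built from the answer's LAN, pool and ACL names and reports whether both fixes (the nat 0 exemption and the split-tunnel list) are actually in place; the `ip local pool` line and the group-policy name RAVPN are assumptions.

```python
import ipaddress
import re

# Constructed ASA 7.2-style fragment (not the poster's config). LAN, pool and ACL
# names follow the answer; the "ip local pool" line and policy name RAVPN are assumed.
ASA_CONFIG = """\
ip local pool VPNPOOL 172.16.1.1-172.16.1.254 mask 255.255.255.0
access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list 100
access-list split standard permit 192.168.1.0 255.255.255.0
group-policy RAVPN internal
group-policy RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
"""

LAN = ipaddress.ip_network("192.168.1.0/24")


def net(addr, mask):
    # ASA writes "network netmask"; ipaddress accepts the "addr/netmask" form
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_ravpn(cfg, lan):
    """Return a list of findings; an empty list means both fixes are present."""
    findings = []
    m = re.search(r"ip local pool \S+ (\S+)-\S+ mask (\S+)", cfg)
    pool = net(m.group(1), m.group(2)) if m else None
    if pool is None:
        findings.append("no ip local pool defined")
    elif lan.overlaps(pool):
        findings.append("vpn pool overlaps inside LAN")
    # fix 1: a nat (inside) 0 ACL must have an ACE covering LAN -> pool
    m = re.search(r"nat \(inside\) 0 access-list (\S+)", cfg)
    pat = rf"access-list {m.group(1)} (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)" if m else None
    aces = re.findall(pat, cfg) if pat else []
    if pool and not any(lan.subnet_of(net(s, sm)) and pool.subnet_of(net(d, dm))
                        for s, sm, d, dm in aces):
        findings.append("nat (inside) 0 exemption does not cover LAN -> vpn pool")
    # fix 2: policy must be tunnelspecified and the referenced list must include the LAN
    if "split-tunnel-policy tunnelspecified" not in cfg:
        findings.append("split-tunnel-policy is not tunnelspecified (all traffic tunneled)")
    m = re.search(r"split-tunnel-network-list value (\S+)", cfg)
    nets = re.findall(rf"access-list {m.group(1)} standard permit (\S+) (\S+)", cfg) if m else []
    if not any(lan.subnet_of(net(n, mk)) for n, mk in nets):
        findings.append("split-tunnel ACL does not include the inside LAN")
    return findings


if __name__ == "__main__":
    print(check_ravpn(ASA_CONFIG, LAN) or ["OK"])
```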
