08-15-2008 04:02 PM - edited 03-11-2019 06:31 AM
Hi, I am new in the security world, so I am having connectivity problems from the VPN clients to the internal LAN. When a remote VPN client connects with the ASA, the VPN works fine, but the VPN client is not able to ping any inside host, and the remote VPN client stops navigating on the internet, but it has internet.... what could happen?
Thanks
08-15-2008 06:04 PM
Hi
You have two stages to resolve your problems.
You said the client is connected and getting an IP address but is unable to communicate or ping; this can be solved by NAT exemption or nat 0.
For example,
if your local LAN network is 192.168.1.0 /24
and the VPN clients' pool IP addresses are 172.16.1.0 /24,
then do the following:
access-list 100 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list 100
Now they will be able to ping.
About the second issue, which is the internet browsing, this can be solved with a feature called split tunneling.
In this feature you let the client send traffic only to your LAN behind the firewall as tunneled traffic; anything else will go based on the user's local machine setting.
First create an ACL for the split tunneling,
assuming your LAN is 192.168.1.0:
access-list split standard permit 192.168.1.0 255.255.255.0
group-policy [your group policy name] internal
group-policy [your group policy name] attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
And the following example for reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml
Good luck.
Please rate if helpful.
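As an added illustration of the two fixes in the answer above (not code from the thread or from Cisco), here is a small Python model of the NAT-exemption ACL and the split-tunnel policy, using the sample 192.168.1.0/24 LAN and 172.16.1.0/24 pool from the answer; the function names and the verdict strings are my own.

```python
import ipaddress
from typing import Iterable, Tuple

IPNet = ipaddress.IPv4Network

# Constructed sample networks, taken from the numbers used in the answer above
LAN = ipaddress.ip_network("192.168.1.0/24")
VPN_POOL = ipaddress.ip_network("172.16.1.0/24")

# 'access-list 100 permit ip <LAN> <POOL>' modelled as (source, destination) pairs
NAT_EXEMPT_ACL = [(LAN, VPN_POOL)]
# 'access-list split standard permit <LAN>' modelled as the split-tunnel network list
SPLIT_LIST = [LAN]


def nat_exempt(src: str, dst: str, acl: Iterable[Tuple[IPNet, IPNet]]) -> bool:
    """Model 'nat (inside) 0 access-list 100': inside->pool traffic that matches
    an entry bypasses NAT, so LAN hosts reply to the client's real pool address."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a and d in b for a, b in acl)


def split_tunnel_route(dst: str, policy: str, split_list: Iterable[IPNet]) -> str:
    """Model 'split-tunnel-policy': return 'tunnel' or 'local' for a client destination."""
    d = ipaddress.ip_address(dst)
    if policy == "tunnelall":          # default: every packet enters the tunnel
        return "tunnel"
    if policy == "tunnelspecified":    # only the listed networks enter the tunnel
        return "tunnel" if any(d in n for n in split_list) else "local"
    raise ValueError(f"unknown split-tunnel-policy {policy!r}")


def client_reachability(client_ip: str, dst: str, policy: str, nat0_configured: bool) -> dict:
    """Combine both checks for one client flow and explain why it works or fails."""
    route = split_tunnel_route(dst, policy, SPLIT_LIST)
    d = ipaddress.ip_address(dst)
    if route == "local":
        return {"route": route, "works": True, "reason": "sent via the client's own internet link"}
    if d not in LAN:
        # Symptom from the question: tunnelled internet traffic is not hairpinned back out by default
        return {"route": route, "works": False, "reason": "internet traffic enters the tunnel: enable split tunneling"}
    # Tunnelled LAN traffic: the LAN host's reply must bypass NAT on the inside interface
    if not (nat0_configured and nat_exempt(dst, client_ip, NAT_EXEMPT_ACL)):
        return {"route": route, "works": False, "reason": "reply to the pool address is NATed: add nat (inside) 0"}
    return {"route": route, "works": True, "reason": "tunnelled and NAT-exempt"}
```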