Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ASA 5505 VPN Network access problem

I have been working on this thing all night and I can't seem to get any where. I have a very straight forward set up, and so far the only issue I'm having is being able to access the network when connected through VPN, I have internet access, but nothing else and it's really strange.

Here is my config, I thought this would be a pretty straight forward set up, and I got everything else up and running with in a few minutes, but not being able to access the network via VPN is frustrating after I have tried all night to get it to work. I have read a lot of stuff online, and I keep on thinking im close but never get anywhere. Any help is appreciated.

Attached is the config.

Thanks

2 REPLIES

Re: ASA 5505 VPN Network access problem

I have a few comments on your config:-

1) Do you only have the 192.168.1.0/24 network on the inside?

2) Do you have a router on the inside?

3) I do not see any no-nat statements from the inside IP subnet to the RVPN subnet

4) I don't think The DNS will work over the RVPN, as you have not configured "Hairpining"

5) Do you really want to tunnel everything over the RVPN?

6) Why have you applied an allow ALL filter on the RVPN - by default nothing is blocked.

Some food for thought!

HTH>

Re: ASA 5505 VPN Network access problem

Your NAT config confuses me. Are those "static (inside,inside)" lines for real?

try this:

no global (inside) 1 interface

no nat (T1) 1 access-list outside_nat dns

nat (inside) 0 access-list Local_LAN_Access

And remove those dodgy "static (inside,inside)" NATs!

I recommend staying with tunnelling everything.

You should tighten "access-list T1_access_in" because at the moment all IP is allowed from the internet to those "static (inside,T1)" NATs.

If you put "no sysopt connection permit-vpn" then all VPN traffic is forced through "access-list T1_access_in" - an easy way of filtering it.

I would tighten "access-list inside_access_in" but unapply and remove "access-list inside_access_out".

113
Views
0
Helpful
2
Replies