
New Member

ASA RA VPN

I've just set up a RA VPN on a new ASA5505. I followed documentation from Cisco on getting it set up. I can connect, but I cannot ping anything on the inside. At first I had the vpn pool giving out IPs on the inside, but I read that this was incorrect. So I assigned a different IP scheme. I'm just not sure how to make it NAT correctly so that I can get to inside IP addresses. If anyone could help, I would appreciate it.

Thanks!


20 REPLIES
Green

Re: ASA RA VPN

If you could post a config, you would probably get a quick solution. Clean out passwords, public IPs etc.

New Member

Re: ASA RA VPN

Attached is a copy of the config.

New Member

Re: ASA RA VPN

I've set it so that the vpn pool uses 172.20.50.115-118 as the IPs. I think where I am running into the problem is the fact that there are two internal IP schemes. There is a 172.20.5 network and a 192.168.1 network. With the way it's set now, I can connect and I get a 172.20.50 address and I can ping the 192.168.1 network, but I'm not sure how to go about accessing the 172.20.5 network. This is where I need VPN clients to have access to.

Thanks for any help!

Green

Re: ASA RA VPN

access-list inside_nat0_outbound extended permit ip 172.20.5.0 255.255.255.0 172.20.50.0 255.255.255.0

That should get you to 172.20.5.0/24. Just make sure that network has a route to the vpn client subnet.

Please rate helpful posts.

New Member

Re: ASA RA VPN

I tried that but it didn't work. Could you explain what you mean by "Just make sure that network has a route to the vpn client subnet."

This could be where my problem is.

Thanks!

Green

Re: ASA RA VPN

Well, you definitely need the access-list statement I posted above.

Where does 172.20.5.0 sit? If you were sitting on that network, what is your default gateway? Does that gateway know how to route to 172.20.50.0?

If your topology was something like this...

VPN Clients 172.20.50.0 - ASA - 192.168.1.0 -Inside Router - 172.20.5.0

In this case the inside router would need a route like this

ip route 172.20.50.0 255.255.255.0 192.168.1.75

Unless of course 192.168.1.1 is its default route.

Green

Re: ASA RA VPN

I made a mistake in my original post above. I did correct it. I had 172.25 instead of 172.20.

access-list inside_nat0_outbound extended permit ip 172.20.5.0 255.255.255.0 172.20.50.0 255.255.255.0

Cisco Employee

Re: ASA RA VPN

Hi,

After checking all the details posted in the previous post by acomiskey.

Also, check and make sure that you have a route on the ASA for the 172.20.5.x and ping the 172.20.5.x IP Address from the ASA.

I hope it helps.

Regards,

Arul

New Member

Re: ASA RA VPN

Ok, I entered the access-list inside_nat0_outbound extended permit ip 172.20.5.0 255.255.255.0 172.20.50.0 255.255.255.0 command. I tried pinging the 172.20.5.x network and couldn't get anything. I added a static route on the ASA on the inside port for 172.20.5.0 255.255.255.0 with the gateway of 172.20.5.2. I could then ping 172.20.5.2 from the ASA and from the VPN 172.20.50.115 client but could still not ping anything else on the 172.20.5.0 network.

What am I missing?

Green

Re: ASA RA VPN

So you added this statement?

route inside 172.20.5.0 255.255.255.0 172.20.5.2

That doesn't make sense as the gateway to the 172.20.5.0 network is on the 172.20.5.0 network.

Could you give us a topology from a client on the 172.20.5.0 network all the way to the ASA?

New Member

Re: ASA RA VPN

Yes, I added the route inside command above.

PC (172.20.5.7) ----Network Switch--(Fiber between two buildings)----DLink(172.20.5.2)-----ASA(192.168.1.75)

Hope this helps.

Green

Re: ASA RA VPN

Ok, thanks. I still see a problem that the route you added doesn't really make sense. Doesn't the DLink have an address on the 192.168.1.0 network?

New Member

Re: ASA RA VPN

Not that I am aware of. I only know of it with the 172.20.5.2 address.

Green

Re: ASA RA VPN

If the dlink is a router and connects the two networks it would have 2 addresses.

PC (172.20.5.7) ----Network Switch--(Fiber between two buildings)----(172.20.5.2)DLink(192.168.1.x)-----ASA(192.168.1.75)

Then your route statement in the ASA would be

route inside 172.20.5.0 255.255.255.0 192.168.1.x
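As an added illustration (not from the thread or from Cisco), the following Python snippet checks the two things this thread turned on: that a static route's next hop sits on a directly connected subnet rather than inside the destination network, and that the nat0 ACL actually exempts internal-to-pool traffic. The addresses are the thread's; the interface table, ACL tuples and helper names are assumptions.

```python
# Added example, not from the thread: sanity-check an ASA static route and the
# nat0 (NAT-exemption) ACL against the topology discussed above.
# Addresses are the ones from the thread; the helper names are hypothetical.
from ipaddress import ip_network, ip_address

# ASA interface subnets (constructed: inside is 192.168.1.0/24, ASA is .75)
INTERFACES = {"inside": ip_network("192.168.1.0/24")}
# The VPN pool 172.20.50.115-118 falls inside this /24
VPN_POOL = ip_network("172.20.50.0/24")

def cidr(net: str, mask: str):
    """Turn an ASA-style 'network mask' pair into an ip_network."""
    return ip_network(f"{net}/{mask}", strict=False)

def check_route(iface: str, net: str, mask: str, gateway: str) -> str:
    """Return 'ok', or why 'route <iface> <net> <mask> <gateway>' cannot work."""
    dest = cidr(net, mask)
    gw = ip_address(gateway)
    connected = INTERFACES.get(iface)
    if connected is None:
        return f"unknown interface {iface}"
    if gw in dest:
        # The mistake in the thread: route inside 172.20.5.0 255.255.255.0 172.20.5.2
        # The ASA can only forward to a next hop on a directly connected subnet.
        return f"next hop {gw} lies inside the destination {dest}"
    if gw not in connected:
        return f"next hop {gw} is not on {iface} ({connected})"
    return "ok"

def nat0_covers(acl, internal_net: str, internal_mask: str) -> bool:
    """True if some 'permit ip <src> <mask> <dst> <mask>' entry exempts
    traffic between the internal network and the VPN pool from NAT."""
    target = cidr(internal_net, internal_mask)
    return any(target.subnet_of(cidr(s, sm)) and VPN_POOL.subnet_of(cidr(d, dm))
               for s, sm, d, dm in acl)

if __name__ == "__main__":
    # Constructed ACL: the inside_nat0_outbound line suggested earlier in the thread
    acl = [("172.20.5.0", "255.255.255.0", "172.20.50.0", "255.255.255.0")]
    print(check_route("inside", "172.20.5.0", "255.255.255.0", "172.20.5.2"))
    print(check_route("inside", "172.20.5.0", "255.255.255.0", "192.168.1.2"))
    print(nat0_covers(acl, "172.20.5.0", "255.255.255.0"))
```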

New Member

Re: ASA RA VPN

Thanks for all of your help.

I needed the route inside 172.20.5.0 255.255.255.0 192.168.1.x command.

Everything appears to be working correctly now.

Green

Re: ASA RA VPN

Good deal, glad it worked out. Thanks for the rating.

New Member

Re: ASA RA VPN

Ran into another problem this morning. I've tested everything on my end and it works great. Client has a new web server that we are supposed to RDP into once connected to VPN and set up. From my office logged in with our account, I can RDP to the server fine. From a different office, my web developer tries to log in and gets connected fine but can't RDP into the server. Any ideas why it would work from here but not from there?

Thanks!

Green

Re: ASA RA VPN

Check the firewall config for...

crypto isakmp nat-traversal

and add it if it is missing.

New Member

Re: ASA RA VPN

It wasn't in there. I added it and it worked. Can you tell me exactly what that command does?

Thanks again for all your help!

Green

Re: ASA RA VPN

It enables nat-traversal which allows you to have ipsec esp packets encapsulated in udp. To put it simply, if a vpn client is behind a pat/nat device, ipsec and pat are incompatible, therefore nat-t must be enabled and used. It runs over udp port 4500.
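As an added example (not from the thread), this Python snippet shows what a capture on UDP 4500 contains once NAT-T is negotiated: IKE prefixed by a four-zero-byte non-ESP marker, ESP-in-UDP starting with its nonzero SPI, and one-byte 0xFF keepalives that hold the PAT mapping open. The sample packets are constructed and the function names are hypothetical.

```python
# Added example, not from the thread: classify what arrives on UDP/4500 once
# NAT-T is in use. Per RFC 3948/3947, the port carries three things: IKE
# (prefixed by a 4-byte zero "non-ESP marker"), UDP-encapsulated ESP (starts
# with the nonzero SPI), and one-byte 0xFF NAT keepalives. Sample packets are
# constructed; function names are hypothetical.
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_HDR = struct.Struct("!QQBBBBII")   # iSPI, rSPI, next, version, exch, flags, msgid, len

def classify_nat_t(payload: bytes) -> dict:
    """Return a dict describing one UDP/4500 payload."""
    if payload == b"\xff":
        return {"kind": "nat-keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        # SPI 0 is reserved in ESP precisely so this marker cannot collide with it
        if len(payload) < 4 + IKE_HDR.size:
            return {"kind": "malformed"}
        i_spi, r_spi, _nxt, ver, exch, _flags, msg_id, length = IKE_HDR.unpack_from(payload, 4)
        return {"kind": "ike", "i_spi": i_spi, "r_spi": r_spi,
                "major": ver >> 4, "exchange": exch, "msg_id": msg_id, "length": length}
    if len(payload) < 8:
        return {"kind": "malformed"}
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp-in-udp", "spi": spi, "seq": seq}

# Constructed samples (not captured traffic)
SAMPLE_KEEPALIVE = b"\xff"
SAMPLE_ESP = struct.pack("!II", 0x1A2B3C4D, 7) + b"\x00" * 16       # SPI, seq, payload
SAMPLE_IKE = NON_ESP_MARKER + IKE_HDR.pack(0x1111, 0x2222, 1, 0x10, 5, 0, 0, 28)

if __name__ == "__main__":
    for p in (SAMPLE_KEEPALIVE, SAMPLE_ESP, SAMPLE_IKE):
        print(classify_nat_t(p))
```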
