
New Member

ASA5505 VPN client problems

my ASA5505Plus connects to the internet and to a laptop; the laptop can access the internet.

a VPN client connects to the ASA but can't access either internal or external IPs

I see that the default gateway is wrong but can't find how to change it:

********************************

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Cisco Systems VPN Adapter

Physical Address. . . . . . . . . : 00-05-9A-3C-78-00

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 192.168.200.5

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.200.1

DNS Servers . . . . . . . . . . . : 4.2.2.2

************************************

I hope this is why I can't access either the laptop (192.168.200.2), management by telnet (192.168.200.4) or the internet via the client. I'm not sure if that part is configured correctly.

see attached configuration


23 REPLIES
Gold

Re: ASA5505 VPN client problems

access-list inside_nat0_outbound doesn't exist.

try something like:

access-list inside_nat0_outbound permit ip 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0

New Member

Re: ASA5505 VPN client problems

I see the request hitting ASA but can't access 200.x from the VPN client

Re: ASA5505 VPN client problems

no ip verify reverse-path interface outside

or

crypto dynamic-map outside_dyn_map 20 set reverse-route

New Member

Re: ASA5505 VPN client problems

is it in addition to the access-list that was suggested?

Re: ASA5505 VPN client problems

I thought that you had applied the access-list without success.

First of all apply STEVEN's solution.

New Member

Re: ASA5505 VPN client problems

I did apply the access-list and it didn't work

then tried both commands, separately and together, and it is still getting the same result - I see it coming in on the ASA log but there is no reply:

Teardown ICMP connection for faddr 192.168.200.5/768 gaddr 192.168.200.2/0 laddr 192.168.200.2/0 (test)

I still wonder if it isn't for the wrong default gateway on the VPN client (and how to change it?)

connection doesn't work on the reverse direction (from my test machine to the VPN machine)

Re: ASA5505 VPN client problems

Hello Ofir,

Please upload the most recent config that appeared after above experts' suggestions.

Also, do not use PING for connectivity tests when firewalls are involved. Use telnet and a port that you are sure is being listened on.

Regards

New Member

Re: ASA5505 VPN client problems

I've tested other ports with a port-listener utility and I see they DO get from the VPN client to the test machine (telnet with a few different port numbers) but telnet to the ASA itself didn't connect.

from the VPN client machine I can't get to the web or use nslookup to resolve names

see attached config

Re: ASA5505 VPN client problems

add the following line

crypto isakmp nat-traversal 20

Re: ASA5505 VPN client problems

Ofir,

Try the following

ip local pool VPN_Pool 172.16.20.1-172.16.20.254 netmask 255.255.255.0

access-list inside_nat0_outbound permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0

no access-list inside_nat0_outbound extended permit ip any 192.168.200.4 255.255.255.252

no access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0

access-list Split_T permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0

tunnel-group test general-attributes

address-pool VPN_Pool

no address-pool test

group-policy test attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split_T

crypto isakmp nat-traversal 20

management-access inside

Regards

New Member

Re: ASA5505 VPN client problems

once again you nailed it! thanks

can you quickly explain the logic behind this config?

Re: ASA5505 VPN client problems

Ofir,

You are welcome. The major change I applied is split tunnelling, which lets VPN clients use their local gateway to connect to the internet while connecting to the networks specified in the tunnel ACL over the VPN.

Second, using a VPN pool within a subnet which is already used on the ASA, and specifying an unusual NAT exempt statement like "permit ip 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0", is not the best practice. Does it work like that? Yes it does, nothing wrong with that, but it is not the best practice and can cause issues like IP conflicts and overlaps while configuring dynamic & static routing in a campus. I made changes accordingly.

IPSEC has some problems when NAT is involved; nat-traversal resolves that one. The main symptom is a connection established but no traffic.

management-access lets outside clients connect to the interface specified in the command.

Regards

New Member

Re: ASA5505 VPN client problems

well, something is still wrong with this config.

I noticed that the VPN client still gets a 192.168.200.x IP, so using the console I changed the IP Pool for that security profile to use VPN_Pool (172.16.20.0/24) rather than the original test (192.168.200.5-7)

so, doing that the client connects and does get a 172.16 IP; it is still connecting to the internet but the connection to the ASA (192.168.200.4) or the attached PC stopped working.

when I switch the IP Pool back to test, it is working as before.

Re: ASA5505 VPN client problems

Can you upload the working and non working configs?

New Member

Re: ASA5505 VPN client problems

see the 2 attachments:

current is what I have NOW - both test & VPN_Pool options get the client connected, access to the internet via own network and access to the ASA console. no access to 192.168.200.2

before is the previous version. I'm not 100% sure it is the one that worked since I test so many options and change it all the time, but I think it's the right one (and see nothing that rings a bell)

thanks

Re: ASA5505 VPN client problems

Ofir,

group-policy test attributes

no address-pools value test

Disconnect, reconnect and try again. Couple of things to check if still no joy,

Modify the VPN_Pool to start from 172.16.20.1 not 172.16.20.0 .

When VPN client is connected, right-click VPN lock icon at right-bottom> click statistics> click route details tab and make sure 192.168.200.0 255.255.255.0 is listed in right pane.

Make sure that the station with IP address 192.168.200.2 you try to reach has 192.168.200.4 as its default gateway. As I previously mentioned, try for example remote desktop to that station instead of pinging.

Also open your ASDM and monitor the logs in real-time as you try to connect 192.168.200.2 from a VPN client and see if any logs appear about that.

Try installing the latest version of Cisco VPN client or at least 5.x

New Member

Re: ASA5505 VPN client problems

* typed in the commands. still not working

* modified the pool to start at 172.16.20.1

it doesn't have a D\G - is it normal?

* 192.168.200.0 route show on the statistics page as expected

* 192.168.200.4 is the D\G for 192.168.200.2

* RDP from the VPN machine couldn't find the computer 192.168.200.2

* ASDM shows the following message multiple times:

no translation group found src 176.16.20.1/x dst 192.168.200.2/y

also - VPN client can't access ASA telnet console (when I use test pool it can)

* I'm using client v5.0.01.0600

Re: ASA5505 VPN client problems

Lol how could I have missed that, thanks for the ASDM output

add the following and you are good to go

nat (inside) 0 access-list inside_nat0_outside
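The two things that bit this thread are the ones the explanation post and the last fix point at: a VPN pool carved out of the inside subnet, and a NAT-exempt ACL that was written but never bound with "nat (inside) 0 access-list", which is what the "no translation group found" ASDM message flags. The audit script below is an added example, not code from the thread or from Cisco; it parses the handful of ASA 8.x config lines involved (ip local pool, access-list ... permit ip, nat (inside) 0 access-list, split-tunnel-network-list) and reports those conditions. The inside subnet and interface name are passed in as assumptions rather than parsed from the interface stanza, and both config snippets are constructed for the demonstration.

```python
"""Audit the remote-access VPN pieces of an ASA 8.x config that this thread
tripped over: pool/inside overlap, NAT exemption coverage, nat 0 binding and
the split-tunnel list.  Added example; not the thread's or Cisco's code."""
import ipaddress
import re


def mask_to_net(addr, mask):
    """ASA writes 'address netmask'; ipaddress accepts that with strict=False."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _take_net(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from a token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return mask_to_net(tok, tokens.pop(0))


def parse_config(text):
    pools = {}           # pool name -> (first address, last address)
    acls = {}            # acl name  -> list of (src_net, dst_net)
    nat0 = {}            # interface -> acl name bound with 'nat (if) 0 access-list'
    split_lists = set()  # acl names referenced by split-tunnel-network-list
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+) netmask (\S+)", line)
        if m:
            name, start, end, _mask = m.groups()
            pools[name] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
            continue
        m = re.match(r"access-list (\S+) (?:extended )?permit ip (.+)$", line)
        if m:
            tokens = m.group(2).split()
            acls.setdefault(m.group(1), []).append((_take_net(tokens), _take_net(tokens)))
            continue
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)", line)
        if m:
            nat0[m.group(1)] = m.group(2)
            continue
        m = re.match(r"split-tunnel-network-list value (\S+)", line)
        if m:
            split_lists.add(m.group(1))
    return pools, acls, nat0, split_lists


def _covers(net, first, last):
    """True if every address of the pool range first..last lies inside net."""
    return net.network_address <= first and last <= net.broadcast_address


def audit(text, inside_if="inside", inside_net="192.168.200.0/24"):
    """Return a list of findings (empty list means the checked pieces look sane).
    inside_if / inside_net are assumptions supplied by the caller."""
    inside = ipaddress.ip_network(inside_net)
    pools, acls, nat0, split_lists = parse_config(text)
    findings = []
    if not pools:
        return ["no 'ip local pool' found; clients cannot be assigned an address"]
    bound = nat0.get(inside_if)
    for name, (first, last) in pools.items():
        if first in inside or last in inside:
            findings.append(f"pool {name} overlaps inside subnet {inside}")
        if bound is None:
            findings.append(f"no 'nat ({inside_if}) 0 access-list' binding: "
                            "expect 'no translation group found' for VPN traffic")
        else:
            entries = acls.get(bound, [])
            if not entries:
                findings.append(f"nat0 ACL {bound} is bound but has no permit ip entries")
            elif not any(inside.subnet_of(s) and _covers(d, first, last) for s, d in entries):
                findings.append(f"nat0 ACL {bound} does not exempt {inside} -> pool {name}")
    for sl in split_lists:
        if not any(inside.subnet_of(s) for s, _ in acls.get(sl, [])):
            findings.append(f"split-tunnel list {sl} does not include {inside}")
    return findings


# Constructed snippets: the shape of the 'before' and 'after' configs in the thread.
BEFORE = """
ip local pool test 192.168.200.5-192.168.200.7 netmask 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.200.4 255.255.255.252
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 192.168.200.0 255.255.255.0
"""

AFTER = """
ip local pool VPN_Pool 172.16.20.1-172.16.20.254 netmask 255.255.255.0
access-list inside_nat0_outbound permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0
access-list Split_T permit ip 192.168.200.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy test attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_T
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg) or ["ok"])
```

Running it prints two findings for the "before" snippet (pool inside 192.168.200.0/24, no nat 0 binding) and "ok" for the "after" one. The check is deliberately narrow: it does not model ASA 8.3+ object NAT, only the 8.2-style "nat (inside) 0 access-list" form used throughout this thread.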

New Member

Re: ASA5505 VPN client problems

thanks.

so now the VPN can access any port including RDP to the inside station; it can ping the ASA but not telnet to the console.

if I want it to allow management access, what should I permit (and is it per user?)

and what if I want to allow and NAT outside connections to the same test station (outside will go to 63.x.y.26 on port abc and be routed to the internal 192.168.200.x using the same port)

Re: ASA5505 VPN client problems

For telnet,

telnet VPNPool VpnMask outside

For port forwarding,

static (inside,outside) tcp interface abc 192.168.200.x abc netmask 255.255.255.255

access-list outside_access_in permit tcp any interface outside eq abc

access-group outside_access_in in interface outside

New Member

Re: ASA5505 VPN client problems

port forwarding is working

telnet does not:

telnet 192.168.200.0 255.255.255.0 inside

telnet 172.16.20.0 255.255.255.0 outside

telnet timeout 15

I do have access from the test station at 192.168.200.2, not from the VPN

Re: ASA5505 VPN client problems

Ah, management-access inside is issued. So you should enter the following

no telnet 172.16.20.0 255.255.255.0 outside

telnet 172.16.20.0 255.255.255.0 inside

New Member

Re: ASA5505 VPN client problems

it is working. thanks
