First-time VPN setup, routing problem?

vbutler
Level 1

I am the network admin at a school district and we recently installed an ASA 5520 to replace our very old PIX (6+ years old). We were not using VPN on the old box because it was not an option, but now that we can, we'd like to set it up for users to connect remotely (strictly IT staff at this point).

I ran through the VPN Wizard in the ASDM and then went back and tweaked some settings in the tunnel/profile settings. I tried connecting from my house and it does connect properly and lets me log in (authenticating against a back-end RADIUS server). I am receiving an IP address from our site DHCP server (not from a pool on the ASA). However, I am not able to reach anything past the ASA. My assumption was that when I connected I should appear to be inside the ASA, and everything should be visible just like I was attached to the local LAN. However, I can't ping anything beyond the ASA (and when I ping the inside interface of that, the response is from the outside address).

I did notice something odd when I ran ipconfig on my computer after connecting:

Ethernet adapter Local Area Connection 4:

Connection-specific DNS Suffix . : ourdomain.com
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.12.158
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.0.12.158
DNS Servers . . . . . . . . . . . : 10.x.x.x 10.x.x.x

*note that some information was munged for security reasons.

The IP Address and the Default Gateway are the same. Maybe this is normal (I am new to VPN, after all) but the problem I'm having does behave like a routing problem. What did I overlook when I created the VPN? FYI, I configured it with the following setting:

Enable inbound IPSec sessions to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic.

Shouldn't this allow me to access any internal hosts after establishing the VPN connection?

Thanks in advance for your help!

1 Reply

vbutler
Level 1

I think I figured out the problem - I did not add the exempt NAT entry to allow inside hosts to talk directly to VPN clients without NAT. I also did not create an access list for the VPN clients to allow them access to specific hosts. I set those both up and I'll try it again tonight.

Funny, the article on Cisco's website that I used didn't even mention those steps.
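An added example (not from the original post, nor from Cisco's article) of the two pieces the reply describes, a NAT exemption for inside-to-client traffic and a vpn-filter ACL that limits what clients may reach, in pre-8.3 ASA syntax. The inside LAN 10.0.0.0/16 comes from the ipconfig output above; the client range 10.0.12.0/24, the host 10.0.5.20, and the group-policy/tunnel-group names are assumed placeholders.

```cisco
! Constructed example. Inside LAN 10.0.0.0/16 (from the ipconfig output);
! VPN clients are assumed to receive addresses in 10.0.12.0/24.
! ASA 7.x / 8.0-8.2 syntax: "nat (inside) 0 access-list" is NAT exemption.
! ASA 8.3 and later replaced this with object-based NAT, so do not copy it there.

! 1) NAT exemption: traffic from inside hosts to VPN clients must not be
!    translated, otherwise replies never make it back into the tunnel.
access-list NO_NAT_VPN extended permit ip 10.0.0.0 255.255.0.0 10.0.12.0 255.255.255.0
nat (inside) 0 access-list NO_NAT_VPN

! 2) Limit what VPN clients may reach. With the "bypass interface access lists"
!    option enabled, this vpn-filter is the only ACL applied to tunnel traffic,
!    so anything not permitted here is dropped. For remote-access clients the
!    filter is written with the client as source and the inside host as
!    destination; the ASA matches the return traffic to the same entries.
access-list VPN_IT_FILTER extended permit tcp 10.0.12.0 255.255.255.0 host 10.0.5.20 eq 3389
access-list VPN_IT_FILTER extended permit tcp 10.0.12.0 255.255.255.0 host 10.0.5.20 eq 22
access-list VPN_IT_FILTER extended permit icmp 10.0.12.0 255.255.255.0 10.0.0.0 255.255.0.0

! Attach the filter to the group policy used by the IT staff tunnel group.
group-policy IT_STAFF_GP internal
group-policy IT_STAFF_GP attributes
 vpn-filter value VPN_IT_FILTER

tunnel-group IT_STAFF_TG type ipsec-ra
tunnel-group IT_STAFF_TG general-attributes
 default-group-policy IT_STAFF_GP
```

Because the filter deliberately lists only the hosts and ports IT staff need, a failed connection from a client is expected for anything else; widen the ACL per host rather than replacing it with a permit-any.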