12-12-2006 02:39 PM - edited 02-21-2020 02:45 PM
I am the network admin at a school district and we recently installed an ASA 5520 to replace our very old PIX (6+ years old). We were not using VPN on the old box because it was not an option, but now that we can we'd like to set it up for users to connect remotely (strictly IT staff at this point).
I ran through the VPN Wizard in the ASDM and then went back and tweaked some settings in the tunnel/profile settings. I tried connecting from my house and it does connect properly and lets me log in (authenticating against a back-end RADIUS server). I am receiving an IP address from our site DHCP server (not from a pool on the ASA). However, I am not able to reach anything past the ASA. My assumption was that when I connected I should appear to be inside the ASA, and everything should be visible just like I was attached to the local LAN. However, I can't ping anything beyond the ASA (and when I ping the inside interface of that, the response is from the outside address).
I did notice something odd when I ran ipconfig on my computer after connecting:
Ethernet adapter Local Area Connection 4:
Connection-specific DNS Suffix . : ourdomain.com
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.12.158
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.0.12.158
DNS Servers . . . . . . . . . . . : 10.x.x.x 10.x.x.x
*note that some information was munged for security reasons.
The IP Address and the Default Gateway are the same. Maybe this is normal (I am new to VPN, after all) but the problem I'm having does behave like a routing problem. What did I overlook when I created the VPN? FYI, I configured it with the following setting:
Enable inbound IPSec sessions to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic.
Shouldn't this allow me to access any internal hosts after establishing the VPN connection?
Thanks in advance for your help!
12-13-2006 01:06 PM
I think I figured out the problem - I did not add the exempt NAT entry to allow inside hosts to talk directly to VPN clients without NAT. I also did not create an access list for the VPN clients to allow them access to specific hosts. I set those both up and I'll try it again tonight.
Funny, the article on Cisco's website that I used didn't even mention those steps.
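The two steps described in the post above (NAT exemption for VPN clients, plus an access list limiting what they can reach), shown as an added ASA 7.x-style configuration example; this is not the poster's configuration or Cisco's article. The network ranges, host addresses, and the ACL/group-policy names are assumed placeholders: 10.0.0.0/16 for the inside LAN (the /16 shown in the ipconfig output) and 10.0.12.0/24 for the addresses handed to VPN clients.

```cisco
! Added example, not from the post. Assumed values:
!   inside LAN          10.0.0.0/16     (placeholder)
!   VPN client range    10.0.12.0/24    (placeholder for the DHCP scope given to clients)
!   ACL and group-policy names          (placeholders)

! 1. NAT exemption: inside hosts must answer VPN clients without being
!    translated, otherwise replies leave with the outside address (as seen
!    in the post when pinging the inside interface).
access-list INSIDE_NONAT extended permit ip 10.0.0.0 255.255.0.0 10.0.12.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT

! 2. Per-group access list. "Bypass interface access lists" skips the outside
!    interface ACL for IPsec traffic, but a vpn-filter on the group policy still
!    applies, so IT-staff clients are limited to the hosts they need rather than
!    the whole LAN. Source is the client side of the tunnel, destination is local.
access-list VPN_IT_STAFF extended permit ip 10.0.12.0 255.255.255.0 host 10.0.1.10
access-list VPN_IT_STAFF extended permit ip 10.0.12.0 255.255.255.0 10.0.2.0 255.255.255.0
group-policy IT_STAFF_GP attributes
 vpn-filter value VPN_IT_STAFF

! 3. Verify after reconnecting: confirm the exemption is in the running config
!    and the session picked up the intended group policy and filter.
show running-config nat
show running-config access-list
show vpn-sessiondb remote
```

If the DHCP-assigned client addresses overlap the inside LAN range, the exemption ACL above must be adjusted to match the actual scope, since an overlapping range is itself a common cause of reachability problems.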