Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

First-time VPN setup, routing problem?

I am the network admin at a school district and we recently installed an ASA 5520 to replace our very old PIX (6+ years old). We were not using VPN on the old box because it was not an option but not that we can we'd like to set it up for users to connect remotely (strictly IT staff at this point).

I ran through the VPN Wizard in the ASDM and then went back and tweaked some settings in the tunnel/profile settings. I tried connecting from my house and it does connect properly and lets me login (authenticating against a back-end RADIUS server). I am receiving an IP address from our site DHCP server (not from a pool on the ASA). However, I am not able to reach anything past the ASA. My assumption was that when I connected I should appear to be inside the ASA, and everything should be visible just like I was attached to the local LAN. However, I can't ping anything beyond the ASA (and when I ping the inside interface of that, the response is from the outside address).

I did notice something odd when I ran ipconfig on my computer after connecting:

Ethernet adapter Local Area Connection 4:

Connection-specific DNS Suffix . : ourdomain.com

Description . . . . . . . . . . . : Cisco Systems VPN Adapter

Physical Address. . . . . . . . . : 00-00-00-00-00-00

Dhcp Enabled. . . . . . . . . . . : No

IP Address. . . . . . . . . . . . : 10.0.12.158

Subnet Mask . . . . . . . . . . . : 255.255.0.0

Default Gateway . . . . . . . . . : 10.0.12.158

DNS Servers . . . . . . . . . . . : 10.x.x.x 10.x.x.x

*note that some information was munged for security reasons.

The IP Address and the Default Gateway are the same. Maybe this is normal (I am new to VPN, after all) but the problem I'm having does behave like a routing problem. What did I overlook when I created the VPN? FYI, I configured it with the following setting:

Enable inbound IPSec sessions to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic.

Shouldn't this allow me to access any internal hosts after establishing the VPN connection?

Thanks in advance for your help!

1 REPLY
New Member

Re: First-time VPN setup, routing problem?

I think I figured out the problem - I did not add the exempt NAT entry to allow inside hosts to talk directly to VPN clients without NAT. I also did not create an access list for the VPN clients to allow them access to specific hosts. I set those both up and I'll try it again tonight.

Funny, the article on Cisco's website that I used didn't even mention those steps.

112
Views
0
Helpful
1
Replies