I am the network admin at a school district and we recently installed an ASA 5520 to replace our very old PIX (6+ years old). We were not using VPN on the old box because it was not an option, but now that we can, we'd like to set it up for users to connect remotely (strictly IT staff at this point).
I ran through the VPN Wizard in the ASDM and then went back and tweaked some settings in the tunnel/profile settings. I tried connecting from my house and it does connect properly and lets me log in (authenticating against a back-end RADIUS server). I am receiving an IP address from our site DHCP server (not from a pool on the ASA). However, I am not able to reach anything past the ASA. My assumption was that when I connected I should appear to be inside the ASA, and everything should be visible just as if I were attached to the local LAN. However, I can't ping anything beyond the ASA (and when I ping the inside interface, the response comes from the outside address).
I did notice something odd when I ran ipconfig on my computer after connecting:
*note that some information was munged for security reasons.
The IP Address and the Default Gateway are the same. Maybe this is normal (I am new to VPN, after all) but the problem I'm having does behave like a routing problem. What did I overlook when I created the VPN? FYI, I configured it with the following setting:
Enable inbound IPSec sessions to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic.
Shouldn't this allow me to access any internal hosts after establishing the VPN connection?
I think I figured out the problem - I did not add the exempt NAT entry to allow inside hosts to talk directly to VPN clients without NAT. I also did not create an access list for the VPN clients to allow them access to specific hosts. I set those both up and I'll try it again tonight.
Funny, the article on Cisco's website that I used didn't even mention those steps.
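For anyone hitting the same wall: the ASDM checkbox quoted above maps to `sysopt connection permit-vpn`, which only lets decrypted VPN traffic skip the interface ACLs. It does nothing about NAT, so inside hosts replying to a client still get translated on their way toward the outside interface, which is why the client sees the ASA's outside address answering for the inside interface. The following is an added example, not configuration from the original post or from the Cisco article it mentions. It shows the two pieces the poster added, NAT exemption and a group-policy filter, in both the pre-8.3 and 8.3+ NAT syntax. All addresses, object names and ACL names are assumptions: 10.0.0.0/16 stands for the school LAN and 10.0.200.0/24 for the range the site DHCP server hands to VPN clients (with an external DHCP server, exempt the whole range that server can assign, not just a single pool).

```cisco
! ---- ASA 8.2 and earlier (nat/global syntax) --------------------------------
! What the "bypass interface access lists" checkbox sets (already present here):
sysopt connection permit-vpn

! NAT exemption: traffic from the LAN to the VPN client range must NOT be
! translated, otherwise replies to clients are NATed toward the outside.
access-list NONAT extended permit ip 10.0.0.0 255.255.0.0 10.0.200.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Per-group filter. vpn-filter ACEs are written with the VPN client as the
! source and the inside resource as the destination; the ASA applies them to
! both directions of the flow. Here IT staff may reach two (assumed) servers
! and ping anything; all other traffic from the tunnel is dropped.
access-list ITSTAFF-FILTER extended permit tcp 10.0.200.0 255.255.255.0 host 10.0.1.10 eq 3389
access-list ITSTAFF-FILTER extended permit tcp 10.0.200.0 255.255.255.0 host 10.0.1.20 eq 22
access-list ITSTAFF-FILTER extended permit icmp 10.0.200.0 255.255.255.0 10.0.0.0 255.255.0.0
group-policy ITSTAFF internal
group-policy ITSTAFF attributes
 vpn-filter value ITSTAFF-FILTER
! attach the group policy to the tunnel group the wizard created (name assumed)
tunnel-group ITSTAFF-VPN general-attributes
 default-group-policy ITSTAFF

! ---- ASA 8.3 and later (object NAT / twice NAT syntax) ---------------------
! Same NAT exemption expressed as an identity twice-NAT rule. no-proxy-arp and
! route-lookup keep the ASA from answering ARP for, or mis-routing, the LAN.
object network INSIDE-NET
 subnet 10.0.0.0 255.255.0.0
object network VPN-CLIENTS
 subnet 10.0.200.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-CLIENTS VPN-CLIENTS no-proxy-arp route-lookup
! sysopt connection permit-vpn, the vpn-filter ACL and the group-policy
! lines above are unchanged in 8.3+.

! ---- Checks after reconnecting ----------------------------------------------
! show nat                        (8.3+: hit counters on the identity rule)
! show xlate | include 10.0.200.  (8.2: no translations should exist for clients)
! show vpn-sessiondb remote       (confirms which group policy and filter applied)
```

Two caveats: the identity NAT rule must sit above any dynamic `nat (inside,outside)` rule for the LAN, because the first matching rule wins; and `sysopt connection permit-vpn` is global, so the vpn-filter is the only thing limiting what an authenticated client can reach, which is why it is worth writing it tightly rather than as `permit ip any any`.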