I was scheduled onsite to configure a client-to-site VPN connection.
I of course used the wizard :( and I got confused in the last bit as my concepts were not very clear.
It is all to do with the "split tunneling" option and the NAT option.
Of course the VPN did work fine with xauth turned on pointing to the local database. But the issues experienced are as follows:
1) The VPN client could not ping any internal servers.
2) The DHCP pool, i.e. the subnet mask on the client, was defaulting to 255.0.0.0 and the IP address was from the correct vpn-pool range, i.e. 10.250.1.2 (the site admin would want the subnet mask to be 255.255.255.0).
3) The user could not access the internet without pointing to the office proxy server, neither could I access any home printers.
All the client tests were carried out from a different LAN which simulates a home network for all mobile users, i.e. an independent ISP cable line with a Linksys router installed.
Split tunneling tells the VPN client what internal network is on the other side of the tunnel.
e.g. If your internal network is 10.250.1.2 255.255.255.0, you would add that in your split tunnel definition in the GUI.
To correct your subnet mistake on the VPN pool, you will have to delete the VPN configuration and run the wizard again. Make sure to delete the Policy related to the Client to Site VPN, then delete the IPSEC rule.
Apply this, and it will then let you edit the VPN-Pool. Correct your subnet, and you can specify this pool in the wizard when you reconfigure the VPN.
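As an added illustration (not code from the thread or from the firewall vendor), the script below models the two points raised above: how a split-tunnel list decides which destinations enter the tunnel and which stay on the home LAN or go to the Internet, and how the 255.0.0.0 versus 255.255.255.0 mask changes what the client adapter believes is its directly attached network. The home-LAN and Internet addresses are constructed sample values; the 10.250.1.x pool is the one from the thread.

```python
"""Client-side routing model for an IPsec split-tunnel policy.

Added example: the split-tunnel entries and pool addresses come from the thread,
the 192.168.1.0/24 home LAN and 8.8.8.8 Internet host are constructed samples.
"""
import ipaddress


def split_tunnel_route(dest, split_networks):
    """Return 'tunnel' or 'local' for traffic to `dest`.

    `split_networks` is the list the head end pushes to the client: the internal
    networks that live on the far side of the tunnel. Anything not listed is sent
    out the client's own interface (Internet, home printers). An empty list models
    split tunneling disabled, where every destination is forced into the tunnel,
    which is why the user needed the office proxy to reach the Internet.
    """
    dest = ipaddress.ip_address(dest)
    if not split_networks:
        return "tunnel"
    if any(dest in ipaddress.ip_network(n) for n in split_networks):
        return "tunnel"
    return "local"


def pool_interface_network(client_ip, client_mask):
    """Return the network the VPN adapter claims as directly attached.

    With 255.0.0.0 on 10.250.1.2 the adapter claims all of 10.0.0.0/8;
    the intended 255.255.255.0 limits it to the 10.250.1.0/24 pool.
    """
    return ipaddress.ip_interface(f"{client_ip}/{client_mask}").network


def split_entries_covering(split_networks, home_lan):
    """Return split-tunnel entries that overlap the user's home LAN.

    A defender-side sanity check: an over-broad entry (e.g. a /8) would pull
    home-LAN traffic such as printer access into the tunnel.
    """
    home = ipaddress.ip_network(home_lan)
    return [n for n in split_networks if ipaddress.ip_network(n).overlaps(home)]


if __name__ == "__main__":
    internal = ["10.250.1.0/24"]
    for d in ("10.250.1.10", "192.168.1.20", "8.8.8.8"):
        print(d, "->", split_tunnel_route(d, internal))
    print(pool_interface_network("10.250.1.2", "255.0.0.0"))
    print(pool_interface_network("10.250.1.2", "255.255.255.0"))
    print(split_entries_covering(["192.0.0.0/8"], "192.168.1.0/24"))
```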