I used the wizard to set up my VPN. I'm sorry I'm not a Cisco guru by any means.
My current situation is that I can VPN in fine and ping my inside/internal LAN interface, but I cannot ping past it. I can't pass anything past it whatsoever.
I also noticed that I didn't receive a default gateway with my DHCP address on the client's Cisco VPN adapter. I manually added it though, and can fix that issue myself later.
The "VPNUser" group and user "longdrive" are how I'm authenticating. Please, any assistance is greatly appreciated; I'm not a NAT or ACL fan. I'm a Windows admin :)
I failed to mention that I could use the ASDM tool if that mattered whatsoever.
I'll add that statement when I get in tomorrow and get back to you.
'management-access inside' isn't for LAN access. That's for accessing the inside interface of the PIX/ASA over a VPN connection, nothing else.
He is probably better off trying 'sysopt connection permit-ipsec' or 'sysopt connection permit-vpn', depending on OS version.
And it looks like he already has the command 'management-access Internal'... that's why he's able to ping/ASDM to the inside interface over the VPN.
Make sure whatever hosts you're trying to connect to over the VPN are allowed over the VPN. If you can ping them over the VPN, they are probably allowed.
Do you have any ACLs on the inside/Internal interface? Make sure you're connecting to the right address in the VPN. Whether you specified an external or internal IP, it should be the same one that you are trying to connect to.
The only ACL is one I put on that is all services, permit any any.
I'm starting to go nuts. I can't ping anything other than the inside interface; nothing really seems to be working except the following:
- VMware VI Client console to a host I can't ping
I'm getting very confused :)
New config attached.
Re-add the command 'sysopt connection permit-ipsec'.
Take out the split tunneling from your group policy. It looks like you don't want to do split tunneling anyway, based on your tunnel ACL.
Are you actually using the crypto map applied to the inside interface?
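As an added illustration, not taken from the poster's attached config or the replier's own text, here is what those suggestions look like in ASA configuration syntax. The group-policy name VPNUser and the interface name Internal come from the thread; nothing else is assumed about the real device.

```cisco
! Added example, not the poster's running config.
! Names VPNUser and Internal are from the thread; treat the rest as placeholders.

! 1. Let decrypted VPN traffic bypass the interface ACL check.
!    Newer ASA images use "permit-vpn"; older PIX/ASA images use "permit-ipsec".
sysopt connection permit-vpn

! 2. Send all remote-client traffic through the tunnel instead of split tunneling,
!    which matches a tunnel ACL that already covers the whole inside network.
group-policy VPNUser attributes
 split-tunnel-policy tunnelall

! 3. management-access only permits ICMP/ASDM/HTTPS to the inside interface
!    itself over the VPN; it does not forward traffic to hosts behind it,
!    which is why the interface answers pings while the LAN does not.
management-access Internal
```

The split-tunnel-policy line only has an effect if the group policy was previously set to tunnelspecified with a split-tunnel ACL; tunnelall is the default when no policy is configured.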
My whole goal here is to get this VPN set up so I can build the rest of the network/servers remotely (VMware ESX server and MS Terminal Services). I'm not horribly concerned with the security yet, hence the wide-open ACL.
I'm actually back out of the office now and was just trying to tweak the VPN from my home. Needless to say I just broke it and I'll have to go back into the office to make it half work again. I'll add/remove those commands as soon as I can and repost the results.
Sorry about the delay here.
I've gotten back to the point of establishing a tunnel fine, using ASDM, web access to my inside interface, and pinging my inside interface... still NO traffic past the inside.
I've added the 'sysopt connection permit-ipsec' command, but it doesn't seem to show up in my show run.
Attached is the newest config.
I'm not going to touch it whatsoever without guidance now, no more guesswork for me.
So I wiped the entire device today, and here is the new config.
- Ping 2x ESX hosts consistently.
- Ping VM machines on the ESX hosts 1 time, then the rest time out (may be an ESX issue somehow, but I don't see it internally)
- Open ASDM web console
- Open ESX web console
- Ping VM machines more than once
- Use Terminal Services
- Pretty much everything
I would love assistance if anyone is still reading this thread at all. The config is brand new and should be pretty easy to weed through.