Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
348
Views
13
Helpful
5
Replies

VPN Configuration on ASA 5505 - Please Help

rickpmonson
Level 1
Level 1

‎07-05-2007 10:38 AM - edited ‎02-21-2020 03:08 PM

I'm stuck and really having a tough time figuring out the VPN configuration.

One of my friends was trying to help but he couldn't figure it out.

Details: He has the Cisco VPN Client and can connect to the ASA5505, I have the Windows Client (XP Home) and couldn't even connect (will try again tonight). When he connects, he said that he couldn't see any of our internal machines (Ping, etc). I have made a couple of changes today, and hope to try connecting again tonight.

The setup is just basic VPN, and the connecting machine should be able to access the entire internal office network.

I attached the latest configuration.

(Note: IP's have been changed and are bogus - to provide some mystery.)

Labels:
Preview file
8 KB
0 Helpful
5 Replies 5

acomiskey
Level 10
Level 10

‎07-05-2007 10:50 AM

1. Add "crypto isakmp nat-traversal"

2. Change your vpn client pool to it's own subnet. It should never be the same as a subnet on your inside network.

3. Change your nat exemption acl to reflect the new vpn client subnet.

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.x.0 255.255.255.0

rickpmonson
Level 1
Level 1
In response to acomiskey

‎07-05-2007 11:17 AM

First Thanks for taking a look.

I did the requested changes, but I had to remove the VPNPool from the Assigned Pools on the General Client Parameters to edit the pool. Should I move it back into the Assigned Pools?

Also I have included a new Running configuration (just so you can see the changes I made).

If it all looks ok, I will try tonight and be sure to return and follow-up on this discussion (about 5 hours from now).

Preview file
8 KB
0 Helpful

acomiskey
Level 10
Level 10
In response to rickpmonson

‎07-05-2007 11:23 AM

Yes, you would have to remote the pool from the tunnel-group attributes, change the pool, then add the pool back to the group...

tunnel-group SuperParasite general-attributes

address-pool VPNPool

Also, you can execute this statement as it is no longer needed...

no access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.100.192 255.255.255.224

rickpmonson
Level 1
Level 1
In response to acomiskey

‎07-05-2007 11:37 AM

Cool,

I have made the changes and flashed them. It looks great (even if I don't understand it all). Can't wait to try it out.

Either way, I will come back at let you know.

Thanks again

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents