I can connect to our VPN using VPN Client (IPSEC) and what I want to do is then access a link called "http://192.168.2.100/mrshproject" on our server. I can ping 192.168.2.100 when connected to the VPN, but when I try to go to this link, it says page cannot be displayed.
Any ideas? Thanks
Do you have an access-list statement that will allow http to the inside, or are they all on the same subnet? I am assuming that 192.168.2.100 is inside. The ASA is a little different beast than the VPN concentrators used to be and you need to check static non-connected routes, NAT address configuration and also access-lists. Remember that your endpoint is the outside interface, so you will have to tell the ASA that your address pool needs to access TCP port 80 on the inside. Hope this helps some.
Hey Dwane, thanks for the response. I don't know if I have http allowed to be accessed. How do I do that? Also I will check our address pool to see if it is allowing port 80 on the inside.
The 192.168.2.100 is on the inside. It is where our program is and where I want users to connect to.
Another thing that I didn't mention is that I created a VLAN with the IP address of 192.168.2.100. I'm not sure if that is right. Also, on the server where the program is, I set the IP address manually to 192.168.2.100 and the default gateway to the same. Not sure if that's right, but when I go to the link http://192.168.2.100/mrshproject on that server, I can access the program.
Any more help will be greatly appreciated!
And you can ping 192.168.2.100 from the VPN? The IP of the server should not be the same as the VLAN on the ASA. Change the IP of the server to something else in 192.168.2.x and keep the default gateway at 192.168.2.100.
You should not have to worry about an ACL entry to allow the traffic. I'm sure you have sysopt conn permit-vpn enabled.
Hello All, I posted previously but I have changed some things and thought it would be better to start new. We put in an ASA-5505 and we are able to connect to the firewall using a VPN Client. The problem comes into play when I try to access our program that is located on the server. Here is our set up:
- I have the original VLAN1 and VLAN2, that's it.
- The default of the ASA is 10.10.10.1
- Our address pools range from 10.10.20.10 to 10.10.20.50
- I set our server's IP address to 10.10.20.100 with the default gateway 10.10.10.1.
- If I try to access the server link on another INTERNAL computer, I can access the server and where I want my clients to go.
- If I try from home, I can connect with the VPN Client and it gives me an IP address of 10.10.20.10 (in the IP pool), but if I try to ping 10.10.20.100, it times out.
Should I change the server location to something else? If so, what range to where someone in that 10.10.20.10 - 10.10.20.50 range can access from the outside.
Thanks in advance for all your help. Much Appreciated!!
What are the masks of these 10. networks? Are they all in the same 10.0.0.0/8?
The VPN client subnet should not be the same as any other subnet inside your ASA.
The server is actually IP 10.10.10.100 with mask 255.255.255.0.
The IP pools clients use are set to 10.10.20.10 through 50 with the same subnet mask as above (255.255.255.0).
If that needs to be changed, what should it be?
Thanks in advance!
I changed them to different masks. I attached my config so you can take a better look at it. (Changing some ip addresses of course)
Thank You so much for the assistance!
P.S. - By looking at your name - are you a White Sox fan? If so I am right with yah!
Try adding this command:
nat (inside) 0 access-list mrsh_nat0_outbound
The server is in the 10.10.10.0/24 subnet right?
Yes, it is subnet /24.
I will have to try this command later because this is my part time job. I will go on my lunch and let you know if this worked.
Unless there is a way to access it from an external location, i.e. HyperTerminal?
Well, turns out you didn't need to change anything with the subnets. As long as they weren't the same, you're ok. But the change you made is ok too. Most likely when you changed the pool and the associated ACL, it removed the NAT exemption statement posted above.
Not really a White Sox fan, it's just my last name. Unfortunately I don't own any ballparks!
So my config I have attached to this forum is ok? And you're saying that the command "nat (inside) 0 access-list mrsh_nat0_outbound" should be entered and then it should work?
Yeah, it would be nice to own a ballpark, sorry about that.
I think so.
You could clean it up a little by removing these lines which are not in use...
no access-list inside_nat0_outbound extended permit ip host 188.8.131.52 10.10.10.0 255.255.255.240
no access-list Nat_vpn extended permit ip 10.10.20.0 255.255.255.192 any
no access-list outside_access_in extended permit ip any host 184.108.40.206
no access-list inside_access_in extended permit ip any any
no access-list inside_access_out extended permit tcp any any
no access-list inside-mrsh standard permit 10.10.10.0 255.255.255.0
no access-list PIM_ACCPTREG_ACL extended permit tcp interface outside interface inside eq www
no access-list outside_cryptomap_1 extended permit tcp interface outside interface
Cool! I will try that when I get a chance, then I will retry and post results.
Another quick question: Now when I connect to the VPN remotely, I lose internet connection. This never happened before and I don't know if I added or removed something I shouldn't have.
Thanks again. When all is solved I am rating your assistance a 100% ++++++!!!!
Your split tunnel appears to be set up properly except one line. "split-tunnel-policy tunnelspecified"
access-list DefaultRAGroup_splitTunnelAcl extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.192
group-policy DefaultRAGroup attributes
Looks ok. What do you have for routes in your VPN client under Status -> Statistics -> Route Details?
You should see 10.10.10.0/24 under secured routes.
This shouldn't make a difference but you could try...
no access-list DefaultRAGroup_splitTunnelAcl extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.192
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0
Split tunnel is still not working. Under "group-policy DefaultRAGroup attributes" you have "split-tunnel-policy tunnelall", which means do not split tunnel. You need to change that to "split-tunnel-policy tunnelspecified"
group-policy DefaultRAGroup attributes
dns-server value 220.127.116.11 18.104.22.168
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
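For reference, here is the whole remote-access piece pulled together the way the thread ends up recommending it: a client pool that does not overlap the inside subnet, the NAT exemption (`nat (inside) 0`) for inside-to-pool traffic, a standard split-tunnel ACL, and `tunnelspecified` so remote users keep their own Internet access. This is an added example written for this page, not the poster's attached config; the interface, pool, ACL and group names and the 10.10.20.0/26 pool mask are assumptions based on the posts, and the syntax is the pre-8.3 ASA form that the `nat (inside) 0 access-list` command in the thread implies.

```cisco
! Added example (not the config attached to the thread). Names and the
! 10.10.20.0/26 pool mask are assumptions; pre-8.3 ASA syntax.

! Inside subnet 10.10.10.0/24 -- server at 10.10.10.100, gateway 10.10.10.1
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0

! VPN client pool on its own subnet; it must not overlap any inside subnet
ip local pool mrsh_pool 10.10.20.10-10.10.20.50 mask 255.255.255.192

! NAT exemption: traffic from inside to the client pool must bypass NAT,
! otherwise replies from 10.10.10.100 never reach 10.10.20.x clients
access-list mrsh_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.192
nat (inside) 0 access-list mrsh_nat0_outbound

! Split tunnel: a STANDARD ACL listing only the network(s) to send through
! the tunnel (no "ip" keyword, no destination in a standard ACL)
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0

! tunnelall sends everything (including Internet traffic) into the tunnel,
! which is what made the remote user lose Internet; tunnelspecified sends
! only what the split-tunnel ACL lists
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl

tunnel-group DefaultRAGroup general-attributes
 address-pool mrsh_pool
 default-group-policy DefaultRAGroup

! Decrypted VPN traffic bypasses the interface ACLs (default, as noted above)
sysopt connection permit-vpn
```

Two checks after applying it: on the client, Status -> Statistics -> Route Details should list 10.10.10.0/24 as a secured route and nothing else; on the ASA, `show run nat` should still show the `nat (inside) 0 access-list mrsh_nat0_outbound` line, since the thread shows that regenerating the pool ACL from the GUI can silently drop it. If the server's web page still does not load after ping works, the remaining suspect is the server's own default gateway, which has to be the ASA inside address (10.10.10.1) so that replies to the pool addresses go back through the firewall.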