01-19-2009 05:00 AM - edited 02-21-2020 03:13 AM
Attached is the config for Cisco ASA. The VPN doesn't work. Please let me know what's wrong with this one. Also, if anyone has a sample config, please send it over.
Thanks
Amit
01-20-2009 10:30 AM
Nope, as soon as you enable the crypto map, traffic will be processed by the ASA.
01-20-2009 04:10 PM
I can connect to the VPN and also get a valid IP. I can ping the inside of the ASA but can't ping or get to the machines on the network. Also, it looks like split tunneling doesn't work, as my internet connection stops working as soon as I connect to the VPN.
01-20-2009 04:34 PM
Please post the last config from your ASA.
01-20-2009 05:11 PM
01-20-2009 05:27 PM
Ok, go ahead and add the next:
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list MooreVPN_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
and type:
no access-list MooreVPN_splitTunnelAcl standard permit any
no access-list port500 extended permit udp interface Outside eq isakmp interface inside
no access-list port4500 extended permit udp interface Outside eq 4500 interface inside
Remove this line from the group-policy MooreVPN:
no split-tunnel-network-list value port500
And change it to:
split-tunnel-network-list value MooreVPN_splitTunnelAcl
Also, your access list to allow RDP into your network is not right; change it from:
access-list outside_access_in extended permit tcp any eq 3389 host 10.1.1.10 eq 3389
to
access-list outside_access_in extended permit tcp any host 10.1.1.10 eq 3389
Pretty much your config should look like the attached one.
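The two access-list corrections in the answer above, turned into a small offline config check. This is an added example, not part of the thread: the function names and finding labels are hypothetical, and the sample lines are constructed from the entries quoted in the thread.

```python
# Constructed sample: the before/after ACL entries quoted in the thread.
SAMPLE = """\
access-list outside_access_in extended permit tcp any eq 3389 host 10.1.1.10 eq 3389
access-list outside_access_in extended permit tcp any host 10.1.1.10 eq 3389
access-list MooreVPN_splitTunnelAcl standard permit any
access-list MooreVPN_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
"""

# Port operators and the number of arguments each one takes.
PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}

def take_addr(tok, i):
    """Skip one address spec starting at tok[i]; return the index after it."""
    if tok[i] in ("any", "any4", "any6"):
        return i + 1
    return i + 2  # "host A", "interface NAME", or "NETWORK MASK"

def take_port(tok, i):
    """Read an optional port operator at tok[i]; return (spec or None, next index)."""
    if i < len(tok) and tok[i] in PORT_OPS:
        n = PORT_OPS[tok[i]] + 1
        return " ".join(tok[i:i + n]), i + n
    return None, i

def lint(config):
    """Return (line number, finding) pairs for the two mistakes fixed in the thread."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        if tok[2] == "standard" and tok[3:5] == ["permit", "any"]:
            # Like the split-tunnel entry the answer removes.
            findings.append((n, "standard-permit-any"))
        elif (len(tok) >= 7 and tok[2] == "extended" and tok[3] == "permit"
              and tok[4] in ("tcp", "udp")):
            i = take_addr(tok, 5)
            src_port, _ = take_port(tok, i)
            if src_port:
                # A port operator right after the source address matches the
                # client's source port, which is ephemeral for RDP clients.
                findings.append((n, "source-port-match: " + src_port))
    return findings

if __name__ == "__main__":
    for lineno, finding in lint(SAMPLE):
        print(lineno, finding)
```
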
01-20-2009 06:00 PM
Thanks a lot. The VPN works now and I can access the machines inside the network.
I couldn't RDP to the server even after adding the access-list.
Thanks
01-21-2009 06:02 AM
What I am trying to do is NAT one of the public IPs to 10.1.1.10, which is one of the servers, so that I can RDP to it.
So I am using x.x.139.162 to translate to 10.1.1.10.
01-21-2009 07:41 AM
Yes, you need a static translation. I am glad to hear that the VPN works now.
01-21-2009 07:46 AM
I added these lines for natting:
static (inside,outside) x.x.139.162 10.1.1.10 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host x.x.139.162 eq 3389
access-group outside_access_in in interface Outside
Still it doesn't work.
01-21-2009 07:54 AM
Can you paste the "show conn" when you are trying as well as the logs that you see when trying as well?
01-21-2009 08:08 AM
I tried again and it's working now. As I was trying to get the sh conn results, it started working.
Thanks a lot for all your prompt help.
01-21-2009 08:11 AM
Glad it all works fine, please be sure to rate this post