VPN on Cisco ASA doesnt work

amit
Level 1

Attached is the config for Cisco ASA. The VPN doesn't work. Please let me know what's wrong with this one. Also, if anyone has a sample config, please send it over.

Thanks

Amit

26 Replies

Nope, as soon as you enable the crypto map, traffic will be processed by the ASA.

I can connect to the VPN and also get a valid IP. I can ping the inside of the ASA but can't ping or get to the machines on the network. Also, it looks like split tunneling doesn't work, as my internet connection stops working as soon as I connect to the VPN.

Please post the last config from your ASA.

Attached is the updated config.

Thanks

Ok, go ahead and add the next:

access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0

nat (inside) 0 access-list nonat

access-list MooreVPN_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0

and type:

no access-list MooreVPN_splitTunnelAcl standard permit any

no access-list port500 extended permit udp interface Outside eq isakmp interface inside

no access-list port4500 extended permit udp interface Outside eq 4500 interface inside

Remove this line from the group-policy MooreVPN:

no split-tunnel-network-list value port500

And change it to:

split-tunnel-network-list value MooreVPN_splitTunnelAcl

Also, your access list to allow RDP into your network, is not right, change it from:

access-list outside_access_in extended permit tcp any eq 3389 host 10.1.1.10 eq 3389

to

access-list outside_access_in extended permit tcp any host 10.1.1.10 eq 3389

Pretty much your config should look like the attached one.
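The two ACL mistakes corrected in this answer (an RDP rule that also matches on source port 3389, and a split-tunnel list of "permit any") are easy to spot with a small linter. This is an added example, not part of the thread or of any Cisco tool; it parses a constructed set of ASA access-list lines modelled on the ones above and flags both patterns.

```python
import re

# Constructed sample ACEs, modelled on the lines quoted in this thread (not the poster's config).
SAMPLE_ACL = """
access-list outside_access_in extended permit tcp any eq 3389 host 10.1.1.10 eq 3389
access-list outside_access_in extended permit tcp any host 10.1.1.10 eq 3389
access-list MooreVPN_splitTunnelAcl standard permit any
access-list MooreVPN_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _take_address(tokens):
    """Consume one ASA address specifier (any | host A | A MASK); return the remaining tokens."""
    if tokens and tokens[0] == "any":
        return tokens[1:]
    if len(tokens) >= 2 and tokens[0] == "host":
        return tokens[2:]
    if len(tokens) >= 2 and IPV4.match(tokens[0]) and IPV4.match(tokens[1]):
        return tokens[2:]
    raise ValueError(f"unrecognised address specifier: {tokens[:2]}")


def _take_port(tokens):
    """Consume an optional port operator (eq/neq/gt/lt PORT | range LOW HIGH)."""
    if tokens and tokens[0] in ("eq", "neq", "gt", "lt"):
        return tokens[:2], tokens[2:]
    if tokens and tokens[0] == "range":
        return tokens[:3], tokens[3:]
    return None, tokens


def lint_ace(line):
    """Return a finding for one access-list line, or None if nothing looks wrong."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list":
        return None
    name, kind = tok[1], tok[2]
    if kind == "standard":
        # As a split-tunnel list, 'permit any' pushes all client traffic into the tunnel.
        if tok[3] == "permit" and tok[4] == "any":
            return f"{name}: 'permit any' in a standard ACL defeats split tunneling"
        return None
    if kind == "extended" and tok[4] in ("tcp", "udp"):
        try:
            rest = _take_address(tok[5:])      # source address
        except ValueError:
            return None                        # object-groups etc. are out of scope here
        src_port, _ = _take_port(rest)         # a port right after the source is a source-port match
        if src_port is not None:
            return f"{name}: source-port match '{' '.join(src_port)}' never matches clients on ephemeral ports"
    return None


def lint_acl(text):
    """Lint every line of an ASA access-list dump and return the list of findings."""
    return [f for f in (lint_ace(l) for l in text.strip().splitlines()) if f]
```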

Thanks a lot. The VPN works now and I can access the machines inside the network.

I couldn't RDP to the server even after adding the access-list.

Thanks

What I am trying to do is NAT one of the public IP to 10.1.1.10 which is one of the servers, so that I can RDP to it.

So I am using x.x.139.162 to translate to 10.1.1.10.

Yes, you need a static translation. I am glad to hear that the VPN works now.

I added these lines for natting

static (inside,outside) x.x.139.162 10.1.1.10 netmask 255.255.255.255

access-list outside_access_in extended permit tcp any host x.x.139.162 eq 3389

access-group outside_access_in in interface Outside

Still, it doesn't work.

Can you paste the "show conn" when you are trying as well as the logs that you see when trying as well?

I tried again and it's working now. As I was trying to get the sh conn results, it started working.

Thanks a lot for all your prompt help.

Glad it all works fine, please be sure to rate this post.
