Your config looks good. What is the error message you get on your client? Your outside shows a private IP address; are you using NAT in front? Have you opened the needed ports? Can you send the client log or the ASA debugs?
Port UDP 500, port UDP 4500 and protocol ESP need to be opened. Also, after adding these, go ahead and enable the next command: "crypto isakmp nat-t"
Those ports need to be opened, yes, but not on the firewall that you have; rather, on the router that is in front providing NAT (if any). That command enables encryption over UDP 4500 to alleviate NAT environments.
I saw you opened those ports on the ASA by adding an ACL. The ASA does not need to have this opened, since this guy will accept VPN client connections by enabling the following commands: "crypto isakmp enable outside" and "crypto map XXXX interface outside", which... now that I look again at your config, you don't have.
Please go ahead and add this line to your ASA:
crypto map outside_map interface outside
And try to connect again.
Do you think I need to make any more changes to the config? Could you please check the config again? Why I am saying this is because I have to go to the client side to do this, and if it doesn't work then I will have to wait again for your response and then go again.
Thanks for all your help.
Understood, you can go ahead and remove these:
access-list port500 extended permit udp interface Outside eq isakmp interface in
access-list port4500 extended permit udp interface Outside eq 4500 interface ins
Add those commands that I mentioned to you, and please check the following line:
route Outside 0.0.0.0 0.0.0.0 10.1.10.1 1
This does not make sense for the addressing scheme on the outside interface; just let me know if this was edited for privacy matters.
No, this is how it is. It wasn't edited for privacy matters. But if I remove this route, I cannot get out to the internet. This is the IP of the Comcast router.
I can connect to the VPN and also get a valid IP. I can ping the inside of the ASA but can't ping or get to the machines on the network. Also, it looks like split tunneling doesn't work, as my internet connection stops working as soon as I connect to the VPN.
Ok, go ahead and add the next:
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list MooreVPN_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
no access-list MooreVPN_splitTunnelAcl standard permit any
no access-list port500 extended permit udp interface Outside eq isakmp interface inside
no access-list port4500 extended permit udp interface Outside eq 4500 interface inside
Remove this line from the group-policy MooreVPN:
no split-tunnel-network-list value port500
And change it to:
split-tunnel-network-list value MooreVPN_splitTunnelAcl
Also, your access list to allow RDP into your network is not right. Change it from:
access-list outside_access_in extended permit tcp any eq 3389 host 10.1.1.10 eq 3389
to:
access-list outside_access_in extended permit tcp any host 10.1.1.10 eq 3389
Pretty much your config should look like the attached one.
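As an added example (not from the thread or from Cisco), a small Python checker for the two access-list mistakes corrected in the reply above: an inbound RDP rule that also pins the client's source port, and a split-tunnel list that permits any. The parser only handles the ASA ACL forms that appear in this thread (any / host / interface / network mask, with optional eq ports).

```python
"""Lint Cisco ASA access-list lines for the two mistakes fixed in the thread above."""


def _take_addr(tok, i):
    """Consume one ASA address spec starting at tok[i]; return (text, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    # 'host A.B.C.D', 'interface NAME' and 'A.B.C.D MASK' are all two tokens
    return f"{tok[i]} {tok[i + 1]}", i + 2


def _take_port(tok, i):
    """Consume an optional 'eq PORT' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return tok[i + 1], i + 2
    return None, i


def parse_extended_acl(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]'."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"not an extended ACL: {line!r}")
    src, i = _take_addr(tok, 5)
    sport, i = _take_port(tok, i)
    dst, i = _take_addr(tok, i)
    dport, i = _take_port(tok, i)
    return {"name": tok[1], "action": tok[3], "proto": tok[4],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def lint_rdp_rule(line):
    """Flag a TCP/3389 permit that fixes the source port; clients use ephemeral ports,
    so 'any eq 3389' never matches a real RDP client. Returns a message or None."""
    r = parse_extended_acl(line)
    if r["proto"] == "tcp" and r["dport"] == "3389" and r["sport"] is not None:
        return f"{r['name']}: drop 'eq {r['sport']}' after the source; only the destination port is fixed"
    return None


def lint_split_tunnel(line):
    """Check a split-tunnel list: must be a standard ACL naming the inside network,
    since 'permit any' sends all traffic, including internet, through the tunnel."""
    tok = line.split()
    if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "standard":
        return "split-tunnel-network-list should reference a standard ACL"
    if tok[4] == "any":
        return f"{tok[1]}: 'permit any' tunnels everything; permit the inside network instead"
    return None
```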
Thanks a lot. The VPN works now and I can access the machines inside the network.
I couldn't RDP to the server even after adding the access-list.
What I am trying to do is NAT one of the public IP to 10.1.1.10 which is one of the servers, so that I can RDP to it.
So I am using x.x.139.162 to translate to 10.1.1.10.
I added these lines for NATting:
static (inside,outside) x.x.139.162 10.1.1.10 netmask 255.255.255.255
access-list outside_access_in extended permit tcp any host x.x.139.162 eq 3389
access-group outside_access_in in interface Outside
Still it doesn't work.