Cisco Support Community

Access Remote VPN clients

Hello,

I have set up Remote IPSec VPN and it is working just fine. I need to access the connected VPN clients and it is not working. I have already added an entry to the nonat ACL allowing traffic from inside my network to the VPN Network.

More info:

Inside net: 10.1.1.0/24

VPN Pool: 172.30.1.0/24

Is it possible to have access originating from my internal net to the VPN users?

Thanks in advance.

Best regards.

Marcelo

VPN Users have access to certain servers thru Split Tunnel list.


4 REPLIES

Re: Access Remote VPN clients

Marcelo, have you tested basic connectivity? Are you able to ping any of the connected VPN clients' IP addresses? What services do you need to reach on those VPN clients?


Re: Access Remote VPN clients

Hi,

VPN users can access their resources normally. For instance, one specific group can access the Oracle application and some internal web servers. I have created an extended ACL and applied it to the split-tunnel parameter inside the group policy.

I am not able to ping any connected client. I just need to access the remote machines thru VNC connection so our help desk team can provide technical support.

More info:

group-policy GP_Example attributes
 dns-server value 10.1.30.200
 vpn-simultaneous-logins 1
 vpn-idle-timeout 15
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
 group-lock value TG_Example
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnExample

All other values are inherited from the DefaultGrpPolicy, which has nothing explicitly set except vpn-simultaneous-logins 0.

Here is the vpnExample ACL:

access-list vpnExample extended permit udp host srv-domain eq domain 10.1.240.0 255.255.255.0
access-list vpnExample extended permit udp host srv2-domain eq domain 10.1.240.0 255.255.255.0
access-list vpnExample extended permit tcp host someinternalweb eq www 10.1.240.0 255.255.255.0
access-list vpnExample extended permit tcp host sqlServer eq 1433 10.1.240.0 255.255.255.0
access-list vpnExample extended permit tcp host appserver-int eq 8000 10.1.240.0 255.255.255.0

Where 10.1.240.0 is the pool associated with this specific tunnel-group.

Thank you for your help.

Rgs.

Marcelo

Re: Access Remote VPN clients (Accepted Solution)

Marcelo,

The split tunnel ACL should be an IP ACL; it is neither recommended nor supported to define TCP ports on the split tunnel ACL. The VPN client will only interpret this ACL as full IP rather than TCP ports, and this could be causing you an issue. You might want to change your config to reflect this. As for the split tunnel ACL, it should contain the range of servers/networks that these VPN clients should reach; let me remind you this is bidirectional, as you may know.

So if the IT support IP range is on this vpnExample ACL, the VPN clients will be able to reach the IT support guys and vice versa.

I would advise you to change your split tunnel ACL from specific ports to only the desired servers and hosts these clients need to reach.

Remove the ports from this split tunnel ACL.

If you need to restrict services for those VPN clients, use VPN filters instead.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
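A worked configuration that puts the advice above side by side with the ACL posted earlier in the thread. It is an added example, not part of this thread or of Cisco's documentation. It assumes pre-8.3 ASA NAT syntax (nat 0 with an ACL), that the help-desk workstations sit in the 10.1.1.0/24 inside network from the first post, and that VNC listens on TCP 5900 on the clients; the ACL names vpnExample-ip and vpnFilterExample are placeholders, and the vpn-filter entries follow Cisco's convention of writing the ACL with the VPN client as the source.

```cisco
! Added example (not from the thread). Placeholders: vpnExample-ip, vpnFilterExample,
! help-desk subnet 10.1.1.0/24, VNC on TCP 5900. Pre-8.3 NAT syntax assumed.

! BEFORE (as posted): ports inside the split-tunnel ACL. The client only uses this
! list to decide which destinations to send into the tunnel, so "eq www" is ignored
! and the extra qualifiers only cause confusing behaviour.
access-list vpnExample extended permit tcp host someinternalweb eq www 10.1.240.0 255.255.255.0

! AFTER: an IP-only (standard) split-tunnel list. Hosts and networks only, no ports.
! Including the help-desk subnet is what lets the help desk reach the clients,
! because the tunnel is bidirectional for every entry in this list.
access-list vpnExample-ip standard permit host srv-domain
access-list vpnExample-ip standard permit host srv2-domain
access-list vpnExample-ip standard permit host someinternalweb
access-list vpnExample-ip standard permit host sqlServer
access-list vpnExample-ip standard permit host appserver-int
access-list vpnExample-ip standard permit 10.1.1.0 255.255.255.0

! Service restriction moves to a vpn-filter. The VPN pool is always the source.
access-list vpnFilterExample extended permit udp 10.1.240.0 255.255.255.0 host srv-domain eq domain
access-list vpnFilterExample extended permit udp 10.1.240.0 255.255.255.0 host srv2-domain eq domain
access-list vpnFilterExample extended permit tcp 10.1.240.0 255.255.255.0 host someinternalweb eq www
access-list vpnFilterExample extended permit tcp 10.1.240.0 255.255.255.0 host sqlServer eq 1433
access-list vpnFilterExample extended permit tcp 10.1.240.0 255.255.255.0 host appserver-int eq 8000
! Help-desk-initiated VNC: the client is still the source, so 5900 is its source port.
access-list vpnFilterExample extended permit tcp 10.1.240.0 255.255.255.0 eq 5900 10.1.1.0 255.255.255.0

group-policy GP_Example attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpnExample-ip
 vpn-filter value vpnFilterExample

! NAT exemption so inside-to-pool traffic is not translated (pre-8.3 syntax).
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.240.0 255.255.255.0
nat (inside) 0 access-list nonat
```

With this split, the split-tunnel list answers only "which destinations go through the tunnel", and the vpn-filter answers "which services are allowed once they do", which is also where the help-desk-only VNC access can be verified with show access-list vpnFilterExample and the hit counts on each ACE.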


Re: Access Remote VPN clients

Thank you Ivan for your time and attention.

One thing just for the record: the old PIX would not allow you to apply an extended ACL to a split-tunnel config. The ASA does allow it, and it does filter the traffic at the split tunnel; however, it causes some other issues.

Thank you once more.
