We have an ASA 5505 that we are currently trying to set up for remote access VPN so staff and some volunteers (especially computer volunteers) don't have to drive in to the office to do network things.
We ran the 'wizard' (not extremely helpful), then I found the spots in ASDM to set up the authentication and other settings to get the system to work with our setup. Now we can connect via VPN and access the ASA, but not any of the internal machines.
My guess based on the evidence is that our problem is related to the ASA blocking the relevant ports/protocols/services (RDP, CIFS, etc.). Since there's no separate entry for VPN in the firewall rulesets, the VPN must be on the full internal network, which leads me to suspect the problem is with the page setting in the "remote access VPN wizard" titled "Specifying Address Translation Exception and Split Tunneling", where you set NAT settings for the VPN section of the network.
I have been over all of the settings on the ASDM menu (I think), and can't find where you modify this setting after running the wizard. I don't want to run the wizard again and mess up all the other settings I've had to modify.
Is this likely the problem? How do I change this setting without re-running the wizard?
We're running ASA software version 8.2-2 and ASDM 6.3-1. I can connect to the console if necessary (haven't straightened out why the SSL access isn't working yet, probably something with TeraTerm). I've already used the console to straighten out things that haven't been handled right by ASDM once...
You are correct that NAT indeed could be the problem. As mentioned, you will need a NAT exemption configured for traffic from your local network to the POOL of IPs for the VPN clients. Below is a doc for configuration using ASDM:
Though this is for ASDM 6.2, I am thinking that configuring NAT exemption should be relatively the same. You will need to specify the original interface as your local network interface, the real address as the local network and the destination address as the pool of IPs. Hope this helps.
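The NAT exemption described in the answer above, as an added CLI example for the ASA 8.2 syntax the question mentions (not the answer author's configuration; the ASDM path is Configuration > Firewall > NAT Rules > Add > Add NAT Exempt Rule). The inside subnet 192.168.1.0/24, the VPN pool 10.10.10.0/24 and the names VPN_POOL and NONAT are assumed placeholders; the pool must not overlap the inside subnet, and the example relies on the default `sysopt connection permit-vpn`, which lets decrypted VPN traffic bypass the interface ACLs.

```text
! Address pool handed to remote-access clients (assumed range)
ip local pool VPN_POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

! Identity (NAT 0) ACL: inside subnet -> VPN pool must not be translated
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Verify: the return packet from an inside host to a VPN client should
! show "NAT exempt" in the NAT phase and an ALLOW result
packet-tracer input inside tcp 192.168.1.10 3389 10.10.10.5 3389

! Review the resulting NAT and pool configuration
show running-config nat
show running-config ip local pool
```

If `packet-tracer` reports the packet being translated by a `nat (inside) 1` or `global` rule instead of NAT exempt, the NONAT ACL does not match the pool actually assigned to the clients, which is exactly what happens when the pool is changed after the wizard has run.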
Thanks for the reply - it turned out that NAT was indeed the issue. After the initial wizard setup the DHCP server was changed so VPN clients would request their IPs from the network DHCP/DNS server, and the change in the VPN address block was confusing the ASA. After trying to modify the routes and the DHCP server (which was impractical - figuring out how to issue a limited block of IPs to VPN clients over a tunnel interface, i.e. no fixed MAC), we wound up dropping the single DHCP server (which means VPN clients won't be registered with the DNS, a little less useful, but not a big deal) and it started working fine.