New install - IPSec VPN connects, however, VPN users can not access local LAN or Lnternet resources.
See router and firewall config attach.
Suggestion are much appreciated.
Note: IPAddress have been modified for security.
Scroll down toward bottom of the page you will find a thread that I posted regarding the same issues. Good luck.
thx for sharing - Split_tunnel was indeed setup and users can connect just ~ they just can't ping anywhere or access any resources.
Its a collapsed network design - Meaning the CORE does everything and the ASA hang off the CORE.
Hi, thank you for your comments [much appreciated] However, what does the above command do [provide]?
Do you have any URLs for additional reading.
This commands makes it possible to establish an IPSEC VPN tunnel from the clients, which are behind a device that applies NAT, like most of the routers/modems at home or busines apply, for public IP. Since port numbers and IP addresses are not stable and dynamically built in translation table in Network Address Translation, this creates some incmopability issues with IPSEC. NAT-T lets the original source to be exchanged and this bypasses the possible incompatibilities.
Here is a more technical explaination
Very Interesting - i will try that command - Were you able to review the config that I posted?
Temperary, it got it to work without using any additional commands but I had to place the VPN pool on the inside interface of the firewall uplink [in other words - the firewall inside interface resides on 172.16.50.x and and the VPN pool resides on 172.16.80.x]
Its the only way i was able to get VPN user to access local resources and the internet - although the current solution does compromise the design b/c I had to place the VPN pool on inside ip range assigned to the inside interface of the firewall which connects directly to the CORE infrastructure.
Toplogy Layout: Collapse CORE/DISTRIBUTION DESIGN
FW1 [inside] --> CORE1
FW1 [outside] --> CORE1 [ISP]
I'm not sure if the NAT TRAVERSAL command would be the solution but i'm open to trying all new recommendation since the environment has not yet went live.
"Were you able to review the config that I posted"
After we cover the basics, I will review it. But NAT-T should resolve the issue.
Nope - split-tunnel was enabled already - none of the recommendation have worked. I going to chg the design of the infrastructure [routing] just to get this to work.
I will post my solution over the next day or two when i get it working. All work if the VPN pools remains attached to the inside network of the firewall but when I place the vpn pool on another network - all breaks so it forces me to think that its a routing issue b/c the vpn works when the pool remains on the network range of the inside interface.
Please try this command
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route