Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Remote Access VPN question

It's been a while since I've touched IOS and I'm apparently very rusty.  I attempted to setup a remote access VPN and am able to get it to the point where it connects.  Unfortunately, once connected, I can't ping or RDP to any of the workstations on the network.  Can someone please take a quick look at my config file and tell me where I went wrong?  I think I'm probably missing an access list or something.  Thanks

Important info..

internal network - 192.168.1.0/24

vpn ip address pool - 192.168.3.20-50

vpn tunnel group - Test-Remote

ASA Version 7.2(2)

!

hostname ciscoasa

domain-name test.local

enable password 9hD9oB3Vwt/w0k1P encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

ospf cost 10

!

interface Vlan2

description Optonline

nameif outside

security-level 0

ip address (removed for security) 255.255.255.248

ospf cost 10

!

interface Vlan3

no nameif

security-level 50

no ip address

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

dns server-group DefaultDNS

domain-name test.local

object-group network MX_Logic

network-object 208.65.144.0 255.255.248.0

network-object 208.81.64.0 255.255.252.0

access-list Test_Remote_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.3.0 255.255.255.192

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.25.0 255.255.255.224

access-list outside_access_in extended permit tcp any host (removed for security) eq 3389

access-list outside_access_in extended permit tcp any host (removed for security) eq 631

access-list outside_access_in extended permit tcp any host (removed for security) eq smtp

access-list outside_access_in extended permit tcp any host (removed for security) eq https

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

ip local pool TestVPN 192.168.3.20-192.168.3.50 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp (removed for security) https 192.168.1.10 https netmask 255.255.255.255

static (inside,outside) tcp (removed for security) 3389 192.168.1.10 3389 netmask 255.255.255.255

static (inside,outside) tcp (removed for security) smtp 192.168.1.10 smtp netmask 255.255.255.255

static (inside,outside) tcp (removed for security) 631 192.168.1.10 631 netmask 255.255.255.255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 (removed for security) 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

group-policy Test_Remote internal

group-policy Test_Remote attributes

dns-server value 192.168.1.30

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Test_Remote_splitTunnelAcl

default-domain value Test.local

username testuser password Djkrx0kiDkIn78Sp encrypted privilege 15

username testuser attributes

vpn-group-policy Test_Remote

username adminuser password jSaEJrOQZg2G4mM5 encrypted privilege 15

aaa authentication telnet console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group Test_Remote type ipsec-ra

tunnel-group Test_Remote general-attributes

address-pool TestVPN

default-group-policy Test_Remote

tunnel-group Test_Remote ipsec-attributes

pre-shared-key *

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:932a738e403b38d79fda517664e39980

: end

452
Views
0
Helpful
0
Replies
CreatePlease to create content