VPN ping application issue

rhopkins_rcps (Level 1)

I have set up a VPN for vendor access to HVAC equipment.

The profile is RCPS_Vendor

DHCP pool is RCPS_Vendor

Terminated on the Outside interface.

These are the steps I took:

remote access, outside->psk(password), name RCPS_Vendors->local authen->Hoff_Vendor(password)->RCPS_Vendors 192.168.10.2-192.168.10.128->10.1.252.101/103->3DES SHA 2->3DES SHA->10.0.0.0/8 en split tunnel

from: http://www.cisco.com/en/US/docs/security/asa/asa71/getting_started/asa5500/quick/guide/rem_acc.html

The issue is that the vendor needs to ping the internal units, and his program will not connect to them.

Modified config attached.

Thanks in advance.


4 Replies

slmansfield (Level 4)

Just wondering if you verified that you have network reachability between your internal hosts and the ranges of address pools assigned to your VPN clients.

The address pool for RCPS_Vendors is in the 192.168.10.x range, which does not have a specific static route on the ASA so it is using your default route, which points outside to 192.175.57.1.

You wondered right; I just tested and I can't access anything inside.

OK, so to get RCPS_Vendors going, would I put "route inside 192.168.10.0 0.0.0.255 10.200.1.3"? Do I need to create an ACL for ping traffic?

Thanks for the quick response.

Accepted solution:

If all of the internal units are one hop away from the ASA, then you could put that static route on each of those units. That would point them to the inside interface on the ASA. The ASA would use its default route to send traffic back to the VPN clients.

If the internal units are further inside your network and you are using a dynamic routing protocol, you can redistribute the static route to 192.168.10.0/24 on the next hop router (from the ASA) inside your network so that the default gateways of the internal units know where to send traffic destined for 192.168.10.0/24.

Since your remote clients are sending traffic through VPN tunnels, I don't believe you need to add an ACL on the ASA to allow specific traffic from the VPN clients to the internal units.
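The return-route fix described in the accepted answer, written out as an added example (not configuration from this thread or from the Cisco guide the poster linked). The thread gives only the client pool 192.168.10.0/24, the inside next hop 10.200.1.3 and the 10.0.0.0/8 split-tunnel network; the ASA inside address 10.200.1.1, the OSPF process number, the HVAC unit address 10.1.20.15 and the sample client address 192.168.10.10 are assumptions for illustration.

```cisco
! ---- Inside next-hop router (assumed IOS router at 10.200.1.3), NOT the ASA ----
! The ASA already knows the pool (it is reached through the tunnel); what is
! missing is the path back. Point the pool at the ASA inside interface
! (10.200.1.1 is an assumed address).
ip route 192.168.10.0 255.255.255.0 10.200.1.1
!
! If the HVAC units sit deeper in the network, advertise that static route to
! their default gateways instead of editing each unit (OSPF process 1 assumed).
router ospf 1
 redistribute static subnets
!
! ---- ASA verification (exec commands, not configuration) ----
! A packet entering "inside" from a unit and destined for the pool must be
! forwarded into the tunnel, not out the default route toward 192.175.57.1.
!   show route
!   packet-tracer input inside icmp 10.1.20.15 8 0 192.168.10.10 detailed
!
! ---- ASA: limiting what the vendor can reach ----
! No interface ACL is needed for decrypted VPN traffic because
! "sysopt connection permit-vpn" is on by default. The split tunnel in the
! post therefore exposes all of 10.0.0.0/8 to the vendor; a vpn-filter on the
! group policy (source = client pool, destination = inside host) narrows that
! to the HVAC unit. Add the vendor program's own port the same way.
access-list VENDOR_FILTER extended permit icmp 192.168.10.0 255.255.255.0 host 10.1.20.15
!
group-policy RCPS_Vendors attributes
 vpn-filter value VENDOR_FILTER
```

Two checks before relying on this: the pool must not overlap any subnet already in use inside (that also applies to the workaround of carving the pool out of 10.0.0.0/8), and the vpn-filter ACL is evaluated bidirectionally, so write it from the client side and it will cover the replies as well.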

Well, I did a little workaround and kept the VPN pool in the 10.0.0.0 subnet; it works fine. Thanks for your advice.
