Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
896
Views
0
Helpful
2
Replies

VPN users can not communicate with the internal network

salvatore.baldizzi
Level 1
Level 1

‎08-13-2012 08:37 AM

Hi all,

I have two ASA 5515 configured in failover (active / standby).

I used the ASDM wizard to create connections through ipsec cisco client.

Currently users are able to connect but can not do a ping to anywhere inside the network.

The ping request is received from the internal client but the internal client can not communicate with the remote user.

The ping fail also directly from the ASA.

When the remote client is connected an entry is added to the routing table:

S 192.168.10.130 255 255 255 255 [1/0] via <ip of the ISP>, "WAN"

as if that IP was reachable directly from the Internet.

I tried changing the settings of the NAT but in no way I can make them communicate.

The ultimate goal would be to create different users with different access permissions to the LAN and the other subnets in the company.

Thanks in advance for your answer

Labels:
0 Helpful
2 Replies 2

Chris Izatt
Level 1
Level 1

‎08-13-2012 08:58 AM

How is the NAT configued? Sounds like it is confused on what IP it should be sending that to. Also can you give us more config info.

0 Helpful

salvatore.baldizzi
Level 1
Level 1
In response to Chris Izatt

‎08-17-2012 12:33 AM

This is my situation:

3 interfaces connected

- WAN (public IP)

- LAN (192.168.10.0/24)

- Remote LAN devices connect via wireless (192.160.20.0, 192.168.30.0, etc.)

Here is an extract from the command sh run:

interface GigabitEthernet0/0

nameif Internal

security-level 100

ip address 192.168.10.251 255.255.255.0 standby 192.168.10.252

!

interface GigabitEthernet0/1

nameif WAN

security-level 0

ip address 255.255.255.248

!

interface GigabitEthernet0/2

nameif Radio

security-level 50

ip address 193.168.1.148 255.255.255.0

object network NETWORK_OBJ_10.10.10.128_28

subnet 10.10.10.128 255.255.255.240

access-list VPN-MY_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0

ip local pool Pool-VPN-MY 10.10.10.130-10.10.10.140 mask 255.255.255.0

nat (Internal,WAN-Infostrada) source static any any destination static NETWORK_OBJ_10.10.10.128_28 NETWORK_OBJ_10.10.10.128_28 no-proxy-arp

group-policy VPN-MY internal

group-policy VPN-MY attributes

dns-server value 192.168.10.250

vpn-tunnel-protocol ikev1

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN-MY_splitTunnelAcl

username password encrypted privilege 0

username attributes

vpn-group-policy VPN-MY

tunnel-group VPN-MY type remote-access

tunnel-group VPN-MY general-attributes

address-pool Pool-VPN-MY

default-group-policy VPN-MY

tunnel-group VPN-MY ipsec-attributes

ikev1 pre-shared-key *****

The ultimate goal would be that a user is connected to the VPN-MY can communicate with the LAN and the Remote LAN.

Then create other tunnel in which users can access only to some remote LAN (maybe this is possible via ACL)

0 Helpful
Customers Also Viewed These Support Documents