topic Re: Can't access remote computer via VPN in Network Security

Can't access remote computer via VPN

chicagotech — Mon, 11 Mar 2019 11:43:52 GMT

We have setup ASA as VPN server. We can establish the VPN, but can't access any remote computers. The configuration can be found here: http://www.howtonetworking.com/vista/vistavpn.htm

Re: Can't access remote computer via VPN

acomiskey — Sat, 05 Jan 2008 14:03:11 GMT

Can't see your config but might be a nat-t problem. Add isakmp nat-traversal or crypto isakmp nat-traversal.

Re: Can't access remote computer via VPN

chicagotech — Sat, 05 Jan 2008 14:30:05 GMT

Sorry. This is the configuration.

http://www.howtocisco.com/cisco/samples/5510config1.htm

Can you give me step by step details? Thanks

Re: Can't access remote computer via VPN

acomiskey — Sat, 05 Jan 2008 16:29:17 GMT

I only see about the last 30 lines of the config.

Re: Can't access remote computer via VPN

chicagotech — Sat, 05 Jan 2008 18:16:53 GMT

Sorry, I just re-post it.

Re: Can't access remote computer via VPN

acomiskey — Sat, 05 Jan 2008 20:53:54 GMT

add this command...

isakmp nat-traversal

Re: Can't access remote computer via VPN

chicagotech — Sun, 06 Jan 2008 00:48:38 GMT

Thank you. Will try that Monday and post back with the result.

Re: Can't access remote computer via VPN

chicagotech — Tue, 08 Jan 2008 19:51:13 GMT

Still doesn't work. From the ASA I can ping inside computer by IP, but can't ping from the VPN client. Any other suggestions?

Re: Can't access remote computer via VPN

acomiskey — Tue, 08 Jan 2008 20:03:41 GMT

You don't need these...

no access-list inside_nat0_inbound extended permit ip any 192.168.198.0 255.255.255

no access-list inside_nat0_inbound extended permit tcp 192.168.198.0 255.255.255.0

10.0.0.0 255.255.0.0

no nat (inside) 0 access-list inside_nat0_inbound outside

Re: Can't access remote computer via VPN

chicagotech — Tue, 08 Jan 2008 20:39:47 GMT

Thank you for the quick reply. I took those lines off, but still can't ping. here are part of configuration:

interface Ethernet0/0

nameif outside

security-level 0

ip address x.x.x.198 255.255.255.224

interface Ethernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address 10.0.0.4 255.255.0.0

interface Ethernet0/2

nameif DMZ

security-level 50

ip address 172.16.252.254 255.255.0.0

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

ftp mode passive

same-security-traffic permit intra-interface

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.0.0 192.168

.198.0 255.255.255.0

access-list DMZ_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.

198.0 255.255.255.0

access-list test_splitTunnelAcl standard permit any

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu inside 1500

mtu DMZ 1500

mtu outside 1500

ip local pool vpn198 192.168.198.10-192.168.198.254 mask 255.255.255.0

asdm image disk0:/asdm506.bin

no asdm history enable

arp timeout 14400

global (outside) 10 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 10 0.0.0.0 0.0.0.0

nat (DMZ) 0 access-list DMZ_nat0_outbound

nat (DMZ) 10 172.16.0.0 255.255.0.0

route outside 0.0.0.0 0.0.0.0 x.x.x.193 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy test internal

group-policy test attributes

wins-server value 10.0.0.29 10.0.0.19

dns-server value 10.0.0.29 10.0.0.19

split-tunnel-policy tunnelspecified

split-tunnel-network-list value test_splitTunnelAcl

default-domain value chicagotech.net

webvpn

group-policy CBGVPN198 internal

group-policy CBGVPN198 attributes

wins-server value 10.0.0.29 10.0.0.19

dns-server value 10.0.0.29 10.0.0.19

split-tunnel-policy tunnelall

default-domain value chicagotech.net

webvpn

group-policy DfltGrpPolicy attributes

banner none

wins-server none

dns-server none

dhcp-network-scope none

vpn-access-hours none

vpn-simultaneous-logins 3

vpn-idle-timeout 30

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec webvpn

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

ipsec-udp-port 10000

split-tunnel-policy tunnelspecified

split-tunnel-network-list value inside_nat0_inbound

default-domain none

split-dns none

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout 30

ip-phone-bypass disable

leap-bypass disable

nem disable

backup-servers keep-client-config

client-firewall none

client-access-rule none

webvpn

functions url-entry

port-forward-name value Application Access

vpn-group-policy CBGVPN198

Re: Can't access remote computer via VPN

chicagotech — Tue, 08 Jan 2008 20:53:51 GMT

Sorry, it work. The problem is all inside computers' default gateway is pointing to a PIX firewall. If I change the computer default gateway to the ASA, the VPN client can ping the computer. We don't have plan to replace the PIX as default gateway. We just want to this ASA as VPN server. How can we configure it so that VPN client access access the LAN resources? Should we make the VPN IP pool to 10.0.0.0/16?

Re: Can't access remote computer via VPN

acomiskey — Tue, 08 Jan 2008 21:33:42 GMT

Do you have an inside router?

What version is the pix?

You don't want the address pool to be the same as the inside.

All else fails you would have to create persistant routes on your inside hosts to the vpn client subnet.

Re: Can't access remote computer via VPN

chicagotech — Tue, 08 Jan 2008 21:59:27 GMT

I also tried to use inside DHCP server to assign IP to the VPN client. The VPN client receives all TCP/IP settings such as IP, DNS, WINS, DHCP server except the default gateway. The default gateway is the VPN client IP. After that, the inside computers can ping the VPN client, but VPN client can't ping the inside computers. Why? Does the VPN client should use itself IP as default gateway? If not, how do you fix it?

Re: Can't access remote computer via VPN

chicagotech — Wed, 09 Jan 2008 01:52:38 GMT

OK, I think we had a network problem after I added inside IP pool or used inside DHCP. Some of computers could not access their Outlook. So, I should use inside IP. right?

Can I add a route command on the PIX to route all VPN traffic to the ASA? If yes, what's the command?