ASA vpn client access issue

paul amaral
Level 4

Hi, I'm new to ASA and have a quick question. I have an IPsec VPN over the WAN interface that is working via a client, and I'm assigned an IP from the correct pool below, which is part of nameif ADMINSTAFF. However, I can't SSH to the ASA once the tunnel is connected. I suspect it has something to do with NAT/policy-group but I'm not sure. When I VNC to 192.168.2.32 first and then SSH to the ASA it works, but from my VPN-assigned IP (192.168.2.90-99) SSH to the ASA IP 192.168.2.1 doesn't work. When connected via the VPN client I can't ping 192.168.2.1 but I can ping 192.168.2.32.

interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address x.x.x.17 255.255.255.248
!
interface Ethernet0/1
 nameif LAN
 security-level 50
 no ip address
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2.100
 vlan 101
 nameif STAFF
 security-level 50
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2.101
 vlan 102
 nameif ADMINSTAFF
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2.102
 vlan 1
 nameif Default
 security-level 50
 ip address 192.168.254.1 255.255.255.0
!
access-list skip-nat-inside extended permit ip any 192.168.2.0 255.255.255.0
access-list skip-nat-inside extended permit ip host 192.168.1.32 192.168.3.0 255.255.255.0
access-list skip-nat-inside extended permit ip host 192.168.1.31 192.168.3.0 255.255.255.0
access-list skip-nat-inside extended permit ip host 192.168.2.32 192.168.3.0 255.255.255.0
access-list skip-nat-inside extended permit ip host 192.168.2.31 192.168.3.0 255.255.255.0
ssh 192.168.1.0 255.255.255.0 STAFF
ssh 192.168.2.0 255.255.255.0 ADMINSTAFF
ssh 192.168.254.0 255.255.255.0 Default
ssh 10.0.0.0 255.255.255.0 management
global (WAN) 2 x.x.x.18-x.x.x.20
global (WAN) 1 interface
nat (STAFF) 0 access-list skip-nat-inside
nat (STAFF) 1 192.168.1.0 255.255.255.0
nat (ADMINSTAFF) 0 access-list skip-nat-inside
nat (ADMINSTAFF) 2 192.168.2.28 255.255.255.255
nat (ADMINSTAFF) 2 192.168.2.29 255.255.255.255
nat (ADMINSTAFF) 1 192.168.2.0 255.255.255.0
nat (Default) 0 access-list skip-nat-inside
nat (Default) 1 192.168.254.0 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
ip local pool X 192.168.2.90-192.168.2.99 mask 255.255.255.0
group-policy X internal
group-policy X attributes
 dns-server value x.x.x.x x.x.x.x
username X password xxx encrypted privilege 0
username X attributes
 vpn-group-policy X
tunnel-group X type remote-access
tunnel-group X general-attributes
 address-pool X
 default-group-policy X
tunnel-group X ipsec-attributes
 pre-shared-key *
tunnel-group-map default-group X

2 Replies

Jennifer Halim
Cisco Employee

Please add the following to be able to manage the ASA via the VPN Client:

management-access ADMINSTAFF

Oh and BTW, you shouldn't really have the ip pool in the same subnet as your internal network. It should be a completely unique subnet.
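As an added check, not from this thread or from Cisco: a small Python lint that reads an 8.2-style ASA config and reports the two conditions discussed above, a VPN address pool carved out of an interface's own subnet and no `management-access` interface configured. The sample config is constructed from the one posted in the question; the pool name X is taken from it, and the 192.168.10.x replacement range used for the corrected case is an assumption.

```python
import ipaddress
import re

# Constructed sample, condensed from the configuration posted in the question.
SAMPLE_CONFIG = """\
interface Ethernet0/2.101
 nameif ADMINSTAFF
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2.100
 nameif STAFF
 ip address 192.168.1.1 255.255.255.0
!
ip local pool X 192.168.2.90-192.168.2.99 mask 255.255.255.0
"""

def parse_interfaces(config):
    """Map nameif -> subnet for every interface block that has an ip address."""
    nets, nameif, net = {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            nameif, net = None, None          # start of a new interface block
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()[:4]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if nameif and net:
            nets[nameif] = net
    return nets

def parse_pools(config):
    # Map pool name -> (first, last) address from 'ip local pool NAME A-B ...' lines.
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools

def audit(config):
    """Return findings: pools overlapping an interface subnet, missing management-access."""
    findings = []
    nets = parse_interfaces(config)
    for pool, (first, last) in parse_pools(config).items():
        for nameif, net in nets.items():
            if first in net or last in net:
                findings.append(f"pool {pool} overlaps interface {nameif} ({net})")
    if not re.search(r"^management-access \S+", config, re.M):
        findings.append("no management-access interface; ASA not manageable over VPN")
    return findings
```

Running `audit` on the sample reports both findings; moving the pool to an unused subnet and adding `management-access ADMINSTAFF` clears them.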
