06-28-2012 02:10 PM - edited 03-11-2019 04:24 PM
Hi, I'm new to ASA and have a quick question. I have an IPsec VPN over the WAN interface that is working via a client, and I'm assigned the IP from the correct pool below, which is part of nameif ADMINSTAFF. However, I can't SSH to the ASA once the tunnel is connected. I suspect it has something to do with NAT/policy-group, but I'm not sure. When I VNC to 192.168.2.32 first, then SSH to the ASA, it works, but from my VPN-assigned IP 192.168.2.90-99, SSH to the ASA 192.168.2.1 IP doesn't work. When connected via the VPN client I can't ping 192.168.2.1, but I can ping 192.168.2.32.
interface Ethernet0/0
nameif WAN
security-level 0
ip address x.x.x.17 255.255.255.248
!
interface Ethernet0/1
nameif LAN
security-level 50
no ip address
!
interface Ethernet0/2
no nameif
no security-level
no ip address
!
interface Ethernet0/2.100
vlan 101
nameif STAFF
security-level 50
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2.101
vlan 102
nameif ADMINSTAFF
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2.102
vlan 1
nameif Default
security-level 50
ip address 192.168.254.1 255.255.255.0
!
access-list skip-nat-inside extended permit ip any 192.168.2.0 255.255.255.0
access-list skip-nat-inside extended permit ip host 192.168.1.32 192.168.3.0 255.255.255.0
access-list skip-nat-inside extended permit ip host 192.168.1.31 192.168.3.0 255.255.255.0
access-list skip-nat-inside extended permit ip host 192.168.2.32 192.168.3.0 255.255.255.0
access-list skip-nat-inside extended permit ip host 192.168.2.31 192.168.3.0 255.255.255.0
ssh 192.168.1.0 255.255.255.0 STAFF
ssh 192.168.2.0 255.255.255.0 ADMINSTAFF
ssh 192.168.254.0 255.255.255.0 Default
ssh 10.0.0.0 255.255.255.0 management
global (WAN) 2 x.x.x.18-x.x.x.20
global (WAN) 1 interface
nat (STAFF) 0 access-list skip-nat-inside
nat (STAFF) 1 192.168.1.0 255.255.255.0
nat (ADMINSTAFF) 0 access-list skip-nat-inside
nat (ADMINSTAFF) 2 192.168.2.28 255.255.255.255
nat (ADMINSTAFF) 2 192.168.2.29 255.255.255.255
nat (ADMINSTAFF) 1 192.168.2.0 255.255.255.0
nat (Default) 0 access-list skip-nat-inside
nat (Default) 1 192.168.254.0 255.255.255.0
nat (management) 0 access-list management_nat0_outbound
ip local pool X 192.168.2.90-192.168.2.99 mask 255.255.255.0
group-policy X internal
group-policy X attributes
dns-server value x.x.x.x x.x.x.x
username X password xxx encrypted privilege 0
username X attributes
vpn-group-policy X
tunnel-group X type remote-access
tunnel-group X general-attributes
address-pool X
default-group-policy X
tunnel-group X ipsec-attributes
pre-shared-key *
tunnel-group-map default-group X
06-28-2012 07:54 PM
Pls add the following to be able to manage the ASA via VPN Client:
management-access ADMINSTAFF
06-28-2012 07:55 PM
Oh, and BTW, you shouldn't really have the IP pool in the same subnet as your internal network. It should be a completely unique subnet.
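Both replies combined, as an added configuration fragment that is not from either poster (same pre-8.3 NAT syntax as the posted config; the 192.168.10.0/24 pool range and the pool name VPNPOOL are constructed assumptions, everything else reuses names from the posted config):

```text
! --- as posted: the client pool overlaps the ADMINSTAFF subnet and there is
!     no management-access line, so the ADMINSTAFF interface address
!     192.168.2.1 is not reachable (SSH or ping) from inside the tunnel ---
ip local pool X 192.168.2.90-192.168.2.99 mask 255.255.255.0

! --- corrected (assumed values) ---
! 1. Let the ASA's own ADMINSTAFF address be managed across the VPN tunnel
!    (fixes both the SSH and the ping symptom reported in the question)
management-access ADMINSTAFF

! 2. Give the VPN clients a dedicated subnet that no interface uses
!    (assumed range), and point the tunnel-group at the new pool
ip local pool VPNPOOL 192.168.10.10-192.168.10.19 mask 255.255.255.0
tunnel-group X general-attributes
 address-pool VPNPOOL

! 3. Keep inside-to-client traffic out of dynamic NAT; the new pool is no
!    longer covered by the existing "permit ip any 192.168.2.0" entry
access-list skip-nat-inside extended permit ip 192.168.2.0 255.255.255.0 192.168.10.0 255.255.255.0

! 4. Permit SSH from the new pool; with management-access the clients reach
!    the ADMINSTAFF interface, so the entry is bound to that interface
ssh 192.168.10.0 255.255.255.0 ADMINSTAFF
```

Only one interface can be named in management-access at a time, so pick the interface whose address the VPN users are meant to manage.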