
IPsec VPN help on ASA 5510

shortnathan (Level 1)

Hi,

I'm trying to set up a remote-access VPN on the ASA. I've simply used the wizard in ASDM because I'm new to this. I can connect to the VPN fine, but once connected I cannot access anything on the internal network, nor can I get out to the internet.

I'm using an IP pool of 10.39.230.50-100. The internal network that I want to access is across another router connected to the inside interface, 10.39.1.0. 10.39.239.3 is the router. (it has a subinterface of 10.39.230.3 as well)

It seems like it might be a NAT problem but I can't figure it out. Any ideas?

Accepted Solution

Hi Nathan

Identify subnets individually for routes as much as possible, so remove the following route:

no route inside 10.0.0.0 255.0.0.0 10.39.239.3 1

and add routes to subnets individually, like:

route inside 10.39.1.0 255.255.255.0 10.39.239.3 1

Most important, add the return-trip traffic route for your VPN clients in the router (the router with the 10.39.239.3 IP)! But since "(it has a subinterface of 10.39.230.3 as well)" is correct, it assumes 10.39.230.0 is a connected route, so you should use a VPN IP range that does not exist in the router or firewall. For example:

ip local pool fds_pool 192.168.120.1-192.168.120.126 mask 255.255.255.128
tunnel-group fds general-attributes
 no address-pool fdspool
 address-pool fds_pool

then

no access-list inside_nat0_outbound_1 extended permit ip 10.39.1.0 255.255.255.0 10.39.230.0 255.255.255.128
access-list inside_nat0_outbound_1 extended permit ip 10.39.1.0 255.255.255.0 192.168.120.0 255.255.255.128

add the following ACL:

access-list inside_access_in extended permit ip 10.39.1.0 255.255.255.0 192.168.120.0 255.255.255.128

Add the following route in the router:

ip route 192.168.120.0 255.255.255.128 10.39.239.20

Finally a split tunnel:

! the split-tunnel list is a standard ACL naming the inside networks to send through the tunnel
access-list split_t standard permit 10.39.1.0 255.255.255.0
group-policy fds attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_t

Regards

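The failure the accepted answer describes (the inside router treating the VPN pool as one of its own connected networks, so return traffic never reaches the ASA) can be checked before touching the firewall. The script below is an added example, not code from the thread or from Cisco: it models the inside router's table with a longest-prefix lookup built from the thread's description (connected 10.39.1.0/24, 10.39.239.0/24 and the 10.39.230.0/24 subinterface), and assumes the ASA inside address is 10.39.239.20, the next hop used in the answer's router route. It reports pool overlaps and where the router would send a packet back to a given client address, for the wizard's original pool and for the replacement pool with and without the return route.

```python
"""Added example (not from the thread): model the inside router's routing table
and check where it would send return traffic for a VPN client address.

The router table is constructed from the thread's description: the router at
10.39.239.3 has connected networks 10.39.1.0/24, 10.39.239.0/24 and, via its
subinterface 10.39.230.3, 10.39.230.0/24. The ASA inside address 10.39.239.20
is an assumption taken from the accepted answer's 'ip route' next hop.
"""
import ipaddress
from typing import List, Optional, Tuple

# A route is (prefix, next_hop); next_hop None means directly connected.
Route = Tuple[ipaddress.IPv4Network, Optional[str]]

ASA_INSIDE_IP = "10.39.239.20"  # assumed ASA inside interface address

# Constructed router table (connected routes only, as the thread describes).
ROUTER_TABLE: List[Route] = [
    (ipaddress.ip_network("10.39.1.0/24"), None),
    (ipaddress.ip_network("10.39.239.0/24"), None),
    (ipaddress.ip_network("10.39.230.0/24"), None),  # subinterface 10.39.230.3
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way the router chooses a route."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, nh in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def pool_conflicts(pool_start: str, pool_end: str, table: List[Route]) -> List[str]:
    """Prefixes in the table that overlap the VPN pool range.

    Any overlap with a connected network is fatal: the router will ARP for the
    client address on its own LAN instead of forwarding the packet to the ASA.
    """
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    return [
        str(net)
        for net, _ in table
        if start <= net.broadcast_address and end >= net.network_address
    ]


def return_path(table: List[Route], client_ip: str) -> str:
    """Where the router sends a packet addressed to a VPN client.

    Returns the next-hop address, 'connected' (delivered locally, so the ASA
    never sees it) or 'no route' (no matching entry in this constructed table).
    """
    route = lookup(table, client_ip)
    if route is None:
        return "no route"
    return "connected" if route[1] is None else route[1]


def with_return_route(table: List[Route], prefix: str, next_hop: str) -> List[Route]:
    """Copy of the table plus a static route for the VPN pool pointing at the ASA."""
    return table + [(ipaddress.ip_network(prefix), next_hop)]


if __name__ == "__main__":
    # The wizard's pool overlaps the router's 10.39.230.0/24 subinterface.
    print(pool_conflicts("10.39.230.50", "10.39.230.100", ROUTER_TABLE))
    print(return_path(ROUTER_TABLE, "10.39.230.60"))      # connected: broken
    # The answer's pool is used nowhere, so it needs an explicit return route.
    print(pool_conflicts("192.168.120.1", "192.168.120.126", ROUTER_TABLE))
    print(return_path(ROUTER_TABLE, "192.168.120.5"))     # no route: still broken
    fixed = with_return_route(ROUTER_TABLE, "192.168.120.0/25", ASA_INSIDE_IP)
    print(return_path(fixed, "192.168.120.5"))            # 10.39.239.20: works
```

Run it as a script to see the three states side by side; the same check applies to any other router in the path (the thread's final fix was a route on the router at the other office), by adding that router's connected prefixes to the table.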

dongdongliu (Level 1)

Hi, Nathan

It seems like you access the internal server from the inside interface, so the traffic enters and leaves on the same interface (the inside interface), doesn't it?

Regards

dongdong


Thanks for the response! I've made the changes you suggested, but no split tunneling because we aren't going to be using it. It's still not working correctly. I can't get internet when connected to the VPN.

access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 192.168.20.0 255.255.255.0

I changed to the above for test purposes. I can talk to the network connected to the interface on the ASA (10.39.239.0) but not to the remote segment (10.39.1.0). I've added an ip route 192.168.20.0 255.255.255.0 10.39.239.0 to the router. Any more ideas?

Sighclops (Level 1)

Try a tunneled gateway.

route inside 0.0.0.0 0.0.0.0 10.39.239.3 tunneled

Also make sure you have a route on the inside router for the VPN IP pool.

Nathan,

Please post your current running config after modifications

Got it working now. Turns out that I needed a route back on the router at the other office. Thanks guys!
