remote access VPN users cannot access inside network on ASA 5505

cliveschneider
Beginner

I have configured a Cisco ASA 5505 with remote access VPN as follows:

  • ASA outside: 192.168.0.254/24
  • ASA inside: 169.254.1.254/24
  • VPN address pool: 192.168.3.0/24
  • inside network: 169.254.1.0/24

The VPN pool of hosts should have full access to the inside network. Config file is attached.

As far as I can tell, the NAT rules and access rules are correct (I'm obviously missing something), but VPN remote access hosts cannot contact the inside network. I have tried various combinations of NAT and access rules and cannot get the VPN network talking to the inside network.

6 REPLIES

rizwanr74
Rising star

Remove these lines and try it.

global (inside) 2 interface
nat (outside) 2 vpn-network 255.255.255.0 outside

access-group inside_access_in in interface inside
access-group inside_access_out out interface inside

Hi rizwanr74,

That didn't work. On a Windows machine connected over VPN, I get

Ping: transmit failed. General failure.

when I try to ping an inside device, as if there is no route on the ASA?

Can you remove the below line and try it?

access-group outside_access_out out interface outside

Hi rizwanr74,

That didn't work either. I ran the packet tracer and an implicit access rule is denying access, even though there is a configured rule that should override it.

See screenshot attached.

The client's inside network was for some reason configured as 169.254.1.0/24, which is in the reserved link-local address range that Microsoft dishes out to hosts when they can't find a DHCP server.

Is there any chance the ASA won't route traffic to that address range for that reason?

I've set up a couple of ASA 5505s now with similar configs and haven't seen this issue before.
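A quick sanity check of the addressing plan quoted in the original post, added here as an example; it is not code from this thread or from Cisco. The four networks are the ones the poster listed, and the check logic (link-local use, pool overlap, inside interface membership) is an assumption about what is worth flagging, not a statement about what the ASA does.

```python
import ipaddress

# Addressing plan copied from the original post (constructed here as data;
# the VPN pool is a pool rather than an interface, but ip_interface() accepts it).
PLAN = {
    "outside":    "192.168.0.254/24",
    "inside":     "169.254.1.254/24",
    "vpn_pool":   "192.168.3.0/24",
    "inside_net": "169.254.1.0/24",
}

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 (Windows "APIPA")


def check_plan(plan):
    """Return (severity, message) findings for a remote-access addressing plan.

    Checks: link-local use, the VPN pool overlapping the outside or inside
    network, and the inside interface actually living in the declared inside net.
    """
    nets = {name: ipaddress.ip_interface(v).network for name, v in plan.items()}
    findings = []

    # RFC 3927 says routers must not forward link-local addresses, so an inside
    # network carved out of 169.254/16 is a trap even where a given box copes.
    for name, net in nets.items():
        if net.subnet_of(LINK_LOCAL):
            findings.append(("warn", f"{name} {net} is inside link-local {LINK_LOCAL}"))

    # The pool must not collide with a real segment; overlapping addresses
    # leave the ASA unable to tell VPN clients from the segment's own hosts.
    pool = nets["vpn_pool"]
    for name in ("outside", "inside_net"):
        if pool.overlaps(nets[name]):
            findings.append(("error", f"vpn_pool {pool} overlaps {name} {nets[name]}"))

    # The inside interface address must belong to the inside network.
    if nets["inside"] != nets["inside_net"]:
        findings.append(("error", f"inside interface {nets['inside']} is not in "
                                  f"inside_net {nets['inside_net']}"))
    return findings


if __name__ == "__main__":
    for sev, msg in check_plan(PLAN):
        print(f"[{sev}] {msg}")
```

On the plan as posted it reports only the two link-local warnings; after the poster re-addressed the inside side (the follow-up below) the same check comes back clean, consistent with the problem being elsewhere.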

I just changed the inside interface and network as a test (I didn't actually change the inside network devices) and I'm still being blocked by the same access rule, so it may be unrelated to being within the reserved link-local address range.

Interestingly, however, when attempting to ping the inside network from a Windows machine on the VPN network, the result has changed from:

PING: transmit failed. General failure.

to:

Re