08-23-2015 03:12 AM - edited 03-11-2019 11:28 PM
I have configured a Cisco ASA 5505 with remote access VPN as follows:
The VPN pool of hosts should have full access to the inside network. Config file is attached.
As far as I can tell, the NAT rules and access rules are correct (I'm obviously missing something), but VPN remote access hosts cannot contact the inside network. I have tried various combinations of NAT and access rules and cannot get the VPN network talking to the inside network.
08-24-2015 07:58 AM
Remove these lines and try it.
global (inside) 2 interface
nat (outside) 2 vpn-network 255.255.255.0 outside
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
08-25-2015 01:02 PM
Hi rizwanr74,
That didn't work. On a Windows machine connected over VPN, I get
Ping: transmit failed. General failure.
when I try to ping an inside device, as if there is no route on the ASA?
08-25-2015 01:40 PM
Can you remove the below line and try it?
access-group outside_access_out out interface outside
08-28-2015 06:53 PM
Hi rizwanr74,
That didn't work either. I ran the packet tracer and an implicit access rule is denying access, even though there is a configured rule that should override it.
See screenshot attached.
The client's inside network was for some reason configured as 169.254.1.0/24, which is in the reserved link-local address range that Microsoft dishes out to hosts when they can't find a DHCP server.
Is there any chance the ASA won't route traffic to that address range for that reason?
I've set up a couple of ASA 5505s now with similar configs and haven't seen this issue before.
08-28-2015 07:11 PM
I just changed the inside interface and network as a test (I didn't actually change the inside network devices) and I'm still being blocked by the same access rule, so it may be unrelated to being within the reserved link-local address range.
Interestingly, however, when attempting to ping the inside network on a Windows machine from the VPN network, the result has changed from:
PING: transmit failed. General failure.
to:
Request timed out.
09-28-2015 07:43 PM
Correct Answer:
So I restored the original configuration and changed the inside network address range and found that, while the packet tracer still failed, physically the network began working correctly immediately.
It appears that the client's inside address range falling within the reserved link-local range was causing the ASA to drop packets.
The inside network has now been modified, problem solved.
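The fix above came down to an inside LAN that had been numbered out of 169.254.0.0/16. As an added example (not part of the original thread, and not Cisco code), here is a small pre-deployment sanity check written in Python that flags an inside network or VPN pool that lands in a reserved range, or a VPN pool that overlaps the inside network it is supposed to reach. The function name `check_ranges` and the set of ranges treated as reserved are my own choices; the link-local range is the one the thread ran into (RFC 3927, the Windows APIPA range).

```python
import ipaddress

# Ranges an inside LAN or a remote-access VPN pool should never be carved from.
# The link-local block is the one from the thread: Windows APIPA hands it out
# when no DHCP server answers, and the ASA in this case would not forward to it.
# (The selection of ranges here is my assumption, not an exhaustive IANA list.)
RESERVED = {
    "link-local (RFC 3927 / APIPA)": ipaddress.ip_network("169.254.0.0/16"),
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "multicast": ipaddress.ip_network("224.0.0.0/4"),
    "this-network": ipaddress.ip_network("0.0.0.0/8"),
}


def check_ranges(inside, vpn_pool):
    """Return a list of problem strings for a proposed inside network and
    remote-access VPN pool (given as 'a.b.c.d/nn'). An empty list means the
    pair passed every check.

    Checks performed:
      1. neither range overlaps a reserved block from RESERVED
      2. the VPN pool does not overlap the inside network, since the ASA
         needs the two to be distinct to route between them
    """
    inside_net = ipaddress.ip_network(inside, strict=False)
    pool_net = ipaddress.ip_network(vpn_pool, strict=False)
    problems = []

    for label, net in (("inside", inside_net), ("vpn-pool", pool_net)):
        for name, reserved in RESERVED.items():
            # overlaps() is true for any shared address, so it covers the
            # subnet-of case (169.254.1.0/24 inside 169.254.0.0/16) as well as
            # a range that merely straddles a reserved block's edge.
            if net.overlaps(reserved):
                problems.append(f"{label} {net} overlaps {name} {reserved}")

    if inside_net.overlaps(pool_net):
        problems.append(f"vpn-pool {pool_net} overlaps inside {inside_net}")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs: the thread's broken inside network first,
    # then a sane pair, then a pool carved out of the inside LAN.
    for inside, pool in [
        ("169.254.1.0/24", "192.168.50.0/24"),
        ("192.168.1.0/24", "192.168.50.0/24"),
        ("10.0.0.0/24", "10.0.0.128/25"),
    ]:
        result = check_ranges(inside, pool)
        print(f"inside={inside} pool={pool}: {result or 'OK'}")
```

Run it before pushing a config to the ASA; the first sample reproduces the thread's situation and is reported against the link-local block, while the third shows the overlap check, which the thread did not hit but which produces a similarly confusing "packets vanish" symptom.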