ASA RA VPN

sonitadmin
Level 1

I've just set up a RA VPN on a new ASA5505. I followed documentation from Cisco on getting it set up. I can connect, but I cannot ping anything on the inside. At first I had the vpn pool giving out IPs on the inside, but I read that this was incorrect, so I assigned a different IP scheme. I'm just not sure how to make it NAT correctly so that I can get to inside IP addresses. If anyone could help, I would appreciate it.

Thanks!

Accepted Solution

Check the firewall config for...

crypto isakmp nat-traversal

and add it if it is missing.


23 Replies

acomiskey
Level 10

If you could post a config, you would probably get a quick solution. Clean out passwords, public IPs, etc.

Attached is a copy of the config.

I've set it so that the vpn pool uses 172.20.50.115-118 as the IPs. I think where I am running into the problem is the fact that there are two internal IP schemes. There is a 172.20.5 network and a 192.168.1 network. With the way it's set now, I can connect and I get a 172.20.50 address, and I can ping the 192.168.1 network, but I'm not sure how to go about accessing the 172.20.5 network. This is the network I need VPN clients to have access to.

Thanks for any help!

access-list inside_nat0_outbound extended permit ip 172.20.5.0 255.255.255.0 172.20.50.0 255.255.255.0

That should get you to 172.20.5.0/24. Just make sure that network has a route to the vpn client subnet.

Please rate helpful posts.

I tried that but it didn't work. Could you explain what you mean with "Just make sure that network has a route to the vpn client subnet."

This could be where my problem is.

Thanks!

Well, you definitely need the access-list statement I posted above.

Where does 172.20.5.0 sit? If you were sitting on that network, what is your default gateway? Does that gateway know how to route to 172.20.50.0?

If your topology was something like this...

VPN Clients 172.20.50.0 - ASA - 192.168.1.0 -Inside Router - 172.20.5.0

In this case the inside router would need a route like this:

ip route 172.20.50.0 255.255.255.0 192.168.1.75

Unless of course 192.168.1.1 is its default route.

I made a mistake in my original post above. I did correct it. I had 172.25 instead of 172.20.

access-list inside_nat0_outbound extended permit ip 172.20.5.0 255.255.255.0 172.20.50.0 255.255.255.0

Hi,

After checking all the details posted in the previous post by acomiskey:

Also, check and make sure that you have a route on the ASA for 172.20.5.x, and ping a 172.20.5.x IP address from the ASA.

I hope it helps.

Regards,

Arul

Ok, I entered the access-list inside_nat0_outbound extended permit ip 172.20.5.0 255.255.255.0 172.20.50.0 255.255.255.0 command. I tried pinging the 172.20.5.x network and couldn't get anything. I added a static route on the ASA on the inside port for 172.20.5.0 255.255.255.0 with the gateway of 172.20.5.2. I could then ping 172.20.5.2 from the ASA and from the VPN 172.20.50.115 client but could still not ping anything else on the 172.20.5.0 network.

What am I missing?

So you added this statement?

route inside 172.20.5.0 255.255.255.0 172.20.5.2

That doesn't make sense as the gateway to the 172.20.5.0 network is on the 172.20.5.0 network.

Could you give us a topology from a client on the 172.20.5.0 network all the way to the ASA?

Yes, I added the route inside command above.

PC (172.20.5.7) ----Network Switch--(Fiber between two buildings)----DLink(172.20.5.2)-----ASA(192.168.1.75)

Hope this helps.

Ok, thanks. I still see a problem that the route you added doesn't really make sense. Doesn't the DLink have an address on the 192.168.1.0 network?

Not that I am aware of. I only know of it with the 172.20.5.2 address.

If the dlink is a router and connects the two networks it would have 2 addresses.

PC (172.20.5.7) ----Network Switch--(Fiber between two buildings)----(172.20.5.2)DLink(192.168.1.x)-----ASA(192.168.1.75)

Then your route statement in the ASA would be

route inside 172.20.5.0 255.255.255.0 192.168.1.x
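Putting the pieces from this thread together, here is an added example of how the ASA side and the DLink side would fit for the topology drawn above. It is not the poster's config or Cisco documentation; it assumes the pre-8.3 ASA syntax (`nat (inside) 0 access-list`, which the `inside_nat0_outbound` name in the thread implies), and the DLink's 192.168.1 address is not known from the thread, so `192.168.1.X` below is a placeholder to be replaced with its real address.

```cisco
! ---- ASA (192.168.1.75 on inside) ----
! VPN client pool: keep it on a subnet that exists nowhere on the inside
ip local pool vpnpool 172.20.50.115-172.20.50.118 mask 255.255.255.0

! NAT exemption (identity NAT): traffic between each inside network and
! the VPN pool must NOT be translated, or return traffic never matches
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.20.50.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.5.0 255.255.255.0 172.20.50.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Route to the far inside network via the DLink's 192.168.1 address.
! The gateway must be on a directly connected subnet; pointing it at
! 172.20.5.2 (an address inside the destination network) cannot work.
route inside 172.20.5.0 255.255.255.0 192.168.1.X 1

! Accepted solution from this thread: keep NAT-T on so ESP survives
! any NAT device between the client and the ASA's outside interface
crypto isakmp nat-traversal 20

! ---- DLink / inside router (172.20.5.2 and 192.168.1.X) ----
! Return path: the inside router must know the VPN pool lives behind
! the ASA, otherwise replies from 172.20.5.x follow its default route
! (IOS-style syntax shown; the DLink's own syntax will differ)
ip route 172.20.50.0 255.255.255.0 192.168.1.75
```

A quick check after applying this: from the ASA, `ping 172.20.5.7` should succeed before you test from a VPN client, and `show route` should list 172.20.5.0/24 with the 192.168.1 next hop.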
