
ASA Remote Access VPN: internal LAN cannot connect to connected VPN clients

tranminhc
Level 1

Hi community,

 

I configured an IPsec remote access VPN on the ASA, and remote clients use the Cisco VPN client to connect to HQ. The VPN is working now: VPN clients can connect to servers inside and to the IT subnet, but from my PC or servers inside the LAN I cannot ping or initiate an RDP session to connected VPN clients. Below is my configuration:

!
object-group network RemoteVPN_LocalNet
 network-object 172.29.168.0 255.255.255.0
 network-object 172.29.169.0 255.255.255.0
 network-object 172.29.173.0 255.255.255.128
 network-object 172.29.172.0 255.255.255.0
!
access-list Split_Tunnel remark The Corporation network behind ASA
access-list Split_Tunnel extended permit ip object-group RemoteVPN_LocalNet 10.88.61.0 255.255.255.0
!
ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
!
nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
!
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dyn1 1 set ikev1 transform-set myset
crypto map mymap 65000 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
!
tunnel-group remotevpngroup type remote-access
tunnel-group remotevpngroup general-attributes
 address-pool remotevpnpool
 authentication-server-group MS_LDAP LOCAL
 default-group-policy Split_Tunnel_Policy

 

I don't know what I am missing in order to have the internal LANs initiate connections to connected VPN clients. Please guide me.

Thanks in advance.


Accepted Solution

rizwanr74
Level 7

Hi tranminhc,

 

Step 1: Create an object.

object network vpn_clients
 subnet 10.88.61.0 mask 255.255.255.0

 

Step 2: Create a standard ACL.

access-list my-split standard permit 172.29.168.0 255.255.255.0
access-list my-split standard permit 172.29.169.0 255.255.255.0
access-list my-split standard permit 172.29.173.0 255.255.255.128
access-list my-split standard permit 172.29.172.0 255.255.255.0

 

Step 3: Remove this line, because I am not sure what "Allow_Go_Internet" includes for the NAT exemption.

no nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool

 

Step 4: Create new nat exemption.

nat (inside,outside) source static RemoteVPN_LocalNet RemoteVPN_LocalNet destination static vpn_clients vpn_clients

 

Step 5: Apply the ACL on the tunnel.

group-policy Split_Tunnel_Policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value my-split

 

Step 6:

I assume you have a default route on your inside L3 switch pointing back to the ASA's inside address. If you don't have one, please add a default route or a static route as shown below.

ip route 10.88.61.0 255.255.255.0 xxx.xxx.xxx.xxx

xxx.xxx.xxx.xxx = the ASA's inside interface address.

 

Hope this helps.

Thanks

Rizwan Rafeek

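As an added, constructed example (not the poster's or Rizwan's configuration): a small Python check that parses the object, pool and twice-NAT lines in the forms shown in this thread and reports which LAN subnets lack a NAT exemption towards the VPN client pool. CONFIG_BEFORE and CONFIG_AFTER are constructed from the before/after state of the thread; the regexes only understand the command forms shown above.

```python
"""Added check, not from the thread: does an ASA config NAT-exempt the inside LAN
subnets towards the remote-access VPN pool? Object and pool names come from the
posts; the two configs below are constructed from the before/after state."""
import ipaddress
import re

NAT_RE = re.compile(r"nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")

# Constructed from the question: the poster's NAT line references an undefined object.
CONFIG_BEFORE = """
object-group network RemoteVPN_LocalNet
 network-object 172.29.168.0 255.255.255.0
 network-object 172.29.173.0 255.255.255.128
ip local pool remotevpnpool 10.88.61.10-10.88.61.15 mask 255.255.255.0
nat (inside,outside) source static Allow_Go_Internet Allow_Go_Internet destination static remotevpnpool remotevpnpool
"""
# Constructed: the same config after the accepted answer's steps 1, 3 and 4.
CONFIG_AFTER = CONFIG_BEFORE.replace("Allow_Go_Internet", "RemoteVPN_LocalNet").replace(
    "static remotevpnpool remotevpnpool", "static vpn_clients vpn_clients"
) + "object network vpn_clients\n subnet 10.88.61.0 mask 255.255.255.0\n"

def parse_objects(config):
    """Map object / object-group names to their networks, pool names to the pool's subnet."""
    objects, pools, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object(?:-group)? network (\S+)$", line):
            current = m[1]
            objects[current] = []
        elif m := re.match(r"(?:network-object|subnet) (\S+) (?:mask )?(\S+)$", line):
            if current:
                objects[current].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif m := re.match(r"ip local pool (\S+) (\S+)-\S+ mask (\S+)$", line):
            pools[m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif line and not line.startswith("!"):
            current = None  # any other command ends the object definition
    return objects, pools

def uncovered_lan_subnets(config, lan_object="RemoteVPN_LocalNet"):
    """Return LAN subnets with no identity twice-NAT (real == mapped on both sides) towards a VPN pool.
    A missing exemption is one reason inside-initiated sessions to VPN clients fail; the other
    common one, as in this thread, is a missing route back to the ASA on the inside L3 switch."""
    objects, pools = parse_objects(config)
    exempt = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m and m[1] == m[2] and m[3] == m[4]:  # identity on both sides = NAT exemption
            exempt += [(lan, cli) for lan in objects.get(m[1], []) for cli in objects.get(m[3], [])]
    return [str(lan) for lan in objects.get(lan_object, []) for pool in pools.values()
            if not any(lan.subnet_of(a) and pool.subnet_of(b) for a, b in exempt)]
```

Running it against the two constructed configs lists both LAN subnets for CONFIG_BEFORE (the undefined source object exempts nothing) and an empty list for CONFIG_AFTER.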

2 Replies


Hi Rizwan,

My above configuration is correct. I needed to add a static route for the 10.88.61.0 subnet on the Core Switch pointing to the ASA device. The problem is solved.

Thanks for your help.