ASA with VPN - problems

blakemunro
Level 1

Hi,

I used the VPN wizard to create a site-to-site VPN connection today. The plan is to have an Endian Firewall device at the new branch office and connect it back via IPSec to the ASA at head office.


After I did that, I may have played around with some of the settings for the normal remote access VPN - as in the one end users can use with the VPN client software. Whenever they connect now, they aren't getting assigned a default gateway.

I manually connected using the client on a Win7 machine and then even tried going into the Cisco network adapter after I was connected and adding in our default gateway (the IP of the ASA) but it seems the route is not there either.

I've spent about 4 hours on this today and it's doing my head in. I'm not particularly good with Cisco stuff, but I know enough to break things and sometimes if I'm lucky fix them. Today I haven't been so lucky...

I've attached a 'show run' - can anyone have a look at this and let me know if you can see any obvious problems?

Further info:

Main office LAN: 192.168.1.0/24

New branch office: 192.168.5.0/24

WiFi VLAN: 192.168.8.0/24

DMZ: 192.168.10.0/24

IP of ASA: 192.168.1.1 / 255.255.255.0

IP block reserved for VPN clients: 192.168.1.200 / 255.255.255.248

The client is getting assigned everything (IP, DNS, Subnet mask etc) just not the default gateway.

I really need to get this fixed tomorrow as I'm travelling to the other side of the country this weekend to set up the branch office, and this is the last thing I need with people complaining they can't VPN in from home!

Thanks in advance if anyone can help.

17 Replies

That's great info.

Since it's every profile I am leaning toward the defaultGroupPolicy.

I'll let you know if I need the screenshots.

Sorry it's late, the head is not the clearest.

Why are you assigning IPs for a pool that is inside the same range as your LAN?

Has it always been that way?

I don't understand how your split-tunnel is the entire 192.168.1.0 network and yet your IP is 192.168.1.x.

Wouldn't everything bound for you just go right back down the tunnel?

Let's try something.

Use the wizard.

Set up a new profile and use a new IP pool of, say 172.1.1.1-172.1.1.20.

Make sure you exclude them from NAT.

Set it up just like the other for the split-include network lists.

Under the Connection Profile section make sure you have "Allow inbound VPN to bypass access lists" checked.

I don't know your network well enough so you may have to do a little routing.

If necessary, either on your router or on your server add a route of 172.1.1.0 mask 255.255.255.0 192.168.1.1

Sorry.

Then test the new vpn profile and see if you can reach the servers.
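The procedure the reply above describes (new pool outside the LAN, split-include list, NAT exemption, VPN bypass of interface ACLs), written out as ASA CLI. This is an added example, not configuration from the original post or from the reply, and not taken from the poster's 'show run'. The pool and LAN addresses are the ones given in the thread; the names RA_POOL, SPLIT_TUNNEL, RA_POLICY, RA_PROFILE, LAN_NET and NONAT, the interface names inside/outside, and the pre-shared key placeholder are assumptions. The thread does not say which ASA software version is running, so the NAT exemption is shown in both the pre-8.3 and the 8.3+ form; apply only the one that matches the running version.

```text
! Address pool for VPN clients, deliberately outside 192.168.1.0/24
! (range taken from the reply; names in this block are assumed)
ip local pool RA_POOL 172.1.1.1-172.1.1.20 mask 255.255.255.0

! Split-include list: only head-office LAN traffic is sent down the tunnel.
! With tunnelspecified the client gets routes for these networks only,
! not a default gateway, which is the expected behaviour.
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Connection profile (what ASDM calls the tunnel-group) for the IPsec client
tunnel-group RA_PROFILE type remote-access
tunnel-group RA_PROFILE general-attributes
 address-pool RA_POOL
 default-group-policy RA_POLICY
tunnel-group RA_PROFILE ipsec-attributes
 pre-shared-key <placeholder-psk>
! on 8.4 and later the keyword is:  ikev1 pre-shared-key <placeholder-psk>

! ASDM "Allow inbound VPN to bypass access lists" is this single command
sysopt connection permit-vpn

! --- NAT exemption, ASA before 8.3 ---
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 172.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- NAT exemption, ASA 8.3 and later (use instead of the two lines above) ---
object network LAN_NET
 subnet 192.168.1.0 255.255.255.0
object network RA_NET
 subnet 172.1.1.0 255.255.255.0
nat (inside,outside) source static LAN_NET LAN_NET destination static RA_NET RA_NET
! on 8.4(2) and later "no-proxy-arp route-lookup" can be appended to that nat line

! Only needed on LAN hosts whose default gateway is NOT the ASA (192.168.1.1),
! typed on the Windows host itself, as the reply suggests:
!   route add 172.1.1.0 mask 255.255.255.0 192.168.1.1
```

Two checks before testing from a client: `show run nat` (or `show run nat` plus `show run access-list NONAT` on pre-8.3) to confirm the exemption took effect, and `show vpn-sessiondb remote` after connecting to see which pool address and group policy the session actually received. One caveat on the addresses the reply picked: 172.1.1.0/24 is not an RFC 1918 range (the private block is 172.16.0.0/12), so if this pool is adopted permanently a block such as 172.16.1.0/24 avoids routing a public prefix internally; the example keeps the reply's range only so that it lines up with the thread.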