05-10-2013 06:11 AM - edited 02-21-2020 06:53 PM
Hi All,
I have a problem where I'm unable to remote desktop into any of the LAN PCs when I'm connected through the VPN. I can ping all nodes inside the network and I can open an inside addressed web page from my local PC, as well. So, it seems like it's only RDP (3389) that is affected. Remote access to those PCs is enabled, as I'm able to get to them via a different method (SBS Remote Web Access).
I'm somewhat new to ASAs, so any help is greatly appreciated. TIA
ASA 5505
ASA Version 8.2(5)
!
hostname asa
enable password IqUJj3NwPkd23LO9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.0.1.0 Net-10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.98 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 11.11.11.11 255.255.255.0
!
interface Vlan3
no nameif
security-level 50
ip address 192.168.5.1 255.255.255.0
!
ftp mode passive
object-group service RDP tcp
port-object eq 3389
access-list TSTGRP_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 12.0.1.0 255.255.255.224
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 12.0.1.0 255.255.255.224
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
ip local pool IPSec-12 12.0.1.1-12.0.1.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 11.11.11.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=pas-asa.null
keypair pasvpnkey
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate fecf8751
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.1.100 255.255.255.255 inside
ssh 10.0.1.1 255.255.255.255 outside
ssh timeout 5
console timeout 0
dhcpd auto_config inside
!
dhcpd address 192.168.1.222-192.168.1.223 inside
dhcpd dns 11.11.11.12 11.11.12.12 interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
vpn-tunnel-protocol svc
group-policy DfltGrpPolicy attributes
dns-server value 11.11.11.12 11.11.12.12
vpn-tunnel-protocol IPSec webvpn
username test password 1w1.F5oqiDOWdcll encrypted privilege 0
username test attributes
vpn-group-policy SSLClientPolicy
username test1 password lQ8frBN8p.5fQvth encrypted privilege 15
username test2 password w4USQXpU8Wj/RFt8 encrypted privilege 0
username test2 attributes
vpn-group-policy SSLClientPolicy
username test3 password SC8q/LweL74qU0Zu encrypted privilege 0
username test3 attributes
vpn-group-policy SSLClientPolicy
tunnel-group DefaultRAGroup general-attributes
address-pool IPSec-12
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group PAS-SSL-VPN type remote-access
tunnel-group PAS-SSL-VPN general-attributes
address-pool SSLClientPool-10
default-group-policy SSLClientPolicy
tunnel-group PAS-SSL-VPN webvpn-attributes
group-alias PAS_VPN enable
group-url https://11.11.11.11/PAS_VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:7f67d8c8b24bc533cf546b545aa33327
05-10-2013 12:03 PM
Is your ASA inside IP address 192.168.1.98 the default gateway for the 192.168.1.0/24 subnet?
Your config looks fine for allowing traffic from the VPN pool to the inside network.
In case the ASA is not the default gateway, there would be asymmetric routing on the inside.
Either add a route on terminal server machine for 12.0.1.0 255.255.255.224 to point towards ASA inside IP address.
Else take a capture on inside. Here is the command
capture capin interface inside mat ip 12.0.1.0 255.255.255.224 host
sh capture capin
Regards,
Varinder
P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
05-10-2013 01:17 PM
Varinder,
thanks for the suggestions.
The 192.168.1.0 /24 network's default gateway is 192.168.1.1, which is a NetGear router for the LAN's primary Internet connection (cable modem). The ASA's connection to the outside is through a T1 circuit our office uses for VoIP services. I already had a static route setup on the NetGear router (10.0.1.0 255.255.255.224 192.168.1.98), so the inside PCs know how to talk with the 10.0.1.0 - pool addresses.
capture capin interface inside match ip 10.0.1.0 255.255.255.224 host 192.168.1.20, shows the following:
0 packet captured
0 packet shown
... it's bizarre. With VPN established, I can ping to 192.168.1.x and also load an internal web page without a problem.
05-10-2013 03:22 PM
Run the ping command and also try to access RDP on host 192.168.1.20, then check the capture
sh capture capin
Regards,
Varinder
P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
05-10-2013 03:32 PM
Here's the capture ...
62 packets captured
1: 19:49:15.500355 802.1Q vlan#1 P0 10.0.1.1.46518 > 192.168.1.100.33435: udp 24
2: 19:49:26.526217 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.100: icmp: echo request
3: 19:49:26.527514 802.1Q vlan#1 P0 192.168.1.100 > 10.0.1.1: icmp: echo reply
4: 19:49:27.452201 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.100: icmp: echo request
5: 19:49:27.452506 802.1Q vlan#1 P0 192.168.1.100 > 10.0.1.1: icmp: echo reply
6: 22:24:57.830477 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
7: 22:24:58.824954 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
8: 22:24:59.824740 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
9: 22:25:00.230044 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
10: 22:25:00.231204 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
11: 22:25:00.830248 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
12: 22:25:01.232013 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
13: 22:25:01.232287 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
14: 22:25:01.826846 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
15: 22:25:02.231860 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
16: 22:25:02.232119 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
17: 22:25:02.826602 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
18: 22:25:03.231555 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
19: 22:25:03.231860 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
20: 22:25:04.231524 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
21: 22:25:04.231845 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
22: 22:25:04.828616 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
23: 22:25:05.230945 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
24: 22:25:05.231357 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
25: 22:25:06.230929 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
26: 22:25:06.231158 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
27: 22:25:07.230761 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
28: 22:25:07.231006 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
29: 22:25:08.230472 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
30: 22:25:08.230746 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
31: 22:25:09.227740 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
32: 22:25:09.228015 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
33: 22:25:10.231051 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
34: 22:25:10.231433 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
35: 22:25:11.229800 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
36: 22:25:11.230136 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
37: 22:25:12.229526 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
38: 22:25:12.229770 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
39: 22:25:13.231204 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
40: 22:25:13.231448 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
41: 22:25:14.228900 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
42: 22:25:14.229220 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
43: 22:25:15.228641 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
44: 22:25:15.228915 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
45: 22:25:16.230990 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
46: 22:25:16.231265 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
47: 22:25:17.230823 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
48: 22:25:17.231067 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
49: 22:25:18.230563 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
50: 22:25:18.230838 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
51: 22:25:19.237765 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
52: 22:25:19.237994 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
53: 22:25:20.232516 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
54: 22:25:20.232791 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
55: 22:25:21.234698 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
56: 22:25:21.235003 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
57: 22:25:22.234545 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
58: 22:25:22.234790 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
59: 22:25:23.234698 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
60: 22:25:23.235064 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
61: 22:25:24.234195 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
62: 22:25:24.234439 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
62 packets shown
05-10-2013 04:38 PM
Looks like traffic is going in for RDP but there is no reply packet
7: 22:24:58.824954 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
8: 22:24:59.824740 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
This could be due to the Netgear (192.168.1.1) dropping packets. You can solve this on the ASA by PATing the traffic on the inside interface of the ASA. Here is what you have to do:
access-list vpn_nat_inside permit ip 10.0.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (outside) 10 access-list vpn_nat_inside outside
global (inside) 10 interface
This will only PAT the VPN pool traffic coming in and will not have any effect on anything else.
Regards,
Varinder
P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
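The symptom read off the capture in the answer above (repeated SYNs to port 3389 with nothing coming back, while pings to the same host are answered) can be checked mechanically. This Python script is an added example, not part of the thread; the function names are hypothetical, and the last two sample lines are constructed, including the assumed tcpdump-style SYN-ACK format.

```python
import re
from collections import defaultdict

# TCP lines of ASA "show capture" output: "src.sport > dst.dport: FLAGS rest"
TCP_LINE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPRU.]+) (?P<rest>.*)"
)
ICMP_REPLY = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): icmp: echo reply"
)

# Lines 6-10 are taken from the capture posted in the thread.
# Lines 90-91 are CONSTRUCTED to show an answered flow for contrast.
SAMPLE = """\
6: 22:24:57.830477 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
7: 22:24:58.824954 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
8: 22:24:59.824740 802.1Q vlan#1 P0 10.0.1.1.49162 > 192.168.1.20.3389: S 3361152799:3361152799(0) win 65535
9: 22:25:00.230044 802.1Q vlan#1 P0 10.0.1.1 > 192.168.1.20: icmp: echo request
10: 22:25:00.231204 802.1Q vlan#1 P0 192.168.1.20 > 10.0.1.1: icmp: echo reply
90: 22:30:00.000100 802.1Q vlan#1 P0 10.0.1.1.49170 > 192.168.1.100.80: S 1000:1000(0) win 65535
91: 22:30:00.000900 802.1Q vlan#1 P0 192.168.1.100.80 > 10.0.1.1.49170: S 2000:2000(0) ack 1001 win 8192
"""


def unanswered_syns(capture_text):
    """Return {(src, sport, dst, dport): syn_count} for flows that never got a reply."""
    syns = defaultdict(int)
    replied = set()
    for line in capture_text.splitlines():
        m = TCP_LINE.search(line)
        if not m:
            continue  # ICMP, UDP and summary lines are not TCP segments
        flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        if "S" in m["flags"] and not re.search(r"\back\b", m["rest"]):
            syns[flow] += 1  # initial SYN or a retransmission of it
        else:
            # Any other segment (SYN-ACK, RST, data) answers the reverse flow.
            replied.add((m["dst"], int(m["dport"]), m["src"], int(m["sport"])))
    return {flow: n for flow, n in syns.items() if flow not in replied}


def diagnose(capture_text):
    """List unanswered TCP flows and whether the same server answered ICMP echo."""
    icmp_ok = {(m["src"], m["dst"]) for m in ICMP_REPLY.finditer(capture_text)}
    findings = []
    for (src, _sport, dst, dport), n in sorted(unanswered_syns(capture_text).items()):
        findings.append({
            "client": src, "server": dst, "port": dport, "syns": n,
            # True here means the host is up and reachable, so the missing
            # SYN-ACK points at the return path rather than at the host.
            "icmp_reply_seen": (dst, src) in icmp_ok,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

With the PAT commands from the answer applied, inside hosts see VPN sessions as coming from the ASA's inside address, so per-client attribution has to come from the ASA's logs rather than from the RDP host's.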
05-10-2013 06:53 PM
Varinder-
you are a genius ... problem's fixed!!
Looks like I'm going to have to read more about PATing ... I don't have the slightest idea of what those commands mean.
Thanks!!