Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10043
Views
75
Helpful
51
Replies

ASA 5520 - VPN users have no internet.

Go to solution
rcoote5902_2
Level 2
Level 2

‎04-06-2010 01:42 PM

Hello,

We just migrated from a Pix 515 and VPN Concentrator to an ASA 5520.  The firewall portion is working well but we are having some issue with our remote VPN.

Everything on the inside network is accessible when using remote VPN however there is no access to our DMZ or internet.  I'm sure there is something simple needed that I'm missing, and hoping someone might be able to shed some light on what is needed to allow the VPN tunnel to go back outside and into our DMZ.

The ASA is running 8.2(2)9 and ASDM 6.2(1).

Cheers,

Rob

Labels:
0 Helpful
51 Replies 51

Go to solution
rcoote5902_2
Level 2
Level 2
In response to Federico Coto Fajardo

‎04-07-2010 03:27 PM

Ok I made those changes, not seeing anything different.  Pings both ways time out.

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to rcoote5902_2

‎04-07-2010 03:35 PM

From the 172.16.68.0/24 you can PING 10.10.10.1 correct?

From the 10.10.10.0/24 you can PING 172.16.68.1 correct?

I am having a hard time now figuring out how this tunnel is up since you have PFS
enabled on the ASA but not on the PIX.

Federico.

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Federico Coto Fajardo

‎04-07-2010 07:41 PM

I checked the configuration again.

I would like to know if you can PING:

From the 172.16.68.0/24 you can PING 10.10.10.1

From the 10.10.10.0/24 you can PING 172.16.68.1

Basically from either network reaching the inside IP of the other side of the tunnel endpoint.

Let me know if both PINGs are succesful.

Federico.

Go to solution
rcoote5902_2
Level 2
Level 2
In response to Federico Coto Fajardo

‎04-08-2010 07:11 AM

No, I cannot ping the gateways of the other network from either 172.16.68.0/22 or 10.10.10.0/24

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to rcoote5902_2

‎04-08-2010 01:08 PM

Try to PING again, but remember that you should have these commands:

management access-dmz --> On the ASA

management access-inside --> On the PIX

Federico.

0 Helpful

Go to solution
rcoote5902_2
Level 2
Level 2
In response to Federico Coto Fajardo

‎04-08-2010 05:05 PM

Alright, the good news is - it works.

The bad news, I had to blow out the config on both sides (we'd had a contractor code the tunnel for us initially and I don't think he really had a clue) and reconfigure it from scratch.  Removing the PFS was one thing I made sure of because it didn't make any sense to me after you mentioned it that it was set on the ASA but not the firewall.  I'm not even sure that old PIX supports PFS so I just eliminated it.

Federico you are so patient and helpful, thank you so much for all your support with this.  I learned a lot.

Cheers,

Rob

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to rcoote5902_2

‎04-08-2010 05:35 PM

Very good news.

That's the idea.. I also learned something here everyday!

Thank you very much!

Federico.

0 Helpful
Customers Also Viewed These Support Documents