11-13-2012 02:53 AM
Hi,
I have a small problem: I want to create an ASA remote access VPN to my site. The schema is as follows:
ISP ---> Internet Router 2800 ---> Edge SW (2960G) ---> ASA (5540) ---> Core SW (6513E)
Configuration
Internet Router
Outside Interface : Real IP
Inside Interface : Private IP 192.168.10.3
ASA Interfaces
Outside Interface : 192.168.10.17
Inside Interface : 192.168.21.17
I configured the VPN on the ASA and it is working properly from the edge SW, but I have two problems
(I connect my laptop to the ASA outside VLAN port on the edge SW, and with the Cisco VPN Client I established the connection with the ASA).
1- I can't access any servers or ping any hosts inside (what am I missing on the ASDM, or what should I configure on the ASA security policies
or the core SW to allow the traffic?)
2- What must I configure on the internet router to pass the VPN traffic? I typed this command on the 2800 RW (Internet RW):
ip nat outside global static (Real IP) (ASA Outside Interface)
So what am I missing? Please, can anyone help me? For any more information just ask. Thanks.
11-13-2012 05:01 AM
1) Did you configure any NAT exemption on the ASA with a source subnet of 192.168.21.0 and the destination subnet of the VPN client pool?
2) On the internet router, you would need to configure:
ip nat inside source static 192.168.10.17
Assuming that you would like to configure 1:1 NAT on the router.
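The two items above, written out as an added example (not configuration from the original thread). It assumes an ASA running 8.3 or later object NAT syntax (the older `nat 0` form is shown commented out), the inside subnet 192.168.21.0/24 from the first post, the 50.0.0.0/24 client pool mentioned later in the thread, router interface names that are assumptions, and `PUBLIC-IP` as a placeholder for the real outside address the thread does not show.

```cisco
! --- ASA: NAT exemption (identity "twice NAT") between the inside LAN and the VPN pool ---
! Without this, traffic from 192.168.21.0/24 toward the client pool is translated
! like ordinary Internet-bound traffic and the replies never match the tunnel.
object network INSIDE-LAN
 subnet 192.168.21.0 255.255.255.0
object network VPN-POOL
 subnet 50.0.0.0 255.255.255.0
nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! --- Same intent on ASA 8.2 and earlier (nat 0 / NAT exemption) ---
! access-list NONAT extended permit ip 192.168.21.0 255.255.255.0 50.0.0.0 255.255.255.0
! nat (inside) 0 access-list NONAT

! --- Internet router (2800): 1:1 static NAT so the public address maps to the ASA outside interface ---
! A full static mapping forwards every protocol/port, which covers IKE (UDP/500),
! NAT-T (UDP/4500) and ESP without per-port entries.
interface GigabitEthernet0/0
 description to ISP (interface name assumed)
 ip nat outside
interface GigabitEthernet0/1
 description to edge switch / ASA outside (interface name assumed)
 ip address 192.168.10.3 255.255.255.0
 ip nat inside
ip nat inside source static 192.168.10.17 PUBLIC-IP
```

To check the result, `show nat` on the ASA should list the identity rule with a non-zero translate hit count after a client tries to reach an inside host, and `show ip nat translations` on the router should show the static entry for 192.168.10.17. The identity NAT should be as narrow as the real traffic needs (only the inside subnets the VPN clients are allowed to reach), since every subnet listed there is exposed to the client pool once the interface ACL permits it.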
11-17-2012 01:09 AM
Dear Jennifer ,
About your first question: no, I didn't configure any NAT rule... what should I do exactly?
About number 2, must this rule be configured beside the other one I made
(ip nat outside source static
Thanks
11-18-2012 01:20 AM
Dear Jennifer,
I configured the 2800 router with the NAT rule as you said and it works now, but I can't access the inside zone (the servers or the hosts).
You can find the attached image of the NAT rules I already configured.
The VPN pool is 50.0.0.0/24
11-21-2012 02:42 AM
NAT rule looks correct, do you have split tunnel policy configured on the ASA?
Also, does the inside host know how to route to the VPN pool subnet? If the default gateway is the ASA inside interface then it should be OK.
Next thing is to also check if the host that you are trying to access has any firewall that might be blocking the inbound access.
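The split-tunnel policy and the return-route question from this reply, as an added example rather than configuration posted in the thread. The group-policy and tunnel-group names are assumptions; the addresses are the ones the thread gives (inside 192.168.21.0/24, ASA inside interface 192.168.21.17, client pool 50.0.0.0/24).

```cisco
! --- ASA: split tunneling limited to the inside LAN ---
! Only the listed networks are sent through the tunnel; everything else leaves
! the client directly. Keep this list as small as the users actually need.
access-list SPLIT-TUNNEL standard permit 192.168.21.0 255.255.255.0
group-policy RA-VPN-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group RA-VPN general-attributes
 default-group-policy RA-VPN-POLICY

! --- Core switch (6513E): return route for the client pool ---
! Needed only when inside hosts use a gateway other than the ASA inside
! interface; the gateway must know that 50.0.0.0/24 lives behind 192.168.21.17.
ip route 50.0.0.0 255.255.255.0 192.168.21.17
```

On the ASA, `show run group-policy RA-VPN-POLICY` confirms the split-tunnel attributes took effect, and from the client side `show vpn-sessiondb remote` lists the negotiated session. Note that the default `tunnelall` policy is the more restrictive choice, because the client cannot bridge its local network and the corporate LAN while connected; `tunnelspecified` trades that for convenience, so every prefix added to SPLIT-TUNNEL should be deliberate.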
11-27-2012 12:25 AM
No, I don't have a split tunnel on the ASA; the default gateway inside is 192.168.21.1.
I have an IBM Proventia IPS inside between the ASA and the core switch... but even if the IPS blocks the traffic, why can't I ping the inside ASA interface IP?
11-29-2012 01:49 AM
Dear Jennifer,
Now I created this ACL from the CLI on the ASA:
"access-list OUTBOUND-TRAFFIC extended permit ip any PIV_VPN 255.255.255.0"
(VPN client subnet is 172.20.200.0/24)
and the inside users subnet "10.21.10.x/24" can access the VPN client laptops over any protocol (ping, RDP, ...), but the VPN client can only ping all subnets inside, not RDP... how do I allow RDP from the VPN client to the users and the server farm subnet?
Note:
The ASA log shows this message while I try to RDP to a server or users:
"built inbound tcp connection from outside"
but no deny messages appear in the log.
Something weird else... I have two core SW 6500 inside; the VPN client can only ping the IP of the failover SW and the load balancing IP, but when pinging the active one it replies with destination host unreachable.
Please Advise
12-13-2012 04:47 AM
Apologies for the super late reply. Not sure if you have resolved the issue or not.
In regards to RDP, have you allowed RDP access on the inside host? And also, you mention that the VPN client can now ping the inside subnet, right? Only RDP is not working?
Can you please share the configuration on the ASA?
12-05-2012 02:59 AM
Any Update??
12-05-2012 04:17 AM
Please try the command below; this will allow the VPN traffic in both directions regardless of interface ACLs.
sysopt connection permit-vpn
With Regards,
Safwan
Don't forget to rate helpful posts
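An added example (not from the thread) showing the `sysopt` command above next to the tighter alternative a practitioner would usually prefer, plus the checks for the RDP symptom described earlier in the thread. It assumes the group-policy name `RA-VPN-POLICY` and the ACL name `VPN-CLIENT-FILTER`, the client pool 172.20.200.0/24 and users subnet 10.21.10.0/24 from the thread, and constructed host addresses 172.20.200.10 and 10.21.10.25 for the packet-tracer run.

```cisco
! --- Option A (what the post suggests): decrypted VPN traffic bypasses interface ACLs ---
! With this set, the OUTBOUND-TRAFFIC "permit ip any" entry from the thread is no
! longer what gates VPN clients; the tunnel itself grants access to everything
! reachable through NAT and routing.
sysopt connection permit-vpn

! --- Option B (tighter): keep the bypass, but scope clients with a vpn-filter ---
! vpn-filter ACLs are written from the remote client's point of view:
! source = VPN client, destination = inside host. Here only RDP and ICMP to the
! users subnet are allowed; the final deny closes everything else.
access-list VPN-CLIENT-FILTER extended permit tcp 172.20.200.0 255.255.255.0 10.21.10.0 255.255.255.0 eq 3389
access-list VPN-CLIENT-FILTER extended permit icmp 172.20.200.0 255.255.255.0 10.21.10.0 255.255.255.0
access-list VPN-CLIENT-FILTER extended deny ip any any
group-policy RA-VPN-POLICY attributes
 vpn-filter value VPN-CLIENT-FILTER

! --- Verification for "ping works, RDP does not" ---
! packet-tracer walks an RDP packet from a client address to an inside host
! through route lookup, NAT and ACL phases and reports the phase that drops it.
packet-tracer input outside tcp 172.20.200.10 40000 10.21.10.25 3389
! Confirm the client session exists and which group policy / filter it received.
show vpn-sessiondb remote
! Confirm the identity NAT rule is matched by client-to-inside traffic.
show nat
```

If packet-tracer reports ALLOW on every phase yet RDP still fails while ping succeeds, the ASA is not the blocking element: the thread's `built inbound tcp connection` log line with no matching deny confirms the firewall passed the SYN, which points at the inside host's own firewall (RDP not enabled or not allowed from the client pool) or at the IPS sitting between the ASA and the core switch.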