
connected VPN users can't access any resources

1salvarez
Level 1

User is able to connect, gets assigned an IP, we can see them connected
via ASDM, they can't access anything in our network.

Accepted Solutions

Hi,


Check the following:

When attempting to send traffic, check the output of "sh cry ips sa" to make sure packets encrypted/decrypted increment.

If not...

Could be that NAT-T is not configured.

Check the configuration for:

crypto isakmp nat-t

sh run all sysopt --> should show sysopt connection permit-vpn

Test:

Add the command

management-access inside

And try to PING the inside IP of the ASA from the VPN client.

Let's take it from here...

Federico.

Someone made a change which affected the users. Below are his remarks:

I added crypto map 10 for connectivity to site1 and the crypto map ACL that I added for that tunnel to match was too broad in scope and included all 192.168.0.0/16 networks.  Will get more specific on the allowed traffic for that tunnel.

Thanks for your help, Federico.
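
The root cause reported above, a site-to-site crypto map ACL broad enough to also match traffic headed for remote-access VPN clients, can be checked for before a change goes in. The following is an added example, not part of the original thread: the ACL names, addresses and the client pool are constructed, and it assumes the pool sits inside 192.168.0.0/16, which the thread does not state.

```python
import ipaddress

# Constructed sample config (hypothetical ACL names and addresses, not from the thread).
SAMPLE_ACLS = """\
access-list SITE1_CRYPTO extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list SITE1_FIXED extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list SITE2_CRYPTO extended permit ip host 192.168.10.5 any4
"""
VPN_POOL = "192.168.200.0/24"  # assumed remote-access client pool


def _take_addr(tokens):
    """Consume one ASA address spec; return (network or None, remaining tokens)."""
    try:
        head = tokens[0]
        if head in ("any", "any4"):
            return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
        if head == "host":
            return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
        if head in ("object", "object-group"):
            return None, tokens[2:]  # named objects are not resolved in this sketch
        # ASA ACLs use a network followed by a netmask (not a wildcard mask).
        return ipaddress.ip_network(f"{head}/{tokens[1]}", strict=False), tokens[2:]
    except (ValueError, IndexError):
        return None, []  # unparseable entry: caller skips the line


def overlapping_entries(config, pool):
    """Return (acl_name, destination) for permit-ip entries whose destination overlaps pool."""
    pool_net = ipaddress.ip_network(pool)
    hits = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue
        _src, rest = _take_addr(t[5:])
        if not rest:
            continue
        dst, _ = _take_addr(rest)
        if dst is not None and dst.overlaps(pool_net):
            hits.append((t[1], str(dst)))
    return hits


if __name__ == "__main__":
    for name, dst in overlapping_entries(SAMPLE_ACLS, VPN_POOL):
        print(f"{name}: destination {dst} overlaps VPN pool {VPN_POOL}")
```

Any ACL it reports that is referenced by a site-to-site crypto map is a candidate for the symptom in this thread: clients connect and get an address, but return traffic to them is matched by the other tunnel.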
