Internal Interface VPN access

Jon Moots
Level 1

Ok, I have a question for everyone. I have an ASA 5510 that I want to do VPN testing on for users that remote into the system from home. What I am wanting to do is create a VPN connection on the internal interface so that I can test the connections and connectivity before I give it to them and find out it does not work when they get home. I have tried to set up using the ASDM Wizard to the internal interface and got all the way through the set up OK. Once I try to connect, using the Cisco Client, it will connect and authenticate fine, but will not remote to or ping anything on the network.

Here are the settings that I am using:

Remote Access

Internal interface

Cisco VPN Client Release 3.x or higher

Authenticate via AAA server

Address Pool name: test

Address Pool Range: 192.168.1.1 - 192.168.1.5

Address Pool Subnet Mask: 255.255.0.0

Leaving DNS and WINS server selections blank

Using the default Encryption

Internal access (NAT) with the exempt network of 192.168.0.0 /16 network, internal interface

Split Tunneling is not enabled

I can connect to the ASA fine, just can't get to the server with an address of 192.168.100.1.

I tried manual entry of an ACL rule for ANY to ANY on the internal network and that made no difference at all.

Any suggestions??

-Jon

3 Replies

JORGE RODRIGUEZ
Level 10

Hi,

It is very possible you do not have NAT-T enabled; this is a very common behavior when setting up RA VPNs for the first time.

Look in your config to confirm you have NAT-T enabled; if not, add the line below to your config:

securityappliance(config)#crypto isakmp nat-traversal 20
http://www.cisco.com/en/US/partner/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution01

If you have that already configured and still no access to inside resources, please post your configuration to review.

Regards

Jorge Rodriguez

Jorge,

This is the only statement that I can find that has NAT-T in it:

crypto map Outside_map 6 set nat-t-disable

Would this be part of the problem? The contractor that set this up originally has three site-to-site tunnels on it already; I just don't want to mess up those tunnels.

-Jon

Jon,

Is your crypto map #6 your RA VPN tunnel? If so, that could be one of your problems. If you're running code 8.x and above, NAT-T is enabled by default, so you just need to remove that line (no crypto map Outside_map 6 set nat-t-disable) and try accessing inside resources. If your ASA is running 7.x code, use the command above in the link previously provided in addition to removing the line you have found in your crypto map. You should be fine removing it.

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/command/reference/c5.html#wp2266389

Regards

Jorge Rodriguez
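As an added example (not code from the thread or from Cisco), here is a small Python checker that turns Jorge's two replies into a repeatable audit of an ASA running-config: it finds every crypto map entry that carries "set nat-t-disable", notes whether a global "crypto isakmp nat-traversal" line is present, and lists the CLI lines the thread suggests (the "no" form of the nat-t-disable statement, plus "crypto isakmp nat-traversal 20" on 7.x code where NAT-T is not on by default). The sample config is constructed for the example; the crypto map name Outside_map and sequence 6 are taken from Jon's post, the peer address and transform-set names are placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of an ASA running-config excerpt (not any real device).
# Map name "Outside_map" and entry 6 mirror the statement quoted in the thread;
# the peer, transform-set and policy values are placeholders.
SAMPLE_CONFIG = """\
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set peer 203.0.113.10
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map 6 set transform-set ESP-3DES-SHA
crypto map Outside_map 6 set nat-t-disable
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# "crypto map <name> <seq> set nat-t-disable" turns NAT-T off for one map entry.
NAT_T_DISABLE = re.compile(r"^crypto map (\S+) (\d+) set nat-t-disable$")
# "crypto isakmp nat-traversal [keepalive-seconds]" enables NAT-T globally.
NAT_TRAVERSAL = re.compile(r"^crypto isakmp nat-traversal(?: (\d+))?$")


def audit_nat_t(config: str) -> Dict[str, object]:
    """Collect the NAT-T related statements from a running-config text.

    Returns the crypto map entries that explicitly disable NAT-T, whether a
    global nat-traversal line exists, and its keepalive value if given.
    """
    disabled_entries: List[str] = []
    nat_traversal_present = False
    keepalive: Optional[int] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = NAT_T_DISABLE.match(line)
        if m:
            disabled_entries.append(f"{m.group(1)} {m.group(2)}")
            continue
        m = NAT_TRAVERSAL.match(line)
        if m:
            nat_traversal_present = True
            keepalive = int(m.group(1)) if m.group(1) else None
    return {
        "nat_t_disabled_entries": disabled_entries,
        "nat_traversal_present": nat_traversal_present,
        "keepalive": keepalive,
    }


def remediation(config: str, asa_major_version: int) -> List[str]:
    """Return the CLI lines the thread recommends for this config.

    Each nat-t-disable entry gets its "no" form.  On 7.x code NAT-T is not on
    by default, so the global nat-traversal line is added when it is missing;
    on 8.x and later it is enabled by default and nothing extra is needed.
    """
    result = audit_nat_t(config)
    lines = [
        f"no crypto map {entry} set nat-t-disable"
        for entry in result["nat_t_disabled_entries"]
    ]
    if asa_major_version < 8 and not result["nat_traversal_present"]:
        lines.append("crypto isakmp nat-traversal 20")
    return lines


if __name__ == "__main__":
    # Run the audit against the constructed sample for 7.x and 8.x code.
    print(audit_nat_t(SAMPLE_CONFIG))
    for major in (7, 8):
        print(f"ASA {major}.x:", remediation(SAMPLE_CONFIG, major))
```

The regexes match whole, stripped lines, so indented sub-commands of a crypto isakmp policy are never mistaken for the global statement. Paste the output of "show running-config crypto" into SAMPLE_CONFIG (or read it from a file) to check a real box before touching the site-to-site entries.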