09-16-2011 12:42 PM
OK, I have a question for everyone. I have an ASA 5510 that I want to do VPN testing on for users that remote into the system from home. What I am wanting to do is create a VPN connection on the internal interface so that I can test the connections and connectivity before I give it to them and find out it does not work when they get home. I have tried to set it up using the ASDM Wizard on the internal interface and got all the way through the setup OK. Once I try to connect, using the Cisco client, it will connect and authenticate fine, but will not remote to or ping anything on the network.
Here are the settings that I am using:
Remote Access
Internal interface
Cisco VPN Client Release 3.x or higher
Authenticate via AAA server
Address Pool name: test
Address Pool Range: 192.168.1.1 - 192.168.1.5
Address Pool Subnet Mask: 255.255.0.0
Leaving DNS and WINS server selections blank
Using the default Encryption
Internal access (NAT) with the exempt network of 192.168.0.0 /16 network, internal interface
Split Tunneling is not enabled
I can connect to the ASA fine, I just can't get to the server with an address of 192.168.100.1.
I tried manual entry of an ACL rule for ANY to ANY on the internal network and that made no difference at all.
Any suggestions??
-Jon
09-16-2011 12:53 PM
Hi,
It is very possible you do not have NAT-T enabled; this is a very common behavior when setting up RA VPNs for the first time.
Look in your config to confirm you have NAT-T enabled. If not, add the line below to your config:
securityappliance(config)#crypto isakmp nat-traversal 20
If you have that already configured and still have no access to inside resources, please post the configuration for review.
Regards
09-19-2011 05:17 AM
Jeorge,
This is the only statement that I can find that has NAT-T in it.
crypto map Outside_map 6 set nat-t-disable
Would this be part of the problem? The contractor that set this up originally has three site-to-site tunnels on it already; I just don't want to mess up those tunnels.
-Jon
09-19-2011 07:01 AM
Jon,
Is your crypto map #6 your RA VPN tunnel? If so, that could be one of your problems. If you're running code 8.x and above, NAT-T is enabled by default, so you just need to remove that line (no crypto map Outside_map 6 set nat-t-disable) and try accessing inside resources. If your ASA is running 7.x code, use the command above, in the link previously provided, in addition to removing the line you found in your crypto map. You should be fine removing it.
http://www.cisco.com/en/US/partner/docs/security/asa/asa83/command/reference/c5.html#wp2266389
Regards
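Putting the two replies together, the check-and-fix sequence on the ASA looks like the following. This is an added illustration, not a transcript from the thread or from Cisco documentation; the crypto map name Outside_map and sequence number 6 come from Jon's post, the hostname ciscoasa is a placeholder, and no command output is shown because none was posted.

```text
! Added example: locating and clearing the per-entry NAT-T override on an ASA.
! Only the crypto map entry named in the thread is touched; the site-to-site
! entries on the same map are left alone because the "no" form is scoped to
! sequence 6. Confirm first that sequence 6 is really the remote-access entry.

! 1. Show every crypto map line that mentions NAT-T, and the global ISAKMP settings
ciscoasa# show running-config crypto map | include nat-t
ciscoasa# show running-config crypto isakmp

! 2. On 8.x code NAT-T is on by default, so removing the override is enough
ciscoasa# configure terminal
ciscoasa(config)# no crypto map Outside_map 6 set nat-t-disable

! 3. On 7.x code, additionally enable NAT-T globally (20-second keepalive, as in the reply)
ciscoasa(config)# crypto isakmp nat-traversal 20
ciscoasa(config)# end

! 4. Reconnect the client and confirm the IKE SA is established before testing pings
ciscoasa# show crypto isakmp sa
ciscoasa# write memory
```

The order matters for a box that already carries production tunnels: run the two show commands first so you know exactly which entries reference NAT-T, make the change only on the remote-access entry, and save with write memory only after the client reconnects and reaches the inside host.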