12-14-2009 09:08 PM
Hello. I'm new to the Cisco ASA 5505, and I'm exhausted. I offered to help a friend with a small business set up VPN remote access to the business from home. I recommended that he buy the ASA, and months later I still don't have things set up.
Prior to installing in his network, I'm testing at home.
My setup is:
[shared drive] ---- [ASA] ---- [Verizon MI424WR] ---- [Internet]
1) I'm using the ASDM to configure the ASA.
2) The inside interface is doing DHCP.
3) The outside interface is getting its IP on a different network from the Verizon modem/router.
4) I also used the VPN wizard to create the VPN.
5) The IP pool is the same network as the inside interface of the ASA, but a different range.
6) I also created an ACL/ACE on the VPN to allow for split tunneling.
When I connect my laptop to the Verizon home router, I can establish a VPN connection, and I can access the shared drive.
When I try VPN access from my workplace, I am able to establish a VPN connection, but I CANNOT access the shared drive. I can't even Ping it.
I'm stuck, and I could really use some help. I don't know if I need to add another port forwarding rule to the Verizon home router, or if I need to configure something on the ASA. I've seen other posts regarding static routes, etc. I haven't configured any static routes, etc. To this point, I haven't had to do much on the ASA: verify that the outside interface was using DHCP, use the VPN wizard, and add the ACL for split tunneling.
Could someone point me to a good resource or help with my config? I can provide snapshots, outputs, etc.
12-15-2009 07:22 AM
Steven, please post your ASA configuration.
12-15-2009 12:31 PM
12-17-2009 08:29 AM
1. Your vpn client pool should always be completely different than your inside network. Change to something other than 192.168.1.0.
2. Add 'crypto isakmp nat-traversal'
12-17-2009 08:38 AM
Thanks, I look forward to trying this. I'll post with my results.
12-20-2009 07:15 AM
I'm currently on hold waiting for a USB serial adapter, so I can access the console.
I added a 10 net VPN client pool.
Question. When a VPN client connects and gets a 10 net IP (e.g. 10.10.1.2), how will he communicate with the 192.168.1.x devices behind the ASA?
12-22-2009 05:45 PM
The VPN client software will inject a route into the PC's routing table based on whatever you have in the split tunnel ACL.
Also, you'll want to modify that NAT exemption ACL, as it is probably ineffective in its current state. You'll need to no-NAT the traffic between the 192.168.1.x network and the client VPN network (10.10.1.x), so the statement would need to look something like:
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
You can also just add the above statement to what you currently have if you're afraid of messing anything up.
James
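Putting the two answers above (12-17 and 12-22) together, this is what the relevant pieces of the ASA configuration look like once the client pool is moved off the inside network, NAT exemption covers pool-to-inside traffic, and NAT traversal is enabled. This is an added illustration, not the poster's configuration or a Cisco example. The 192.168.1.0/24 inside network, the 10.10.1.0/24 client pool and the inside_nat0_outbound ACL name come from the thread; the pool range, the names VPN_POOL, SPLIT_TUNNEL, RA_GROUP and RA_TUNNEL, and the pre-8.3 `nat (inside) 0 access-list` syntax are assumptions.

```cisco
! Client pool on its own network, not carved out of 192.168.1.0/24
! (range and name are assumed for this example)
ip local pool VPN_POOL 10.10.1.1-10.10.1.50 mask 255.255.255.0

! NAT exemption: traffic between the inside LAN and the client pool
! must not be translated, otherwise replies never make it back into the tunnel
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Split tunnel list: a STANDARD ACL naming only the network(s) reachable
! through the tunnel; the client installs a route for each entry
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

! Group policy that hands the split-tunnel list to the client
! (group-policy and tunnel-group names are assumed)
group-policy RA_GROUP internal
group-policy RA_GROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Tunnel group tying the pool and the group policy together
tunnel-group RA_TUNNEL type remote-access
tunnel-group RA_TUNNEL general-attributes
 address-pool VPN_POOL
 default-group-policy RA_GROUP

! NAT-T: both the ASA (behind the Verizon router) and the client sit behind NAT,
! so ESP has to be carried in UDP/4500; 20 is the default keepalive interval
crypto isakmp nat-traversal 20
```

Two checks worth making after applying this: `show running-config access-list` should show the exemption ACL scoped to exactly the pool and the inside network (no wider, so nothing else is silently exempted from NAT), and `show vpn-sessiondb remote` should list a connected client with an address from the 10.10.1.0/24 pool. Note that the `nat (inside) 0 access-list` form only exists on ASA releases before 8.3; from 8.3 on, NAT exemption is written as a `nat (inside,outside) source static ... destination static ...` rule instead, with the same intent.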
12-29-2009 09:02 AM
Both the nat-traversal and access-list commands helped. The Cisco ASA and my laptop are behind the Verizon router. From my laptop, I can access the shared drive behind the ASA. Now, I plan to test the VPN access from a remote location.
Thanks for the much needed help.
01-08-2010 11:26 AM
Thanks for all of the great help! I plan to install at the non-paying customer site tomorrow.
Questions:
1) Should the ASA directly interface to the service provider? If so, how do I configure the outside interface for DNS? The service provider provided an IP, mask, gateway, and DNS servers.
2) Or, should I put the ASA behind the customer's router and forward UDP ports 500 and 4500?