463 Views, 0 Helpful, 5 Replies

Remote VPN connected but doesn't go anywhere.

hanwucisco
Level 1

inside network----ASA5505========internet===========Remote VPN client.

The ASA has one public IP on its outside interface and uses PAT to the internet. It only has two interfaces, inside and outside, using VLANs. I created an IPSec VPN through the CLI. My goal is for the remote client to browse the Internet through the tunnel.

Q1: Is it possible?

Q2: The remote side gets connected and has an IP from the pool, which is part of the inside network. But it cannot ping anything, including the gateway, which is the inside interface. I debugged it; it shows the ASA receives the ping packets, but it doesn't send anything back to the client. Any recommendation would be appreciated.

thanks,

Han

1 Accepted Solution

Accepted Solutions

Hi,

Can you please paste the output of ipconfig/all here??

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. do rate helpful posts.


5 Replies

andamani
Cisco Employee

Hi Han,

It is very much possible.

You will have to configure U-turning on the ASA and enable same-security-traffic permit intra-interface.

Also try configuring "management-access inside" on ASA and let us know if the ASA replies to the ping from the client.

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

What exactly is U-turning?

"management-access inside": what exactly does the command do?

thanks,

Hi,

U-turning will be the configuration of a nat (outside,outside) statement. This is done because the traffic will come on the ASA with the source IP as the pool IP and the destination IP as a routable Internet IP. For this packet to go on the Internet you will need to mask the actual pool IP to a routable IP.

With the nat (outside,outside) statement you are telling the firewall to mask the traffic destined for outside coming from outside, i.e. the VPN pool.

Therefore the U-turning will have:

nat (outside,outside) interface

The command "management-access inside" enables the interface to respond to the pings. By default the ASA interface will not respond to the ping as it is a security device.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
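The three pieces Anisha describes (intra-interface traffic, the U-turn NAT, and management-access), pulled together as an added example that is not from this thread. It assumes a remote-access tunnel group that already connects, as in Han's setup, an ASA running 8.3 or later (so the NAT uses the object form of "nat (outside,outside) interface"), and the pool, policy and group names shown are constructed placeholders.

```cisco
! Added example, not from the thread. Names and addresses are placeholders.

! 1. Allow a packet to enter and leave the same interface (outside -> outside).
!    Without this the ASA silently drops the hairpinned client traffic.
same-security-traffic permit intra-interface

! 2. Address pool handed to VPN clients (constructed subnet).
ip local pool VPN_POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

! 3. Send all client traffic through the tunnel, not only inside subnets,
!    so Internet browsing is forced through the ASA.
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelall

tunnel-group RA_GROUP general-attributes
 address-pool VPN_POOL
 default-group-policy RA_POLICY

! 4. U-turn NAT: pool addresses arriving on outside and leaving on outside
!    are translated to the outside interface address (8.3+ object NAT
!    form of "nat (outside,outside) interface").
object network VPN_POOL_NET
 subnet 10.10.10.0 255.255.255.0
 nat (outside,outside) dynamic interface

! 5. Let the inside interface answer pings from VPN clients.
management-access inside

! Verification: trace a client ping to an Internet host and confirm the
! NAT phase shows the (outside,outside) rule and the result is ALLOW.
packet-tracer input outside icmp 10.10.10.5 8 0 198.51.100.10
show nat
```

If the pool overlaps the inside subnet as in Han's case, the same NAT and intra-interface settings apply; only the pool and object subnet change.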

Anisha,

For some reason, I always think it is something to do with the gateway that the client gets. In my case, it gets the right gateway, but I didn't even configure it. So I feel something fishy here.

How can you configure the gateway that the client gets?

thanks,

Han
