SA520 and SSLVPN, Routing Problem....

Pasadena01
Level 1

Hi,

I'm trying to configure an SA520 so that I have access from the outside via SSL VPN. I set up the SA520 SSLVPN server and client as described in the manual.

But I only have access from the server to the client; I cannot access the server from the client. The WAN port of the router is connected via a DSL modem to the Internet (PPPoE). The LAN has the range 192.168.168.0/24.

Here are the details:
SSL VPN server:
-> Portal Layouts: SSLVPN standard default
-> SSL-VPN Policies: Global, all resources
-> Resources: IP-Network: 192.168.168.0/24, all ports
No port forwarding, want to have a full tunnel

SSL-VPN client:
-> Address range begin: 192.168.75.200
-> Address Range End: 192.168.75.205
-> LCP timeout: 60 sec
no split

User created as SSLVPN user.

When I now log in from outside on the website (DDNS) of my router, I can log in, but I can only see the client (192.168.75.201) from the server side (192.168.168.0/24). I cannot see the server (local LAN 192.168.168.0) from the client side (192.168.75.201).

What is wrong? Have I entered the addresses incorrectly, or is routing missing somewhere?


Thanks for help or tips.

Pasadena


Jay Young
Cisco Employee

Pasadena01,

I think what you are saying is that if you do a ping from the client, the echo request makes it to the server; however, the echo response from the server never makes it back to the client.

You may want to check the routing table on the server. Have you confirmed that it has either a default route pointed at the SA520 or a more specific route? You can check this by typing "netstat -rn" in a terminal window (DOS box/xterm window).

-Jay
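
The routing check suggested in the reply above, as an added example that is not part of the original thread: it parses Linux-style `netstat -rn` output from a LAN server and uses longest-prefix match to find where replies to the VPN client 192.168.75.201 would be sent. The SA520 LAN address 192.168.168.1, the second router 192.168.168.254 and both routing tables are constructed assumptions; the thread does not give them.

```python
import ipaddress

# Constructed sample: LAN server whose default route points at another router.
# 192.168.168.254 and 192.168.168.1 (SA520 LAN side) are assumed addresses.
SAMPLE_BAD = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.168.254 0.0.0.0         UG        0 0          0 eth0
192.168.168.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
"""
# Same table after adding a more specific route for the VPN pool via the SA520.
SAMPLE_FIXED = SAMPLE_BAD + (
    "192.168.75.0    192.168.168.1   255.255.255.0   UG        0 0          0 eth0\n"
)

def parse_routes(text):
    """Return [(network, gateway)] from Linux-style `netstat -rn` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # banner or blank line
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[2]}")
            gw = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # column header line
        routes.append((net, gw))
    return routes

def next_hop(routes, dest):
    """Longest-prefix match: the gateway as a string, 'on-link', or None."""
    dest = ipaddress.ip_address(dest)
    matches = [(net, gw) for net, gw in routes if dest in net]
    if not matches:
        return None  # no route at all: replies are dropped locally
    _, gw = max(matches, key=lambda r: r[0].prefixlen)
    return "on-link" if gw == ipaddress.ip_address("0.0.0.0") else str(gw)

def replies_reach_sa520(text, client="192.168.75.201", sa520="192.168.168.1"):
    """True if replies to the VPN client are routed to the SA520."""
    return next_hop(parse_routes(text), client) == sa520

if __name__ == "__main__":
    for name, table in (("before", SAMPLE_BAD), ("after", SAMPLE_FIXED)):
        hop = next_hop(parse_routes(table), "192.168.75.201")
        print(f"{name}: replies to 192.168.75.201 go via {hop}")
```

Windows prints a different column layout for `netstat -rn`, so the parser would need adjusting there.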