Trouble reaching external devices from an external computer

Daniel Davidson
Level 1

I have my vpn working, but only on our local network, which makes it kinda useless.  My setup is almost exactly like that shown in:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml

so I have been following it very closely.  But when I access from my Verizon aircard (IP 75.205.5.10) I can connect to the VPN, but I cannot access any devices, either on the public or private side.  My configuration is below, anyone know what I am doing wrong?

ASA Version 8.2(1)
!
hostname ciscoasa
enable password encrypted
passwd encrypted
names
!
interface Ethernet0/0
nameif igbpublic
security-level 0
ip address a.b.c.42 255.255.252.0
!
interface Ethernet0/1
nameif igbprivate
security-level 100
ip address 172.16.16.1 255.255.254.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
same-security-traffic permit intra-interface
access-list 101 extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu igbpublic 1500
mtu igbprivate 1500
ip local pool IGBVPNPOOL 172.16.17.20-172.16.17.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply igbpublic
icmp permit any echo igbpublic
icmp permit any time-exceeded igbpublic
icmp permit any unreachable igbpublic
icmp permit any echo-reply igbprivate
icmp permit any echo igbprivate
icmp permit any time-exceeded igbprivate
icmp permit any unreachable igbprivate
no asdm history enable
arp timeout 14400
global (igbpublic) 1 interface
nat (igbpublic) 1 172.16.17.0 255.255.255.0
nat (igbprivate) 0 access-list 101
nat (igbprivate) 1 0.0.0.0 0.0.0.0
route igbpublic 0.0.0.0 0.0.0.0 a.b.c.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server IGBRADIUS protocol radius
aaa-server IGBRADIUS (igbpublic) host a.b.c.107
key igbvpn  
authentication-port 1812
accounting-port 1813
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set GENVPNTRANS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map RMT-DYNA-MAP-1 10 set transform-set GENVPNTRANS
crypto map RMT-USER-MAP-1 10 ipsec-isakmp dynamic RMT-DYNA-MAP-1
crypto map RMT-USER-MAP-1 interface igbpublic
crypto isakmp enable igbpublic
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns a.b.c.16 a.b.c.17
dhcpd domain bob.edu
dhcpd option 3 ip 172.16.16.1
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
dhcpd address 172.16.16.2-172.16.16.254 igbprivate
dhcpd enable igbprivate
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy (IGBVPN) internal
group-policy (IGBVPN) attributes
dns-server value a.b.c.16 a.b.c.17
vpn-idle-timeout 600
split-tunnel-policy tunnelall
default-domain value bob.edu
tunnel-group (IGBVPN) type remote-access
tunnel-group (IGBVPN) general-attributes
address-pool IGBVPNPOOL
authentication-server-group IGBRADIUS
tunnel-group (IGBVPN) ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 30 retry 10
!
class-map inpection_default
class-map instpection_defalut
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global


3 Replies

Jennifer Halim
Cisco Employee (Accepted Solution)

Configuration is correct, except that the ip pool is in the same subnet as your internal interface (igbprivate).

Please change the ip pool to be in a totally different subnet than your internal interface, and also change the corresponding ACL 101 to the new ip pool subnet and the "nat (igbpublic) 1" to the corresponding new ip pool subnet.

Hope that helps.

Ahh, that did it, thanks.  I just changed my private network to 255.255.255.0 because the .254.0 was a typo.  Thanks.

Great to hear it's working now. Pls mark the question as answered. Thx.
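As an added illustration (not part of this thread and not Cisco's code), the Python below parses the relevant lines of the posted config and applies the two checks implied by the accepted answer and the poster's follow-up: that the `ip local pool` range does not fall inside any interface's connected subnet, and that the `nat (igbpublic) 1` statement and the nat-0 ACL destination still cover the pool once it is moved. With the mask as originally posted (255.255.254.0) the pool 172.16.17.20-254 sits inside igbprivate's 172.16.16.0/23, so the ASA's connected route claims the VPN clients' addresses and return traffic never reaches the tunnel; the assumed `FIXED_CONFIG` is the same excerpt with the /23 typo corrected to /24, as the poster did. The sample config is excerpted from the question with the sanitized public address a.b.c.42 replaced by the documentation address 203.0.113.42 so the line parses; all function names are my own.

```python
import ipaddress
import re

# Constructed sample: the interface, pool, ACL and NAT lines excerpted from the
# config posted in the question, with the igbprivate mask exactly as posted
# (255.255.254.0). a.b.c.42 is replaced by the documentation address 203.0.113.42.
POSTED_CONFIG = """\
interface Ethernet0/0
nameif igbpublic
security-level 0
ip address 203.0.113.42 255.255.252.0
!
interface Ethernet0/1
nameif igbprivate
security-level 100
ip address 172.16.16.1 255.255.254.0
!
access-list 101 extended permit ip 172.16.16.0 255.255.255.0 172.16.17.0 255.255.255.0
ip local pool IGBVPNPOOL 172.16.17.20-172.16.17.254 mask 255.255.255.0
nat (igbpublic) 1 172.16.17.0 255.255.255.0
nat (igbprivate) 0 access-list 101
"""

# The same excerpt after the poster's fix: the /23 typo on igbprivate becomes /24,
# so the pool subnet 172.16.17.0/24 no longer overlaps the inside interface.
FIXED_CONFIG = POSTED_CONFIG.replace(
    "ip address 172.16.16.1 255.255.254.0", "ip address 172.16.16.1 255.255.255.0"
)

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_interfaces(config):
    """Map each nameif to the IPv4Interface configured under that interface block."""
    interfaces = {}
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new block: forget the previous nameif
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, addr, mask = line.split()
            interfaces[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return interfaces


def parse_pools(config):
    """Map each 'ip local pool' name to its (first_address, last_address)."""
    pools = {}
    for raw in config.splitlines():
        m = POOL_RE.match(raw.strip())
        if m:
            name, first, last, _mask = m.groups()
            pools[name] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return pools


def overlapping_pools(config):
    """Return [(pool, nameif)] for every pool whose range lands inside an interface's
    connected subnet, the mistake diagnosed in the accepted answer."""
    interfaces = parse_interfaces(config)
    findings = []
    for pool, (first, last) in parse_pools(config).items():
        for nameif, iface in interfaces.items():
            if first in iface.network or last in iface.network:
                findings.append((pool, nameif))
    return findings


def stale_pool_references(config, pool_name):
    """Return the 'nat (...) <id> <subnet>' lines and nat-0 ACL lines whose subnet
    no longer covers the pool, i.e. the lines that must be edited when the pool moves."""
    first, last = parse_pools(config)[pool_name]
    stale = []
    for raw in config.splitlines():
        line = raw.strip()
        nat, acl = NAT_RE.match(line), ACL_RE.match(line)
        if nat:
            net = ipaddress.IPv4Network(f"{nat.group(3)}/{nat.group(4)}", strict=False)
        elif acl:
            # The ACL destination is the pool side of the nat-0 exemption.
            net = ipaddress.IPv4Network(f"{acl.group(4)}/{acl.group(5)}", strict=False)
        else:
            continue
        if first not in net or last not in net:
            stale.append(line)
    return stale


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "pool/interface overlaps:", overlapping_pools(cfg))
    # Move the pool to a new subnet without touching the ACL or NAT, as the answer warns against.
    moved = FIXED_CONFIG.replace("172.16.17.20-172.16.17.254", "172.16.20.20-172.16.20.254")
    print("lines still pointing at the old pool subnet:", stale_pool_references(moved, "IGBVPNPOOL"))
```

Running it reports the overlap for the posted config and none for the corrected one; the last check shows that simply renumbering the pool leaves both `access-list 101` and `nat (igbpublic) 1` pointing at the old subnet, which is exactly the second half of the accepted answer's instruction.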