03-12-2008 09:31 PM - edited 02-21-2020 03:37 PM
Hi,
I have a Cisco ASA5520 on which I have configured remote access VPN for the Cisco VPN client. The problem is that from the VPN client I am able to establish the tunnel, and the ASA also shows the tunnel is up, but I am unable to access the inside network.
I have given an access list also:
access-list nonat extended permit ip any 192.168.10.0 255.255.255.0
where 192.168.10.0/24 is my RA VPN client pool.
Please guide me to resolve this issue.
thanks,
som
03-13-2008 07:16 AM
Could you post more of the config? Make sure you have nat-traversal enabled.
03-19-2008 12:42 PM
I'm having a similar situation. I also successfully connect to a VPN appliance and unable to ping or access services within that network. Please also keep me posted.
03-19-2008 09:51 PM
Hi,
My problem is resolved now. Please check the below mentioned things:
1) The VPN client pool should be in a different subnet from your internal network.
2) If your VPN pool is 192.168.150.0/24,
provide an access list for outbound traffic:
access-list nonat extended permit ip any 192.168.150.0 255.255.255.0
3) Inbound traffic permit for the VPN client:
access-list outside_in extended permit ip any any
group policy settings:
group-policy reomoteVPN internal
group-policy reomoteVPN attributes
dns-server value x.x.x.x x.x.x.x
vpn-filter value outside_in
vpn-tunnel-protocol IPSec
address-pools value vpnpool
03-20-2008 07:24 AM
Hi, thanks.
Are these settings all for the host side?
I'm on the client side. I'm looking more for settings I can apply to my ASA5510 that will allow us to connect to a host.
Any thoughts?
03-22-2008 03:37 AM
Settings should be done on the ASA end.
03-22-2008 10:43 AM
"3)inbound traffic permit for vpn client:
access-list outside_in extended permit ip any any "
I certainly do NOT! recommend the above ACL. It has nothing to do with VPN connections, yet it simply permits any connection from outside including intrusions.
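The checklist in the earlier reply and the objection above can be checked mechanically. This is an added example, not from anyone in the thread: it parses the ASA fragments quoted here (the pool, the `nonat` ACL, the `vpn-filter` line) and flags a pool overlapping the inside network, a pool not exempted from NAT, and a vpn-filter ACL that permits `ip any any`. The inside subnet passed to `audit()` is an assumption, since no post states one.

```python
import ipaddress

# Constructed sample built from the fragments quoted in this thread; the inside
# subnet passed to audit() is assumed, since no post states one.
ASA_CONFIG = """
ip local pool vpnpool 192.168.150.1-192.168.150.254 mask 255.255.255.0
access-list nonat extended permit ip any 192.168.150.0 255.255.255.0
access-list outside_in extended permit ip any any
group-policy reomoteVPN attributes
 vpn-filter value outside_in
 address-pools value vpnpool
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def _addr(tokens):
    """Consume 'any' or 'NET MASK' from an ACE; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(text):
    """Collect address pools, permit ACEs and vpn-filter ACL names."""
    pools, aces, filters = {}, [], set()
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "local", "pool"]:          # ip local pool NAME A-B mask M
            start = tok[4].split("-")[0]
            pools[tok[3]] = ipaddress.ip_network(f"{start}/{tok[6]}", strict=False)
        elif tok[:1] == ["access-list"] and "permit" in tok:
            i = tok.index("permit")                     # ... permit PROTO SRC DST
            src, rest = _addr(tok[i + 2:])
            dst, _ = _addr(rest)
            aces.append((tok[1], tok[i + 1], src, dst))
        elif tok[:2] == ["vpn-filter", "value"]:
            filters.add(tok[2])
    return pools, aces, filters

def audit(text, inside_subnets, nonat_acl="nonat"):
    """Flag the three problems discussed in the thread: pool overlapping the
    inside network, pool not exempted from NAT, vpn-filter permitting ip any any."""
    inside = [ipaddress.ip_network(s) for s in inside_subnets]
    pools, aces, filters = parse_config(text)
    findings = []
    for name, pool in pools.items():
        if any(pool.overlaps(n) for n in inside):
            findings.append(f"pool {name} overlaps an inside subnet")
        if not any(a[0] == nonat_acl and a[3].supernet_of(pool) for a in aces):
            findings.append(f"pool {name} is not covered by {nonat_acl}")
    for acl, proto, src, dst in aces:
        if acl in filters and proto == "ip" and src == ANY and dst == ANY:
            findings.append(f"vpn-filter {acl} permits ip any any")
    return findings
```

Run `audit(ASA_CONFIG, ["10.12.10.0/24"])` to see that the only finding on the quoted config is the overly broad vpn-filter ACL; swap in a pool that overlaps the inside subnet or drop the `nonat` line to see the other two checks fire.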
04-21-2008 04:29 AM
Hi,
I've the same problem but I can access inside network at home (same ISP) but not at my office (different ISP).
Thanks
03-22-2008 12:11 PM
Thanks for the help. Finally got on the phone with Cisco and we got a solution:
According to Cisco, the ASA does not handle the ESP protocol and Port Address Translation well. So, I had to NAT an extra public IP to a static internal address, then create two access rules: 1. open port 500 to the NAT rule and 2. allow any ESP traffic also to the NAT rule.
Essentially, IPSEC communicates on the ESP protocol and port 500. Since ESP is a portless protocol, my old configuration would drop that traffic, never getting to the client. With the new configuration my VPN to the remote site works fine. BTW, the remote site had a PIX515, probably running an old IOS without NAT Traversal enabled.
-6x.1xx.2xx.1xx = free public ip
-nat(inside,outside) 6x.1xx.2xx.1xx 10.12.10.9
-access-list outside_access_in line 5 permit udp any host 6x.1xx.2xx.1xx eq 500
-access-list outside_access_in permit esp any host 6x.1xx.2xx.1xx
Hope this helps others.