477 Views | 0 Helpful | 3 Replies

VPN can access internet but not internal network

nguyenvinnie
Level 1

I have an ASA 5540.

Here is my VPN config:

access-list VPNRA extended permit ip 172.17.1.0 255.255.255.0 10.0.0.0 255.255.255.0
ip local pool AAA 10.0.0.10-10.0.0.254 mask 255.255.255.0
nat (inside) 0 access-list VPNRA
vpn-tunnel-protocol IPsec

When I connect to the VPN, I can access the internet, but I cannot access or ping anything in the internal network.

3 Replies

mvsheik123
Level 7

Did you use split-tunneling?

vpn-tunnel-protocol IPsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test
access-list test standard permit 172.17.1.0 255.255.255.0    --> internal LAN subnet

hth

MS

ip local pool AAA 10.17.70.10-10.17.70.254 mask 255.255.255.0
access-list VPNRA extended permit ip 172.0.0.0 255.0.0.0 172.0.0.0 255.0.0.0
access-list splittunnel standard permit 172.0.0.0 255.0.0.0
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnel

Still unable to connect to the internal network. I used packet tracer, and it fails at VPN NAT. On the internal Layer 3 switch, we added a static route: 10.17.70.0 255.255.255.0 10.0.0.2 (the ASA interface).

Do you have a NAT exemption rule that exempts the LAN subnet to VPN pool traffic from being selected for NAT?

Check the commands below:

access-list Private_nat0_outbound remark SSL VPN traffic exemption
access-list Private_nat0_outbound extended permit ip LOCAL-LAN 255.0.0.0 VPN-SSL 255.255.255.0
nat (Private) 0 access-list Private_nat0_outbound
nat (Public) 0 LOCAL-LAN 255.0.0.0

*LOCAL-LAN is "name 10.0.0.0 LOCAL-LAN"
*VPN-SSL is "name 10.32.2.x VPN-SSL", which is the VPN pool

Hope that helps.

(please rate the comment if you found it useful)
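The two things the replies ask about (a split-tunnel ACL that includes the internal LAN, and a nat 0 exemption that covers LAN-to-pool traffic) can be checked mechanically before reaching for packet-tracer. The script below is an added example written for this thread, not Cisco code and not from any poster: a small parser for the pre-8.3 style lines used in the posts (`name`, `ip local pool`, `access-list ... extended/standard permit`, `nat (iface) 0 access-list`, `split-tunnel-network-list`) plus two checks. It goes a little beyond the posts by also accepting `any` and `host` operands and `name` objects. Function names (`parse_asa`, `audit`, ...) are my own; the `nat (inside) 0` line in the second sample is assumed to be carried over from the first post, and the `10.32.2.0` address and `SSLPOOL` name in the third sample are constructed stand-ins for the `10.32.2.x` placeholder in the reply.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")


@dataclass
class AsaConfig:
    names: Dict[str, str] = field(default_factory=dict)   # "name <ip> <label>" objects
    pools: List[Net] = field(default_factory=list)        # "ip local pool" range as networks
    acls: Dict[str, List[Tuple[Net, Net]]] = field(default_factory=dict)  # ACL -> (src, dst)
    nat0: Dict[str, str] = field(default_factory=dict)    # interface -> nat 0 ACL name
    split_list: Optional[str] = None                      # split-tunnel-network-list ACL


def _net(cfg: AsaConfig, addr: str, mask: str) -> Net:
    # an object defined with "name" may stand in for an address anywhere
    return Net(f"{cfg.names.get(addr, addr)}/{mask}", strict=False)


def _operand(cfg: AsaConfig, t: List[str], i: int) -> Tuple[Net, int]:
    """Parse one ACL address operand (any | host X | NET MASK) starting at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return _net(cfg, t[i + 1], "255.255.255.255"), i + 2
    return _net(cfg, t[i], t[i + 1]), i + 2


def parse_asa(text: str) -> AsaConfig:
    """Minimal parser for the handful of ASA (pre-8.3 NAT syntax) lines used in the thread."""
    cfg = AsaConfig()
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "name":
            cfg.names[t[2]] = t[1]
        elif t[:3] == ["ip", "local", "pool"]:
            first, last = (ipaddress.IPv4Address(a) for a in t[4].split("-"))
            cfg.pools.extend(ipaddress.summarize_address_range(first, last))
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _operand(cfg, t, 5)
            dst, _ = _operand(cfg, t, i)
            cfg.acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "access-list" and t[2:4] == ["standard", "permit"]:
            src, _ = _operand(cfg, t, 4)
            cfg.acls.setdefault(t[1], []).append((src, ANY))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg.nat0[t[1].strip("()")] = t[4]
        elif t[:2] == ["split-tunnel-network-list", "value"]:
            cfg.split_list = t[2]   # "remark" lines and other commands are ignored
    return cfg


def nat_exempt_covers(cfg: AsaConfig, lan: Net) -> bool:
    """nat 0 is matched on the inside interface, so one entry must have the LAN as
    source and the entire VPN pool inside its destination."""
    for acl in cfg.nat0.values():
        for src, dst in cfg.acls.get(acl, []):
            if lan.subnet_of(src) and cfg.pools and all(p.subnet_of(dst) for p in cfg.pools):
                return True
    return False


def split_tunnel_covers(cfg: AsaConfig, lan: Net) -> bool:
    """Without a split-tunnel list everything is tunnelled (LAN included); with one,
    the LAN must be matched by an entry of that standard ACL."""
    if cfg.split_list is None:
        return True
    return any(lan.subnet_of(src) for src, _ in cfg.acls.get(cfg.split_list, []))


def audit(text: str, lan_cidr: str) -> Dict[str, bool]:
    cfg, lan = parse_asa(text), Net(lan_cidr)
    return {"nat_exempt": nat_exempt_covers(cfg, lan),
            "split_tunnel": split_tunnel_covers(cfg, lan)}


# First post (typos corrected): LAN 172.17.1.0/24, pool 10.0.0.10-254.
OP_FIRST = """
access-list VPNRA extended permit ip 172.17.1.0 255.255.255.0 10.0.0.0 255.255.255.0
ip local pool AAA 10.0.0.10-10.0.0.254 mask 255.255.255.0
nat (inside) 0 access-list VPNRA
"""

# Second attempt from the thread; the nat 0 line is assumed unchanged from the first post.
OP_SECOND = """
ip local pool AAA 10.17.70.10-10.17.70.254 mask 255.255.255.0
access-list VPNRA extended permit ip 172.0.0.0 255.0.0.0 172.0.0.0 255.0.0.0
access-list splittunnel standard permit 172.0.0.0 255.0.0.0
nat (inside) 0 access-list VPNRA
split-tunnel-network-list value splittunnel
"""

# Reply's exemption pattern; VPN-SSL address and pool are constructed (the post writes 10.32.2.x).
REPLY = """
name 10.0.0.0 LOCAL-LAN
name 10.32.2.0 VPN-SSL
ip local pool SSLPOOL 10.32.2.10-10.32.2.254 mask 255.255.255.0
access-list Private_nat0_outbound remark SSL VPN traffic exemption
access-list Private_nat0_outbound extended permit ip LOCAL-LAN 255.0.0.0 VPN-SSL 255.255.255.0
nat (Private) 0 access-list Private_nat0_outbound
"""

if __name__ == "__main__":
    for label, conf, lan in (("first post", OP_FIRST, "172.17.1.0/24"),
                             ("second post", OP_SECOND, "172.17.1.0/24"),
                             ("reply", REPLY, "10.0.0.0/8")):
        print(f"{label}: {audit(conf, lan)}")
```

Run against the thread's second configuration the `nat_exempt` check comes back False: the pool was moved to 10.17.70.0/24, but the VPNRA ACL that `nat (inside) 0` references still only matches 172.0.0.0/8 to 172.0.0.0/8, so nothing exempts LAN-to-pool traffic from NAT. The reply's pattern passes because LOCAL-LAN (10.0.0.0/8) is the source and the whole pool sits inside VPN-SSL. The parser only understands the pre-8.3 `nat (iface) 0 access-list` form shown in the posts; on 8.3+ the exemption is an identity `nat ... static ... no-proxy-arp route-lookup` rule and would need a different check.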