I have a 5510 with a working VPN, but discovered that anyone connecting from a public IP can connect to the VPN but can't go anywhere.
So if I have, say, a Linksys Wi-Fi on my cable modem and a private IP, I can connect no problem. But if I'm on, say, a Verizon data card, which gives me a public IP, I can connect to the VPN but receive the below errors in my ASA logs and cannot reach anything on the network.
6 22:44:44 166.*.*.35 500 68.*.*.41 500 Built inbound UDP connection 390865 for Outside:166.*.*.35/500 (166.*.*.35/500) to identity:68.*.*.41/500 (68.*.*.41/500)
6 Group = RA-yo, IP = 166.*.*.35, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
I've attached my current ASA config for reference. What do I need added to allow remote ends without a NAT device to also work?
You might want to enable IPsec over TCP and see if they are able to connect with TCP as the transport instead.
On the ASA: crypto isakmp ipsec-over-tcp port 10000
On the VPN Client: go to the Transport tab, and choose: IPSec over TCP, and TCP Port: 10000
Hope that helps.
I completed the steps as you described, which got me closer. I can now ping devices on the network and resolve DNS. However, RDP connections, for example, do not go through fully.
I also can't access email over 443; note the below errors.
Do I need to make any firewall changes or such?
6 Jan 30 2011 18:28:54 192.168.25.45 443 192.168.43.103 57604 Deny TCP (no connection) from 192.168.25.45/443 to 192.168.43.103/57604 flags ACK on interface Outside
6 Jan 30 2011 18:28:58 192.168.25.45 443 192.168.43.103 57604 Deny TCP (no connection) from 192.168.25.45/443 to 192.168.43.103/57604 flags RST ACK on interface Outside
Thanks for the help.
From the "Deny TCP (no connection)" message it looks like the initial three-way handshake did not occur on this interface. Is there another route to your RDP server or email server that the client might be taking for the connection to get established? (Take a look at your network connections for additional network interfaces, and also at the 'route PRINT' output of the connected client.)
When I do this connection I have my Ethernet unplugged and Wi-Fi disabled.
All I have is an AT&T wireless connection, which gives me an external non-NAT IP.
As I mentioned, I can ping and resolve DNS while on the VPN.
If I try to connect to, say, webmail, which properly resolves to the internal IP, these happen in the logs within a second of each other:
Built inbound TCP connection 873391 for Outside:192.168.43.103/49209 (192.168.43.103/49209) to Outside:192.168.25.45/443 (192.168.25.4/443) (vpnuser)
Teardown TCP connection 873344 for Outside:192.168.43.103/49202 to Outside:192.168.25.45/443 duration 0:00:38 bytes 6946 TCP Reset-O (vpnuser)
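As an added example (not part of the thread, and not Cisco's code), the following Python script parses the three kinds of ASA messages quoted above ("Deny TCP (no connection)", "Built inbound TCP connection", "Teardown TCP connection") and applies the responder's reasoning automatically: a "no connection" deny carrying ACK from the server's port is a reply for which this ASA never built the forward flow, which is what you would expect if the client's SYN reached the server by another path. The sample lines are the ones quoted in the thread with the syslog prefix (severity, timestamp, address columns) already stripped; that stripping, the helper names and the regular expressions are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Sample lines taken from the ASA messages quoted in this thread, with the
# syslog prefix removed. The first two are the "no connection" denies, the
# last two the build/teardown pair the poster saw a second apart.
SAMPLE_LOGS = [
    "Deny TCP (no connection) from 192.168.25.45/443 to 192.168.43.103/57604 flags ACK on interface Outside",
    "Deny TCP (no connection) from 192.168.25.45/443 to 192.168.43.103/57604 flags RST ACK on interface Outside",
    "Built inbound TCP connection 873391 for Outside:192.168.43.103/49209 (192.168.43.103/49209) to Outside:192.168.25.45/443 (192.168.25.4/443) (vpnuser)",
    "Teardown TCP connection 873344 for Outside:192.168.43.103/49202 to Outside:192.168.25.45/443 duration 0:00:38 bytes 6946 TCP Reset-O (vpnuser)",
]

# Patterns for the three message bodies seen in the thread (assumed formats,
# written against the quoted lines only).
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<siface>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) to "
    r"(?P<diface>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)(?: \((?P<user>[^)]+)\))?"
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for (?P<siface>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<diface>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) duration (?P<dur>\S+) "
    r"bytes (?P<bytes>\d+)(?: (?P<reason>.+?))?(?: \((?P<user>[^)]+)\))?$"
)


def parse(line: str) -> Optional[Dict[str, str]]:
    """Classify one ASA message body into a dict with an 'event' key, or None."""
    for event, rx in (("deny_noconn", DENY_RE), ("built", BUILT_RE), ("teardown", TEARDOWN_RE)):
        m = rx.search(line)
        if m:
            rec = m.groupdict()
            rec["event"] = event
            return rec
    return None


def find_unmatched_replies(lines: List[str]) -> List[Dict[str, str]]:
    """Return 'no connection' denies whose reverse (client->server) flow was never built.

    A Deny TCP (no connection) with ACK or RST ACK coming from a server port
    means the ASA saw the server's reply for a flow it has no entry for: the
    client's SYN did not cross this firewall (asymmetric path) or the entry
    had already been torn down.
    """
    built = set()
    for line in lines:
        rec = parse(line)
        if rec and rec["event"] == "built":
            built.add((rec["src"], rec["sport"], rec["dst"], rec["dport"]))
    unmatched = []
    for line in lines:
        rec = parse(line)
        if rec and rec["event"] == "deny_noconn" and "ACK" in rec["flags"].split():
            reverse = (rec["dst"], rec["dport"], rec["src"], rec["sport"])
            if reverse not in built:
                unmatched.append(rec)
    return unmatched


def teardown_reasons(lines: List[str]) -> Dict[str, int]:
    """Count teardown reasons. 'TCP Reset-O' is a reset received from the host
    on the outside (lower-security) interface, i.e. the far end closed it."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse(line)
        if rec and rec["event"] == "teardown" and rec.get("reason"):
            counts[rec["reason"]] = counts.get(rec["reason"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in find_unmatched_replies(SAMPLE_LOGS):
        print(f"reply without handshake: {rec['src']}/{rec['sport']} -> "
              f"{rec['dst']}/{rec['dport']} flags {rec['flags']} on {rec['iface']}")
    print("teardown reasons:", teardown_reasons(SAMPLE_LOGS))
```

Run against the thread's lines, both 443 denies are reported as replies with no matching built flow on the Outside interface, which is the symptom the responder asks about: the client-side SYN for that 57604 connection never produced a "Built" entry on this ASA, so the question of where that handshake did happen (another interface or route on the client) is the right next thing to check.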