VPN on ASA5550

Leo Bruni
Level 1

I have set up a Remote Access VPN using IPSEC on an ASA 5550. All group and user configurations are completed. A VPN session is established using Cisco Client software, but I am not able to access the internal network. Any suggestions?

Accepted Solution

check the following:

- ACLs on the interface

- NAT rules

- routes on the internal destination, make sure it knows how to get back to the ASA, either by default GW or specific route to the VPN pool subnet (assigned IP address)

- make sure you don't use a VPN-filter

- try to assign a specific IP address to a user and test

- capture tool on the ASA is very useful to see if you are getting a response from the destination

- look for anything suspicious in the log

TIP:

Address space overlaps can be cumbersome to troubleshoot, especially if you use a lot of object groups.

Also, to avoid ARP issues, try to use a subnet other than the inside assigned netblock. I've also seen duplicate IP addresses and all sorts of strange things.


3 Replies

rahgovin
Level 4

I would suggest looking through the NAT rules (NAT exempt between the pool and the internal network, to be specific), VPN filters if any, and also whether all the routes are right between the client pool and the internal network. Also, if you have configured split tunneling, check whether all your internal networks are included.
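The checks named in the accepted solution and in rahgovin's reply (NAT exemption between the pool and the LAN, a split-tunnel list that covers the internal networks, no vpn-filter, a return route from the LAN, and the capture tool) put together in one ASA configuration fragment with the verification commands that go with them. This is an added example, not the thread's or any poster's configuration: the interface names, the pool/object/group names, and the 10.1.1.0/24 inside LAN and 192.168.100.0/24 client pool are constructed assumptions.

```cisco
! Added example, not from the thread. Addresses and names are constructed:
! inside LAN 10.1.1.0/24 behind interface "inside", client pool
! 192.168.100.0/24 (deliberately NOT carved out of the inside LAN, so the
! ASA never has to proxy-ARP for pool addresses and nothing overlaps).
ip local pool RA-POOL 192.168.100.10-192.168.100.100 mask 255.255.255.0

! 1. NAT exemption: LAN <-> pool traffic must not be translated (pre-8.3 syntax).
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
!    On 8.3 and later the same exemption is an identity twice-NAT rule instead:
! object network INSIDE-LAN
!  subnet 10.1.1.0 255.255.255.0
! object network RA-POOL-NET
!  subnet 192.168.100.0 255.255.255.0
! nat (inside,outside) source static INSIDE-LAN INSIDE-LAN destination static RA-POOL-NET RA-POOL-NET no-proxy-arp

! 2. Split tunnel: every internal network the clients must reach goes in this
!    list; a network missing here is sent out the client's local interface
!    instead of into the tunnel. No vpn-filter is applied to the group.
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-filter none

! 3. The tunnel group hands out the pool and the group policy.
tunnel-group RA-GROUP type remote-access
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY

! 4. Decrypted VPN traffic bypasses the outside interface ACL.
sysopt connection permit-vpn

! 5. Return path: hosts on the LAN must send pool-destined replies to the ASA.
!    Either their default gateway is the ASA inside address, or the internal
!    router needs a route for the pool (example for an IOS router, ASA inside
!    address 10.1.1.254 assumed):
!    ip route 192.168.100.0 255.255.255.0 10.1.1.254

! --- Verification, run on the ASA with a client connected ---
! Per-SA counters: decaps rising while encaps stays at 0 means packets arrive
! from the client but nothing comes back from the LAN (NAT, route or ACL).
show crypto ipsec sa
! Simulate a LAN host's reply through ACL, NAT and route lookup, no client needed.
packet-tracer input inside tcp 10.1.1.20 445 192.168.100.10 50000
! Capture only pool <-> LAN traffic on the inside interface to see whether
! the server answers at all; remove the capture when done.
capture RA-DEBUG interface inside match ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
show capture RA-DEBUG
no capture RA-DEBUG
```

The `packet-tracer` line is the quickest way to find which of the checks in the list is failing: its output walks the reply packet through the access-list, NAT and route-lookup phases and names the phase that drops it, which is usually a missing NAT exemption or a translation that rewrites the pool address. `vpn-tunnel-protocol ipsec` is the pre-8.4 keyword for the IKEv1 client; 8.4 and later spell it `ikev1`.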


Thanks all. It is working fine now.