05-08-2011 08:22 AM
Hello,
I have the following problem.
I have a client connected by VPN client across the Internet to my office.
The client is correctly connected to a router, but:
1 - The client can ping the whole office network, but the RDP session does not work, nor does telnet or other applications. Why?
The client receives from the VPN pool an IP address on the network 192.168.2.x
I have permitted:
access-list 102 permit ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Are there other things to do?
2 - When the VPN connection is active, the client cannot access the Internet. Why?
Thank you.
05-09-2011 11:20 PM
Can you please post a copy of the router current configuration so we can check if there is any configuration error on the router.
05-10-2011 12:00 AM
Hello Jennifer,
Thank you for your assistance. Below is an extract of my configuration:
username alizesclientvpn password 0 xxxxx
!
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group alizesvpn
 key yyyyyyyyyy
 dns 41.x.x.x
 domain wr
 pool vpnpool
 acl 102
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0
 ip address dhcp
 ip nat outside
 speed auto
 crypto map clientmap
ip local pool vpnpool 192.168.2.10 192.168.2.20
ip nat pool POOL-NAT 41.x.x.x 41.x.x.x netmask 255.255.255.0 type rotary
ip nat inside source list 100 interface FastEthernet0 overload
ip nat inside destination list 100 pool POOL-NAT
ip nat inside destination list 102 pool sip
ip classless
ip route 0.0.0.0 0.0.0.0 41.205.79.1
!
!
!
!
access-list 102 permit ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
05-15-2011 07:10 AM
I tried the following.
1 - When the client is connected, the client receives an IP address 192.168.2.x but no gateway. Is that normal? The client is able to ping all IPs in the inside networks 192.168.40.x and 192.168.1.x.
2 - From inside, the network 192.168.40.x or 192.168.1.0 cannot ping the client network in 192.168.2.x.
Does anyone have an idea?
Thank you
05-15-2011 11:08 AM
Hi,
1 - This is normal. The VPN software directs all traffic to the tunnel interface, which has a 192.168.2.x IP address.
2 - Adding a nat-exempt rule may solve that issue. With this rule, the ASA device will not do any NAT translation for inside-to-VPN-client traffic.
Sample commands:
access-list inside_nat0_outbound extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
Ufuk Guler
05-15-2011 12:38 PM
Ufuk, thank you for your assistance.
I added the following commands on my router.
ip access-list extended inside_nat0_outbound
 permit ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
But now I have some problems adapting the nat inside command from the ASA to my config.
I added this line:
ip nat inside source list inside_nat0_outbound interface FastEthernet0 overload
But the problem is still the same: the network 192.168.40.0 or 192.168.1.0 cannot ping the client network 192.168.2.0.
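Added example, not part of any post in this thread and not the poster's own configuration: on an IOS router the equivalent of the ASA `nat (inside) 0` exemption is a deny entry, ahead of the permits, in the ACL that drives the overload rule, because a permit in an `ip nat inside source list` selects traffic for translation. The ACL name NAT-OVERLOAD is hypothetical, and since the thread never shows access-list 100, the sketch assumes the overload rule exists only to PAT the two inside networks out of FastEthernet0.

```cisco
! Before (from the thread): inside_nat0_outbound PERMITS inside -> 192.168.2.0/24,
! so this rule selects traffic toward the VPN pool for PAT instead of exempting it.
!   ip nat inside source list inside_nat0_outbound interface FastEthernet0 overload
!
! After: remove that rule and drive the overload from an ACL that denies
! inside -> VPN pool first (a deny here means "do not translate").
no ip nat inside source list inside_nat0_outbound interface FastEthernet0 overload
! Assumption: list 100 is used for PAT only; it stays defined for the other
! NAT statement that references it.
no ip nat inside source list 100 interface FastEthernet0 overload
!
! NAT-OVERLOAD is a hypothetical name introduced for this example.
ip access-list extended NAT-OVERLOAD
 deny   ip 192.168.40.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT-OVERLOAD interface FastEthernet0 overload
!
! Check from exec mode after a test ping from inside to a VPN client:
!   clear ip nat translation *
!   show ip access-lists NAT-OVERLOAD   (deny counters should increment)
!   show ip nat translations            (no entry toward 192.168.2.x)
```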
05-18-2011 02:12 PM
Hi,
Could you send the log lines for a ping request from inside to the VPN client?
Ufuk Guler.