08-13-2012 08:37 AM
Hi all,
I have two ASA 5515 configured in failover (active / standby).
I used the ASDM wizard to create connections through ipsec cisco client.
Currently users are able to connect but cannot ping anywhere inside the network.
The ping request is received from the internal client, but the internal client cannot communicate with the remote user.
The ping also fails directly from the ASA.
When the remote client is connected an entry is added to the routing table:
S 192.168.10.130 255.255.255.255 [1/0] via <ip of the ISP>, "WAN"
as if that IP were reachable directly from the Internet.
I tried changing the NAT settings, but there is no way I can make them communicate.
The ultimate goal would be to create different users with different access permissions to the LAN and the other subnets in the company.
Thanks in advance for your answer
08-13-2012 08:58 AM
How is the NAT configured? It sounds like it is confused about what IP it should be sending that to. Also, can you give us more config info?
08-17-2012 12:33 AM
This is my situation:
3 interfaces connected
- WAN (public IP)
- LAN (192.168.10.0/24)
- Remote LAN devices connect via wireless (192.160.20.0, 192.168.30.0, etc.)
Here is an extract from the command sh run:
interface GigabitEthernet0/0
 nameif Internal
 security-level 100
 ip address 192.168.10.251 255.255.255.0 standby 192.168.10.252
!
interface GigabitEthernet0/1
 nameif WAN
 security-level 0
 ip address
!
interface GigabitEthernet0/2
 nameif Radio
 security-level 50
 ip address 193.168.1.148 255.255.255.0
!
object network NETWORK_OBJ_10.10.10.128_28
 subnet 10.10.10.128 255.255.255.240
access-list VPN-MY_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
ip local pool Pool-VPN-MY 10.10.10.130-10.10.10.140 mask 255.255.255.0
nat (Internal,WAN-Infostrada) source static any any destination static NETWORK_OBJ_10.10.10.128_28 NETWORK_OBJ_10.10.10.128_28 no-proxy-arp
group-policy VPN-MY internal
group-policy VPN-MY attributes
 dns-server value 192.168.10.250
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-MY_splitTunnelAcl
username
username
 vpn-group-policy VPN-MY
tunnel-group VPN-MY type remote-access
tunnel-group VPN-MY general-attributes
 address-pool Pool-VPN-MY
 default-group-policy VPN-MY
tunnel-group VPN-MY ipsec-attributes
 ikev1 pre-shared-key *****
The ultimate goal would be that a user connected to VPN-MY can communicate with the LAN and the Remote LAN.
Then create other tunnels in which users can access only some of the remote LANs (maybe this is possible via ACL).
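Added example, not part of the original posts: an ASA 8.3+ twice-NAT exemption for the VPN pool on both inside-facing interfaces, plus a second group-policy that restricts some users to one remote LAN with a vpn-filter. It assumes the interface names exactly as they appear in the posted nameif lines (Internal, WAN, Radio; note that the posted nat line references WAN-Infostrada, which is not one of those names), that the remote LAN subnets behind the Radio interface are 192.168.20.0/24 and 192.168.30.0/24, and that LAN_INTERNAL, RADIO_NETS, VPN-RADIO, VPN-RADIO-ONLY, VPN-RADIO-ONLY_split, the username bob and the test host 192.168.10.50 are placeholder names chosen for the example.

```cisco
! Added example, not the poster's running config. Assumes nameif Internal/WAN/Radio
! as posted, remote LANs 192.168.20.0/24 and 192.168.30.0/24 behind Radio, and the
! placeholder object/ACL/group/user names below.
!
! --- 1. Identity (exemption) NAT for VPN-pool traffic on BOTH inside interfaces ---
object network NETWORK_OBJ_10.10.10.128_28
 subnet 10.10.10.128 255.255.255.240
object network LAN_INTERNAL
 subnet 192.168.10.0 255.255.255.0
object-group network RADIO_NETS
 network-object 192.168.20.0 255.255.255.0
 network-object 192.168.30.0 255.255.255.0
! The interface pair must use the nameif values. route-lookup makes the ASA choose the
! egress interface from the routing table (the per-client host route it installs toward
! WAN when a client connects) instead of from the NAT rule.
nat (Internal,WAN) source static LAN_INTERNAL LAN_INTERNAL destination static NETWORK_OBJ_10.10.10.128_28 NETWORK_OBJ_10.10.10.128_28 no-proxy-arp route-lookup
nat (Radio,WAN) source static RADIO_NETS RADIO_NETS destination static NETWORK_OBJ_10.10.10.128_28 NETWORK_OBJ_10.10.10.128_28 no-proxy-arp route-lookup
!
! --- 2. Unrestricted group (LAN + all remote LANs), as the existing VPN-MY policy ---
access-list VPN-MY_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
group-policy VPN-MY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-MY_splitTunnelAcl
!
! --- 3. Restricted group: may only reach 192.168.20.0/24 ---
! A vpn-filter ACL is written from the network side: source = host behind the ASA,
! destination = VPN client address; the ASA applies it to both directions of the flow.
! Decrypted VPN traffic bypasses interface ACLs by default (sysopt connection
! permit-vpn), so the vpn-filter is what actually enforces the restriction.
access-list VPN-RADIO-ONLY extended permit ip 192.168.20.0 255.255.255.0 10.10.10.128 255.255.255.240
access-list VPN-RADIO-ONLY_split standard permit 192.168.20.0 255.255.255.0
group-policy VPN-RADIO internal
group-policy VPN-RADIO attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-RADIO-ONLY_split
 vpn-filter value VPN-RADIO-ONLY
! Same tunnel-group (same group name and pre-shared key in the client); the user
! record overrides the tunnel-group default policy.
username bob attributes
 vpn-group-policy VPN-RADIO
!
! --- 4. Checks (exec mode) ---
! show nat                        -> hit counts should increase on the two exemption rules
! show route | include 10.10.10.  -> a /32 host route per connected client via WAN is expected
! packet-tracer input Internal icmp 192.168.10.50 8 0 10.10.10.130 detailed
!   -> every phase should report ALLOW; a DROP in the NAT phase means the exemption
!      is missing or is bound to the wrong interface pair.
```

The two exemption rules are deliberately narrow (only the LAN and radio subnets, not `any`), so ordinary Internet-bound traffic from those interfaces is still handled by whatever dynamic PAT rule exists for the WAN interface.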