Cisco ASA 5505 VPN problem

By sinteur ·
I've got a new 5505, and I've run through two wizards: one to start up, one to add client VPN.

As a result, I can now connect from a client, the client gets the right info (IP address, DNS, gateway), but it cannot connect to any of the servers on the 'inside' network.

The config is here: http://www.dubbele.com/asaconfig.txt.

I've tried a lot of different things, but I cannot seem to get what's going wrong. Any clues would be very welcome!


All Answers

VPN Problem

by japonzio In reply to Cisco ASA 5505 VPN probl ...

I am having a similar issue with my 5505 as well. I am looking into possible solutions with a couple of people and we cannot seem to find out why. I can access the 5505 through a VPN tunnel but cannot get through to the inside network.

No progress here

by sinteur In reply to VPN Problem

I'm trying to escalate to Cisco right now. I suggest you do the same.

Which VPN Wizard

by NetMan1958 In reply to Cisco ASA 5505 VPN probl ...

did you run? The "Remote Access" or the "Site-to-Site" ?
Are you trying to connect using the Cisco VPN client running on a PC or from another VPN device such as a router or PIX or another ASA?

Remote access, Cisco client on a PC

by sinteur In reply to Which VPN Wizard

And once that works, I've got an RSA Authentication Manager and a bunch of SecurID tokens to take over authentication. There will also be a site-to-site VPN, but first I have to fix the remote access VPN.

Suggestion

by NetMan1958 In reply to Remote access, Cisco clie ...

I see several things in your config that are not correct. I suggest resetting the config to defaults and starting over.
Use this guide to configure it:
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/remvpn.html

When you get to this section "Configuring an IPsec Remote-Access VPN" be sure to select the checkbox next to "Enable inbound ipsec sessions to bypass interface access lists"

When you get to this step "Configuring Address Pools" use a completely different subnet than your LAN...that is if your LAN is 192.168.6.0/24 use 10.0.1.0/24

After you complete that, try it out and post the new config if you need additional help.

Already tried that

by sinteur In reply to Suggestion

Already tried that - I'm waiting for confirmation on a SMARTnet subscription, and then I'll escalate to Cisco.

Well, no you didn't

by NetMan1958 In reply to Already tried that

already try my suggestions. I didn't see
"sysopt connection permit-ipsec"
in the config you posted the link to.

That config also listed the following address pools:
ip local pool vpnhaarlem 192.168.6.150-192.168.6.175 mask 255.255.255.0
ip local pool rotterdam 192.168.5.150-192.168.5.175 mask 255.255.255.0

That config also included the following NAT statement:
access-list inside_nat0_outbound_2 extended permit ip 192.168.6.0 255.255.255.0 192.168.6.128 255.255.255.192
(Those are overlapping subnets)

If you had tried what I posted, those would be corrected.
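
The overlap described in the post above can be checked mechanically. This is an added example, not part of the original thread: the function name `find_overlaps` and the inside subnet argument (taken from the ACL's source network) are assumptions, and the sample input is the three config lines quoted in the post.

```python
import ipaddress
import re

# The three lines quoted in the post above, used as sample input.
SAMPLE_CONFIG = """\
ip local pool vpnhaarlem 192.168.6.150-192.168.6.175 mask 255.255.255.0
ip local pool rotterdam 192.168.5.150-192.168.5.175 mask 255.255.255.0
access-list inside_nat0_outbound_2 extended permit ip 192.168.6.0 255.255.255.0 192.168.6.128 255.255.255.192
"""

Q = r"(\d+\.\d+\.\d+\.\d+)"  # dotted quad
POOL_RE = re.compile(rf"^ip local pool (\S+) {Q}-{Q}", re.M)
# Only the "network mask network mask" ACL form is handled; lines using
# host, any or object-group are skipped.
ACL_RE = re.compile(rf"^access-list (\S+) extended permit ip {Q} {Q} {Q} {Q}", re.M)


def find_overlaps(config, inside_cidr):
    """Return (kind, name) for each pool that overlaps the inside LAN and
    each ACL whose source and destination networks overlap each other."""
    inside = ipaddress.ip_network(inside_cidr)
    findings = []
    for name, first, last in POOL_RE.findall(config):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # A pool is an address range: it collides with the LAN if the two
        # intervals intersect, even when neither endpoint is inside the LAN.
        if lo <= inside.broadcast_address and hi >= inside.network_address:
            findings.append(("pool", name))
    for name, saddr, smask, daddr, dmask in ACL_RE.findall(config):
        src = ipaddress.ip_network(f"{saddr}/{smask}", strict=False)
        dst = ipaddress.ip_network(f"{daddr}/{dmask}", strict=False)
        # Source and destination of a NAT-exemption rule should be disjoint:
        # the LAN on one side, the VPN pool subnet on the other.
        if src.overlaps(dst):
            findings.append(("acl", name))
    return findings


if __name__ == "__main__":
    for kind, name in find_overlaps(SAMPLE_CONFIG, "192.168.6.0/24"):
        print(f"overlap: {kind} {name}")
```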

There's more that I tried...

by sinteur In reply to Well, no you didn't

The nat pool inside has been 10.0.0 for a week now, I have tried what you said (both the nat and the sysopt), with email assistance from a network admin the results of which don't show on this site. And I thank you very much for the suggestion, I apologize if I gave you the impression I was ignoring your suggestions.

The results so far are still the same. I get a valid address on connection, but no access to any network resource whatsoever.

I would be interested

by NetMan1958 In reply to There's more that I tried ...

in seeing your current config if you would like to post it.

current config

by sinteur In reply to Suggestion

http://www.dubbele.com/asaconfig4.txt

(and note the "sysopt connection permit-ipsec" still doesn't show up, despite giving that command on the command-line)
