remote vpn can't access inside network !!!

Posted on 2011-09-22
Last Modified: 2012-05-12
Dear all,
I have 2 questions.

1 -- I'm connected as a Remote VPN client and took this IP, 192.168.15.66, but I want to access a PC inside (10.10.4.2). I can't reach it; no ping or any other protocol works! Why?!

2 -- How do I let a computer that connects as a Remote VPN client also have internet (be able to browse as well)?



Note:
From the ASA I can ping this PC, 10.10.4.2.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 144.144.144.20 255.255.255.248

!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.10.4.1 255.255.255.0
!

ftp mode passive
same-security-traffic permit intra-interface
access-list REMOTE_SALES_NONAT extended permit ip 10.10.4.0 255.255.255.0 192.168.15.64 255.255.255.192
access-list out extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool REMOTE_SALES_POOL 192.168.15.66-192.168.15.127 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any echo outside
icmp permit any echo-reply outside
no asdm history enable
arp timeout 14400
nat-control
nat (inside) 0 access-list REMOTE_SALES_NONAT
access-group out in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set REMOTE_SALES_SET esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map REMOTE_SALES_MAP 65535 set transform-set REMOTE_SALES_SET
crypto dynamic-map REMOTE_SALES_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map REMOTE_SALES_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map mymap 1 set security-association lifetime seconds 28800
crypto map mymap 1 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP 10 ipsec-isakmp dynamic REMOTE_SALES_MAP
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5

ssh timeout 5
console timeout 0
dhcpd dns 198.6.1.3 4.2.2.2
!
dhcpd address 10.10.4.2-10.10.4.240 inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy REMOTE_SALES_POLICY internal
group-policy REMOTE_SALES_POLICY attributes
 banner value UNAUTHORIZED ACCESS IS STRICTLY PROHOBITTED
 dns-server value 4.2.2.2 198.6.1.3
 vpn-tunnel-protocol IPSec
username user1 password mbO2jYs13AXlIAGa encrypted
username user1 attributes
 vpn-group-policy REMOTE_SALES_POLICY
 vpn-tunnel-protocol IPSec
tunnel-group REMOTE_SALES_GROUP type remote-access
tunnel-group REMOTE_SALES_GROUP general-attributes
 address-pool REMOTE_SALES_POOL
 default-group-policy REMOTE_SALES_POLICY
tunnel-group REMOTE_SALES_GROUP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:13202282e1b9fb480e4afdf80c53a37a
: end
[OK]
ciscoasa# ping 10.10.4.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.4.2, timeout is 2 seconds:
!!!!!
0
Comment
Question by:memo12345678
7 Comments
 
LVL 10

Expert Comment

by:SuperTaco
ID: 36584352
To answer question #2, you will need to enable split tunneling on the firewall,

here's a link to help

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtm


I'm not clear on question #1.  Can you or can't you ping the inside machine?
0
 

Author Comment

by:memo12345678
ID: 36585384
I'm a PC outside the network. When I connect to the VPN I take this IP, 192.168.15.66. I want to ping or telnet to a server inside the network which has IP 10.10.4.2, but I can't access this server!!!
0
 

Author Comment

by:memo12345678
ID: 36585388
And this link you sent me doesn't work; it shows this error on the page. Please check the link that you sent me.


The Page You Have Requested Is Not Available

 
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtm
0
 
LVL 10

Expert Comment

by:SuperTaco
ID: 36586212
I will resend the link shortly.  Do you have a rule that allows access from the 192.168.x.x vlan to the 10.10.4.x vlan?  I don't see one in your configuration.
0
 

Author Comment

by:memo12345678
ID: 36588179
So please, what did I forget to write? Write to me and write this rule that allows 192.168.x.x to access 10.10.4.x.
0
 
LVL 10

Accepted Solution

by: SuperTaco earned 500 total points
ID: 36590468
access list x permit vlan y vlan any any.  Do you have those subnets defined as VLANs?  It's just a basic ACL.  I don't really see 192.168.2.x defined in your network.  Have you tried defining that as a network object, or setting the VPN DHCP to pull from the same pool?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

That should be a good link to show you how to enable split tunneling using ASDM.
0
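Worked ASA CLI for the two points in the accepted answer (split tunneling for question 2, and checking the pool-to-inside path for question 1), added here as an example; it is not the asker's or Cisco's own configuration. It uses the pre-8.3 syntax that matches the posted config; the names SPLIT_TUNNEL and CAP and the peer address placeholder are assumptions.

```cisco
! Question 2: split tunneling. Only 10.10.4.0/24 is sent through the tunnel;
! everything else leaves via the client's own internet connection. The posted
! REMOTE_SALES_POLICY has no split-tunnel-policy, so clients default to a full
! tunnel, and nothing on the ASA translates the VPN pool back out of "outside".
access-list SPLIT_TUNNEL standard permit 10.10.4.0 255.255.255.0
group-policy REMOTE_SALES_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Question 1: the posted config already has what the ASA itself needs:
!  - "access-list out ... permit ip any any" applied inbound on outside, and
!    decrypted VPN traffic also bypasses interface ACLs because
!    "sysopt connection permit-vpn" is the default (it is not shown in the config)
!  - NAT exemption for pool <-> inside:
!      access-list REMOTE_SALES_NONAT extended permit ip 10.10.4.0 255.255.255.0 192.168.15.64 255.255.255.192
!      nat (inside) 0 access-list REMOTE_SALES_NONAT
! So verify the path from exec mode instead of adding rules blindly.
!
! 1) Simulate an echo request from the client address to the inside PC; the
!    trace should end with "Action: allow" and egress on "inside".
packet-tracer input outside icmp 192.168.15.66 8 0 10.10.4.2
!
! 2) With the client connected and pinging, confirm the IPsec SA is up and that
!    both #pkts encaps and #pkts decaps increase (decaps only = replies never
!    come back).
show crypto ipsec sa peer <client-public-ip>
!
! 3) Capture on the inside interface. Echo requests present with no echo-reply
!    means the ASA forwarded the packet and the PC (its default gateway not
!    being 10.10.4.1, or its host firewall dropping non-local subnets) is the
!    problem; the ASA pinging 10.10.4.2 does not rule this out, because the ASA
!    is on-link and needs no gateway.
capture CAP interface inside match icmp host 192.168.15.66 host 10.10.4.2
show capture CAP
no capture CAP
```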
 

Author Closing Comment

by:memo12345678
ID: 36942267
s
0