Solved

Cisco ASA 5505 - Remote VPN connection problem getting to internal machine

Posted on 2014-12-02
Last Modified: 2014-12-09
I believe I am missing one line but cannot think of what it is.  Here is an excerpt of the setup:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0

access-list 101 extended permit udp any any eq isakmp
access-list 101 extended permit udp any any eq 4500
access-list 101 extended permit esp any any
access-list 101 extended permit tcp any any eq ftp
access-list nonat_clientvpn extended permit ip 10.1.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list splittunnel standard permit 10.1.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 192.168.20.0 255.255.255.0

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
(this may not be necessary)  route inside 10.1.10.0 255.255.255.0 192.168.10.1 1

Layout:

Modem -> Cisco ASA 5505 (Vlan1 192.168.10.1) -> (Wan 192.168.10.2) Netgear N600 router (Lan 10.1.10.0) -> workstations (server=10.1.10.34)

I can make a VPN connection with the Cisco ASA 5505.  I am unable to ping or use the built-in Microsoft remote control (terminal services) to get on any machine.  The "packet-tracer" indicates the traffic is being dropped due to the implicit deny.

What am I missing?  Thanks.
Question by:Adam D
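The three things a remote-access client needs on the ASA side to reach a host behind the inside interface (the split-tunnel ACL covers the destination, the NAT exemption covers pool and destination, and a usable route exists) can be checked mechanically. The script below is an added example, not part of the original thread; it parses the ASA 8.2-style excerpt quoted in the question (embedded here as constructed input) and reports which of those conditions is not met for the 192.168.20.0/24 pool reaching 10.1.10.34. The check that a static route's next hop must not be the ASA's own interface address is a general routing rule, not a diagnosis the thread itself reaches.

```python
import ipaddress

# Constructed input: the relevant lines of the ASA excerpt posted in the question.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
access-list splittunnel standard permit 10.1.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
route inside 10.1.10.0 255.255.255.0 192.168.10.1 1
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(text):
    """Collect interface (address, subnet) pairs, ACL entries and static routes."""
    ifaces, acls, routes = [], {}, []
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"]:
            ifaces.append((ipaddress.ip_address(t[2]), net(t[2], t[3])))
        elif t[:1] == ["access-list"] and t[2] == "standard":   # standard permit NET MASK
            acls.setdefault(t[1], []).append((net(t[4], t[5]), None))
        elif t[:1] == ["access-list"] and t[2] == "extended":   # extended permit ip SRC MASK DST MASK
            acls.setdefault(t[1], []).append((net(t[5], t[6]), net(t[7], t[8])))
        elif t[:1] == ["route"]:                                # route IFACE NET MASK NEXTHOP [metric]
            routes.append((net(t[2], t[3]), ipaddress.ip_address(t[4])))
    return ifaces, acls, routes

def check_vpn_path(text, pool, server, split_acl="splittunnel", nonat_acl="nonat"):
    """Return findings for VPN-pool -> server reachability; an empty list means all checks pass."""
    pool, server = ipaddress.ip_network(pool), ipaddress.ip_address(server)
    ifaces, acls, routes = parse(text)
    findings = []
    if not any(server in n for n, _ in acls.get(split_acl, [])):
        findings.append(f"{split_acl} does not include {server}; clients will not send it into the tunnel")
    if not any(server in s and pool.subnet_of(d) for s, d in acls.get(nonat_acl, []) if d):
        findings.append(f"{nonat_acl} does not exempt {server} <-> {pool} from NAT")
    hops = [h for n, h in routes if server in n]
    if not hops and not any(server in n for _, n in ifaces):
        findings.append(f"no static or connected route for {server}; the default route will be used")
    elif any(h == a for h in hops for a, _ in ifaces):
        findings.append(f"route for {server} uses the ASA's own interface IP {hops[0]} as next hop")
    return findings
```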
4 Comments
 
LVL 17

Expert Comment

by:lruiz52
ID: 40479167
According to the rule below, the 10.1.10.0 network has access to the 192.168.20.0 network.

access-list nonat extended permit ip 10.1.10.0 255.255.255.0 192.168.20.0 255.255.255.0

Is it supposed to be 192.168.20.0 or 192.168.10.0 that you are trying to access?
LVL 1

Author Comment

by:Adam D
ID: 40479182
Hello, thank you for your reply.

192.168.20.0 is the client (remote) vpn pool
192.168.10.0 is the local network (VLan1 inside interface is: 192.168.10.1)
10.1.10.0 is on the other side of the 3rd party router with its (Netgear) WAN interface having an IP address of 192.168.10.2

ASA
  WAN - outside (also the remote VPN clients are coming in through here with the IP address of 192.168.20.x)
  Lan - 192.168.10.1 (Vlan 1 inside)

Netgear
  Wan - 192.168.10.2  (directly connected to ASA on the ASA's inside interface)
  Lan - 10.1.10.0  (all workstations are on this side)

Does that help?

Thanks.
LVL 1

Accepted Solution

by: Adam D (earned 0 total points)
ID: 40482440
While I would still like an answer to this question, I decided to just use the wireless router (Netgear) as a wireless switch to solve this problem for now.  Thanks.
LVL 1

Author Closing Comment

by:Adam D
ID: 40488424
No answer provided, found a workaround.
