Solved

Cisco ASA 5505 - Remote VPN connection problem getting to internal machine

Posted on 2014-12-02
Last Modified: 2014-12-09
I believe I am missing one line but cannot think of what it is.  Here is an excerpt of the setup:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0

access-list 101 extended permit udp any any eq isakmp
access-list 101 extended permit udp any any eq 4500
access-list 101 extended permit esp any any
access-list 101 extended permit tcp any any eq ftp
access-list nonat_clientvpn extended permit ip 10.1.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list splittunnel standard permit 10.1.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 192.168.20.0 255.255.255.0

nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
(this may not be necessary)  route inside 10.1.10.0 255.255.255.0 192.168.10.1 1

Layout:

Modem -> Cisco ASA 5505 (Vlan1 192.168.10.1) -> (Wan 192.168.10.2) Netgear N600 router (Lan 10.1.10.0) -> workstations (server=10.1.10.34)

I can make a VPN connection with the Cisco ASA 5505.  I am unable to ping or use the built-in Microsoft remote control (terminal services) to get on any machine.  The "packet-tracer" indicates the traffic is being dropped due to the implicit deny.

What am I missing?  Thanks.
Question by:adrobnis

Expert Comment

by:lruiz52
ID: 40479167
According to the rule below, the 10.1.10.0 network has access to the 192.168.20.0 network.

access-list nonat extended permit ip 10.1.10.0 255.255.255.0 192.168.20.0 255.255.255.0

Is it supposed to be 192.168.20.0 or 192.168.10.0 that you are trying to access?

Author Comment

by:adrobnis
ID: 40479182
Hello, thank you for your reply.

192.168.20.0 is the client (remote) vpn pool
192.168.10.0 is the local network (VLan1 inside interface is: 192.168.10.1)
10.1.10.0 is on the other side of the 3rd party router with its (Netgear) WAN interface having an IP address of 192.168.10.2

ASA
  WAN - outside (also the remote VPN clients are coming in through here with the IP address of 192.168.20.x)
  Lan - 192.168.10.1 (Vlan 1 inside)

Netgear
  Wan - 192.168.10.2  (directly connected to ASA on the ASA's inside interface)
  Lan - 10.1.10.0  (all workstations are on this side)

Does that help?

Thanks.

Accepted Solution

by:adrobnis
ID: 40482440
While I would still like an answer to this question, I decided to just use the wireless router (Netgear) as a wireless switch to solve this problem for now.  Thanks.

Author Closing Comment

by:adrobnis
ID: 40488424
No answer provided, found workaround.
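
A mechanical check of the static route in the posted excerpt against the interface addresses, as an added example that is not part of the thread. The function names are hypothetical, and the embedded copy of the excerpt drops the parenthetical note in front of the route line.

```python
import ipaddress

# Interface, no-NAT ACL and route lines copied from the question's excerpt.
CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 192.168.20.0 255.255.255.0
route inside 10.1.10.0 255.255.255.0 192.168.10.1 1
"""

def parse(config):
    """Return ({nameif: ip_interface}, [(nameif, network, next_hop)])."""
    interfaces, routes, nameif = {}, [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            nameif = None                      # new interface block starts
        elif tok[0] == "nameif":
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif:
            interfaces[nameif] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif tok[0] == "route":
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}")
            routes.append((tok[1], net, ipaddress.ip_address(tok[4])))
    return interfaces, routes

def lint_routes(config):
    """Flag static routes whose gateway cannot be a neighbour on that interface."""
    interfaces, routes = parse(config)
    findings = []
    for nameif, net, hop in routes:
        iface = interfaces.get(nameif)
        if iface is None:
            findings.append(f"route {net}: unknown interface {nameif}")
        elif hop == iface.ip:
            findings.append(f"route {net}: next hop {hop} is the {nameif} interface's own address")
        elif hop not in iface.network:
            findings.append(f"route {net}: next hop {hop} is not on {iface.network}")
    return findings

if __name__ == "__main__":
    for finding in lint_routes(CONFIG):
        print(finding)
```
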