Cisco ASA 5505 - Remote VPN connection problem getting to internal machine
Asked by Adam D
I believe I am missing one line but cannot think of what it is. Here is an excerpt of the setup:
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
access-list 101 extended permit udp any any eq isakmp
access-list 101 extended permit udp any any eq 4500
access-list 101 extended permit esp any any
access-list 101 extended permit tcp any any eq ftp
access-list nonat_clientvpn extended permit ip 10.1.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list splittunnel standard permit 10.1.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 101 in interface outside
(this may not be necessary) route inside 10.1.10.0 255.255.255.0 192.168.10.1 1
Layout:
Modem -> Cisco ASA 5505 (Vlan1 192.168.10.1) -> (Wan 192.168.10.2) Netgear N600 router (Lan 10.1.10.0) -> workstations (server=10.1.10.34)
I can make a VPN connection with the Cisco ASA 5505. I am unable to ping or use the built-in Microsoft remote control (terminal services) to get on any machine. The "packet-tracer" indicates the traffic is being dropped due to the implicit deny.
What am I missing? Thanks.
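To see which of the posted access-list entries actually cover a remote-client flow, here is a small ACL matcher written for this page; it is an added example, not part of the question or of any Cisco tool. It parses the `access-list` lines quoted above exactly as written (subnet-mask form, `any`, `eq <port>`), then evaluates constructed sample flows against them the way the ASA walks an ACL: first match wins, no match is the implicit deny. The flow 192.168.20.5 -> 10.1.10.34 tcp/3389 is a constructed example of a VPN client reaching the server through the Netgear. The matcher models ACL matching only; the ASA's real packet path also includes NAT, the route lookup, and the `sysopt connection permit-vpn` default that exempts decrypted VPN traffic from interface ACLs, none of which is modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL lines quoted verbatim from the question (the interface/nat lines are omitted)
CONFIG = """
access-list 101 extended permit udp any any eq isakmp
access-list 101 extended permit udp any any eq 4500
access-list 101 extended permit esp any any
access-list 101 extended permit tcp any any eq ftp
access-list nonat_clientvpn extended permit ip 10.1.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list splittunnel standard permit 10.1.10.0 255.255.255.0
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 192.168.20.0 255.255.255.0
"""

# Well-known port names the ASA accepts after "eq" (subset, enough for this config)
PORT_NAMES = {"isakmp": 500, "ftp": 21, "www": 80, "https": 443, "ssh": 22}


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]  # None for standard ACLs (one address field)
    dport: Optional[int]                  # None when no "eq <port>" is present


def _net(tokens, i):
    """Consume 'any', 'host A' or 'A MASK' at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA writes a subnet mask, not a prefix length; ipaddress accepts "addr/mask"
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(text):
    """Parse 'access-list' lines into Ace objects, preserving configuration order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        name, kind = t[1], t[2]
        if kind == "standard":
            # access-list NAME standard permit|deny NET MASK
            src, _ = _net(t, 4)
            aces.append(Ace(name, t[3], "ip", src, None, None))
        elif kind == "extended":
            # access-list NAME extended permit|deny PROTO SRC DST [eq PORT]
            action, proto = t[3], t[4]
            src, i = _net(t, 5)
            dst, i = _net(t, i)
            dport = None
            if i < len(t) and t[i] == "eq":
                dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            aces.append(Ace(name, action, proto, src, dst, dport))
    return aces


def evaluate(aces, acl, src_ip, dst_ip, proto, dport=None):
    """Return the action of the first ACE in `acl` matching the flow, else 'implicit-deny'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace.acl != acl:
            continue
        if ace.proto not in ("ip", proto):      # "ip" covers every protocol
            continue
        if s not in ace.src:
            continue
        if ace.dst is not None and d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "implicit-deny"


ACES = parse_acl(CONFIG)

if __name__ == "__main__":
    # Constructed flows: a VPN client (pool 192.168.20.0/24) and the server 10.1.10.34
    client, server = "192.168.20.5", "10.1.10.34"
    print("101 (outside), client->server RDP :",
          evaluate(ACES, "101", client, server, "tcp", 3389))
    print("101 (outside), ISAKMP from Internet:",
          evaluate(ACES, "101", "203.0.113.7", "198.51.100.1", "udp", 500))
    print("nonat (inside), server->client     :",
          evaluate(ACES, "nonat", server, client, "tcp", 3389))
    print("splittunnel, is 10.1.10.34 tunnelled:",
          evaluate(ACES, "splittunnel", server, client, "ip"))
```

Run it and the first line reports `implicit-deny`: none of the four entries in `101` covers a client-to-server RDP flow, which is exactly what packet-tracer reports when that ACL is the one being consulted. The `nonat` and `splittunnel` entries do cover the 10.1.10.0/24 side, so a deny on this flow is worth chasing in the outside ACL, a vpn-filter, or the NAT/route stage rather than in those two lists.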
ASKER
Hello, thank you for your reply.
192.168.20.0 is the client (remote) vpn pool
192.168.10.0 is the local network (VLan1 inside interface is: 192.168.10.1)
10.1.10.0 is on the other side of the 3rd party router with its (Netgear) WAN interface having an IP address of 192.168.10.2
ASA
WAN - outside (also the remote VPN clients are coming in through here with the IP address of 192.168.20.x)
Lan - 192.168.10.1 (Vlan 1 inside)
Netgear
Wan - 192.168.10.2 (directly connected to ASA on the ASA's inside interface)
Lan - 10.1.10.0 (all workstations are on this side)
Does that help?
Thanks.
ASKER
No answer provided, found work around.
access-list nonat extended permit ip 10.1.10.0 255.255.255.0 192.168.20.0 255.255.255.0
Is it supposed to be 192.168.20.0 or 192.168.10.0 that you are trying to access?