VPN IPSec Client connectivity to ASA5510

Guest

VPN IPSec Client connectivity to ASA5510

Post by Guest » Thu Nov 11, 2010 9:00 pm


I have an ASA5510 at a remote location. I used the IPSec VPN Wizard to configure Remote Access for the developers into the DMZ portion of the network, 192.168.100.0/24. I can connect using both the latest Cisco client on Windows and using VPNC on my Linux box. A tunnel is created, I receive a valid IP within the 192.168.100.0 subnet and all looks great. But when I attempt to ssh to one of the servers, the SYN packet times out. I can see the connection attempt being established when looking at the logs on the firewall. There is no issue with the Linux servers themselves to which I am attempting to connect. I flushed iptables and even attempted to connect without any firewall rules. Still no dice. I can post my running-config here if necessary. Thanks.

Guest

Re: VPN IPSec Client connectivity to ASA5510

Post by Guest » Thu Nov 11, 2010 10:34 pm


Update: I am attaching a screenshot of my home connection to the VPN. As you can see, I am connected just fine and have an internal IP, 192.168.100.232, as well as a viable outside IP. Split tunneling is enabled. Note the bytes transmitted (Tx) and received (Rx): plenty received, but nothing transmitted. I am guessing that something on the firewall is preventing outside VPN'ed hosts from connecting to internal servers.

Guest

Re: VPN IPSec Client connectivity to ASA5510

Post by Guest » Thu Nov 11, 2010 11:13 pm


How bout an ASA config?

Guest

Re: VPN IPSec Client connectivity to ASA5510

Post by Guest » Thu Nov 11, 2010 11:27 pm


You betcha... Have removed any incriminating evidence. Attempting to use the group "smiremoteusers" to connect. Can connect just fine, but not access any internal servers in the DMZ or 192.168.100.0 subnet.

Guest

Re: VPN IPSec Client connectivity to ASA5510

Post by Guest » Fri Nov 12, 2010 12:22 am


OK, here goes.

1. Don't use the same subnet for your VPN users that you use for your DMZ or inside. You used the same subnet for the VPN clients and the DMZ.

2. You have NAT exemption set up for the DMZ but not for the inside:

access-list dmz_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.100.224 255.255.255.224
nat (dmz) 0 access-list dmz_nat0_outbound

You also need:

access-list inside_nat0_outbound extended permit ip <inside.networks> <vpn.client.network>
nat (inside) 0 access-list inside_nat0_outbound
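The two fixes in the reply above (a client pool that does not overlap the DMZ, and NAT exemption on every interface the clients need to reach) put together as one ASA configuration fragment. This is an added example, not the poster's running-config or the reply's exact text. The DMZ network 192.168.100.0/24 and the group name smiremoteusers come from the thread; the inside network 192.168.1.0/24, the pool 192.168.200.0/27 and the object names SMI_VPN_POOL and SMI_SPLIT_TUNNEL are assumptions chosen for illustration. The syntax is the pre-8.3 "nat 0 access-list" form, which matches the 2010 date of the thread; ASA 8.3 and later use object NAT instead.

```cisco
! Added example, not the poster's configuration. Assumptions, labelled:
!   - inside network 192.168.1.0/24      (hypothetical; the thread never states it)
!   - DMZ network 192.168.100.0/24       (from the thread)
!   - VPN client pool 192.168.200.0/27   (hypothetical; deliberately outside both)
!   - tunnel-group / group-policy name smiremoteusers (from the thread)
!   - pre-8.3 ASA syntax (nat 0 access-list), consistent with the 2010 thread
!
! 1. Client pool carved from a subnet that overlaps neither the DMZ nor the inside.
!    Handing clients addresses out of the DMZ's own /24 (192.168.100.224/27 in the
!    thread) leaves the ASA and the DMZ hosts with two claims on the same prefix,
!    which is what produces "tunnel up, Rx counts, Tx stays at zero".
ip local pool SMI_VPN_POOL 192.168.200.1-192.168.200.30 mask 255.255.255.224
!
! 2. NAT exemption on every interface the clients must reach. Without the inside
!    entry, replies from inside hosts to clients are translated and never return
!    through the tunnel.
access-list dmz_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.224
nat (dmz) 0 access-list dmz_nat0_outbound
!
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
!
! 3. Split tunnel only the network the developers actually need (the DMZ), so the
!    client does not send its general Internet traffic through the firewall.
access-list SMI_SPLIT_TUNNEL standard permit 192.168.100.0 255.255.255.0
!
group-policy smiremoteusers internal
group-policy smiremoteusers attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SMI_SPLIT_TUNNEL
!
tunnel-group smiremoteusers general-attributes
 address-pool SMI_VPN_POOL
 default-group-policy smiremoteusers
```

To confirm the fix from the ASA rather than from the client, run "show crypto ipsec sa" after an ssh attempt: with NAT exemption in place both the encaps and decaps counters for the client's SA increment, where before only one direction moved. "packet-tracer input dmz tcp 192.168.100.10 22 192.168.200.5 1024" (addresses are the constructed ones above) traces the return packet from a DMZ server to a client and shows which NAT rule, if any, the ASA applies to it; a hit on the nat 0 exemption rather than a dynamic translation is the expected result.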
