Velocity Reviews

Re: Can't Access Internal Computer After Connecting Via VPN (http://www.velocityreviews.com/forums/t717806-re-cant-access-internal-computer-after-connecting-via-vpn.html)

Blob 03-15-2010 06:30 PM

Re: Can't Access Internal Computer After Connecting Via VPN
 
I suspect it has to do with either your NAT ACL or Split tunnel ACL or Both...

The VPN pool should be denied specifically from the NAT ACL

I ran into the same problem last week ;-)

-Blob

On 2010-03-14 17:05:21 -0400, Buck Rogers said:

> Hello All,
>
> I'm trying to access a client's new fileserver, remotely, via Cisco
> VPN Client version 5.00 through an ASA 5505. I've tried remote
> desktop and have tried via internet explorer with no success.
>
> The fileserver is running Windows 7 Pro. I've turned on access
> remotely for any remote desktop version and set the users as Everyone.
>
> I can access the fileserver internally with no problem from a client
> work station.
>
> I can connect to the ASA unit via VPN or Putty with no problem.
>
> My config is listed below and I'd appreciate any input you might have
> to help me access the fileserver......IP address = 192.168.1.2
>
> I am able to access the fileserver of another client successfully
> using the same version of the VPN Client. It's through a Pix 501.
>
> Thanks in advance!
>
> hostname xxxxxx
> domain-name xxxxxx
> enable password encrypted
> passwd encrypted
> names
> !
> interface Vlan1
> nameif inside
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> !
> interface Vlan2
> nameif outside
> security-level 0
> ip address x.x.x.x 255.255.255.x
> !
> interface Vlan3
> no forward interface Vlan1
> nameif dmz
> security-level 50
> ip address 10.10.10.1 255.255.255.0
> !
> interface Ethernet0/0
> switchport access vlan 2
> !
> interface Ethernet0/1
> !
> interface Ethernet0/2
> !
> interface Ethernet0/3
> !
> interface Ethernet0/4
> !
> interface Ethernet0/5
> !
> interface Ethernet0/6
> !
> interface Ethernet0/7
> !
> ftp mode passive
> dns server-group DefaultDNS
> domain-name xxxxxx
> access-list xxxx_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
> access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.240
> pager lines 24
> logging enable
> logging asdm informational
> mtu inside 1500
> mtu outside 1500
> mtu dmz 1500
> ip local pool xxxx 192.168.3.3-192.168.3.12
> icmp unreachable rate-limit 1 burst-size 1
> asdm image disk0:/asdm-524.bin
> no asdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 0.0.0.0 0.0.0.0
> route outside 0.0.0.0 0.0.0.0 gateway 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> http server enable
> http 192.168.1.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto dynamic-map outside_dyn_map 20 set pfs group1
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp nat-traversal 20
> telnet timeout 5
> ssh 192.168.1.0 255.255.255.0 inside
> ssh 0.0.0.0 0.0.0.0 outside
> ssh timeout 10
> console timeout 0
> dhcpd auto_config outside
> !
> dhcpd address 192.168.1.5-192.168.1.45 inside
> dhcpd dns x.x.x.x x.x.x.x interface inside
> dhcpd enable inside
> !
> group-policy xxxxvpn internal
> group-policy xxxxxvpn attributes
> vpn-tunnel-protocol IPSec
> split-tunnel-policy tunnelspecified
> split-tunnel-network-list value xxxxxvpn_splitTunnelAcl
> username xxx xxxxxxx privilege 0
> username xxx attributes
> vpn-group-policy xxxxxvpn
> tunnel-group xxxxxvpn type ipsec-ra
> tunnel-group xxxxxvpn general-attributes
> address-pool xxxx
> default-group-policy xxxxxvpn
> tunnel-group xxxxxvpn ipsec-attributes
> pre-shared-key *
> !
> prompt hostname context
>
>
> Regards,
>
> Buck
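As an added example (not code from Blob or Buck), a small Python checker that reads the ASA lines that decide whether a remote-access client can reach an inside host (the address pool, the split-tunnel ACL and the nat 0 exemption ACL) and reports the two problems Blob points at. The embedded config is a constructed sample modelled on the quoted one with placeholder ACL and pool names; the file server address 192.168.1.2 and the pool range come from the post.

```python
import ipaddress
import re

# Constructed sample modelled on the quoted ASA config; ACL and pool names are placeholders.
SAMPLE_CONFIG = """
access-list vpn_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.240
ip local pool vpnpool 192.168.3.3-192.168.3.12
nat (inside) 0 access-list inside_nat0_outbound
split-tunnel-network-list value vpn_splitTunnelAcl
"""

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def parse(config):
    """Pull out the pools, ACLs, nat 0 reference and split-tunnel reference from an ASA config."""
    pools, acls, nat0, split = {}, {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) standard permit (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((None, net(m[2], m[3])))  # standard ACL: network only
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))  # (src, dst)
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            nat0 = m[1]
        elif m := re.match(r"split-tunnel-network-list value (\S+)", line):
            split = m[1]
    return pools, acls, nat0, split

def check(config, inside_host):
    """Return findings explaining why a remote-access client might not reach inside_host."""
    pools, acls, nat0, split = parse(config)
    host = ipaddress.ip_address(inside_host)
    findings = []
    # 1. Split tunnelling: the client only routes networks named in the split-tunnel ACL.
    if split not in acls:
        findings.append(f"split-tunnel ACL {split!r} is referenced but never defined")
    elif not any(host in dst for _, dst in acls[split]):
        findings.append(f"{inside_host} is not in split-tunnel ACL {split!r}")
    # 2. NAT exemption: inside -> pool traffic must match nat 0, or replies get PATed to the outside.
    if nat0 not in acls:
        findings.append(f"nat 0 ACL {nat0!r} is referenced but never defined")
    else:
        for name, (first, last) in pools.items():
            if not any(src and host in src and first in dst and last in dst
                       for src, dst in acls[nat0]):
                findings.append(f"pool {name} {first}-{last} not NAT-exempted for {inside_host}")
    return findings
```

Run `check(SAMPLE_CONFIG, "192.168.1.2")` against a pasted config; an empty list means both ACLs cover the host and the pool, otherwise each finding names the ACL to fix.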