Re: Can't Access Internal Computer After Connecting Via VPN

Blob
Guest
03-15-2010
I suspect it has to do with either your NAT ACL or Split tunnel ACL or Both...

The VPN pool should be denied specifically from the NAT ACL

I ran into the same problem last week

-Blob

On 2010-03-14 17:05:21 -0400, Buck Rogers said:

> Hello All,
>
> I'm trying to access a client's new fileserver, remotely, via Cisco
> VPN Client version 5.00 through an ASA 5505. I've tried remote
> desktop and have tried via internet explorer with no success.
>
> The fileserver is running Windows 7 Pro. I've turned on access
> remotely for any remote desktop version and set the users as Everyone.
>
> I can access the fileserver internally with no problem from a client
> work station.
>
> I can connect to the ASA unit via VPN or Putty with no problem.
>
> My config is listed below and I'd appreciate any input you might have
> to help me access the fileserver. IP address = 192.168.1.2
>
> I am able to access the fileserver of another client successfully
> using the same version of the VPN Client. It's through a Pix 501.
>
> Thanks in advance!
>
> hostname xxxxxx
> domain-name xxxxxx
> enable password encrypted
> passwd encrypted
> names
> !
> interface Vlan1
> nameif inside
> security-level 100
> ip address 192.168.1.1 255.255.255.0
> !
> interface Vlan2
> nameif outside
> security-level 0
> ip address x.x.x.x 255.255.255.x
> !
> interface Vlan3
> no forward interface Vlan1
> nameif dmz
> security-level 50
> ip address 10.10.10.1 255.255.255.0
> !
> interface Ethernet0/0
> switchport access vlan 2
> !
> interface Ethernet0/1
> !
> interface Ethernet0/2
> !
> interface Ethernet0/3
> !
> interface Ethernet0/4
> !
> interface Ethernet0/5
> !
> interface Ethernet0/6
> !
> interface Ethernet0/7
> !
> ftp mode passive
> dns server-group DefaultDNS
> domain-name xxxxxx
> access-list xxxx_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
> access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.240
> pager lines 24
> logging enable
> logging asdm informational
> mtu inside 1500
> mtu outside 1500
> mtu dmz 1500
> ip local pool xxxx 192.168.3.3-192.168.3.12
> icmp unreachable rate-limit 1 burst-size 1
> asdm image disk0:/asdm-524.bin
> no asdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 0.0.0.0 0.0.0.0
> route outside 0.0.0.0 0.0.0.0 gateway 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
> http server enable
> http 192.168.1.0 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto dynamic-map outside_dyn_map 20 set pfs group1
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
> crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp nat-traversal 20
> telnet timeout 5
> ssh 192.168.1.0 255.255.255.0 inside
> ssh 0.0.0.0 0.0.0.0 outside
> ssh timeout 10
> console timeout 0
> dhcpd auto_config outside
> !
> dhcpd address 192.168.1.5-192.168.1.45 inside
> dhcpd dns x.x.x.x x.x.x.x interface inside
> dhcpd enable inside
> !
> group-policy xxxxvpn internal
> group-policy xxxxxvpn attributes
> vpn-tunnel-protocol IPSec
> split-tunnel-policy tunnelspecified
> split-tunnel-network-list value xxxxxvpn_splitTunnelAcl
> username xxx xxxxxxx privilege 0
> username xxx attributes
> vpn-group-policy xxxxxvpn
> tunnel-group xxxxxvpn type ipsec-ra
> tunnel-group xxxxxvpn general-attributes
> address-pool xxxx
> default-group-policy xxxxxvpn
> tunnel-group xxxxxvpn ipsec-attributes
> pre-shared-key *
> !
> prompt hostname context
>
>
> Regards,
>
> Buck
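A way to apply Blob's two checks mechanically, as an added example that is not from either poster: a small Python script that parses the relevant lines of the posted configuration (embedded below as a constructed sample, with the poster's xxxx redactions kept exactly as they appear) and confirms (a) that every address in the VPN pool is covered by the nat 0 exemption ACL for traffic from the file server, and (b) that the file server's address falls inside the split-tunnel ACL that the group policy actually references. On the posted lines the exemption check passes (192.168.3.0/28 covers the pool 192.168.3.3-.12), while the split-tunnel check reports that the ACL named in the group policy (xxxxxvpn_splitTunnelAcl) is not the ACL that is defined (xxxx_splitTunnelAcl); whether that is a real typo on the ASA or only an artifact of the redaction is something only the poster can confirm, but it is exactly the kind of mismatch such a check exists to surface. The parser is deliberately narrow (one `ip local pool`, standard entries and extended `permit ip` entries only), and all function names are mine.

```python
import ipaddress
import re

# Constructed sample: the lines from the configuration posted in this thread that
# matter for reaching an inside host over the VPN. The poster's "xxxx" redactions
# are kept as they appear, including the differing placeholder lengths.
SAMPLE_CONFIG = """\
ip local pool xxxx 192.168.3.3-192.168.3.12
access-list xxxx_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.240
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
group-policy xxxxxvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value xxxxxvpn_splitTunnelAcl
"""


def parse_pool(config):
    """Return (first, last) addresses of the first 'ip local pool' line, or None."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M)
    if not m:
        return None
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def parse_acls(config):
    """Map ACL name -> list of (src_net, dst_net) for permit entries.

    Standard ACLs carry one network, stored as src_net with dst_net None.
    Only extended 'permit ip' entries are parsed; that is all these checks need.
    """
    acls = {}
    for line in config.splitlines():
        std = re.match(r"^access-list (\S+) standard permit (\S+) (\S+)$", line)
        ext = re.match(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if std:
            name, net, mask = std.groups()
            acls.setdefault(name, []).append((ipaddress.ip_network(f"{net}/{mask}"), None))
        elif ext:
            name, snet, smask, dnet, dmask = ext.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{snet}/{smask}"), ipaddress.ip_network(f"{dnet}/{dmask}"))
            )
    return acls


def check_nat_exemption(config, server_ip):
    """Every pool address must be exempt from NAT (nat 0) for traffic from server_ip.

    Without the exemption the ASA applies the interface PAT rule (nat (inside) 1)
    to the server's traffic, which breaks the return path into the tunnel.
    """
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    if not m:
        return {"ok": False, "reason": "no 'nat (inside) 0 access-list' exemption configured"}
    name = m.group(1)
    acls = parse_acls(config)
    if name not in acls:
        return {"ok": False, "reason": f"exemption ACL {name} is referenced but not defined"}
    pool = parse_pool(config)
    if pool is None:
        return {"ok": False, "reason": "no 'ip local pool' found"}
    first, last = pool
    server = ipaddress.ip_address(server_ip)
    missing = [
        str(ipaddress.ip_address(i))
        for i in range(int(first), int(last) + 1)
        if not any(server in src and dst is not None and ipaddress.ip_address(i) in dst
                   for src, dst in acls[name])
    ]
    if missing:
        return {"ok": False, "reason": "pool addresses not exempted: " + ", ".join(missing)}
    return {"ok": True, "reason": f"all {int(last) - int(first) + 1} pool addresses exempted by {name}"}


def check_split_tunnel(config, server_ip):
    """The split-tunnel list the group policy references must route server_ip into the tunnel.

    With tunnelspecified only destinations in that ACL enter the tunnel; anything else
    leaves via the client's local default route and never reaches the ASA.
    """
    server = ipaddress.ip_address(server_ip)
    policy = re.search(r"^\s*split-tunnel-policy (\S+)", config, re.M)
    mode = policy.group(1) if policy else "tunnelall"  # ASA default when unset
    if mode == "tunnelall":
        return {"ok": True, "reason": "tunnelall: every destination is sent through the tunnel"}
    m = re.search(r"^\s*split-tunnel-network-list value (\S+)", config, re.M)
    if not m:
        return {"ok": False, "reason": f"{mode} but no split-tunnel-network-list set"}
    name = m.group(1)
    acls = parse_acls(config)
    if name not in acls:
        return {"ok": False, "reason": f"split-tunnel ACL {name} is referenced but not defined"}
    listed = any(server in net for net, _ in acls[name])
    if mode == "excludespecified":  # the ACL names what stays out of the tunnel
        listed = not listed
    if listed:
        return {"ok": True, "reason": f"{server} is routed into the tunnel by {name}"}
    return {"ok": False, "reason": f"{server} is not routed into the tunnel by {name}"}


if __name__ == "__main__":
    for label, result in (("nat exemption", check_nat_exemption(SAMPLE_CONFIG, "192.168.1.2")),
                          ("split tunnel", check_split_tunnel(SAMPLE_CONFIG, "192.168.1.2"))):
        print(f"{label}: {'OK' if result['ok'] else 'PROBLEM'} - {result['reason']}")
```

Run it against a `show running-config` saved to a file instead of the embedded sample to check a live box; if both checks pass, the ASA side of Blob's diagnosis is clean and the next place to look is the host itself (a Windows 7 firewall profile that only allows Remote Desktop from the local subnet will drop connections arriving from 192.168.3.x even though the tunnel is fine).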