Re: Can't Access Internal Computer After Connecting Via VPN

Discussion in 'Cisco' started by Blob, Mar 15, 2010.

Blob (Guest)

    I suspect it has to do with either your NAT ACL or Split tunnel ACL or Both...

    The VPN pool should be denied specifically from the NAT ACL

    I ran into the same problem last week ;-)

    -Blob

    On 2010-03-14 17:05:21 -0400, Buck Rogers said:

    > Hello All,
    >
    > I'm trying to access a client's new fileserver, remotely, via Cisco
    > VPN Client version 5.00 through an ASA 5505. I've tried remote
    > desktop and have tried via internet explorer with no success.
    >
    > The fileserver is running Windows 7 Pro. I've turned on access
    > remotely for any remote desktop version and set the users as Everyone.
    >
    > I can access the fileserver internally with no problem from a client
    > workstation.
    >
    > I can connect to the ASA unit via VPN or Putty with no problem.
    >
    > My config is listed below and I'd appreciate any input you might have
    > to help me access the fileserver. IP address = 192.168.1.2
    >
    > I am able to access the fileserver of another client successfully
    > using the same version of the VPN Client. It's through a Pix 501.
    >
    > Thanks in advance!
    >
    > hostname xxxxxx
    > domain-name xxxxxx
    > enable password encrypted
    > passwd encrypted
    > names
    > !
    > interface Vlan1
    > nameif inside
    > security-level 100
    > ip address 192.168.1.1 255.255.255.0
    > !
    > interface Vlan2
    > nameif outside
    > security-level 0
    > ip address x.x.x.x 255.255.255.x
    > !
    > interface Vlan3
    > no forward interface Vlan1
    > nameif dmz
    > security-level 50
    > ip address 10.10.10.1 255.255.255.0
    > !
    > interface Ethernet0/0
    > switchport access vlan 2
    > !
    > interface Ethernet0/1
    > !
    > interface Ethernet0/2
    > !
    > interface Ethernet0/3
    > !
    > interface Ethernet0/4
    > !
    > interface Ethernet0/5
    > !
    > interface Ethernet0/6
    > !
    > interface Ethernet0/7
    > !
    > ftp mode passive
    > dns server-group DefaultDNS
    > domain-name xxxxxx
    > access-list xxxx_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
    > access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.240
    > pager lines 24
    > logging enable
    > logging asdm informational
    > mtu inside 1500
    > mtu outside 1500
    > mtu dmz 1500
    > ip local pool xxxx 192.168.3.3-192.168.3.12
    > icmp unreachable rate-limit 1 burst-size 1
    > asdm image disk0:/asdm-524.bin
    > no asdm history enable
    > arp timeout 14400
    > global (outside) 1 interface
    > nat (inside) 0 access-list inside_nat0_outbound
    > nat (inside) 1 0.0.0.0 0.0.0.0
    > route outside 0.0.0.0 0.0.0.0 gateway 1
    > timeout xlate 3:00:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    > timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    > timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    > timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    > http server enable
    > http 192.168.1.0 255.255.255.0 inside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server enable traps snmp authentication linkup linkdown coldstart
    > crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    > crypto dynamic-map outside_dyn_map 20 set pfs group1
    > crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    > crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    > crypto map outside_map interface outside
    > crypto isakmp enable outside
    > crypto isakmp policy 10
    > authentication pre-share
    > encryption 3des
    > hash sha
    > group 2
    > lifetime 86400
    > crypto isakmp nat-traversal 20
    > telnet timeout 5
    > ssh 192.168.1.0 255.255.255.0 inside
    > ssh 0.0.0.0 0.0.0.0 outside
    > ssh timeout 10
    > console timeout 0
    > dhcpd auto_config outside
    > !
    > dhcpd address 192.168.1.5-192.168.1.45 inside
    > dhcpd dns x.x.x.x x.x.x.x interface inside
    > dhcpd enable inside
    > !
    > group-policy xxxxvpn internal
    > group-policy xxxxxvpn attributes
    > vpn-tunnel-protocol IPSec
    > split-tunnel-policy tunnelspecified
    > split-tunnel-network-list value xxxxxvpn_splitTunnelAcl
    > username xxx xxxxxxx privilege 0
    > username xxx attributes
    > vpn-group-policy xxxxxvpn
    > tunnel-group xxxxxvpn type ipsec-ra
    > tunnel-group xxxxxvpn general-attributes
    > address-pool xxxx
    > default-group-policy xxxxxvpn
    > tunnel-group xxxxxvpn ipsec-attributes
    > pre-shared-key *
    > !
    > prompt hostname context
    >
    >
    > Regards,
    >
    > Buck
    Blob, Mar 15, 2010
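As an added diagnostic (not code from the thread or from Cisco), a small Python checker for the two things Blob points at: whether every address in the VPN pool is covered by the `nat (inside) 0` exemption ACL, and whether the split-tunnel ACL includes the file server. The config excerpt is re-typed from the post with its wrapped lines joined; the split-tunnel ACL name is passed in as a parameter because the names in the post are obfuscated.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 5505 config quoted in the thread (names are
# the obfuscated ones from the post; the line-wrapped ACLs are re-joined).
ASA_CONFIG = """\
access-list xxxx_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.240
ip local pool xxxx 192.168.3.3-192.168.3.12
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
"""

def _net(addr, mask):
    """Turn an ASA 'addr mask' pair (or 'any') into an ip_network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def pool_addresses(config):
    """Every address handed to VPN clients by the 'ip local pool' line."""
    first, last = re.search(r"^ip local pool \S+ (\S+)-(\S+)", config, re.M).groups()
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [ipaddress.ip_address(i) for i in range(lo, hi + 1)]

def nat0_rules(config):
    """(src, dst) networks of the ACL bound by 'nat (inside) 0 access-list'."""
    name = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M).group(1)
    pat = rf"^access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(_net(s, sm), _net(d, dm)) for s, sm, d, dm in re.findall(pat, config, re.M)]

def split_tunnel_networks(config, acl_name):
    """Networks the standard split-tunnel ACL sends through the tunnel."""
    pat = rf"^access-list {re.escape(acl_name)} standard permit (\S+) (\S+)"
    return [_net(a, m) for a, m in re.findall(pat, config, re.M)]

def pool_not_exempt(config, inside_net):
    """Pool addresses that inside_net -> pool traffic would still be NATted for."""
    inside = ipaddress.ip_network(inside_net)
    rules = nat0_rules(config)
    return [a for a in pool_addresses(config)
            if not any(inside.subnet_of(src) and a in dst for src, dst in rules)]

def split_tunnel_covers(config, acl_name, host):
    """True if the split-tunnel ACL routes traffic for host into the tunnel."""
    return any(ipaddress.ip_address(host) in n for n in split_tunnel_networks(config, acl_name))
```

On the posted config the pool 192.168.3.3-12 sits inside the exempted 192.168.3.0/28 and 192.168.1.2 is in the split-tunnel list, so both checks pass; shrinking the exemption mask to /29 shows 192.168.3.8-12 falling back into the overload NAT.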