Can't Access Internal Computer After Connecting Via VPN

Hello All,

I'm trying to access a client's new fileserver, remotely, via Cisco VPN Client version 5.00 through an ASA 5505. I've tried remote desktop and have tried via internet explorer with no success.

The fileserver is running Windows 7 Pro. I've turned on access remotely for any remote desktop version and set the users as Everyone.

I can access the fileserver internally with no problem from a client work station.

I can connect to the ASA unit via VPN or Putty with no problem.

My config is listed below and I'd appreciate any input you might have to help me access the fileserver......IP address = 192.168.1.2

I am able to access the fileserver of another client successfully using the same version of the VPN Client. It's through a Pix 501.

Thanks in advance!

hostname xxxxxx
domain-name xxxxxx
enable password encrypted
passwd encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.x
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name xxxxxx
access-list xxxx_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool xxxx 192.168.3.3-192.168.3.12
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.45 inside
dhcpd dns x.x.x.x x.x.x.x interface inside
dhcpd enable inside
!
group-policy xxxxvpn internal
group-policy xxxxxvpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value xxxxxvpn_splitTunnelAcl
username xxx xxxxxxx privilege 0
username xxx attributes
 vpn-group-policy xxxxxvpn
tunnel-group xxxxxvpn type ipsec-ra
tunnel-group xxxxxvpn general-attributes
 address-pool xxxx
 default-group-policy xxxxxvpn
tunnel-group xxxxxvpn ipsec-attributes
 pre-shared-key *
!
prompt hostname context

Regards,

Buck


I suspect it has to do with either your NAT ACL or Split tunnel ACL or Both...

The VPN pool should be denied specifically from the NAT ACL

I ran into the same problem last week ;-)

-Blob


Bob,

Thanks for the input. I'll try removing the VPN pool from the NAT ACL tonight. Further, if that doesn't work, I'll add the VPN pool to the split tunnel ACL to see if that helps. I'll get back with the results.

Thanks Again!!!

Buck


Hello,

I wanted to give everyone a heads up on the solution to my problem.

I started a TAC case with Cisco and the tech spent about 3 hrs messing with my configuration file through my computer which was connected to the ASA 5505 via Putty.

Well, as I said, after hours of changes and re-changes, the problem was my IP pool! For some reason the firewall didn't like the 192.168.3.3-192.168.3.12 range. In fact it didn't like any other IP range outside of 192.168.1.x. Once the tech changed the IP pool to 192.168.1.240-192.168.1.252 everything worked fine....ping, remote desktop, access via web browser......everything!

Sounds crazy, but that was the issue. I've always been told to use a different IP range than your dhcpd address but I guess it's okay since the IP pool now is above the dhcpd range of 192.168.1.5-192.168.1.45.

I hope this helps someone in the future.

Regards,

Buck


Hello,

In my haste to explain my solution, I forgot to mention that since posting the above configuration, I configured port 3389 and www to go through the firewall and directed the traffic to 192.168.1.2.

When I did that, I could access the fileserver via remote desktop but couldn't ping or access it via web browser. The above TAC case was opened after I opened the ports through the firewall.

Sorry for any confusion.

Buck
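The two diagnoses in this thread, Blob's (check that the VPN pool is exempted in the nat0 ACL and that the inside subnet is in the split-tunnel ACL) and Buck's final one (move the pool into 192.168.1.x, above the dhcpd range), are each a mechanical check against the posted config. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses a constructed excerpt of the config posted above (object names are the thread's anonymized ones, and the excerpt is assumed to have exactly one inside interface and one nat0 ACL) and runs those checks against both the original pool and the pool from Buck's final post. The nat0 line is left exactly as posted in the second sample because the thread does not say whether TAC changed it.

```python
import ipaddress
import re

# Constructed sample: the lines from the thread's posted ASA 5505 config that
# decide whether VPN-pool traffic reaches the inside LAN, with the original
# 192.168.3.3-192.168.3.12 pool. Object names are the thread's anonymized ones.
CONFIG_ORIGINAL_POOL = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list xxxx_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.240
ip local pool xxxx 192.168.3.3-192.168.3.12
nat (inside) 0 access-list inside_nat0_outbound
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
dhcpd address 192.168.1.5-192.168.1.45 inside
group-policy xxxxvpn attributes
 split-tunnel-network-list value xxxx_splitTunnelAcl
"""

# The same lines with the pool moved to 192.168.1.240-192.168.1.252 as in the
# final post. The nat0 ACL is left as posted, since the thread does not say
# whether TAC changed it (assumption: it was not).
CONFIG_MOVED_POOL = CONFIG_ORIGINAL_POOL.replace(
    "192.168.3.3-192.168.3.12", "192.168.1.240-192.168.1.252")


def _net(addr, mask):
    """Build a network from the ASA's 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _addresses(cfg, pattern):
    """Expand an ASA 'first-last' range captured by pattern into host addresses."""
    first, last = re.search(pattern, cfg, re.M).groups()
    return [ipaddress.ip_address(i)
            for i in range(int(ipaddress.ip_address(first)),
                           int(ipaddress.ip_address(last)) + 1)]


def inside_network(cfg):
    """Subnet on the inside interface (the sample carries a single 'ip address')."""
    addr, mask = re.search(r"^ ip address (\S+) (\S+)", cfg, re.M).groups()
    return _net(addr, mask)


def nat0_destinations(cfg):
    """Destination networks exempted from NAT by the ACL bound to 'nat (inside) 0'."""
    name = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M).group(1)
    pat = rf"^access-list {re.escape(name)} extended permit ip \S+ \S+ (\S+) (\S+)"
    return [_net(a, m) for a, m in re.findall(pat, cfg, re.M)]


def split_tunnel_networks(cfg):
    """Networks the split-tunnel ACL sends through the tunnel."""
    name = re.search(r"split-tunnel-network-list value (\S+)", cfg).group(1)
    pat = rf"^access-list {re.escape(name)} standard permit (\S+) (\S+)"
    return [_net(a, m) for a, m in re.findall(pat, cfg, re.M)]


def audit(cfg):
    """Run the thread's checks against one config excerpt; returns a findings dict."""
    pool = _addresses(cfg, r"^ip local pool \S+ (\S+)-(\S+)")
    dhcp = set(_addresses(cfg, r"^dhcpd address (\S+)-(\S+) inside"))
    exempt = nat0_destinations(cfg)
    inside = inside_network(cfg)
    return {
        # Blob's NAT point: every pool address must be a destination in the nat0
        # exemption, otherwise inside->client replies fall under 'nat (inside) 1'.
        "pool_nat_exempt": all(any(a in n for n in exempt) for a in pool),
        # Blob's split-tunnel point: the inside subnet must be in the ACL, or the
        # client never routes 192.168.1.0/24 into the tunnel.
        "split_tunnel_covers_inside": any(inside.subnet_of(n)
                                          for n in split_tunnel_networks(cfg)),
        # Buck's final layout: pool carved out of the inside subnet...
        "pool_in_inside_subnet": all(a in inside for a in pool),
        # ...but never overlapping the addresses dhcpd hands out.
        "pool_overlaps_dhcp": any(a in dhcp for a in pool),
        # Not the outage, but visible in the posted config: management SSH is
        # permitted from any source address on the outside interface.
        "ssh_open_from_any_outside": bool(
            re.search(r"^ssh 0\.0\.0\.0 0\.0\.0\.0 outside", cfg, re.M)),
    }


if __name__ == "__main__":
    for label, cfg in (("original pool", CONFIG_ORIGINAL_POOL),
                       ("moved pool", CONFIG_MOVED_POOL)):
        print(label, audit(cfg))
```

Against the original excerpt every one of Blob's checks already passes, which matches Buck's experience that the ACLs were not the fix. Against the moved pool, with the nat0 line untouched, `pool_nat_exempt` comes back False: anyone copying the 192.168.1.240-192.168.1.252 fix should widen the `inside_nat0_outbound` entry to match the new pool rather than rely on the original 192.168.3.0/28 line. The `ssh 0.0.0.0 0.0.0.0 outside` finding is independent of the VPN problem but is the line in the posted config most worth tightening to a known management source.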


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.