Remote access via NAT VPN client
I currently have a PIX 506E configured to provide access for remote Cisco VPN Clients. A single client can connect successfully and has access to the intended network. However, as soon as I connect an additional client to the firewall from the same place (the two addresses are translated to the same public address), both tunnels stop working or cannot connect at all.
Is the problem I face due to the two clients having the same public address after NAT, or is it something else? Is there a way to get around this?
Hello
A lot of NAT devices will not work if you use ESP.
The solution for this is to enable NAT-T on the PIX and on the VPN client.
PIX:
The following command enables NAT-T (for code 6.3 and later):
isakmp nat-traversal
VPN Client:
On the Transport tab, tick "Enable Transparent Tunneling" and select "IPSec over UDP (NAT/PAT)".
HTH
Kind regards
GE.
Similar Questions
-
VPN site to site access via a VPN client
Hi all
From our headquarters we use a site-to-site VPN to connect to another site, and it works great.
We have just configured the VPN client at our headquarters; remote VPN users can access the LAN at headquarters.
We need the remote users to also access the LAN at the other site, but it does not work.
The site-to-site VPN and the VPN client are configured on the same device, using the same outside interface.
The VPN client address pool is already included in the addresses that are allowed to go through the site-to-site VPN.
We would like to know whether it is possible to reach the site-to-site VPN by connecting with the VPN client, when the architecture is as above.
In the case where we use different devices and different internet connections for the client VPN and the site-to-site VPN, can the remote VPN user access the other site's LAN?
Kind regards
Since you already have 10.13.0.0/16 in your site-to-site crypto ACL, which already includes the VPN pool, you need not configure it specifically.
You are missing the following command:
same-security-traffic permit intra-interface
The split-tunnel ACL should be a standard ACL, as follows:
access-list ACL-CL-VPN standard permit 10.13.0.0 255.255.0.0
access-list ACL-CL-VPN standard permit 10.14.0.0 255.255.248.0
-
Cannot ping via the VPN client host when static NAT translations are used
Hello, I have an ISR 3825 configured for Cisco VPN client access.
There are also several hosts on the internal network with static NAT translations that have services facing outwards.
Everything works as expected, except that I cannot ping hosts on the internal network once connected via the VPN client if their internal IP addresses have static NAT translations to external public addresses; I can ping any host that does not have a static NAT translation.
For example, in the configuration below, I cannot ping 192.168.1.1 and 192.168.1.2, but I can ping the internal interface of the router and any other host on the LAN, and I can ping all hosts from the router itself.
Any help would be appreciated.
Concerning
!
crypto logging session
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key S3Cu4Ke!
 dns 192.168.1.1 192.168.1.2
 domain domain.com
 pool dhcppool
 acl 198
 save-password
 pfs
 netmask 255.255.255.0
!
!
crypto ipsec transform-set 3DES-SECURE esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set security-association lifetime seconds 86400
 set transform-set 3DES-SECURE
 reverse-route
!
crypto map cryptomap client authentication list drauthen
crypto map cryptomap isakmp authorization list drauthor
crypto map cryptomap client configuration address respond
crypto map cryptomap 65535 ipsec-isakmp dynamic dynmap
!
interface GigabitEthernet0/0
 ip address 1.2.3.4 255.255.255.240
 ip nat outside
 crypto map cryptomap
!
interface GigabitEthernet0/1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
ip local pool dhcppool 192.168.2.50 192.168.2.100
!
access-list 198 remark * Split Tunnel encrypted traffic *
access-list 198 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 199 remark * NAT0 ACL *
access-list 199 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
!
route-map sheep permit 10
 match ip address 199
!
ip nat inside source route-map sheep interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.1.1 1.2.3.5
ip nat inside source static 192.168.1.2 1.2.3.6
The problem seems to be that the static NAT overrides your NAT exemption.
The solution would be:
ip nat inside source static 192.168.1.1 1.2.3.5 route-map sheep
ip nat inside source static 192.168.1.2 1.2.3.6 route-map sheep
HTH
Herbert
-
Hello! I have a VPN with two clients, using an ASA 5520. Now I need one client to have internet access and the other not. Can I do this using an ACL? How?
The configuration is:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.31.252 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.237 255.255.255.240
access-list ACLnonat extended permit ip 172.16.1.224 255.255.255.240 host 172.16.1.230
access-list Split_tunnel standard permit 172.16.1.224 255.255.255.240
ip local pool testpool 172.16.1.230-172.16.1.232 mask 255.255.255.240
nat (inside) 0 access-list ACLnonat
route outside 0.0.0.0 0.0.0.0 172.16.31.254 1
crypto ipsec transform-set hw_trans esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn_map 1 set transform-set hw_trans
crypto dynamic-map dyn_map 1 set reverse-route
crypto map stat_map 10000 ipsec-isakmp dynamic dyn_map
crypto map stat_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp nat-traversal 30
group-policy hw_policy internal
group-policy hw_policy attributes
 dns-server value 193.205.160.3
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel
 split-dns value 193.205.160.3
username User1 password pqA3EDHB1cfLxwWn encrypted privilege 0
username User2 password FIQ1c02tX8lU1wHJ encrypted privilege 0
username User2 attributes
 vpn-framed-ip-address 172.16.1.233 255.255.255.240
 password-storage enable
tunnel-group hwclients type remote-access
tunnel-group hwclients general-attributes
 address-pool testpool
 default-group-policy hw_policy
tunnel-group hwclients ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 30 retry 5
Thanks in advance.
Hello Jose,.
I see that you use LOCAL authentication; what you can do is create another group policy and bind this group policy to the username, for example:
group-policy PALLET attributes
 split-tunnel-policy tunnelall
username User1 attributes
 vpn-group-policy PALLET
The other username will use hw_policy, since it is the default group policy for the tunnel-group hwclients.
HTH
AMatahen
-
Windows 2003 cannot access remote network via Cisco VPN
I have two computers at home: one is XP Pro SP2 and the other is Windows 2003 Server SP1. If I set up the Cisco VPN (version 4.6) on XP to the office (ASA 5510), I can access the office network resources. However, if I set up the Cisco VPN on 2003, I can't do the same thing. After studying the two routing tables, I think XP has this route: 192.168.0.0 255.255.0.0 192.168.101.5 192.168.101.5 1, but 2003 doesn't. If I add this route manually (route add 192.168.0.0 mask 255.255.255.0 192.168.101.3) on 2003, then I can access the resources. Why?
2003 routing table:
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1   192.168.10.3      40
         x.x.x.37  255.255.255.255     192.168.10.1   192.168.10.3       1
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
     192.168.10.0    255.255.255.0     192.168.10.3   192.168.10.3      40
     192.168.10.3  255.255.255.255        127.0.0.1      127.0.0.1      40
   192.168.10.255  255.255.255.255     192.168.10.3   192.168.10.3      40
    192.168.101.0    255.255.255.0    192.168.101.3  192.168.101.3      10
    192.168.101.3  255.255.255.255        127.0.0.1      127.0.0.1      10
  192.168.101.255  255.255.255.255    192.168.101.3  192.168.101.3      10
        224.0.0.0        240.0.0.0     192.168.10.3   192.168.10.3      40
        224.0.0.0        240.0.0.0    192.168.101.3  192.168.101.3      10
  255.255.255.255  255.255.255.255     192.168.10.3   192.168.10.3       1
  255.255.255.255  255.255.255.255    192.168.101.3  192.168.101.3       1
Default Gateway:      192.168.10.1
===========================================================================
Persistent Routes:
  None
The VPN client has not been tested on Win2003. The client requirements are described here:
http://www.Cisco.com/univercd/CC/TD/doc/product/VPN/client/4_6/relnt/4604cln.htm#wp1024664
and they show that WinXP is supported.
-
Internet via Tunnel VPN Client Access
Hello
We use the Cisco VPN Client to connect to our Cisco 1921 router and want to go back out to the internet on the same interface. We have set up the connection with the IOS security package, with no split tunneling, so the client is forced to use our router as its default gateway; we also push our local DNS server to the client, and it gets DNS results. Now I think what we need is some sort of NAT, because our client has a private IP address from the IPsec client pool. For the moment we have no NAT inside/outside, because we only use official IP addresses inside and outside (data-center use).
- Is it possible for the NAT function to pass traffic in through the same interface that carries the IPsec crypto map and back out to the internet?
- Is it safer to set this up with VRF?
- Does anyone have a link to example configurations for it?
Thank you!
NISITNETC
Hello
For this you have to create a policy map and a loopback interface; have you come across the link below? Follow the example in that link.
Concerning
-
Connected to the ASA via the "VPN Client" software, but cannot ping devices.
I have a network that looks like this:
I successfully connected to the network inside the ASA via a software "VPN Client" tunnel and got the IP address 10.45.99.100/16.
I am trying to ping 10.45.7.2 from 10.45.99.100 on the outside, but the ping fails (request timed out).
On the ASA, with "logging console notifications" set, I notice the following message is displayed:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.45.99.100 dst inside:10.45.7.2 (type 8, code 0) denied due to NAT reverse path failure
I have a vague feeling that I'm missing a NAT rule, of course, but not which one. What did I miss?
Here is my configuration of ASA: http://pastebin.com/raw.php?i=ad6p1Zac
Hello
You seem to have a NAT0 ACL configured, but it is not actually in use with a "nat" command.
You would probably need:
nat (inside) 0 access-list inside_nat0_outside
That should handle the NAT0.
Personally, I would avoid using large subnets/networks. You probably won't ever have hosts behind the ASA that would fill a /16 subnet mask.
I would also keep the VPN pool as a separate network from the LANs behind the ASA. The LAN 10.45.0.0/16 and 10.45.99.100-200 are on the same network.
-Jouni
-
Allow remote access to the VPN Cisco ASDM
Hello
I am trying to access the ASDM setup for remote VPN users. Our ASA is running version 9.1(1); ASDM is running version 7.1(1)52.
Apart from the inside interface, I have the interface enabled for the VPN tunnel, and I use a 3rd interface (asdm_inf) dedicated to this purpose.
In ASDM I enabled management on the asdm_inf interface. In the ASDM/HTTPS/Telnet/SSH section I also added ASDM/HTTPS (port 444) for asdm_inf, IP address 0.0.0.0 mask 0.0.0.0.
However, when I connect with the VPN client and try https://asdm_inf:444, the connection fails with a timeout.
Where could I go wrong? Any help would be appreciated.
Thank you
Hello
Well, the split tunnel is incorrect: you are tunneling to 172.16.66.0/24, while the interface through which you want to manage ASDM is on 192.168.244.0/24, so the split-tunnel ACL should also include the 192.168.244.0/24 network.
-
Remote access via the internet between Windows 7 PCs and a Windows 7 Pro and a Windows PC Vista Home
I am running Windows 7 Professional on a Dell Studio 1569 laptop (64-bit). I want remote access to one Dell Inspiron running Windows 7 Home, and also to another Dell Inspiron running Windows Vista Home Edition, via an IP connection over the internet. Can I do this, and if so, how? I have used GoToMeeting.com, but I hope I can avoid paying for it by connecting directly. Thanks in advance.
Take a look at TeamViewer. Boulder computer Maven
-
I've recently upgraded to 8.3.2 and I have been informed of the NAT changes, but even after reading https://supportforums.cisco.com/docs/DOC-12569 I am still unable to get the 192.168.100.0 VPN network communicating with hosts on 172.16.1.0 and 172.16.9.0. VPN clients connect to the outside interface, and I try to ping hosts on the inside and in the DMZ, 172.16.1.0 and 172.16.9.0 respectively. The VPN client shows the two networks mentioned above as secured routes, but still no ping.
# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (any) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (any) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
3 (inside) to (any) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
5 (dmz) to (outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-172.16.12.0 obj-172.16.12.0 unidirectional
    translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static obj-172.16.9.5 interface service tcp www www
    translate_hits = 0, untranslate_hits = 142
2 (dmz) to (outside) source static obj-172.16.9.5-01 interface service tcp 3389 3389
    translate_hits = 0, untranslate_hits = 2
3 (dmz) to (outside) source static obj-172.16.9.5-02 interface service tcp ldap ldap
    translate_hits = 0, untranslate_hits = 0
4 (dmz) to (outside) source static obj-172.16.9.5-03 interface service tcp ftp ftp
    translate_hits = 0, untranslate_hits = 0
5 (dmz) to (outside) source static obj-172.16.9.5-04 interface service tcp smtp smtp
    translate_hits = 0, untranslate_hits = 267
6 (inside) to (dmz) source static obj-172.16.9.0 172.16.9.0
    translate_hits = 4070, untranslate_hits = 224
7 (inside) to (dmz) source static obj-10.1.0.0 10.1.0.0
    translate_hits = 0, untranslate_hits = 0
8 (inside) to (dmz) source static obj-172.16.0.0 172.16.0.0
    translate_hits = 152, untranslate_hits = 4082
9 (dmz) to (outside) source dynamic obj-172.16.9.0-01 interface
    translate_hits = 69, untranslate_hits = 0
10 (inside) to (outside) source dynamic obj_any interface
    translate_hits = 196, untranslate_hits = 32
I think you need the following two NAT configurations:
nat (inside,outside) source static obj-172.16.1.0 obj-172.16.1.0 destination static obj-192.168.100.0 obj-192.168.100.0
nat (dmz,outside) source static obj-172.16.9.0 obj-172.16.9.0 destination static obj-192.168.100.0 obj-192.168.100.0
Please configure them, remove any additional NAT configuration, and then try again.
-
SSLVPN via Cisco VPN Client (simultaneous use)
Hi, I'm working on a new setup: 1) connect to the first network with the Cisco VPN client; 2) through this connection, route to another Cisco SSL VPN device and perform an SSL VPN connection. Has anyone tried this before? Are there problems or workarounds? Thanks in advance!
I do it all the time without any problems.
HTH >
-
Easy traffic between remote sites via Cisco VPN
We have a Cisco 2921 router at headquarters (Easy VPN server) and have deployed Cisco 887VA routers (Easy VPN remote, network extension mode) at the remote offices using Easy VPN. We carry voice and data traffic over the VPN. Everything has been working great until this problem was discovered today:
When a remote user behind a Cisco 887VA calls another remote user also behind a Cisco 887VA, the call connects and the Avaya IP phone rings, but there is no voice in either direction.
Calls from headquarters and from external mobile/fixed lines are fine. Only calls between two remote sites are affected.
There is no need for a DATA connection between the remote sites; our only concern is the voice.
By the looks of it, I think "hair-pinning" traffic on the VPN interface is necessary, but I need some advice on the configuration (example configs etc.).
Thanks in advance.
Thanks for your quick response.
I am sorry, I assumed that the clients had been configured in client mode.
No need to remove SDM_POOL_1, given that the clients are already configured for NEM.
But add:
crypto isakmp client configuration group CliniEasyVPN
 network extension mode
Are you able to ping from one spoke to the other?
Please make this change:
ip access-list extended 105
 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
* Of course, this is so that traffic between the spokes is not translated.
Let me know if you have any questions.
Thank you.
Portu.
-
VPN remote access - no network connectivity internal!
Hi Experts,
I understand that this is a very common problem when implementing IPsec VPN for remote access using the Cisco VPN Client. But for the last six months I have tried to configure remote VPN access at as many customer sites, and I get stuck with the same issue!
- The remote VPN client connects and authenticates successfully against the local user database (to make things easier, I used local user authentication); the tunnel is set up (I could see the output of "show isakmp sa" as AM_ACTIVE). So I think the encryption and authentication parameters for Phase 1/Phase 2 should be fine, because the tunnel is successfully established.
- Now comes the issue: no connectivity to the internal network. I tried all the possible solutions I could find online.
1. The most common problem is NAT-Traversal not being enabled
- Enabled NAT-T with the default keepalive time of 20
2. No NAT configuration to exempt remote VPN traffic
- Checked the NAT configuration present in the config: traffic between the internal network 192.168.1.X and the VPN networks 192.168.5.X/192.168.10.X is exempted from NAT
3. Split tunnel configuration
- Reconfigured the split tunnel access list from a standard access list to an extended access list (although not required, as a standard access list is more than enough, if I'm not mistaken) to allow selected traffic from 192.168.1.X to 192.168.5.X/192.168.10.X, which creates routes on the client that allow users to access VPN resources and the Internet simultaneously. The split tunnel network list was added again to the group policy.
4. Perfect Forward Secrecy (PFS) enabled/disabled
- It may be an extra overhead; it has been disabled/enabled
5. Reverse Route Injection
- Ensured that a temporary reverse route is injected into the routing table by enabling Reverse Route Injection, which automatically inserts temporary static routes to the remote tunnel networks, using the command "set reverse-route"
A few more interesting things were noted:
Encrypted and bypassed packets are counted when a continuous ping to the ASA inside interface is started.
No decryption happens on the VPN client, which means there is no answer coming back from the network (traffic statistics).
Decrypted packets are found to be increasing when I try to ping the client's IP address (192.168.0.10) from the ASA. But on the ASA I don't get any response back; it shows as "?". So that would mean there is communication from the ASA to the client via the VPN tunnel, while no communication is happening from the internal network to the client.
The entire configuration is shown below:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password AS3P3A8i0l6.JxwD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X.X.X.X 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list SHEEP extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ST1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.0.10-192.168.0.15
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list SHEEP
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto ca server
 smtp from-address [email protected]
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.10-192.168.1.132 inside
dhcpd dns 8.8.8.8 4.4.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RAVPN internal
group-policy RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ST1
 address-pools value testpool
username dk password Z6zukyDvwVjP7o24 encrypted privilege 15
username sv password i1gRUVsEALixX3ei encrypted
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 address-pool testpool
 default-group-policy RAVPN
tunnel-group testgroup ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:48f0863a70b8f382c7b71db0b88620fe
: end
Could you please help me identify where I'm going wrong? I have been trying to figure this out for a long time, but nothing seems to work! ;-(
Help, please!
Thank you
ANUP
(1) Please replace the split tunnel ACL with a standard ACL, as follows:
no access-list ST1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ST1 standard permit 192.168.1.0 255.255.255.0
(2) Add ICMP inspection:
policy-map global_policy
 class inspection_default
  inspect icmp
(3) Finally, add the following so that you can test against the ASA inside interface:
management-access inside
-
Dear members
Please see the diagram for an easy understanding of the issue.
I am facing a problem with the SSL VPN configured on ASA 5520. Here's the simple network topology.
The customer has an ERP server in the inside segment, which is running Apache/Tomcat 5.5 and listening on port 8204. The complete URL to access the installed application is
http://192.168.2.1:8204/system/servlet/login
The ASA connects to a router at the perimeter, which also has remote access VPN configured. Cisco VPN client users can access this URL easily when they connect via VPN; also, if I create a static translation for the IP 192.168.2.1, the full URL is accessible from outside. But the problem is with SSL VPN: when I enter the URL, nothing appears and the session expires; however, if I just enter http://192.168.2.1:8204, the Apache/Tomcat page opens, which means that through SSL VPN I can reach the web server running on 192.168.2.1, but this particular URL is not accessible.
Here Apache on the ERP server is listening on a non-standard port, which could be the reason; I may need to create a port forwarding or "smart tunnel".
I already tried port forwarding, but that has not solved the problem.
All entries from your side will be highly appreciated.
Thank you
Ahad
Hi Ahad,
When you access the server (the http://192.168.2.1:8204/system/servlet/login URL) from the inside, does the URL in the browser address bar remain the same, or does it redirect?
Is there a Java applet on the login page?
Now, there are several things to try:
- do a "view page source" on the working (internal or via IPsec VPN) login page and again on the failing (via WebVPN) page and compare; does that raise any suspicion?
- you can install software like Charles SSL Proxy (http://www.charlesproxy.com/ - note this is not a Cisco product, nor approved by Cisco) to see exactly what is happening over the SSL tunnel (i.e. it will show you the HTTP request from the browser to the server and the response). Again, you can do this for both the working and the failing case to compare.
- as a possible solution: create an HTTP bookmark on the portal for this URL and select "smart tunnel" for it.
HTH
Herbert
-
IP overlapping between VPN remote access and within the interface
Hi all
I am trying to replace an ASA and have configured VPN for remote access using the Cisco VPN client.
Remote access users are not able to access the inside network, but have no problem accessing the network through a site-to-site VPN.
One thing to note is that remote access VPN users are assigned an IP address from 10.X.3.1-10.X.3.200 mask 255.255.255.0. The inside interface is on 10.X.1.2 255.255.0.0.
Remote access users have no problem accessing the inside network if the VPN client pool is changed to 192.168.1.1-192.168.1.100.
ASA errors:
6 Jan 07 2012 16:25:08 302013 10.X.3.1 27724 10.X.1.66 3389 Built inbound TCP connection 20940 for outside:10.X.3.1/27724 (10.X.3.1/27724)(LOCAL\Cisco) to inside:10.X.1.66/3389 (10.X.1.66/3389) (Cisco)
6 Jan 07 2012 16:25:08 106015 10.X.1.66 3389 10.X.3.1 27724 Deny TCP (no connection) from 10.X.1.66/3389 to 10.X.3.1/27724 flags SYN ACK on interface dmz
I understand that the overlap between the remote access VPN IP address range and the inside interface network will cause routing problems, but why does the SYN-ACK appear on the DMZ interface? The DMZ interface is on IP address 172.16.Y.1 255.255.255.0.
I intend to reduce the inside interface to 10.X.0.0 255.255.254.0 if it is in fact a routing problem due to the overlapping IP addresses, but I want to understand why the SYN-ACK comes from the DMZ interface and whether the diagnosis of the problem is correct. I checked with the customer and was informed that the existing design works on another ASA with no such problems.
I agree with what you said and also tried it, but it does not work.
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a00807e0aca.shtml#overlap
Solution, which you already know:
Solution
Always ensure that the IP addresses in the pool to be assigned to VPN clients, the internal network of the head-end, and the internal network of the VPN client are in different networks. You can assign the same major network with different subnets, but sometimes this causes routing problems.
Thank you
Ajay
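Several of the threads above fail on the same handful of remote-access mistakes: a VPN pool overlapping the inside subnet (this thread and the 10.45.0.0/16 one), a split-tunnel ACL that omits a network the client must reach (the ASDM thread), a NAT0 ACL defined but never applied with a "nat" command, and NAT-T not enabled for clients behind PAT (the first thread). The checker below is an added example, not any poster's code; it assumes ASA 8.2-style syntax and runs over a constructed sample config.

```python
# Added example, not any poster's code: lint a minimal ASA 8.2-style config for
# the mistakes seen on this page (pool overlap, split-tunnel gap, NAT0 unused, no NAT-T).
import ipaddress
import re

# Constructed sample config reproducing the overlap case from the last thread:
# pool 10.1.3.1-10.1.3.200 lies inside the inside interface's 10.1.0.0/16.
SAMPLE_CONFIG = """
interface Vlan1
 nameif inside
 ip address 10.1.1.2 255.255.0.0
interface Vlan2
 nameif outside
 ip address 203.0.113.2 255.255.255.0
ip local pool vpnpool 10.1.3.1-10.1.3.200 mask 255.255.255.0
access-list SHEEP extended permit ip 10.1.0.0 255.255.0.0 10.1.3.0 255.255.255.0
access-list ST1 standard permit 172.16.66.0 255.255.255.0
group-policy RAVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ST1
"""

def interfaces(cfg):
    """Return {nameif: subnet} for every interface that has an IP address."""
    result, name = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("interface "):
            name = None                      # new block: nameif not seen yet
        elif line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("ip address ") and name:
            _, _, ip, mask = line.split()
            result[name] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return result

def pools(cfg):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pat = re.compile(r"ip local pool (\S+) (\S+)-(\S+)")
    return {m.group(1): (ipaddress.ip_address(m.group(2)),
                         ipaddress.ip_address(m.group(3)))
            for m in pat.finditer(cfg)}

def pool_overlaps(cfg):
    """(pool, interface) pairs where a pool end falls inside an interface subnet."""
    return [(pname, ifname)
            for pname, (first, last) in pools(cfg).items()
            for ifname, net in interfaces(cfg).items()
            if first in net or last in net]

def acl_networks(cfg, name):
    """Networks permitted by a standard ACL (the form a split-tunnel list takes)."""
    pat = re.compile(rf"access-list {re.escape(name)} standard permit (\S+) (\S+)")
    return [ipaddress.ip_network(f"{ip}/{mask}") for ip, mask in pat.findall(cfg)]

def split_tunnel_covers(cfg, target):
    """True if the split-tunnel list bound to the group policy includes target."""
    m = re.search(r"split-tunnel-network-list value (\S+)", cfg)
    if not m:
        return False                         # no list bound: nothing is tunneled
    target = ipaddress.ip_network(target)
    return any(target.subnet_of(net) for net in acl_networks(cfg, m.group(1)))

def nat_exemption_acl(cfg):
    """Name of the ACL applied with 'nat (<if>) 0 access-list <name>', else None."""
    m = re.search(r"^\s*nat \(\S+\) 0 access-list (\S+)", cfg, re.M)
    return m.group(1) if m else None

def nat_traversal_enabled(cfg):
    """True if NAT-T is on (needed when several clients share one PAT address)."""
    return re.search(r"^\s*crypto isakmp nat-traversal", cfg, re.M) is not None

def findings(cfg, must_reach):
    """Collect readable problems; must_reach lists networks the clients need."""
    out = [f"pool {p} overlaps the {i} subnet; use a separate network"
           for p, i in pool_overlaps(cfg)]
    out += [f"split-tunnel ACL does not include {net}"
            for net in must_reach if not split_tunnel_covers(cfg, net)]
    if nat_exemption_acl(cfg) is None:
        out.append("no 'nat (inside) 0 access-list' line: VPN traffic will be NATed")
    if not nat_traversal_enabled(cfg):
        out.append("crypto isakmp nat-traversal missing: clients behind PAT may fail")
    return out

if __name__ == "__main__":
    for problem in findings(SAMPLE_CONFIG, ["192.168.244.0/24"]):
        print("finding:", problem)
```

Run against the sample it reports all four problems; adding the "nat (inside) 0" and "crypto isakmp nat-traversal" lines and asking only for 172.16.66.0/24 leaves just the pool overlap.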