The ranting of an IT Professional:

VPN

May 27 2009   4:13PM GMT

Cisco ASA - Remote access VPN users can't connect to internal resources on the same network



Posted by: Jason Tramer
ASA, Cisco, 5510, Remote Access, VPN, can't connect to internal resources on the same network, NAT

So I was working with a Cisco ASA 5510. The inside network was 10.0.0.0/24. I had created a remote access VPN policy for users and set them up to receive addresses on the inside network (10.0.0.0/24).

While the users were able to connect to the VPN fine, they were not able to ping or access any resources on the internal network. The reason I found for this is that even though they are receiving addresses on the same subnet as the internal LAN, the ASA still treats them as a separate network: the clients are reached through the outside interface, so traffic from the inside LAN toward a VPN client leaves via the outside interface and matches your dynamic NAT rule, which translates it and breaks the return path.

The way to resolve this is to create a NAT exemption (nat 0) rule from your inside network to your inside network, which in practice means from the inside LAN to the VPN pool range sitting inside it. Sounds funny, but it works. Just make sure the pool range is excluded from the LAN's DHCP scope, or a client and a VPN user will eventually end up with the same address.

Hope this helps
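As an added example (not the author's config), here is what the fix amounts to on a 2009-era ASA running 8.2-style NAT syntax, plus the equivalent for 8.3 and later. The pool range 10.0.0.200-10.0.0.250, the ACL name NONAT, the object names and NAT id 1 are all assumptions:

```cisco
! Added example, not the original post's configuration.
! Assumed: pool 10.0.0.200-10.0.0.250 inside 10.0.0.0/24, ACL NONAT, NAT id 1, ASA 8.2 syntax.
ip local pool VPN_POOL 10.0.0.200-10.0.0.250 mask 255.255.255.0

! The dynamic NAT/PAT rule that was silently catching LAN -> VPN client traffic,
! because VPN clients are reached via the outside interface.
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface

! NAT exemption: inside LAN to the (same) inside subnet is never translated.
! This is the "inside to inside" rule from the post; it covers the pool range.
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Verify from the CLI: the NAT phase should hit the exemption and the result be ALLOW.
packet-tracer input inside icmp 10.0.0.10 8 0 10.0.0.201 detailed
show xlate

! ASA 8.3+ equivalent (identity twice NAT), if the box has been upgraded:
object network INSIDE_LAN
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static INSIDE_LAN INSIDE_LAN destination static INSIDE_LAN INSIDE_LAN no-proxy-arp route-lookup
```

Two things worth knowing: the exemption must appear before (or be the nat 0 form of) any dynamic rule that also matches the inside subnet, and moving the pool to its own subnet does not remove the need for it on 8.2, it only makes the rule read as "inside to pool" instead of "inside to inside".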

Apr 30 2009   8:45PM GMT

Watchguard MUVPN not working due to Mcafee firewall



Posted by: Jason Tramer
WatchGuard, VPN, firewall, McAfee

I hate personal firewall products, but none so much as I hate McAfee. I was testing a MUVPN and the tunnel just wouldn't establish. I turned that thing into Swiss cheese; it shouldn't have been blocking anything, but the VPN tunnel STILL wouldn't come up until I actually turned off the service. Gah, it's frustrating.


Mar 9 2009   3:11PM GMT

Cisco ASA - Remote Access VPN not getting reserved address from DHCP



Posted by: Jason Tramer
Cisco, Cisco ASA - Remote Access VPN not getting reserved address from DHCP, ASA, DHCP, VPN

I have configured a Cisco ASA 5520 in an environment where the remote users need to get statically assigned IP addresses. In the past this was done by using MAC address reservations on the DHCP server. In replacing their old firewall and putting in the ASA, what I have found is that even though Remote Access VPN is configured to assign IP addresses via the DHCP server, and even though that works (you can see the lease on the DHCP server), it does not give them the address that has been reserved by their MAC address. Does anyone know a solution to this? I would love to hear it.


Aug 28 2008   2:36PM GMT

Watchguard MUVPN tunnel dropping after three minutes



Posted by: Jason Tramer
VPN, WatchGuard

Here's a tip to developers if you don't want to be universally hated by me. If you want to create your VPN software so that it drops the tunnel after 3 minutes if it doesn't receive keepalive packets on UDP ports 500 and 4500, that's fine. However, please have the software create exceptions in Windows Firewall, or alert me, or document it somewhere on your site, so that I don't have to waste an entire morning trying to figure out why it's not working. ARGH!
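The Windows Firewall exceptions the post is asking for, as an added example that is not part of the original post and not WatchGuard's installer. The rule names are assumptions; the `netsh advfirewall` context exists on Vista and later, and the older XP syntax is shown last for clients of that era:

```powershell
# Added example (not from the post). Allows the IKE (UDP/500) and NAT-T (UDP/4500)
# traffic an IPsec client such as MUVPN keeps its tunnel alive with.
# Run from an elevated prompt. Rule names below are assumed, not WatchGuard's.
$rules = @(
    @{ Name = 'IPsec IKE (UDP 500)';    Port = 500  },
    @{ Name = 'IPsec NAT-T (UDP 4500)'; Port = 4500 }
)

foreach ($r in $rules) {
    # Inbound: gateway-initiated keepalives / DPD must reach the client even when the
    # client has been quiet long enough for the stateful UDP allowance to expire.
    netsh advfirewall firewall add rule name="$($r.Name) in"  dir=in  action=allow protocol=UDP localport=$($r.Port)
    # Outbound: only matters if outbound filtering has been turned on (off by default).
    netsh advfirewall firewall add rule name="$($r.Name) out" dir=out action=allow protocol=UDP remoteport=$($r.Port)
}

# Verify the rules actually landed before blaming the VPN client again
netsh advfirewall firewall show rule name="IPsec IKE (UDP 500) in"
netsh advfirewall firewall show rule name="IPsec NAT-T (UDP 4500) in"

# Windows XP SP2/SP3 clients use the older firewall context instead:
# netsh firewall add portopening protocol=UDP port=500  name="IPsec IKE"
# netsh firewall add portopening protocol=UDP port=4500 name="IPsec NAT-T"
```

If the client also runs a third-party personal firewall (the McAfee case above), these rules do nothing for that product; it has its own rule set and, as the earlier post notes, may still block the tunnel until its service is stopped.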