sanderjc
asked on
Allowing local and remote LAN access
OK, I am new to the new ASA devices; I have set up PIXes to do this but I'm lost with this one.
OK, I have an ASA 5505 and the VPN is working; I can connect and ping devices on the network.
But my problems are:
1) Can't access them through either Explorer or IE7 (SharePoint on SBS 2003).
2) I lose Internet access on the local client; I would like the Internet to still function.
Here is the running config:
ASA Version 7.2(3)
!
hostname firewall
domain-name nfc.local
enable password XXXXXXXXXXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name nfc.local
object-group network Inside
network-object 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.0.192 255.255.255.192
access-list outside_cryptomap_65535.20 extended permit ip any object-group Inside
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPNACCESS 192.168.0.200-192.168.0.225 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_65535.20
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5 ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.0.11-192.168.0.50 inside
!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
group-policy XXXXXX internal
group-policy XXXXXX attributes
wins-server value 192.168.0.1
dns-server value 192.168.0.1 192.168.0.254
vpn-tunnel-protocol IPSec
default-domain value nfc.local
username XXXXXX password 0A/I7GjKbUI8eUud encrypted privilege 0
username XXXXXX attributes
vpn-group-policy XXXXXX
tunnel-group XXXXXX type ipsec-ra
tunnel-group XXXXXX general-attributes
address-pool VPNACCESS
default-group-policy XXXXX
tunnel-group XXXXX ipsec-attributes
pre-shared-key XXXXX
isakmp ikev1-user-authentication none
tunnel-group-map default-group XXXXXX
prompt hostname context
Cryptochecksum:9a7bcd2051b4fb3b1b8cc36dce43f6c8
: end
ASKER
Thanks for the response
To answer your questions:
1) Yes, I can ping it, the server's gateway is the ASA, and the subnet is the same as the server's.
2) I'm not sure how to do this; do you have the commands for this? I am lost in the GUI trying to find this.
ASKER
I figured it out myself.
I oppose closing the question, refunding the points and selecting the asker's comments as the accepted solution.
1) User states that he has solved the question himself and wishes to have that selected as the accepted answer. (The statement of "I figured it out myself" has no technical merit or value)
2) If someone else has a similar issue, and finds his answer, it really does nothing for anyone else.
3) I will remove my objection if the user posts his technical fix, and will even endorse the action.
ASKER CERTIFIED SOLUTION
I have no further objections. Thank you sanderjc for posting the solution.
Closed, 500 points refunded.
Netminder
Site Admin
2) Modify your VPN so that you can split tunnels, and you will have the ability to access the Internet whilst the VPN is up.
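The commands behind that advice, written against the ASA 7.2(3) config posted in the question, as an added example that is not part of any reply in this thread. It assumes the group-policy is the one redacted as XXXXXX in the posted config, and the ACL name SPLIT_TUNNEL is my own. Alongside the split-tunnel change it also shows the posted single-DES/MD5 IKE and IPsec settings next to an AES-256/SHA replacement, since the existing policy is the weakest the platform will negotiate.

```cisco
! Added example for the posted ASA 5505 / 7.2(3) config; not from the original thread.
! Assumptions: group-policy named XXXXXX (as redacted in the post), ACL name SPLIT_TUNNEL is mine.
! Enter in "configure terminal", then "write memory".
!
! --- 1. Split tunnelling: fixes "I lose Internet access while the VPN is up" ---
! Only traffic to the office LAN goes through the tunnel; everything else leaves the
! client's own Internet connection. On 7.x the split list must be a standard ACL.
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.255.0
group-policy XXXXXX attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! --- 2. Weak setting beside the corrected one ---
! Posted config negotiates IKE with "encryption des" / "hash md5" and protects ESP with
! esp-des (56-bit key). ASA 7.2 and the Cisco VPN Client both support AES-256 and SHA-1.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES256-SHA
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Policy 5 is tried before the posted policy 10. Once every client connects on it,
! retire the DES pieces:
! no crypto isakmp policy 10
! no crypto ipsec transform-set ESP-DES-MD5
! no crypto ipsec transform-set ESP-DES-SHA
!
! --- 3. Checks ---
! show run group-policy XXXXXX   -> split-tunnel-policy tunnelspecified is present
! show vpn-sessiondb remote      -> after a reconnect: Encryption AES256, Hashing SHA1
! On the Windows client, "route print" should show only 192.168.0.0/24 via the VPN
! adapter and the default route still via the local NIC.
```

Caveat a practitioner will want on split tunnelling: with it enabled the remote PC is on the Internet and the office LAN at the same time, so the laptop's host firewall and patch level become part of the LAN's perimeter. The existing `nat (inside) 0` exemption for 192.168.0.192/26 already covers the VPNACCESS pool, so no NAT change is needed for the new ACL.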