03.30.2008 at 08:38AM PDT, ID: 23280794
ASA 5510 Remote Access VPN Internet Access

Asked by andyoww in Cisco PIX Firewall, Networking Hardware Firewalls


I now have my VPN working (thanks to PeteLong & batry boy).

I did not configure split tunneling, hoping that enabling local LAN access on the client would allow clients to access the Internet via their local LANs.

Now that I can test, I see that doesn't work.

Again, I'm sure it's only a couple of lines I'm missing.

Thanks for your help.

Here's my entire config.
asa# sh run
 
ASA Version 7.0(7)
!
hostname asa
domain-name domain.com
enable password 122334455 encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 69.x.x.x 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.68.3.1 255.255.255.0
!
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 172.x.x.x 255.255.0.0
 management-only
!
passwd 122334455 encrypted
ftp mode passive
clock timezone cst -6
clock summer-time cst recurring
dns domain-lookup inside
dns name-server 192.168.3.101
access-list outside_acl extended permit udp any host 192.168.3.101 eq ntp
access-list outside_acl extended deny ip host 24.x.x.x any
access-list outside_acl extended deny tcp any any eq 161
access-list outside_acl extended deny udp any any eq snmp
access-list outside_acl extended deny tcp any any eq telnet
access-list outside_acl extended permit ip any any
access-list Local_LAN_Access remark VPN Client Local LAN Access
access-list Local_LAN_Access standard permit host 0.0.0.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.3.0 255.255.255.0
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 69.x.x.x 1
route inside 10.x.x.x 255.255.255.255 192.x.x.x 1
route inside 10.x.x.x 255.255.255.255 192.x.x.x 1
route inside 10.x.x.x 255.255.255.255 192.x.x.x 1
route inside 10.x.x.x 255.255.255.255 192.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value 192.168.3.101
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 18
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value domain.com
 split-dns none
 secure-unit-authentication disable
 user-authentication enable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy MYPolicy internal
group-policy MYPolicy attributes
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Local_LAN_Access
 default-domain value domain.com
 webvpn
username user1 password 122334455 encrypted
username user1 attributes
 vpn-group-policy MYPolicy
 vpn-framed-ip-address 192.168.50.2 255.255.255.0
 webvpn
username user2 password 122334455 encrypted
username user2 attributes
 vpn-group-policy MYPolicy
 vpn-tunnel-protocol IPSec webvpn
 vpn-framed-ip-address 192.168.50.3 255.255.255.0
 webvpn
http server enable
http 192.168.3.0 255.255.255.0 inside
http 172.x.x.x 255.255.0.0 management
!
access-list nonat permit ip any 192.168.50.0 255.255.255.0
nat (inside) 0 access-list nonat
!
no snmp-server location
no snmp-server contact
crypto ipsec transform-set MYset esp-3des esp-md5-hmac
crypto dynamic-map MYmap 10 set transform-set MYset
crypto dynamic-map MYmap 10 set reverse-route
crypto map IPSec_map 65535 ipsec-isakmp dynamic MYmap
crypto map IPSec_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group MYGROUPVPN type ipsec-ra
tunnel-group MYGROUPVPN ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh scopy enable
ssh 128.X.X.X 255.255.255.248 outside
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:122334455
: end
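The accepted solution is not reproduced on this page, so the following is an added example, not the original poster's configuration and not batry_boy's answer. The reason the posted setup does not give clients Internet access is that "Allow Local LAN Access" together with `split-tunnel-policy excludespecified` and the `host 0.0.0.0` list only excludes the client's directly connected subnet from the tunnel; with everything else still tunnelled (`tunnelall` behaviour for non-local destinations), Internet-bound packets arrive at the ASA and are dropped, because decrypted traffic that has to leave on the same outside interface is not permitted by default and the 192.168.50.0/24 pool has no NAT rule on that path. The two alternatives below assume the posted config is otherwise unchanged on ASA 7.0(7): group policy `MYPolicy`, client addresses in 192.168.50.0/24, the existing `global (outside) 1 interface`, and the Cisco VPN Client with Local LAN Access enabled. The `Split_Tunnel` ACL name and the placeholder comment for the masked 10.x routes are assumptions for illustration.

```cisco
! Added example, not from the original post. Choose ONE option; they are alternatives.
!
! ---- Option 1: keep tunnelall, route client Internet traffic back out through the ASA ----
! Decrypted VPN traffic enters on "outside" and, for Internet destinations, must leave
! on "outside" again. The ASA refuses that hairpin unless told otherwise:
same-security-traffic permit intra-interface
!
! The client pool must be PAT'd to the outside interface address on the way back out,
! just as inside hosts are. "global (outside) 1 interface" from the posted config is
! already the translation target for NAT id 1.
nat (outside) 1 192.168.50.0 255.255.255.0
!
! Leave MYPolicy as posted (excludespecified + Local_LAN_Access): clients still reach
! their own LAN directly, while everything else, Internet included, rides the tunnel
! and passes the ASA's inspection and logging.
!
! ---- Option 2: split tunneling, only corporate prefixes go through the tunnel ----
! List every network that should be reached via the VPN: the inside subnet plus the
! 10.x networks routed behind it (masked in the post, so shown here as a placeholder).
! Anything not listed leaves via the client's own default gateway, which already
! covers the local LAN, so the Local_LAN_Access list is no longer needed.
access-list Split_Tunnel remark Networks reachable through the VPN tunnel (assumed name)
access-list Split_Tunnel standard permit 192.168.3.0 255.255.255.0
! access-list Split_Tunnel standard permit 10.x.x.x 255.255.255.255   <- one per routed 10.x entry, as posted
group-policy MYPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel
!
! ---- Verify after the client reconnects ----
! show run group-policy MYPolicy        confirm the policy user1/user2 inherit
! show vpn-sessiondb remote             session up, assigned address in 192.168.50.0/24
! show xlate | include 192.168.50       Option 1 only: a PAT entry appears when the client browses
```

Option 1 keeps all client Internet traffic under the ASA's `outside_acl`, inspection and logging at the cost of hairpinning it through the site's uplink; Option 2 saves that bandwidth but leaves the client simultaneously connected to the Internet and the corporate network with no control from the ASA, so it deserves a host firewall on the client. In either case the change takes effect for new sessions, so disconnect and reconnect the VPN client before testing.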
03.30.2008 at 11:00AM PDT, ID: 21241400

About this solution

Zones: Cisco PIX Firewall, Networking Hardware Firewalls
Tags: Cisco, ASA, 5510
Solution Provided By: batry_boy
Participating Experts: 1
Solution Grade: A
 
 
 