ASA 5510 internet on VPN doesn't work

Posted on 2006-06-28
Medium Priority
Last Modified: 2010-04-08
I have configured the VPN on the ASA 5510 and the VPN itself works well. However, you cannot connect to the internet while the VPN is active. I figure I have missed something in the config. Can someone please help me out? Here is the current config:

ASA Version 7.0(4)
hostname fw01
domain-name sargem.office
enable password IfsTwrsRylpv1cmS encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit intra-interface
object-group service webmail tcp
 port-object eq www
 port-object eq 480
 port-object eq 8080
 port-object eq https
access-list outside_access_in extended permit icmp any
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp host interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside object-group webmail
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound extended permit ip any
access-list sargem_VPN_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any
access-list sargem_Office_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_40 extended permit ip any
access-list RAsargem_splitTunnelAcl standard permit any
access-list inside_cryptomap_dyn_20 extended permit ip any
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool bVPN mask
ip local pool OfficeVPN mask
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10
static (inside,outside) tcp interface smtp smtp netmask
static (inside,outside) tcp interface pop3 pop3 netmask
static (inside,outside) tcp interface www www netmask
static (inside,outside) tcp interface https https netmask
static (inside,outside) tcp interface 8080 8080 netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value sargem.Office
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
  functions url-entry
  port-forward-name value Application Access
group-policy RAsargem internal
group-policy RAsargem attributes
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAsargem_splitTunnelAcl
 default-domain value sargem.office
group-policy sargem_VPN internal
group-policy sargem_VPN attributes
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sargem_VPN_splitTunnelAcl
 default-domain value sargem.office
username johnny.kola password eMRIIbNRESWsQuPt encrypted privilege 15
username johnny.kola attributes
 vpn-group-policy sargem_VPN
http server enable
http inside
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 match address inside_cryptomap_dyn_20
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
isakmp enable outside
isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group sargem_VPN type ipsec-ra
tunnel-group sargem_VPN general-attributes
 address-pool bVPN
 default-group-policy sargem_VPN
tunnel-group sargem_VPN ipsec-attributes
 pre-shared-key *
tunnel-group RAsargem type ipsec-ra
tunnel-group RAsargem general-attributes
 address-pool OfficeVPN
 default-group-policy RAsargem
tunnel-group RAsargem ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd address management
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain sargem.office
dhcpd enable inside
dhcpd enable management
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
service-policy global_policy global
: end
Question by: matthh

Accepted Solution

stressedout2004 earned 2000 total points
ID: 17005666
I am not sure which group is active, but regardless make the following modification:

access-list sargem_VPN_splitTunnelAcl standard permit
no access-list sargem_VPN_splitTunnelAcl standard permit any
access-list  RAsargem_splitTunnelAcl standard permit
no access-list RAsargem_splitTunnelAcl standard permit any

If you still have difficulty accessing the internet once connected to the VPN after making the changes, I would suggest changing the VPN pool to a totally different subnet. and still overlaps with which is the internal network.

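As an added example (not from the thread, the poster, or Cisco), here is a small Python check for the two conditions the accepted answer points at: a group policy set to `tunnelspecified` whose split-tunnel list is really `permit any` (which tunnels everything, so internet traffic has to hairpin through the ASA), and a VPN address pool that overlaps the inside subnet. The config fragment is constructed with placeholder addresses, since the thread's own addresses were stripped.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the thread's config; addresses are placeholders.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list sargem_VPN_splitTunnelAcl standard permit any
access-list RAsargem_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
ip local pool bVPN 192.168.1.200-192.168.1.220 mask 255.255.255.0
ip local pool OfficeVPN 10.20.30.1-10.20.30.50 mask 255.255.255.0
group-policy sargem_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sargem_VPN_splitTunnelAcl
group-policy RAsargem attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAsargem_splitTunnelAcl
"""

def inside_network(cfg):
    """Return the subnet of the interface named 'inside' as an ip_network."""
    cur = None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = None                       # new interface block starts
        elif line.strip() == "nameif inside":
            cur = "inside"
        elif cur == "inside" and line.strip().startswith("ip address "):
            ip, mask = line.split()[2:4]
            return ip_network(f"{ip}/{mask}", strict=False)
    return None

def group_policy_attrs(cfg):
    """Map each 'group-policy X attributes' block to {attribute: value}."""
    attrs, policy = {}, None
    for line in cfg.splitlines():
        m = re.match(r"group-policy (\S+) attributes$", line)
        if m:
            policy = m.group(1)
            attrs.setdefault(policy, {})
        elif line.startswith(" ") and policy:
            parts = line.split()
            attrs[policy][parts[0]] = " ".join(parts[1:])
        else:
            policy = None                    # left the indented block
    return attrs

def split_tunnel_findings(cfg):
    """(policy, acl) pairs where 'tunnelspecified' points at a 'permit any' ACL."""
    acl_any = set(re.findall(r"^access-list (\S+) standard permit any$", cfg, re.M))
    findings = []
    for policy, a in group_policy_attrs(cfg).items():
        acl = a.get("split-tunnel-network-list", "").replace("value ", "")
        if a.get("split-tunnel-policy") == "tunnelspecified" and acl in acl_any:
            findings.append((policy, acl))
    return findings

def pool_overlap_findings(cfg, inside):
    """Names of 'ip local pool' ranges whose ends fall inside the inside subnet."""
    if inside is None:
        return []
    bad = []
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+) mask", cfg, re.M):
        if ip_address(m.group(2)) in inside or ip_address(m.group(3)) in inside:
            bad.append(m.group(1))
    return bad
```

Running the three checks over `SAMPLE_CONFIG` flags `sargem_VPN` for its `permit any` split-tunnel list and `bVPN` for overlapping the 192.168.1.0/24 inside network, while `RAsargem` and `OfficeVPN` pass.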

Author Comment

ID: 17014519
Thank you stressedout! Worked like a charm!
