

ASA 5510 internet on VPN doesn't work

Posted on 2006-06-28
Medium Priority
Last Modified: 2010-04-08
I have configured the VPN on the ASA 5510 and the VPN itself works well. However, you cannot connect to the internet while the VPN is active. I figure I have missed something in the config. Can someone please help me out? Here is the current config:

ASA Version 7.0(4)
hostname fw01
domain-name sargem.office
enable password IfsTwrsRylpv1cmS encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit intra-interface
object-group service webmail tcp
 port-object eq www
 port-object eq 480
 port-object eq 8080
 port-object eq https
access-list outside_access_in extended permit icmp any
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp host interface outside eq pop3
access-list outside_access_in extended permit tcp any interface outside object-group webmail
access-list inside_nat0_outbound extended permit ip any
access-list inside_nat0_outbound extended permit ip any
access-list sargem_VPN_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_20 extended permit ip any
access-list sargem_Office_splitTunnelAcl standard permit any
access-list outside_cryptomap_dyn_40 extended permit ip any
access-list RAsargem_splitTunnelAcl standard permit any
access-list inside_cryptomap_dyn_20 extended permit ip any
pager lines 24
logging enable
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool bVPN mask
ip local pool OfficeVPN mask
ERROR: Command requires failover license
ERROR: Command requires failover license
asdm image disk0:/asdm504.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10
static (inside,outside) tcp interface smtp smtp netmask
static (inside,outside) tcp interface pop3 pop3 netmask
static (inside,outside) tcp interface www www netmask
static (inside,outside) tcp interface https https netmask
static (inside,outside) tcp interface 8080 8080 netmask
access-group outside_access_in in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value sargem.Office
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
  functions url-entry
  port-forward-name value Application Access
group-policy RAsargem internal
group-policy RAsargem attributes
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAsargem_splitTunnelAcl
 default-domain value sargem.office
group-policy sargem_VPN internal
group-policy sargem_VPN attributes
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sargem_VPN_splitTunnelAcl
 default-domain value sargem.office
username johnny.kola password eMRIIbNRESWsQuPt encrypted privilege 15
username johnny.kola attributes
 vpn-group-policy sargem_VPN
http server enable
http inside
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map inside_dyn_map 20 match address inside_cryptomap_dyn_20
crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
isakmp enable outside
isakmp enable inside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group sargem_VPN type ipsec-ra
tunnel-group sargem_VPN general-attributes
 address-pool bVPN
 default-group-policy sargem_VPN
tunnel-group sargem_VPN ipsec-attributes
 pre-shared-key *
tunnel-group RAsargem type ipsec-ra
tunnel-group RAsargem general-attributes
 address-pool OfficeVPN
 default-group-policy RAsargem
tunnel-group RAsargem ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address inside
dhcpd address management
dhcpd dns
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain sargem.office
dhcpd enable inside
dhcpd enable management
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
service-policy global_policy global
: end
Question by:matthh

Accepted Solution

stressedout2004 earned 2000 total points
ID: 17005666
I am not sure which group is active, but regardless make the following modification:

access-list sargem_VPN_splitTunnelAcl standard permit
no access-list sargem_VPN_splitTunnelAcl standard permit any
access-list  RAsargem_splitTunnelAcl standard permit
no access-list RAsargem_splitTunnelAcl standard permit any

If you still have difficulty accessing the internet once connected to the VPN after making the changes, I would suggest changing the VPN pool to a totally different subnet. and still overlaps with which is the internal network.
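As an added example (not part of the thread, and not Cisco tooling): a small Python check over a constructed ASA config that flags the two conditions the accepted answer points at. A `tunnelspecified` split-tunnel ACL that permits `any` behaves like `tunnelall`, so the client's internet traffic is sent into the tunnel with no path back out, and a VPN pool carved out of the inside subnet makes the client's traffic collide with the LAN. The sample addresses and the `SAMPLE_CONFIG` text are made up for illustration.

```python
import ipaddress
import re

# Constructed sample config modelled on the thread (addresses made up, not the
# original): one split-tunnel ACL permits "any" and pool bVPN sits inside the LAN.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list sargem_VPN_splitTunnelAcl standard permit any
access-list RAsargem_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
ip local pool bVPN 192.168.1.200-192.168.1.210 mask 255.255.255.0
ip local pool OfficeVPN 10.99.0.1-10.99.0.50 mask 255.255.255.0
group-policy sargem_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sargem_VPN_splitTunnelAcl
group-policy RAsargem attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAsargem_splitTunnelAcl
"""
ACL_RE = re.compile(r"^access-list (\S+) standard permit (.+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask")

def audit_split_tunnel(config):
    """Return findings explaining why VPN clients would lose internet access."""
    findings, acl_any, pools, policy_acls = [], set(), {}, []
    inside_net = nameif = policy = None
    for line in config.splitlines():
        words = line.split() or [""]        # tolerate blank lines
        if words[0] == "nameif":
            nameif = words[1]
        elif words[:2] == ["ip", "address"] and nameif == "inside":
            inside_net = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
        elif (m := ACL_RE.match(line)) and m.group(2) == "any":
            acl_any.add(m.group(1))         # "permit any" in a split list tunnels everything
        elif m := POOL_RE.match(line):
            pools[m.group(1)] = tuple(ipaddress.ip_address(a) for a in m.group(2, 3))
        elif words[0] == "group-policy" and words[-1] == "attributes":
            policy = words[1]
        elif words[0] == "split-tunnel-network-list" and len(words) == 3:
            policy_acls.append((policy, words[2]))
    for policy, acl in policy_acls:
        if acl in acl_any:
            findings.append(f"{policy}: split-tunnel ACL {acl} permits any, so internet "
                            "traffic is forced into the tunnel; permit only the LAN")
    for name, (first, last) in pools.items():
        if inside_net and (first in inside_net or last in inside_net):
            findings.append(f"pool {name} overlaps inside network {inside_net}; "
                            "move it to a separate subnet")
    return findings
```

Running `audit_split_tunnel(SAMPLE_CONFIG)` reports the `sargem_VPN` ACL and the `bVPN` pool; after narrowing the ACL to the LAN and moving the pool, it returns an empty list.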


Author Comment

ID: 17014519
Thank you stressedout! Worked like a charm!
