stephen2025
asked on
VPN SPLIT TUNNELING CONFIGURATION ISSUE
I am fairly new with Networking. I recently replace my company's old symantec firewall with CISCO ASA5505 security appliance. I can successfully connect to VPN however, I can not access the internet/outlook while connected. On the VPN client, I check allow LAN access. Please help
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name propaksw.com
access-list test_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.51.1-192.168.51.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy propakvpn internal
group-policy propakvpn attributes
dns-server value 192.168.50.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value propakvpn_splitTunnelAcl
default-domain value propaksw.com
username chengyuc password /zQEfoAYoekYrBdD encrypted privilege 0
username chengyuc attributes
vpn-group-policy propakvpn
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group propakvpn type ipsec-ra
tunnel-group propakvpn general-attributes
address-pool vpnpool
default-group-policy propakvpn
tunnel-group propakvpn ipsec-attributes
pre-shared-key *
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d2a0cea88efec88116197c6b53c63514
: end
check the settings on the router/firewall dealing with allowing internet access. It is possible you have it set to only allow a certain set of computers access. Connecting via vpn is like plugging a new computer into your internal network. Test the settings by plugging a previously unseen laptop on the network and see if you have internet access.
You have specified a split tunnel ACL in your configufration named "propakvpn_splitTunnelAcl"
access-list propakvpn_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any
See if that helps your split tunneling configuration...
access-list propakvpn_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any
See if that helps your split tunneling configuration...
ASKER
thanks dave4dl, Batry boy !
I already included access-list propakvpn_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any which is from a previous solution of a previous inquiry and still I can not access internet access when vpn'ed. I did some troubleshooting and see snippet.
It was odd because when a issue a route change command (with values the same) it change my default gateway from 192.168.51.2 (default gateway vpn connection) to 192.168.1.1 (DG of my local connection).
I already included access-list propakvpn_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any which is from a previous solution of a previous inquiry and still I can not access internet access when vpn'ed. I did some troubleshooting and see snippet.
It was odd because when a issue a route change command (with values the same) it change my default gateway from 192.168.51.2 (default gateway vpn connection) to 192.168.1.1 (DG of my local connection).
Below is the route print snap shot (with this I am connected through VPN'ed but no access to internet.
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 25
0.0.0.0 0.0.0.0 192.168.51.2 192.168.51.1 1
24.227.XX.XX 255.255.255.255 192.168.1.1 192.168.1.3 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 25
192.168.1.0 255.255.255.0 192.168.51.2 192.168.51.1 25
192.168.1.1 255.255.255.255 192.168.1.3 192.168.1.3 1
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 25
192.168.51.0 255.255.255.0 192.168.51.1 192.168.51.1 25
192.168.51.1 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.51.255 255.255.255.255 192.168.51.1 192.168.51.1 25
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 25
224.0.0.0 240.0.0.0 192.168.51.1 192.168.51.1 25
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 1
255.255.255.255 255.255.255.255 192.168.51.1 2 1
255.255.255.255 255.255.255.255 192.168.51.1 192.168.51.1 1
Default Gateway: 192.168.51.2
===========================================================================
Persistent Routes:
None
Below is the route print snapshot after I issue below route change command. I can connect to the internet but can not access network resources.
C:\Documents and Settings\stephenu>route change 0.0.0.0 mask 0.0.0.0 192.168.1.1
metric 25
C:\Documents and Settings\stephenu>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 c5 b3 26 19 ...... Broadcom NetXtreme 57xx Gigabit Controller - Pac
ket Scheduler Miniport
0x3 ...00 17 31 ad 1a 12 ...... Dell Wireless 1390 WLAN Mini-Card - Packet Sched
uler Miniport
0x30005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler
Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 25
24.227.XX.XX 255.255.255.255 192.168.1.1 192.168.1.3 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 25
192.168.1.0 255.255.255.0 192.168.51.2 192.168.51.1 25
192.168.1.1 255.255.255.255 192.168.1.3 192.168.1.3 1
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 25
192.168.51.0 255.255.255.0 192.168.51.1 192.168.51.1 25
192.168.51.1 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.51.255 255.255.255.255 192.168.51.1 192.168.51.1 25
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 25
224.0.0.0 240.0.0.0 192.168.51.1 192.168.51.1 25
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 1
255.255.255.255 255.255.255.255 192.168.51.1 2 1
255.255.255.255 255.255.255.255 192.168.51.1 192.168.51.1 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
NoneASKER
Is there a minimum speed for VPN connection? I am using wireless at 54Mbps but sometimes the VPN connection will be cut-off with an error message " disconnected because remote peer is not responding"
>>Is there a minimum speed for VPN connection?
No, there is not. That message typically means either a general network connectivity issue on the VPN server (ASA) side or a misconfiguration of some sort.
When you are in a VPN session, right-click on the yellow padlock in the system tray and then click "Statistics" on the menu that pops up. Click on the "Route Details" tab and look at the "Secured Routes" window. If it says:
0.0.0.0 0.0.0.0
Then you have a fully tunneled connection and your split tunneling configuration is not configured properly. If it says:
192.168.50.0 255.255.255.0
Then the only traffic that is being sent down the tunnel is traffic destined for the 192.168.50.0/24 network which means that your split tunneling configuration is correct. Post back with your results.
No, there is not. That message typically means either a general network connectivity issue on the VPN server (ASA) side or a misconfiguration of some sort.
When you are in a VPN session, right-click on the yellow padlock in the system tray and then click "Statistics" on the menu that pops up. Click on the "Route Details" tab and look at the "Secured Routes" window. If it says:
0.0.0.0 0.0.0.0
Then you have a fully tunneled connection and your split tunneling configuration is not configured properly. If it says:
192.168.50.0 255.255.255.0
Then the only traffic that is being sent down the tunnel is traffic destined for the 192.168.50.0/24 network which means that your split tunneling configuration is correct. Post back with your results.
ASKER
it is 0.0.0.0 0.0.0.0. Please advise how to correct problem. Thanks very much!!!!
Post your current config so I can take a look...
ASKER
pls see below
hostname propak-gw120707
domain-name propaksw.com
enable password DHAsnd72H9963llX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.9 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 24.227.xx.xxx 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name propaksw.com
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 8080
access-list 110 extended permit tcp any host 24.227.xx.xxx eq https
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 7777
access-list 110 extended deny icmp any any
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 5000
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 5100
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 4001
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 4030
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 3085
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 1433
access-list 110 extended permit tcp any host 24.227.xx
.xxx eq www
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 7072
access-list 110 extended permit tcp any host 24.227.xx.xxx eq ftp
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 3389
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 82
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 83
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 6080
access-list test_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.51.1-192.168.51.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
static (inside,outside) tcp interface 8080 192.168.50.10 8080 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.50.116 https netmask 255.255.255.255
static (inside,outside) tcp interface 5000 192.168.50.3 5000 netmask 255.255.255.255
static (inside,outside) tcp interface 5100 192.168.50.12 5100 netmask 255.255.255.255
static (inside,outside) tcp interface 4001 192.168.50.10 4001 netmask 255.255.255.255
static (inside,outside) tcp interface 4030 192.168.5.13 4030 netmask 255.255.255.255
static (inside,outside) tcp interface 3085 192.168.50.3 3085 netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.50.10 1433 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255
static (inside,outside) tcp interface 7072 192.168.50.116 7072 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.50.10 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.50.110 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 82 192.168.50.20 82 netmask 255.255.255.255
static (inside,outside) tcp interface 83 192.168.50.3 83 netmask 255.255.255.255
static (inside,outside) tcp interface 6080 192.168.50.5 6080 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 7777 192.168.50.116 7777 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 24.227.xx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy propakvpn internal
group-policy propakvpn attributes
dns-server value 192.168.50.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value propakvpn_splitTunnelAcl
default-domain value propaksw.com
username chengyuc password /zQEfoAYoekYrBdD encrypted privilege 0
username chengyuc attributes
vpn-group-policy propakvpn
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group propakvpn type ipsec-ra
tunnel-group propakvpn general-attributes
address-pool vpnpool
default-group-policy propakvpn
tunnel-group propakvpn ipsec-attributes
pre-shared-key *
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d2a0cea88efec88116197c6b53c63514
: end
I don't see the ACL called "propakvpn_splitTunnelAcl"
access-list propakvpn_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any
You mentioned earlier that you had already put this in, but I don't see it in there now. Did you take it back out at some point in your troubleshooting? Put it back in and try it out.
access-list propakvpn_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any
You mentioned earlier that you had already put this in, but I don't see it in there now. Did you take it back out at some point in your troubleshooting? Put it back in and try it out.
ASKER
sorry. I attached the wrong file. This line on the config:
access-list propakvpn_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any
access-list propakvpn_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any
hostname propak-gw120707
domain-name propaksw.com
enable password DHAsnd72H9963llX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.9 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 24.227.xx.xxx 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name propaksw.com
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 8080
access-list 110 extended permit tcp any host 24.227.xx.xxx eq https
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 7777
access-list 110 extended deny icmp any any
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 5000
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 5100
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 4001
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 4030
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 3085
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 1433
access-list 110 extended permit tcp any host 24.227.xx.xxx eq www
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 7072
access-list 110 extended permit tcp any host 24.227.xx.xxx eq ftp
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 3389
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 82
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 83
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 6080
access-list propakvpn_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.51.1-192.168.51.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
static (inside,outside) tcp interface 8080 192.168.50.10 8080 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.50.116 https netmask 255.255.255.255
static (inside,outside) tcp interface 5000 192.168.50.3 5000 netmask 255.255.255.255
static (inside,outside) tcp interface 5100 192.168.50.12 5100 netmask 255.255.255.255
static (inside,outside) tcp interface 4001 192.168.50.10 4001 netmask 255.255.255.255
static (inside,outside) tcp interface 4030 192.168.5.13 4030 netmask 255.255.255.255
static (inside,outside) tcp interface 3085 192.168.50.3 3085 netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.50.10 1433 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255
static (inside,outside) tcp interface 7072 192.168.50.116 7072 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.50.10 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.50.110 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 82 192.168.50.20 82 netmask 255.255.255.255
static (inside,outside) tcp interface 83 192.168.50.3 83 netmask 255.255.255.255
static (inside,outside) tcp interface 6080 192.168.50.5 6080 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 7777 192.168.50.116 7777 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 24.227.43.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy propakvpn internal
group-policy propakvpn attributes
dns-server value 192.168.50.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value propakvpn_splitTunnelAcl
default-domain value propaksw.com
username chengyuc password /zQEfoAYoekYrBdD encrypted privilege 0
username chengyuc attributes
vpn-group-policy propakvpn
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group propakvpn type ipsec-ra
tunnel-group propakvpn general-attributes
address-pool vpnpool
default-group-policy propakvpn
tunnel-group propakvpn ipsec-attributes
pre-shared-key *
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d2a0cea88efec88116197c6b53c63514
: end
Add this line and see what you get:
crypto isakmp nat-traversal
crypto isakmp nat-traversal
Also, remove the following line (you don't need this):
global (inside) 1 interface
global (inside) 1 interface
ASKER
ok. Please bear with me. I am accessing the ASA5505 using RDP through one of our server and it is not loading and frooze at 67%. I am resetting the server. Also, when I am connected thru VPN I can not access the firewall though the browser with URL https://192.168.50.9. Is this normal?
Yes, it's normal for your current configuration. Add the following lines to be able to access it via a VPN connection on the inside interface:
management-access inside
http 192.168.51.0 255.255.255.0 inside
management-access inside
http 192.168.51.0 255.255.255.0 inside
ASKER
I can not access now my firewall. It froze at 67% (checking software dependencies).
ASKER
thanks for all the inputs. Can we just continue this next week? I can not access now the firewall.
ASKER
Hello batry_boy,
Please see below configuration, I have a both entry for accesgs-list propakvpn_splitTunnelAcl standard permit any and access-list propakvpn_SplittunnelAcl extended permit ip 192.168.50.0 255.255.255.0 any.
I try to get rid of the first line by issuing "no access-list propakvpn_splitTunneling standard permit any I got the below error: Please advise what to do. Thanks!!!!
Result of the command: "no access-list propakvpn_splitTunnelAcl standard permit any"
ERROR: Access-list propakvpn_splitTunnelAcl is attached to class-map, route-map,
username, group-policy, distribute-list, multicast or wccp subsystem.
Please remove the relevant configuration before removing the access-list
Please see below configuration, I have a both entry for accesgs-list propakvpn_splitTunnelAcl standard permit any and access-list propakvpn_SplittunnelAcl extended permit ip 192.168.50.0 255.255.255.0 any.
I try to get rid of the first line by issuing "no access-list propakvpn_splitTunneling standard permit any I got the below error: Please advise what to do. Thanks!!!!
Result of the command: "no access-list propakvpn_splitTunnelAcl standard permit any"
ERROR: Access-list propakvpn_splitTunnelAcl is attached to class-map, route-map,
username, group-policy, distribute-list, multicast or wccp subsystem.
Please remove the relevant configuration before removing the access-list
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(2)
!
hostname propak-gw120707
domain-name propaksw.com
enable password DHAsnd72H9963llX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.9 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 24.227.xxx.xxx 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name propaksw.com
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 8080
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq https
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 7777
access-list 110 extended deny icmp any any
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 5000
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 5100
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 4001
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 4030
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 3085
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 1433
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq www
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 7072
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq ftp
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 3389
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 82
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 83
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 6080
access-list propakvpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.224
access-list propakvpn_SplitTunnelAcl extended permit ip 192.168.50.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.51.1-192.168.51.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
static (inside,outside) tcp interface 8080 192.168.50.10 8080 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.50.116 https netmask 255.255.255.255
static (inside,outside) tcp interface 5000 192.168.50.3 5000 netmask 255.255.255.255
static (inside,outside) tcp interface 5100 192.168.50.12 5100 netmask 255.255.255.255
static (inside,outside) tcp interface 4001 192.168.50.10 4001 netmask 255.255.255.255
static (inside,outside) tcp interface 4030 192.168.5.13 4030 netmask 255.255.255.255
static (inside,outside) tcp interface 3085 192.168.50.3 3085 netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.50.10 1433 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255
static (inside,outside) tcp interface 7072 192.168.50.116 7072 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.50.10 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.50.110 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 82 192.168.50.20 82 netmask 255.255.255.255
static (inside,outside) tcp interface 83 192.168.50.3 83 netmask 255.255.255.255
static (inside,outside) tcp interface 6080 192.168.50.5 6080 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 7777 192.168.50.116 7777 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 24.227.43.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy propakvpn internal
group-policy propakvpn attributes
dns-server value 192.168.50.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value propakvpn_splitTunnelAcl
default-domain value propaksw.com
username chengyuc password /zQEfoAYoekYrBdD encrypted privilege 0
username chengyuc attributes
vpn-group-policy propakvpn
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group propakvpn type ipsec-ra
tunnel-group propakvpn general-attributes
address-pool vpnpool
default-group-policy propakvpn
tunnel-group propakvpn ipsec-attributes
pre-shared-key *
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:453185447b76f0aa1363160fd6e16493
: end
You now have two access lists (line 60 and line 62 in your above output)
access-list propakvpn_splitTunnelAcl standard permit any
access-list propakvpn_SplitTunnelAcl extended permit ip 192.168.50.0 255.255.255.0 any
They're considered two different access lists by the firewall because one has a lowercase "s" in the name and other has an uppercase "S" in the name. This being the case, just do this:
conf t
group-policy propakvpn attributes
split-tunnel-network-list value propakvpn_SplitTunnelAcl
exit
no access-list propakvpn_splitTunnelAcl standard permit any
See if that helps...
access-list propakvpn_splitTunnelAcl standard permit any
access-list propakvpn_SplitTunnelAcl extended permit ip 192.168.50.0 255.255.255.0 any
They're considered two different access lists by the firewall because one has a lowercase "s" in the name and other has an uppercase "S" in the name. This being the case, just do this:
conf t
group-policy propakvpn attributes
split-tunnel-network-list value propakvpn_SplitTunnelAcl
exit
no access-list propakvpn_splitTunnelAcl standard permit any
See if that helps...
ASKER
Yes it work. I will test it at home tonight. Please see below final config. Kindly explain what we just did? Thank you so much.
Result of the command: "show run"
: Saved
:
ASA Version 7.2(2)
!
hostname propak-gw120707
domain-name propaksw.com
enable password DHAsnd72H9963llX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.50.9 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 24.227.XXX.XXX 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name propaksw.com
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 8080
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq https
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 7777
access-list 110 extended deny icmp any any
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 5000
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 5100
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 4001
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 4030
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 3085
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 1433
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq www
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 7072
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq ftp
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 3389
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 82
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 83
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 6080
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.224
access-list propakvpn_SplitTunnelAcl extended permit ip 192.168.50.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.51.1-192.168.51.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
static (inside,outside) tcp interface 8080 192.168.50.10 8080 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.50.116 https netmask 255.255.255.255
static (inside,outside) tcp interface 5000 192.168.50.3 5000 netmask 255.255.255.255
static (inside,outside) tcp interface 5100 192.168.50.12 5100 netmask 255.255.255.255
static (inside,outside) tcp interface 4001 192.168.50.10 4001 netmask 255.255.255.255
static (inside,outside) tcp interface 4030 192.168.5.13 4030 netmask 255.255.255.255
static (inside,outside) tcp interface 3085 192.168.50.3 3085 netmask 255.255.255.255
static (inside,outside) tcp interface 1433 192.168.50.10 1433 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255
static (inside,outside) tcp interface 7072 192.168.50.116 7072 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.50.10 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.50.110 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 82 192.168.50.20 82 netmask 255.255.255.255
static (inside,outside) tcp interface 83 192.168.50.3 83 netmask 255.255.255.255
static (inside,outside) tcp interface 6080 192.168.50.5 6080 netmask 255.255.255.255 dns
static (inside,outside) tcp interface 7777 192.168.50.116 7777 netmask 255.255.255.255
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 24.227.43.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy propakvpn internal
group-policy propakvpn attributes
dns-server value 192.168.50.3
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value propakvpn_SplitTunnelAcl
default-domain value propaksw.com
username chengyuc password /zQEfoAYoekYrBdD encrypted privilege 0
username chengyuc attributes
vpn-group-policy propakvpn
http server enable
http 192.168.51.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group propakvpn type ipsec-ra
tunnel-group propakvpn general-attributes
address-pool vpnpool
default-group-policy propakvpn
tunnel-group propakvpn ipsec-attributes
pre-shared-key *
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:cf021987254d42dd38998e2810268676
: end
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks very much.... Appreciate all the help. I try it tonight. Have a great day!!!
ASKER
Hello batry_boy,
Everything is working good. I can access all my resources. However, I can only access map drive and when I use my network places>> entire network>>>microsoft windows network>>>> domain to access other files I can not see them under my domain though I can access them using the run line \\propak-xxxx. Please advice rationale behind this. Thanks very much.
Everything is working good. I can access all my resources. However, I can only access map drive and when I use my network places>> entire network>>>microsoft windows network>>>> domain to access other files I can not see them under my domain though I can access them using the run line \\propak-xxxx. Please advice rationale behind this. Thanks very much.
I just realized I never answered your question from your last comment on this one.
The reason you can't access file shares via "My Network Places" across a VPN connection is because it uses broadcast traffic to display the list of computers and broadcast traffic cannot traverse a VPN connection because it cannot be routed by its very nature. Only routed traffic can traverse a VPN tunnel. Does this make sense?
The reason you can't access file shares via "My Network Places" across a VPN connection is because it uses broadcast traffic to display the list of computers and broadcast traffic cannot traverse a VPN connection because it cannot be routed by its very nature. Only routed traffic can traverse a VPN tunnel. Does this make sense?