
VPN SPLIT TUNNELING CONFIGURATION ISSUE

stephen2025 asked
1,828 Views
Last Modified: 2009-02-20
I am fairly new to networking.  I recently replaced my company's old Symantec firewall with a Cisco ASA5505 security appliance.  I can successfully connect to the VPN; however, I cannot access the internet/Outlook while connected. On the VPN client, I checked "allow LAN access".  Please help
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name propaksw.com
 
access-list test_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.224 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.51.1-192.168.51.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy propakvpn internal
group-policy propakvpn attributes
 dns-server value 192.168.50.3
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value propakvpn_splitTunnelAcl
 default-domain value propaksw.com
username chengyuc password /zQEfoAYoekYrBdD encrypted privilege 0
username chengyuc attributes
 vpn-group-policy propakvpn
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group propakvpn type ipsec-ra
tunnel-group propakvpn general-attributes
 address-pool vpnpool
 default-group-policy propakvpn
tunnel-group propakvpn ipsec-attributes
 pre-shared-key *
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:d2a0cea88efec88116197c6b53c63514
: end


CERTIFIED EXPERT

Commented:
Check the settings on the router/firewall dealing with allowing internet access.  It is possible you have it set to only allow a certain set of computers access.  Connecting via VPN is like plugging a new computer into your internal network.  Test the settings by plugging a previously unseen laptop into the network and see if you have internet access.
You have specified a split tunnel ACL in your configuration named "propakvpn_splitTunnelAcl", but you don't have that ACL actually defined anywhere in your config.  If you want to only tunnel traffic for the LAN behind the ASA, which seems to be 192.168.50.0/24, then add the following ACL, and try your VPN connectivity again:

access-list propakvpn_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any

See if that helps your split tunneling configuration...

Author

Commented:
Thanks dave4dl, Batry boy!

I already included access-list propakvpn_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any, which is from a previous solution to a previous inquiry, and I still cannot access the internet when VPN'ed.  I did some troubleshooting; see the snippet below.

It was odd because when I issue a route change command (with the same values) it changes my default gateway from 192.168.51.2 (the default gateway of the VPN connection) to 192.168.1.1 (the DG of my local connection).

Below is the route print snapshot (with this I am connected through VPN but have no access to the internet).
 
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.3       25
          0.0.0.0          0.0.0.0     192.168.51.2    192.168.51.1       1
    24.227.XX.XX  255.255.255.255      192.168.1.1     192.168.1.3       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.3     192.168.1.3       25
      192.168.1.0    255.255.255.0     192.168.51.2    192.168.51.1       25
      192.168.1.1  255.255.255.255      192.168.1.3     192.168.1.3       1
      192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.1.255  255.255.255.255      192.168.1.3     192.168.1.3       25
     192.168.51.0    255.255.255.0     192.168.51.1    192.168.51.1       25
     192.168.51.1  255.255.255.255        127.0.0.1       127.0.0.1       25
   192.168.51.255  255.255.255.255     192.168.51.1    192.168.51.1       25
        224.0.0.0        240.0.0.0      192.168.1.3     192.168.1.3       25
        224.0.0.0        240.0.0.0     192.168.51.1    192.168.51.1       25
  255.255.255.255  255.255.255.255      192.168.1.3     192.168.1.3       1
  255.255.255.255  255.255.255.255     192.168.51.1               2       1
  255.255.255.255  255.255.255.255     192.168.51.1    192.168.51.1       1
Default Gateway:      192.168.51.2
===========================================================================
Persistent Routes:
  None
 
Below is the route print snapshot after I issue below route change command.  I can connect to the internet but can not access network resources.
 
C:\Documents and Settings\stephenu>route change 0.0.0.0 mask 0.0.0.0 192.168.1.1 metric 25
 
C:\Documents and Settings\stephenu>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 15 c5 b3 26 19 ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
0x3 ...00 17 31 ad 1a 12 ...... Dell Wireless 1390 WLAN Mini-Card - Packet Scheduler Miniport
0x30005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.3       25
    24.227.XX.XX  255.255.255.255      192.168.1.1     192.168.1.3       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.3     192.168.1.3       25
      192.168.1.0    255.255.255.0     192.168.51.2    192.168.51.1       25
      192.168.1.1  255.255.255.255      192.168.1.3     192.168.1.3       1
      192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.1.255  255.255.255.255      192.168.1.3     192.168.1.3       25
     192.168.51.0    255.255.255.0     192.168.51.1    192.168.51.1       25
     192.168.51.1  255.255.255.255        127.0.0.1       127.0.0.1       25
   192.168.51.255  255.255.255.255     192.168.51.1    192.168.51.1       25
        224.0.0.0        240.0.0.0      192.168.1.3     192.168.1.3       25
        224.0.0.0        240.0.0.0     192.168.51.1    192.168.51.1       25
  255.255.255.255  255.255.255.255      192.168.1.3     192.168.1.3       1
  255.255.255.255  255.255.255.255     192.168.51.1               2       1
  255.255.255.255  255.255.255.255     192.168.51.1    192.168.51.1       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None


Author

Commented:
Is there a minimum speed for VPN connection?  I am using wireless at 54Mbps but sometimes the VPN connection will be cut-off with an error message " disconnected because remote peer is not responding"
>>Is there a minimum speed for VPN connection?

No, there is not.  That message typically means either a general network connectivity issue on the VPN server (ASA) side or a misconfiguration of some sort.

When you are in a VPN session, right-click on the yellow padlock in the system tray and then click "Statistics" on the menu that pops up.  Click on the "Route Details" tab and look at the "Secured Routes" window.  If it says:

0.0.0.0    0.0.0.0

Then you have a fully tunneled connection and your split tunneling configuration is not configured properly.  If it says:

192.168.50.0    255.255.255.0

Then the only traffic that is being sent down the tunnel is traffic destined for the 192.168.50.0/24 network which means that your split tunneling configuration is correct.  Post back with your results.
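The "Secured Routes" check above can also be read straight off the author's `route print` output: a 0.0.0.0/0 route whose interface is the Cisco VPN Adapter (192.168.51.1 from the ASA's vpnpool) and whose metric beats the physical adapter's default route means every packet goes down the tunnel. The following script is an added example written for this page (not the author's commands and not a Cisco tool); it parses the author's first `route print` table as posted (public address masked as XX), derives the second table the way the author's `route change` did, and reports full versus split tunnel plus the networks actually secured through the VPN adapter.

```python
"""Classify a Windows `route print` table as full-tunnel or split-tunnel.

Added example for this page, not from the thread's author, the experts, or Cisco.
The sample table is the author's first `route print` output from this thread;
the VPN adapter address 192.168.51.1 comes from the ASA's vpnpool.
"""
import re
from dataclasses import dataclass

VPN_ADAPTER = "192.168.51.1"  # Cisco Systems VPN Adapter address from vpnpool

# Author's Active Routes while "VPN'ed but no access to internet" (from the thread).
BEFORE_ROUTE_CHANGE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.3       25
          0.0.0.0          0.0.0.0     192.168.51.2    192.168.51.1       1
    24.227.XX.XX  255.255.255.255      192.168.1.1     192.168.1.3       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.3     192.168.1.3       25
      192.168.1.0    255.255.255.0     192.168.51.2    192.168.51.1       25
      192.168.1.1  255.255.255.255      192.168.1.3     192.168.1.3       1
      192.168.1.3  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.1.255  255.255.255.255      192.168.1.3     192.168.1.3       25
     192.168.51.0    255.255.255.0     192.168.51.1    192.168.51.1       25
     192.168.51.1  255.255.255.255        127.0.0.1       127.0.0.1       25
   192.168.51.255  255.255.255.255     192.168.51.1    192.168.51.1       25
        224.0.0.0        240.0.0.0      192.168.1.3     192.168.1.3       25
        224.0.0.0        240.0.0.0     192.168.51.1    192.168.51.1       25
  255.255.255.255  255.255.255.255      192.168.1.3     192.168.1.3       1
  255.255.255.255  255.255.255.255     192.168.51.1               2       1
  255.255.255.255  255.255.255.255     192.168.51.1    192.168.51.1       1
"""

# The author's second table is the same minus the VPN default route, which is
# exactly what `route change 0.0.0.0 mask 0.0.0.0 192.168.1.1 metric 25` did.
AFTER_ROUTE_CHANGE = "\n".join(
    line for line in BEFORE_ROUTE_CHANGE.splitlines()
    if not (line.split()[:2] == ["0.0.0.0", "0.0.0.0"] and "192.168.51.2" in line)
)

DOTTED = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Route:
    dest: str
    mask: str
    gateway: str
    iface: str
    metric: int


def parse_route_print(text: str) -> list[Route]:
    """Keep rows with five columns, a dotted-quad mask and an integer metric.
    The destination is not validated because the author masked it (24.227.XX.XX)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not DOTTED.match(parts[1]) or not parts[4].isdigit():
            continue
        routes.append(Route(parts[0], parts[1], parts[2], parts[3], int(parts[4])))
    return routes


def tunnel_mode(routes: list[Route], vpn_iface: str) -> str:
    """'full' if the lowest-metric default route leaves via the VPN adapter,
    'split' if it leaves via another adapter, 'none' if there is no default route."""
    defaults = sorted((r for r in routes if r.dest == "0.0.0.0" and r.mask == "0.0.0.0"),
                      key=lambda r: r.metric)
    if not defaults:
        return "none"
    return "full" if defaults[0].iface == vpn_iface else "split"


def secured_networks(routes: list[Route], vpn_iface: str) -> list[tuple[str, str]]:
    """Networks forwarded to the VPN peer, i.e. rows on the VPN adapter whose gateway
    is neither the adapter itself nor loopback (those are on-link bookkeeping rows).
    This mirrors what the client's 'Secured Routes' tab lists."""
    return [(r.dest, r.mask) for r in routes
            if r.iface == vpn_iface and r.gateway not in (vpn_iface, "127.0.0.1")]


if __name__ == "__main__":
    for label, table in (("before", BEFORE_ROUTE_CHANGE), ("after", AFTER_ROUTE_CHANGE)):
        routes = parse_route_print(table)
        print(label, tunnel_mode(routes, VPN_ADAPTER), secured_networks(routes, VPN_ADAPTER))
```

Run on the first table it reports `full` with 0.0.0.0/0 secured, which is the symptom the expert describes; on the second it reports `split`, but the only secured network left is 192.168.1.0/24 (the author's home LAN, not the 192.168.50.0/24 office LAN), which explains why the internet worked and office resources did not after the `route change`.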

Author

Commented:
It is 0.0.0.0    0.0.0.0.  Please advise how to correct the problem. Thanks very much!!!!
Post your current config so I can take a look...

Author

Commented:
Please see below.

hostname propak-gw120707
domain-name propaksw.com
enable password DHAsnd72H9963llX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.9 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 24.227.xx.xxx 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name propaksw.com
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 8080 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq https 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 7777 
access-list 110 extended deny icmp any any 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 5000 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 5100 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 4001 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 4030 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 3085 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 1433 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq www 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 7072 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq ftp 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 3389 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 82 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 83 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 6080 
access-list test_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
 
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.224 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.51.1-192.168.51.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
static (inside,outside) tcp interface 8080 192.168.50.10 8080 netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.50.116 https netmask 255.255.255.255 
static (inside,outside) tcp interface 5000 192.168.50.3 5000 netmask 255.255.255.255 
static (inside,outside) tcp interface 5100 192.168.50.12 5100 netmask 255.255.255.255 
static (inside,outside) tcp interface 4001 192.168.50.10 4001 netmask 255.255.255.255 
static (inside,outside) tcp interface 4030 192.168.5.13 4030 netmask 255.255.255.255 
static (inside,outside) tcp interface 3085 192.168.50.3 3085 netmask 255.255.255.255 
static (inside,outside) tcp interface 1433 192.168.50.10 1433 netmask 255.255.255.255 
static (inside,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255 
static (inside,outside) tcp interface 7072 192.168.50.116 7072 netmask 255.255.255.255 
static (inside,outside) tcp interface ftp 192.168.50.10 ftp netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.50.110 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 82 192.168.50.20 82 netmask 255.255.255.255 
static (inside,outside) tcp interface 83 192.168.50.3 83 netmask 255.255.255.255 
static (inside,outside) tcp interface 6080 192.168.50.5 6080 netmask 255.255.255.255  dns 
static (inside,outside) tcp interface 7777 192.168.50.116 7777 netmask 255.255.255.255 
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 24.227.xx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy propakvpn internal
group-policy propakvpn attributes
 dns-server value 192.168.50.3
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value propakvpn_splitTunnelAcl
 default-domain value propaksw.com
username chengyuc password /zQEfoAYoekYrBdD encrypted privilege 0
username chengyuc attributes
 vpn-group-policy propakvpn
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group propakvpn type ipsec-ra
tunnel-group propakvpn general-attributes
 address-pool vpnpool
 default-group-policy propakvpn
tunnel-group propakvpn ipsec-attributes
 pre-shared-key *
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:d2a0cea88efec88116197c6b53c63514
: end


I don't see the ACL called "propakvpn_splitTunnelAcl" which is what you are specifying as the split tunneling access list for your VPN connection.  You need to put in the following line:

access-list propakvpn_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any

You mentioned earlier that you had already put this in, but I don't see it in there now.  Did you take it back out at some point in your troubleshooting?  Put it back in and try it out.

Author

Commented:
Sorry, I attached the wrong file. This line is in the config:
access-list propakvpn_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any


hostname propak-gw120707
domain-name propaksw.com
enable password DHAsnd72H9963llX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.9 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 24.227.xx.xxx 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name propaksw.com
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 8080 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq https 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 7777 
access-list 110 extended deny icmp any any 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 5000 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 5100 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 4001 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 4030 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 3085 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 1433 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq www 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 7072 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq ftp 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 3389 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 82 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 83 
access-list 110 extended permit tcp any host 24.227.xx.xxx eq 6080 
access-list propakvpn_splitTunnelAcl permit ip 192.168.50.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.224 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.51.1-192.168.51.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
static (inside,outside) tcp interface 8080 192.168.50.10 8080 netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.50.116 https netmask 255.255.255.255 
static (inside,outside) tcp interface 5000 192.168.50.3 5000 netmask 255.255.255.255 
static (inside,outside) tcp interface 5100 192.168.50.12 5100 netmask 255.255.255.255 
static (inside,outside) tcp interface 4001 192.168.50.10 4001 netmask 255.255.255.255 
static (inside,outside) tcp interface 4030 192.168.5.13 4030 netmask 255.255.255.255 
static (inside,outside) tcp interface 3085 192.168.50.3 3085 netmask 255.255.255.255 
static (inside,outside) tcp interface 1433 192.168.50.10 1433 netmask 255.255.255.255 
static (inside,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255 
static (inside,outside) tcp interface 7072 192.168.50.116 7072 netmask 255.255.255.255 
static (inside,outside) tcp interface ftp 192.168.50.10 ftp netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.50.110 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 82 192.168.50.20 82 netmask 255.255.255.255 
static (inside,outside) tcp interface 83 192.168.50.3 83 netmask 255.255.255.255 
static (inside,outside) tcp interface 6080 192.168.50.5 6080 netmask 255.255.255.255  dns 
static (inside,outside) tcp interface 7777 192.168.50.116 7777 netmask 255.255.255.255 
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 24.227.43.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy propakvpn internal
group-policy propakvpn attributes
 dns-server value 192.168.50.3
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value propakvpn_splitTunnelAcl
 default-domain value propaksw.com
username chengyuc password /zQEfoAYoekYrBdD encrypted privilege 0
username chengyuc attributes
 vpn-group-policy propakvpn
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group propakvpn type ipsec-ra
tunnel-group propakvpn general-attributes
 address-pool vpnpool
 default-group-policy propakvpn
tunnel-group propakvpn ipsec-attributes
 pre-shared-key *
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:d2a0cea88efec88116197c6b53c63514
: end


Add this line and see what you get:

crypto isakmp nat-traversal

Also, remove the following line (you don't need this):

global (inside) 1 interface

Author

Commented:
OK.  Please bear with me.  I am accessing the ASA5505 using RDP through one of our servers and it is not loading; it froze at 67%.  I am resetting the server.  Also, when I am connected through VPN I cannot access the firewall through the browser with the URL https://192.168.50.9.  Is this normal?
Yes, it's normal for your current configuration.  Add the following lines to be able to access it via a VPN connection on the inside interface:

management-access inside
http 192.168.51.0 255.255.255.0 inside

Author

Commented:
I cannot access my firewall now.  It froze at 67% (checking software dependencies).  

Author

Commented:
Thanks for all the inputs.  Can we just continue this next week?  I cannot access the firewall now.

Author

Commented:
Hello batry_boy,
Please see the configuration below.  I have both an entry for access-list propakvpn_splitTunnelAcl standard permit any and access-list propakvpn_SplittunnelAcl extended permit ip 192.168.50.0 255.255.255.0 any.
I tried to get rid of the first line by issuing "no access-list propakvpn_splitTunneling standard permit any" and got the error below. Please advise what to do.  Thanks!!!!

Result of the command: "no access-list propakvpn_splitTunnelAcl standard permit any"

ERROR: Access-list propakvpn_splitTunnelAcl is attached to class-map, route-map,
username, group-policy, distribute-list, multicast or wccp subsystem.
Please remove the relevant configuration before removing the access-list
Result of the command: "show running-config"
 
: Saved
:
ASA Version 7.2(2) 
!
hostname propak-gw120707
domain-name propaksw.com
enable password DHAsnd72H9963llX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.9 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 24.227.xxx.xxx 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name propaksw.com
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 8080 
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq https 
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 7777 
access-list 110 extended deny icmp any any 
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 5000 
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 5100 
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 4001 
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 4030 
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 3085 
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 1433 
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq www 
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 7072 
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq ftp 
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 3389 
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 82 
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 83 
access-list 110 extended permit tcp any host 24.227.xxx.xxx eq 6080 
access-list propakvpn_splitTunnelAcl standard permit any 
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.224 
access-list propakvpn_SplitTunnelAcl extended permit ip 192.168.50.0 255.255.255.0 any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.51.1-192.168.51.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
static (inside,outside) tcp interface 8080 192.168.50.10 8080 netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.50.116 https netmask 255.255.255.255 
static (inside,outside) tcp interface 5000 192.168.50.3 5000 netmask 255.255.255.255 
static (inside,outside) tcp interface 5100 192.168.50.12 5100 netmask 255.255.255.255 
static (inside,outside) tcp interface 4001 192.168.50.10 4001 netmask 255.255.255.255 
static (inside,outside) tcp interface 4030 192.168.5.13 4030 netmask 255.255.255.255 
static (inside,outside) tcp interface 3085 192.168.50.3 3085 netmask 255.255.255.255 
static (inside,outside) tcp interface 1433 192.168.50.10 1433 netmask 255.255.255.255 
static (inside,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255 
static (inside,outside) tcp interface 7072 192.168.50.116 7072 netmask 255.255.255.255 
static (inside,outside) tcp interface ftp 192.168.50.10 ftp netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.50.110 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 82 192.168.50.20 82 netmask 255.255.255.255 
static (inside,outside) tcp interface 83 192.168.50.3 83 netmask 255.255.255.255 
static (inside,outside) tcp interface 6080 192.168.50.5 6080 netmask 255.255.255.255  dns 
static (inside,outside) tcp interface 7777 192.168.50.116 7777 netmask 255.255.255.255 
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 24.227.43.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy propakvpn internal
group-policy propakvpn attributes
 dns-server value 192.168.50.3
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value propakvpn_splitTunnelAcl
 default-domain value propaksw.com
username chengyuc password /zQEfoAYoekYrBdD encrypted privilege 0
username chengyuc attributes
 vpn-group-policy propakvpn
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group propakvpn type ipsec-ra
tunnel-group propakvpn general-attributes
 address-pool vpnpool
 default-group-policy propakvpn
tunnel-group propakvpn ipsec-attributes
 pre-shared-key *
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:453185447b76f0aa1363160fd6e16493
: end


You now have two access lists (line 60 and line 62 in your above output)

access-list propakvpn_splitTunnelAcl standard permit any
access-list propakvpn_SplitTunnelAcl extended permit ip 192.168.50.0 255.255.255.0 any

They're considered two different access lists by the firewall because one has a lowercase "s" in the name and other has an uppercase "S" in the name.  This being the case, just do this:

conf t
group-policy propakvpn attributes
split-tunnel-network-list value propakvpn_SplitTunnelAcl
exit
no access-list propakvpn_splitTunnelAcl standard permit any

See if that helps...
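The three configuration states in this thread (a split-tunnel list that references an ACL never defined, two ACL names differing only in case with the group policy bound to the `standard permit any` one, and the corrected config) are all catchable before a client ever connects. The script below is an added example written for this page, not one of the expert's commands and not a Cisco tool: it parses `access-list` and `group-policy ... attributes` lines from an ASA 7.x running-config and flags those mistakes. The three excerpts are constructed, cut down from the configs posted above; the rule for what counts as a "tunnel everything" entry in `ace_is_catch_all` is an assumption.

```python
"""Lint an ASA running-config for the split-tunnel mistakes seen in this thread.

Added example for this page, not a Cisco tool and not the expert's commands.
Config excerpts are constructed, trimmed from the thread's posted configs.
"""
import re
from collections import defaultdict

# Excerpt 1: the policy references an ACL that is never defined (first post).
MISSING_ACL = """\
access-list test_splitTunnelAcl extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.224
group-policy propakvpn internal
group-policy propakvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value propakvpn_splitTunnelAcl
"""

# Excerpt 2: names differ only by case; the bound ACL is 'standard permit any'.
CASE_CLASH = """\
access-list propakvpn_splitTunnelAcl standard permit any
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.224
access-list propakvpn_SplitTunnelAcl extended permit ip 192.168.50.0 255.255.255.0 any
group-policy propakvpn internal
group-policy propakvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value propakvpn_splitTunnelAcl
"""

# Excerpt 3: the state after the expert's fix (rebind, then delete the stray ACL).
FIXED = """\
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.224
access-list propakvpn_SplitTunnelAcl extended permit ip 192.168.50.0 255.255.255.0 any
group-policy propakvpn internal
group-policy propakvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value propakvpn_SplitTunnelAcl
"""


def parse_acls(config: str) -> dict[str, list[str]]:
    """ACL name -> list of ACE strings. Names are case-sensitive, as on the ASA."""
    acls: dict[str, list[str]] = defaultdict(list)
    for line in config.splitlines():
        m = re.match(r"^access-list (\S+) (.*)$", line.strip())
        if m:
            acls[m.group(1)].append(m.group(2).strip())
    return dict(acls)


def parse_group_policies(config: str) -> dict[str, dict[str, str]]:
    """group-policy name -> {'policy': ..., 'acl': ...} from its 'attributes' block."""
    policies: dict[str, dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^group-policy (\S+) attributes\s*$", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            m = re.match(r"\s*split-tunnel-(policy|network-list value) (\S+)", line)
            if m:
                current["policy" if m.group(1) == "policy" else "acl"] = m.group(2)
        else:
            current = None  # any non-indented line ends the attributes block
    return policies


def ace_is_catch_all(ace: str) -> bool:
    """Assumption: an ACE tunnels every destination when, after 'permit' (and an
    optional 'ip'), every token is 'any' or 0.0.0.0, e.g. 'standard permit any'."""
    tokens = ace.split()
    if "permit" not in tokens:
        return False
    body = tokens[tokens.index("permit") + 1:]
    if body and body[0] == "ip":
        body = body[1:]
    return bool(body) and all(t in ("any", "0.0.0.0") for t in body)


def lint_split_tunnel(config: str) -> list[str]:
    """Return human-readable findings; an empty list means the split tunnel is sane."""
    findings = []
    acls = parse_acls(config)
    by_lower: dict[str, list[str]] = defaultdict(list)
    for name in acls:
        by_lower[name.lower()].append(name)
    for names in by_lower.values():
        if len(names) > 1:
            findings.append("ACL names differ only by case: " + ", ".join(sorted(names)))
    for gp, attrs in parse_group_policies(config).items():
        if attrs.get("policy") != "tunnelspecified":
            continue
        acl = attrs.get("acl")
        if acl is None:
            findings.append(f"{gp}: split-tunnel-policy tunnelspecified but no split-tunnel-network-list")
        elif acl not in acls:
            alt = [n for n in acls if n.lower() == acl.lower()]
            hint = f" (did you mean {alt[0]}?)" if alt else ""
            findings.append(f"{gp}: split-tunnel ACL '{acl}' is not defined{hint}")
        else:
            for ace in acls[acl]:
                if ace_is_catch_all(ace):
                    findings.append(f"{gp}: ACL '{acl}' entry '{ace}' tunnels every destination "
                                    "(client will show 0.0.0.0 0.0.0.0)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("missing", MISSING_ACL), ("case clash", CASE_CLASH), ("fixed", FIXED)):
        print(label, lint_split_tunnel(cfg) or ["ok"])
```

The case-only duplicate check is the one that matters most here: the ASA treats `propakvpn_splitTunnelAcl` and `propakvpn_SplitTunnelAcl` as unrelated objects, so the policy silently kept pointing at the `permit any` list, and the `no access-list` attempt failed because that list was still bound to the group policy. Rebinding first and deleting second, as the expert's command sequence does, is the order this linter's output suggests.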

Author

Commented:
Yes, it works.  I will test it at home tonight.  Please see the final config below.  Kindly explain what we just did?  Thank you so much.
Result of the command: "show run"
 
: Saved
:
ASA Version 7.2(2) 
!
hostname propak-gw120707
domain-name propaksw.com
enable password DHAsnd72H9963llX encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.9 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 24.227.XXX.XXX 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name propaksw.com
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 8080 
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq https 
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 7777 
access-list 110 extended deny icmp any any 
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 5000 
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 5100 
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 4001 
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 4030 
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 3085 
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 1433 
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq www 
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 7072 
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq ftp 
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 3389 
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 82 
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 83 
access-list 110 extended permit tcp any host 24.227.XXX.XXX eq 6080 
access-list inside_nat0_outbound extended permit ip any 192.168.51.0 255.255.255.224 
access-list propakvpn_SplitTunnelAcl extended permit ip 192.168.50.0 255.255.255.0 any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.51.1-192.168.51.20 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.50.0 255.255.255.0
static (inside,outside) tcp interface 8080 192.168.50.10 8080 netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.50.116 https netmask 255.255.255.255 
static (inside,outside) tcp interface 5000 192.168.50.3 5000 netmask 255.255.255.255 
static (inside,outside) tcp interface 5100 192.168.50.12 5100 netmask 255.255.255.255 
static (inside,outside) tcp interface 4001 192.168.50.10 4001 netmask 255.255.255.255 
static (inside,outside) tcp interface 4030 192.168.5.13 4030 netmask 255.255.255.255 
static (inside,outside) tcp interface 3085 192.168.50.3 3085 netmask 255.255.255.255 
static (inside,outside) tcp interface 1433 192.168.50.10 1433 netmask 255.255.255.255 
static (inside,outside) tcp interface www 192.168.50.10 www netmask 255.255.255.255 
static (inside,outside) tcp interface 7072 192.168.50.116 7072 netmask 255.255.255.255 
static (inside,outside) tcp interface ftp 192.168.50.10 ftp netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.50.110 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 82 192.168.50.20 82 netmask 255.255.255.255 
static (inside,outside) tcp interface 83 192.168.50.3 83 netmask 255.255.255.255 
static (inside,outside) tcp interface 6080 192.168.50.5 6080 netmask 255.255.255.255  dns 
static (inside,outside) tcp interface 7777 192.168.50.116 7777 netmask 255.255.255.255 
access-group 110 in interface outside
route outside 0.0.0.0 0.0.0.0 24.227.43.201 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy propakvpn internal
group-policy propakvpn attributes
 dns-server value 192.168.50.3
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value propakvpn_SplitTunnelAcl
 default-domain value propaksw.com
username chengyuc password /zQEfoAYoekYrBdD encrypted privilege 0
username chengyuc attributes
 vpn-group-policy propakvpn
http server enable
http 192.168.51.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group propakvpn type ipsec-ra
tunnel-group propakvpn general-attributes
 address-pool vpnpool
 default-group-policy propakvpn
tunnel-group propakvpn ipsec-attributes
 pre-shared-key *
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:cf021987254d42dd38998e2810268676
: end

Author

Commented:
Thanks very much.... Appreciate all the help.  I'll try it tonight.  Have a great day!!!

Author

Commented:
Hello batry_boy,

Everything is working well.  I can access all my resources.  However, I can only access the mapped drive, and when I use My Network Places >> Entire Network >> Microsoft Windows Network >> domain to access other files, I cannot see them under my domain, though I can access them using the run line \\propak-xxxx.  Please advise on the rationale behind this.  Thanks very much.
I just realized I never answered your question from your last comment on this one.

The reason you can't access file shares via "My Network Places" across a VPN connection is because it uses broadcast traffic to display the list of computers and broadcast traffic cannot traverse a VPN connection because it cannot be routed by its very nature.  Only routed traffic can traverse a VPN tunnel.  Does this make sense?