aidanhammond
VPN Issues - ASA5510

Hello,

I have an ASA5510 to replace a PIX515, but I'm having a few problems configuring my VPN tunnel for remote access... I can successfully authenticate and connect to the VPN, but I can't:

* Access Internet - I'd like users to use their 'own' internet connection
* Access 10.10.10.* network when connected to VPN

I'd like both internal and VPN network to be able to see:
10.10.10.0 255.255.255.0
192.168.10.0 255.255.255.0

Does anyone have any pointers?

My config can be found at: http://aidan.org/config.txt

Many thanks
batry_boy

First, remove the static route referencing your VPN client pool...this is unnecessary and could be causing routing issues:

no route outside 10.10.11.0 255.255.255.0 65.100.2.98

Next, the following commands should enable split tunneling so the VPN users can access the Internet, but also access 10.10.10.0/24 while connected:

access-list vpn_split_tunnel standard permit ip 10.10.10.0 255.255.255.0
group-policy CompanyVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list vpn_split_tunnel

Issue the following commands and then try to access the 192.168.10.0/24 network from the internal network (10.10.10.0/24):

no static (inside,public) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
no access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0

Next, you'll need to add the following lines to your configuration in order for your VPN users to access the 192.168.10.0/24 network:

access-list vpn_split_tunnel standard permit ip 192.168.10.0 255.255.255.0

Next, I'm not sure why you have IPSEC and ISAKMP enabled on your inside interface...this is not needed for remote access VPN connectivity nor site-to-site VPN tunnels...issue the following commands to remove these statements:

no crypto map inside_map interface inside
no crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
no isakmp enable inside

Let's stop there and see where we are on your issues...post back with the results...
aidanhammond

ASKER

Many thanks for the reply, I can confirm that inside can still see public after the changes. I am however having problems setting up the access lists you suggested, below is an export of errors:

Result of the command: "access-list vpn_split_tunnel standard permit ip 10.10.10.0 255.255.255.0"
access-list vpn_split_tunnel standard permit ip 10.10.10.0 255.255.255.0
                                             ^
ERROR: % Invalid input detected at '^' marker.

Result of the command: "group-policy CompanyVPN attributes"
The command has been sent to the device

Result of the command: "split-tunnel-policy tunnelspecified"
The command has been sent to the device

Result of the command: "split-tunnel-network-list vpn_split_tunnel"
split-tunnel-network-list vpn_split_tunnel
                           ^
ERROR: % Invalid input detected at '^' marker.

Result of the command: "access-list vpn_split_tunnel standard permit ip 192.168.10.0 255.255.255.0"
access-list vpn_split_tunnel standard permit ip 192.168.10.0 255.255.255.0
                                             ^
ERROR: % Invalid input detected at '^' marker.


Many thanks for the help.
Are you using the command line interface through the ASDM GUI?  I would use the true CLI to input these commands.

Also, change:

access-list vpn_split_tunnel standard permit ip 10.10.10.0 255.255.255.0

to this:

access-list vpn_split_tunnel standard permit 10.10.10.0 255.255.255.0

Are you putting these commands into the ASA or the PIX?  These commands are for the ASA...
Hello,

The device is an ASA5510. I was running commands via ASDM, but I have done these via telnet.

The following commands were accepted:
access-list vpn_split_tunnel standard permit 10.10.10.0 255.255.255.0
access-list vpn_split_tunnel standard permit 192.168.10.0 255.255.255.0

I've gone back into: group-policy CompanyVPN attributes
but the command: split-tunnel-network-list vpn_split_tunnel
does not get accepted:

ciscoasa(config)# group-policy CompanyVPN attributes
ciscoasa(config-group-policy)# split-tunnel-network-list vpn_split_tunnel
                                                          ^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config-group-policy)#

Many thanks.
What version of code are you running?  Do you already have the command "split-tunnel-policy tunnelspecified" in your configuration?  That command should work OK to specify what traffic should be sent down the tunnel, leaving all other traffic to flow outside the tunnel.
I'm running: 7.0(7)

The command: split-tunnel-policy tunnelspecified
Is already in the config.

Many thanks.
I recommend that you upgrade to version 7.2(3) at your earliest opportunity.  The version you are running is over 2 years old and is VERY buggy.  Cisco has also changed some of the commands supported between that version and the newer 7.2(3).

See the following for help on this:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008067e9f9.shtml

Also, post your current config (sanitized) so I can see where we are in your config.
The updated, sanitized config is @ http://aidan.org/Config.txt

I have requested an upgrade to 7.2(3) from our supplier, I'm told I should have this by the end of the day.

I am still having VPN issues, I don't seem to be able to access anything :(

Many thanks.
I've been let down by our supplier, however here is an update of where we are:

* internal network can communicate with public (dmz) network
* vpn users can connect to public (dmz) network 192.168.10.0/24 but not internal network 10.10.10.0/24
* Split tunnel doesn't appear to be working, when I connect to the VPN, my internet connectivity vanishes.

Not covered by the original question, so rightly covered by another question:
https://www.experts-exchange.com/questions/23220631/ASA5510-Pinging-Options.html

* is it possible to allow internal network users to ping public machines?
* is it possible to allow vpn users to ping internal and public machines?
* is it possible to allow internal network users to ping outside machines, e.g., google.com?

Any help would be appreciated!
>>is it possible to allow internal network users to ping public machines?

Yes.  If the ACL applied to the outside interface is named "outside_access_in", then you would put in the following statement to allow internal machines to ping public machines:

access-list outside_access_in permit icmp any any echo-reply

>>is it possible to allow vpn users to ping internal and public machines?

Yes, as long as the split tunneling is working correctly.  I think you should post your entire sanitized config so we can troubleshoot this issue.

>>is it possible to allow internal network users to ping outside machines, e.g., google.com?

I believe this is the same question as your first one above.
Hey Batry_Boy - The questions you answered were related to another question I had open, I was hoping someone would pick it up from this thread :)

Here is an update of where we are:

* internal network can communicate with public (dmz) network
* vpn users can connect to public (dmz) network 192.168.10.0/24 but not internal network 10.10.10.0/24
* Split tunnel doesn't appear to be working, when I connect to the VPN, my internet connectivity vanishes.

Many thanks.
The updated, sanitized config is @ http://aidan.org/Config.txt
Try this:

group-policy CompanyVPN attributes
split-tunnel-network-list value vpn_split_tunnel

I can confirm these commands solved the issue - Thanks!

RE: Pinging, I used the info you provided above to come up with these rules:
no access-list outside_nat0_inbound permit icmp any any echo-reply
access-group outside_nat0_inbound in interface outside
access-list public_nat0_inbound permit icmp any any echo-reply
access-group public_nat0_inbound in interface public

Since applying them, it appears that DMZ machines are unable to access the internet - I assume this is because I've added an access list onto the interface, how would I get around this?

Many thanks.
Repost the current config and I'll take a look.  Judging from the names of those ACLs, you probably shouldn't use them applied directly to the firewall interfaces.  Those are used for NAT exemption.
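Added here as an illustration, not code from this thread or from Cisco: a small Python lint over a constructed ASA 7.x config fragment that flags the three mistakes worked through above (the `ip` keyword in a standard ACL, `split-tunnel-network-list` given without `value`, and a NAT-exemption "nat0" ACL applied to an interface with `access-group`). The sample config and the name-based nat0 heuristic are my own assumptions.

```python
import re

# Constructed ASA 7.x config fragment, modelled on the commands the thread
# tried (not the asker's real config); lines 1, 6 and 9 carry the mistakes.
SAMPLE_CONFIG = """\
access-list vpn_split_tunnel standard permit ip 10.10.10.0 255.255.255.0
access-list vpn_split_tunnel standard permit 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list outside_nat0_inbound permit icmp any any echo-reply
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_nat0_inbound in interface outside
group-policy CompanyVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list vpn_split_tunnel
"""

def lint_asa_config(text):
    """Return [(line_no, message)] for the three pitfalls the thread ran into."""
    findings = []
    acl_names = set(re.findall(r"^access-list (\S+)", text, re.M))
    # ACLs referenced by "nat (if) 0 access-list X" are NAT-exemption lists.
    nat_exempt = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", text, re.M))
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        # 1. A standard ACL is "permit <net> <mask>"; the 'ip' keyword is rejected.
        if re.match(r"access-list \S+ standard (permit|deny) ip\b", s):
            findings.append((no, "standard ACL must not contain the 'ip' keyword"))
        # 2. The group-policy line needs "value <acl>" (or "none"); the ACL must exist.
        m = re.match(r"split-tunnel-network-list(?: (\S+))?(?: (\S+))?$", s)
        if m and m.group(1) != "none":
            if m.group(1) != "value" or not m.group(2):
                findings.append((no, "use 'split-tunnel-network-list value <acl>'"))
            elif m.group(2) not in acl_names:
                findings.append((no, f"ACL {m.group(2)} is not defined"))
        # 3. NAT-exemption lists belong to "nat (...) 0", not to access-group
        #    (assumption: a "nat0" in the name marks such a list, as in the thread).
        m = re.match(r"access-group (\S+) in interface", s)
        if m and (m.group(1) in nat_exempt or "nat0" in m.group(1)):
            findings.append((no, f"{m.group(1)} looks like a NAT-exemption ACL"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_asa_config(SAMPLE_CONFIG):
        print(f"line {no}: {msg}")
```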
Latest config can be found at: http://aidan.org/config2.txt

Many thanks
ASKER CERTIFIED SOLUTION
batry_boy