Solved

Cannot connect to servers while connected to VPN

Posted on 2008-06-24
Last Modified: 2012-06-27
Hi All,

I've set up a Remote Access VPN on a Cisco ASA 5510 - the Cisco VPN client (5.0.01.0600) can connect OK and assigns the laptop an IP address, but I cannot reach any systems on the LAN once connected. Is there something missing in my config here? Any help would be much appreciated!

Regards

Rob
ASA Version 7.2(2) 

!

hostname XXXciscoasa

domain-name adroot.XXX.co.uk

enable password xxx encrypted

names

!

interface Ethernet0/0

 nameif WAN

 security-level 0

 ip address 194.x.x.62 255.255.255.0 standby 194.x.x.63 

!

interface Ethernet0/1

 nameif LAN

 security-level 50

 ip address 194.129.15.252 255.255.255.0 standby 194.129.15.251 

!

interface Ethernet0/2

 description LAN Failover Interface

!

interface Ethernet0/3

 description STATE Failover Interface

!

interface Management0/0

 nameif management

 security-level 100

 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.7 

 management-only

!

passwd xxx encrypted

boot system disk0:/asa722k8.bin

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns server-group DefaultDNS

 domain-name adroot.XXX.co.uk

object-group service FilemakerPro tcp-udp

 port-object range 5003 5003

object-group service CiscoVPN tcp

 description CiscoVPN allow ports 4500, 500

 port-object range 500 500

 port-object range 4500 4500

access-list WAN_access_out extended permit ip any any inactive 

access-list WAN_access_out extended permit udp any any eq ntp 

access-list WAN_access_out extended permit tcp any any eq 123 inactive 

access-list WAN_access_out remark Allow port 445 SMB MS File Sharing access to remote NAS device at James' Home

access-list WAN_access_out extended permit tcp interface WAN host 91.84.29.97 eq 445 

access-list WAN_access_out extended permit tcp any any eq ssh inactive 

access-list WAN_access_out remark Planning - Charnwood related documents link

access-list WAN_access_out extended permit tcp interface WAN host 193.129.245.154 eq 34965 

access-list WAN_access_out remark Planning - Barnet

access-list WAN_access_out extended permit tcp interface WAN host 195.171.200.80 eq 7778 

access-list WAN_access_out remark Planning - Breckland

access-list WAN_access_out extended permit tcp interface WAN host 212.240.79.100 eq 7778 

access-list WAN_access_out remark Planning website - havering.gov.uk

access-list WAN_access_out extended permit tcp any host 62.172.223.20 eq 7783 

access-list WAN_access_out remark Planning website - access to barking and dagenham

access-list WAN_access_out extended permit tcp interface WAN host 212.85.19.44 eq 8081 

access-list WAN_access_out remark Planning website - access to northamptonboroughcouncil.com

access-list WAN_access_out extended permit tcp interface WAN host 83.100.223.135 eq 8099 

access-list WAN_access_out remark Allow port 5003 file maker pro access to bulwein server - Bulwein allow access from our gateway IP

access-list WAN_access_out extended permit tcp any host 195.30.62.92 eq 5003 

access-list WAN_access_out remark Planning Website - Castle Morpeth Borough Council

access-list WAN_access_out extended permit tcp interface WAN host 195.224.122.231 eq 5757 

access-list WAN_access_out remark Planning website - St Helens Council

access-list WAN_access_out extended permit tcp any host 212.248.225.150 eq 7777 

access-list WAN_access_out remark planning

access-list WAN_access_out remark Planning Website - Uttlesford District Council

access-list WAN_access_out extended permit tcp any host 213.121.206.247 eq 7778 

access-list WAN_access_out remark planning

access-list WAN_access_out remark Planning Website - Ellesmere Port & Neston Borough Council

access-list WAN_access_out extended permit tcp any host 193.133.69.117 eq 7778 

access-list WAN_access_out remark Planning - Hartlepool

access-list WAN_access_out extended permit tcp interface WAN host 195.172.81.205 eq 7777 

access-list WAN_access_out remark planning

access-list WAN_access_out remark Planning Website - Arun District Council

access-list WAN_access_out extended permit tcp any host 195.224.159.100 eq 7778 

access-list WAN_access_out remark Planning Website - Maidstone Council

access-list WAN_access_out extended permit tcp any host 195.188.250.22 eq 8070 

access-list WAN_access_out remark Allow port 25 SMTP access from XXX to the Internet - in reality XXXs Exchange server only sends

access-list WAN_access_out remark outbound email to Messagelabs European cluster (set under SMTP connector on Exchange server)

access-list WAN_access_out extended permit tcp host 194.x.x.56 any eq smtp 

access-list WAN_access_out remark Allow UDP Port 53 DNS access from XXX to Internet

access-list WAN_access_out extended permit udp any any eq domain 

access-list WAN_access_out remark Allow TCP Port 53 DNS access from XXX to Internet

access-list WAN_access_out extended permit tcp any any eq domain 

access-list WAN_access_out remark Allow port 21 FTP access from XXX to Internet

access-list WAN_access_out extended permit tcp any any eq ftp 

access-list WAN_access_out extended permit tcp interface WAN any eq ftp-data inactive 

access-list WAN_access_out remark Allow XXX to Ping Internet

access-list WAN_access_out extended permit icmp any any echo 

access-list WAN_access_out remark Allow XXX to Ping Internet

access-list WAN_access_out extended permit icmp any any echo-reply 

access-list WAN_access_out remark Allow UDP Port 500 IKE key exchange for secure connections from XXX to Internet

access-list WAN_access_out extended permit udp any any eq isakmp 

access-list WAN_access_out remark Allow port 443 HTTPS secure access from XXX to Internet

access-list WAN_access_out extended permit tcp any any eq https 

access-list WAN_access_out remark Allow port 8080 HTTP access from XXX to Internet

access-list WAN_access_out remark Used for access to remote XXX routers and other websites (planning sites)

access-list WAN_access_out extended permit tcp any any eq 8080 

access-list WAN_access_out remark Allow port 1755 windows media player access from XXX to internet for website video streaming

access-list WAN_access_out extended permit tcp any any eq 1755 

access-list WAN_access_out remark Allow GRE from XXX VPN server to remote VPN users

access-list WAN_access_out extended permit gre host 194.x.x.57 any 

access-list WAN_access_out remark Internal access to RTSP-Media Streaming servers on the internet - also requires TCP on same port.

access-list WAN_access_out extended permit udp any any eq 554 

access-list WAN_access_out remark Internal access to RTSP-Media Streaming servers on the internet - also requires UDP on same port.

access-list WAN_access_out extended permit tcp any any eq rtsp 

access-list WAN_access_out remark XXX LAN Access to remote users machines via Tight VNC

access-list WAN_access_out extended permit tcp any any eq 5900 

access-list WAN_access_out remark Allow port 80 HTTP access from XXX to internet - required for access to remote websites

access-list WAN_access_out extended permit tcp any any eq www 

access-list WAN_access_out remark Test Desk RDP connection

access-list WAN_access_out extended permit tcp any host 78.32.137.8 eq 3541 inactive 

access-list WAN_access_out extended permit tcp any any inactive 

access-list WAN_access_out extended permit udp any any inactive 

access-list WAN_access_out remark Default rule to block all traffic - subsequent rules allows traffic through

access-list WAN_access_out extended deny ip any any 

access-list WAN_access_in remark External access to XXX Backup WEB server.

access-list WAN_access_in remark 194.129.15.194 translated from 194.74.191.44 using one-to-one NAT (see NAT rules).

access-list WAN_access_in extended permit tcp any host 194.x.x.44 eq www 

access-list WAN_access_in remark Allow Port 1723 PPTP VPN Access from Internet to XXX VPN Server 194.129.15.207

access-list WAN_access_in remark translated on one-to-one NAT from 194.x.x.57

access-list WAN_access_in extended permit tcp any host 194.x.x.57 eq pptp 

access-list WAN_access_in remark Allow GRE protocol for PPTP VPN Access from Internet to XXX VPN Server 194.129.15.207

access-list WAN_access_in remark translated on one-to-one NAT from 194.x.x.57

access-list WAN_access_in extended permit gre any host 194.x.x.57 

access-list WAN_access_in remark Allow Internet to Ping XXX

access-list WAN_access_in extended permit icmp any any echo 

access-list WAN_access_in remark Allow Internet to Ping XXX - Public addresses only

access-list WAN_access_in extended permit icmp any any echo-reply 

access-list WAN_access_in remark Allow port 25 SMTP access to XXX Email server 194.129.15.206

access-list WAN_access_in remark translated from one-to-one NAT address 194.x.x.56

access-list WAN_access_in extended permit tcp any host 194.x.x.56 eq smtp 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 216.82.240.0 255.255.240.0 host 194.x.x.56 eq smtp 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 85.158.136.0 255.255.248.0 host 194.x.x.56 eq smtp 

access-list WAN_access_in remark messagelabd email in

access-list WAN_access_in extended permit tcp 193.109.254.0 255.255.254.0 host 194.x.x.56 eq smtp 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 194.106.220.0 255.255.254.0 host 194.x.x.56 eq smtp 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 195.245.230.0 255.255.254.0 host 194.x.x.56 eq smtp 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp host 212.125.74.44 host 194.x.x.56 eq smtp 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp host 195.216.16.211 host 194.x.x.56 eq smtp 

access-list WAN_access_in remark Allow port 80 HTTP access to XXX Web server at 194.129.15.211

access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.11

access-list WAN_access_in extended permit tcp any host 194.x.x.11 eq www 

access-list WAN_access_in remark Allow port 80 HTTP access to XXX Web server at 194.129.15.199

access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.49

access-list WAN_access_in extended permit tcp any host 194.x.x.49 eq www 

access-list WAN_access_in remark Allow port 443 HTTPS access to XXX Email Web server at 194.129.15.206

access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.56

access-list WAN_access_in extended permit tcp any host 194.x.x.56 eq https 

access-list WAN_access_in remark Allow port 80 HTTP access to XXX Email Web server at 194.129.15.206

access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.56

access-list WAN_access_in extended permit tcp any host 194.x.x.56 eq www 

access-list WAN_access_in remark Allow port 443 HTTPS access to XXX Web server at 194.129.15.211

access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.11

access-list WAN_access_in extended permit tcp any host 194.x.x.11 eq https 

access-list WAN_access_in remark Allow port 443 HTTPS access to XXX Web server at 194.129.15.199

access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.49

access-list WAN_access_in extended permit tcp any host 194.x.x.49 eq https 

access-list WAN_access_in extended permit udp any any eq ntp inactive 

access-list WAN_access_in extended permit tcp any host 194.x.x.25 eq 15401 

access-list WAN_access_in extended permit tcp any host 194.x.x.11 eq 3541 inactive 

access-list WAN_access_in extended permit tcp any any object-group CiscoVPN 

access-list management_nat0_outbound extended permit ip any 194.129.15.128 255.255.255.224 

access-list Inside_nat0_outbound extended permit ip any 194.129.15.128 255.255.255.224 

access-list outside_cryptomap_dyn_20 extended permit ip any 194.129.15.0 255.255.255.0 

no pager

logging enable

logging timestamp

logging list Email_Alerts level warnings

logging asdm informational

logging mail Email_Alerts

logging from-address FirewallLogs@XXX.co.uk

logging recipient-address FirewallLogs@XXX.co.uk level errors

logging class auth mail warnings 

logging class np mail warnings 

logging class sys mail warnings 

logging class vpdn mail warnings 

mtu WAN 1500

mtu LAN 1500

mtu management 1500

ip local pool VPN_IPS 194.129.15.140-194.129.15.150 mask 255.255.255.0

ip verify reverse-path interface WAN

failover

failover lan unit primary

failover lan interface LANFailover Ethernet0/2

failover key *****

failover replication http

failover link StateFailover Ethernet0/3

failover interface ip LANFailover 192.168.250.1 255.255.255.0 standby 192.168.250.2

failover interface ip StateFailover 192.168.251.1 255.255.255.0 standby 192.168.251.2

monitor-interface WAN

monitor-interface LAN

no monitor-interface management

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

global (WAN) 10 interface

nat (LAN) 0 access-list Inside_nat0_outbound

nat (LAN) 10 0.0.0.0 0.0.0.0

nat (management) 0 access-list management_nat0_outbound

nat (management) 10 0.0.0.0 0.0.0.0

static (LAN,WAN) 194.x.x.25 194.129.15.25 netmask 255.255.255.255 

static (LAN,WAN) 194.x.x.56 194.129.15.206 netmask 255.255.255.255 

static (LAN,WAN) 194.x.x.57 194.129.15.207 netmask 255.255.255.255 

static (LAN,WAN) 194.x.x.11 194.129.15.211 netmask 255.255.255.255 

static (LAN,WAN) 194.x.x.49 194.129.15.199 netmask 255.255.255.255 

static (LAN,WAN) 194.129.15.252 194.129.15.252 netmask 255.255.255.255 

static (LAN,WAN) 194.x.x.44 194.129.15.194 netmask 255.255.255.255 

access-group WAN_access_in in interface WAN

access-group WAN_access_out out interface WAN

route WAN 0.0.0.0 0.0.0.0 194.x.x.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa-server XXX_Tiger protocol radius

aaa-server XXX_Tiger (LAN) host 194.129.15.214

 timeout 5

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

 vpn-tunnel-protocol IPSec 

group-policy DfltGrpPolicy attributes

 banner none

 wins-server value 194.129.15.197

 dns-server value 194.129.15.203 194.129.15.198

 dhcp-network-scope none

 vpn-access-hours none

 vpn-simultaneous-logins 50

 vpn-idle-timeout 30

 vpn-session-timeout none

 vpn-filter none

 vpn-tunnel-protocol IPSec 

 password-storage disable

 ip-comp disable

 re-xauth enable

 group-lock none

 pfs enable

 ipsec-udp enable

 ipsec-udp-port 10000

 split-tunnel-policy tunnelall

 split-tunnel-network-list none

 default-domain none

 split-dns none

 intercept-dhcp 255.255.255.255 disable

 secure-unit-authentication disable

 user-authentication disable

 user-authentication-idle-timeout 30

 ip-phone-bypass disable

 leap-bypass disable

 nem disable

 backup-servers keep-client-config

 msie-proxy server none

 msie-proxy method no-modify

 msie-proxy except-list none

 msie-proxy local-bypass disable

 nac disable

 nac-sq-period 300

 nac-reval-period 36000

 nac-default-acl none

 address-pools none

 client-firewall none

 client-access-rule none

 webvpn

  functions url-entry

  html-content-filter none

  homepage none

  keep-alive-ignore 4

  http-comp gzip

  filter none

  url-list none

  customization value DfltCustomization

  port-forward none

  port-forward-name value Application Access

  sso-server none

  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information

  svc none

  svc keep-installer installed

  svc keepalive none

  svc rekey time none

  svc rekey method none

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc compression deflate

group-policy 81.x.x.154 internal

group-policy 81.x.x.154 attributes

 wins-server value 194.129.15.198

 dns-server value 194.129.15.203 194.129.15.198

 vpn-tunnel-protocol IPSec 

 group-lock value 81.x.x.154

 default-domain value ADROOT.XXX.CO.UK

username rob_admin password xxx encrypted privilege 15

username rob_admin attributes

 vpn-group-policy 81.x.x.154

 vpn-tunnel-protocol IPSec 

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto dynamic-map WAN_dyn_map 10 match address outside_cryptomap_dyn_20

crypto dynamic-map WAN_dyn_map 10 set transform-set ESP-DES-SHA ESP-3DES-SHA TRANS_ESP_3DES_SHA

crypto dynamic-map WAN_dyn_map 20 set pfs 

crypto dynamic-map WAN_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA

crypto dynamic-map WAN_dyn_map 40 set pfs 

crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 60 set pfs 

crypto dynamic-map WAN_dyn_map 60 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 80 set pfs 

crypto dynamic-map WAN_dyn_map 80 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 100 set pfs 

crypto dynamic-map WAN_dyn_map 100 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 120 set pfs 

crypto dynamic-map WAN_dyn_map 120 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 140 set pfs 

crypto dynamic-map WAN_dyn_map 140 set transform-set TRANS_ESP_3DES_SHA

crypto dynamic-map management_dyn_map 20 set pfs 

crypto dynamic-map management_dyn_map 20 set transform-set ESP-DES-SHA

crypto dynamic-map management_dyn_map 40 set pfs 

crypto dynamic-map management_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map management_dyn_map 60 set pfs 

crypto dynamic-map management_dyn_map 60 set transform-set TRANS_ESP_3DES_SHA

crypto dynamic-map management_dyn_map 80 set pfs 

crypto dynamic-map management_dyn_map 80 set transform-set ESP-3DES-SHA

crypto dynamic-map management_dyn_map 100 set pfs 

crypto dynamic-map management_dyn_map 100 set transform-set ESP-3DES-SHA

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map

crypto map WAN_map interface WAN

crypto map management_map 65535 ipsec-isakmp dynamic management_dyn_map

crypto map management_map interface management

crypto isakmp enable WAN

crypto isakmp enable management

crypto isakmp policy 10

 authentication pre-share

 encryption des

 hash sha

 group 1

 lifetime 86400

crypto isakmp policy 30

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto isakmp nat-traversal  20

crypto isakmp ipsec-over-tcp port 10000 

tunnel-group DefaultRAGroup general-attributes

 address-pool VPN_IPS

 default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

 pre-shared-key *

 peer-id-validate nocheck

tunnel-group DefaultRAGroup ppp-attributes

 authentication ms-chap-v2

tunnel-group 81.x.x.154 type ipsec-ra

tunnel-group 81.x.x.154 general-attributes

 address-pool VPN_IPS

 default-group-policy 81.x.x.154

tunnel-group 81.x.x.154 ipsec-attributes

 pre-shared-key *

 peer-id-validate nocheck

tunnel-group 81.x.x.154 ppp-attributes

 no authentication chap

 no authentication ms-chap-v1

vpn-sessiondb max-session-limit 250

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map global_policy

 class inspection_default

  inspect ftp 

!

service-policy global_policy global

ntp server 130.88.202.49 source WAN prefer

prompt hostname context 

Cryptochecksum:67276e1f60834cb3b3122fd7fe492bbc

: end
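With a config this long it helps to pull out just the remote-access pieces before reading the answers. The following Python script is an added example, not part of the question and not a Cisco tool: it parses the interface addresses, the `ip local pool`, the `nat (LAN) 0` exemption ACL and the `split-tunnel-policy` from an excerpt of the config above (lines whose addresses the poster masked as `194.x.x.*` are left out), then reports the facts a reviewer checks first when clients receive a pool address but cannot reach the LAN: whether the pool sits inside the LAN interface's own subnet (here 194.129.15.140-150 lies within 194.129.15.0/24, so the ASA has to answer ARP for those addresses on the LAN segment), whether the NAT exemption covers every pool address, and which split-tunnel policy the default group policy applies.

```python
"""Cross-check the remote-access VPN pieces of an ASA 7.x configuration.

Parses interface addresses, the VPN address pool, the nat-0 exemption ACL and
the split-tunnel policy, then answers the questions a reviewer asks first when
VPN clients get an address but cannot reach the inside LAN.
"""
import ipaddress
import re

# Lines excerpted from the config posted in the question (interfaces whose
# addresses were masked with "x" are omitted); this is not the full config.
ASA_EXCERPT = """\
interface Ethernet0/1
 nameif LAN
 security-level 50
 ip address 194.129.15.252 255.255.255.0 standby 194.129.15.251
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.7
!
access-list Inside_nat0_outbound extended permit ip any 194.129.15.128 255.255.255.224
ip local pool VPN_IPS 194.129.15.140-194.129.15.150 mask 255.255.255.0
nat (LAN) 0 access-list Inside_nat0_outbound
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_IPS
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip any (\S+) (\S+)")


def parse_asa(text):
    """Collect interfaces, pools, nat-0 bindings, ACL networks and split-tunnel policies."""
    cfg = {"interfaces": {}, "pools": {}, "nat0": {}, "acls": {}, "split": {}}
    section = None   # "interface" or "group-policy" while inside such a block
    name = None      # nameif of the current interface, or the group-policy name
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # Top-level command: note which block we are entering, then match one-liners.
            words = line.split()
            if line.startswith("interface "):
                section, name = "interface", None
            elif line.startswith("group-policy ") and line.endswith(" attributes"):
                section, name = "group-policy", words[1]
            else:
                section = None
            m = POOL_RE.match(line)
            if m:
                cfg["pools"][m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
                continue
            m = NAT0_RE.match(line)
            if m:
                cfg["nat0"][m[1]] = m[2]
                continue
            m = ACL_RE.match(line)
            if m:
                cfg["acls"].setdefault(m[1], []).append(
                    ipaddress.IPv4Network((m[2], m[3]), strict=False))
            continue
        words = line.split()
        if section == "interface":
            if words[0] == "nameif":
                name = words[1]
            elif words[:2] == ["ip", "address"] and name:
                cfg["interfaces"][name] = ipaddress.IPv4Interface((words[2], words[3]))
        elif section == "group-policy" and words[0] == "split-tunnel-policy":
            cfg["split"][name] = words[1]
    return cfg


def pool_inside_interface_subnet(cfg, pool_name):
    """Return the nameif whose connected subnet contains the whole pool, or None."""
    start, end = cfg["pools"][pool_name]
    for nameif, iface in cfg["interfaces"].items():
        if start in iface.network and end in iface.network:
            return nameif
    return None


def pool_exempt_from_nat(cfg, pool_name, nameif):
    """True when every address of the pool is matched by the nat 0 ACL bound to nameif."""
    acl = cfg["nat0"].get(nameif)
    nets = cfg["acls"].get(acl, []) if acl else []
    start, end = cfg["pools"][pool_name]
    return all(any(ipaddress.IPv4Address(n) in net for net in nets)
               for n in range(int(start), int(end) + 1))


def review(text):
    """Human-readable findings for the remote-access parts of the config."""
    cfg = parse_asa(text)
    findings = []
    for pool in cfg["pools"]:
        nameif = pool_inside_interface_subnet(cfg, pool)
        if nameif:
            net = cfg["interfaces"][nameif].network
            findings.append(f"pool {pool} lies inside the {nameif} subnet {net}; "
                            f"the ASA must proxy-ARP for it on that segment")
            findings.append(f"nat 0 exemption on {nameif} covers pool {pool}: "
                            f"{pool_exempt_from_nat(cfg, pool, nameif)}")
    for gp, policy in cfg["split"].items():
        findings.append(f"group-policy {gp}: split-tunnel-policy {policy}")
    return findings


if __name__ == "__main__":
    for finding in review(ASA_EXCERPT):
        print(finding)
```

Run against the excerpt it reports that VPN_IPS lies inside the LAN subnet, that Inside_nat0_outbound (194.129.15.128/27) does cover all eleven pool addresses, and that DfltGrpPolicy uses `tunnelall`, which is the policy the experts below suggest changing.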

Question by: robclarke41

17 Comments
 
Expert Comment by TheCapedPlodder (LVL 13)
I'm not conversant with ASA config but it sounds like your default gateway is changing on the local machine once you're connected to the VPN and this means no traffic is being sent to the local LAN.  You need to implement split tunneling so that traffic bound for the other end of the VPN gets routed via the VPN and all other traffic gets routed locally.
0
 
Author Comment by robclarke41 (LVL 1)
Thanks for responding - do you have any idea how I would do this?

Cheers

Rob
0
 
Expert Comment by TheCapedPlodder (LVL 13)
As I fessed up early on, I'm not an ASA expert; I just hoped my two penn'orth would give you some clue as to how to proceed!

Cheers,

TCP
0
 
Expert Comment by rowansmith (LVL 11)
This document provides step-by-step instructions on how to allow Cisco VPN Clients to only access their local LAN while tunneled into a Cisco ASA 5500 Series Security Appliance or PIX 500 Series Security Appliance. This configuration allows VPN Clients secure access to corporate resources via IPsec and still gives the client the ability to carry out activities like printing wherever the client is located. If it is permitted, traffic destined for the Internet is still tunneled to the ASA or PIX.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml
0
 
Expert Comment by rowansmith (LVL 11)
This document provides step-by-step instructions on how to allow VPN Clients access to the Internet while they are tunneled into a Cisco Adaptive Security Appliance (ASA) 5500 Series Security Appliance. This configuration allows VPN Clients secure access to corporate resources via IPsec while giving unsecured access to the Internet.

Warning: Split tunneling can pose a security risk when configured. Because VPN Clients have unsecured access to the Internet, they can be compromised by an attacker. That attacker might then be able to access the corporate LAN via the IPsec tunnel. A compromise between full tunneling and split tunneling can be to allow VPN Clients local LAN access only. Refer to PIX/ASA 7.x: Allow Local LAN Access for VPN Clients Configuration Example for more information.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
0
 
Author Comment by robclarke41 (LVL 1)
Hi There,

I followed the instructions and configured the split tunnelling, and now on the client I can see '194.129.15.0' under route details, but I still can't connect to any devices on the LAN. My default gateway for the VPN connection is showing as 194.129.15.1 when it should be 194.129.15.252 - is this what's causing the problem?

Regards

Rob
0
 
Expert Comment by TheCapedPlodder (LVL 13)
That'll be it.  You need the default gateway to be correct.
0
 
Author Comment by robclarke41 (LVL 1)
Damn, I'm really struggling here - anyone have any idea why my default gateway is incorrect?
0

 
Author Comment by robclarke41 (LVL 1)
Do I need to change a setting in the 'Default Tunnel Gateway' section? When I go here it says 'To configure default tunnel gateway go to Static Route'.
0
 
Expert Comment by rowansmith (LVL 11)
Can you please post the output of your routing table on your VPN client when the VPN is connected?

netstat -rn

Also please paste another copy of the ASA Config now that you have split tunneling set up as per the document I supplied above.

By the way which one did you go for?  Local LAN Split Tunnel?  (The first document) Or Internet Split Tunnel (The second document)?

-Rowan
0
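Rowan asks for the client's routing table because that is where the behaviour TheCapedPlodder described (the default gateway moving onto the VPN adapter, and the split-tunnel routes that are meant to send only corporate traffic through the tunnel) becomes visible. As an added example that is not part of this thread, the Python script below reads `route print` / `netstat -rn` output in the Windows XP layout and applies the rule Windows uses to choose a route: longest prefix match first, lowest metric as the tie-breaker. It then says for each destination whether the packet leaves through the VPN adapter or the physical NIC. The table is constructed for the example (two competing routes for the corporate LAN, a physical NIC at 192.168.0.3 and a VPN adapter at 194.129.15.140 are assumptions, not data from the thread).

```python
"""Which route does a Windows VPN client use for a given destination?

Reads "route print" / "netstat -rn" style output and applies the host's
selection rule: longest prefix match first, lowest metric as the tie-breaker.
"""
import ipaddress

# Constructed sample in the Windows XP "route print" layout: the physical NIC is
# 192.168.0.3 on a home LAN, the VPN adapter was assigned 194.129.15.140, and the
# corporate LAN 194.129.15.0/24 appears twice with different metrics.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     194.129.15.1  194.129.15.140       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.3     192.168.0.3       25
     194.129.15.0    255.255.255.0   194.129.15.140  194.129.15.140       25
     194.129.15.0    255.255.255.0      192.168.0.1     192.168.0.3       1
   194.129.15.140  255.255.255.255        127.0.0.1       127.0.0.1       25
Default Gateway:      194.129.15.1
"""

VPN_ADAPTER = "194.129.15.140"   # assumed address of the VPN adapter in the sample


def parse_route_print(text):
    """Return a list of route dicts; header, separator and summary lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # only "dest mask gateway interface metric" rows
            continue
        try:
            route = {
                "network": ipaddress.IPv4Network((parts[0], parts[1]), strict=False),
                "gateway": ipaddress.IPv4Address(parts[2]),
                "interface": ipaddress.IPv4Address(parts[3]),
                "metric": int(parts[4]),
            }
        except ValueError:           # a five-word line that is not a route
            continue
        routes.append(route)
    return routes


def best_route(routes, destination):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def exits_via(routes, destination, vpn_adapter=VPN_ADAPTER):
    """'tunnel' if the chosen route leaves through the VPN adapter, else 'local'."""
    route = best_route(routes, destination)
    if route is None:
        return "unreachable"
    return "tunnel" if str(route["interface"]) == vpn_adapter else "local"


def competing_prefixes(routes):
    """Prefixes with more than one route: the places where the metric decides."""
    seen = {}
    for r in routes:
        seen.setdefault(r["network"], []).append(r)
    return {str(net): rs for net, rs in seen.items() if len(rs) > 1}


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    for dst in ("194.129.15.203", "192.168.0.10", "8.8.8.8"):
        r = best_route(table, dst)
        print(f"{dst:>15} -> {r['network']} via {r['gateway']} on {r['interface']} "
              f"metric {r['metric']} ({exits_via(table, dst)})")
    for net, rs in competing_prefixes(table).items():
        print(f"competing routes for {net}: "
              + ", ".join(f"{r['gateway']} metric {r['metric']}" for r in rs))
```

In the constructed table the corporate LAN prefix is present twice, and the metric-1 entry pointing at the local gateway beats the metric-25 entry on the VPN adapter, so a packet for 194.129.15.203 leaves through the physical NIC even though a tunnel route exists. Checking a real client's table the same way (paste the output into `SAMPLE_ROUTE_PRINT` and set `VPN_ADAPTER` to the assigned address) shows at a glance which destinations the tunnel really carries.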
 
Author Comment by robclarke41 (LVL 1)
Hi Rowan,

Here's the routing table from the client:

Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x3 ...00 0e 35 00 9b 2f ...... Intel(R) PRO/Wireless 2200BG Network Connection - Packet Scheduler Miniport
0x30002 ...08 00 46 cd 04 3e ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
0x30004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     194.129.15.1  194.129.15.140       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.3     192.168.0.3       25
      192.168.0.0    255.255.255.0     194.129.15.1  194.129.15.140       25
      192.168.0.1  255.255.255.255      192.168.0.3     192.168.0.3       1
      192.168.0.3  255.255.255.255        127.0.0.1       127.0.0.1       25
    192.168.0.255  255.255.255.255      192.168.0.3     192.168.0.3       25
     194.36.23.62  255.255.255.255      192.168.0.1     192.168.0.3       1
     194.129.15.0    255.255.255.0   194.129.15.140  194.129.15.140       25
     194.129.15.0    255.255.255.0      192.168.0.1     192.168.0.3       1
   194.129.15.140  255.255.255.255        127.0.0.1       127.0.0.1       25
   194.129.15.255  255.255.255.255   194.129.15.140  194.129.15.140       25
        224.0.0.0        240.0.0.0      192.168.0.3     192.168.0.3       25
        224.0.0.0        240.0.0.0   194.129.15.140  194.129.15.140       25
  255.255.255.255  255.255.255.255      192.168.0.3     192.168.0.3       1
  255.255.255.255  255.255.255.255      192.168.0.3           30002       1
  255.255.255.255  255.255.255.255   194.129.15.140  194.129.15.140       1
Default Gateway:      194.129.15.1
===========================================================================
Persistent Routes:
  None

and the ASA config is attached as a code snippet:

I used the first document and configured the local LAN split tunnel - any help would be most welcome!

Cheers

Rob
ASA Version 7.2(2) 

!

hostname XXXciscoasa

domain-name adroot.XXX.co.uk

enable password xxx encrypted

names

!

interface Ethernet0/0

 nameif WAN

 security-level 0

 ip address 194.x.x.62 255.255.255.0 standby 194.x.x.63 

!

interface Ethernet0/1

 nameif LAN

 security-level 50

 ip address 194.129.15.252 255.255.255.0 standby 194.129.15.251 

!

interface Ethernet0/2

 description LAN Failover Interface

!

interface Ethernet0/3

 description STATE Failover Interface

!

interface Management0/0

 nameif management

 security-level 100

 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.7 

 management-only

!

passwd xxx encrypted

boot system disk0:/asa722k8.bin

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns server-group DefaultDNS

 domain-name adroot.XXX.co.uk

object-group service FilemakerPro tcp-udp

 port-object range 5003 5003

object-group service CiscoVPN tcp

 description CiscoVPN allow ports 4500, 500

 port-object range 500 500

 port-object range 4500 4500

access-list WAN_access_out extended permit ip any any inactive 

access-list WAN_access_out extended permit udp any any eq ntp 

access-list WAN_access_out extended permit tcp any any eq 123 inactive 

access-list WAN_access_out remark Allow port 445 SMB MS File Sharing access to remote NAS device at James' Home

access-list WAN_access_out extended permit tcp interface WAN host 91.84.29.97 eq 445 

access-list WAN_access_out extended permit tcp any any eq ssh inactive 

access-list WAN_access_out remark Planning - Charnwood related documents link

access-list WAN_access_out extended permit tcp interface WAN host 193.129.245.154 eq 34965 

access-list WAN_access_out remark Planning - Barnet

access-list WAN_access_out extended permit tcp interface WAN host 195.171.200.80 eq 7778 

access-list WAN_access_out remark Planning - Breckland

access-list WAN_access_out extended permit tcp interface WAN host 212.240.79.100 eq 7778 

access-list WAN_access_out remark Planning website - havering.gov.uk

access-list WAN_access_out extended permit tcp any host 62.172.223.20 eq 7783 

access-list WAN_access_out remark Planning website - access to barking and dagenham

access-list WAN_access_out extended permit tcp interface WAN host 212.85.19.44 eq 8081 

access-list WAN_access_out remark Planning website - access to northamptonboroughcouncil.com

access-list WAN_access_out extended permit tcp interface WAN host 83.100.223.135 eq 8099 

access-list WAN_access_out remark Allow port 5003 file maker pro access to bulwein server - Bulwein allow access from our gateway IP

access-list WAN_access_out extended permit tcp any host 195.30.62.92 eq 5003 

access-list WAN_access_out remark Planning Website - Castle Morpeth Borough Council

access-list WAN_access_out extended permit tcp interface WAN host 195.224.122.231 eq 5757 

access-list WAN_access_out remark Planning website - St Helens Council

access-list WAN_access_out extended permit tcp any host 212.248.225.150 eq 7777 

access-list WAN_access_out remark planning

access-list WAN_access_out remark Planning Website - Uttlesford District Council

access-list WAN_access_out extended permit tcp any host 213.121.206.247 eq 7778 

access-list WAN_access_out remark planning

access-list WAN_access_out remark Planning Website - Ellesmere Port & Neston Borough Council

access-list WAN_access_out extended permit tcp any host 193.133.69.117 eq 7778 

access-list WAN_access_out remark Planning - Hartlepool

access-list WAN_access_out extended permit tcp interface WAN host 195.172.81.205 eq 7777 

access-list WAN_access_out remark planning

access-list WAN_access_out remark Planning Website - Arun District Council

access-list WAN_access_out extended permit tcp any host 195.224.159.100 eq 7778 

access-list WAN_access_out remark Planning Website - Maidstone Council

access-list WAN_access_out extended permit tcp any host 195.188.250.22 eq 8070 

access-list WAN_access_out remark Allow port 25 SMTP access from XXX to the Internet - in reality XXXs Exchange server only sends

access-list WAN_access_out remark outbound email to Messagelabs European cluster (set under SMTP connector on Exchange server)

access-list WAN_access_out extended permit tcp host 194.x.x.56 any eq smtp 

access-list WAN_access_out remark Allow UDP Port 53 DNS access from XXX to Internet

access-list WAN_access_out extended permit udp any any eq domain 

access-list WAN_access_out remark Allow TCP Port 53 DNS access from XXX to Internet

access-list WAN_access_out extended permit tcp any any eq domain 

access-list WAN_access_out remark Allow port 21 FTP access from XXX to Internet

access-list WAN_access_out extended permit tcp any any eq ftp 

access-list WAN_access_out extended permit tcp interface WAN any eq ftp-data inactive 

access-list WAN_access_out remark Allow XXX to Ping Internet

access-list WAN_access_out extended permit icmp any any echo 

access-list WAN_access_out remark Allow XXX to Ping Internet

access-list WAN_access_out extended permit icmp any any echo-reply 

access-list WAN_access_out remark Allow UDP Port 500 IKE key exchange for secure connections from XXX to Internet

access-list WAN_access_out extended permit udp any any eq isakmp 

access-list WAN_access_out remark Allow port 443 HTTPS secure access from XXX to Internet

access-list WAN_access_out extended permit tcp any any eq https 

access-list WAN_access_out remark Allow port 8080 HTTP access from XXX to Internet

access-list WAN_access_out remark Used for access to remote XXX routers and other websites (planning sites)

access-list WAN_access_out extended permit tcp any any eq 8080 

access-list WAN_access_out remark Allow port 1755 windows media player access from XXX to internet for website video streaming

access-list WAN_access_out extended permit tcp any any eq 1755 

access-list WAN_access_out remark Allow GRE from XXX VPN server to remote VPN users

access-list WAN_access_out extended permit gre host 194.x.x.57 any 

access-list WAN_access_out remark Internal access to RTSP-Media Streaming servers on the internet - also requires TCP on same port.

access-list WAN_access_out extended permit udp any any eq 554 

access-list WAN_access_out remark Internal access to RTSP-Media Streaming servers on the internet - also requires UDP on same port.

access-list WAN_access_out extended permit tcp any any eq rtsp 

access-list WAN_access_out remark XXX LAN Access to remote users machines via Tight VNC

access-list WAN_access_out extended permit tcp any any eq 5900 

access-list WAN_access_out remark Allow port 80 HTTP access from XXX to internet - required for access to remote websites

access-list WAN_access_out extended permit tcp any any eq www 

access-list WAN_access_out remark Test Desk RDP connection

access-list WAN_access_out extended permit tcp any host 78.32.137.8 eq 3541 inactive 

access-list WAN_access_out extended permit tcp any any inactive 

access-list WAN_access_out extended permit udp any any inactive 

access-list WAN_access_out remark Default rule to block all traffic - subsequent rules allows traffic through

access-list WAN_access_out extended deny ip any any 

access-list WAN_access_in remark External access to XXX Backup WEB server.

access-list WAN_access_in remark 194.129.15.194 translated from 194.74.191.44 using one-to-one NAT (see NAT rules).

access-list WAN_access_in extended permit tcp any host 194.x.x.44 eq www 

access-list WAN_access_in remark Allow Port 1723 PPTP VPN Access from Internet to XXX VPN Server 194.129.15.207

access-list WAN_access_in remark translated on one-to-one NAT from 194.x.x.57

access-list WAN_access_in extended permit tcp any host 194.x.x.57 eq pptp 

access-list WAN_access_in remark Allow GRE protocol for PPTP VPN Access from Internet to XXX VPN Server 194.129.15.207

access-list WAN_access_in remark translated on one-to-one NAT from 194.x.x.57

access-list WAN_access_in extended permit gre any host 194.x.x.57 

access-list WAN_access_in remark Allow Internet to Ping XXX

access-list WAN_access_in extended permit icmp any any echo 

access-list WAN_access_in remark Allow Internet to Ping XXX - Public addresses only

access-list WAN_access_in extended permit icmp any any echo-reply 

access-list WAN_access_in remark Allow port 25 SMTP access to XXX Email server 194.129.15.206

access-list WAN_access_in remark translated from one-to-one NAT address 194.x.x.56

access-list WAN_access_in extended permit tcp any host 194.x.x.56 eq smtp 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 216.82.240.0 255.255.240.0 host 194.x.x.56 eq smtp 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 85.158.136.0 255.255.248.0 host 194.x.x.56 eq smtp 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 193.109.254.0 255.255.254.0 host 194.x.x.56 eq smtp 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 194.106.220.0 255.255.254.0 host 194.x.x.56 eq smtp 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp 195.245.230.0 255.255.254.0 host 194.x.x.56 eq smtp 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp host 212.125.74.44 host 194.x.x.56 eq smtp 

access-list WAN_access_in remark messagelabs email in

access-list WAN_access_in extended permit tcp host 195.216.16.211 host 194.x.x.56 eq smtp 

access-list WAN_access_in remark Allow port 80 HTTP access to XXX Web server at 194.129.15.211

access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.11

access-list WAN_access_in extended permit tcp any host 194.x.x.11 eq www 

access-list WAN_access_in remark Allow port 80 HTTP access to XXX Web server at 194.129.15.199

access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.49

access-list WAN_access_in extended permit tcp any host 194.x.x.49 eq www 

access-list WAN_access_in remark Allow port 443 HTTPS access to XXX Email Web server at 194.129.15.206

access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.56

access-list WAN_access_in extended permit tcp any host 194.x.x.56 eq https 

access-list WAN_access_in remark Allow port 80 HTTP access to XXX Email Web server at 194.129.15.206

access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.56

access-list WAN_access_in extended permit tcp any host 194.x.x.56 eq www 

access-list WAN_access_in remark Allow port 443 HTTPS access to XXX Web server at 194.129.15.211

access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.11

access-list WAN_access_in extended permit tcp any host 194.x.x.11 eq https 

access-list WAN_access_in remark Allow port 443 HTTPS access to XXX Web server at 194.129.15.199

access-list WAN_access_in remark translated from one-to-one NAT address of 194.x.x.49

access-list WAN_access_in extended permit tcp any host 194.x.x.49 eq https 

access-list WAN_access_in extended permit udp any any eq ntp inactive 

access-list WAN_access_in extended permit tcp any host 194.x.x.25 eq 15401 

access-list WAN_access_in extended permit tcp any host 194.x.x.11 eq 3541 inactive 

access-list WAN_access_in extended permit tcp any any object-group CiscoVPN 

access-list management_nat0_outbound extended permit ip any 194.129.15.128 255.255.255.224 

access-list Inside_nat0_outbound extended permit ip any 194.129.15.128 255.255.255.224 

access-list outside_cryptomap_dyn_20 extended permit ip any 194.129.15.0 255.255.255.0 

access-list XXX_VPN_ACL remark XXX Lan

access-list XXX_VPN_ACL standard permit 194.129.15.0 255.255.255.0 

no pager

logging enable

logging timestamp

logging list Email_Alerts level warnings

logging asdm informational

logging mail Email_Alerts

logging from-address FirewallLogs@XXX.co.uk

logging recipient-address FirewallLogs@XXX.co.uk level errors

logging class auth mail warnings 

logging class np mail warnings 

logging class sys mail warnings 

logging class vpdn mail warnings 

mtu WAN 1500

mtu LAN 1500

mtu management 1500

ip local pool VPN_IPS 194.129.15.140-194.129.15.150 mask 255.255.255.0

ip local pool VPN_XXX 192.168.0.2-192.168.0.10 mask 255.255.255.0

ip verify reverse-path interface WAN

failover

failover lan unit primary

failover lan interface LANFailover Ethernet0/2

failover key *****

failover replication http

failover link StateFailover Ethernet0/3

failover interface ip LANFailover 192.168.250.1 255.255.255.0 standby 192.168.250.2

failover interface ip StateFailover 192.168.251.1 255.255.255.0 standby 192.168.251.2

monitor-interface WAN

monitor-interface LAN

no monitor-interface management

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat-control

global (WAN) 10 interface

nat (LAN) 0 access-list Inside_nat0_outbound

nat (LAN) 10 0.0.0.0 0.0.0.0

nat (management) 0 access-list management_nat0_outbound

nat (management) 10 0.0.0.0 0.0.0.0

static (LAN,WAN) 194.x.x.25 194.129.15.25 netmask 255.255.255.255 

static (LAN,WAN) 194.x.x.56 194.129.15.206 netmask 255.255.255.255 

static (LAN,WAN) 194.x.x.57 194.129.15.207 netmask 255.255.255.255 

static (LAN,WAN) 194.x.x.11 194.129.15.211 netmask 255.255.255.255 

static (LAN,WAN) 194.x.x.49 194.129.15.199 netmask 255.255.255.255 

static (LAN,WAN) 194.129.15.252 194.129.15.252 netmask 255.255.255.255 

static (LAN,WAN) 194.x.x.44 194.129.15.194 netmask 255.255.255.255 

access-group WAN_access_in in interface WAN

access-group WAN_access_out out interface WAN

route WAN 0.0.0.0 0.0.0.0 194.x.x.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

aaa-server XXX_Tiger protocol radius

aaa-server XXX_Tiger (LAN) host 194.129.15.214

 timeout 5

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

 vpn-tunnel-protocol IPSec 

group-policy DfltGrpPolicy attributes

 banner none

 wins-server value 194.129.15.197

 dns-server value 194.129.15.203 194.129.15.198

 dhcp-network-scope none

 vpn-access-hours none

 vpn-simultaneous-logins 50

 vpn-idle-timeout 30

 vpn-session-timeout none

 vpn-filter none

 vpn-tunnel-protocol IPSec 

 password-storage disable

 ip-comp disable

 re-xauth enable

 group-lock none

 pfs enable

 ipsec-udp enable

 ipsec-udp-port 10000

 split-tunnel-policy tunnelall

 split-tunnel-network-list none

 default-domain none

 split-dns none

 intercept-dhcp 255.255.255.255 disable

 secure-unit-authentication disable

 user-authentication disable

 user-authentication-idle-timeout 30

 ip-phone-bypass disable

 leap-bypass disable

 nem disable

 backup-servers keep-client-config

 msie-proxy server none

 msie-proxy method no-modify

 msie-proxy except-list none

 msie-proxy local-bypass disable

 nac disable

 nac-sq-period 300

 nac-reval-period 36000

 nac-default-acl none

 address-pools none

 client-firewall none

 client-access-rule none

 webvpn

  functions url-entry

  html-content-filter none

  homepage none

  keep-alive-ignore 4

  http-comp gzip

  filter none

  url-list none

  customization value DfltCustomization

  port-forward none

  port-forward-name value Application Access

  sso-server none

  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information

  svc none

  svc keep-installer installed

  svc keepalive none

  svc rekey time none

  svc rekey method none

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc compression deflate

group-policy 81.x.x.154 internal

group-policy 81.x.x.154 attributes

 wins-server value 194.129.15.198

 dns-server value 194.129.15.203 194.129.15.198

 vpn-tunnel-protocol IPSec 

 group-lock value 81.137.240.154

 ipsec-udp enable

 split-tunnel-policy excludespecified

 split-tunnel-network-list value XXX_VPN_ACL

 default-domain value ADROOT.XXX.CO.UK

username rob_admin password oPv83W5h./yuqWL. encrypted privilege 15

username rob_admin attributes

 vpn-group-policy 81.137.240.154

 vpn-tunnel-protocol IPSec 

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto dynamic-map WAN_dyn_map 10 match address outside_cryptomap_dyn_20

crypto dynamic-map WAN_dyn_map 10 set transform-set ESP-DES-SHA ESP-3DES-SHA TRANS_ESP_3DES_SHA

crypto dynamic-map WAN_dyn_map 20 set pfs 

crypto dynamic-map WAN_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA

crypto dynamic-map WAN_dyn_map 40 set pfs 

crypto dynamic-map WAN_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 60 set pfs 

crypto dynamic-map WAN_dyn_map 60 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 80 set pfs 

crypto dynamic-map WAN_dyn_map 80 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 100 set pfs 

crypto dynamic-map WAN_dyn_map 100 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 120 set pfs 

crypto dynamic-map WAN_dyn_map 120 set transform-set ESP-3DES-SHA

crypto dynamic-map WAN_dyn_map 140 set pfs 

crypto dynamic-map WAN_dyn_map 140 set transform-set TRANS_ESP_3DES_SHA

crypto dynamic-map management_dyn_map 20 set pfs 

crypto dynamic-map management_dyn_map 20 set transform-set ESP-DES-SHA

crypto dynamic-map management_dyn_map 40 set pfs 

crypto dynamic-map management_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map management_dyn_map 60 set pfs 

crypto dynamic-map management_dyn_map 60 set transform-set TRANS_ESP_3DES_SHA

crypto dynamic-map management_dyn_map 80 set pfs 

crypto dynamic-map management_dyn_map 80 set transform-set ESP-3DES-SHA

crypto dynamic-map management_dyn_map 100 set pfs 

crypto dynamic-map management_dyn_map 100 set transform-set ESP-3DES-SHA

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map WAN_map 65535 ipsec-isakmp dynamic WAN_dyn_map

crypto map WAN_map interface WAN

crypto map management_map 65535 ipsec-isakmp dynamic management_dyn_map

crypto map management_map interface management

crypto isakmp enable WAN

crypto isakmp enable management

crypto isakmp policy 10

 authentication pre-share

 encryption des

 hash sha

 group 1

 lifetime 86400

crypto isakmp policy 30

 authentication pre-share

 encryption 3des

 hash sha

 group 2

 lifetime 86400

crypto isakmp nat-traversal  20

crypto isakmp ipsec-over-tcp port 10000 

tunnel-group DefaultRAGroup general-attributes

 address-pool VPN_IPS

 default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

 pre-shared-key *

 peer-id-validate nocheck

tunnel-group DefaultRAGroup ppp-attributes

 authentication ms-chap-v2

tunnel-group 81.x.x.154 type ipsec-ra

tunnel-group 81.x.x.154 general-attributes

 address-pool VPN_IPS

 default-group-policy 81.x.x.154

tunnel-group 81.x.x.154 ipsec-attributes

 pre-shared-key *

 peer-id-validate nocheck

tunnel-group 81.x.x.154 ppp-attributes

 no authentication chap

 no authentication ms-chap-v1

vpn-sessiondb max-session-limit 250

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

 match default-inspection-traffic

!

!

policy-map global_policy

 class inspection_default

  inspect ftp 

!

service-policy global_policy global

ntp server 130.88.202.49 source WAN prefer

prompt hostname context 

Cryptochecksum:4029d5b426925ff94b7eb0a8125a652f

: end


0
 
LVL 7

Expert Comment

by:vishal_impact
Hi,
I think the DG should be the one it's set up to.
Can you tell me the OS you are working on?
Thanks,
Vish
0
 
LVL 1

Author Comment

by:robclarke41
Hi Vish, I'm not sure what you mean? The client OS is Windows XP.

0
 
LVL 2

Expert Comment

by:litmuslogic
Rob, I am sorry, I am coming to this kind of late in the conversation, but still let me ask:  when you say you cannot reach any of the servers on the LAN, do you mean that once the VPN connection is established you cannot reach any of the devices (servers, other comps) on your LOCAL LAN?  Or are you talking about the network that is on the other end of the tunnel and that you cannot reach any of the servers on THAT OTHER SIDE LAN?
0
 
LVL 11

Expert Comment

by:rowansmith
He is trying to access the local LAN.  He has applied the instructions as supplied in post ID:21854761 above.

I don't know why the ASA is dishing out the wrong Default Gateway.

Have you tried manually overriding the gateway with a route command to ensure that everything works and all it is is an incorrect route?  This might be a good first step to ensure that the tunnel is operating correctly; then perhaps you can start a new thread querying why the default route is getting advertised wrongly.

-Rowan
0
 
LVL 2

Expert Comment

by:adminnrg
Looking at your ASA config, I don't see where you have established the default gateway. I do see that you have a Static NAT rule for 194.129.15.252 where you've NAT'ed the address to itself. It's early and my mind is foggy but I'm not sure why you've done that. As far as which DG the ASA hands out, it can be set up to hand out a "global" DG address, or a specific one per tunnel group.

Just an FYI, split tunneling is a no-no if network security is paramount.
0
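Two things adminnrg's comment turns on (which subnet the VPN clients land in, and whether the LAN side is exempt from NAT for them) can be checked mechanically against the posted config rather than by eye. The script below is an added example, not code from the thread: it parses the `interface`, `ip local pool` and `nat (LAN) 0` lines quoted from the config above (the excerpt is constructed from those lines only) and reports, per pool, whether the pool sits inside the LAN subnet and whether the NAT-exemption ACL covers every pool address.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 7.2(2) config posted in the question; only the
# lines this check needs are kept, values exactly as they appear on the page.
ASA_CONFIG = """\
interface Ethernet0/1
 nameif LAN
 ip address 194.129.15.252 255.255.255.0 standby 194.129.15.251
access-list Inside_nat0_outbound extended permit ip any 194.129.15.128 255.255.255.224
ip local pool VPN_IPS 194.129.15.140-194.129.15.150 mask 255.255.255.0
ip local pool VPN_XXX 192.168.0.2-192.168.0.10 mask 255.255.255.0
nat (LAN) 0 access-list Inside_nat0_outbound
"""


def parse_interfaces(cfg):
    """Map each nameif to the connected subnet of its 'ip address' line."""
    nets, nameif = {}, None
    for tok in map(str.split, cfg.splitlines()):
        if tok[:1] == ["interface"]:
            nameif = None                      # new block, forget the old name
        elif tok[:1] == ["nameif"]:
            nameif = tok[1]
        elif tok[:2] == ["ip", "address"] and nameif:
            nets[nameif] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}").network
    return nets


def parse_pools(cfg):
    """Map each 'ip local pool' name to its (first, last) address."""
    pat = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+", re.MULTILINE)
    return {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
            for m in pat.finditer(cfg)}


def _take_addr(tok):
    """Consume one ASA address spec ('any', 'host A' or 'A MASK') from tok."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def nat0_destinations(cfg, iface):
    """Destination networks exempted from NAT by 'nat (iface) 0 access-list'."""
    m = re.search(rf"^nat \({re.escape(iface)}\) 0 access-list (\S+)", cfg, re.MULTILINE)
    if not m:
        return []
    dsts = []
    for tok in map(str.split, cfg.splitlines()):
        if tok[:4] == ["access-list", m[1], "extended", "permit"] and tok[4:5] == ["ip"]:
            _, rest = _take_addr(tok[5:])      # source spec, not needed here
            dst, _ = _take_addr(rest)
            dsts.append(dst)
    return dsts


def audit_pool(cfg, pool_name, lan_iface="LAN"):
    """Report how a VPN pool relates to the LAN subnet and the NAT exemption."""
    first, last = parse_pools(cfg)[pool_name]
    lan = parse_interfaces(cfg)[lan_iface]
    exempt = nat0_destinations(cfg, lan_iface)
    addrs = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
    return {
        "pool_inside_lan_subnet": all(a in lan for a in addrs),
        "nat_exempt_covers_pool": bool(exempt) and all(any(a in n for n in exempt) for a in addrs),
    }
```

For VPN_IPS, the pool both tunnel-groups hand out, both checks come back true; the unused VPN_XXX pool fails the exemption check, which is the first thing to add if a pool outside the LAN subnet is ever adopted.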
 
LVL 1

Accepted Solution

by:
robclarke41 earned 0 total points
Hi adminnrg,

How would I set up a specific DG for my particular tunnel group?

Regards

Rob
0
