waynewilliams
asked on
Cisco ASA5510 VPN Client connecting but cant access anything
Hi,
I have configured our ASA5510 for remote VPN access using the Cisco VPN client. It connects to the VPN and gets assigned an IP address from the specified pool, but I can't ping anything on the network (even the ASA) and I can't access the internet either (split tunnelling is on). Can any of you guys have a look at my config and let me know where I've gone wrong?
: Saved
:
ASA Version 7.0 (7)
!
hostname asa
domain-name domain.com
enable password qI0afsG2/uOsdsldjkd encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 123.456.789.1 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd qI0afsG2/uOqsdsdf encrypted
ftp mode passive
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit gre any interface outside
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list ouside_access_in extended permit tcp any interface outside eq pptp
access-list inside_nat0_outbound extended permit ip any 192.168.100.232 255.255.255.248
access-list vpn_splitTunnelAcl standard permit any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 192.168.100.235-192.168.100.238 mask 255.255.255.0
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.100.120 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.120 https netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.100.122 pptp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.456.789.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn internal
group-policy vpn attributes
wins-server value 192.168.100.122
dns-server value 192.168.100.121
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_splitTunnelAcl
default-domain value domain.com
webvpn
username admin password CUz5OFKpeU8Hmdssd encrypted privilege 15
username testvpnuser password sbfghI0ccGO7sdasd encrypted privilege 0
username testvpnuser attributes
vpn-group-policy vpn
webvpn
aaa authentication ssh console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
address-pool vpnpool
default-group-policy vpn
tunnel-group vpn ipsec-attributes
pre-shared-key *
telnet 192.168.100.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
Cryptochecksum:2d6aaecf1748e02484e183201ae29a73
: end
ASKER CERTIFIED SOLUTION
crypto isakmp nat-traversal
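As an added example (not part of the question or the accepted answer), a small Python checker that reads an ASA 7.x config excerpt like the one posted and flags the two things that most often produce "client connects, gets a pool address, but cannot reach anything": NAT traversal not enabled (the accepted fix) and pool addresses not covered by the nat (inside) 0 exemption ACL. SAMPLE_CONFIG is a constructed excerpt of the posted config; the regex accepts both the 7.0 `isakmp nat-traversal` and the 7.2+ `crypto isakmp nat-traversal` spellings.

```python
import ipaddress
import re

# Constructed excerpt of the ASA 7.0 config posted in the question (not the full config).
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip any 192.168.100.232 255.255.255.248
ip local pool vpnpool 192.168.100.235-192.168.100.238 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
isakmp enable outside
"""

def parse_pool(config):
    """Return (name, first, last) for the first 'ip local pool' line, or None."""
    m = re.search(r"^ip local pool (\S+) (\S+)-(\S+)", config, re.M)
    if not m:
        return None
    return m.group(1), ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3))

def nat0_destinations(config, acl_name):
    """Destination networks of the NAT-exempt ACL ('permit ip <src> <net> <mask>' entries)."""
    pat = rf"^access-list {re.escape(acl_name)} extended permit ip \S+ (\S+) (\S+)"
    nets = []
    for dst, mask in re.findall(pat, config, re.M):
        if dst == "host":
            nets.append(ipaddress.IPv4Network(f"{mask}/32"))
        else:
            nets.append(ipaddress.IPv4Network(f"{dst}/{mask}", strict=False))
    return nets

def check_remote_access(config):
    """Return findings for the 'client connects but passes no traffic' symptom."""
    findings = []
    # Without NAT-T a client behind a NAT device completes IKE (UDP 500) but its ESP is
    # dropped; 'isakmp nat-traversal' (7.0, 'crypto isakmp nat-traversal' in 7.2+) fixes it.
    if not re.search(r"^(crypto )?isakmp nat-traversal", config, re.M):
        findings.append("NAT-T not enabled: clients behind NAT will connect but pass no traffic")
    pool = parse_pool(config)
    if pool is None:
        findings.append("no 'ip local pool' configured")
        return findings
    name, first, last = pool
    # Every pool address must be in the nat (inside) 0 ACL, or replies from inside hosts get NATted.
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    nets = nat0_destinations(config, m.group(1)) if m else []
    uncovered = [str(ipaddress.IPv4Address(i)) for i in range(int(first), int(last) + 1)
                 if not any(ipaddress.IPv4Address(i) in n for n in nets)]
    if uncovered:
        findings.append(f"pool {name} addresses not NAT-exempt: {', '.join(uncovered)}")
    return findings
```

Run against the posted config it reports only the missing NAT-T line; once `isakmp nat-traversal 20` (the 7.0 form of the accepted fix) is added it reports nothing.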
ASKER
Your solution worked. Thank you very much