waynewilliams asked:

Cisco ASA5510 VPN Client connecting but can't access anything

Hi,

I have configured our ASA5510 for remote VPN access using the Cisco VPN client. It connects to the VPN and gets assigned an IP address from the specified pool, but I can't ping anything on the network (even the ASA) and I can't access the internet either (split tunnelling is on). Can any of you guys have a look at my config and let me know where I've gone wrong?

: Saved
:
ASA Version 7.0 (7)
!
hostname asa
domain-name domain.com
enable password qI0afsG2/uOsdsldjkd encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 123.456.789.1 255.255.255.240
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd qI0afsG2/uOqsdsdf encrypted
ftp mode passive
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit gre any interface outside
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list ouside_access_in extended permit tcp any interface outside eq pptp
access-list inside_nat0_outbound extended permit ip any 192.168.100.232 255.255.255.248
access-list vpn_splitTunnelAcl standard permit any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool 192.168.100.235-192.168.100.238 mask 255.255.255.0
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.100.120 smtp netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.120 https netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.100.122 pptp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.456.789.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy vpn internal
group-policy vpn attributes
 wins-server value 192.168.100.122
 dns-server value 192.168.100.121
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_splitTunnelAcl
 default-domain value domain.com
 webvpn
username admin password CUz5OFKpeU8Hmdssd encrypted privilege 15
username testvpnuser password sbfghI0ccGO7sdasd encrypted privilege 0
username testvpnuser attributes
 vpn-group-policy vpn
 webvpn
aaa authentication ssh console LOCAL
http server enable
http 192.168.100.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
 address-pool vpnpool
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key *
telnet 192.168.100.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
Cryptochecksum:2d6aaecf1748e02484e183201ae29a73
: end
ASKER CERTIFIED SOLUTION
AugustTen

This solution is only available to members.

waynewilliams (ASKER)

Thanks for the reply.  Can you briefly give me the command I need to enable nat-transparency?
crypto isakmp nat-traversal
Your solution worked.  Thank you very much
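
A check for the condition this thread resolved, as an added example that is not part of the original posts: it scans an ASA configuration for remote-access IPsec (`isakmp enable`, `tunnel-group ... type ipsec-ra`) that has no `nat-traversal` statement. The function name and the sample text (an excerpt of the config posted above) are assumptions of this example.

```python
import re

# Constructed sample: the VPN-related lines from the configuration posted above.
SAMPLE_CONFIG = """\
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
 address-pool vpnpool
"""

ISAKMP_ENABLE = re.compile(r"^(?:crypto )?isakmp enable (\S+)$")
RA_GROUP = re.compile(r"^tunnel-group (\S+) type ipsec-ra$")
# Matches "crypto isakmp nat-traversal" (the command given in the thread) and
# the short "isakmp nat-traversal" form, with an optional keepalive interval.
# A leading "no " is deliberately not matched.
NAT_T = re.compile(r"^(?:crypto )?isakmp nat-traversal(?: \d+)?$")


def check_nat_traversal(config_text):
    """Report whether a remote-access IPsec config has NAT traversal enabled."""
    interfaces, groups, nat_t = [], [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ISAKMP_ENABLE.match(line)
        if m:
            interfaces.append(m.group(1))
        m = RA_GROUP.match(line)
        if m:
            groups.append(m.group(1))
        if NAT_T.match(line):
            nat_t = True
    return {
        "isakmp_interfaces": interfaces,
        "remote_access_groups": groups,
        "nat_traversal": nat_t,
        # Flag only when remote-access IPsec is actually in use.
        "finding": bool(interfaces and groups and not nat_t),
    }


if __name__ == "__main__":
    before = check_nat_traversal(SAMPLE_CONFIG)
    after = check_nat_traversal(SAMPLE_CONFIG + "crypto isakmp nat-traversal\n")
    print("as posted:", before)
    print("after fix:", after)
```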