Asked by BrettAMair

Assign Gateway for VPN users

I'm setting up a VPN for users. When they connect, they are assigned a gateway that I did not specify and I cannot locate where to correct this setting.
ASA Version 7.2(2) 
!
hostname XXXX-asa
domain-name XXXX-XXX.com
enable password qpP9bQNCwpw6ZT09 encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.77.254 255.255.255.0 
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address X5.67.XX6.X9 255.255.255.248 
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name XXXX-XXX.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any eq ssh any eq ssh 
access-list outside_access_in extended permit tcp any eq smtp any eq smtp 
access-list outside_access_in extended permit tcp any eq pop3 any eq pop3 
access-list outside_access_in extended permit tcp any eq www any eq www 
access-list outside_access_in extended permit tcp any eq 209 any eq 209 
access-list outside_access_in extended permit tcp any eq 445 any eq 445 
access-list outside_access_in extended permit tcp any eq 628 any eq 628 
access-list outside_access_in extended permit tcp any eq 5901 any eq 5901 
access-list outside_access_in extended permit tcp any eq 10000 any eq 10000 
access-list outside_access_in extended permit tcp any range 33000 33254 any range 33000 33254 
access-list outside_access_in extended permit tcp any range 55000 55254 any range 55000 55254 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit ip any any 
access-list ghla_splitTunnelAcl standard permit 10.10.77.0 255.255.255.0 
access-list ghla_splitTunnelAcl standard permit any 
access-list ghla-vpn_splitTunnelAcl standard permit any 
access-list inside_nat0_outbound extended permit ip any 10.20.77.128 255.255.255.192 
access-list 101 extended permit ip 10.20.77.0 255.255.255.0 10.10.77.0 255.255.255.0 
 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool XXXX 10.10.77.150-10.10.77.170 mask 255.255.255.0
ip local pool XXXX-vpn 10.20.77.150-10.20.77.170 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit 10.10.77.0 255.255.255.0 inside
icmp permit host 72.54.172.178 outside
icmp permit any outside
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface ssh 10.10.77.1 ssh netmask 255.255.255.255 
static (inside,outside) tcp interface smtp 10.10.77.1 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 10.10.77.1 pop3 netmask 255.255.255.255 
static (inside,outside) tcp interface www 10.10.77.1 www netmask 255.255.255.255 
static (inside,outside) tcp interface 209 10.10.77.1 209 netmask 255.255.255.255 
static (inside,outside) tcp interface 445 10.10.77.1 445 netmask 255.255.255.255 
static (inside,outside) tcp interface 628 10.10.77.1 628 netmask 255.255.255.255 
static (inside,outside) tcp interface 5901 10.10.77.1 5901 netmask 255.255.255.255 
static (inside,outside) tcp interface 10000 10.10.77.1 10000 netmask 255.255.255.255 
static (inside,outside) tcp interface 55249 10.10.77.249 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55248 10.10.77.248 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55228 10.10.77.228 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55229 10.10.77.229 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55230 10.10.77.230 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55231 10.10.77.231 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55232 10.10.77.232 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55233 10.10.77.233 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55234 10.10.77.234 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55235 10.10.77.235 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55236 10.10.77.236 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55237 10.10.77.237 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55238 10.10.77.238 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55239 10.10.77.239 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55240 10.10.77.240 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55241 10.10.77.241 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55242 10.10.77.242 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55243 10.10.77.243 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55244 10.10.77.244 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55245 10.10.77.245 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55246 10.10.77.246 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55247 10.10.77.247 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55200 10.10.77.200 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55201 10.10.77.201 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55202 10.10.77.202 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55203 10.10.77.203 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55204 10.10.77.204 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55205 10.10.77.205 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55206 10.10.77.206 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55207 10.10.77.207 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55208 10.10.77.208 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55209 10.10.77.209 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55210 10.10.77.210 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55211 10.10.77.211 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55212 10.10.77.212 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55213 10.10.77.213 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55214 10.10.77.214 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55215 10.10.77.215 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55216 10.10.77.216 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55217 10.10.77.217 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55218 10.10.77.218 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55219 10.10.77.219 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55220 10.10.77.220 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55221 10.10.77.221 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55222 10.10.77.222 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55223 10.10.77.223 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55224 10.10.77.224 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55225 10.10.77.225 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55226 10.10.77.226 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 55227 10.10.77.227 5900 netmask 255.255.255.255 
static (inside,outside) tcp interface 33200 10.10.77.200 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33201 10.10.77.201 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33202 10.10.77.202 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33203 10.10.77.203 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33204 10.10.77.204 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33205 10.10.77.205 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33206 10.10.77.206 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33207 10.10.77.207 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33208 10.10.77.208 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33209 10.10.77.209 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33210 10.10.77.210 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33211 10.10.77.211 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33212 10.10.77.212 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33213 10.10.77.213 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33214 10.10.77.214 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33215 10.10.77.215 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33216 10.10.77.216 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33217 10.10.77.217 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33218 10.10.77.218 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33219 10.10.77.219 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33220 10.10.77.220 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33221 10.10.77.221 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33222 10.10.77.222 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33223 10.10.77.223 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33224 10.10.77.224 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33225 10.10.77.225 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33226 10.10.77.226 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33227 10.10.77.227 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33228 10.10.77.228 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33229 10.10.77.229 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33230 10.10.77.230 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33231 10.10.77.231 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33232 10.10.77.232 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33233 10.10.77.233 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33234 10.10.77.234 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33235 10.10.77.235 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33236 10.10.77.236 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33237 10.10.77.237 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33238 10.10.77.238 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33239 10.10.77.239 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33240 10.10.77.240 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33241 10.10.77.241 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33242 10.10.77.242 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33243 10.10.77.243 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33244 10.10.77.244 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33245 10.10.77.245 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33246 10.10.77.246 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33247 10.10.77.247 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33248 10.10.77.248 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 33249 10.10.77.249 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 6666 10.10.77.1 6666 netmask 255.255.255.255 
static (outside,inside) 0.0.0.0 X5.XX.XX6.X8 netmask 255.255.255.248 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 X5.XX.XX6.X4 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy XXXX-vpn internal
group-policy XXXX-vpn attributes
 dns-server value 10.10.77.1 208.67.222.222
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXXX-vpn_splitTunnelAcl
 default-domain value XXXX-inc.com
group-policy XXXX internal
group-policy XXXX attributes
 vpn-tunnel-protocol IPSec 
 client-firewall none
username XXXX-vpn password qVdFUvNBkElFNUuo encrypted privilege 0
username XXXX-vpn attributes
 vpn-group-policy XXXX-vpn
username XXXX password In5O53FBAMHrLjLt encrypted privilege 10
http server enable
http 72.54.172.178 255.255.255.255 outside
http 10.10.77.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set pfs 
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs 
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group XXXX type ipsec-ra
tunnel-group XXXX general-attributes
 address-pool XXXX
 default-group-policy XXXX
 dhcp-server 10.10.77.1
tunnel-group XXXX ipsec-attributes
 pre-shared-key *
 peer-id-validate cert
tunnel-group XXXX ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group XXXX-vpn type ipsec-ra
tunnel-group XXXX-vpn general-attributes
 address-pool XXXX-vpn
 default-group-policy XXXX-vpn
tunnel-group XXXX-vpn ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 208.67.222.222 208.67.220.220
dhcpd domain XXXX-XXX.com
dhcpd auto_config outside vpnclient-wins-override
dhcpd option 3 ip 10.10.77.254
dhcpd option 5 ip 10.10.77.1
!
dhcprelay server 10.10.77.1 inside
 
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
ntp authenticate
ntp server X5.XX.XX4.X2 source outside prefer
smtp-server 10.10.77.1
prompt hostname context 
Cryptochecksum:6c685f512f85f6fb1bb430fc45d24efc
: end
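
The following is an added example, not part of the original post or of any reply: Python that reads an ASA configuration in the syntax shown above and, for each tunnel-group, resolves the address pool, default group policy and split-tunnel ACL pushed to a connecting VPN client, noting ACL references that do not resolve or that permit any. The function names and the embedded sample configuration are constructed for illustration.

```python
SAMPLE = """\
access-list demo_splitTunnelAcl standard permit 10.10.77.0 255.255.255.0
access-list demo_splitTunnelAcl standard permit any
ip local pool demo-pool 10.20.77.150-10.20.77.170 mask 255.255.255.0
group-policy demo-gp attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value demo_splitTunnelAcl
group-policy other-gp attributes
 split-tunnel-network-list value missing_acl
tunnel-group demo-tg general-attributes
 address-pool demo-pool
 default-group-policy demo-gp
tunnel-group other-tg general-attributes
 default-group-policy other-gp
"""  # constructed excerpt; every name in it is a placeholder

def parse(config):
    pools, acls, current, sections = {}, {}, None, {"group-policy": {}, "tunnel-group": {}}
    for line in config.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if line[0] == " ":  # indented line: attribute of the open section
            if current is not None:
                current[words[0]] = words[-1]  # last word is the value for the keys read below
            continue
        current = None
        if words[:3] == ["ip", "local", "pool"]:
            pools[words[3]] = " ".join(words[4:])
        elif words[0] == "access-list" and words[2] == "standard":
            acls.setdefault(words[1], []).append(" ".join(words[3:]))
        elif words[0] in sections and words[-1].endswith("attributes"):
            current = sections[words[0]].setdefault(words[1], {})
    return pools, acls, sections

def client_settings(config):
    pools, acls, sections = parse(config)
    report = {}
    for name, attrs in sections["tunnel-group"].items():
        policy = sections["group-policy"].get(attrs.get("default-group-policy"), {})
        acl = policy.get("split-tunnel-network-list")
        notes = []
        if acl and acl not in acls:
            notes.append("split-tunnel ACL %s is not defined" % acl)
        if "permit any" in acls.get(acl, []):
            notes.append("split-tunnel ACL %s permits any" % acl)
        report[name] = {"pool": pools.get(attrs.get("address-pool")), "split_acl": acl,
                        "split_policy": policy.get("split-tunnel-policy"), "notes": notes}
    return report
```

Calling `client_settings()` on the text of a saved running configuration returns one entry per tunnel-group; a `pool` or `split_policy` of `None` means the tunnel-group or its group policy does not set that value itself.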


debuggerau

Are they not using the gateway that provided them the internet access initially?
Or are you concerned that the client's VPN gateway has changed?

Maybe you could post an ipconfig /all from the client to elaborate.

ASKER CERTIFIED SOLUTION
BrettAMair