Problems w/ Cisco VPN Client configuration: Cannot access anything

I can connect my Cisco VPN client (v 5.0.03) to the ASA 5510 firewall and see the tunnel come up on the ASDM interface.  However, I cannot access anything on the internal network from my client.  No email, no pinging, no browsing, nothing.  I have split tunneling enabled, but I cannot access the internet after I establish the tunnel.

asdm image disk0:/asdm-507.bin
asdm location Outside
no asdm history enable
: Saved
ASA Version 7.0(7)
hostname xxxxxx
enable password ZxbzN033lVser1Gv encrypted
interface Ethernet0/0
 description Outside Interface
 duplex full
 nameif Outside
 security-level 0
 ip address
interface Ethernet0/1
 description Inside Interface
 duplex full
 nameif Inside
 security-level 99
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns name-server
dns name-server
same-security-traffic permit intra-interface
object-group service Paraexchange_Service_Group tcp
 description Services allowed to Paraexchange
 port-object eq www
 port-object eq pop3
 port-object eq smtp
 port-object eq imap4
object-group service Paraccess_Service_Group tcp
 description Services allowed to Paraccess
 port-object eq ftp-data
 port-object eq pptp
 port-object eq ftp
access-list Outside_access_in extended permit tcp any host object-group Paraccess_Service_Group
access-list Outside_access_in extended permit gre any host
access-list Outside_access_in extended permit tcp any host eq www
access-list Outside_access_in extended permit tcp any host object-group Paraexchange_Service_Group
access-list Inside_nat0_outbound extended permit ip
access-list Outside_cryptomap_20 extended permit ip
access-list inside_access_out extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
no failover
monitor-interface Outside
monitor-interface Inside
monitor-interface management
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (Outside) 10
global (Outside) 10
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 10
static (Inside,Outside) netmask
static (Inside,Outside) netmask
static (Inside,Outside) netmask
access-group Outside_access_in in interface Outside
access-group inside_access_out in interface Inside
route Outside 1
route Inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server Para_RAS_VPN protocol nt
aaa-server Para_RAS_VPN host
 nt-auth-domain-controller laniwot00
group-policy Para_RAS_VPN internal
group-policy Para_RAS_VPN attributes
 vpn-filter none
http server enable
http Inside
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
auth-prompt prompt Please wait. Your identity is being authenticated.
auth-prompt accept Congratulations! You have been authenticated!
auth-prompt reject I'm sorry. You have not been authenticated. Only authorized personnel may use this service.
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-256-MD5
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer
crypto map Outside_map 20 set transform-set ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
isakmp identity address
isakmp enable Outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 1000
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *
tunnel-group Para_RAS_VPN type ipsec-ra
tunnel-group Para_RAS_VPN general-attributes
 authentication-server-group Para_RAS_VPN
 authentication-server-group (Outside) Para_RAS_VPN
 default-group-policy Para_RAS_VPN
tunnel-group Para_RAS_VPN ipsec-attributes
 pre-shared-key *
vpn-sessiondb max-session-limit 100
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address management
dhcpd lease 3600
dhcpd ping_timeout 50
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
client-update enable
: end
Jay_Gridley Commented:
Sounds like your tunnel is up and running, split tunneling and all. Good!

Add the following lines to use your internal DNS server when connecting to the VPN:
group-policy Para_RAS_VPN attributes
 dns-server value

This way you'll use your internal DNS server (which knows about the names / IPs of your corporate LAN machines) instead of your local one. That should enable you to ping by hostname and consequently also to use your email.

Your ipconfig is fine the way it is, btw. No default gateway needed. (It actually uses your local default gateway and only routes through the tunnel the traffic destined for your local network.)

I'm actually missing a couple of things in your config. Did you use the wizard to create your mobile VPN?

First the reason I think you can get the tunnel up but no traffic through is I would think you don't have your NAT0 setup correctly.
There is a site-to-site tunnel configured to a network. NAT0 is configured for this tunnel. I don't see it for the RA VPN. (I reckon you use your inside DHCP server to provide an address to the VPN clients because I don't see an IP pool at first glance.)
Try adding:
access-list Inside_nat0_outbound extended permit ip <ip range VPN Clients>

Furthermore you say you have split tunnelling enabled, but I don't see an access-list that tells the ASA which networks to tunnel. Try adding:
access-list SPLITTUNNEL standard permit

Hope this helps.

I was just thinking... I made a mistake on the NAT0 access-list.
It should be the other way around:
access-list Inside_nat0_outbound extended permit ip <VPNClients>


jamjamissAuthor Commented:
Thanks for your help Jay.

The access-list SPLITTUNNEL standard permit
didn't do anything.  I still cannot access the internet while connected to the VPN.  You were correct in that I am using DHCP for the VPN clients.  With that said, what IP range for the VPN clients should I use?  If the VPN clients are using the same IP range as the rest of the network, then how does that access-list make sense?  I'm sorry, I just don't quite understand what that specific access list is trying to accomplish.

Jay_Gridley Commented:
Starting off with your last question.
When you create a VPN tunnel and don't specify anything, ALL traffic will be routed through the VPN tunnel. Using an access-list you can specify which traffic will be sent through the tunnel. With the access-list I told you to use, you specify that you only want traffic sent to (your LAN) through the tunnel, which means traffic destined for the internet won't be sent to the tunnel but to the default gateway of the PC. This way it allows you to access the internet.

To be honest, I've been told that it is possible to use the same IP segment for your VPN clients as well as your local LAN, but I'm unsure how this works for split tunneling. I suggest keeping it this way and first trying something else.

First go into the VPN group policy:
group-policy Para_RAS_VPN attributes

From there add the following lines to your config:
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUNNEL

This final piece actually binds the split tunnel access-list to the VPN tunnel, comparable to applying an access-list to an interface with the access-group command. I forgot to add that this afternoon. I must be having an off day ;-)

Anyway, if this also doesn't work you might try using an IP range not yet present in your network for the VPN clients. But try this first.

Btw, can you already ping across the tunnel to your local LAN?
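The three pieces Jay adds across his replies (a nat 0 exemption that covers the VPN client range, a SPLITTUNNEL standard ACL bound to the group-policy with split-tunnel-policy tunnelspecified, and a dns-server value so clients resolve LAN names) are easy to get half-done, exactly as happened in this thread. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses a constructed ASA 7.x snippet and reports which of those pieces is missing. It assumes a dedicated ip local pool (hypothetical name RA_POOL, placeholder RFC 1918 addresses) rather than the poster's internal DHCP server, because the client range has to be known to check the nat 0 exemption; the interface and group names are the ones from the thread.

```python
"""Check an ASA 7.x remote-access VPN config for the gaps discussed in the
thread: no nat 0 exemption for the client range, a split tunnel ACL never
bound to the group-policy, and no internal DNS server handed to clients."""
import ipaddress

# Constructed ASA snippet with placeholder addresses and a hypothetical
# pool name RA_POOL; this is not the poster's configuration.
SAMPLE_CONFIG = """\
ip local pool RA_POOL 192.168.50.1-192.168.50.50 mask 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list SPLITTUNNEL standard permit 10.1.1.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
group-policy Para_RAS_VPN internal
group-policy Para_RAS_VPN attributes
 dns-server value 10.1.1.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLITTUNNEL
tunnel-group Para_RAS_VPN type ipsec-ra
tunnel-group Para_RAS_VPN general-attributes
 address-pool RA_POOL
 default-group-policy Para_RAS_VPN
"""


def parse_config(text):
    """Extract ACLs, address pools, nat 0 bindings and the indented attribute
    blocks of group-policies and tunnel-groups into plain dicts."""
    cfg = {"acls": {}, "pools": {}, "nat0": {}, "group_policies": {}, "tunnel_groups": {}}
    section = None  # (table, name) while inside an indented attribute block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith((":", "!")):
            continue
        if line.startswith(" ") and section:
            table, name = section
            key, _, value = line.strip().partition(" ")
            if value.startswith("value "):  # "dns-server value X", "...-list value X"
                value = value[len("value "):]
            cfg[table].setdefault(name, {})[key] = value
            continue
        section = None
        t = line.split()
        if t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[:3] == ["ip", "local", "pool"]:
            start, _end = t[4].split("-")
            mask = t[6] if len(t) > 6 and t[5] == "mask" else "255.255.255.255"
            cfg["pools"][t[3]] = (start, mask)
        elif t[0] == "nat" and len(t) > 4 and t[2] == "0" and t[3] == "access-list":
            cfg["nat0"][t[1].strip("()")] = t[4]
        elif t[0] == "group-policy" and t[-1] == "attributes":
            section = ("group_policies", t[1])
            cfg["group_policies"].setdefault(t[1], {})
        elif t[0] == "tunnel-group" and t[-1].endswith("-attributes"):
            section = ("tunnel_groups", t[1])
            cfg["tunnel_groups"].setdefault(t[1], {})
    return cfg


def _network(addr, mask=None):
    """Turn an address/mask pair from an ACL or pool into an ip_network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)


def acl_destinations(entries):
    """Yield the destination network of each permit entry of an extended ACL."""
    for e in entries:
        if e[:2] != ["extended", "permit"]:
            continue
        rest, nets = e[3:], []  # e[2] is the protocol keyword
        while rest and len(nets) < 2:
            if rest[0] == "any":
                nets.append(_network("any"))
                rest = rest[1:]
            elif rest[0] == "host":
                nets.append(_network(rest[1]))
                rest = rest[2:]
            else:
                nets.append(_network(rest[0], rest[1]))
                rest = rest[2:]
        if len(nets) == 2:
            yield nets[1]


def lint_ra_vpn(cfg, tunnel_group, inside_if="Inside"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    tg = cfg["tunnel_groups"].get(tunnel_group, {})
    pool = cfg["pools"].get(tg.get("address-pool"))
    if pool is None:
        # DHCP-issued client addresses give us no range to check nat 0 against.
        return [f"{tunnel_group}: no address-pool bound, cannot derive the client range"]
    pool_net = _network(*pool)
    gp_name = tg.get("default-group-policy", "DfltGrpPolicy")
    gp = cfg["group_policies"].get(gp_name, {})
    if gp.get("split-tunnel-policy") != "tunnelspecified":
        findings.append(f"{gp_name}: split-tunnel-policy is not tunnelspecified, so all client traffic is tunnelled")
    st_acl = gp.get("split-tunnel-network-list")
    if st_acl is None:
        findings.append(f"{gp_name}: no split-tunnel-network-list bound, a SPLITTUNNEL ACL alone does nothing")
    elif st_acl not in cfg["acls"]:
        findings.append(f"{gp_name}: split-tunnel-network-list names missing ACL {st_acl}")
    if "dns-server" not in gp:
        findings.append(f"{gp_name}: no dns-server value, clients resolve LAN names with their local resolver")
    nat0_acl = cfg["acls"].get(cfg["nat0"].get(inside_if), [])
    if not any(pool_net.subnet_of(dst) for dst in acl_destinations(nat0_acl)):
        findings.append(f"nat ({inside_if}) 0: no exemption whose destination covers the client pool {pool_net}")
    return findings


def without(config, *fragments):
    """Drop every config line containing one of the fragments, to simulate a gap."""
    return "\n".join(l for l in config.splitlines() if not any(f in l for f in fragments)) + "\n"


if __name__ == "__main__":
    broken = without(SAMPLE_CONFIG, "nat (Inside) 0", "split-tunnel-network-list")
    for label, text in (("complete", SAMPLE_CONFIG), ("with gaps", broken)):
        print(label, lint_ra_vpn(parse_config(text), "Para_RAS_VPN") or ["ok"])
```

Run against the complete snippet the checker reports nothing; strip the nat 0 binding and the split-tunnel-network-list line, as the poster's original config effectively had, and it reports exactly those two gaps. The nat 0 check is deliberately about the destination side of the exemption ACL, which is the direction Jay corrected himself on: the inside LAN is the source and the client range the destination.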
jamjamissAuthor Commented:
Will try this solution when I get in.  Thanks.

jamjamissAuthor Commented:

We're getting closer!  I can now browse the internet while connected to the VPN.  I can also ping the internal network by IP address, but not by name.  I am trying to open email, and it keeps telling me that I need to connect to the exchange server.  It sounds like a DNS problem somewhere.  When I do an ipconfig /all, the Cisco VPN adapter says the following:

DHCP Enabled........... : No
IP Address................ :
Subnet Mask............. :
Default Gateway...... : {blank}
jamjamissAuthor Commented:
Thanks for all your help Jay!  It is working perfectly!!
