Cisco ASA 5505 VPN - How to configure to browse connected network?

Posted on 2008-10-14
Last Modified: 2012-05-05
Hello. I have a Cisco ASA 5505 device that I recently put into place. I have it up and running and users can get to the Internet just fine. I have recently been asked to try to configure it to allow certain users VPN access from home.

I originally configured the VPN through the wizard and that didn't work, so I found a place online that had some examples and I tried to emulate those. I can successfully connect to the VPN now, but I cannot access any of the resources on the network.

My host network is 192.168.121.x and the VPN network is 192.168.122.x. I would like the .122 network to be able to access resources on the .121 network via VPN.

I have attached a copy of the router's config. Where you see <hidden> I have cleared that info.

If someone could take a quick look and see what I might be missing and let me know, that would be great.
Result of the command: "sh run"
isakmp policy 30 is superceded by identical policy 10
ASA Version 7.2(4) 
hostname <hidden>
domain-name <hidden>.local
enable password .<hidden> encrypted
passwd <hidden>.<hidden> encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address 
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.xx.xx.xx 
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp 
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name <hidden>.local
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list Split_Tunnel_List_ACL remark ****** NAT Access List ******
access-list Split_Tunnel_List_ACL remark ****** Split Tunnel Encrypted Traffic ******
access-list Split_Tunnel_List_ACL standard permit 
access-list outside_access_in extended permit tcp any any eq pcanywhere-data 
access-list outside_access_in extended permit tcp any any eq 5632 
access-list outside_access_in extended permit tcp any any eq 3389 
access-list inside_access_in extended permit ip any any 
access-list privpn_splitTunnelAcl standard permit 
access-list inside_nat0_outside extended permit ip any 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpnpool mask
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outside
nat (inside) 1
static (inside,outside) tcp interface pcanywhere-data pcanywhere-data netmask 
static (inside,outside) tcp interface 5632 5632 netmask 
static (inside,outside) tcp interface 3389 <hidden> 3389 netmask 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 71.xx.xx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set myset esp-3des esp-md5-hmac 
crypto ipsec df-bit clear-df outside
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map dynmap 10 set pfs 
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 86400
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal  20
telnet timeout 5
ssh inside
ssh inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd dns interface inside
ntp server
ntp server source outside prefer
group-policy privpn internal
group-policy privpn attributes
 dns-server value
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_Tunnel_List_ACL
 default-domain value pri.local
username <hidden> password <hidden> encrypted
username <hidden> password <hidden>  encrypted
tunnel-group privpn type ipsec-ra
tunnel-group privpn general-attributes
 address-pool vpnpool
 default-group-policy privpn
tunnel-group privpn ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
service-policy global_policy global
prompt hostname context 
: end


Question by:readydave

Expert Comment

ID: 22713243
What lines did you add or change from the original configuration of the firewall before vpn connectivity was attempted. Could you highlight or copy and paste to a separate doc?

Accepted Solution

JFrederick29 earned 2000 total points
ID: 22713284
Give these a shot.

conf t
access-list remote-vpn extended permit ip any

no crypto dynamic-map dynmap 10 set pfs
crypto dynamic-map dynmap 10 match address remote-vpn

group-policy privpn attributes
no split-tunnel-network-list value Split_Tunnel_List_ACL
split-tunnel-network-list value remote-vpn
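As an added example (not from the original thread and not a Cisco tool): a small Python audit of the ASA 7.x statements the accepted answer touches, namely the address pool, the nat 0 exemption ACL, the dynamic-map match address and the split-tunnel network list. It parses a constructed config, checks that each of those covers inside -> pool traffic, and reports why pool clients would connect but reach nothing inside. Only the two subnets (192.168.121.0/24 inside, 192.168.122.0/24 pool) come from the question; the ACL names, addresses, the parser and the checks themselves are assumptions of mine, and the audit generalises beyond this one config to any pre-8.3 style ASA config with the same statements.

```python
"""Added example, not from the original thread or from Cisco: audit the ASA 7.x
statements that decide whether remote-access VPN clients can reach the inside
network. Both configs below are constructed; only the subnets come from the question."""
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed working layout in the shape the accepted answer gives (assumed values).
GOOD_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.121.1 255.255.255.0
access-list remote-vpn extended permit ip 192.168.121.0 255.255.255.0 192.168.122.0 255.255.255.0
access-list inside_nat0_outside extended permit ip any 192.168.122.0 255.255.255.0
ip local pool vpnpool 192.168.122.10-192.168.122.50 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outside
crypto dynamic-map dynmap 10 match address remote-vpn
group-policy privpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value remote-vpn
tunnel-group privpn general-attributes
 address-pool vpnpool
"""

# Same box with an empty split-tunnel list and no NAT exemption: clients connect,
# but nothing on 192.168.121.0/24 answers (the symptom in the question).
BAD_CONFIG = (GOOD_CONFIG
              .replace("split-tunnel-network-list value remote-vpn",
                       "split-tunnel-network-list value Split_Tunnel_List_ACL")
              .replace("nat (inside) 0 access-list inside_nat0_outside\n", ""))


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _parse_ace(kind, tokens):
    """Return (src, dst) networks of a permit entry; a standard ACL names one network."""
    def take(toks):
        if toks[0] == "any":
            return ANY, toks[1:]
        return _net(toks[0], toks[1]), toks[2:]
    if kind == "standard":
        return take(tokens)[0], ANY
    src, rest = take(tokens[1:])      # tokens[0] is the protocol (ip, tcp, ...)
    return src, take(rest)[0]


def parse_asa(config):
    """Collect inside subnet, pools, ACLs, nat 0, match address and split-tunnel settings."""
    f = {"acls": {}, "pools": {}, "inside": None, "nat0_acl": None, "match_acl": None,
         "split_policy": None, "split_acl": None, "address_pool": None}
    in_inside_if = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):   # any top-level statement ends an interface block
            in_inside_if = False
        if line == "nameif inside":
            in_inside_if = True
        elif in_inside_if and line.startswith("ip address "):
            parts = line.split()
            if len(parts) >= 4:        # 'ip address dhcp' carries no subnet
                f["inside"] = _net(parts[2], parts[3])
        elif m := re.match(r"access-list (\S+) (standard|extended) permit (.+)", line):
            name, kind, rest = m.groups()
            f["acls"].setdefault(name, []).append(_parse_ace(kind, rest.split()))
        elif m := re.match(r"ip local pool (\S+) ([^\s-]+)-\S+ mask (\S+)", line):
            f["pools"][m.group(1)] = _net(m.group(2), m.group(3))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            f["nat0_acl"] = m.group(1)
        elif m := re.match(r"crypto dynamic-map \S+ \d+ match address (\S+)", line):
            f["match_acl"] = m.group(1)
        elif line.startswith("split-tunnel-policy "):
            f["split_policy"] = line.split()[1]
        elif line.startswith("split-tunnel-network-list value "):
            f["split_acl"] = line.split()[-1]
        elif line.startswith("address-pool "):
            f["address_pool"] = line.split()[1]
    return f


def audit(config):
    """Return a list of findings; an empty list means pool clients should reach inside."""
    f = parse_asa(config)
    inside, pool = f["inside"], f["pools"].get(f["address_pool"])
    if inside is None or pool is None:
        return ["cannot determine inside subnet or address pool (missing or elided statements)"]

    def covers(acl_name, src, dst):   # supernet_of() is true for an equal network too
        return any(s.supernet_of(src) and d.supernet_of(dst)
                   for s, d in f["acls"].get(acl_name, []))

    findings = []
    if inside.overlaps(pool):
        findings.append(f"address pool {pool} overlaps the inside network {inside}")
    if not f["nat0_acl"] or not covers(f["nat0_acl"], inside, pool):
        findings.append(f"traffic {inside} -> {pool} is not exempted from NAT (nat 0)")
    if f["match_acl"] and not covers(f["match_acl"], inside, pool):
        findings.append(f"dynamic-map match address {f['match_acl']} does not cover {inside} -> {pool}")
    if f["split_policy"] == "tunnelspecified":
        acl = f["split_acl"]
        if acl is None:
            findings.append("split-tunnel-policy tunnelspecified has no network list")
        elif not any(s.supernet_of(inside) for s, _ in f["acls"].get(acl, [])):
            findings.append(f"split-tunnel list {acl} does not include the inside network {inside}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit(cfg) or "ok")
```

Run against a real `show running-config` paste instead of the constructed strings; on a paste with the addresses blanked out, as in the question, the audit stops at the first check and says so rather than guessing.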

Expert Comment

ID: 22713753
If you're asking about browsing computers in a Windows network, this simply will not work over VPN.
The protocol used to browse computers is called NetBIOS - NetBIOS is a broadcast protocol and broadcasts do not work over VPN - it is impossible to do.
The alternative is to create a mapped drive using IP addresses or DNS names (this uses a different protocol) - but you won't be able to contact a computer just by typing its name and trying to browse it.
Cheers! Let me know if you have any questions!

Author Closing Comment

ID: 31505966
This worked for me. Thank you!
