CISCO ASA 5505 - Internet disabled when VPN clients connect

Posted on 2009-04-29
Last Modified: 2012-05-06
Hi, I am trying to configure a Cisco ASA 5505. I have never used this device. I have outside access to the internet, and clients can connect to the VPN and access the internal network, but when they do, the VPN clients have no internet access whatsoever. I am sure I missed some translation, or should I use the split option for them to use their own?

I will appreciate any clue on this.

: Saved

ASA Version 7.2(4)

hostname ciscoasa
domain-name company
enable password 4LhqpJXQrTL8ddVA encrypted
passwd 2KFQnbNIdddI.2KYOU encrypted

interface Vlan1
 description Alta LAN internal
 nameif inside
 security-level 100
 ip address
 ospf cost 10

interface Vlan2
 description Internet ISP connection
 nameif outside
 security-level 0
 ip address dhcp setroute
 ospf cost 10

interface Vlan3
 description DMZ on Port 1 - No access to Internal VLAN1
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
 ospf cost 10

interface Ethernet0/0
 switchport access vlan 2

interface Ethernet0/1
 switchport access vlan 3

interface Ethernet0/2

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

ftp mode passive
dns server-group DefaultDNS
 domain-name alta.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any
access-list inbound extended permit tcp any interface outside eq https
access-list inbound extended permit tcp any interface outside eq 3389
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq pop3
access-list inbound extended permit tcp any interface outside eq 4125
access-list 100 extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool VPNIP mask
ip local pool insidecli mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcp-client client-id interface outside
dhcp-client client-id interface dmz
dhcpd auto_config outside

dhcpd address inside
dhcpd enable inside

group-policy AltaVPN internal
group-policy AltaVPN attributes
 vpn-tunnel-protocol IPSec
username jbaitx password H3ZBb0MW6h4LeSkt encrypted privilege 15
tunnel-group AltaVPN type ipsec-ra
tunnel-group AltaVPN general-attributes
 address-pool VPNIP
 default-group-policy AltaVPN
tunnel-group AltaVPN ipsec-attributes
 pre-shared-key *

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp

service-policy global_policy global
prompt hostname context

: end


Question by:joski781

Accepted Solution

You need to enable split tunnelling. Add this:

conf t
access-list split-tunnel standard permit

group-policy AltaVPN internal
group-policy AltaVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel

Author Closing Comment

Thanks, this worked well; it was exactly what I needed.
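As an added example (not from the original post, the answer, or Cisco): a small Python audit that reads ASA-style config text and reports, per remote-access tunnel group, whether client internet traffic is split-tunnelled, hairpinned back out of the outside interface, or has nowhere to go, which is the symptom above. It assumes the ASA 7.x layout where sub-commands are indented one space, and that hairpinning needs `same-security-traffic permit intra-interface` plus a `nat (outside)` rule for the VPN pool; the sample config is constructed, with the poster's AltaVPN group beside a SplitVPN group carrying the accepted answer's lines.

```python
import re
# Constructed sample (not the poster's config): the poster's AltaVPN group as
# posted, plus a second group with the accepted answer's split-tunnel lines.
SAMPLE_CONFIG = """\
same-security-traffic permit intra-interface
group-policy AltaVPN attributes
group-policy SplitVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
tunnel-group AltaVPN type ipsec-ra
tunnel-group AltaVPN general-attributes
 default-group-policy AltaVPN
tunnel-group SplitVPN type ipsec-ra
tunnel-group SplitVPN general-attributes
 default-group-policy SplitVPN
"""

def parse_sections(cfg):
    """Map each top-level command to the one-space-indented sub-commands under it."""
    sections, current = {}, None
    for line in cfg.splitlines():
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def _value(lines, prefix, default):
    return next((ln.split()[-1] for ln in lines if ln.startswith(prefix)), default)

def audit_remote_access(cfg):
    """For each ipsec-ra tunnel group, say where the clients' internet traffic goes."""
    sections = parse_sections(cfg)
    # ASA 7.x assumption: tunnel-all clients get internet only via hairpin (intra-interface permitted + nat (outside) for the pool).
    hairpin = ("same-security-traffic permit intra-interface" in sections
               and any(k.startswith("nat (outside)") for k in sections))
    verdicts = {}
    for tg in re.findall(r"^tunnel-group (\S+) type ipsec-ra$", cfg, re.M):
        policy = _value(sections.get(f"tunnel-group {tg} general-attributes", []),
                        "default-group-policy", "DfltGrpPolicy")
        attrs = sections.get(f"group-policy {policy} attributes", [])
        split = _value(attrs, "split-tunnel-policy", "tunnelall")
        if split in ("tunnelspecified", "excludespecified"):
            acl = _value(attrs, "split-tunnel-network-list", "<none>")
            verdicts[tg] = f"{split} via ACL {acl}: internet traffic leaves the client directly"
        else:
            verdicts[tg] = ("tunnelall, hairpinned back out of the outside interface" if hairpin
                            else "tunnelall with no outside NAT for the pool: clients get no internet")
    return verdicts
```

Run it on a saved `show running-config` to see which groups send client internet traffic outside the tunnel and which ones silently drop it.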
