• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 285
  • Last Modified:

CISCO ASA 5505 - Internet disabled when VPN clients connect

Hi, I am trying to configure a CiscoASA 5505, I have never used this device, I have outside access to internet, clietns can connect to VPN and access the internal network, but when they do the vpn clients have no internet access what so ever. I am sure I missed some translation or should I use split option for them to use their own?

I will apppreciate any clue on this.

: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name company
enable password 4LhqpJXQrTL8ddVA encrypted
passwd 2KFQnbNIdddI.2KYOU encrypted
interface Vlan1
 description Alta LAN internal
 nameif inside
 security-level 100
 ip address
 ospf cost 10
interface Vlan2
 description Internet ISP connection
 nameif outside
 security-level 0
 ip address dhcp setroute
 ospf cost 10
interface Vlan3
 description DMZ on Port 1 - No access to Internal VLAN1
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp
 ospf cost 10
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
 domain-name alta.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip any
access-list inbound extended permit tcp any interface outside eq https
access-list inbound extended permit tcp any interface outside eq 3389
access-list inbound extended permit tcp any interface outside eq smtp
access-list inbound extended permit tcp any interface outside eq www
access-list inbound extended permit tcp any interface outside eq pop3
access-list inbound extended permit tcp any interface outside eq 4125
access-list 100 extended permit icmp any any echo-reply
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool VPNIP mask
ip local pool insidecli mask
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcp-client client-id interface outside
dhcp-client client-id interface dmz
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside
group-policy AltaVPN internal
group-policy AltaVPN attributes
 vpn-tunnel-protocol IPSec
username jbaitx password H3ZBb0MW6h4LeSkt encrypted privilege 15
tunnel-group AltaVPN type ipsec-ra
tunnel-group AltaVPN general-attributes
 address-pool VPNIP
 default-group-policy AltaVPN
tunnel-group AltaVPN ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end

Open in new window

1 Solution
You need to enable split tunnelling.  Add this:

conf t
access-list split-tunnel standard permit

group-policy AltaVPN internal
group-policy AltaVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
joski781Author Commented:
Thanks, this worked well was exactly what I needed
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now