Cisco ASA 5505 remote VPN client with internet out split

soyglobal
Hi, I need to set up remote access to my network through a Cisco ASA 5505, but when connected I don't have access to the normal internet.
I set it up with the wizard and marked the option for split internet access, but nothing.
I searched in EE and found another question like mine, but its solution doesn't work on my Cisco.
Where can the problem be?
Thanks
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Hi, the example:

group-policy ALDIN internal
group-policy ALDIN attributes
 split-tunnel-policy tunnelall
tunnel-group ALDIN type remote-access
tunnel-group ALDIN general-attributes
 address-pool ALDIN
 default-group-policy ALDIN

Author

Commented:
I have it as in your example, and nothing.
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Can you show me your configuration?

Did you configure NONAT for the VPN traffic?

ikalmar is correct; usually it is the nonat, or an improper access-list for the split tunneling. I have also seen times where the DNS server is not specified properly in the VPN tunnel and you are unable to resolve names to IP; therefore, you cannot resolve internet addresses even if split tunneling is working. If you would, post a traceroute to 4.2.2.2, an nslookup to google.com and a route print when connected to the VPN? We should be able to narrow it down pretty quickly.

Author

Commented:
I'm having many problems with the Cisco ASDM and its wizard for remote VPN. Can somebody send me all the command lines to create a remote VPN with internet access?
My internal LAN network is 10.1.2.0/24
Thanks
Head of IT Security Division
Top Expert 2010
Commented:
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list SCI_SPLIT_tunnel_acl standard permit 10.1.2.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.2.0 255.255.255.0

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map0 20 set pfs
crypto dynamic-map outside_dyn_map0 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map0
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 600
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

ip local pool VPN_Client_Pool 192.168.100.100-192.168.100.200 mask 255.255.255.0

group-policy REMOTE_TEST attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SCI_SPLIT_tunnel_acl

tunnel-group REMOTE_TEST_er type ipsec-ra
tunnel-group REMOTE_TEST_er general-attributes
 address-pool VPN_Client_Pool
 default-group-policy REMOTE_TEST
tunnel-group REMOTE_TEST_er ipsec-attributes
 pre-shared-key *
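
An added example, not part of any post in this thread: a small Python check over ASA config text for the split-tunnel problems discussed above (a tunnelall policy, a split list or nat exemption that names an undefined access-list, a malformed address). The sample config is constructed; FULL_TEST and SCI_SPLIT_acl are hypothetical names used only for illustration.

```python
import ipaddress
import re

# Constructed sample based on the thread's last config: the doubled octet is
# left in, the split list name is misspelled, and FULL_TEST is hypothetical.
SAMPLE = """\
access-list inside_nat0_outbound extended permit ip 10.1.2.0.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list SCI_SPLIT_tunnel_acl standard permit 10.1.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
group-policy REMOTE_TEST attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SCI_SPLIT_acl
group-policy FULL_TEST attributes
 split-tunnel-policy tunnelall
"""


def audit(config):
    """Return findings for the split-tunnel related lines of an ASA config."""
    findings, acls, group = [], set(), None
    lines = config.splitlines()
    # Pass 1: collect access-list names and validate every dotted token.
    for tok in (line.split() for line in lines):
        if tok[:1] == ["access-list"] and len(tok) > 1:
            acls.add(tok[1])
            for t in tok[2:]:
                if re.fullmatch(r"\d+(\.\d+)+", t):
                    try:
                        ipaddress.IPv4Address(t)
                    except ValueError:
                        findings.append(f"access-list {tok[1]}: bad address {t}")
    # Pass 2: check group-policy attributes and nat exemptions against pass 1.
    for line in lines:
        tok = line.split()
        if not line.startswith(" "):  # a top-level line opens or closes a block
            group = tok[1] if tok[:1] == ["group-policy"] and len(tok) > 1 else None
        if group and tok[:2] == ["split-tunnel-policy", "tunnelall"]:
            findings.append(f"{group}: tunnelall, no client traffic bypasses the tunnel")
        if group and tok[:2] == ["split-tunnel-network-list", "value"]:
            if tok[2:3] and tok[2] not in acls:
                findings.append(f"{group}: split list {tok[2]} is not defined")
        if tok[:1] == ["nat"] and "access-list" in tok[:-1]:
            name = tok[tok.index("access-list") + 1]
            if name not in acls:
                findings.append(f"nat exemption: access-list {name} is not defined")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
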


