Cisco VPN client setup

I am trying to set up a VPN client to an ASA5510.
I have a question, as I can connect but am unable to pass any traffic to the internal network.
The IPSEC (optional) setting? What interface do I configure it on? Do I want to select all internal addresses? What is this section actually for?

Any advice welcome.
Rbauckham69Asked:
MikeKaneCommented:
If your tunnel is connecting but there is no traffic passing, then you should look at the ASA nonat ACL and make sure the IP local pool range is set. The ASA syslog or ASDM log will also show if any traffic is being dropped due to an ACL.

The IPsec client usually does not need additional config if you are using a textbook Cisco setup. But I would need to see your firewall code to be sure.

0
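As an added illustration of the check Mike describes (this is not code from the thread), the script below parses the relevant lines of an ASA 8.0-style config and reports, for a given interface and VPN pool, whether the nat-0 exemption ACL bound to that interface has an ACE from the interface's own subnet to the whole pool. The sample lines are excerpted from the config posted later in this thread; the three status labels ("exempt", "reversed", "missing") are my own.

```python
import ipaddress

# Constructed sample: lines excerpted from the ASA 8.0(4) config posted in this thread.
SAMPLE = """
interface Ethernet0/1
 nameif inside
 ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
 nameif insideCorp
 ip address 10.52.200.100 255.255.0.0
access-list insideCorp_nat0_outbound extended permit ip 10.52.0.0 255.255.0.0 10.52.10.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.52.10.0 255.255.255.192 10.52.0.0 255.255.0.0
ip local pool InternalCorp 10.52.10.1-10.52.10.50 mask 255.255.0.0
ip local pool ASAPool 10.10.10.0-10.10.10.100 mask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (insideCorp) 0 access-list insideCorp_nat0_outbound
"""

def spec(tokens):
    """Consume one ACE address spec from the token list: any | host A | A MASK."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)

def parse(config):
    """Collect interface subnets, local pools, extended-IP ACEs and nat-0 ACL bindings."""
    ifaces, pools, acls, nat0, name = {}, {}, {}, {}, None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "interface":
            name = None                      # new interface block
        elif w[0] == "nameif":
            name = w[1]
        elif w[:2] == ["ip", "address"] and name:
            ifaces[name] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
        elif w[:3] == ["ip", "local", "pool"]:
            lo, hi = w[4].split("-")
            pools[w[3]] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            rest = w[5:]
            acls.setdefault(w[1], []).append((spec(rest), spec(rest)))  # (src, dst)
        elif w[0] == "nat" and len(w) > 4 and w[2] == "0" and w[3] == "access-list":
            nat0[w[1].strip("()")] = w[4]
    return ifaces, pools, acls, nat0

def nat_exempt_status(config, iface, pool):
    """'exempt' if an ACE runs from iface's subnet to the whole pool,
    'reversed' if the pool only shows up as the ACE source, else 'missing'."""
    ifaces, pools, acls, nat0 = parse(config)
    lo, hi = pools[pool]
    status = "missing"
    for src, dst in acls.get(nat0.get(iface), []):
        if lo in dst and hi in dst and ifaces[iface].subnet_of(src):
            return "exempt"
        if lo in src and hi in src:
            status = "reversed"
    return status
```

Run against the sample, InternalCorp is exempt on insideCorp, ASAPool is missing from both nat-0 ACLs, and the inside ACL has the pool on the wrong side of the ACE.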
Rbauckham69Author Commented:
Mike

Is this pool of addresses (allocated to the VPN client) IP addresses from my internal (192.168.1.0) network range? Or should they be a different range, i.e. (192.168.100.0)?

0
qbakiesCommented:
You can make it any range you want but if you are going to use the same range as your LAN then ensure the addresses don't overlap your LAN DHCP (or are excluded).  I always advise using a different range than your LAN so you can easily identify VPN traffic on your network.
0


MikeKaneCommented:
Correct, and if you don't know the range? Is it even set up? Post your code, we can review it for you.
0
Rbauckham69Author Commented:
ASA Version 8.0(4)
!
hostname asa
domain-name TEST.co.uk
enable password WNRUp./8.g7VaOGw encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 209.209.209.211 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 nameif insideCorp
 security-level 100
 ip address 10.52.200.100 255.255.0.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
banner exec *****session banner text*****
banner login ****Login Banner Text*****
banner motd ****MOTD******
banner asdm ****ASDM Banner*******
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Outside
dns domain-lookup inside
dns domain-lookup insideCorp
dns server-group DefaultDNS
 name-server 10.52.3.31
 domain-name TEST.co.uk
access-list insideCorp_access_in extended permit tcp 10.52.0.0 255.255.0.0 any eq telnet
access-list ciscovpntest_splitTunnelAcl standard permit 10.52.0.0 255.255.0.0
access-list insideCorp_nat0_outbound extended permit ip 10.52.0.0 255.255.0.0 10.52.10.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip 10.52.10.0 255.255.255.192 10.52.0.0 255.255.0.0
pager lines 24
logging enable
logging from-address asa@TEST.co.uk
logging recipient-address TEST@TEST.co.uk level errors
mtu Outside 1500
mtu inside 1500
mtu insideCorp 1500
ip local pool InternalCorp 10.52.10.1-10.52.10.50 mask 255.255.0.0
ip local pool ASAPool 10.10.10.0-10.10.10.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (insideCorp) 0 access-list insideCorp_nat0_outbound
nat (insideCorp) 101 0.0.0.0 0.0.0.0
access-group insideCorp_access_in in interface insideCorp control-plane
route Outside 0.0.0.0 0.0.0.0 209.209.209.209 1
route insideCorp 10.51.5.0 255.255.255.0 10.52.0.1 1
route insideCorp 192.168.1.0 255.255.255.0 10.52.0.1 1
route insideCorp 192.168.3.0 255.255.255.0 10.52.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.52.0.0 255.255.0.0 insideCorp
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign dhcp
telnet 10.52.0.0 255.255.0.0 insideCorp
telnet 192.168.1.0 255.255.255.0 insideCorp
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 insideCorp
ssh 10.52.0.0 255.255.0.0 insideCorp
ssh timeout 5
console timeout 0
management-access insideCorp
dhcpd address 192.168.10.100-192.168.10.200 inside
dhcpd dns 192.168.10.1 interface inside
dhcpd domain TEST.co.uk interface inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable Outside
 internal-password enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 webvpn
  url-list value TESTURL
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 banner value Comapny Banner!!!~~~~~~~~~~~~
 webvpn
  url-list value TESTURL
  svc ask enable default webvpn timeout 20
  url-entry disable
group-policy vpntest1 internal
group-policy vpntest1 attributes
 dns-server value 10.52.3.31
 vpn-tunnel-protocol IPSec
 split-tunnel-network-list value ciscovpntest_splitTunnelAcl
 default-domain value TEST.co.uk
 split-dns value 10.52.3.31
group-policy ciscovpntest internal
group-policy ciscovpntest attributes
 dns-server value 10.52.3.31
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list none
 default-domain value TEST.co.uk
username test password EjXxOWE6buj33lY1 encrypted privilege 15
username test attributes
 vpn-group-policy GroupPolicy1
 webvpn
  customization value DfltCustomization
  svc ask enable default webvpn timeout 20
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool (insideCorp) InternalCorp
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group clientssl type remote-access
tunnel-group TunnelGroup1 type remote-access
tunnel-group TunnelGroup1 general-attributes
 address-pool (insideCorp) InternalCorp
 address-pool InternalCorp
 authentication-server-group (Outside) LOCAL
 default-group-policy GroupPolicy1
 dhcp-server 10.52.3.3
tunnel-group TunnelGroup1 ipsec-attributes
 pre-shared-key *
tunnel-group ciscovpntest type remote-access
tunnel-group ciscovpntest general-attributes
 address-pool (insideCorp) InternalCorp
 address-pool InternalCorp
 default-group-policy ciscovpntest
tunnel-group ciscovpntest ipsec-attributes
 pre-shared-key *
tunnel-group vpntest1 type remote-access
tunnel-group vpntest1 general-attributes
 address-pool InternalCorp
 default-group-policy vpntest1
 dhcp-server 10.52.3.3
tunnel-group vpntest1 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
smtp-server 10.52.3.5
prompt hostname context
Cryptochecksum:861c4648fb6ce428e75eebb1f22cb7e8
: end
0
Rbauckham69Author Commented:
Hi,
another question:

On the Address Translation Exemption and split tunneling option: should the interface I select for the internal hosts that I want available to VPN clients be the inside or the outside interface?

Regards
0
MikeKaneCommented:
Please confirm the following:

You have a client on the outside that needs to gain access to the network on the INSIDECORP interface.

You want to use ip local pool InternalCorp 10.52.10.1-50/16.

I see only 1 group tunnel defined, so the ip pool ASAPool is not used, correct?

Next, did you want to enable split tunneling from the client?

0
Rbauckham69Author Commented:
Mike,
I have access to internal resources using ASAPool 10.10.10.0 255.255.255.0.
I can ping and http etc.
But I don't have the ability to surf! - split tunneling.

Here is the config:
access-list insideCorp_access_in extended permit ip any 10.52.0.0 255.255.0.0
access-list insideCorp_nat0_outbound extended permit ip any 10.52.0.0 255.255.0.0
access-list inside_nat0_outbound remark the Corporate Network behind the ASA
access-list inside_nat0_outbound extended permit ip any 10.52.0.0 255.255.0.0
access-list HamSSl_$$_splitTunnelAcl standard permit 10.52.0.0 255.255.0.0

Can you explain what needs to be done to enable split tunneling?
Thanks in advance
0
Rbauckham69Author Commented:
access-list insideCorp_access_in extended permit ip any 10.52.0.0 255.255.0.0
access-list insideCorp_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.52.0.0 255.255.0.0
access-list inside_nat0_outbound remark the Corporate Network behind the ASA
access-list inside_nat0_outbound extended permit ip any 10.52.0.0 255.255.0.0
access-list HamSSl_$$_splitTunnelAcl standard permit 10.52.0.0 255.255.0.0

The above now lets me connect but with no access to internal LAN but I can surf!

0
Rbauckham69Author Commented:
This is the config from another user... I copied this and all works fine.

name 10.2.100.0 VPN_POOL
name 10.0.0.0 LAN
access-list inside_nat0_outbound extended permit ip LAN 255.0.0.0 VPN_POOL 255.255.255.0
access-list SPLIT_TUNNEL standard permit LAN 255.0.0.0
ip local pool VPN_POOL 10.2.100.1-10.2.100.22 mask 255.255.255.0

global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0

webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.0202-k9.pkg 1
 svc enable
group-policy DfltGrpPolicy attributes
 wins-server value 10.1.0.6
 dns-server value 10.1.0.5
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 default-domain value xxxxxx.local
 nem enable

username lrmoore password *********** encrypted privilege 15
username lrmoore attributes
 vpn-group-policy DfltGrpPolicy
 vpn-framed-ip-address 10.2.100.99 255.255.255.0
0