ASA 5510 VPN access to internal network and split tunneling

Hi,
I am trying to allow VPN users on 10.10.10.0/24 access to the internal network 10.52.0.0/16 and also use split tunneling.

access-list insideCorp_access_in extended permit ip any 10.52.0.0 255.255.0.0
access-list insideCorp_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.52.0.0 255.255.0.0
access-list inside_nat0_outbound remark the Corporate Network behind the ASA
access-list inside_nat0_outbound extended permit ip any 10.52.0.0 255.255.0.0
access-list HamSSl_$$_splitTunnelAcl standard permit 10.52.0.0 255.255.0.0

This doesn't seem to allow access internally, but I can surf?

What should the rules be?
Rbauckham69 asked:
MikeKane commented:
Can you post your entire sanitized config along with a brief summary of your network layout?
Texas_Billy commented:
Haven't seen the full config so can't say if there's not a problem in there, but I can tell you this symptom you're describing is a very common one with ASA code prior to 8.0.  If you're still on one of the ASA 7.x code versions, upgrade to 8.2(1) and, provided the rest of your config is ok, this should start working fine.  --TX
Rbauckham69 (Author) commented:
OK, here's my config.

I have a single network, 10.52.0.0/16, that I initially want access to from remote users connecting with a VPN pool address of 10.10.10.0/24.

:
ASA Version 8.0(4)
!
hostname asa
domain-name test.co.uk
enable password WNRUp./8.g7VaOGw encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 216.134.250.190 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 nameif insideCorp
 security-level 100
 ip address 10.52.200.100 255.255.0.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Outside
dns domain-lookup inside
dns domain-lookup insideCorp
dns server-group DefaultDNS
 name-server 10.52.3.31
 domain-name test.co.uk
access-list insideCorp_access_in extended permit ip any 10.52.0.0 255.255.0.0
access-list insideCorp_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.52.0.0 255.255.0.0
access-list inside_nat0_outbound remark the Corporate Network behind the ASA
access-list inside_nat0_outbound extended permit ip any 10.52.0.0 255.255.0.0
access-list HamSSl_$$_splitTunnelAcl standard permit 10.52.0.0 255.255.0.0
pager lines 24
logging enable
logging asdm informational
logging from-address asa@test.co.uk
logging recipient-address admin@test.co.uk level errors
mtu Outside 1500
mtu inside 1500
mtu insideCorp 1500
ip local pool InternalCorp 10.52.10.1-10.52.10.50 mask 255.255.0.0
ip local pool ASAPool 10.10.10.0-10.10.10.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (Outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
nat (insideCorp) 0 access-list insideCorp_nat0_outbound
nat (insideCorp) 101 0.0.0.0 0.0.0.0
access-group insideCorp_access_in in interface insideCorp control-plane
route Outside 0.0.0.0 0.0.0.0 216.134.250.191 1
route insideCorp 10.51.5.0 255.255.255.0 10.52.0.1 1
route insideCorp 192.168.1.0 255.255.255.0 10.52.0.1 1
route insideCorp 192.168.3.0 255.255.255.0 10.52.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.52.0.0 255.255.0.0 insideCorp
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 5
telnet 10.52.0.0 255.255.0.0 insideCorp
telnet 192.168.1.0 255.255.255.0 insideCorp
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 insideCorp
ssh 10.52.0.0 255.255.0.0 insideCorp
ssh timeout 5
console timeout 0
management-access insideCorp
dhcpd address 192.168.10.100-192.168.10.200 inside
dhcpd dns 192.168.10.1 interface inside
dhcpd domain test.co.uk interface inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable Outside
 internal-password enable
group-policy DfltGrpPolicy attributes
 dns-server value 10.52.3.31
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HamSSl_$$_splitTunnelAcl
 webvpn
  url-list value testRentals
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 dns-server value 10.52.3.31
 split-tunnel-policy tunnelall
 split-tunnel-network-list value HamSSl_$$_splitTunnelAcl
 webvpn
  url-list value test
  svc ask enable default webvpn timeout 20
  url-entry disable
group-policy HamSSl_$$ internal
group-policy HamSSl_$$ attributes
 dns-server value 10.52.3.31
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value HamSSl_$$_splitTunnelAcl
username user1 password fcvVaLJuHSweHkI/ encrypted privilege 15
username user1 attributes
 webvpn
  file-entry enable
  url-list value test
  customization value hit
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool (insideCorp) InternalCorp
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultWEBVPNGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group HamSSL type remote-access
tunnel-group HamSSL general-attributes
 address-pool ASAPool
 authorization-server-group LOCAL
 default-group-policy GroupPolicy1
tunnel-group HamSSL ipsec-attributes
 pre-shared-key *
tunnel-group HamSSl_$$ type remote-access
tunnel-group HamSSl_$$ general-attributes
 address-pool ASAPool
 default-group-policy HamSSl_$$
tunnel-group HamSSl_$$ ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
!
service-policy global_policy global
smtp-server 10.52.3.5
prompt hostname context
Cryptochecksum:2fdee4bc40eb55d9fcb658d3078ebb4d
: end

Rbauckham69 (Author) commented:
Also, I believe this to be an ASA5510-BUN-K9, but the load file is "asa804-k8.bin". Does this mean it's an ASA5510-BUN-K8?
MikeKane commented:
The load file is different than the model.

And from the looks of it, the only thing I see that's out of order is your NONAT on the insideCorp NONAT ACL... Looks like the source and dest are reversed.

Change
access-list insideCorp_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.52.0.0 255.255.0.0

to be

access-list insideCorp_nat0_outbound extended permit ip 10.52.0.0 255.255.0.01 0.10.10.0 255.255.255.0
MikeKane commented:
Oops - that should actually read:
access-list insideCorp_nat0_outbound extended permit ip 10.52.0.0 255.255.0.0 10.10.10.0 255.255.255.0
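The mistake diagnosed above (a pre-8.3 `nat (iface) 0 access-list` exemption whose ACE source is not the network behind the interface it is applied to) is easy to check mechanically before pushing a config. The following checker is an added example, not code from the thread; it uses a constructed excerpt of the posted config and assumes the classic `access-list NAME extended permit ip SRC MASK DST MASK` and `nat (IFACE) 0 access-list NAME` syntax shown on this page.

```python
import ipaddress
import re

# Constructed sample: the NAT-exempt-relevant lines copied from the config posted above.
SAMPLE_CONFIG = """
interface Ethernet0/1
 nameif inside
 ip address 192.168.10.1 255.255.255.0
interface Ethernet0/2
 nameif insideCorp
 ip address 10.52.200.100 255.255.0.0
access-list insideCorp_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.52.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.52.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (insideCorp) 0 access-list insideCorp_nat0_outbound
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (any|\S+ \S+) (any|\S+ \S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")

def to_net(token):
    """Turn 'any' or 'ADDR MASK' into an ip_network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    ip, mask = token.split()
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def parse_interfaces(lines):
    """Map each nameif to the subnet configured on that interface."""
    nets, nameif, addr = {}, None, None
    for line in lines:
        if line.startswith("interface "):
            nameif = addr = None
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address "):
            ip, mask = line.split()[2:4]
            addr = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if nameif and addr:
            nets[nameif] = addr
    return nets

def check_nat0(config):
    """Return (iface, acl, source) for every nat 0 ACE whose source is not behind iface."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    nets, aces, findings = parse_interfaces(lines), {}, []
    for line in lines:
        if m := ACE_RE.match(line):
            aces.setdefault(m.group(1), []).append((to_net(m.group(2)), to_net(m.group(3))))
    for line in lines:
        if m := NAT0_RE.match(line):
            iface, acl = m.groups()
            for src, _dst in aces.get(acl, []):
                # Pre-8.3 semantics: the ACE source must be the local network behind `iface`.
                if src.prefixlen > 0 and not src.subnet_of(nets[iface]):
                    findings.append((iface, acl, str(src)))
    return findings
```

Running `check_nat0(SAMPLE_CONFIG)` flags the insideCorp ACE because its source, 10.10.10.0/24, is the VPN pool rather than a subnet of 10.52.0.0/16; swapping source and destination as suggested clears the finding.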
