beardog1113
ASA remote access VPN can not access internet
Hello experts,
I have a Cisco ASA firewall, software version 8.2(1). I configured remote access VPN on it; I can connect to it properly via the Cisco VPN client, and access to the internal or DMZ network is fine, but I can't access the internet with the VPN connected. Following is the configuration of the ASA, so please help me with this.
access-list VPN-USER extended permit ip 10.0.0.0 255.0.0.0 10.140.5.0 255.255.255.0
access-list VPN-USER extended permit ip 192.168.0.0 255.255.0.0 10.140.5.0 255.255.255.0
access-list VPN-USER extended permit ip 172.16.0.0 255.240.0.0 10.140.5.0 255.255.255.0
access-list VPN-USER extended permit ip any 10.140.5.0 255.255.255.0
global (outside) 1 interface
nat (outside) 1 10.140.5.0 255.255.255.0
nat (inside) 0 access-list VPN-USER
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list VPN-USER
nat (DMZ) 1 0.0.0.0 0.0.0.0
Explanation: 10.140.5.0/24 is the network range for VPN clients. I have another ASA with the same configuration and everything works fine there; the only difference is that that ASA runs a higher software version: 8.2(2)4.
I am really puzzled and not sure what's wrong.
Thanks very much
ASKER
Yes, I did try that after configuring the ASA, but it doesn't help.
Thx
OK, please show the whole config.
ASKER
ASA-001# sh run
: Saved
:
ASA Version 8.2(1)
!
hostname ASA-001
enable password oJXexQk.vUwCf1TY encrypted
passwd oJXexQk.vUwCf1TY encrypted
names
name 10.140.7.5 server1
name 10.140.7.6 server2
name 10.140.7.7 VIP
name 10.140.7.3 PHPWEB
name 10.140.7.2 WEB05
name 10.160.229.128 POWER
name 10.160.217.126 POWER_1
name 10.140.7.10 SFTP
name 10.140.7.4 server3
name 10.140.7.13 monline5
name 10.140.7.12 server4
name 10.140.0.45 sql2
name 10.140.1.14 backup
name 10.140.0.10 MAIL1
name 10.140.3.27 EPO1
name 10.140.3.28 WSUS1
name 10.140.3.11 DC1
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address x.x.x.196 255.255.255.192 standby x.x.x.197
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.140.0.3 255.255.255.128 standby 10.140.0.4
!
interface GigabitEthernet0/2
nameif DMZ
security-level 50
ip address 10.140.7.1 255.255.255.0 standby 10.140.7.254
!
interface GigabitEthernet0/3
description LAN Failover Interface
!
interface Management0/0
description STATE Failover Interface
!
ftp mode passive
object-group network Mail-Servers-Inside
network-object 10.140.0.17 255.255.255.255
network-object MAIL1 255.255.255.255
network-object 10.140.1.127 255.255.255.255
object-group service Dim-ports
service-object icmp echo-reply
service-object icmp echo
service-object tcp eq www
service-object tcp eq https
service-object tcp eq 1433
service-object tcp eq 1759
service-object tcp eq 65100
service-object tcp eq 445
service-object tcp eq 3177
service-object tcp eq netbios-ssn
service-object udp eq 1434
service-object udp eq 5093
service-object udp eq netbios-ns
object-group network MS-Servers-DMZ
network-object WEB05 255.255.255.255
network-object PHPWEB 255.255.255.255
network-object server1 255.255.255.255
network-object server2 255.255.255.255
network-object VIP 255.255.255.255
object-group network D-Servers
network-object VIP 255.255.255.255
network-object host server2
network-object host server3
network-object host server1
object-group network Backup
network-object WEB05 255.255.255.255
network-object PHPWEB 255.255.255.255
network-object server1 255.255.255.255
network-object VIP 255.255.255.255
object-group network EPO
network-object WEB05 255.255.255.255
network-object PHPWEB 255.255.255.255
network-object server1 255.255.255.255
network-object VIP 255.255.255.255
object-group network SNMP
network-object WEB05 255.255.255.255
network-object PHPWEB 255.255.255.255
network-object server1 255.255.255.255
network-object VIP 255.255.255.255
object-group service EPO-ports
service-object tcp eq 8081
service-object udp eq 8081
service-object tcp eq 8082
service-object udp eq 8082
service-object tcp eq 8444
service-object udp eq 8444
object-group service Backup-ports
service-object tcp eq 10000
object-group service snmp
service-object tcp eq 161
service-object udp eq snmp
service-object udp eq snmptrap
object-group network Internal-Network
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
object-group service wsus-ports
service-object tcp eq 8530
service-object tcp eq www
service-object tcp eq https
service-object tcp eq 8531
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Dim-Internal
network-object host 10.140.0.37
network-object host 10.140.0.38
network-object host 10.140.0.39
network-object host 10.140.0.40
object-group network DM_INLINE_NETWORK_1
network-object host server4
network-object host monline5
object-group network DM_INLINE_NETWORK_2
network-object host EPO1
network-object host WSUS1
object-group network DM_INLINE_NETWORK_3
network-object host server4
network-object host monline5
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_4
network-object host server4
network-object host monline5
object-group service Fileshare
service-object tcp-udp eq 137
service-object tcp-udp eq 138
service-object tcp-udp eq 139
service-object tcp eq 445
object-group service SQL
service-object tcp eq 1433
service-object tcp eq 2483
service-object tcp eq 1434
service-object tcp eq 137
service-object tcp
service-object tcp eq netbios-ssn
service-object tcp eq 0
service-object tcp eq 445
service-object tcp eq exec
service-object udp
object-group service DM_INLINE_SERVICE_1
group-object Fileshare
group-object SQL
object-group service SQL-Ports
service-object tcp range 1024 5000
object-group network SMTP_SO
network-object host server4
network-object host monline5
network-object host WEB05
network-object host SFTP
network-object host server3
network-object host server1
network-object host server2
object-group network SMTP_DE
network-object host POWER_1
network-object host 10.137.8.23
object-group network CAST
network-object 135.196.24.192 255.255.255.240
network-object 213.235.63.64 255.255.255.192
network-object 94.185.244.0 255.255.255.0
network-object 212.2.3.128 255.255.255.192
network-object 94.185.240.0 255.255.255.0
network-object 212.188.232.144 255.255.255.248
network-object 195.130.217.0 255.255.255.0
access-list dmz extended permit icmp any any
access-list dmz extended permit object-group TCPUDP 10.140.7.0 255.255.255.128 host DC1 eq domain
access-list dmz extended permit tcp 10.140.7.0 255.255.255.128 host DC1 eq 3389
access-list dmz extended permit tcp 10.140.7.0 255.255.255.128 host backup eq 10000
access-list dmz extended permit object-group EPO-ports 10.140.7.0 255.255.255.128 host EPO1
access-list dmz extended permit object-group wsus-ports 10.140.7.0 255.255.255.128 host WSUS1
access-list dmz extended permit object-group snmp 10.140.7.0 255.255.255.128 host 10.11.2.97
access-list dmz extended permit object-group snmp 10.140.7.0 255.255.255.128 host 10.140.0.14
access-list dmz extended permit tcp host WEB05 host 10.140.0.16 eq 1433
access-list dmz extended permit tcp host WEB05 host 203.23.136.46 eq 990
access-list dmz extended permit tcp host WEB05 host 203.23.136.46 eq ftp
access-list dmz extended permit tcp host WEB05 host 203.23.136.46 range 4900 4920
access-list dmz extended permit tcp host WEB05 host 10.140.0.18 eq 1433
access-list dmz extended permit tcp host WEB05 host POWER eq smtp
access-list dmz extended permit tcp object-group MS-Servers-DMZ host POWER eq smtp
access-list dmz extended permit tcp object-group MS-Servers-DMZ host 10.160.217.216 eq smtp
access-list dmz extended permit tcp host 10.140.7.14 host 10.167.101.1 eq 7000
access-list dmz extended permit tcp host monline5 host 10.167.101.1 eq 7000
access-list dmz extended permit tcp host server4 host 10.167.101.1 eq 7000
access-list dmz extended permit tcp object-group MS-Servers-DMZ host POWER_1 eq smtp
access-list dmz extended permit tcp 10.140.7.0 255.255.255.128 host backup eq 6101
access-list dmz extended permit tcp 10.140.7.0 255.255.255.128 host backup eq 6103
access-list dmz extended permit tcp 10.140.7.0 255.255.255.128 host backup eq 441
access-list dmz extended permit tcp host SFTP any eq www
access-list dmz extended permit tcp host SFTP host MAIL1 eq smtp
access-list dmz extended permit tcp host SFTP any eq https
access-list dmz extended permit tcp host server2 any eq www
access-list dmz extended permit tcp host server2 host 203.29.78.90 eq ftp
access-list dmz extended permit tcp host WEB05 any eq domain
access-list dmz extended permit tcp host server3 host 10.140.0.41 eq 2074
access-list dmz extended deny ip host WEB05 192.168.0.0 255.255.0.0
access-list dmz extended deny ip host WEB05 10.0.0.0 255.0.0.0
access-list dmz extended deny ip host WEB05 172.16.0.0 255.240.0.0
access-list dmz extended permit ip host WEB05 any
access-list dmz extended permit ip object-group D-Servers host 10.140.0.41 log
access-list dmz extended permit tcp object-group D-Servers host 10.140.0.41 eq 1433
access-list dmz extended permit tcp object-group D-Servers host 10.140.0.41 eq 3177
access-list dmz extended permit tcp object-group D-Servers host 10.140.0.41 eq 2074
access-list dmz extended permit udp host monline5 host 10.140.3.12 eq 5093
access-list dmz extended permit udp object-group D-Servers host 10.140.3.12 eq 5093
access-list dmz extended permit tcp object-group SMTP_SO object-group SMTP_DE eq smtp
access-list dmz extended deny ip object-group D-Servers 192.168.0.0 255.255.0.0
access-list dmz extended deny ip object-group D-Servers 172.16.0.0 255.240.0.0
access-list dmz extended deny ip object-group D-Servers 10.0.0.0 255.0.0.0
access-list dmz extended permit ip object-group D-Servers any
access-list dmz extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list dmz extended permit object-group SQL object-group DM_INLINE_NETWORK_4 host sql2
access-list dmz extended permit ip object-group DM_INLINE_NETWORK_4 host sql2
access-list dmz extended permit tcp object-group DM_INLINE_NETWORK_3 any object-group DM_INLINE_TCP_1
access-list dmz extended deny ip any any
access-list inside extended permit icmp any any
access-list inside extended permit ip any any
access-list outside extended permit icmp any any
access-list outside extended permit tcp any host x.x.x.199 eq www
access-list outside extended permit tcp any host x.x.x.199 eq https
access-list outside extended permit tcp any host x.x.x.199 eq ftp
access-list outside extended permit tcp any host x.x.x.199 eq ssh
access-list outside extended permit tcp any host x.x.x.199 eq 55
access-list outside extended permit tcp any host x.x.x.200 eq 1433
access-list outside extended permit tcp any host x.x.x.199 eq 81
access-list outside extended permit ip host 121.223.202.97 host x.x.x.200
access-list outside extended permit ip host 59.151.57.251 host x.x.x.200
access-list outside extended permit tcp any host x.x.x.201 eq ssh
access-list outside extended permit tcp host 203.23.136.46 host x.x.x.199 eq 990
access-list outside extended permit tcp any host x.x.x.205 eq www
access-list outside extended permit tcp any host x.x.x.205 eq https
access-list outside extended permit tcp any host x.x.x.206 eq https
access-list outside extended permit tcp any host x.x.x.206 eq www
access-list outside extended permit tcp any host x.x.x.202 eq www
access-list outside extended permit tcp any host x.x.x.202 eq https
access-list outside extended permit tcp any host x.x.x.203 eq www
access-list outside extended permit tcp any host x.x.x.203 eq https
access-list outside extended permit tcp any host x.x.x.204 eq www
access-list outside extended permit tcp any host x.x.x.204 eq https
access-list outside extended permit tcp any host x.x.x.207 eq www
access-list outside extended permit tcp any host x.x.x.207 eq https
access-list outside extended permit tcp any host x.x.x.209 eq www
access-list outside extended permit tcp any host x.x.x.209 eq https
access-list outside extended permit tcp any host x.x.x.210 eq https
access-list outside extended permit tcp any host x.x.x.210 eq www
access-list outside extended permit tcp any host x.x.x.208 eq www
access-list outside extended permit tcp any host x.x.x.208 eq https
access-list outside extended permit ip host 202.5.96.181 host x.x.x.200
access-list VPN-USER extended permit ip 10.0.0.0 255.0.0.0 10.140.5.0 255.255.255.0
access-list VPN-USER extended permit ip 192.168.0.0 255.255.0.0 10.140.5.0 255.255.255.0
access-list VPN-USER extended permit ip 172.16.0.0 255.255.0.0 10.140.5.0 255.255.255.0
access-list VPN-USER extended permit ip any 10.140.5.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool RM-VPN-POOL 10.140.5.1-10.140.5.254 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/3
failover key *****
failover link state Management0/0
failover interface ip failover 10.140.16.213 255.255.255.252 standby 10.140.16.214
failover interface ip state 10.140.16.209 255.255.255.252 standby 10.140.16.210
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 10.140.5.0 255.255.255.0
nat (inside) 0 access-list VPN-USER
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list VPN-USER
nat (DMZ) 1 0.0.0.0 0.0.0.0
static (DMZ,outside) tcp x.x.x.199 81 PHPWEB 81 netmask 255.255.255.255
static (DMZ,outside) tcp x.x.x.199 www WEB05 www netmask 255.255.255.255
static (DMZ,outside) tcp x.x.x.199 ftp WEB05 ftp netmask 255.255.255.255
static (inside,DMZ) 10.0.0.0 10.0.0.0 netmask 255.0.0.0
static (inside,DMZ) 192.168.0.0 192.168.0.0 netmask 255.255.0.0
static (inside,DMZ) 172.16.0.0 172.16.0.0 netmask 255.240.0.0
static (DMZ,outside) x.x.x.202 VIP netmask 255.255.255.255
static (DMZ,outside) x.x.x.203 server1 netmask 255.255.255.255
static (DMZ,outside) x.x.x.205 10.140.7.8 netmask 255.255.255.255
static (DMZ,outside) x.x.x.206 10.140.7.9 netmask 255.255.255.255
static (inside,outside) x.x.x.200 10.140.0.16 netmask 255.255.255.255
static (DMZ,outside) x.x.x.204 server2 netmask 255.255.255.255
static (DMZ,outside) x.x.x.201 SFTP netmask 255.255.255.255
static (DMZ,outside) x.x.x.207 server3 netmask 255.255.255.255
static (DMZ,outside) x.x.x.209 server4 netmask 255.255.255.255
static (DMZ,outside) x.x.x.210 monline5 netmask 255.255.255.255
static (DMZ,outside) x.x.x.208 10.140.7.14 netmask 255.255.255.255
access-group outside in interface outside
access-group inside in interface inside
access-group dmz in interface DMZ
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
route inside 10.0.0.0 255.0.0.0 10.140.0.1 1
route inside 172.16.0.0 255.240.0.0 10.140.0.1 1
route inside 192.168.0.0 255.255.0.0 10.140.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACS-Group protocol radius
aaa-server ACS-Group (inside) host 10.11.2.33
timeout 15
key *****
aaa-server ACS-Group (inside) host 10.11.2.34
timeout 15
key *****
aaa-server ACS-Group (inside) host 192.168.1.240
timeout 15
key *****
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 60
http server session-timeout 60
http 10.0.0.0 255.0.0.0 inside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp DMZ
service resetoutside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set DM-MAP esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DM-MAP 10 set pfs
crypto dynamic-map DM-MAP 10 set transform-set ESP-3DES-SHA ESP-3DES-MD5 DM-MAP
crypto dynamic-map DM-MAP 65535 set pfs
crypto dynamic-map DM-MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 DM-MAP
crypto map DM-MAP 65535 ipsec-isakmp dynamic DM-MAP
crypto map DM-MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-addr-assign local reuse-delay 60
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 30
ssh 10.0.0.0 255.0.0.0 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DM-MAP internal
group-policy DM-MAP attributes
dns-server value 10.140.3.11 10.137.8.26
vpn-tunnel-protocol IPSec
default-domain value ap.ipsos
address-pools value RM-VPN-POOL
ipv6-address-pools none
username admin password oD4GyTosDcH1utla encrypted privilege 15
tunnel-group DM-MAP type remote-access
tunnel-group DM-MAP general-attributes
address-pool RM-VPN-POOL
authentication-server-group ACS-Group
default-group-policy DM-MAP
tunnel-group DM-MAP ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ea5e04f553ab6c11232ec55ddae4ff9b
: end
ASA-001#
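The posted running config is long enough that the NAT and VPN pieces are easy to misread, so here is an added example (not from the thread and not Cisco tooling) that pulls the relevant pre-8.3 `nat`, `global`, `access-list`, `route` and `ip local pool` lines out of the config above and reports the three things a reviewer would check when VPN clients reach internal networks but not the internet: whether the client pool 10.140.5.0/24 is covered by a dynamic NAT/global pair on the outside interface (it is), whether traffic is allowed to enter and leave the same interface via `same-security-traffic permit intra-interface`, which VPN-client hairpinning on the ASA requires and which does not appear anywhere in the posted config, and whether the nat-exempt ACL prefixes agree with the route table (the running config has `172.16.0.0 255.255.0.0` in VPN-USER while the route uses `255.240.0.0`, unlike the snippet first posted). The sample config embedded in the script is a constructed excerpt of the lines above; the check names and messages are the script's own.

```python
"""Checker for the ASA 8.2-style NAT/VPN configuration posted in this thread.

Added example, not part of the original thread. Parses the classic
(pre-8.3) nat/global/access-list/route syntax and reports what a reviewer
would check when VPN clients can reach internal networks but not the
internet. The sample config below is an excerpt of the posted `sh run`.
"""
import ipaddress
import re

# Constructed excerpt: the NAT/VPN-relevant lines copied from the posted config.
SAMPLE_CONFIG = """
access-list VPN-USER extended permit ip 10.0.0.0 255.0.0.0 10.140.5.0 255.255.255.0
access-list VPN-USER extended permit ip 192.168.0.0 255.255.0.0 10.140.5.0 255.255.255.0
access-list VPN-USER extended permit ip 172.16.0.0 255.255.0.0 10.140.5.0 255.255.255.0
access-list VPN-USER extended permit ip any 10.140.5.0 255.255.255.0
ip local pool RM-VPN-POOL 10.140.5.1-10.140.5.254 mask 255.255.255.0
global (outside) 1 interface
nat (outside) 1 10.140.5.0 255.255.255.0
nat (inside) 0 access-list VPN-USER
nat (inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list VPN-USER
nat (DMZ) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
route inside 10.0.0.0 255.0.0.0 10.140.0.1 1
route inside 172.16.0.0 255.240.0.0 10.140.0.1 1
route inside 192.168.0.0 255.255.0.0 10.140.0.1 1
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) ")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")
INTRA = "same-security-traffic permit intra-interface"


def parse(text):
    """Extract the NAT-related statements into a small dict."""
    cfg = {"nat": [], "global": [], "route": [], "acl": {}, "pool": None, "intra": False}
    for line in text.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            iface, nat_id, addr, mask = m.groups()
            cfg["nat"].append((iface, int(nat_id), addr, mask))
        elif m := GLOBAL_RE.match(line):
            cfg["global"].append((m.group(1), int(m.group(2))))
        elif m := ROUTE_RE.match(line):
            _iface, net, mask = m.groups()
            if net != "0.0.0.0":  # skip the default route; gateway is masked as x.x.x.193
                cfg["route"].append(ipaddress.ip_network(f"{net}/{mask}"))
        elif m := ACL_RE.match(line):
            name, src, smask, _dst, _dmask = m.groups()
            cfg["acl"].setdefault(name, []).append(ipaddress.ip_network(f"{src}/{smask}"))
        elif m := POOL_RE.match(line):
            first, mask = m.group(2), m.group(4)
            cfg["pool"] = ipaddress.ip_network(f"{first}/{mask}", strict=False)
        elif line == INTRA:
            cfg["intra"] = True
    return cfg


def check(cfg):
    """Return a list of human-readable findings (empty list means all checks pass)."""
    findings = []
    pool = cfg["pool"]
    if pool is None:
        return ["no ip local pool found"]
    # 1. The client pool needs a dynamic NAT on outside whose id has a global on outside.
    covered = any(
        iface == "outside" and nat_id != 0
        and pool.subnet_of(ipaddress.ip_network(f"{addr}/{mask}"))
        and ("outside", nat_id) in cfg["global"]
        for iface, nat_id, addr, mask in cfg["nat"]
    )
    if not covered:
        findings.append("VPN pool has no dynamic NAT/global pair on outside")
    # 2. Client-to-internet traffic enters and leaves on outside; the ASA drops
    #    such hairpinned traffic unless intra-interface traffic is permitted.
    if not cfg["intra"]:
        findings.append(f"{INTRA} is missing")
    # 3. Each nat-exempt source prefix should match a routed internal prefix.
    for name, nets in cfg["acl"].items():
        for net in nets:
            if net not in cfg["route"]:
                findings.append(f"{name}: {net} does not match any route inside entry")
    return findings


if __name__ == "__main__":
    for finding in check(parse(SAMPLE_CONFIG)):
        print(finding)
```

Run against the excerpt, the script reports the missing `same-security-traffic permit intra-interface` line and the 172.16.0.0/16 versus 172.16.0.0/12 mask mismatch in VPN-USER; with both corrected it reports nothing. The `any` entry in VPN-USER is deliberately left out of check 3 because it has no source prefix to compare against the route table.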
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set DM-MAP esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DM-MAP 10 set pfs
crypto dynamic-map DM-MAP 10 set transform-set ESP-3DES-SHA ESP-3DES-MD5 DM-MAP
crypto dynamic-map DM-MAP 65535 set pfs
crypto dynamic-map DM-MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 DM-MAP
crypto map DM-MAP 65535 ipsec-isakmp dynamic DM-MAP
crypto map DM-MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-addr-assign local reuse-delay 60
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 30
ssh 10.0.0.0 255.0.0.0 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DM-MAP internal
group-policy DM-MAP attributes
dns-server value 10.140.3.11 10.137.8.26
vpn-tunnel-protocol IPSec
default-domain value ap.ipsos
address-pools value RM-VPN-POOL
ipv6-address-pools none
username admin password oD4GyTosDcH1utla encrypted privilege 15
tunnel-group DM-MAP type remote-access
tunnel-group DM-MAP general-attributes
address-pool RM-VPN-POOL
authentication-server-grou
default-group-policy DM-MAP
tunnel-group DM-MAP ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ea5e04f553a
: end
ASA-001#
Hi,
You use the same pool as the addresses routed to inside:
route inside 10.0.0.0 255.0.0.0 10.140.0.1 1
route inside 172.16.0.0 255.240.0.0 10.140.0.1 1
route inside 192.168.0.0 255.255.0.0 10.140.0.1 1
Do you need all addresses to route?
You need to create an ACL for the VPN:
access-list VPN_REMOTE_ACL standard permit 10.0.0.0 255.0.0.0
access-list VPN_REMOTE_ACL standard permit 172.16.0.0 255.240.0.0
access-list VPN_REMOTE_ACL standard permit 192.168.0.0 255.255.0.0
and you need to use it in the group policy:
group-policy DM-MAP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_REMOTE_ACL
ASKER
Hi expert,
As I said, with my current configuration, access to the internal network is fine with the VPN connected; my problem is that I can't access the internet with the VPN connected.
Thanks
ASKER CERTIFIED SOLUTION
ASKER
Hi expert,
Finally I understand your solution, and I can say that should be fine: you split the tunnel for internal access only, and for the internet the laptop uses its own circuit.
But usually, with my configuration, once the VPN is connected internet access should go out through the ASA NAT; maybe in the future I need that for security reasons.
At least you helped me fix this issue, thank you. Regarding my comments, do you have any idea or suggestion? I guess this soft version does not support it.
Thanks again
Oh, I see...
But the config seems good, because you configured NAT for the VPN clients!
global (outside) 1 interface
nat (outside) 1 10.140.5.0 255.255.255.0
I am using the same configuration with:
System image file is "disk0:/asa822-k8.bin"
and it is working... I advise reloading the ASA and retrying to connect to the internet via VPN...
Are the DNS servers working well?
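The two replies above describe two different things: the split-tunnel group policy (only the VPN_REMOTE_ACL networks go into the tunnel, everything else leaves via the laptop's own uplink) and the `nat (outside) 1` / `global (outside) 1 interface` pair that is meant to PAT tunnelled internet traffic back out of the outside interface. The following Python model, added here and not code from the thread or from Cisco, walks one client packet through both decisions using only the routes, pool and NAT rules visible in the posted config. One thing it has to assume: whether the ASA permits traffic to enter and leave the same interface (`same-security-traffic permit intra-interface`) is not shown in the posted section either way, so it is a parameter rather than a value read from the page. The destination `203.0.113.10` and the client address `10.140.5.10` are constructed sample values.

```python
"""Simplified model (added for this page; not ASA code) of how traffic from a
Cisco VPN client is steered under the two group-policy options discussed in
the thread, and which NAT rule from the posted config the tunnelled traffic
then hits on the ASA."""
import ipaddress
from typing import List, Tuple

# Addresses from the posted config and the suggested split-tunnel ACL.
VPN_POOL = ipaddress.ip_network("10.140.5.0/24")          # ip local pool RM-VPN-POOL
SPLIT_TUNNEL_NETS = [ipaddress.ip_network(n) for n in     # VPN_REMOTE_ACL
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Static routes from the posted config: (prefix, egress interface).
# The DMZ connected route is not shown in the posted section, so it is omitted.
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "outside"),
    ("10.0.0.0/8", "inside"),
    ("172.16.0.0/12", "inside"),
    ("192.168.0.0/16", "inside"),
]


def client_path(dst: str, split_policy: str) -> str:
    """Which way the VPN client sends a packet to dst.

    'tunnelall'       : the default when no split-tunnel-policy is set; every
                        packet, internet traffic included, goes into the tunnel.
    'tunnelspecified' : only destinations in the split-tunnel ACL are tunnelled;
                        everything else leaves via the laptop's own uplink.
    """
    if split_policy == "tunnelall":
        return "tunnel"
    if split_policy == "tunnelspecified":
        addr = ipaddress.ip_address(dst)
        return "tunnel" if any(addr in net for net in SPLIT_TUNNEL_NETS) else "direct"
    raise ValueError(f"unknown split-tunnel policy: {split_policy}")


def egress_interface(dst: str) -> str:
    """Longest-prefix match over ROUTES (the default route always matches)."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, "outside"
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def asa_forwarding(src: str, dst: str, intra_interface_permitted: bool) -> str:
    """What the ASA does with a decrypted packet from a VPN client.

    The packet enters on 'outside' (where the crypto map is applied).
    intra_interface_permitted is an assumption standing in for
    'same-security-traffic permit intra-interface'; the posted config section
    does not show that line either way.
    """
    if ipaddress.ip_address(src) not in VPN_POOL:
        raise ValueError("source is not a VPN pool address")
    egress = egress_interface(dst)
    if egress == "inside":
        # nat (inside) 0 access-list VPN-USER: exemption NAT for this pair of
        # networks, so the packet is forwarded untranslated.
        return "forward to inside, untranslated (nat 0 exemption)"
    # egress == 'outside': the packet has to leave on the interface it arrived on.
    if not intra_interface_permitted:
        return "dropped: traffic entering and leaving the same interface is not permitted"
    # nat (outside) 1 10.140.5.0 255.255.255.0 + global (outside) 1 interface:
    # dynamic PAT to the outside interface address.
    return "forward to outside, PAT to outside interface address"


def simulate(dst: str, split_policy: str, intra_interface_permitted: bool,
             src: str = "10.140.5.10") -> str:
    """End-to-end result for one client packet (src is a constructed pool address)."""
    if client_path(dst, split_policy) == "direct":
        return "sent via the laptop's own uplink, never reaches the ASA"
    return asa_forwarding(src, dst, intra_interface_permitted)


if __name__ == "__main__":
    internet = "203.0.113.10"   # constructed internet destination (TEST-NET-3)
    internal = "10.140.0.16"    # internal host that appears in the posted config
    for policy in ("tunnelall", "tunnelspecified"):
        for permitted in (False, True):
            print(f"{policy:16} intra-interface={permitted!s:5} -> {internet}: "
                  f"{simulate(internet, policy, permitted)}")
        print(f"{policy:16} -> {internal}: {simulate(internal, policy, True)}")
```

Running it shows the difference the thread circles around: under `tunnelspecified` the internet packet never reaches the ASA, so the NAT rules for the pool are irrelevant to it; under `tunnelall` the same packet arrives on outside and must leave on outside, and only then do the `nat (outside) 1` / `global (outside) 1 interface` lines come into play, and only if the intra-interface check passes. When checking a real box, `show run same-security-traffic` and `show xlate` are the two places to look before reloading.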
ASKER
Hi expert,
As I said, I also have a higher-version ASA with a similar configuration, and that one works fine, so I think upgrading the ASA will support that.
Anyway, with this question you taught me the "split" command and extended my knowledge about the ASA.
Thanks
ASKER
My problem is solved.
Did you do a 'clear xlate' afterwards?