First Last asked:

ASA IPSec VPN from Windows to ASA 5510


Today I set up an IPSec VPN on an ASA 5510. I was able to set up DHCP for the client and get the client (Windows XP) to connect via the Cisco VPN software. I'm having two general problems and was wondering if you could point me in the right direction. Unfortunately, I don't have the configuration and left work with this problem on my mind.

1) Every time I establish a VPN connection from the client and do an 'ipconfig' I see that my default gateway is the DHCP address assigned. So, I manually changed the default gateway on the laptop to what should be the proper gateway.

2) I can ping the VPN client via the assigned DHCP address from my internal LAN but my client VPN PC can't ping anything internally.

I did try to setup a default tunneled gateway, but that didn't help. I know for a fact I didn't get to setting up any NAT or anything else. I had no other directions and time was running short.

Do you have any suggestions or step-by-step configuration settings I could follow for setting up an IPSec VPN that will allow for internal DNS to be used, proper routing to the internal LAN, general setup, etc.?

Thanks. I can't wait to get back to work tomorrow and get back to the grind.

Last Comment: First Last
8/22/2022 - Mon
Istvan Kalmar


It seems that you need to configure split-tunnel on the Cisco:

First Last

I tried to enable split-tunnel, but I'm still having no luck with accessing the internet via the tunnel or local resources across the VPN. When I do a route print from the command line of the XP client using the VPN, all the routes for the VPN network point back to the IP of the XP client.

172.20.2.x range is my private range on the LAN side of my firewall.

I'm uploading my 'route print' display from my client PC when the VPN is connected. Also, I'm uploading my ASA configuration.

All my ACLs are set to ANY ANY for testing purposes.
: Saved
ASA Version 8.3(2) 
hostname ASA
domain-name 1234
interface Ethernet0/0
 nameif dmz
 security-level 100
 ip address standby 
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
interface Ethernet0/1.101
 vlan 101
 nameif FIOS
 security-level 100
 ip address 173.71.x.x standby 173.71.x.x
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address standby 
interface Ethernet0/3
 description LAN/STATE Failover Interface
interface Management0/0
 nameif management
 security-level 100
 ip address standby 
banner exec This is a private network.
banner exec Access beyond this point is for authorized personell only.
banner exec Unauthorized access will be prosecuted to the full extent of the law.
banner exec We thank you for respecting our privacy.
banner login This is a private network.
banner login Access beyond this point is for authorized personell only.
banner login Unauthorized access will be prosecuted to the full extent of the law.
banner login We thank you for respecting our privacy.
banner asdm This is a private network.
banner asdm Access beyond this point is for authorized personell only.
banner asdm Unauthorized access will be prosecuted to the full extent of the law.
banner asdm We thank you for respecting our privacy.
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 domain-name xxxx
same-security-traffic permit inter-interface
object network obj_any 
object network Inside 
object network NETWORK_OBJ_172.20.2.192_27 
access-list inside_access_in extended permit ip 
access-list inside_access_in extended permit ip 
access-list inside_access_in extended permit ip 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit ip interface FIOS interface inside 
access-list global_access extended permit ip any any 
access-list outside_access_in extended permit ip any any 
access-list test extended permit ip host host 
access-list test extended permit ip host host 
access-list FIOS_access_in extended permit ip any any 
access-list cap1 extended permit ip host any 
access-list cap1 extended permit ip any host 
pager lines 24
logging enable
logging monitor warnings
logging buffered critical
logging asdm informational
mtu dmz 1500
mtu FIOS 1500
mtu inside 1500
mtu management 1500
ip local pool Inside-VPN-IP mask
ip verify reverse-path interface dmz
ip verify reverse-path interface FIOS
ip verify reverse-path interface management
ip audit name ATTACK attack action alarm drop reset
ip audit name INFO info action alarm drop reset
failover lan unit secondary
failover lan interface failover Ethernet0/3
failover polltime unit msec 200 holdtime 15
failover polltime interface msec 500 holdtime 25
failover key *****
failover replication http
failover link failover Ethernet0/3
failover interface ip failover standby
monitor-interface FIOS
icmp unreachable rate-limit 1 burst-size 1
icmp permit any FIOS
icmp permit any inside
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
nat (inside,FIOS) source dynamic obj_any interface
nat (FIOS,FIOS) source static any any destination static NETWORK_OBJ_172.20.2.192_27 NETWORK_OBJ_172.20.2.192_27
nat (inside,FIOS) after-auto source dynamic any interface
access-group FIOS_access_in in interface FIOS
access-group inside_access_in in interface inside
access-group global_access global
route FIOS 1
route inside 1
route FIOS tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DC protocol ldap
aaa-server DC (inside) host
 timeout 5
 server-type auto-detect
url-server (inside) vendor websense host timeout 10 protocol TCP version 4 connections 100
url-cache dst 128
aaa authentication ssh console LOCAL 
aaa authentication http console LOCAL 
aaa authentication telnet console LOCAL 
filter url http allow proxy-block longurl-truncate 
filter https 443 allow 
filter activex 80 
filter java 80 
http server enable
http management
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
auth-prompt prompt Hello. 
service resetoutside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map FIOS_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map FIOS_map interface FIOS
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable FIOS
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
vpn-addr-assign local reuse-delay 5
telnet timeout 1440
ssh inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
url-block url-mempool 2
url-block url-size 2
url-block block 1
ntp authenticate
ntp server source inside prefer
 enable FIOS
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
  url-list value Bookmark
group-policy NEW internal
group-policy NEW attributes
 dns-server value
 vpn-tunnel-protocol svc 
 default-domain value new.local
group-policy IPSecVPN internal
group-policy IPSecVPN attributes
 dns-server value
 vpn-idle-timeout 30
 vpn-filter value FIOS_access_in
 ipv6-vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelall
 split-tunnel-network-list value outside_access_in
 default-domain value new.local
 split-dns value 
 msie-proxy method no-proxy
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 authentication-server-group DC
tunnel-group NEW type remote-access
tunnel-group NEW general-attributes
 address-pool Inside-VPN-IP
 default-group-policy NEW
tunnel-group NEW ipsec-attributes
 pre-shared-key *****
tunnel-group IPSecVPN type remote-access
tunnel-group IPSecVPN general-attributes
 address-pool Inside-VPN-IP
 default-group-policy IPSecVPN
tunnel-group IPSecVPN ipsec-attributes
 pre-shared-key *****
class-map FIOS-class
 match default-inspection-traffic
policy-map type inspect im IM-Inspect-Map
 match protocol msn-im yahoo-im 
  drop-connection log
policy-map type inspect dns migrated_dns_map_1
  message-length maximum client auto
  message-length maximum 512
policy-map FIOS-policy
 class FIOS-class
  inspect dns 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect icmp 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect sip  
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
service-policy FIOS-policy interface FIOS
prompt hostname context 
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
: end
asdm image disk0:/asdm-635.bin
no asdm history enable


C:\Documents and Settings\Administrator>route print
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 14 22 f7 8b 55 ...... Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport
0x100003 ...00 16 ce 45 59 c9 ...... Dell Wireless 1390 WLAN Mini-Card - Packet Scheduler Miniport
0x130005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
[Only the Metric column of the route table survived the upload: 1 1 25 25 25 1 25 25 1 25 25 25 25 1 2 1 1; the Network Destination, Netmask, Gateway and Interface columns are not on the page]
Default Gateway:


Istvan Kalmar

Log in or sign up to see answer
First Last

Thank you! I did notice a few minor problems, but I was able to fix them.

1) With the "objects" you had a .10 for the third octet. It should be a .0
2) By default the NAT was added to the end of my NAT list. In the ASDM I moved those two NAT commands to the top.

Thankfully now I can ping across in both directions! I do have some issues regarding why I can only PING and HTTP, but not RDP or File Share. I'll figure those out on my own. Thank you again.
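A worked configuration for the fix the thread converges on (an identity NAT exemption between the LAN and the VPN pool placed ahead of the dynamic PAT rule, plus an explicit split-tunnel list instead of `tunnelall`), written as an added example for this page rather than the poster's or Istvan Kalmar's own configuration. It uses ASA 8.3 syntax to match the posted dump and assumes an inside LAN of 172.20.2.0/24 (the poster only says "172.20.2.x"), the pool object NETWORK_OBJ_172.20.2.192_27 from the dump, the interface names inside and FIOS from the dump, and 172.20.2.10 as a placeholder internal DNS server.

```cisco
! Added example, not the poster's or Istvan Kalmar's configuration.
! Assumptions: inside LAN 172.20.2.0/24, VPN pool object
! NETWORK_OBJ_172.20.2.192_27 (from the posted dump), ASA 8.3 NAT syntax,
! and 172.20.2.10 as a placeholder internal DNS server.

object network Inside
 subnet 172.20.2.0 255.255.255.0
object network NETWORK_OBJ_172.20.2.192_27
 subnet 172.20.2.192 255.255.255.224

! NAT exemption for LAN <-> VPN-pool traffic in both directions.
! Manual NAT is matched top-down, so this rule must sit above
! "nat (inside,FIOS) source dynamic obj_any interface"; the "1" inserts it
! at line 1 instead of appending it at the end of the section.
nat (inside,FIOS) 1 source static Inside Inside destination static NETWORK_OBJ_172.20.2.192_27 NETWORK_OBJ_172.20.2.192_27

! Split tunnel: only the LAN is routed into the tunnel; everything else stays
! on the client's own default gateway. The network list must be a standard ACL.
access-list SPLIT_TUNNEL standard permit 172.20.2.0 255.255.255.0

group-policy IPSecVPN attributes
 dns-server value 172.20.2.10
 default-domain value new.local
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 split-dns value new.local

! Read-only checks after a client connects:
! show nat                    - the exemption should accumulate hits as the client pings inside
! show crypto ipsec sa        - encaps and decaps counters should both increase
! show vpn-sessiondb remote   - assigned pool address, group policy and vpn-filter in effect
```

Two points the posted dump illustrates. First, under `split-tunnel-policy tunnelall` the `split-tunnel-network-list` line is ignored and the client installs a default route through the VPN adapter, which is exactly symptom 1 in the question; `tunnelspecified` with a standard ACL is what makes the client keep its own gateway for non-LAN traffic. If all client traffic is meant to be inspected at the ASA, keep `tunnelall` instead and add a hairpin rule (`nat (FIOS,FIOS)` for the pool plus `same-security-traffic permit intra-interface`) so internet traffic can leave through FIOS. Second, the dump's `nat (FIOS,FIOS) source static any any destination static ...` is the exemption on the wrong interface pair: inside-to-pool traffic enters on inside, so it never matches, and the `(inside,FIOS)` dynamic PAT above it wins. Once connectivity works, the any-any `vpn-filter` and interface ACLs in the dump are the next thing to tighten to the protocols the clients actually need; that is also where to look first when RDP and file sharing are the only things still failing. Cisco's general guidance is to pick a pool that does not overlap the LAN subnet; the 172.20.2.192/27 pool here sits inside 172.20.2.0/24, which works only because the ASA answers ARP on inside for connected clients' addresses.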