Accessing external FTP web server and local LAN through Cisco VPN on a ASA5505
I have a co-worker who needs to FTP to our external web server hosted outside of our network using the Cisco VPN AnyConnect Client from his home to our local network. After toying with possible solutions, I created a new VPN group on the ASA 5505 (webgroup) and new group policy called clientgroup with a split tunnel ACL allowing access to this external web server (98.129.60.XX). He is able to VPN in and can FTP to the external server (using Dream Weaver) without issue. But he cannot access the internal LAN (192.168.0.0). How do I allow him access to this external web server and also access to the local lan?
If I went about this the wrong way, please advise.
Is it possible to apply 2 split tunnel ACL’s to the same group, one for the external web server and one for the internal LAN? I thought this would work, but didn’t work when I tried it.
I also made a few minor adjustments last night from home but haven’t had a chance to test, so if the below config seems correct for now, than I will test tonight and post back tomorrow.
Below is the “washed” config. If you need to see the full one, please let me know. I am not new to cisco, but am no expert by any means. Thanks in advance.
Running Config:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name audiology.org
enable password
passwd
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 216.64.xx.xx 255.255.255.240
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name audiology.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in remark Allowed outside access for Exchange
access-list inside_access_in extended permit tcp host 192.168.0.10 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq www
access-list Audiology_VPN_splitTunnelA
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_nat0_outbound extended permit ip any 192.168.0.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0
access-list outside_20_cryptomap standard permit 192.168.0.0 255.255.255.0
access-list clientgroup_VPN_splitTunne
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging queue 150
mtu inside 1500
mtu outside 1500
ip local pool vpnippool 192.168.50.1-192.168.50.10
ip local pool SSLClientPool 192.168.25.1-192.168.25.50
ip local pool AAAIPPOOL 192.168.0.161-192.168.0.19
ip local pool webpool 192.168.60.1-192.168.60.10
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 216.64.xx.xx-216.64.xx.xx netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.60.0 255.255.255.0
static (inside,outside) 216.64.xx.x 192.168.0.4 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.64.xx.xx 1
route inside 192.168.1.0 255.255.255.0 192.168.0.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
aaa-server NTWRKSVRS protocol ldap
nac-policy DfltGrpPolicy-nac-framewor
reval-period 36000
sq-period 300
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 set pfs
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa.audiology.org
keypair sslvpnkeypair
crl configure
crypto ca server
shutdown
crypto ca certificate chain ASDM_TrustPoint0
certificate 1470244c
30820207 30820170 a0030201 02020414 70244c30 0d06092a 864886f7 0d010105
05003048 311f301d 06035504 03131663 6973636f 6173612e 61756469 6f6c6f67
792e6f72 67312530 2306092a 864886f7 0d010902 16166369 73636f61 73612e61
7564696f 6c6f6779 2e6f7267 301e170d 31303036 32353039 30303034 5a170d32
30303632 32303930 3030345a 3048311f 301d0603 55040313 16636973 636f6173
612e6175 64696f6c 6f67792e 6f726731 25302306 092a8648 86f70d01 09021616
63697363 6f617361 2e617564 696f6c6f 67792e6f 72673081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 818100a0 8b90b08f bbfaf555 4b19f899
6b04b4b1 ec7b07f8 3ba2504d bb5b54bb 3450bfed 80607843 13a6f146 79472b79
2e08f1f7 ef32fb77 cf33f0b5 55982455 ef74c3b2 c054efff c58d3698 2bb5e44d
e6f148b2 81aa2fa0 d317175f 2b8364cd 3c8b0290 12f0a01f 06c6af47 7a7d70cc
975a3567 9b2e7f24 0d88bcb8 daaf1f7d d0e74d02 03010001 300d0609 2a864886
f70d0101 05050003 8181005d 269ebb82 ad21cb8c fd5ce3ce bbc51073 370cdd5a
bccf01e3 b993caf4 b2582663 f18248ed 3634e670 c2c4dd72 abeabbe1 406293a8
48085355 55885f72 cb78a10e 4d6c1267 ad0fc28e e883e002 6ea9af97 6d722868
537966f4 de71bd98 f07ba491 7929e460 17062837 5570ce10 b2aba39e 0b1c9e83
6176373b 33b7204c f92bb6
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
client-update enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside vpnclient-wins-override
!
dhcpd address 192.168.0.2-192.168.0.129 inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.0.3 /tftp
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.
svc image disk0:/anyconnect-dart-win
svc image disk0:/anyconnect-macosx-i
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.0.8
vpn-tunnel-protocol l2tp-ipsec svc
default-domain value audiology
address-pools value SSLClientPool
group-policy DfltGrpPolicy attributes
banner value Welcome to the Audiology Domain.
dns-server value 192.168.0.8
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec l2tp-ipsec svc
ipsec-udp enable
default-domain value audiology
nac-settings value DfltGrpPolicy-nac-framewor
address-pools value vpnippool
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
svc ask none default svc
customization value DfltCustomization
group-policy Audiology_VPN internal
group-policy Audiology_VPN attributes
dns-server value 192.168.0.8
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Audiology_VPN_splitTunnelA
default-domain value audiology
webvpn
svc ask none default svc
group-policy vpnphone internal
group-policy vpnphone attributes
dns-server value 192.168.0.8 192.168.0.9
vpn-tunnel-protocol IPSec
default-domain value audiology.org
group-policy clientgroup internal
group-policy clientgroup attributes
dns-server value 192.168.0.8
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value clientgroup_VPN_splitTunne
address-pools value webpool
webvpn
svc keep-installer installed
svc ask none default svc
username marco password MPVAtQgiWJ9tqgGc encrypted privilege 5
username marco attributes
vpn-group-policy clientgroup
tunnel-group DefaultRAGroup general-attributes
default-group-policy Audiology_VPN
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpnippool
tunnel-group Audiology_VPN type remote-access
tunnel-group Audiology_VPN general-attributes
address-pool vpnippool
default-group-policy Audiology_VPN
tunnel-group Audiology_VPN ipsec-attributes
pre-shared-key *****
tunnel-group Audiology_VPN ppp-attributes
authentication ms-chap-v2
tunnel-group vpnphone type remote-access
tunnel-group vpnphone general-attributes
address-pool vpnippool
default-group-policy vpnphone
tunnel-group vpnphone ipsec-attributes
pre-shared-key *****
tunnel-group vpnphone ppp-attributes
authentication ms-chap-v2
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
tunnel-group webgroup type remote-access
tunnel-group webgroup general-attributes
address-pool webpool
default-group-policy clientgroup
tunnel-group webgroup webvpn-attributes
group-alias webgroup_users enable
tunnel-group webgroup ipsec-attributes
pre-shared-key *****
tunnel-group-map default-group DefaultL2LGroup
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect pptp
inspect ip-options
policy-map asa_global_fw_policy
class inspection_default
inspect ftp
!
If I went about this the wrong way, please advise.
Is it possible to apply 2 split tunnel ACL’s to the same group, one for the external web server and one for the internal LAN? I thought this would work, but didn’t work when I tried it.
I also made a few minor adjustments last night from home but haven’t had a chance to test, so if the below config seems correct for now, than I will test tonight and post back tomorrow.
Below is the “washed” config. If you need to see the full one, please let me know. I am not new to cisco, but am no expert by any means. Thanks in advance.
Running Config:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name audiology.org
enable password
passwd
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 216.64.xx.xx 255.255.255.240
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name audiology.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in remark Allowed outside access for Exchange
access-list inside_access_in extended permit tcp host 192.168.0.10 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq www
access-list Audiology_VPN_splitTunnelA
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_nat0_outbound extended permit ip any 192.168.0.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0
access-list outside_20_cryptomap standard permit 192.168.0.0 255.255.255.0
access-list clientgroup_VPN_splitTunne
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging queue 150
mtu inside 1500
mtu outside 1500
ip local pool vpnippool 192.168.50.1-192.168.50.10
ip local pool SSLClientPool 192.168.25.1-192.168.25.50
ip local pool AAAIPPOOL 192.168.0.161-192.168.0.19
ip local pool webpool 192.168.60.1-192.168.60.10
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 216.64.xx.xx-216.64.xx.xx netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.60.0 255.255.255.0
static (inside,outside) 216.64.xx.x 192.168.0.4 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.64.xx.xx 1
route inside 192.168.1.0 255.255.255.0 192.168.0.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
aaa-server NTWRKSVRS protocol ldap
nac-policy DfltGrpPolicy-nac-framewor
reval-period 36000
sq-period 300
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 set pfs
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa.audiology.org
keypair sslvpnkeypair
crl configure
crypto ca server
shutdown
crypto ca certificate chain ASDM_TrustPoint0
certificate 1470244c
30820207 30820170 a0030201 02020414 70244c30 0d06092a 864886f7 0d010105
05003048 311f301d 06035504 03131663 6973636f 6173612e 61756469 6f6c6f67
792e6f72 67312530 2306092a 864886f7 0d010902 16166369 73636f61 73612e61
7564696f 6c6f6779 2e6f7267 301e170d 31303036 32353039 30303034 5a170d32
30303632 32303930 3030345a 3048311f 301d0603 55040313 16636973 636f6173
612e6175 64696f6c 6f67792e 6f726731 25302306 092a8648 86f70d01 09021616
63697363 6f617361 2e617564 696f6c6f 67792e6f 72673081 9f300d06 092a8648
86f70d01 01010500 03818d00 30818902 818100a0 8b90b08f bbfaf555 4b19f899
6b04b4b1 ec7b07f8 3ba2504d bb5b54bb 3450bfed 80607843 13a6f146 79472b79
2e08f1f7 ef32fb77 cf33f0b5 55982455 ef74c3b2 c054efff c58d3698 2bb5e44d
e6f148b2 81aa2fa0 d317175f 2b8364cd 3c8b0290 12f0a01f 06c6af47 7a7d70cc
975a3567 9b2e7f24 0d88bcb8 daaf1f7d d0e74d02 03010001 300d0609 2a864886
f70d0101 05050003 8181005d 269ebb82 ad21cb8c fd5ce3ce bbc51073 370cdd5a
bccf01e3 b993caf4 b2582663 f18248ed 3634e670 c2c4dd72 abeabbe1 406293a8
48085355 55885f72 cb78a10e 4d6c1267 ad0fc28e e883e002 6ea9af97 6d722868
537966f4 de71bd98 f07ba491 7929e460 17062837 5570ce10 b2aba39e 0b1c9e83
6176373b 33b7204c f92bb6
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
client-update enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside vpnclient-wins-override
!
dhcpd address 192.168.0.2-192.168.0.129 inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.0.3 /tftp
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.
svc image disk0:/anyconnect-dart-win
svc image disk0:/anyconnect-macosx-i
svc enable
tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
dns-server value 192.168.0.8
vpn-tunnel-protocol l2tp-ipsec svc
default-domain value audiology
address-pools value SSLClientPool
group-policy DfltGrpPolicy attributes
banner value Welcome to the Audiology Domain.
dns-server value 192.168.0.8
vpn-simultaneous-logins 10
vpn-tunnel-protocol IPSec l2tp-ipsec svc
ipsec-udp enable
default-domain value audiology
nac-settings value DfltGrpPolicy-nac-framewor
address-pools value vpnippool
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
svc ask none default svc
customization value DfltCustomization
group-policy Audiology_VPN internal
group-policy Audiology_VPN attributes
dns-server value 192.168.0.8
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Audiology_VPN_splitTunnelA
default-domain value audiology
webvpn
svc ask none default svc
group-policy vpnphone internal
group-policy vpnphone attributes
dns-server value 192.168.0.8 192.168.0.9
vpn-tunnel-protocol IPSec
default-domain value audiology.org
group-policy clientgroup internal
group-policy clientgroup attributes
dns-server value 192.168.0.8
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value clientgroup_VPN_splitTunne
address-pools value webpool
webvpn
svc keep-installer installed
svc ask none default svc
username marco password MPVAtQgiWJ9tqgGc encrypted privilege 5
username marco attributes
vpn-group-policy clientgroup
tunnel-group DefaultRAGroup general-attributes
default-group-policy Audiology_VPN
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool vpnippool
tunnel-group Audiology_VPN type remote-access
tunnel-group Audiology_VPN general-attributes
address-pool vpnippool
default-group-policy Audiology_VPN
tunnel-group Audiology_VPN ipsec-attributes
pre-shared-key *****
tunnel-group Audiology_VPN ppp-attributes
authentication ms-chap-v2
tunnel-group vpnphone type remote-access
tunnel-group vpnphone general-attributes
address-pool vpnippool
default-group-policy vpnphone
tunnel-group vpnphone ipsec-attributes
pre-shared-key *****
tunnel-group vpnphone ppp-attributes
authentication ms-chap-v2
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
group-alias SSLVPNClient enable
tunnel-group webgroup type remote-access
tunnel-group webgroup general-attributes
address-pool webpool
default-group-policy clientgroup
tunnel-group webgroup webvpn-attributes
group-alias webgroup_users enable
tunnel-group webgroup ipsec-attributes
pre-shared-key *****
tunnel-group-map default-group DefaultL2LGroup
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
inspect pptp
inspect ip-options
policy-map asa_global_fw_policy
class inspection_default
inspect ftp
!
hi,
you need:
access-list clientgroup_VPN_splitTunne
you need:
access-list clientgroup_VPN_splitTunne
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for replying ikalmar.
I receive the following error when trying to apply the access list:
access-list clientgroup_VPN_splitTunne
ERROR: % Invalid Hostname
Is it the wrong subnet mask?
I receive the following error when trying to apply the access list:
access-list clientgroup_VPN_splitTunne
ERROR: % Invalid Hostname
Is it the wrong subnet mask?
ASKER
Never mind, the command finally applied. Not sure what happened, but I just re-opened the CLI and it worked. WIll test and get back with you.
ASKER
Everything seems to be working now, thank you. I'd like to test for another day or so and will award the points then. Thanks again ikalmar, I knew I was missing something just needed a freash set of eyes.
ASKER