Accessing external FTP web server and local LAN through Cisco VPN on a ASA5505

I have a co-worker who needs to FTP to our external web server hosted outside of our network using the Cisco VPN AnyConnect Client from his home to our local network. After toying with possible solutions, I created a new VPN group on the ASA 5505 (webgroup) and new group policy called clientgroup with a split tunnel ACL allowing access to this external web server (98.129.60.XX). He is able to VPN in and can FTP to the external server (using Dream Weaver) without issue. But he cannot access the internal LAN (192.168.0.0). How do I allow him access to this external web server and also access to the local lan?

If I went about this the wrong way, please advise.

Is it possible to apply 2 split tunnel ACL’s to the same group, one for the external web server and one for the internal LAN?  I thought this would work, but didn’t work when I tried it.

I also made a few minor adjustments last night from home but haven’t had a chance to test, so if the below config seems correct for now, than I will test tonight and post back tomorrow.

Below is the “washed” config. If you need to see the full one, please let me know. I am not new to cisco, but am no expert by any means. Thanks in advance.


Running Config:

Result of the command: "show running-config"

: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name audiology.org
enable password
passwd
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
 ospf cost 10
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 216.64.xx.xx 255.255.255.240
 ospf cost 10
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name audiology.org
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in remark Allowed outside access for Exchange
access-list inside_access_in extended permit tcp host 192.168.0.10 any eq smtp
access-list inside_access_in extended deny tcp any any eq smtp
access-list inside_access_in extended permit tcp any any eq https
access-list inside_access_in extended permit tcp any any eq www


access-list Audiology_VPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0

access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list inside_nat0_outbound extended permit ip any 192.168.0.160 255.255.255.224
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 192.168.25.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.60.0 255.255.255.0
access-list outside_20_cryptomap standard permit 192.168.0.0 255.255.255.0
access-list clientgroup_VPN_splitTunnelACL standard permit host 98.129.xx.xx

pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging queue 150
mtu inside 1500
mtu outside 1500
ip local pool vpnippool 192.168.50.1-192.168.50.10 mask 255.255.255.0
ip local pool SSLClientPool 192.168.25.1-192.168.25.50 mask 255.255.255.0
ip local pool AAAIPPOOL 192.168.0.161-192.168.0.190 mask 255.255.255.0
ip local pool webpool 192.168.60.1-192.168.60.10 mask 255.255.255.0
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 216.64.xx.xx-216.64.xx.xx netmask 255.255.255.240
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 192.168.60.0 255.255.255.0

static (inside,outside) 216.64.xx.x 192.168.0.4 netmask 255.255.255.255

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 216.64.xx.xx 1
route inside 192.168.1.0 255.255.255.0 192.168.0.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NTWRKSVRS protocol ldap
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 set pfs
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa.audiology.org
 keypair sslvpnkeypair
 crl configure
crypto ca server
 shutdown
crypto ca certificate chain ASDM_TrustPoint0
 certificate 1470244c
    30820207 30820170 a0030201 02020414 70244c30 0d06092a 864886f7 0d010105
    05003048 311f301d 06035504 03131663 6973636f 6173612e 61756469 6f6c6f67
    792e6f72 67312530 2306092a 864886f7 0d010902 16166369 73636f61 73612e61
    7564696f 6c6f6779 2e6f7267 301e170d 31303036 32353039 30303034 5a170d32
    30303632 32303930 3030345a 3048311f 301d0603 55040313 16636973 636f6173
    612e6175 64696f6c 6f67792e 6f726731 25302306 092a8648 86f70d01 09021616
    63697363 6f617361 2e617564 696f6c6f 67792e6f 72673081 9f300d06 092a8648
    86f70d01 01010500 03818d00 30818902 818100a0 8b90b08f bbfaf555 4b19f899
    6b04b4b1 ec7b07f8 3ba2504d bb5b54bb 3450bfed 80607843 13a6f146 79472b79
    2e08f1f7 ef32fb77 cf33f0b5 55982455 ef74c3b2 c054efff c58d3698 2bb5e44d
    e6f148b2 81aa2fa0 d317175f 2b8364cd 3c8b0290 12f0a01f 06c6af47 7a7d70cc
    975a3567 9b2e7f24 0d88bcb8 daaf1f7d d0e74d02 03010001 300d0609 2a864886
    f70d0101 05050003 8181005d 269ebb82 ad21cb8c fd5ce3ce bbc51073 370cdd5a
    bccf01e3 b993caf4 b2582663 f18248ed 3634e670 c2c4dd72 abeabbe1 406293a8
    48085355 55885f72 cb78a10e 4d6c1267 ad0fc28e e883e002 6ea9af97 6d722868
    537966f4 de71bd98 f07ba491 7929e460 17062837 5570ce10 b2aba39e 0b1c9e83
    6176373b 33b7204c f92bb6
  quit
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
client-update enable
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside vpnclient-wins-override
!
dhcpd address 192.168.0.2-192.168.0.129 inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.0.3 /tftp
ssl trust-point ASDM_TrustPoint0 outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
 svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 2
 svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
 svc enable
 tunnel-group-list enable
group-policy SSLClientPolicy internal
group-policy SSLClientPolicy attributes
 dns-server value 192.168.0.8
 vpn-tunnel-protocol l2tp-ipsec svc
 default-domain value audiology
 address-pools value SSLClientPool
group-policy DfltGrpPolicy attributes
 banner value Welcome to the Audiology Domain.
 dns-server value 192.168.0.8
 vpn-simultaneous-logins 10
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 ipsec-udp enable
 default-domain value audiology
 nac-settings value DfltGrpPolicy-nac-framework-create
 address-pools value vpnippool
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
  svc ask none default svc
  customization value DfltCustomization
group-policy Audiology_VPN internal
group-policy Audiology_VPN attributes
 dns-server value 192.168.0.8
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Audiology_VPN_splitTunnelAcl
 default-domain value audiology
 webvpn
  svc ask none default svc
group-policy vpnphone internal
group-policy vpnphone attributes
 dns-server value 192.168.0.8 192.168.0.9
 vpn-tunnel-protocol IPSec
 default-domain value audiology.org
group-policy clientgroup internal
group-policy clientgroup attributes
 dns-server value 192.168.0.8
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value clientgroup_VPN_splitTunnelACL
 address-pools value webpool
 webvpn
  svc keep-installer installed
  svc ask none default svc

username marco password MPVAtQgiWJ9tqgGc encrypted privilege 5
username marco attributes
 vpn-group-policy clientgroup

tunnel-group DefaultRAGroup general-attributes
 default-group-policy Audiology_VPN
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpnippool
tunnel-group Audiology_VPN type remote-access
tunnel-group Audiology_VPN general-attributes
 address-pool vpnippool
 default-group-policy Audiology_VPN
tunnel-group Audiology_VPN ipsec-attributes
 pre-shared-key *****
tunnel-group Audiology_VPN ppp-attributes
 authentication ms-chap-v2
tunnel-group vpnphone type remote-access
tunnel-group vpnphone general-attributes
 address-pool vpnippool
 default-group-policy vpnphone
tunnel-group vpnphone ipsec-attributes
 pre-shared-key *****
tunnel-group vpnphone ppp-attributes
 authentication ms-chap-v2
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
 default-group-policy SSLClientPolicy
tunnel-group SSLClientProfile webvpn-attributes
 group-alias SSLVPNClient enable
tunnel-group webgroup type remote-access
tunnel-group webgroup general-attributes
 address-pool webpool
 default-group-policy clientgroup
tunnel-group webgroup webvpn-attributes
 group-alias webgroup_users enable
tunnel-group webgroup ipsec-attributes
 pre-shared-key *****
tunnel-group-map default-group DefaultL2LGroup
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect ip-options
policy-map asa_global_fw_policy
 class inspection_default
  inspect ftp
!

bkanaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bkanaAuthor Commented:
One more thing: our web hosting provider only allows access from my network (216.64.x.x), which is why he must first VPN in to aceess it.
0
Istvan KalmarHead of IT Security Division Commented:
hi,

you need:

access-list clientgroup_VPN_splitTunnelACL standard permit host 192.168.0.1 255.255.255.0
0
Istvan KalmarHead of IT Security Division Commented:
sorry:


access-list clientgroup_VPN_splitTunnelACL standard permit host 192.168.0.0 255.255.255.0
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Increase Security & Decrease Risk with NSPM Tools

Analyst firm, Enterprise Management Associates (EMA) reveals significant benefits to enterprises when using Network Security Policy Management (NSPM) solutions, while organizations without, experienced issues including non standard security policies and failed cloud migrations

bkanaAuthor Commented:
Thanks for replying ikalmar.

I receive the following error when trying to apply the access list:

access-list clientgroup_VPN_splitTunnelACL standard permit host 192.168.0.0 255.                                                                            ^255.255.0

ERROR: % Invalid Hostname

Is it the wrong subnet mask?
0
bkanaAuthor Commented:
Never mind, the command finally applied. Not sure what happened, but I just re-opened the CLI and it worked. WIll test and get back with you.
0
bkanaAuthor Commented:
Everything seems to be working now, thank you. I'd like to test for another day or so and will award the points then. Thanks again ikalmar, I knew I was missing something just needed a freash set of eyes.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.