Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

No internet when connected to VPN

Status
Not open for further replies.
ndinc

ndinc

ISP
Jun 29, 2005
111
US
Everything works very well with this ASA, but when connected to the VPN using Cisco VPN client we are unable to use the Internet.

Here is the config for your reference. I may have missed something.

Thanks in advance


prasa# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname prasa
domain-name
enable password
passwd
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 207.X.X.162 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name
access-list outside_access_in extended permit tcp any host 207.X.X.164 eq smtp
access-list outside_access_in extended permit tcp host 207.X.X.13 host 207.X.X.163 eq 3389
access-list outside_access_in extended permit tcp host 207.X.X.13 host 207.X.X.164 eq 3389
access-list outside_access_in extended permit tcp host 207.X.X.13 host 207.X.X.165 eq 3389
access-list outside_access_in extended permit tcp host 207.X.X.19 host 207.X.X.163 eq 3389
access-list outside_access_in extended permit tcp host 207.X.X.19 host 207.X.X.164 eq 3389
access-list outside_access_in extended permit tcp host 207.X.X.19 host 207.X.X.165 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.164 eq pptp
access-list outside_access_in extended permit gre any host 207.X.X.164
access-list outside_access_in extended permit tcp any host 207.X.X.163 eq www
access-list outside_access_in extended permit tcp any host 207.X.X.163 eq https
access-list inside_nat0_outbound extended permit ip any 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool PRvpnpool 192.168.0.75-192.168.0.85 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 207.X.X.163
global (outside) 3 207.X.X.164
global (outside) 4 207.X.X.165
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 192.168.0.5 255.255.255.255
nat (inside) 3 192.168.0.6 255.255.255.255
nat (inside) 4 192.168.0.7 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 207.X.X.163 3389 192.168.0.5 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.164 3389 192.168.0.6 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.164 smtp 192.168.0.6 smtp netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.164 pptp 192.168.0.6 pptp netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.163 255.255.255.255
static (inside,outside) tcp 207.X.X.163 https 192.168.0.5 https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.X.X.162 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 207.X.X.19 255.255.255.255 outside
http 207.X.X.13 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 207.X.X.13 255.255.255.255 outside
ssh 207.X.X.19 255.255.255.255 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DefaultRAGroup internal
group-policy prtunnel internal
group-policy prtunnel attributes
dns-server value 68.X.X.30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
username password encrypted privilege 0
username prvpn attributes
vpn-group-policy prtunnel
service-type remote-access
username password encrypted privilege 0
username username attributes
vpn-group-policy prtunnel
tunnel-group prtunnel type remote-access
tunnel-group prtunnel general-attributes
address-pool PRvpnpool
default-group-policy prtunnel
tunnel-group prtunnel ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:2ebd0ca7332e3e01cbcb1d56cee0e0d6
: end
prasa#

Thanks for your help
 
Sort by date Sort by votes
two things:
1) change the vpn pool to be something other than what your internal LAN pool is. put it in a completely different subnet
2) add nat (outside) 1 192.168.1.0 255.255.255.0 where 192.168.1/24 is the ip range of your vpn pool

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
What about access the internal network at 192.168.0.x? Will that be a problem?

Thanks for your help
 
Upvote 0 Downvote
nope, you just change your nonat ACL to reflect your new vpn pool.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Thank you, I will try it out.

Thanks for your help
 
Upvote 0 Downvote
I am a looser or maybe its the fact that I have my 5 year old asking me too many questions while I am working. I made the changes and I am connecting and getting an Ip assigned at 10.10.10.x but now I have no internet and cannot see the internal network.

A updated config is below.

Thanks in advance for putting up with my thickheadedness.

prasa# sh run
: Saved
:
ASA Version 8.2(2)
!
hostname prasa
domain-name prconstruction.net
enable password 9/BmWkjAcHkpXqhk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 207.X.X.162 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name prconstruction.net
access-list outside_access_in extended permit tcp any host 207.X.X.164 eq smtp
access-list outside_access_in extended permit tcp host X.X.71.100 host 207.X.X.163 eq 3389
access-list outside_access_in extended permit tcp host X.X.71.100 host 207.X.X.164 eq 3389
access-list outside_access_in extended permit tcp host X.X.71.100 host 207.X.X.165 eq 3389
access-list outside_access_in extended permit tcp host 207.X.X.13 host 207.X.X.163 eq 3389
access-list outside_access_in extended permit tcp host 207.X.X.13 host 207.X.X.164 eq 3389
access-list outside_access_in extended permit tcp host 207.X.X.13 host 207.X.X.165 eq 3389
access-list outside_access_in extended permit tcp host 207.X.X.19 host 207.X.X.163 eq 3389
access-list outside_access_in extended permit tcp host 207.X.X.19 host 207.X.X.164 eq 3389
access-list outside_access_in extended permit tcp host 207.X.X.19 host 207.X.X.165 eq 3389
access-list outside_access_in extended permit tcp any host 207.X.X.164 eq pptp
access-list outside_access_in extended permit gre any host 207.X.X.164
access-list outside_access_in extended permit tcp any host 207.X.X.163 eq www
access-list outside_access_in extended permit tcp any host 207.X.X.163 eq https
access-list inside_nat0_outbound extended permit ip any 10.10.10.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool PRvpnpool 10.10.10.20-10.10.10.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
global (outside) 2 207.X.X.163
global (outside) 3 207.X.X.164
global (outside) 4 207.X.X.165
nat (inside) 2 192.168.0.5 255.255.255.255
nat (inside) 3 192.168.0.6 255.255.255.255
nat (inside) 4 192.168.0.7 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 10.10.10.0 255.255.255.0
static (inside,outside) tcp 207.X.X.163 3389 192.168.0.5 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.164 3389 192.168.0.6 3389 netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.164 smtp 192.168.0.6 smtp netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.164 pptp 192.168.0.6 pptp netmask 255.255.255.255
static (inside,outside) tcp 207.X.X.163 255.255.255.255
static (inside,outside) tcp 207.X.X.163 https 192.168.0.5 https netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 207.X.X.162 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 207.X.X.19 255.255.255.255 outside
http 207.X.X.13 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 inside
http X.X.71.100 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 207.X.X.13 255.255.255.255 outside
ssh 207.X.X.19 255.255.255.255 outside
ssh X.X.71.100 255.255.255.255 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DefaultRAGroup internal
group-policy prtunnel internal
group-policy prtunnel attributes
dns-server value 68.X.X.30
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
username prvpn password oJqKSwM9pZixS3pM encrypted privilege 0
username prvpn attributes
vpn-group-policy prtunnel
service-type remote-access
username cheiner password utzNLG6xdKpJ68yd encrypted privilege 0
username cheiner attributes
vpn-group-policy prtunnel
tunnel-group prtunnel type remote-access
tunnel-group prtunnel general-attributes
address-pool PRvpnpool
default-group-policy prtunnel
tunnel-group prtunnel ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:386132099d028ebc6694f52d9694b304
: end
prasa#


Thanks for your help
 
Upvote 0 Downvote
Thank you for the Split Tunnel reference, but I thought it had security issues.

Will this get me my access back to the internal network which I had before I made the changes?

Thanks for your help
 
Upvote 0 Downvote
yes there are security issues. but if you want internet and not have all traffic through the firewall

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
665
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
582
Johnkite
Johnkite
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
580
intel233
intel233
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
205
gkittelson
gkittelson
Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
714
Shmid
Shmid

Part and Inventory Search

Sponsor

Back
Top