Remote Access VPN via ASA--please help

Jan 23rd, 2008

ASA5510 at SiteB end.


1. SiteB has 2.2.2.0/24 assigned by the ISP.

2. Configured SiteB internal workstations to access the Internet using the assigned public IPs (with nat 2) and also provided RDP/telnet access to a couple of internal machines using the assigned public IPs.

3. Configured remote access VPN using ASDM on the SiteB ASA.

4. Did not select 'Split Tunneling' while configuring the remote access VPN.

5. Now from SiteA, from my internal network desktop (10.50.0.0), I am able to dial in to the VPN and access SiteB internal resources, but I lose connectivity to the Internet and access to my LAN and other network resources. (If I use a laptop on an outside Internet line like DSL, I cannot access the Internet when VPNed in to SiteB.)

6. SiteA setup is a regular setup:

PCs --> Switch --> ASA --> Cable modem.



Please find the attached config (IPs changed and unwanted config removed from the ASA). The 'bold' items were created by ASDM.


Please advise.


Thank you in advance for your help.


MS.



husycisco Wed, 01/23/2008 - 11:05

Hi Mehboob

Not configuring split tunneling is the cause. Second, do not use an IP pool that is in the same subnet as inside: 10.30.50.0/24 covers 10.30.50.0/28. Do the following modification and the VPN will work as you like:


ip local pool Remote_DialPool 10.30.40.1-10.30.40.253 mask 255.255.255.0
no access-list Inside_nat0_outbound extended permit ip 10.30.50.0 255.255.255.0 10.30.50.224 255.255.255.224
access-list Inside_nat0_outbound extended permit ip 10.30.50.0 255.255.255.0 10.30.40.0 255.255.255.0
access-list Split_T permit ip 10.30.50.0 255.255.255.0 10.30.40.0 255.255.255.0
group-policy Remote_Dialin attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_T
tunnel-group Remote_Dialin general-attributes
 no address-pool RemoteDialPool
 address-pool Remote_DialPool



Regards

acomiskey Wed, 01/23/2008 - 11:20

You could also do public Internet on a stick...


global (outside) 1 interface
! nat (outside) needs the VPN pool as its source network; the 10.30.40.0/24 pool from the reply above is assumed here
nat (outside) 1 10.30.40.0 255.255.255.0
same-security-traffic permit intra-interface

fortis123 Wed, 01/23/2008 - 12:59

Hi,

Thank you both for your reply. I made both changes. Now, once I have VPNed in (from SiteA), I can access the Internet, but I am still losing my access to SiteA local resources (mainly email).


Please advise.


Thank you

MS

husycisco Wed, 01/23/2008 - 13:10

Please post your current running-config. What is the IP subnet of site A?

Right-click the VPN client icon at the bottom right > Statistics. Now click Route Details. Make sure 10.30.50.0 is listed there.

Also click Modify in the VPN client configuration screen, then click the Transport tab, and check "Allow Local LAN Access".

fortis123 Wed, 01/23/2008 - 14:36

Hi,


Thank you for the quick reply. Please find the current running configs. I cleaned up the NAT statements and VPN pool IPs from the original posting.


SiteA: 10.1.201.0, and it has connectivity to other sites (10.1.202.0/24, 10.70.0.0/16, etc.).


Now with the existing configuration, what I observed was: when connected from SiteA to the ASA via VPN from my desktop (at SiteA), I can browse the Internet, but I lose access to my network drives at SiteA, and also, once the VPN is up, I cannot ping/access the devices at SiteB either.


Please find the configs. I am sure that I am missing some ACLs here. Please advise.

Thank you

MS



fortis123 Wed, 01/23/2008 - 19:05

Just realised... looks like I made a mistake in the split tunnel IP (any). Will configure the ASA internal networks tomorrow and will update all.


Thank you

MS

fortis123 Thu, 01/24/2008 - 12:28

Thank you all for your support. That is really wonderful. Two things...

1. The split tunnel ACL set to 'any' was causing the issue.


2. The VPN users' DNS address entry in the config was causing the issue accessing my local network (SiteA) Exchange server when connected to the VPN from my workstation.


Everything is working as it is supposed to.

Thanks again

MS
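The two misconfigurations this thread ran into (an address pool carved out of the inside subnet, which husycisco's first reply fixes, and a split-tunnel ACL of "any", which the poster found last) can be caught before pushing a config. The following checker is an added example, not code from the thread or from Cisco; it parses constructed ASA fragments that mirror the thread's fix and its mistakes, and uses only Python's standard library.

```python
import ipaddress
import re

# Constructed ASA fragments (not the thread's attachment): GOOD_CFG mirrors husycisco's
# fix; BAD_CFG has the pool carved from the inside subnet and the split-tunnel 'any'.
GOOD_CFG = """interface Ethernet0/1
 nameif inside
 ip address 10.30.50.1 255.255.255.0
ip local pool Remote_DialPool 10.30.40.1-10.30.40.253 mask 255.255.255.0
access-list Split_T extended permit ip 10.30.50.0 255.255.255.0 10.30.40.0 255.255.255.0
split-tunnel-network-list value Split_T
"""
BAD_CFG = """interface Ethernet0/1
 nameif inside
 ip address 10.30.50.1 255.255.255.0
ip local pool RemoteDialPool 10.30.50.225-10.30.50.253 mask 255.255.255.224
access-list Split_T extended permit ip any any
split-tunnel-network-list value Split_T
"""

def inside_subnet(cfg):
    """Subnet of the interface whose nameif is 'inside' (skips other interface lines)."""
    m = re.search(r"nameif inside\n(?:\s+\S.*\n)*?\s*ip address (\S+) (\S+)", cfg)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)

def pool_range(cfg):
    """First and last address of the 'ip local pool' range."""
    m = re.search(r"ip local pool \S+ (\S+)-(\S+)", cfg)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def split_tunnel_entries(cfg):
    """Networks in the ACL named by split-tunnel-network-list ('any' kept as a string)."""
    name = re.search(r"split-tunnel-network-list value (\S+)", cfg).group(1)
    pat = rf"access-list {re.escape(name)} (?:extended permit ip|standard permit) (\S+)(?: (\S+))?"
    return ["any" if net == "any" else ipaddress.ip_network(f"{net}/{mask}", strict=False)
            for net, mask in re.findall(pat, cfg)]

def audit(cfg):
    """Findings for an ASA remote-access fragment; an empty list means both checks pass."""
    findings = []
    inside = inside_subnet(cfg)
    lo, hi = pool_range(cfg)
    if lo in inside or hi in inside:
        findings.append(f"address pool {lo}-{hi} overlaps inside subnet {inside}")
    if "any" in split_tunnel_entries(cfg):
        findings.append("split-tunnel ACL permits 'any': all client traffic is tunnelled")
    return findings

print(audit(GOOD_CFG), audit(BAD_CFG))
```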

pmccubbin Mon, 09/29/2008 - 12:09

Hi Mehboob,


Glad to see your issue has been solved! Please rate the answers you received so people searching the NetPro database will know that this is a thread they should read.


Best,

Paul
