01-23-2008 10:24 AM - edited 02-21-2020 03:29 PM
ASA5510 at SiteB end.
1. SiteB has 2.2.2.0/24 assigned by ISP.
2. Configured SiteB internal workstations to access the Internet using the public IPs assigned (with nat 2) and also provided RDP/telnet access to a couple of internal machines using the public IPs assigned.
3. Configured Remote access VPN using ASDM on SiteB ASA.
4. Did not select 'Split Tunneling' while configuring Remote access VPN.
5. Now from SiteA, from my internal network desktop (10.50.0.0), I am able to dial in to the VPN and access SiteB internal resources, but I am losing connectivity to the Internet and access to my LAN and other network resources. (If I use a laptop from an outside Internet line like DSL, I could not access the Internet when VPN'ed in to SiteB.)
6. SiteA setup is a regular setup:
PCs-->Switch -->ASA-->Cable modem.
Please find the attached config (IPs changed and removed unwanted config from ASA). The 'bold' items are created by ASDM.
Please advise.
Thank you in advance for your help.
MS.
01-23-2008 11:05 AM
Hi Mehboob
Not configuring split tunneling is the cause. Second, do not use an IP pool which is in the same subnet as inside. 10.30.50.0/24 covers 10.30.50.0/28. Make the following modifications and the VPN will work as you like:
ip local pool Remote_DialPool 10.30.40.1-10.30.40.253 mask 255.255.255.0
no access-list Inside_nat0_outbound extended permit ip 10.30.50.0 255.255.255.0 10.30.50.224 255.255.255.224
access-list Inside_nat0_outbound extended permit ip 10.30.50.0 255.255.255.0 10.30.40.0 255.255.255.0
access-list Split_T permit ip 10.30.50.0 255.255.255.0 10.30.40.0 255.255.255.0
group-policy Remote_Dialin attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split_T
tunnel-group Remote_Dialin general-attributes
no address-pool RemoteDialPool
address-pool Remote_DialPool
Regards
01-23-2008 11:20 AM
You could also do public internet on a stick...
global (outside) 1 interface
nat (outside) 1
same-security-traffic permit intra-interface
01-23-2008 12:59 PM
Hi,
Thank you both for your reply. I made both changes. Now, once I have VPN'ed (from SiteA), I can access the Internet, but I am still losing my access to SiteA local resources (mainly email).
Please advise.
Thank you
MS
01-23-2008 01:10 PM
Please post your current running-config. What is the IP subnet of site A?
Right-click the VPN client icon at the bottom right > Statistics. Now click Route Details. Make sure 10.30.50.0 is listed there.
Also click Modify in the VPN client configuration screen, then click the Transport tab, and check "Allow local LAN access".
01-23-2008 02:36 PM
Hi,
Thank you for the quick reply. Please find the current running configs. I cleaned up the nat statements and VPN pool IPs from the original posting.
SiteA: 10.1.201.0, and it has connectivity to other sites (10.1.202.0/24, 10.70.0.0/16, etc.)
Now with the existing configuration, what I observed was: when connected from SiteA to the ASA via VPN from my desktop (at SiteA), I can browse the Internet. But I am losing access to my network drives at SiteA, and also, once the VPN is up, I cannot ping/access the devices at SiteB.
Please find the configs. I am sure that I am missing some ACLs here. Please advise.
Thank you
MS
01-23-2008 07:05 PM
Just realised.. looks like I made a mistake in the split tunnel IP (any). Will configure the ASA internal networks tomorrow and will update all.
Thank you
MS
01-24-2008 12:28 PM
Thank you all for your support. That is really wonderful. 2 things...
1. The split tunnel ACL set to 'any' was causing an issue.
2. The VPN users' DNS address entry in the config was causing an issue accessing my local network (SiteA) Exchange server when connected to the VPN from my workstation.
Everything is working as it is supposed to.
Thanks again
MS
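An offline check for two of the misconfigurations this thread ran into (a VPN address pool taken from the inside subnet, and a split-tunnel ACL whose source is 'any'), as an added example that is not from any poster. The function name and the BEFORE sample (including its pool range) are constructed; the AFTER sample reuses the commands from the 11:05 AM reply.

```python
import ipaddress
import re

# Constructed "before" config: pool inside 10.30.50.0/24, split-tunnel ACL of 'any'.
BEFORE = """\
ip local pool RemoteDialPool 10.30.50.225-10.30.50.254 mask 255.255.255.0
access-list Split_T standard permit any
group-policy Remote_Dialin attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_T
"""

# "After" config: the pool and split-tunnel ACL suggested in the reply above.
AFTER = """\
ip local pool Remote_DialPool 10.30.40.1-10.30.40.253 mask 255.255.255.0
access-list Split_T permit ip 10.30.50.0 255.255.255.0 10.30.40.0 255.255.255.0
group-policy Remote_Dialin attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_T
"""

def audit_ra_vpn(config: str, inside: str) -> list[str]:
    """Return findings for the pool-overlap and 'any' split-tunnel problems."""
    inside_net = ipaddress.ip_network(inside)
    findings = []
    # 1. Address pool carved out of the inside subnet.
    for name, first, last in re.findall(
            r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", config, re.M):
        blocks = ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last))
        if any(b.overlaps(inside_net) for b in blocks):
            findings.append(f"pool {name} overlaps inside network {inside_net}")
    # 2. ACL referenced by split-tunnel-network-list whose source is 'any'.
    for acl in sorted(set(re.findall(
            r"^\s*split-tunnel-network-list value (\S+)", config, re.M))):
        for ace in re.findall(rf"^access-list {re.escape(acl)} .*$", config, re.M):
            tok = ace.split()
            if "permit" not in tok:
                continue
            i = tok.index("permit")
            # standard ACE: permit <src>; extended ACE: permit <proto> <src> ...
            src = tok[i + 1:i + 2] if "standard" in tok else tok[i + 2:i + 3]
            if src in (["any"], ["any4"]):
                findings.append(f"split-tunnel ACL {acl} permits source 'any'")
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_ra_vpn(cfg, "10.30.50.0/24"))
```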
09-29-2008 12:09 PM
Hi Mehboob,
Glad to see your issue has been solved! Please rate the answers you received so people searching the NetPro database will know that this is a thread they should read.
Best,
Paul