02-05-2008 04:43 AM - edited 02-21-2020 03:32 PM
Hi,
I have configured remote access VPN in my CISCO ASA 5505 SW Version 7.2(2). It's working fine, I get an IP address from vpn_pool, can connect to
internal hosts and use services there. But if I connect to external resources (e.g. internet->website), no connection is set up.
First, ASDM Log shows the error message:
13:11:54 302014 192.168.1.150 209.85.135.104 Teardown TCP connection 147256 for outside:192.168.1.150/2122 to outside:209.85.135.104/80 duration 0:00:00 bytes 0 Flow is a loopback (vpn_user)
After entering "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface",
ASDM Log shows now the error message:
13:13:17 302013 192.168.1.150 209.85.135.103 Built inbound TCP connection 147281 for outside:192.168.1.150/2127 (192.168.1.150/2127) to outside:209.85.135.103/80 (209.85.135.103/80) (vpn_user)
13:13:47 302014 192.168.1.150 209.85.135.103 Teardown TCP connection 147281 for outside:192.168.1.150/2127 to outside:209.85.135.103/80 duration 0:00:30 bytes 0 SYN Timeout (vpn_user)
Any ideas how to solve this problem and how to connect to external resources using remote access VPN (without split tunneling)?
Thanks.
Regards,
M.Braun
--
attached ASA Config
02-05-2008 05:57 AM
Here is a sample configuration of split tunneling
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
And yes, it is a good way of allowing Internet and VPN on the same end host. However, I am still trying to see why your configuration is not working....
02-07-2008 02:12 AM
Thank you for the link. I will try it. I hope you will find the error in my config.
Thanks in advance, Braun.
02-07-2008 04:01 PM
Hi Markus
Make the following modification in your config:
access-list split_t permit ip 192.168.1.0 255.255.255.0 192.168.1.128 255.255.255.192
group-policy vpn_1 attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_t
Keep in mind that using a VPN pool subnet which is covered by your inside interface is a handicap for possible further configurations.
Regards
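
The teardown messages quoted in the question can be triaged automatically. The following is an added example, not part of the original thread or of any Cisco tooling: it parses 302014 teardown lines in the ASDM log-viewer layout shown above and reports flows that entered and left on the same interface without passing any data. The function names are hypothetical, and the third sample line is constructed for contrast.

```python
import re
from collections import Counter

# Sample in ASDM log-viewer layout: two lines as quoted in the question, one constructed.
SAMPLE = """\
13:11:54 302014 192.168.1.150 209.85.135.104 Teardown TCP connection 147256 for outside:192.168.1.150/2122 to outside:209.85.135.104/80 duration 0:00:00 bytes 0 Flow is a loopback (vpn_user)
13:13:47 302014 192.168.1.150 209.85.135.103 Teardown TCP connection 147281 for outside:192.168.1.150/2127 to outside:209.85.135.103/80 duration 0:00:30 bytes 0 SYN Timeout (vpn_user)
13:14:02 302014 192.168.1.150 192.168.1.10 Teardown TCP connection 147290 for outside:192.168.1.150/2130 to inside:192.168.1.10/445 duration 0:01:12 bytes 48211 TCP FINs (vpn_user)
"""

# Message text of a TCP teardown: interfaces, endpoints, byte count, reason, optional user.
TEARDOWN = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) "
    r"for (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+)"
    r"(?: (?P<reason>.*?))?(?: \((?P<user>[^()]+)\))?$"
)


def failed_hairpins(log_text):
    """Return teardowns where ingress and egress interface match and 0 bytes were passed."""
    hits = []
    for line in log_text.splitlines():
        m = TEARDOWN.search(line.strip())
        if not m:
            continue  # not a TCP teardown message
        rec = m.groupdict()
        if rec["src_if"] == rec["dst_if"] and int(rec["bytes"]) == 0:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count failed same-interface flows per (user, interface, teardown reason)."""
    return Counter((h["user"], h["src_if"], h["reason"]) for h in hits)


if __name__ == "__main__":
    for (user, iface, reason), n in summarize(failed_hairpins(SAMPLE)).items():
        print(f"{user}: {n} flow(s) {iface}->{iface} failed: {reason}")
```
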