Internal network and Internet access problem when on VPN. Please assist. Tx

Answered Question
Mar 27th, 2008

We are having a problem accessing servers/machines, i.e. mapping and accessing files on the inside network, when connected via VPN. The other problem is with access to the Internet through the VPN tunnel; I know it has something to do with split-tunneling but I cannot figure out the problem. When I connect via SSL VPN I can share files on the DMZ and inside with no problem at all. Please assist. I greatly appreciate it.

Correct Answer by Jesse Wiener, Fri, 03/28/2008 - 07:52

Are you trying to get to the inside, or the DMZ, or both?

Right now you are not doing any kind of split tunneling. You are tunneling everything, per this ACL:

"access-list testvpn_splitTunnelAcl extended permit ip any any"

If you only want to tunnel to the inside 192.168.0.0/16 and 10.0.0.0/8, remove that ACL and enter these two lines:

access-list testvpn_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0

access-list testvpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0


Then you also need a nat 0:

access-list Nat0 extended permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0

access-list Nat0 extended permit ip 192.168.0.0 255.255.0.0 172.16.100.0 255.255.255.0

nat (Inside) 0 access-list Nat0


If you are trying to tunnel Internet traffic through the VPN, then read this link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805734ae.shtml
Overall Rating: 5 (2 ratings)
lansingschools_ops Fri, 03/28/2008 - 07:17

I cannot ping servers on the DMZ or machines on the inside. The only things I can ping are my interfaces on the ASA.

acomiskey Fri, 03/28/2008 - 07:36

To get access to the inside from the VPN:


nat (inside) 0 access-list inside_nat0_outbound

access-list inside_nat0_outbound extended permit ip any 172.16.100.0 255.255.255.0


To get access to the DMZ from the VPN:


nat (DMZ1) 0 access-list dmz_nat0_outbound

access-list dmz_nat0_outbound extended permit ip any 172.16.100.0 255.255.255.0

acomiskey Fri, 03/28/2008 - 07:40

For split tunneling...


change...


access-list testvpn_splitTunnelAcl extended permit ip any any


to...


access-list testvpn_splitTunnelAcl extended permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0

access-list testvpn_splitTunnelAcl extended permit ip 192.168.0.0 255.255.0.0 172.16.100.0 255.255.255.0

access-list testvpn_splitTunnelAcl extended permit ip 172.16.1.0 255.255.255.0 172.16.100.0 255.255.255.0
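The commands from the accepted answer and from the two posts above, pulled together into one working configuration as an added example; this is not configuration posted in the thread or taken from the original poster's ASA. It uses the pre-8.3 ASA syntax the thread uses and the names the thread shows (interfaces inside and DMZ1, networks 10.0.0.0/8, 192.168.0.0/16 and 172.16.1.0/24, VPN pool 172.16.100.0/24); the group-policy and tunnel-group name testvpn is an assumption taken from the ACL name, since the posts never show it. Lines starting with ! are comments. Two points the thread skips over: a standard ACL entry needs the permit keyword, and the split-tunnel ACL has no effect until the group policy references it.

```cisco
! --- Option A: split tunneling (only the listed networks enter the tunnel) ---
! Standard ACL, one network per line. Each line needs "permit"; the original
! "extended permit ip any any" list sends everything into the tunnel, which
! is why there was no split tunneling in effect.
access-list testvpn_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list testvpn_splitTunnelAcl standard permit 192.168.0.0 255.255.0.0
access-list testvpn_splitTunnelAcl standard permit 172.16.1.0 255.255.255.0
!
! The ACL does nothing until the group policy points at it. The names
! "testvpn" below are assumed; confirm with "show run tunnel-group".
group-policy testvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value testvpn_splitTunnelAcl
tunnel-group testvpn general-attributes
 default-group-policy testvpn
!
! NAT exemption. Without it, replies from inside/DMZ hosts to the VPN pool are
! translated on the way out and the tunnel breaks even though the ACL is right.
! One nat 0 per interface the servers sit behind.
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-list dmz_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 172.16.100.0 255.255.255.0
nat (DMZ1) 0 access-list dmz_nat0_outbound
!
! Decrypted VPN traffic bypasses the outside interface ACL. This is the ASA
! default; set it explicitly so an earlier "no sysopt" does not block clients.
sysopt connection permit-vpn

! --- Option B: full tunnel, Internet reached back out through the ASA ---
! This is what the Cisco link in the accepted answer describes. Tunnel
! everything, allow traffic to enter and leave the outside interface
! (hairpinning), and PAT the VPN pool to the outside address.
group-policy testvpn attributes
 split-tunnel-policy tunnelall
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 172.16.100.0 255.255.255.0
```

After reconnecting the client, check which networks it is actually tunneling (the Cisco VPN Client shows them under Statistics > Route Details) and, on the ASA, `show vpn-sessiondb remote` and `show crypto ipsec sa`, where each tunneled network from the split list appears as a separate local/remote identity pair. Option A and option B are a security trade-off, not just a bandwidth one: with split tunneling the client is reachable from the Internet and the inside network at the same time, so if the policy is that all remote-user traffic must pass through the corporate firewall and inspection, use option B and accept that Internet traffic is hairpinned through the ASA.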

lansingschools_ops Fri, 03/28/2008 - 11:17

Tunneling Internet traffic is working, along with inside and DMZ access. Thank you very much. I greatly appreciate your assistance.
