asa 5510, vpn remote access wizard -> can't access LAN and inet

IMCAcustomer · ‎04-03-2008

Hello!

My asa 5510 config part:

interface Ethernet0/0

description local network interface

nameif localnet

security-level 100

ip address 192.168.15.31 255.255.255.0

!

interface Ethernet0/1

nameif external

security-level 0

ip address x.x.x.20 255.255.255.248

.....

nat (localnet) 1 192.168.15.0 255.255.255.0

.....

route localnet 192.168.1.0 255.255.255.0 192.168.15.1 1

route localnet 192.168.11.0 255.255.255.0 192.168.15.1 1

route localnet 192.168.168.0 255.255.255.0 192.168.15.1 1

I want vpn connect to asa from "localnet" (from 192.168.1.0 network) interface using vpn wizard:

access-list CiscoASA_splitTunnelAcl standard permit any

username vpnuser password xxx encrypted privilege 0

username vpnuser attributes

vpn-group-policy CiscoASA

ip local pool vpnpool 192.168.87.1-192.168.87.20

group-policy CiscoASA internal

group-policy CiscoASA attributes

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value CiscoASA_splitTunnelAcl

dns-server value 192.168.15.33

wins-server value 192.168.15.33

default-domain value dssa.ru

tunnel-group CiscoASA type ipsec-ra

tunnel-group CiscoASA general-attributes

default-group-policy CiscoASA

address-pool vpnpool

tunnel-group CiscoASA ipsec-attributes

pre-shared-key CisCo

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map localnet_dyn_map 20 set pfs group2

crypto dynamic-map localnet_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map localnet_map 65535 ipsec-isakmp dynamic localnet_dyn_map

crypto map localnet_map interface localnet

after it i can connect to asa using cisco vpn client, but i can't access anywhere, no LAN no internet no asa...

How can i acces?

thx for any answers

IMCAcustomer · ‎04-03-2008

after connect vpn client statistics:

Bytes

received: 0

sent: 22722

Local LAN: disabled

but i check "Allow local LAN access" ...

husycisco · ‎04-03-2008

Hi Sergey,

Assuming that your isakmp entries are correct (that you can establish connection)

1) Do not use "any" statements in ACLs that define networks, like split tunneling. Issue the following

no access-list CiscoASA_splitTunnelAcl standard permit any

access-list CiscoASA_splitTunnelAcl permit ip 192.168.15.0 255.255.255.0 192.168.87.0 255.255.255.224

2)issue the following command

crypto isakmp nat-traversal 20

3) There is really no sense in terminating the VPN connection at the "localnet" interface which has the highest security level

Regards

IMCAcustomer · ‎04-03-2008

error in the config, don't look it

Hi Huseyin, i did 1) and 2) and have no effect((

my asa full config in attachmetns, look it pls

IMCAcustomer · ‎04-03-2008

actual config here

with this config after connect i see all LAN, but dont see 192.168.15.0/24

husycisco · ‎04-04-2008

Sergey,

Add the following

access-list inside_na0_outbound permit ip 192.168.15.0 255.255.255.0 192.168.87.0 255.255.255.224

nat (localnet) 0 access-list inside_nat0_outbound

IMCAcustomer · ‎04-04-2008

very thanks!!!

after your hepl i can access localLAN 192.168.15.0))))

but one problem exist(((

asa device is the gateway to inet for computers from 192.168.15.0 network

how can i through vpn (from IP 192.168.87.1) go to inet through asa?

husycisco · ‎04-04-2008

Sergey,

Nice to hear that your problem is resolved, and thanks for rating.

I have a question before answering your question. Termianting VPN at inside interface as you do now is not a common practise. Do you have a specific reason for this?

Regards

IMCAcustomer · ‎04-04-2008

Huseyin,

i have next reason: my pc have ip 192.168.1.7 from 192.168.1.0/24 network and default gateway 192.168.1.1 - through it i go to inet, i need go to inet through asa (other inet connection)

husycisco · ‎04-04-2008

I didnt understand this actually, your inside users can already set the ASA as gateway and connect to internet via it. VPN is usually users which are outside of your infrastructrue.

IMCAcustomer · ‎04-06-2008

No, between my localnet part and asa's locanet part placed 3 switch and 2 from it has DG 192.168.1.1, only last switch has DG 192.168.15.1.